m---------libnDPI0
-rw-r--r--nDPId.c24
-rw-r--r--schema/flow_event_schema.json6
-rw-r--r--test/results/1kxun.pcap.out32
-rw-r--r--test/results/443-chrome.pcap.out6
-rw-r--r--test/results/443-curl.pcap.out12
-rw-r--r--test/results/443-firefox.pcap.out14
-rw-r--r--test/results/443-git.pcap.out10
-rw-r--r--test/results/443-opvn.pcap.out6
-rw-r--r--test/results/443-safari.pcap.out12
-rw-r--r--test/results/4in4tunnel.pcap.out6
-rw-r--r--test/results/4in6tunnel.pcap.out6
-rw-r--r--test/results/6in4tunnel.pcap.out6
-rw-r--r--test/results/6in6tunnel.pcap.out6
-rw-r--r--test/results/BGP_Cisco_hdlc_slarp.pcap.out6
-rw-r--r--test/results/BGP_redist.pcap.out6
-rw-r--r--test/results/EAQ.pcap.out14
-rw-r--r--test/results/IEC104.pcap.out6
-rw-r--r--test/results/KakaoTalk_chat.pcap.out36
-rw-r--r--test/results/KakaoTalk_talk.pcap.out28
-rw-r--r--test/results/NTPv2.pcap.out8
-rw-r--r--test/results/NTPv3.pcap.out12
-rw-r--r--test/results/NTPv4.pcap.out12
-rw-r--r--test/results/Oscar.pcap.out6
-rw-r--r--test/results/WebattackRCE.pcap.out6
-rw-r--r--test/results/WebattackSQLinj.pcap.out6
-rw-r--r--test/results/WebattackXSS.pcap.out6
-rw-r--r--test/results/aimini-http.pcap.out6
-rw-r--r--test/results/ajp.pcap.out6
-rw-r--r--test/results/alexa-app.pcapng.out212
-rw-r--r--test/results/among_us.pcap.out6
-rw-r--r--test/results/amqp.pcap.out6
-rw-r--r--test/results/android.pcap.out82
-rw-r--r--test/results/anyconnect-vpn.pcap.out34
-rw-r--r--test/results/anydesk-2.pcap.out12
-rw-r--r--test/results/anydesk.pcap.out16
-rw-r--r--test/results/avast_securedns.pcapng.out84
-rw-r--r--test/results/bad-dns-traffic.pcap.out6
-rw-r--r--test/results/badpackets.pcap.out6
-rw-r--r--test/results/bitcoin.pcap.out18
-rw-r--r--test/results/bittorrent.pcap.out6
-rw-r--r--test/results/bittorrent_ip.pcap.out6
-rw-r--r--test/results/bittorrent_utp.pcap.out6
-rw-r--r--test/results/bt_search.pcap.out6
-rw-r--r--test/results/capwap.pcap.out6
-rw-r--r--test/results/cassandra.pcap.out6
-rw-r--r--test/results/check_mk_new.pcap.out6
-rw-r--r--test/results/chrome.pcap.out6
-rw-r--r--test/results/coap_mqtt.pcap.out6
-rw-r--r--test/results/cpha.pcap.out6
-rw-r--r--test/results/dcerpc.pcap.out6
-rw-r--r--test/results/dhcp-fuzz.pcapng.out21
-rw-r--r--test/results/diameter.pcap.out12
-rw-r--r--test/results/dlt_ppp.pcap.out6
-rw-r--r--test/results/dnp3.pcap.out6
-rw-r--r--test/results/dns-invalid-chars.pcap.out23
-rw-r--r--test/results/dns-tunnel-iodine.pcap.out6
-rw-r--r--test/results/dns_ambiguous_names.pcap.out10
-rw-r--r--test/results/dns_doh.pcap.out10
-rw-r--r--test/results/dns_dot.pcap.out14
-rw-r--r--test/results/dns_exfiltration.pcap.out18
-rw-r--r--test/results/dns_fragmented.pcap.out30
-rw-r--r--test/results/dns_invert_query.pcapng.out22
-rw-r--r--test/results/dns_long_domainname.pcap.out14
-rw-r--r--test/results/dnscrypt-v1-and-resolver-pings.pcap.out18
-rw-r--r--test/results/dnscrypt-v2-doh.pcap.out12
-rw-r--r--test/results/dnscrypt_skype_false_positive.pcapng.out6
-rw-r--r--test/results/doq.pcapng.out6
-rw-r--r--test/results/doq_adguard.pcapng.out6
-rw-r--r--test/results/dos_win98_smb_netbeui.pcap.out6
-rw-r--r--test/results/drda_db2.pcap.out6
-rw-r--r--test/results/dropbox.pcap.out6
-rw-r--r--test/results/dtls.pcap.out6
-rw-r--r--test/results/dtls2.pcap.out10
-rw-r--r--test/results/dtls_certificate_fragments.pcap.out6
-rw-r--r--test/results/dtls_session_id_and_coockie_both.pcap.out6
-rw-r--r--test/results/encrypted_sni.pcap.out12
-rw-r--r--test/results/ethereum.pcap.out20
-rw-r--r--test/results/ethernetIP.pcap.out41
-rw-r--r--test/results/exe_download.pcap.out6
-rw-r--r--test/results/exe_download_as_png.pcap.out6
-rw-r--r--test/results/facebook.pcap.out12
-rw-r--r--test/results/firefox.pcap.out38
-rw-r--r--test/results/fix.pcap.out6
-rw-r--r--test/results/forticlient.pcap.out36
-rw-r--r--test/results/ftp-start-tls.pcap.out6
-rw-r--r--test/results/ftp.pcap.out12
-rw-r--r--test/results/ftp_failed.pcap.out12
-rw-r--r--test/results/genshin-impact.pcap.out6
-rw-r--r--test/results/git.pcap.out6
-rw-r--r--test/results/google_ssl.pcap.out12
-rw-r--r--test/results/googledns_android10.pcap.out24
-rw-r--r--test/results/gquic.pcap.out8
-rw-r--r--test/results/gtp_false_positive.pcapng.out31
-rw-r--r--test/results/h323-overflow.pcap.out6
-rw-r--r--test/results/hangout.pcap.out6
-rw-r--r--test/results/hpvirtgrp.pcap.out28
-rw-r--r--test/results/http-crash-content-disposition.pcap.out6
-rw-r--r--test/results/http-lines-split.pcap.out6
-rw-r--r--test/results/http-manipulated.pcap.out6
-rw-r--r--test/results/http_auth.pcap.out12
-rw-r--r--test/results/http_ipv6.pcap.out20
-rw-r--r--test/results/iec60780-5-104.pcap.out6
-rw-r--r--test/results/imap-starttls.pcap.out23
-rw-r--r--test/results/imap.pcap.out23
-rw-r--r--test/results/imaps.pcap.out12
-rw-r--r--test/results/instagram.pcap.out16
-rw-r--r--test/results/ip_fragmented_garbage.pcap.out6
-rw-r--r--test/results/iphone.pcap.out34
-rw-r--r--test/results/ipv6_in_gtp.pcap.out6
-rw-r--r--test/results/irc.pcap.out12
-rw-r--r--test/results/ja3_lots_of_cipher_suites.pcap.out6
-rw-r--r--test/results/ja3_lots_of_cipher_suites_2_anon.pcap.out8
-rw-r--r--test/results/kerberos.pcap.out35
-rw-r--r--test/results/kerberos_fuzz.pcapng.out21
-rw-r--r--test/results/log4j-webapp-exploit.pcap.out68
-rw-r--r--test/results/long_tls_certificate.pcap.out16
-rw-r--r--test/results/malformed_dns.pcap.out12
-rw-r--r--test/results/malformed_icmp.pcap.out6
-rw-r--r--test/results/malware.pcap.out16
-rw-r--r--test/results/memcached.cap.out6
-rw-r--r--test/results/modbus.pcap.out6
-rw-r--r--test/results/monero.pcap.out6
-rw-r--r--test/results/mongodb.pcap.out6
-rw-r--r--test/results/mpeg.pcap.out6
-rw-r--r--test/results/mpegts.pcap.out6
-rw-r--r--test/results/mssql_tds.pcap.out6
-rw-r--r--test/results/mysql-8.pcap.out6
-rw-r--r--test/results/nats.pcap.out6
-rw-r--r--test/results/ndpi_match_string_subprotocol__error.pcapng.out6
-rw-r--r--test/results/nest_log_sink.pcap.out20
-rw-r--r--test/results/netbios.pcap.out6
-rw-r--r--test/results/netbios_wildcard_dns_query.pcap.out6
-rw-r--r--test/results/netflix.pcap.out44
-rw-r--r--test/results/netflow-fritz.pcap.out6
-rw-r--r--test/results/netflowv9.pcap.out6
-rw-r--r--test/results/nintendo.pcap.out30
-rw-r--r--test/results/no_sni.pcap.out34
-rw-r--r--test/results/ocs.pcap.out6
-rw-r--r--test/results/ocsp.pcapng.out77
-rw-r--r--test/results/ookla.pcap.out6
-rw-r--r--test/results/openvpn.pcap.out6
-rw-r--r--test/results/os_detected.pcapng.out8
-rw-r--r--test/results/pinterest.pcap.out54
-rw-r--r--test/results/pop3.pcap.out23
-rw-r--r--test/results/pps.pcap.out8
-rw-r--r--test/results/ps_vue.pcap.out10
-rw-r--r--test/results/quic-23.pcap.out6
-rw-r--r--test/results/quic-24.pcap.out6
-rw-r--r--test/results/quic-27.pcap.out8
-rw-r--r--test/results/quic-28.pcap.out6
-rw-r--r--test/results/quic-29.pcap.out6
-rw-r--r--test/results/quic-33.pcapng.out6
-rw-r--r--test/results/quic-fuzz-overflow.pcapng.out21
-rw-r--r--test/results/quic-mvfst-22.pcap.out6
-rw-r--r--test/results/quic-mvfst-22_decryption_error.pcap.out6
-rw-r--r--test/results/quic-mvfst-27.pcapng.out6
-rw-r--r--test/results/quic-mvfst-exp.pcap.out6
-rw-r--r--test/results/quic-v2-00.pcapng.out23
-rw-r--r--test/results/quic.pcap.out12
-rw-r--r--test/results/quic046.pcap.out6
-rw-r--r--test/results/quic_0RTT.pcap.out6
-rw-r--r--test/results/quic_frags_ch_in_multiple_packets.pcapng.out6
-rw-r--r--test/results/quic_frags_ch_out_of_order_same_packet_craziness.pcapng.out38
-rw-r--r--test/results/quic_interop_V.pcapng.out36
-rw-r--r--test/results/quic_q39.pcap.out6
-rw-r--r--test/results/quic_q43.pcap.out6
-rw-r--r--test/results/quic_q46.pcap.out8
-rw-r--r--test/results/quic_q46_b.pcap.out6
-rw-r--r--test/results/quic_q50.pcap.out8
-rw-r--r--test/results/quic_t50.pcap.out6
-rw-r--r--test/results/quic_t51.pcap.out8
-rw-r--r--test/results/quickplay.pcap.out20
-rw-r--r--test/results/radius_false_positive.pcapng.out23
-rw-r--r--test/results/rdp.pcap.out6
-rw-r--r--test/results/reasm_crash_anon.pcapng.out6
-rw-r--r--test/results/reasm_segv_anon.pcapng.out12
-rw-r--r--test/results/reddit.pcap.out128
-rw-r--r--test/results/rtsp.pcap.out6
-rw-r--r--test/results/rtsp_setup_http.pcapng.out6
-rw-r--r--test/results/rx.pcap.out6
-rw-r--r--test/results/s7comm.pcap.out6
-rw-r--r--test/results/safari.pcap.out16
-rw-r--r--test/results/salesforce.pcap.out25
-rw-r--r--test/results/selfsigned.pcap.out6
-rw-r--r--test/results/signal.pcap.out36
-rw-r--r--test/results/simple-dnscrypt.pcap.out30
-rw-r--r--test/results/sip.pcap.out6
-rw-r--r--test/results/skype-conference-call.pcap.out6
-rw-r--r--test/results/skype.pcap.out12
-rw-r--r--test/results/skype_no_unknown.pcap.out10
-rw-r--r--test/results/skype_udp.pcap.out6
-rw-r--r--test/results/smb_deletefile.pcap.out6
-rw-r--r--test/results/smbv1.pcap.out6
-rw-r--r--test/results/smpp_in_general.pcap.out6
-rw-r--r--test/results/smtp-starttls.pcap.out12
-rw-r--r--test/results/smtp.pcap.out23
-rw-r--r--test/results/snapchat.pcap.out14
-rw-r--r--test/results/snapchat_call.pcapng.out6
-rw-r--r--test/results/ssdp-m-search.pcap.out6
-rw-r--r--test/results/ssh.pcap.out6
-rw-r--r--test/results/ssl-cert-name-mismatch.pcap.out16
-rw-r--r--test/results/starcraft_battle.pcap.out16
-rw-r--r--test/results/steam.pcap.out6
-rw-r--r--test/results/steam_datagram_relay_ping.pcapng.out6
-rw-r--r--test/results/stun_facebook.pcapng.out12
-rw-r--r--test/results/stun_signal.pcapng.out156
-rw-r--r--test/results/synscan.pcap.out30
-rw-r--r--test/results/syslog.pcapng.out58
-rw-r--r--test/results/teams.pcap.out70
-rw-r--r--test/results/teamspeak3.pcap.out6
-rw-r--r--test/results/telegram.pcap.out14
-rw-r--r--test/results/teredo.pcap.out6
-rw-r--r--test/results/tftp.pcap.out6
-rw-r--r--test/results/tinc.pcap.out6
-rw-r--r--test/results/tk.pcap.out6
-rw-r--r--test/results/tls-esni-fuzzed.pcap.out12
-rw-r--r--test/results/tls-rdn-extract.pcap.out10
-rw-r--r--test/results/tls_alert.pcap.out12
-rw-r--r--test/results/tls_certificate_too_long.pcap.out70
-rw-r--r--test/results/tls_cipher_lens.pcap.out37
-rw-r--r--test/results/tls_esni_sni_both.pcap.out6
-rw-r--r--test/results/tls_invalid_reads.pcap.out6
-rw-r--r--test/results/tls_long_cert.pcap.out10
-rw-r--r--test/results/tls_port_80.pcapng.out24
-rw-r--r--test/results/tls_torrent.pcapng.out25
-rw-r--r--test/results/tls_verylong_certificate.pcap.out10
-rw-r--r--test/results/tor.pcap.out24
-rw-r--r--test/results/trickbot.pcap.out6
-rw-r--r--test/results/tumblr.pcap.out20
-rw-r--r--test/results/ubntac2.pcap.out6
-rw-r--r--test/results/upnp.pcap.out6
-rw-r--r--test/results/viber.pcap.out40
-rw-r--r--test/results/vnc.pcap.out6
-rw-r--r--test/results/wa_video.pcap.out8
-rw-r--r--test/results/wa_voice.pcap.out14
-rw-r--r--test/results/waze.pcap.out78
-rw-r--r--test/results/webex.pcap.out72
-rw-r--r--test/results/websocket.pcap.out6
-rw-r--r--test/results/wechat.pcap.out100
-rw-r--r--test/results/weibo.pcap.out32
-rw-r--r--test/results/whatsapp_login_call.pcap.out12
-rw-r--r--test/results/whatsapp_login_chat.pcap.out8
-rw-r--r--test/results/whatsapp_voice_and_message.pcap.out6
-rw-r--r--test/results/whatsappfiles.pcap.out10
-rw-r--r--test/results/whois.pcapng.out6
-rw-r--r--test/results/wireguard.pcap.out6
-rw-r--r--test/results/youtube_quic.pcap.out10
-rw-r--r--test/results/youtubeupload.pcap.out8
-rw-r--r--test/results/z3950.pcapng.out6
-rw-r--r--test/results/zabbix.pcap.out6
-rw-r--r--test/results/zcash.pcap.out6
-rw-r--r--test/results/zoom.pcap.out34
-rw-r--r--test/results/zoom2.pcap.out51
254 files changed, 2531 insertions, 1671 deletions
diff --git a/libnDPI b/libnDPI
-Subproject 181a03c5ad41bda533fbfa307627939c2ff30b7
+Subproject 2cd0479204301c50c6149706fcd4df3058b2a8c
diff --git a/nDPId.c b/nDPId.c
index c4666c3ca..66106620f 100644
--- a/nDPId.c
+++ b/nDPId.c
@@ -1244,6 +1244,7 @@ static struct nDPId_workflow * init_workflow(char const * const file_or_device)
workflow->ndpi_struct = ndpi_init_detection_module(init_prefs);
if (workflow->ndpi_struct == NULL)
{
+ syslog(LOG_DAEMON | LOG_ERR, "%s", "BUG: Could not init ndpi detection module");
free_workflow(&workflow);
return NULL;
}
@@ -1254,6 +1255,9 @@ static struct nDPId_workflow * init_workflow(char const * const file_or_device)
workflow->ndpi_flows_active = (void **)ndpi_calloc(workflow->max_active_flows, sizeof(void *));
if (workflow->ndpi_flows_active == NULL)
{
+ syslog(LOG_DAEMON | LOG_ERR,
+ "Could not allocate %llu bytes for (active) flow tracking",
+ workflow->max_active_flows * sizeof(void *));
free_workflow(&workflow);
return NULL;
}
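Review bot: The `%llu` conversion in the added syslog() call is fed `workflow->max_active_flows * sizeof(void *)`, whose type depends on the declaration of `max_active_flows`, which is not visible in this hunk. If that field is not `unsigned long long`, the argument does not match the format, which is undefined behaviour in a variadic call. An explicit cast removes the dependency: `(unsigned long long)workflow->max_active_flows * sizeof(void *)`. The same applies to the idle-flow message in the next hunk, `workflow->max_idle_flows * sizeof(void *)`. The product can also wrap for very large configured limits, so logging the element count alongside the byte count would keep the message meaningful when the allocation fails; init_workflow's body continues outside the hunk.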
@@ -1263,6 +1267,9 @@ static struct nDPId_workflow * init_workflow(char const * const file_or_device)
workflow->ndpi_flows_idle = (void **)ndpi_calloc(workflow->max_idle_flows, sizeof(void *));
if (workflow->ndpi_flows_idle == NULL)
{
+ syslog(LOG_DAEMON | LOG_ERR,
+ "Could not allocate %llu bytes for (idle) flow tracking",
+ workflow->max_idle_flows * sizeof(void *));
free_workflow(&workflow);
return NULL;
}
@@ -1291,8 +1298,12 @@ static struct nDPId_workflow * init_workflow(char const * const file_or_device)
ndpi_set_detection_preferences(workflow->ndpi_struct, ndpi_pref_enable_tls_block_dissection, 1);
if (ndpi_init_serializer_ll(&workflow->ndpi_serializer, ndpi_serialization_format_json, NETWORK_BUFFER_MAX_SIZE) !=
- 1)
+ 0)
{
+ syslog(LOG_DAEMON | LOG_ERR,
+ "BUG: Could not init JSON serializer with buffer size: %u bytes",
+ NETWORK_BUFFER_MAX_SIZE);
+ free_workflow(&workflow);
return NULL;
}
@@ -1541,8 +1552,7 @@ static int is_l4_protocol_timed_out(struct nDPId_workflow const * const workflow
struct nDPId_flow_basic const * const flow_basic)
{
uint64_t sdiff = flow_basic->last_seen % nDPId_options.flow_scan_interval;
- uint64_t itime =
- get_l4_protocol_idle_time(flow_basic->l4_protocol) - sdiff;
+ uint64_t itime = get_l4_protocol_idle_time(flow_basic->l4_protocol) - sdiff;
return (flow_basic->last_seen + itime <= workflow->last_time) ||
(flow_basic->tcp_fin_rst_seen == 1 &&
@@ -3076,16 +3086,18 @@ static void ndpi_process_packet(uint8_t * const args,
flow_basic.src.v6.ip[1] = ip6->ip6_src.u6_addr.u6_addr64[1];
flow_basic.dst.v6.ip[0] = ip6->ip6_dst.u6_addr.u6_addr64[0];
flow_basic.dst.v6.ip[1] = ip6->ip6_dst.u6_addr.u6_addr64[1];
+
uint64_t min_addr[2];
- if (flow_basic.src.v6.ip[0] > flow_basic.dst.v6.ip[0] && flow_basic.src.v6.ip[1] > flow_basic.dst.v6.ip[1])
+ if (flow_basic.src.v6.ip[0] > flow_basic.dst.v6.ip[0] ||
+ (flow_basic.src.v6.ip[0] == flow_basic.dst.v6.ip[0] && flow_basic.src.v6.ip[1] > flow_basic.dst.v6.ip[1]))
{
min_addr[0] = flow_basic.dst.v6.ip[0];
- min_addr[1] = flow_basic.dst.v6.ip[0];
+ min_addr[1] = flow_basic.dst.v6.ip[1];
}
else
{
min_addr[0] = flow_basic.src.v6.ip[0];
- min_addr[1] = flow_basic.src.v6.ip[0];
+ min_addr[1] = flow_basic.src.v6.ip[1];
}
thread_index = min_addr[0] + min_addr[1] + ip6->ip6_hdr.ip6_un1_nxt;
}
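Review bot: The min-address selection has no comment saying why the lower of the two addresses is chosen, and the removed lines show how easily it goes wrong (an `&&` comparison and `ip[0]` copied into `min_addr[1]`). A one-line comment above `uint64_t min_addr[2];`, such as `/* use the lexicographically smaller address so both directions of a flow map to the same thread */`, would document the invariant; that is presumably the intent, since the use of `thread_index` lies outside the hunk. Separately, `thread_index` is a plain sum of two address words and the next-header value, all taken from the packet, so a sender can influence which worker a flow lands on. If even load across threads matters under hostile traffic, mixing these values through a hash seeded at startup would be more robust. ndpi_process_packet starts and ends outside the hunk.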
diff --git a/schema/flow_event_schema.json b/schema/flow_event_schema.json
index 65ef899fc..3b84f77cf 100644
--- a/schema/flow_event_schema.json
+++ b/schema/flow_event_schema.json
@@ -188,6 +188,9 @@
"ndpi": {
"type": "object"
},
+ "entropy": {
+ "type": "number"
+ },
"dhcp": {
"type": "object"
},
@@ -197,6 +200,9 @@
"mdns": {
"type": "object"
},
+ "ntp": {
+ "type": "object"
+ },
"ubntac2": {
"type": "object"
},
diff --git a/test/results/1kxun.pcap.out b/test/results/1kxun.pcap.out
index 5439db3c4..e33b8a27d 100644
--- a/test/results/1kxun.pcap.out
+++ b/test/results/1kxun.pcap.out
@@ -11,7 +11,7 @@
00588{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":1,"flow_first_seen":1470104373232,"flow_last_seen":1470104373232,"flow_idle_time":180000,"flow_min_l4_payload_len":133,"flow_max_l4_payload_len":133,"flow_tot_l4_payload_len":133,"flow_avg_l4_payload_len":133,"midstream":0,"ts_msec":1470104373232,"l3_proto":"ip4","src_ip":"192.168.5.44","dst_ip":"239.255.255.250","src_port":51389,"dst_port":1900,"l4_proto":"udp","ndpi": {"proto":"SSDP","breed":"Acceptable","category":"System"}}
00552{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":5,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":1,"flow_first_seen":1470104373741,"flow_last_seen":1470104373741,"flow_idle_time":180000,"flow_min_l4_payload_len":300,"flow_max_l4_payload_len":300,"flow_tot_l4_payload_len":300,"flow_avg_l4_payload_len":300,"midstream":0,"ts_msec":1470104373741,"l3_proto":"ip4","src_ip":"192.168.119.1","dst_ip":"255.255.255.255","src_port":67,"dst_port":68,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00840{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":5,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":1,"flow_last_seen":1470104373741,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":342,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":342,"pkt_l4_len":308,"ts_msec":1470104373741,"pkt":"\/\/\/\/\/\/\/\/TF4M6gNlCABFAAFIAAAAABARcfzAqHcB\/\/\/\/\/wBDAEQBNKS5AgEGAMCRIFIAAIAAwKgFJMCoBSTAqHcBAAAAAAAmWsJjVQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABjglNjNQEFNgTAqHcBMwQAAAA8AQT\/\/wAAAwTAqHcBBhCoXwEBCAgICKhfwAEICAQEKgioX8MMe8wtdP8AAAAA"}
-00612{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":5,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":1,"flow_first_seen":1470104373741,"flow_last_seen":1470104373741,"flow_idle_time":180000,"flow_min_l4_payload_len":300,"flow_max_l4_payload_len":300,"flow_tot_l4_payload_len":300,"flow_avg_l4_payload_len":300,"midstream":0,"ts_msec":1470104373741,"l3_proto":"ip4","src_ip":"192.168.119.1","dst_ip":"255.255.255.255","src_port":67,"dst_port":68,"l4_proto":"udp","ndpi": {"proto":"DHCP","breed":"Acceptable","category":"Network"},"dhcp": {"fingerprint":""}}
+00643{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":5,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":1,"flow_first_seen":1470104373741,"flow_last_seen":1470104373741,"flow_idle_time":180000,"flow_min_l4_payload_len":300,"flow_max_l4_payload_len":300,"flow_tot_l4_payload_len":300,"flow_avg_l4_payload_len":300,"midstream":0,"ts_msec":1470104373741,"l3_proto":"ip4","src_ip":"192.168.119.1","dst_ip":"255.255.255.255","src_port":67,"dst_port":68,"l4_proto":"udp","ndpi": {"proto":"DHCP","breed":"Acceptable","category":"Network"},"dhcp": {"hostname":"","fingerprint":"","class_ident":""}}
00546{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":6,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":1,"flow_first_seen":1470104375419,"flow_last_seen":1470104375419,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1470104375419,"l3_proto":"ip4","src_ip":"192.168.5.16","dst_ip":"68.233.253.133","src_port":53605,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00455{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_last_seen":1470104375419,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1470104375419,"pkt":"TF4M6gNlYMVHBbyMCABFAAA0ZDJAAEAGzmrAqAUQROn9hdFlAFAG4xw3xV6fSoAREAEocwAAAQEIChoPAavPGvHS"}
00556{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":7,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":1,"flow_first_seen":1470104376017,"flow_last_seen":1470104376017,"flow_idle_time":180000,"flow_min_l4_payload_len":137,"flow_max_l4_payload_len":137,"flow_tot_l4_payload_len":137,"flow_avg_l4_payload_len":137,"midstream":0,"ts_msec":1470104376017,"l3_proto":"ip4","src_ip":"192.168.5.50","dst_ip":"239.255.255.250","src_port":64674,"dst_port":1900,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
@@ -24,7 +24,7 @@
00611{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":10,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_last_seen":1470104376301,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":175,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":175,"pkt_l4_len":141,"ts_msec":1470104376301,"pkt":"AQBef\/\/6SNIkYzEACABFAAChOpEAAAERyOzAqAUs7\/\/\/+si9B2wAjdLxTS1TRUFSQ0ggKiBIVFRQLzEuMQ0KSG9zdDoyMzkuMjU1LjI1NS4yNTA6MTkwMA0KU1Q6dXJuOnNjaGVtYXMtdXBucC1vcmc6ZGV2aWNlOkludGVybmV0R2F0ZXdheURldmljZToxDQpNYW46InNzZHA6ZGlzY292ZXIiDQpNWDozDQoNCg=="}
00547{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":11,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":1,"flow_first_seen":1470104376301,"flow_last_seen":1470104376301,"flow_idle_time":180000,"flow_min_l4_payload_len":300,"flow_max_l4_payload_len":300,"flow_tot_l4_payload_len":300,"flow_avg_l4_payload_len":300,"midstream":0,"ts_msec":1470104376301,"l3_proto":"ip4","src_ip":"0.0.0.0","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00839{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":11,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":1,"flow_last_seen":1470104376301,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":342,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":342,"pkt_l4_len":308,"ts_msec":1470104376301,"pkt":"\/\/\/\/\/\/\/\/cD6s8PAHCABFAAFIDscAAP8Rq94AAAAA\/\/\/\/\/wBEAEMBNJGnAQEGAAYPv1sAAAAAAAAAAAAAAAAAAAAAAAAAAHA+rPDwBwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABjglNjNQEDNwcBeQMGD3f8OQIF3D0HAXA+rPDwBzIEwKgD7TMEAHanAAwEU2hlbv8AAAAAAAAAAAAAAAAAAAAA"}
-00627{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":11,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":1,"flow_first_seen":1470104376301,"flow_last_seen":1470104376301,"flow_idle_time":180000,"flow_min_l4_payload_len":300,"flow_max_l4_payload_len":300,"flow_tot_l4_payload_len":300,"flow_avg_l4_payload_len":300,"midstream":0,"ts_msec":1470104376301,"l3_proto":"ip4","src_ip":"0.0.0.0","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","ndpi": {"proto":"DHCP","breed":"Acceptable","category":"Network"},"dhcp": {"fingerprint":"1,121,3,6,15,119,252"}}
+00662{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":11,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":1,"flow_first_seen":1470104376301,"flow_last_seen":1470104376301,"flow_idle_time":180000,"flow_min_l4_payload_len":300,"flow_max_l4_payload_len":300,"flow_tot_l4_payload_len":300,"flow_avg_l4_payload_len":300,"midstream":0,"ts_msec":1470104376301,"l3_proto":"ip4","src_ip":"0.0.0.0","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","ndpi": {"proto":"DHCP","breed":"Acceptable","category":"Network"},"dhcp": {"hostname":"shen","fingerprint":"1,121,3,6,15,119,252","class_ident":""}}
00556{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":12,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":9,"flow_packets_processed":1,"flow_first_seen":1470104376816,"flow_last_seen":1470104376816,"flow_idle_time":180000,"flow_min_l4_payload_len":36,"flow_max_l4_payload_len":36,"flow_tot_l4_payload_len":36,"flow_avg_l4_payload_len":36,"midstream":0,"ts_msec":1470104376816,"l3_proto":"ip6","src_ip":"fe80::406:55a8:6453:25dd","dst_ip":"ff02::1:2","src_port":546,"dst_port":547,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00501{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":12,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":1,"flow_last_seen":1470104376816,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":98,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":98,"pkt_l4_len":44,"ts_msec":1470104376816,"pkt":"MzMAAQACcD6s8PAHht1gBWEEACwRAf6AAAAAAAAABAZVqGRTJd3\/AgAAAAAAAAAAAAAAAQACAiICIwAsiWgLJ3MdAAEADgABAAEduOb7cD6s8PAHAAYABAAXABgACAACAAA="}
00591{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":12,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":9,"flow_packets_processed":1,"flow_first_seen":1470104376816,"flow_last_seen":1470104376816,"flow_idle_time":180000,"flow_min_l4_payload_len":36,"flow_max_l4_payload_len":36,"flow_tot_l4_payload_len":36,"flow_avg_l4_payload_len":36,"midstream":0,"ts_msec":1470104376816,"l3_proto":"ip6","src_ip":"fe80::406:55a8:6453:25dd","dst_ip":"ff02::1:2","src_port":546,"dst_port":547,"l4_proto":"udp","ndpi": {"proto":"DHCPV6","breed":"Acceptable","category":"Network"}}
@@ -44,10 +44,10 @@
00457{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":18,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":13,"flow_packet_id":2,"flow_last_seen":1470104377720,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":64,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":64,"pkt_l4_len":30,"ts_msec":1470104377720,"pkt":"AQBeAAD8ABxCjnAxCABFAAAyUcEAAAERU03AqHMI4AAA\/MkCFOsAHtPcYF4AAAABAAAAAAAABHdwYWQAAAEAAQ=="}
00545{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":19,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":1,"flow_first_seen":1470104377734,"flow_last_seen":1470104377734,"flow_idle_time":180000,"flow_min_l4_payload_len":38,"flow_max_l4_payload_len":38,"flow_tot_l4_payload_len":38,"flow_avg_l4_payload_len":38,"midstream":0,"ts_msec":1470104377734,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"8.8.8.8","src_port":51024,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00477{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":19,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":14,"flow_packet_id":1,"flow_last_seen":1470104377734,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":80,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":80,"pkt_l4_len":46,"ts_msec":1470104377734,"pkt":"TF4M6gNlABxCjnAxCABFAABCUcIAAIARpSjAqHMICAgICMdQADUALoWI\/SwBAAABAAAAAAAAAmpwBmthbmthbgUxa3h1bgRtb2JpAAABAAE="}
-00724{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":19,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":1,"flow_first_seen":1470104377734,"flow_last_seen":1470104377734,"flow_idle_time":180000,"flow_min_l4_payload_len":38,"flow_max_l4_payload_len":38,"flow_tot_l4_payload_len":38,"flow_avg_l4_payload_len":38,"midstream":0,"ts_msec":1470104377734,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"8.8.8.8","src_port":51024,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Tracker\/Ads","category":"Streaming"},"dns": {"query":"jp.kankan.1kxun.mobi","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
+00722{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":19,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":1,"flow_first_seen":1470104377734,"flow_last_seen":1470104377734,"flow_idle_time":180000,"flow_min_l4_payload_len":38,"flow_max_l4_payload_len":38,"flow_tot_l4_payload_len":38,"flow_avg_l4_payload_len":38,"midstream":0,"ts_msec":1470104377734,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"8.8.8.8","src_port":51024,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Acceptable","category":"Streaming"},"dns": {"query":"jp.kankan.1kxun.mobi","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
00477{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":20,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":14,"flow_packet_id":2,"flow_last_seen":1470104377734,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":80,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":80,"pkt_l4_len":46,"ts_msec":1470104377734,"pkt":"TF4M6gNlABxCjnAxCABFAABCUcIAAIARpSjAqHMICAgICMdQADUALoWI\/SwBAAABAAAAAAAAAmpwBmthbmthbgUxa3h1bgRtb2JpAAABAAE="}
00523{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":21,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":14,"flow_packet_id":3,"flow_last_seen":1470104377753,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":112,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":112,"pkt_l4_len":78,"ts_msec":1470104377753,"pkt":"ABxCjnAxTF4M6gNlCABFAABinjgAAC4RqpIICAgIwKhzCAA1x1AATmX5\/SyBgAABAAIAAAAAAmpwBmthbmthbgUxa3h1bgRtb2JpAAABAAHADAABAAEAAAErAARquSNuwAwAAQABAAABKwAEarkjcA=="}
-00740{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":21,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":3,"flow_first_seen":1470104377734,"flow_last_seen":1470104377753,"flow_idle_time":180000,"flow_min_l4_payload_len":38,"flow_max_l4_payload_len":70,"flow_tot_l4_payload_len":146,"flow_avg_l4_payload_len":48,"midstream":0,"ts_msec":1470104377753,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"8.8.8.8","src_port":51024,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Tracker\/Ads","category":"Streaming"},"dns": {"query":"jp.kankan.1kxun.mobi","num_queries":1,"num_answers":2,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"106.185.35.110"}}
+00738{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":21,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":3,"flow_first_seen":1470104377734,"flow_last_seen":1470104377753,"flow_idle_time":180000,"flow_min_l4_payload_len":38,"flow_max_l4_payload_len":70,"flow_tot_l4_payload_len":146,"flow_avg_l4_payload_len":48,"midstream":0,"ts_msec":1470104377753,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"8.8.8.8","src_port":51024,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Acceptable","category":"Streaming"},"dns": {"query":"jp.kankan.1kxun.mobi","num_queries":1,"num_answers":2,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"106.185.35.110"}}
00549{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":22,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":15,"flow_packets_processed":1,"flow_first_seen":1470104377754,"flow_last_seen":1470104377754,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1470104377754,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"106.185.35.110","src_port":49597,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00457{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":22,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":1,"flow_last_seen":1470104377754,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1470104377754,"pkt":"TF4M6gNlABxCjnAxCABFAAA0UcRAAIAG5yfAqHMIarkjbsG9AFA9WFFgAAAAAIACIAA9OgAAAgQE7AEDAwgBAQQC"}
00457{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":23,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":2,"flow_last_seen":1470104377754,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1470104377754,"pkt":"TF4M6gNlABxCjnAxCABFAAA0UcRAAIAG5yfAqHMIarkjbsG9AFA9WFFgAAAAAIACIAA9OgAAAgQE7AEDAwgBAQQC"}
@@ -58,7 +58,7 @@
00843{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":32,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_last_seen":1470104377839,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":342,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":342,"pkt_l4_len":308,"ts_msec":1470104377839,"pkt":"\/\/\/\/\/\/\/\/TF4M6gNlCABFAAFIAAAAABARcfzAqHcB\/\/\/\/\/wBDAEQBNAJhAgEGADFjB6UAAAAAwKgFCcCoBQnAqHcBAAAAAHDxofgq\/QAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABjglNjNQEFNgTAqHcBMwQAAAA8AQT\/\/wAAAwTAqHcBBhCoXwEBCAgICKhfwAEICAQE\/wAAAAAAAAAAAAAAAAAA"}
00545{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":35,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":16,"flow_packets_processed":1,"flow_first_seen":1470104377901,"flow_last_seen":1470104377901,"flow_idle_time":180000,"flow_min_l4_payload_len":34,"flow_max_l4_payload_len":34,"flow_tot_l4_payload_len":34,"flow_avg_l4_payload_len":34,"midstream":0,"ts_msec":1470104377901,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"8.8.8.8","src_port":52723,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00472{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":35,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":1,"flow_last_seen":1470104377901,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":76,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":76,"pkt_l4_len":42,"ts_msec":1470104377901,"pkt":"TF4M6gNlABxCjnAxCABFAAA+UcgAAIARpSbAqHMICAgICM3zADUAKlE0ceUBAAABAAAAAAAABmthbmthbgUxa3h1bgNjb20AAAEAAQ=="}
-00720{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":35,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":16,"flow_packets_processed":1,"flow_first_seen":1470104377901,"flow_last_seen":1470104377901,"flow_idle_time":180000,"flow_min_l4_payload_len":34,"flow_max_l4_payload_len":34,"flow_tot_l4_payload_len":34,"flow_avg_l4_payload_len":34,"midstream":0,"ts_msec":1470104377901,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"8.8.8.8","src_port":52723,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Tracker\/Ads","category":"Streaming"},"dns": {"query":"kankan.1kxun.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
+00718{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":35,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":16,"flow_packets_processed":1,"flow_first_seen":1470104377901,"flow_last_seen":1470104377901,"flow_idle_time":180000,"flow_min_l4_payload_len":34,"flow_max_l4_payload_len":34,"flow_tot_l4_payload_len":34,"flow_avg_l4_payload_len":34,"midstream":0,"ts_msec":1470104377901,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"8.8.8.8","src_port":52723,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Acceptable","category":"Streaming"},"dns": {"query":"kankan.1kxun.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
00472{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":36,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":2,"flow_last_seen":1470104377901,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":76,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":76,"pkt_l4_len":42,"ts_msec":1470104377901,"pkt":"TF4M6gNlABxCjnAxCABFAAA+UcgAAIARpSbAqHMICAgICM3zADUAKlE0ceUBAAABAAAAAAAABmthbmthbgUxa3h1bgNjb20AAAEAAQ=="}
00549{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":37,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":17,"flow_packets_processed":1,"flow_first_seen":1470104378005,"flow_last_seen":1470104378005,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1470104378005,"l3_proto":"ip4","src_ip":"192.168.5.16","dst_ip":"192.168.115.75","src_port":53622,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00450{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":37,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":17,"flow_packet_id":1,"flow_last_seen":1470104378005,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"ts_msec":1470104378005,"pkt":"ABAj4ACgYMVHBbyMCABFAAAol0tAAEAGqdjAqAUQwKhzS9F2AbsV1ofmvikqE1ARIAA8\/AAAAAAAAAAA"}
@@ -95,17 +95,17 @@
00457{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":57,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":25,"flow_packet_id":1,"flow_last_seen":1470104378906,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1470104378906,"pkt":"TF4M6gNlABxCjnAxCABFAAA0Uc5AAIAGmFPAqHMI3kn+p8G+AFDrM0BvAAAAAIACIABRhAAAAgQE7AEDAwgBAQQC"}
00457{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":58,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":25,"flow_packet_id":2,"flow_last_seen":1470104378906,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1470104378906,"pkt":"TF4M6gNlABxCjnAxCABFAAA0Uc5AAIAGmFPAqHMI3kn+p8G+AFDrM0BvAAAAAIACIABRhAAAAgQE7AEDAwgBAQQC"}
00516{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":59,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":3,"flow_last_seen":1470104378954,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":108,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":108,"pkt_l4_len":74,"ts_msec":1470104378954,"pkt":"ABxCjnAxTF4M6gNlCABFAABeST8AADAR\/Y8ICAgIwKhzCAA1zfMASpHwceWBgAABAAIAAAAABmthbmthbgUxa3h1bgNjb20AAAEAAcAMAAEAAQAAAlcABN5J\/nHADAABAAEAAAJXAATeSf6n"}
-00736{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":59,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":16,"flow_packets_processed":3,"flow_first_seen":1470104377901,"flow_last_seen":1470104378954,"flow_idle_time":180000,"flow_min_l4_payload_len":34,"flow_max_l4_payload_len":66,"flow_tot_l4_payload_len":134,"flow_avg_l4_payload_len":44,"midstream":0,"ts_msec":1470104378954,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"8.8.8.8","src_port":52723,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Tracker\/Ads","category":"Streaming"},"dns": {"query":"kankan.1kxun.com","num_queries":1,"num_answers":2,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"222.73.254.113"}}
+00734{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":59,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":16,"flow_packets_processed":3,"flow_first_seen":1470104377901,"flow_last_seen":1470104378954,"flow_idle_time":180000,"flow_min_l4_payload_len":34,"flow_max_l4_payload_len":66,"flow_tot_l4_payload_len":134,"flow_avg_l4_payload_len":44,"midstream":0,"ts_msec":1470104378954,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"8.8.8.8","src_port":52723,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Acceptable","category":"Streaming"},"dns": {"query":"kankan.1kxun.com","num_queries":1,"num_answers":2,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"222.73.254.113"}}
00615{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":60,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":2,"flow_last_seen":1470104378967,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":179,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":179,"pkt_l4_len":145,"ts_msec":1470104378967,"pkt":"AQBef\/\/6uKxv2MGbCABFAAClQRMAAAQRv2DAqAUy7\/\/\/+vyiB2wAkVLKTS1TRUFSQ0ggKiBIVFRQLzEuMQ0KSG9zdDogMjM5LjI1NS4yNTUuMjUwOjE5MDANClNUOiB1cm46c2NoZW1hcy11cG5wLW9yZzpkZXZpY2U6SW50ZXJuZXRHYXRld2F5RGV2aWNlOjENCk1hbjogInNzZHA6ZGlzY292ZXIiDQpNWDogMw0KDQo="}
00611{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":61,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":2,"flow_last_seen":1470104378967,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":175,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":175,"pkt_l4_len":141,"ts_msec":1470104378967,"pkt":"AQBef\/\/6SNIkYwreCABFAAChfiAAAAERhWDAqAUp7\/\/\/+tgQB2wAjcOhTS1TRUFSQ0ggKiBIVFRQLzEuMQ0KSG9zdDoyMzkuMjU1LjI1NS4yNTA6MTkwMA0KU1Q6dXJuOnNjaGVtYXMtdXBucC1vcmc6ZGV2aWNlOkludGVybmV0R2F0ZXdheURldmljZToxDQpNYW46InNzZHA6ZGlzY292ZXIiDQpNWDozDQoNCg=="}
00457{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":62,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":25,"flow_packet_id":3,"flow_last_seen":1470104378970,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1470104378970,"pkt":"ABxCjnAxTF4M6gNlCABFAAA0AABAADEGOSLeSf6nwKhzCABQwb6HB4x76zNAcIASFtBGWQAAAgQFtAEBBAIBAwMH"}
00905{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":65,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":25,"flow_packets_processed":6,"flow_first_seen":1470104378906,"flow_last_seen":1470104378975,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":420,"flow_tot_l4_payload_len":420,"flow_avg_l4_payload_len":70,"midstream":0,"ts_msec":1470104378975,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"222.73.254.167","src_port":49598,"dst_port":80,"l4_proto":"tcp","ndpi": {"proto":"HTTP","breed":"Acceptable","category":"Streaming"},"http": {"hostname":"kankan.1kxun.com","url":"kankan.1kxun.com\/api\/videos\/alsolikes\/10410.json?callback=jQuery18306855657112319022_1470103242123&_=1470104377899","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.22 (KHTML, like Gecko) Chrome\/25.0.1364.152 Safari\/537.22"}}
00545{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":69,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":26,"flow_packets_processed":1,"flow_first_seen":1470104379066,"flow_last_seen":1470104379066,"flow_idle_time":180000,"flow_min_l4_payload_len":31,"flow_max_l4_payload_len":31,"flow_tot_l4_payload_len":31,"flow_avg_l4_payload_len":31,"midstream":0,"ts_msec":1470104379066,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"8.8.8.8","src_port":60724,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00469{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":69,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":26,"flow_packet_id":1,"flow_last_seen":1470104379066,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":73,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":73,"pkt_l4_len":39,"ts_msec":1470104379066,"pkt":"TF4M6gNlABxCjnAxCABFAAA7UdIAAIARpR\/AqHMICAgICO00ADUAJ9woKZABAAABAAAAAAAAA3BpYwUxa3h1bgNjb20AAAEAAQ=="}
-00717{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":69,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":26,"flow_packets_processed":1,"flow_first_seen":1470104379066,"flow_last_seen":1470104379066,"flow_idle_time":180000,"flow_min_l4_payload_len":31,"flow_max_l4_payload_len":31,"flow_tot_l4_payload_len":31,"flow_avg_l4_payload_len":31,"midstream":0,"ts_msec":1470104379066,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"8.8.8.8","src_port":60724,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Tracker\/Ads","category":"Streaming"},"dns": {"query":"pic.1kxun.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
+00715{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":69,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":26,"flow_packets_processed":1,"flow_first_seen":1470104379066,"flow_last_seen":1470104379066,"flow_idle_time":180000,"flow_min_l4_payload_len":31,"flow_max_l4_payload_len":31,"flow_tot_l4_payload_len":31,"flow_avg_l4_payload_len":31,"midstream":0,"ts_msec":1470104379066,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"8.8.8.8","src_port":60724,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Acceptable","category":"Streaming"},"dns": {"query":"pic.1kxun.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
00469{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":70,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":26,"flow_packet_id":2,"flow_last_seen":1470104379066,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":73,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":73,"pkt_l4_len":39,"ts_msec":1470104379066,"pkt":"TF4M6gNlABxCjnAxCABFAAA7UdIAAIARpR\/AqHMICAgICO00ADUAJ9woKZABAAABAAAAAAAAA3BpYwUxa3h1bgNjb20AAAEAAQ=="}
00556{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":71,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":26,"flow_packet_id":3,"flow_last_seen":1470104379115,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":137,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":137,"pkt_l4_len":103,"ts_msec":1470104379115,"pkt":"ABxCjnAxTF4M6gNlCABFAAB7GLEAAC4RMAEICAgIwKhzCAA17TQAZ+zhKZCBgAABAAQAAAAAA3BpYwUxa3h1bgNjb20AAAEAAcAMAAEAAQAAAlcABGq7I\/bADAABAAEAAAJXAASAx7rowAwAAQABAAACVwAEgMdvqcAMAAEAAQAAAlcABGq6Ezo="}
-00733{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":71,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":26,"flow_packets_processed":3,"flow_first_seen":1470104379066,"flow_last_seen":1470104379115,"flow_idle_time":180000,"flow_min_l4_payload_len":31,"flow_max_l4_payload_len":95,"flow_tot_l4_payload_len":157,"flow_avg_l4_payload_len":52,"midstream":0,"ts_msec":1470104379115,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"8.8.8.8","src_port":60724,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Tracker\/Ads","category":"Streaming"},"dns": {"query":"pic.1kxun.com","num_queries":1,"num_answers":4,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"106.187.35.246"}}
+00731{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":71,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":26,"flow_packets_processed":3,"flow_first_seen":1470104379066,"flow_last_seen":1470104379115,"flow_idle_time":180000,"flow_min_l4_payload_len":31,"flow_max_l4_payload_len":95,"flow_tot_l4_payload_len":157,"flow_avg_l4_payload_len":52,"midstream":0,"ts_msec":1470104379115,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"8.8.8.8","src_port":60724,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Acceptable","category":"Streaming"},"dns": {"query":"pic.1kxun.com","num_queries":1,"num_answers":4,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"106.187.35.246"}}
00549{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":72,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":27,"flow_packets_processed":1,"flow_first_seen":1470104379117,"flow_last_seen":1470104379117,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1470104379117,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"106.187.35.246","src_port":49599,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00458{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":72,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":27,"flow_packet_id":1,"flow_last_seen":1470104379117,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1470104379117,"pkt":"TF4M6gNlABxCjnAxCABFAAA0UdRAAIAG5o3AqHMIarsj9sG\/AFBFF77fAAAAAIACIADHbwAAAgQE7AEDAwgBAQQC"}
00458{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":73,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":27,"flow_packet_id":2,"flow_last_seen":1470104379117,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1470104379117,"pkt":"TF4M6gNlABxCjnAxCABFAAA0UdRAAIAG5o3AqHMIarsj9sG\/AFBFF77fAAAAAIACIADHbwAAAgQE7AEDAwgBAQQC"}
@@ -240,7 +240,7 @@
00617{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":604,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":12,"flow_packet_id":3,"flow_last_seen":1470104383675,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":179,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":179,"pkt_l4_len":145,"ts_msec":1470104383675,"pkt":"AQBef\/\/6zD2CHu7jCABFAAClQLYAAAQRv8DAqAUv7\/\/\/+utrB2wAkWQETS1TRUFSQ0ggKiBIVFRQLzEuMQ0KSG9zdDogMjM5LjI1NS4yNTUuMjUwOjE5MDANClNUOiB1cm46c2NoZW1hcy11cG5wLW9yZzpkZXZpY2U6SW50ZXJuZXRHYXRld2F5RGV2aWNlOjENCk1hbjogInNzZHA6ZGlzY292ZXIiDQpNWDogMw0KDQo="}
00552{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":607,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":55,"flow_packets_processed":1,"flow_first_seen":1470104383810,"flow_last_seen":1470104383810,"flow_idle_time":180000,"flow_min_l4_payload_len":300,"flow_max_l4_payload_len":300,"flow_tot_l4_payload_len":300,"flow_avg_l4_payload_len":300,"midstream":0,"ts_msec":1470104383810,"l3_proto":"ip4","src_ip":"192.168.5.16","dst_ip":"192.168.119.1","src_port":68,"dst_port":67,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00830{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":607,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":55,"flow_packet_id":1,"flow_last_seen":1470104383810,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":342,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":342,"pkt_l4_len":308,"ts_msec":1470104383810,"pkt":"TF4M6gNlYMVHBbyMCABFAAFI+0MAAEARgP\/AqAUQwKh3AQBEAEMBNFvxAQEGABeXwMwAAAAAwKgFEAAAAAAAAAAAAAAAAGDFRwW8jAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABjglNjNQEDNwkBAwYPd1\/8LC45AgXcPQcBYMVHBbyMMwQAdqcADAtNYWNCb29rLUFpcv8AAAAAAAAAAAAAAAAA"}
-00637{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":607,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":55,"flow_packets_processed":1,"flow_first_seen":1470104383810,"flow_last_seen":1470104383810,"flow_idle_time":180000,"flow_min_l4_payload_len":300,"flow_max_l4_payload_len":300,"flow_tot_l4_payload_len":300,"flow_avg_l4_payload_len":300,"midstream":0,"ts_msec":1470104383810,"l3_proto":"ip4","src_ip":"192.168.5.16","dst_ip":"192.168.119.1","src_port":68,"dst_port":67,"l4_proto":"udp","ndpi": {"proto":"DHCP","breed":"Acceptable","category":"Network"},"dhcp": {"fingerprint":"1,3,6,15,119,95,252,44,46"}}
+00679{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":607,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":55,"flow_packets_processed":1,"flow_first_seen":1470104383810,"flow_last_seen":1470104383810,"flow_idle_time":180000,"flow_min_l4_payload_len":300,"flow_max_l4_payload_len":300,"flow_tot_l4_payload_len":300,"flow_avg_l4_payload_len":300,"midstream":0,"ts_msec":1470104383810,"l3_proto":"ip4","src_ip":"192.168.5.16","dst_ip":"192.168.119.1","src_port":68,"dst_port":67,"l4_proto":"udp","ndpi": {"proto":"DHCP","breed":"Acceptable","category":"Network"},"dhcp": {"hostname":"macbook-air","fingerprint":"1,3,6,15,119,95,252,44,46","class_ident":""}}
00831{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":608,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":55,"flow_packet_id":2,"flow_last_seen":1470104383815,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":342,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":342,"pkt_l4_len":308,"ts_msec":1470104383815,"pkt":"ABxCjnAxTF4M6gNlCABFAAFIAAAAABARrEPAqHcBwKgFEABDAEQBNHbOAgEGABeXwMwAAAAAwKgFEMCoBRDAqHcBAAAAAGDFRwW8jAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABjglNjNQEFNgTAqHcBMwQAAAA8AQT\/\/wAAAwTAqHcBBhCoXwEBCAgICKhfwAEICAQE\/wAAAAAAAAAAAAAAAAAA"}
00614{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":612,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":21,"flow_packet_id":3,"flow_last_seen":1470104384085,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":175,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":175,"pkt_l4_len":141,"ts_msec":1470104384085,"pkt":"AQBef\/\/6\/PiuMpcsCABFAAChLEMAAAER2QfAqANf7\/\/\/+uhMB2wAjbUvTS1TRUFSQ0ggKiBIVFRQLzEuMQ0KSG9zdDoyMzkuMjU1LjI1NS4yNTA6MTkwMA0KU1Q6dXJuOnNjaGVtYXMtdXBucC1vcmc6ZGV2aWNlOkludGVybmV0R2F0ZXdheURldmljZToxDQpNYW46InNzZHA6ZGlzY292ZXIiDQpNWDozDQoNCg=="}
00614{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":618,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":44,"flow_packet_id":2,"flow_last_seen":1470104384289,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":175,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":175,"pkt_l4_len":141,"ts_msec":1470104384289,"pkt":"AQBef\/\/6CJ4BzeuNCABFAAChFFAAAAER7zTAqAUl7\/\/\/+t\/tB2wAjbvITS1TRUFSQ0ggKiBIVFRQLzEuMQ0KSG9zdDoyMzkuMjU1LjI1NS4yNTA6MTkwMA0KU1Q6dXJuOnNjaGVtYXMtdXBucC1vcmc6ZGV2aWNlOkludGVybmV0R2F0ZXdheURldmljZToxDQpNYW46InNzZHA6ZGlzY292ZXIiDQpNWDozDQoNCg=="}
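Review bot: The new expected line for flow 55 pins `"class_ident":""` for a DHCP packet that, judging by the `pkt` payload two lines above it, carries no vendor-class option at all. A consumer of these events therefore cannot tell "option absent" from "option present but empty". The same line records the hostname as `macbook-air`, while the captured bytes decode to `MacBook-Air`; the `joanna-pc` and `kevin-pc` lines in the later hunks show the same case-folding next to `Joanna-PC` and `kevin-PC` in their packets. Both values are client-supplied and unauthenticated, so I would leave the key out when the option is missing, e.g. `"dhcp": {"hostname":"macbook-air","fingerprint":"1,3,6,15,119,95,252,44,46"}`, and state in the schema description that `hostname` is normalised and must not be treated as a host identity. The emitting code is in nDPId.c, outside this hunk, so the lowercasing may be intentional upstream behaviour; if it is, a one-line schema note is enough.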
@@ -316,7 +316,7 @@
00463{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":787,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":73,"flow_packet_id":2,"flow_last_seen":1470104396987,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":68,"pkt_l4_len":34,"ts_msec":1470104396987,"pkt":"AQBeAAD8SNIkYwreCABFAAA2fi4AAAERlLvAqAUp4AAA\/NTGFOsAItEVVXMAAAABAAAAAAAACGtldmluLVBDAAD\/AAE="}
00553{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":791,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":74,"flow_packets_processed":1,"flow_first_seen":1470104397091,"flow_last_seen":1470104397091,"flow_idle_time":180000,"flow_min_l4_payload_len":300,"flow_max_l4_payload_len":300,"flow_tot_l4_payload_len":300,"flow_avg_l4_payload_len":300,"midstream":0,"ts_msec":1470104397091,"l3_proto":"ip4","src_ip":"192.168.5.9","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00843{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":791,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":74,"flow_packet_id":1,"flow_last_seen":1470104397091,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":342,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":342,"pkt_l4_len":308,"ts_msec":1470104397091,"pkt":"\/\/\/\/\/\/\/\/cPGh+Cr9CABFAAFIAzMAAIARcMHAqAUJ\/\/\/\/\/wBEAEMBND1aAQEGAPwPedgAAIAAwKgFCQAAAAAAAAAAAAAAAHDxofgq\/QAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABjglNjNQEIPQcBcPGh+Cr9DAlKb2FubmEtUEM8CE1TRlQgNS4wNw0BDwMGLC4vHyF5+Sv8\/wAAAAAAAAAAAAAA"}
-00651{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":791,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":74,"flow_packets_processed":1,"flow_first_seen":1470104397091,"flow_last_seen":1470104397091,"flow_idle_time":180000,"flow_min_l4_payload_len":300,"flow_max_l4_payload_len":300,"flow_tot_l4_payload_len":300,"flow_avg_l4_payload_len":300,"midstream":0,"ts_msec":1470104397091,"l3_proto":"ip4","src_ip":"192.168.5.9","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","ndpi": {"proto":"DHCP","breed":"Acceptable","category":"Network"},"dhcp": {"fingerprint":"1,15,3,6,44,46,47,31,33,121,249,43,252"}}
+00699{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":791,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":74,"flow_packets_processed":1,"flow_first_seen":1470104397091,"flow_last_seen":1470104397091,"flow_idle_time":180000,"flow_min_l4_payload_len":300,"flow_max_l4_payload_len":300,"flow_tot_l4_payload_len":300,"flow_avg_l4_payload_len":300,"midstream":0,"ts_msec":1470104397091,"l3_proto":"ip4","src_ip":"192.168.5.9","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","ndpi": {"proto":"DHCP","breed":"Acceptable","category":"Network"},"dhcp": {"hostname":"joanna-pc","fingerprint":"1,15,3,6,44,46,47,31,33,121,249,43,252","class_ident":"MSFT 5.0"}}
00559{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":803,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":75,"flow_packets_processed":1,"flow_first_seen":1470104397807,"flow_last_seen":1470104397807,"flow_idle_time":180000,"flow_min_l4_payload_len":137,"flow_max_l4_payload_len":137,"flow_tot_l4_payload_len":137,"flow_avg_l4_payload_len":137,"midstream":0,"ts_msec":1470104397807,"l3_proto":"ip4","src_ip":"192.168.5.48","dst_ip":"239.255.255.250","src_port":49701,"dst_port":1900,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00617{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":803,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":75,"flow_packet_id":1,"flow_last_seen":1470104397807,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":179,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":179,"pkt_l4_len":145,"ts_msec":1470104397807,"pkt":"AQBef\/\/6bEAIlAI6CABFAAClrzIAAAERVEPAqAUw7\/\/\/+sIlB2wAkY1JTS1TRUFSQ0ggKiBIVFRQLzEuMQ0KSG9zdDogMjM5LjI1NS4yNTUuMjUwOjE5MDANClNUOiB1cm46c2NoZW1hcy11cG5wLW9yZzpkZXZpY2U6SW50ZXJuZXRHYXRld2F5RGV2aWNlOjENCk1hbjogInNzZHA6ZGlzY292ZXIiDQpNWDogMw0KDQo="}
00591{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":803,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":75,"flow_packets_processed":1,"flow_first_seen":1470104397807,"flow_last_seen":1470104397807,"flow_idle_time":180000,"flow_min_l4_payload_len":137,"flow_max_l4_payload_len":137,"flow_tot_l4_payload_len":137,"flow_avg_l4_payload_len":137,"midstream":0,"ts_msec":1470104397807,"l3_proto":"ip4","src_ip":"192.168.5.48","dst_ip":"239.255.255.250","src_port":49701,"dst_port":1900,"l4_proto":"udp","ndpi": {"proto":"SSDP","breed":"Acceptable","category":"System"}}
@@ -436,7 +436,7 @@
00474{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1071,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":104,"flow_packet_id":2,"flow_last_seen":1470104412962,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":75,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":75,"pkt_l4_len":41,"ts_msec":1470104412962,"pkt":"AQBeAAD86LH8q\/uyCABFAAA9eeYAAAERmPTAqAUx4AAA\/Pw4FOsAKTqNDBAAAAABAAAAAAAAD2NhZXNhci10aGlua3BhZAAA\/wAB"}
00556{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1079,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":105,"flow_packets_processed":1,"flow_first_seen":1470104413679,"flow_last_seen":1470104413679,"flow_idle_time":180000,"flow_min_l4_payload_len":300,"flow_max_l4_payload_len":300,"flow_tot_l4_payload_len":300,"flow_avg_l4_payload_len":300,"midstream":0,"ts_msec":1470104413679,"l3_proto":"ip4","src_ip":"192.168.5.41","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00845{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1079,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":105,"flow_packet_id":1,"flow_last_seen":1470104413679,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":342,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":342,"pkt_l4_len":308,"ts_msec":1470104413679,"pkt":"\/\/\/\/\/\/\/\/SNIkYwreCABFAAFIfjcAAEARNZ3AqAUp\/\/\/\/\/wBEAEMBNOoXAQEGAAJEmkEAAIAAwKgFKQAAAAAAAAAAAAAAAEjSJGMK3gAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABjglNjNQEIPQcBSNIkYwreDAhrZXZpbi1QQzwITVNGVCA1LjA3DQEPAwYsLi8fIXn5K\/z\/AAAAAAAAAAAAAAAA"}
-00654{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1079,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":105,"flow_packets_processed":1,"flow_first_seen":1470104413679,"flow_last_seen":1470104413679,"flow_idle_time":180000,"flow_min_l4_payload_len":300,"flow_max_l4_payload_len":300,"flow_tot_l4_payload_len":300,"flow_avg_l4_payload_len":300,"midstream":0,"ts_msec":1470104413679,"l3_proto":"ip4","src_ip":"192.168.5.41","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","ndpi": {"proto":"DHCP","breed":"Acceptable","category":"Network"},"dhcp": {"fingerprint":"1,15,3,6,44,46,47,31,33,121,249,43,252"}}
+00701{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1079,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":105,"flow_packets_processed":1,"flow_first_seen":1470104413679,"flow_last_seen":1470104413679,"flow_idle_time":180000,"flow_min_l4_payload_len":300,"flow_max_l4_payload_len":300,"flow_tot_l4_payload_len":300,"flow_avg_l4_payload_len":300,"midstream":0,"ts_msec":1470104413679,"l3_proto":"ip4","src_ip":"192.168.5.41","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","ndpi": {"proto":"DHCP","breed":"Acceptable","category":"Network"},"dhcp": {"hostname":"kevin-pc","fingerprint":"1,15,3,6,44,46,47,31,33,121,249,43,252","class_ident":"MSFT 5.0"}}
00831{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1082,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":55,"flow_packet_id":3,"flow_last_seen":1470104413815,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":342,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":342,"pkt_l4_len":308,"ts_msec":1470104413815,"pkt":"TF4M6gNlYMVHBbyMCABFAAFIqYMAAEAR0r\/AqAUQwKh3AQBEAEMBNFvwAQEGABeXwM0AAAAAwKgFEAAAAAAAAAAAAAAAAGDFRwW8jAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABjglNjNQEDNwkBAwYPd1\/8LC45AgXcPQcBYMVHBbyMMwQAdqcADAtNYWNCb29rLUFpcv8AAAAAAAAAAAAAAAAA"}
00561{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1087,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":106,"flow_packets_processed":1,"flow_first_seen":1470104414296,"flow_last_seen":1470104414296,"flow_idle_time":7440000,"flow_min_l4_payload_len":1093,"flow_max_l4_payload_len":1093,"flow_tot_l4_payload_len":1093,"flow_avg_l4_payload_len":1093,"midstream":1,"ts_msec":1470104414296,"l3_proto":"ip4","src_ip":"192.168.5.16","dst_ip":"31.13.87.36","src_port":53580,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
01940{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1087,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":106,"flow_packet_id":1,"flow_last_seen":1470104414296,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":1159,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1159,"pkt_l4_len":1125,"ts_msec":1470104414296,"pkt":"TF4M6gNlYMVHBbyMCABFAAR5Xv9AAEAGm5bAqAUQHw1XJNFMAbv8UmzuBJ2iMIAYEABHkgAAAQEIChoPmUJf7iUmFwMDBEAsTuFq8CapSbqPXvcdxKrSs42tBtoxpkpEhbC8nI\/Z9Ti9iLIQZa5j5LW58IaLnxvFb3pZI+B1RxFJh1MX7hfwSESpGA\/xdeEaXYqNDQOsIrAzCG5XHIwlKsfFfn\/8RQrusMspya+fP6t\/Zg2Y6qSh9wcmn8mXJja+baLib9aevB6ce5XBs3a64vsRCgFs5NXASh55KEqD8yMaqdrRhlWFE6xGr6+SpmMLlVUwh48nOg1sBDe\/WYgSpLNk63+28tyTAwCIcOk3y10vOsyt7ZjgvztDnWOLtsn7\/6kMi3u2RdUB7eGGzM2NovPfgy\/qKgW2LAn44liW9WewObR4bp+dPFEvC0Y3+SW5bib2uvhBosFVLRK5YrZcwALZJXqqXhrrs6bu\/ljawzwGUMfLGQ2WSbwafdg9dJ73rdMEF1vEvfkETGUyJeWyPgg2G2DdxVtAlhAOni2Cb6JW3jV3kUvfm9gPSADxqT1QqjMQAvLuAsUt5WChMz4yp18RafOK\/1ZUrwxEzqELsHqkpHQf4ILnKSgg5+kGWAcGpm5BV27qLCy+WyMYEnVR9nevFTvw2OV3haLNTqpyfd4K7vOAMw+dbscVa9MHAeqcd7IQnXV8FbWdFXkC4wCM4E8hTvbfJf2QumZQ2fXLtiYd3sw8qoFpqMjmllDchFzska7DS7GVif4h6CnDNlZ4V+i1Eng9ELpwqlbXjyiEgMAhv7fPmI8e61K\/2gGY8OMdxcNsyD40PLGc9n2gJgcjUdhv3yk5lS0wyxma1JJ1Pa0sEMzvHL8CT6BpEzwkMJEMkciKtJ6VsJyummJhpN5MU9bS0CfSvwU0ARZvT+jD4m9Xd2enHnLuDwg4KR5SAhfN1vXfVfNlzPARDhSaBSDDpj8POKqEg5amwWHcBAQbXCOcOftYxPyyUfYlmBS91ssyfM9KHAYAPjuptOjnLxGz2x9TbNHcI4nTKruVWTV9ktQaEfrdpb\/HDqnCQBNGReenZ\/zWZ\/GfJml4Cm+qteZq9C64lEHb9+XokUZOr8X2s3gyZpMYfRa5jmhmO9xmHg7WJrK4eIDuKfpKwBJ058yTVyD7l0KDSW9GneGAGkjet6prc4idVI6G79csJZdQxaibq52QgAy0phRLTPkicoq0gLlZcIZm+Mml46cJhhEv0H26dA+KCoM5R5DwKEyBjuFs1QF3Y4+SDB+bc1Wt792AR8qtKWp6gbS96vJnCeIhTEA3KFLfapTzgvIE4vSB7KreGQj+tnmHbTp1DHeV+7y4PmFv5on7p4A6CEwD6f6fjePEHDfs2g0EYheGp2VL2NvXgnD2ikpgTUWxxOX40I6u2o6OTbP2RNpQ9m8KCHjwUMiisO3DyvkoNm8lZ6ZPWkev9k5y7txVdM8LiyyQoSG929RxmQGshqjjCdAsjAk+bbGLy98uGf3QTIpvsX0AlZ7fP\/qiRzGtQg=="}
@@ -502,7 +502,7 @@
00506{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1336,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":118,"flow_packet_id":3,"flow_last_seen":1470104426276,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":92,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":92,"pkt_l4_len":58,"ts_msec":1470104426276,"pkt":"\/\/\/\/\/\/\/\/AAwpjO\/4CABFAABOZ6UAAIARUUHAqABowKj\/\/wCJAIkAOgIy8PkBEAABAAAAAAAAIEZERURDT0VCRkNGQ0VCRU9FREVCRkNDT0VQRkNFSEFBAAAgAAE="}
00552{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1343,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":119,"flow_packets_processed":1,"flow_first_seen":1470104426973,"flow_last_seen":1470104426973,"flow_idle_time":180000,"flow_min_l4_payload_len":48,"flow_max_l4_payload_len":48,"flow_tot_l4_payload_len":48,"flow_avg_l4_payload_len":48,"midstream":0,"ts_msec":1470104426973,"l3_proto":"ip4","src_ip":"192.168.5.16","dst_ip":"17.253.26.125","src_port":123,"dst_port":123,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00492{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1343,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":119,"flow_packet_id":1,"flow_last_seen":1470104426973,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":90,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":90,"pkt_l4_len":56,"ts_msec":1470104426973,"pkt":"TF4M6gNlYMVHBbyMCABFwABMyLEAAEARvv3AqAUQEf0afQB7AHsAOHvnIwIG7AAAJiAAAPbJEf0afdtKfo89Puc520qBhKZDx2jbSoGEtCSHfttKgew\/d58s"}
-00583{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1343,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":119,"flow_packets_processed":1,"flow_first_seen":1470104426973,"flow_last_seen":1470104426973,"flow_idle_time":180000,"flow_min_l4_payload_len":48,"flow_max_l4_payload_len":48,"flow_tot_l4_payload_len":48,"flow_avg_l4_payload_len":48,"midstream":0,"ts_msec":1470104426973,"l3_proto":"ip4","src_ip":"192.168.5.16","dst_ip":"17.253.26.125","src_port":123,"dst_port":123,"l4_proto":"udp","ndpi": {"proto":"NTP.Apple","breed":"Safe","category":"System"}}
+00621{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1343,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":119,"flow_packets_processed":1,"flow_first_seen":1470104426973,"flow_last_seen":1470104426973,"flow_idle_time":180000,"flow_min_l4_payload_len":48,"flow_max_l4_payload_len":48,"flow_tot_l4_payload_len":48,"flow_avg_l4_payload_len":48,"midstream":0,"ts_msec":1470104426973,"l3_proto":"ip4","src_ip":"192.168.5.16","dst_ip":"17.253.26.125","src_port":123,"dst_port":123,"l4_proto":"udp","ndpi": {"proto":"NTP.Apple","breed":"Safe","category":"System"},"ntp": {"request_code":0,"version":0}}
00564{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1346,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":120,"flow_packets_processed":1,"flow_first_seen":1470104426992,"flow_last_seen":1470104426992,"flow_idle_time":180000,"flow_min_l4_payload_len":26,"flow_max_l4_payload_len":26,"flow_tot_l4_payload_len":26,"flow_avg_l4_payload_len":26,"midstream":0,"ts_msec":1470104426992,"l3_proto":"ip6","src_ip":"fe80::4568:efbc:40b1:1346","dst_ip":"ff02::1:3","src_port":57148,"dst_port":5355,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00493{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1346,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":120,"flow_packet_id":1,"flow_last_seen":1470104426992,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":88,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":88,"pkt_l4_len":34,"ts_msec":1470104426992,"pkt":"MzMAAQADSNIkYwreht1gAAAAACIRAf6AAAAAAAAARWjvvECxE0b\/AgAAAAAAAAAAAAAAAQAD3zwU6wAi91hE5AAAAAEAAAAAAAAIa2V2aW4tUEMAAP8AAQ=="}
00598{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1346,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":120,"flow_packets_processed":1,"flow_first_seen":1470104426992,"flow_last_seen":1470104426992,"flow_idle_time":180000,"flow_min_l4_payload_len":26,"flow_max_l4_payload_len":26,"flow_tot_l4_payload_len":26,"flow_avg_l4_payload_len":26,"midstream":0,"ts_msec":1470104426992,"l3_proto":"ip6","src_ip":"fe80::4568:efbc:40b1:1346","dst_ip":"ff02::1:3","src_port":57148,"dst_port":5355,"l4_proto":"udp","ndpi": {"proto":"LLMNR","breed":"Acceptable","category":"Network"}}
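Review bot: The added `detected` event for flow 119 records `"ntp": {"request_code":0,"version":0}`, but the `pkt` field of the packet-flow line directly above it decodes to a UDP payload whose first byte is 0x23, which is NTP version 4, mode 3. If that decoding is right, this fixture pins a wrong value as the expected result. Anything downstream that keys on `ntp.version` or `ntp.request_code` (for example a rule looking for version 2 monlist requests) would then read zeros for ordinary client traffic. I would check whether the event is serialized before the NTP fields are filled in, and regenerate this expectation once it carries `"version":4`.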
@@ -618,7 +618,7 @@
00564{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1439,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":62,"flow_packets_processed":2,"flow_first_seen":1470104391254,"flow_last_seen":1470104391361,"flow_idle_time":180000,"flow_min_l4_payload_len":24,"flow_max_l4_payload_len":24,"flow_tot_l4_payload_len":48,"flow_avg_l4_payload_len":24,"midstream":0,"ts_msec":1470104433789,"l3_proto":"ip6","src_ip":"fe80::5d92:62a8:ebde:1319","dst_ip":"ff02::1:3","src_port":63659,"dst_port":5355,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00553{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1439,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":112,"flow_packets_processed":2,"flow_first_seen":1470104416855,"flow_last_seen":1470104416959,"flow_idle_time":180000,"flow_min_l4_payload_len":27,"flow_max_l4_payload_len":27,"flow_tot_l4_payload_len":54,"flow_avg_l4_payload_len":27,"midstream":0,"ts_msec":1470104433789,"l3_proto":"ip4","src_ip":"192.168.5.9","dst_ip":"224.0.0.252","src_port":62822,"dst_port":5355,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00556{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1439,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":111,"flow_packets_processed":2,"flow_first_seen":1470104416855,"flow_last_seen":1470104416958,"flow_idle_time":180000,"flow_min_l4_payload_len":27,"flow_max_l4_payload_len":27,"flow_tot_l4_payload_len":54,"flow_avg_l4_payload_len":27,"midstream":0,"ts_msec":1470104433789,"l3_proto":"ip4","src_ip":"192.168.101.33","dst_ip":"224.0.0.252","src_port":62822,"dst_port":5355,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
-00599{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":1439,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":61,"flow_packets_processed":3,"flow_first_seen":1470104391199,"flow_last_seen":1470104391208,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1,"flow_tot_l4_payload_len":2,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1470104433789,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"64.233.189.128","src_port":49581,"dst_port":80,"l4_proto":"tcp","ndpi": {"proto":"HTTP.Google","breed":"Tracker\/Ads","category":"Web"},"http": {}}
+00597{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":1439,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":61,"flow_packets_processed":3,"flow_first_seen":1470104391199,"flow_last_seen":1470104391208,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1,"flow_tot_l4_payload_len":2,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1470104433789,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"64.233.189.128","src_port":49581,"dst_port":80,"l4_proto":"tcp","ndpi": {"proto":"HTTP.Google","breed":"Acceptable","category":"Web"},"http": {}}
00552{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1439,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":61,"flow_packets_processed":3,"flow_first_seen":1470104391199,"flow_last_seen":1470104391208,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1,"flow_tot_l4_payload_len":2,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1470104433789,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"64.233.189.128","src_port":49581,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00553{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1439,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":20,"flow_packets_processed":2,"flow_first_seen":1470104378045,"flow_last_seen":1470104378454,"flow_idle_time":180000,"flow_min_l4_payload_len":30,"flow_max_l4_payload_len":30,"flow_tot_l4_payload_len":60,"flow_avg_l4_payload_len":30,"midstream":0,"ts_msec":1470104433789,"l3_proto":"ip4","src_ip":"192.168.3.95","dst_ip":"224.0.0.252","src_port":58779,"dst_port":5355,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00561{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1439,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":15,"flow_packets_processed":14,"flow_first_seen":1470104377754,"flow_last_seen":1470104422913,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1218,"flow_tot_l4_payload_len":2048,"flow_avg_l4_payload_len":146,"midstream":0,"ts_msec":1470104433789,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"106.185.35.110","src_port":49597,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -700,9 +700,9 @@
~~ total active/idle flows...: 129/129
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 2248414 bytes
-~~ total memory freed........: 2248414 bytes
-~~ total allocations/frees...: 37228/37228
+~~ total memory allocated....: 4856571 bytes
+~~ total memory freed........: 4856571 bytes
+~~ total allocations/frees...: 101433/101433
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 162 chars
~~ json string max len.......: 2437 chars
diff --git a/test/results/443-chrome.pcap.out b/test/results/443-chrome.pcap.out
index 457616b6a..1a3b7bec9 100644
--- a/test/results/443-chrome.pcap.out
+++ b/test/results/443-chrome.pcap.out
@@ -12,9 +12,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1930201 bytes
-~~ total memory freed........: 1930201 bytes
-~~ total allocations/frees...: 35340/35340
+~~ total memory allocated....: 4592516 bytes
+~~ total memory freed........: 4592516 bytes
+~~ total allocations/frees...: 99536/99536
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 162 chars
~~ json string max len.......: 2422 chars
diff --git a/test/results/443-curl.pcap.out b/test/results/443-curl.pcap.out
index a186f8004..eec15e2fa 100644
--- a/test/results/443-curl.pcap.out
+++ b/test/results/443-curl.pcap.out
@@ -5,7 +5,7 @@
00458{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"443-curl.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_last_seen":1581113120513,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1581113120513,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGAU7AqAENsj7FgtjjAbvMd3aWj5LRfoAQECwaIgAAAQEICh5iRd0laAqT"}
00788{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"443-curl.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":4,"flow_first_seen":1581113120474,"flow_last_seen":1581113120522,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1581113120522,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":55523,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.ntop","breed":"Safe","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.ntop.org","ja3":"2a26b1a62e40d25d4de3babc9d532f30","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
00844{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"443-curl.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":6,"flow_first_seen":1581113120474,"flow_last_seen":1581113120563,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":1957,"flow_avg_l4_payload_len":326,"midstream":0,"ts_msec":1581113120563,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":55523,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.ntop","breed":"Safe","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.ntop.org","ja3":"2a26b1a62e40d25d4de3babc9d532f30","ja3s":"ae53107a2e47ea20c72ac44821a728bf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
-01045{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":7,"source":"443-curl.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":7,"flow_first_seen":1581113120474,"flow_last_seen":1581113120564,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":3397,"flow_avg_l4_payload_len":485,"midstream":0,"ts_msec":1581113120564,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":55523,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.ntop","breed":"Safe","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.ntop.org","server_names":"www.ntop.org","ja3":"2a26b1a62e40d25d4de3babc9d532f30","ja3s":"ae53107a2e47ea20c72ac44821a728bf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3","issuerDN":"CN=www.ntop.org","alpn":"h2,http\/1.1","fingerprint":"DB:A7:E4:3E:6D:BB:21:AB:68:47:35:E8:0B:8F:15:DF:DB:C7:C9:6F"}}
+01046{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":7,"source":"443-curl.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":7,"flow_first_seen":1581113120474,"flow_last_seen":1581113120564,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":3397,"flow_avg_l4_payload_len":485,"midstream":0,"ts_msec":1581113120564,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":55523,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.ntop","breed":"Safe","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.ntop.org","server_names":"www.ntop.org","ja3":"2a26b1a62e40d25d4de3babc9d532f30","ja3s":"ae53107a2e47ea20c72ac44821a728bf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3","subjectDN":"CN=www.ntop.org","alpn":"h2,http\/1.1","fingerprint":"DB:A7:E4:3E:6D:BB:21:AB:68:47:35:E8:0B:8F:15:DF:DB:C7:C9:6F"}}
00563{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":109,"source":"443-curl.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":109,"flow_first_seen":1581113120474,"flow_last_seen":1581113121570,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":66816,"flow_avg_l4_payload_len":612,"midstream":0,"ts_msec":1581113121570,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":55523,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00158{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":109,"source":"443-curl.pcap","alias":"nDPId-test","total-events-serialized":10}
~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
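Review bot: The removed line held two `issuerDN` keys in one `tls` object and was still the accepted expected output, so nothing in the test run appears to reject duplicate JSON keys. Most parsers keep the last value, so consumers of the old output were reading the certificate subject as its issuer. The rename to `subjectDN` fixes this instance and the matching lines in 443-firefox.pcap.out and 443-git.pcap.out. I would also have the result comparison parse every emitted line with a parser that fails on duplicate keys, so a repeat breaks the run instead of being recorded in a fixture. The test runner is not part of this hunk, so where that check belongs is left to the author.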
@@ -16,10 +16,10 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1936201 bytes
-~~ total memory freed........: 1936201 bytes
-~~ total allocations/frees...: 35453/35453
+~~ total memory allocated....: 4598516 bytes
+~~ total memory freed........: 4598516 bytes
+~~ total allocations/frees...: 99649/99649
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 163 chars
-~~ json string max len.......: 1050 chars
-~~ json string avg len.......: 658 chars
+~~ json string max len.......: 1051 chars
+~~ json string avg len.......: 659 chars
diff --git a/test/results/443-firefox.pcap.out b/test/results/443-firefox.pcap.out
index e45c3856c..6e1086b56 100644
--- a/test/results/443-firefox.pcap.out
+++ b/test/results/443-firefox.pcap.out
@@ -3,9 +3,9 @@
00479{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"443-firefox.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_last_seen":1581109488041,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"ts_msec":1581109488041,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGAULAqAENsj7Fgs9oAbstYO2oAAAAALAC\/\/8dyQAAAgQFtAEDAwUBAQgKHivVZQAAAAAEAgAA"}
00474{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"443-firefox.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_last_seen":1581109488079,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1581109488079,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADQGDUayPsWCwKgBDQG7z2h4KhDzLWDtqaAS\/ojkXQAAAgQFrAQCCAolMJ2OHivVZQEDAwc="}
00461{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"443-firefox.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_last_seen":1581109488079,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1581109488079,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGAU7AqAENsj7Fgs9oAbstYO2peCoQ9IAQECwBWgAAAQEICh4r1YolMJ2O"}
-00848{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"443-firefox.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":4,"flow_first_seen":1581109488041,"flow_last_seen":1581109488081,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1581109488081,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":53096,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.ntop","breed":"Safe","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.ntop.org","ja3":"f6ce47303dce394049af395fc6d0bc20","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-00910{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"443-firefox.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":6,"flow_first_seen":1581109488041,"flow_last_seen":1581109488123,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":1957,"flow_avg_l4_payload_len":326,"midstream":0,"ts_msec":1581109488123,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":53096,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.ntop","breed":"Safe","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.ntop.org","ja3":"f6ce47303dce394049af395fc6d0bc20","ja3s":"3653a20186a5b490426131a611e01992","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-01111{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":7,"source":"443-firefox.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":7,"flow_first_seen":1581109488041,"flow_last_seen":1581109488123,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":3397,"flow_avg_l4_payload_len":485,"midstream":0,"ts_msec":1581109488123,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":53096,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.ntop","breed":"Safe","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.ntop.org","server_names":"www.ntop.org","ja3":"f6ce47303dce394049af395fc6d0bc20","ja3s":"3653a20186a5b490426131a611e01992","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256","issuerDN":"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3","issuerDN":"CN=www.ntop.org","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"DB:A7:E4:3E:6D:BB:21:AB:68:47:35:E8:0B:8F:15:DF:DB:C7:C9:6F"}}
+00848{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"443-firefox.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":4,"flow_first_seen":1581109488041,"flow_last_seen":1581109488081,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1581109488081,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":53096,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.ntop","breed":"Safe","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.ntop.org","ja3":"b20b44b18b853ef29ab773e921b03422","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+00910{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"443-firefox.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":6,"flow_first_seen":1581109488041,"flow_last_seen":1581109488123,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":1957,"flow_avg_l4_payload_len":326,"midstream":0,"ts_msec":1581109488123,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":53096,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.ntop","breed":"Safe","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.ntop.org","ja3":"b20b44b18b853ef29ab773e921b03422","ja3s":"3653a20186a5b490426131a611e01992","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+01112{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":7,"source":"443-firefox.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":7,"flow_first_seen":1581109488041,"flow_last_seen":1581109488123,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":3397,"flow_avg_l4_payload_len":485,"midstream":0,"ts_msec":1581109488123,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":53096,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.ntop","breed":"Safe","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.ntop.org","server_names":"www.ntop.org","ja3":"b20b44b18b853ef29ab773e921b03422","ja3s":"3653a20186a5b490426131a611e01992","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256","issuerDN":"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3","subjectDN":"CN=www.ntop.org","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"DB:A7:E4:3E:6D:BB:21:AB:68:47:35:E8:0B:8F:15:DF:DB:C7:C9:6F"}}
00567{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":667,"source":"443-firefox.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":667,"flow_first_seen":1581109488041,"flow_last_seen":1581109496480,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":414073,"flow_avg_l4_payload_len":620,"midstream":0,"ts_msec":1581109496480,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":53096,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00161{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":667,"source":"443-firefox.pcap","alias":"nDPId-test","total-events-serialized":10}
~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
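Review bot: The `ja3` value for this capture changes from `f6ce47303dce394049af395fc6d0bc20` to `b20b44b18b853ef29ab773e921b03422` in all three added events although the pcap is the same, and nothing visible here explains why. JA3 is used as a stable client fingerprint, so a value that shifts across an upgrade silently invalidates stored allowlists, blocklists and correlation keys built on the old output. The curl and git fixtures keep their `ja3`, so the change seems specific to this ClientHello. I would state in the commit message which of the two values matches the reference JA3 computation for this capture, and note the change in the changelog so operators know to re-baseline.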
@@ -16,10 +16,10 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1952437 bytes
-~~ total memory freed........: 1952437 bytes
-~~ total allocations/frees...: 36012/36012
+~~ total memory allocated....: 4614752 bytes
+~~ total memory freed........: 4614752 bytes
+~~ total allocations/frees...: 100208/100208
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 166 chars
-~~ json string max len.......: 1116 chars
+~~ json string max len.......: 1117 chars
~~ json string avg len.......: 692 chars
diff --git a/test/results/443-git.pcap.out b/test/results/443-git.pcap.out
index ea1c88b9c..04657b557 100644
--- a/test/results/443-git.pcap.out
+++ b/test/results/443-git.pcap.out
@@ -5,7 +5,7 @@
00458{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"443-git.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_last_seen":1581113657744,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1581113657744,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGerjAqAENjFJyBNnAAbv0\/p6AgM3QzYAQECpNNAAAAQEICh5qXC0OCxAa"}
00794{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"443-git.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":4,"flow_first_seen":1581113657633,"flow_last_seen":1581113657751,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1581113657751,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"140.82.114.4","src_port":55744,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Github","breed":"Acceptable","category":"Collaborative"},"tls": {"version":"TLSv1.2","client_requested_server_name":"github.com","ja3":"2a26b1a62e40d25d4de3babc9d532f30","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"http\/1.1"}}
00850{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":5,"source":"443-git.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":5,"flow_first_seen":1581113657633,"flow_last_seen":1581113657863,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1424,"flow_tot_l4_payload_len":1941,"flow_avg_l4_payload_len":388,"midstream":0,"ts_msec":1581113657863,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"140.82.114.4","src_port":55744,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Github","breed":"Acceptable","category":"Collaborative"},"tls": {"version":"TLSv1.2","client_requested_server_name":"github.com","ja3":"2a26b1a62e40d25d4de3babc9d532f30","ja3s":"ae53107a2e47ea20c72ac44821a728bf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"http\/1.1"}}
-01153{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":7,"source":"443-git.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":7,"flow_first_seen":1581113657633,"flow_last_seen":1581113657863,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1424,"flow_tot_l4_payload_len":4067,"flow_avg_l4_payload_len":581,"midstream":0,"ts_msec":1581113657863,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"140.82.114.4","src_port":55744,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Github","breed":"Acceptable","category":"Collaborative"},"tls": {"version":"TLSv1.2","client_requested_server_name":"github.com","server_names":"github.com,www.github.com","ja3":"2a26b1a62e40d25d4de3babc9d532f30","ja3s":"ae53107a2e47ea20c72ac44821a728bf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA","issuerDN":"C=US, ST=California, L=San Francisco, O=GitHub, Inc., CN=github.com","alpn":"http\/1.1","fingerprint":"CA:06:F5:6B:25:8B:7A:0D:4F:2B:05:47:09:39:47:86:51:15:19:84"}}
+01154{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":7,"source":"443-git.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":7,"flow_first_seen":1581113657633,"flow_last_seen":1581113657863,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1424,"flow_tot_l4_payload_len":4067,"flow_avg_l4_payload_len":581,"midstream":0,"ts_msec":1581113657863,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"140.82.114.4","src_port":55744,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Github","breed":"Acceptable","category":"Collaborative"},"tls": {"version":"TLSv1.2","client_requested_server_name":"github.com","server_names":"github.com,www.github.com","ja3":"2a26b1a62e40d25d4de3babc9d532f30","ja3s":"ae53107a2e47ea20c72ac44821a728bf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=GitHub, Inc., CN=github.com","alpn":"http\/1.1","fingerprint":"CA:06:F5:6B:25:8B:7A:0D:4F:2B:05:47:09:39:47:86:51:15:19:84"}}
00558{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":70,"source":"443-git.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":70,"flow_first_seen":1581113657633,"flow_last_seen":1581113658456,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1424,"flow_tot_l4_payload_len":32585,"flow_avg_l4_payload_len":465,"midstream":0,"ts_msec":1581113658456,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"140.82.114.4","src_port":55744,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00156{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":70,"source":"443-git.pcap","alias":"nDPId-test","total-events-serialized":10}
~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
@@ -16,10 +16,10 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1938580 bytes
-~~ total memory freed........: 1938580 bytes
-~~ total allocations/frees...: 35416/35416
+~~ total memory allocated....: 4600895 bytes
+~~ total memory freed........: 4600895 bytes
+~~ total allocations/frees...: 99612/99612
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 161 chars
-~~ json string max len.......: 1158 chars
+~~ json string max len.......: 1159 chars
~~ json string avg len.......: 705 chars
diff --git a/test/results/443-opvn.pcap.out b/test/results/443-opvn.pcap.out
index 38c156ccc..77af5416b 100644
--- a/test/results/443-opvn.pcap.out
+++ b/test/results/443-opvn.pcap.out
@@ -14,9 +14,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1931506 bytes
-~~ total memory freed........: 1931506 bytes
-~~ total allocations/frees...: 35385/35385
+~~ total memory allocated....: 4593821 bytes
+~~ total memory freed........: 4593821 bytes
+~~ total allocations/frees...: 99581/99581
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 161 chars
~~ json string max len.......: 592 chars
diff --git a/test/results/443-safari.pcap.out b/test/results/443-safari.pcap.out
index 6eb631161..9690bf424 100644
--- a/test/results/443-safari.pcap.out
+++ b/test/results/443-safari.pcap.out
@@ -5,7 +5,7 @@
00460{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"443-safari.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_last_seen":1581109359639,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1581109359639,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGAU7AqAENsj7Fgs8nAbvmgoUOqpsjGIAQECxO5AAAAQEICh4p6N4lLqfY"}
00825{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"443-safari.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":4,"flow_first_seen":1581109359601,"flow_last_seen":1581109359641,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":233,"flow_tot_l4_payload_len":233,"flow_avg_l4_payload_len":58,"midstream":0,"ts_msec":1581109359641,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":53031,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.ntop","breed":"Safe","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.ntop.org","ja3":"a69708a64f853c3bcc214c2c5faf84f3","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1"}}
00888{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"443-safari.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":6,"flow_first_seen":1581109359601,"flow_last_seen":1581109359683,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":1673,"flow_avg_l4_payload_len":278,"midstream":0,"ts_msec":1581109359683,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":53031,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.ntop","breed":"Safe","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.ntop.org","ja3":"a69708a64f853c3bcc214c2c5faf84f3","ja3s":"f9fcb52580329fb6a9b61d7542087b90","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1"}}
-01089{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":7,"source":"443-safari.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":7,"flow_first_seen":1581109359601,"flow_last_seen":1581109359683,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":3113,"flow_avg_l4_payload_len":444,"midstream":0,"ts_msec":1581109359683,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":53031,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.ntop","breed":"Safe","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.ntop.org","server_names":"www.ntop.org","ja3":"a69708a64f853c3bcc214c2c5faf84f3","ja3s":"f9fcb52580329fb6a9b61d7542087b90","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256","issuerDN":"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3","issuerDN":"CN=www.ntop.org","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","fingerprint":"DB:A7:E4:3E:6D:BB:21:AB:68:47:35:E8:0B:8F:15:DF:DB:C7:C9:6F"}}
+01090{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":7,"source":"443-safari.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":7,"flow_first_seen":1581109359601,"flow_last_seen":1581109359683,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":3113,"flow_avg_l4_payload_len":444,"midstream":0,"ts_msec":1581109359683,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":53031,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.ntop","breed":"Safe","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.ntop.org","server_names":"www.ntop.org","ja3":"a69708a64f853c3bcc214c2c5faf84f3","ja3s":"f9fcb52580329fb6a9b61d7542087b90","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256","issuerDN":"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3","subjectDN":"CN=www.ntop.org","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","fingerprint":"DB:A7:E4:3E:6D:BB:21:AB:68:47:35:E8:0B:8F:15:DF:DB:C7:C9:6F"}}
00564{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":41,"source":"443-safari.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":41,"flow_first_seen":1581109359601,"flow_last_seen":1581109360696,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":17203,"flow_avg_l4_payload_len":419,"midstream":0,"ts_msec":1581109360696,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":53031,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00159{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":41,"source":"443-safari.pcap","alias":"nDPId-test","total-events-serialized":10}
~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
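Review bot: The removed `detection-update` line carried the key `issuerDN` twice inside `tls`, and that output was the accepted baseline, so nothing in the test run rejects duplicate keys in a serialized event. Most JSON parsers keep the last value, so a consumer of the old output would have read the subject `CN=www.ntop.org` as the issuer, a field that certificate-based detections rely on. The rename to `subjectDN` fixes this instance, and the same correction appears in the KakaoTalk_chat.pcap.out hunk. A duplicate-key check over every emitted line would catch the next one, for example `json.loads(line, object_pairs_hook=...)` with a hook that raises on a repeated key, if the result validation is done in Python.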
@@ -16,10 +16,10 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1934259 bytes
-~~ total memory freed........: 1934259 bytes
-~~ total allocations/frees...: 35385/35385
+~~ total memory allocated....: 4596574 bytes
+~~ total memory freed........: 4596574 bytes
+~~ total allocations/frees...: 99581/99581
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 164 chars
-~~ json string max len.......: 1094 chars
-~~ json string avg len.......: 680 chars
+~~ json string max len.......: 1095 chars
+~~ json string avg len.......: 681 chars
diff --git a/test/results/4in4tunnel.pcap.out b/test/results/4in4tunnel.pcap.out
index 9aceeb261..9342511c7 100644
--- a/test/results/4in4tunnel.pcap.out
+++ b/test/results/4in4tunnel.pcap.out
@@ -18,9 +18,9 @@
~~ total active/idle flows...: 0/0
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1926508 bytes
-~~ total memory freed........: 1926508 bytes
-~~ total allocations/frees...: 35335/35335
+~~ total memory allocated....: 4589247 bytes
+~~ total memory freed........: 4589247 bytes
+~~ total allocations/frees...: 99531/99531
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 156 chars
~~ json string max len.......: 515 chars
diff --git a/test/results/4in6tunnel.pcap.out b/test/results/4in6tunnel.pcap.out
index c8c9c7a8d..3c1ab5020 100644
--- a/test/results/4in6tunnel.pcap.out
+++ b/test/results/4in6tunnel.pcap.out
@@ -14,9 +14,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1928240 bytes
-~~ total memory freed........: 1928240 bytes
-~~ total allocations/frees...: 35342/35342
+~~ total memory allocated....: 4590555 bytes
+~~ total memory freed........: 4590555 bytes
+~~ total allocations/frees...: 99538/99538
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 162 chars
~~ json string max len.......: 872 chars
diff --git a/test/results/6in4tunnel.pcap.out b/test/results/6in4tunnel.pcap.out
index fbbca3f6a..f5b8ec5b4 100644
--- a/test/results/6in4tunnel.pcap.out
+++ b/test/results/6in4tunnel.pcap.out
@@ -14,9 +14,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1931807 bytes
-~~ total memory freed........: 1931807 bytes
-~~ total allocations/frees...: 35465/35465
+~~ total memory allocated....: 4594122 bytes
+~~ total memory freed........: 4594122 bytes
+~~ total allocations/frees...: 99661/99661
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 164 chars
~~ json string max len.......: 650 chars
diff --git a/test/results/6in6tunnel.pcap.out b/test/results/6in6tunnel.pcap.out
index a9a7bbdd3..61aa4752a 100644
--- a/test/results/6in6tunnel.pcap.out
+++ b/test/results/6in6tunnel.pcap.out
@@ -16,9 +16,9 @@
~~ total active/idle flows...: 2/2
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1929798 bytes
-~~ total memory freed........: 1929798 bytes
-~~ total allocations/frees...: 35343/35343
+~~ total memory allocated....: 4591689 bytes
+~~ total memory freed........: 4591689 bytes
+~~ total allocations/frees...: 99539/99539
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 163 chars
~~ json string max len.......: 577 chars
diff --git a/test/results/BGP_Cisco_hdlc_slarp.pcap.out b/test/results/BGP_Cisco_hdlc_slarp.pcap.out
index 4b2197605..272ff93e8 100644
--- a/test/results/BGP_Cisco_hdlc_slarp.pcap.out
+++ b/test/results/BGP_Cisco_hdlc_slarp.pcap.out
@@ -14,9 +14,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1928530 bytes
-~~ total memory freed........: 1928530 bytes
-~~ total allocations/frees...: 35352/35352
+~~ total memory allocated....: 4590845 bytes
+~~ total memory freed........: 4590845 bytes
+~~ total allocations/frees...: 99548/99548
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 173 chars
~~ json string max len.......: 596 chars
diff --git a/test/results/BGP_redist.pcap.out b/test/results/BGP_redist.pcap.out
index baa8225c8..12041c718 100644
--- a/test/results/BGP_redist.pcap.out
+++ b/test/results/BGP_redist.pcap.out
@@ -14,9 +14,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1928153 bytes
-~~ total memory freed........: 1928153 bytes
-~~ total allocations/frees...: 35339/35339
+~~ total memory allocated....: 4590468 bytes
+~~ total memory freed........: 4590468 bytes
+~~ total allocations/frees...: 99535/99535
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 160 chars
~~ json string max len.......: 616 chars
diff --git a/test/results/EAQ.pcap.out b/test/results/EAQ.pcap.out
index 116ff0fda..98f745ac8 100644
--- a/test/results/EAQ.pcap.out
+++ b/test/results/EAQ.pcap.out
@@ -3,12 +3,12 @@
00465{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"EAQ.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_last_seen":1432820948562,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1432820948562,"pkt":"ABoRAAACABoRAAABCABFAAA8xb9AAEAGRgEKCAABrcJ3MND5AFA4ezYlAAAAAKACOQisdgAAAgQFtAQCCAoABPOaAAAAAAEDAwQ="}
00439{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"EAQ.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_last_seen":1432820948566,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1432820948566,"pkt":"ABoRAAACABoRAAABCABFAAAoAAJAABAGO9OtwncwCggAAQBQ0PnHhMnaOHs2JlAS\/\/+vjAAA"}
00437{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"EAQ.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_last_seen":1432820948569,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1432820948569,"pkt":"ABoRAAACABoRAAABCABFAAAoxcBAAEAGRhQKCAABrcJ3MND5AFA4ezYmx4TJ21AQOQh2hQAA"}
-00742{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"EAQ.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":4,"flow_first_seen":1432820948562,"flow_last_seen":1432820948576,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":100,"flow_tot_l4_payload_len":100,"flow_avg_l4_payload_len":25,"midstream":0,"ts_msec":1432820948576,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"173.194.119.48","src_port":53497,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"11":"HTTP Suspicious User-Agent"},"proto":"HTTP.Google","breed":"Tracker\/Ads","category":"Web"},"http": {"hostname":"www.google.com","url":"www.google.com\/","code":0,"content_type":"","user_agent":"test"}}
+00740{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"EAQ.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":4,"flow_first_seen":1432820948562,"flow_last_seen":1432820948576,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":100,"flow_tot_l4_payload_len":100,"flow_avg_l4_payload_len":25,"midstream":0,"ts_msec":1432820948576,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"173.194.119.48","src_port":53497,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"11":"HTTP Suspicious User-Agent"},"proto":"HTTP.Google","breed":"Acceptable","category":"Web"},"http": {"hostname":"www.google.com","url":"www.google.com\/","code":0,"content_type":"","user_agent":"test"}}
00541{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":10,"source":"EAQ.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":1,"flow_first_seen":1432820948836,"flow_last_seen":1432820948836,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1432820948836,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"173.194.119.24","src_port":40467,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00467{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":10,"source":"EAQ.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_last_seen":1432820948836,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1432820948836,"pkt":"ABoRAAACABoRAAABCABFAAA8DwhAAEAG\/NAKCAABrcJ3GJ4TAFBXrfy9AAAAAKACOQj5jgAAAgQFtAQCCAoABPO1AAAAAAEDAwQ="}
00441{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":11,"source":"EAQ.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_last_seen":1432820948837,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1432820948837,"pkt":"ABoRAAACABoRAAABCABFAAAoAAZAABAGO+etwncYCggAAQBQnhOoUgNCV638vlAS\/\/\/iigAA"}
00439{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":12,"source":"EAQ.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_last_seen":1432820948844,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1432820948844,"pkt":"ABoRAAACABoRAAABCABFAAAoDwlAAEAG\/OMKCAABrcJ3GJ4TAFBXrfy+qFIDQ1AQOQipgwAA"}
-00785{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":13,"source":"EAQ.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":4,"flow_first_seen":1432820948836,"flow_last_seen":1432820948845,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":139,"flow_tot_l4_payload_len":139,"flow_avg_l4_payload_len":34,"midstream":0,"ts_msec":1432820948845,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"173.194.119.24","src_port":40467,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"11":"HTTP Suspicious User-Agent"},"proto":"HTTP.Google","breed":"Tracker\/Ads","category":"Web"},"http": {"hostname":"www.google.com.br","url":"www.google.com.br\/?gfe_rd=cr&ei=1BxnVcP9OKKk8we50oDAAg","code":0,"content_type":"","user_agent":"test"}}
+00783{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":13,"source":"EAQ.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":4,"flow_first_seen":1432820948836,"flow_last_seen":1432820948845,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":139,"flow_tot_l4_payload_len":139,"flow_avg_l4_payload_len":34,"midstream":0,"ts_msec":1432820948845,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"173.194.119.24","src_port":40467,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"11":"HTTP Suspicious User-Agent"},"proto":"HTTP.Google","breed":"Acceptable","category":"Web"},"http": {"hostname":"www.google.com.br","url":"www.google.com.br\/?gfe_rd=cr&ei=1BxnVcP9OKKk8we50oDAAg","code":0,"content_type":"","user_agent":"test"}}
00547{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":24,"source":"EAQ.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":1,"flow_first_seen":1432820949586,"flow_last_seen":1432820949586,"flow_idle_time":180000,"flow_min_l4_payload_len":16,"flow_max_l4_payload_len":16,"flow_tot_l4_payload_len":16,"flow_avg_l4_payload_len":16,"midstream":0,"ts_msec":1432820949586,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"200.185.138.146","src_port":52257,"dst_port":6000,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00445{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":24,"source":"EAQ.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_last_seen":1432820949586,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":58,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":58,"pkt_l4_len":24,"ts_msec":1432820949586,"pkt":"ABoRAAACABoRAAABCABFAAAsAABAAEAR3WwKCAAByLmKkswhF3AAGNX0AAAAAAAADdoAAUsHAACQAA=="}
00445{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":25,"source":"EAQ.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_last_seen":1432820949685,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":58,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":58,"pkt_l4_len":24,"ts_msec":1432820949685,"pkt":"ABoRAAACABoRAAABCABFAAAsAAxAABARDWHIuYqSCggAARdwzCEAGAX1AAAAAAAADdoAAUsHAABgAA=="}
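Review bot: Both `detected` events for `HTTP.Google` change `breed` from `Tracker\/Ads` to `Acceptable` while the `flow_risk` entry `HTTP Suspicious User-Agent` stays, and the baseline accepts that reclassification without comment. The value presumably comes from the libnDPI update rather than from nDPId itself, but consumers that filter or alert on `breed` will treat these flows differently after this commit. A line in the commit description or changelog naming the breed change would let them adjust. The hunk itself is consistent: the length prefixes drop by two (`00742` → `00740`, `00785` → `00783`) to match the shorter string.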
@@ -201,10 +201,10 @@
~~ total active/idle flows...: 31/31
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1982418 bytes
-~~ total memory freed........: 1982418 bytes
-~~ total allocations/frees...: 35631/35631
+~~ total memory allocated....: 4632013 bytes
+~~ total memory freed........: 4632013 bytes
+~~ total allocations/frees...: 99827/99827
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 159 chars
-~~ json string max len.......: 790 chars
-~~ json string avg len.......: 545 chars
+~~ json string max len.......: 788 chars
+~~ json string avg len.......: 544 chars
diff --git a/test/results/IEC104.pcap.out b/test/results/IEC104.pcap.out
index ff2494f24..d34775b56 100644
--- a/test/results/IEC104.pcap.out
+++ b/test/results/IEC104.pcap.out
@@ -20,9 +20,9 @@
~~ total active/idle flows...: 2/2
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1930175 bytes
-~~ total memory freed........: 1930175 bytes
-~~ total allocations/frees...: 35356/35356
+~~ total memory allocated....: 4592066 bytes
+~~ total memory freed........: 4592066 bytes
+~~ total allocations/frees...: 99552/99552
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 160 chars
~~ json string max len.......: 592 chars
diff --git a/test/results/KakaoTalk_chat.pcap.out b/test/results/KakaoTalk_chat.pcap.out
index 8ab5e6d37..efdf9706f 100644
--- a/test/results/KakaoTalk_chat.pcap.out
+++ b/test/results/KakaoTalk_chat.pcap.out
@@ -86,14 +86,14 @@
00748{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":56,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":18,"flow_packets_processed":2,"flow_first_seen":1430069030083,"flow_last_seen":1430069030119,"flow_idle_time":180000,"flow_min_l4_payload_len":37,"flow_max_l4_payload_len":75,"flow_tot_l4_payload_len":112,"flow_avg_l4_payload_len":56,"midstream":0,"ts_msec":1430069030119,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"10.188.191.1","src_port":61011,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.KakaoTalk","breed":"Acceptable","category":"Chat"},"dns": {"query":"plus-talk.kakao.com","num_queries":1,"num_answers":2,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"210.103.240.15"}}
00534{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":57,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":19,"flow_packets_processed":1,"flow_first_seen":1430069030119,"flow_last_seen":1430069030119,"flow_idle_time":120000,"flow_min_l4_payload_len":111,"flow_max_l4_payload_len":111,"flow_tot_l4_payload_len":111,"flow_avg_l4_payload_len":111,"midstream":0,"ts_msec":1430069030119,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"10.188.191.1","l4_proto":"icmp","flow_datalink":113,"flow_max_packets":3}
00578{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":57,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":19,"flow_packet_id":1,"flow_last_seen":1430069030119,"flow_idle_time":120000,"pkt_oversize":false,"pkt_caplen":147,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":147,"pkt_l4_len":111,"ts_msec":1430069030119,"pkt":"AAQCEgAAAAAAAAAAAAAIAEXAAIMZuAAAQAE5cQoYUrwKvL8BAwMj8wAAAABFAABn\/dEAADURYSMKvL8BChhSvAA17lMAUxMnuTqBgAABAAIAAAAACXBsdXMtdGFsawVrYWthbwNjb20AAAEAAcAMAAUAAQAAA5UACgRwbHVzAmdswBbAMQABAAEAAADJAATSZ\/AP"}
-00565{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":57,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":19,"flow_packets_processed":1,"flow_first_seen":1430069030119,"flow_last_seen":1430069030119,"flow_idle_time":120000,"flow_min_l4_payload_len":111,"flow_max_l4_payload_len":111,"flow_tot_l4_payload_len":111,"flow_avg_l4_payload_len":111,"midstream":0,"ts_msec":1430069030119,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"10.188.191.1","l4_proto":"icmp","ndpi": {"proto":"ICMP","breed":"Acceptable","category":"Network"}}
+00584{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":57,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":19,"flow_packets_processed":1,"flow_first_seen":1430069030119,"flow_last_seen":1430069030119,"flow_idle_time":120000,"flow_min_l4_payload_len":111,"flow_max_l4_payload_len":111,"flow_tot_l4_payload_len":111,"flow_avg_l4_payload_len":111,"midstream":0,"ts_msec":1430069030119,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"10.188.191.1","l4_proto":"icmp","ndpi": {"proto":"ICMP","breed":"Acceptable","category":"Network"},"entropy":4.755603}
00560{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":58,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":20,"flow_packets_processed":1,"flow_first_seen":1430069030121,"flow_last_seen":1430069030121,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1430069030121,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"210.103.240.15","src_port":37821,"dst_port":443,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
00484{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":58,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":20,"flow_packet_id":1,"flow_last_seen":1430069030121,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":76,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":76,"pkt_l4_len":40,"ts_msec":1430069030121,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAADwrfUAAPwbw8woYUrzSZ\/APk70Bu6\/qIaMAAAAAoAI5CH35AAACBAV4BAIICgALCt4AAAAAAQMDBw=="}
00458{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":59,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":20,"flow_packet_id":2,"flow_last_seen":1430069030159,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":60,"pkt_l4_len":24,"ts_msec":1430069030159,"pkt":"AAACEgAAAAAAAAAAAAAIAEUAACwUQ0AA+AZPPdJn8A8KGFK8AbuTvWC6rQuv6iGkYBIRHPMdAAACBAV4"}
00456{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":60,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":20,"flow_packet_id":3,"flow_last_seen":1430069030162,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":56,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":56,"pkt_l4_len":20,"ts_msec":1430069030162,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAACgrfkAAPwbxBgoYUrzSZ\/APk70Bu6\/qIaRguq0MUBA5COKyAAA="}
00809{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":61,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":20,"flow_packets_processed":4,"flow_first_seen":1430069030121,"flow_last_seen":1430069030171,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":216,"flow_tot_l4_payload_len":216,"flow_avg_l4_payload_len":54,"midstream":0,"ts_msec":1430069030171,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"210.103.240.15","src_port":37821,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"dff8a0aa1c904aaea76c5bf624e88333","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
00879{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":64,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":20,"flow_packets_processed":7,"flow_first_seen":1430069030121,"flow_last_seen":1430069030296,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1280,"flow_tot_l4_payload_len":1496,"flow_avg_l4_payload_len":213,"midstream":0,"ts_msec":1430069030296,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"210.103.240.15","src_port":37821,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"dff8a0aa1c904aaea76c5bf624e88333","ja3s":"4192c0a946c5bd9b544b4656d9f624a4","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA"}}
-01134{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":70,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":20,"flow_packets_processed":13,"flow_first_seen":1430069030121,"flow_last_seen":1430069030336,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1280,"flow_tot_l4_payload_len":3736,"flow_avg_l4_payload_len":287,"midstream":0,"ts_msec":1430069030336,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"210.103.240.15","src_port":37821,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.KakaoTalk","breed":"Acceptable","category":"Chat"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.kakao.com","ja3":"dff8a0aa1c904aaea76c5bf624e88333","ja3s":"4192c0a946c5bd9b544b4656d9f624a4","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","issuerDN":"C=US, O=Thawte, Inc., CN=Thawte SSL CA","issuerDN":"C=KR, ST=Gyeonggi-do, L=Seongnam-si, O=Kakao Corp., CN=*.kakao.com","fingerprint":"0D:14:6D:8D:5E:EB:F5:F5:42:87:CD:AB:AE:A1:DC:AA:5A:76:6F:E4"}}
+01135{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":70,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":20,"flow_packets_processed":13,"flow_first_seen":1430069030121,"flow_last_seen":1430069030336,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1280,"flow_tot_l4_payload_len":3736,"flow_avg_l4_payload_len":287,"midstream":0,"ts_msec":1430069030336,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"210.103.240.15","src_port":37821,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.KakaoTalk","breed":"Acceptable","category":"Chat"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.kakao.com","ja3":"dff8a0aa1c904aaea76c5bf624e88333","ja3s":"4192c0a946c5bd9b544b4656d9f624a4","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","issuerDN":"C=US, O=Thawte, Inc., CN=Thawte SSL CA","subjectDN":"C=KR, ST=Gyeonggi-do, L=Seongnam-si, O=Kakao Corp., CN=*.kakao.com","fingerprint":"0D:14:6D:8D:5E:EB:F5:F5:42:87:CD:AB:AE:A1:DC:AA:5A:76:6F:E4"}}
00556{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":75,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":21,"flow_packets_processed":1,"flow_first_seen":1430069030508,"flow_last_seen":1430069030508,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1430069030508,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"31.13.68.84","src_port":37553,"dst_port":80,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
00482{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":75,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":21,"flow_packet_id":1,"flow_last_seen":1430069030508,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":76,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":76,"pkt_l4_len":40,"ts_msec":1430069030508,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAADz6+UAAPwaAjQoYUrwfDURUkrEAUI6+8f0AAAAAoAI5CDAyAAACBAV4BAIICgALCwQAAAAAAQMDBw=="}
00458{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":77,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":21,"flow_packet_id":2,"flow_last_seen":1430069030549,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":60,"pkt_l4_len":24,"ts_msec":1430069030549,"pkt":"AAACEgAAAAAAAAAAAAAIAEUAACy6BkAA+AYIkB8NRFQKGFK8AFCSsWQ58S+OvvH+YBIRHF3ZAAACBAV4"}
@@ -107,7 +107,7 @@
00481{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":90,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":23,"flow_packet_id":1,"flow_last_seen":1430069030703,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":78,"pkt_l4_len":42,"ts_msec":1430069030703,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAAD4AAEAAQBHSHgoYUrwKvAEBYBQANQAqICQnwAEAAAEAAAAAAAADYXBpCGZhY2Vib29rA2NvbQAAAQAB"}
00728{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":90,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":23,"flow_packets_processed":1,"flow_first_seen":1430069030703,"flow_last_seen":1430069030703,"flow_idle_time":180000,"flow_min_l4_payload_len":34,"flow_max_l4_payload_len":34,"flow_tot_l4_payload_len":34,"flow_avg_l4_payload_len":34,"midstream":0,"ts_msec":1430069030703,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"10.188.1.1","src_port":24596,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Facebook","breed":"Fun","category":"SocialNetwork"},"dns": {"query":"api.facebook.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
00878{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":91,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":15,"flow_packets_processed":11,"flow_first_seen":1430069026370,"flow_last_seen":1430069030731,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1280,"flow_tot_l4_payload_len":1648,"flow_avg_l4_payload_len":149,"midstream":0,"ts_msec":1430069030731,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"173.252.97.2","src_port":35503,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Facebook","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"dff8a0aa1c904aaea76c5bf624e88333","ja3s":"6c13ac74a6f75099ef2480748e5d94d2","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA"}}
-01666{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":95,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":15,"flow_packets_processed":15,"flow_first_seen":1430069026370,"flow_last_seen":1430069030740,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1280,"flow_tot_l4_payload_len":3915,"flow_avg_l4_payload_len":261,"midstream":0,"ts_msec":1430069030740,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"173.252.97.2","src_port":35503,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Facebook","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.facebook.com,facebook.com,*.fbsbx.com,*.fbcdn.net,*.xx.fbcdn.net,*.xy.fbcdn.net,fb.com,*.fb.com,*.facebookcorewwwi.onion,facebookcorewwwi.onion,*.fbcdn23dssr3jqnq.onion,fbcdn23dssr3jqnq.onion,*.fbsbx2q4mvcl63pw.onion,fbsbx2q4mvcl63pw.onion,*.m.facebook.com,*.messenger.com,messenger.com,*.m.facebookcorewwwi.onion,*.xx.fbcdn23dssr3jqnq.onion,xx.fbcdn23dssr3jqnq.onion,*.xy.fbcdn23dssr3jqnq.onion,xy.fbcdn23dssr3jqnq.onion,*.xz.fbcdn.net,xz.fbcdn.net,*.xz.fbcdn23dssr3jqnq.onion,xz.fbcdn23dssr3jqnq.onion,m.facebookcorewwwi.onion","ja3":"dff8a0aa1c904aaea76c5bf624e88333","ja3s":"6c13ac74a6f75099ef2480748e5d94d2","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance CA-3","issuerDN":"C=US, ST=CA, L=Menlo Park, O=Facebook, Inc., CN=*.facebook.com","fingerprint":"A4:FB:65:F8:A1:57:FE:0D:C0:17:C1:B5:51:62:63:3A:18:73:A0:B4"}}
+01667{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":95,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":15,"flow_packets_processed":15,"flow_first_seen":1430069026370,"flow_last_seen":1430069030740,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1280,"flow_tot_l4_payload_len":3915,"flow_avg_l4_payload_len":261,"midstream":0,"ts_msec":1430069030740,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"173.252.97.2","src_port":35503,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Facebook","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.facebook.com,facebook.com,*.fbsbx.com,*.fbcdn.net,*.xx.fbcdn.net,*.xy.fbcdn.net,fb.com,*.fb.com,*.facebookcorewwwi.onion,facebookcorewwwi.onion,*.fbcdn23dssr3jqnq.onion,fbcdn23dssr3jqnq.onion,*.fbsbx2q4mvcl63pw.onion,fbsbx2q4mvcl63pw.onion,*.m.facebook.com,*.messenger.com,messenger.com,*.m.facebookcorewwwi.onion,*.xx.fbcdn23dssr3jqnq.onion,xx.fbcdn23dssr3jqnq.onion,*.xy.fbcdn23dssr3jqnq.onion,xy.fbcdn23dssr3jqnq.onion,*.xz.fbcdn.net,xz.fbcdn.net,*.xz.fbcdn23dssr3jqnq.onion,xz.fbcdn23dssr3jqnq.onion,m.facebookcorewwwi.onion","ja3":"dff8a0aa1c904aaea76c5bf624e88333","ja3s":"6c13ac74a6f75099ef2480748e5d94d2","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance CA-3","subjectDN":"C=US, ST=CA, L=Menlo Park, O=Facebook, Inc., CN=*.facebook.com","fingerprint":"A4:FB:65:F8:A1:57:FE:0D:C0:17:C1:B5:51:62:63:3A:18:73:A0:B4"}}
00539{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":98,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":23,"flow_packet_id":2,"flow_last_seen":1430069030748,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":118,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":118,"pkt_l4_len":82,"ts_msec":1430069030748,"pkt":"AAACEgAAAAAAAAAAAAAIAEUAAGbtpgAANREvUAq8AQEKGFK8ADVgFABSeRsnwIGAAAEAAgAAAAADYXBpCGZhY2Vib29rA2NvbQAAAQABwAwABQABAAAD6wAMBHN0YXIEYzEwcsAQwC4AAQABAAAACQAEHw1EVA=="}
00741{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":98,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":23,"flow_packets_processed":2,"flow_first_seen":1430069030703,"flow_last_seen":1430069030748,"flow_idle_time":180000,"flow_min_l4_payload_len":34,"flow_max_l4_payload_len":74,"flow_tot_l4_payload_len":108,"flow_avg_l4_payload_len":54,"midstream":0,"ts_msec":1430069030748,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"10.188.1.1","src_port":24596,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Facebook","breed":"Fun","category":"SocialNetwork"},"dns": {"query":"api.facebook.com","num_queries":1,"num_answers":2,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"31.13.68.84"}}
00557{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":99,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":24,"flow_packets_processed":1,"flow_first_seen":1430069030751,"flow_last_seen":1430069030751,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1430069030751,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"31.13.68.84","src_port":45209,"dst_port":443,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
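Review bot: The regenerated expectation for flow 15 (packet_id 95) pins `"unsafe_cipher":0` next to `"cipher":"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA"`, and its `flow_risk` carries only the obsolete-TLS entry. RC4 suites are prohibited by RFC 7465, so a consumer that alerts on `unsafe_cipher` or on the "Weak TLS cipher" risk would not see this flow, whereas the AES-128-CBC flow earlier in the file gets both. The classification presumably comes from libnDPI rather than from this commit, which only turns the duplicated `issuerDN` key into `subjectDN`, but the golden file now locks that result in. It is worth a follow-up so RC4 suites are reported as weak and the expectation is regenerated as `"unsafe_cipher":1`. The context line for packet_id 91 shows the same value.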
@@ -119,7 +119,7 @@
00486{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":109,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":25,"flow_packet_id":1,"flow_last_seen":1430069030978,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":80,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":80,"pkt_l4_len":44,"ts_msec":1430069030978,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAAEAAAEAAQBHSHAoYUrwKvAEBTH4ANQAsPIiqhwEAAAEAAAAAAAAFZ3JhcGgIZmFjZWJvb2sDY29tAAABAAE="}
00731{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":109,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":25,"flow_packets_processed":1,"flow_first_seen":1430069030978,"flow_last_seen":1430069030978,"flow_idle_time":180000,"flow_min_l4_payload_len":36,"flow_max_l4_payload_len":36,"flow_tot_l4_payload_len":36,"flow_avg_l4_payload_len":36,"midstream":0,"ts_msec":1430069030978,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"10.188.1.1","src_port":19582,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Facebook","breed":"Fun","category":"SocialNetwork"},"dns": {"query":"graph.facebook.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
00899{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":111,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":24,"flow_packets_processed":6,"flow_first_seen":1430069030751,"flow_last_seen":1430069031001,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1388,"flow_tot_l4_payload_len":1951,"flow_avg_l4_payload_len":325,"midstream":0,"ts_msec":1430069031001,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"31.13.68.84","src_port":45209,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Facebook","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"api.facebook.com","ja3":"051d20e8adbe8dac78945de300764d5e","ja3s":"6806b8fe92d7d465715d771eb102ff04","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"}}
-01688{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":115,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":24,"flow_packets_processed":10,"flow_first_seen":1430069030751,"flow_last_seen":1430069031013,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1388,"flow_tot_l4_payload_len":4134,"flow_avg_l4_payload_len":413,"midstream":0,"ts_msec":1430069031013,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"31.13.68.84","src_port":45209,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Facebook","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"api.facebook.com","server_names":"*.facebook.com,facebook.com,*.fbsbx.com,*.fbcdn.net,*.xx.fbcdn.net,*.xy.fbcdn.net,fb.com,*.fb.com,*.facebookcorewwwi.onion,facebookcorewwwi.onion,*.fbcdn23dssr3jqnq.onion,fbcdn23dssr3jqnq.onion,*.fbsbx2q4mvcl63pw.onion,fbsbx2q4mvcl63pw.onion,*.m.facebook.com,*.messenger.com,messenger.com,*.m.facebookcorewwwi.onion,*.xx.fbcdn23dssr3jqnq.onion,xx.fbcdn23dssr3jqnq.onion,*.xy.fbcdn23dssr3jqnq.onion,xy.fbcdn23dssr3jqnq.onion,*.xz.fbcdn.net,xz.fbcdn.net,*.xz.fbcdn23dssr3jqnq.onion,xz.fbcdn23dssr3jqnq.onion,m.facebookcorewwwi.onion","ja3":"051d20e8adbe8dac78945de300764d5e","ja3s":"6806b8fe92d7d465715d771eb102ff04","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance CA-3","issuerDN":"C=US, ST=CA, L=Menlo Park, O=Facebook, Inc., CN=*.facebook.com","fingerprint":"A4:FB:65:F8:A1:57:FE:0D:C0:17:C1:B5:51:62:63:3A:18:73:A0:B4"}}
+01689{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":115,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":24,"flow_packets_processed":10,"flow_first_seen":1430069030751,"flow_last_seen":1430069031013,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1388,"flow_tot_l4_payload_len":4134,"flow_avg_l4_payload_len":413,"midstream":0,"ts_msec":1430069031013,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"31.13.68.84","src_port":45209,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Facebook","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"api.facebook.com","server_names":"*.facebook.com,facebook.com,*.fbsbx.com,*.fbcdn.net,*.xx.fbcdn.net,*.xy.fbcdn.net,fb.com,*.fb.com,*.facebookcorewwwi.onion,facebookcorewwwi.onion,*.fbcdn23dssr3jqnq.onion,fbcdn23dssr3jqnq.onion,*.fbsbx2q4mvcl63pw.onion,fbsbx2q4mvcl63pw.onion,*.m.facebook.com,*.messenger.com,messenger.com,*.m.facebookcorewwwi.onion,*.xx.fbcdn23dssr3jqnq.onion,xx.fbcdn23dssr3jqnq.onion,*.xy.fbcdn23dssr3jqnq.onion,xy.fbcdn23dssr3jqnq.onion,*.xz.fbcdn.net,xz.fbcdn.net,*.xz.fbcdn23dssr3jqnq.onion,xz.fbcdn23dssr3jqnq.onion,m.facebookcorewwwi.onion","ja3":"051d20e8adbe8dac78945de300764d5e","ja3s":"6806b8fe92d7d465715d771eb102ff04","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance CA-3","subjectDN":"C=US, ST=CA, L=Menlo Park, O=Facebook, Inc., CN=*.facebook.com","fingerprint":"A4:FB:65:F8:A1:57:FE:0D:C0:17:C1:B5:51:62:63:3A:18:73:A0:B4"}}
00565{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":117,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":25,"flow_packet_id":2,"flow_last_seen":1430069031017,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":138,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":138,"pkt_l4_len":102,"ts_msec":1430069031017,"pkt":"AAACEgAAAAAAAAAAAAAIAEUAAHocCwAANREA2Aq8AQEKGFK8ADVMfgBmmjSqh4GAAAEAAwAAAAAFZ3JhcGgIZmFjZWJvb2sDY29tAAABAAHADAAFAAEAAAVxAAYDYXBpwBLAMAAFAAEAAAV2AAwEc3RhcgRjMTBywBLAQgABAAEAAAARAAQfDURG"}
00744{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":117,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":25,"flow_packets_processed":2,"flow_first_seen":1430069030978,"flow_last_seen":1430069031017,"flow_idle_time":180000,"flow_min_l4_payload_len":36,"flow_max_l4_payload_len":94,"flow_tot_l4_payload_len":130,"flow_avg_l4_payload_len":65,"midstream":0,"ts_msec":1430069031017,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"10.188.1.1","src_port":19582,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Facebook","breed":"Fun","category":"SocialNetwork"},"dns": {"query":"graph.facebook.com","num_queries":1,"num_answers":3,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"31.13.68.70"}}
00558{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":119,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":26,"flow_packets_processed":1,"flow_first_seen":1430069031042,"flow_last_seen":1430069031042,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1430069031042,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"31.13.68.70","src_port":43581,"dst_port":443,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
@@ -131,7 +131,7 @@
00495{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":127,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":27,"flow_packet_id":1,"flow_last_seen":1430069031167,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":85,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":85,"pkt_l4_len":49,"ts_msec":1430069031167,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAAEUAAEAAQBHSFwoYUrwKvAEBD7EANQAxznCJ\/wEAAAEAAAAAAAAKZGV2ZWxvcGVycwhmYWNlYm9vawNjb20AAAEAAQ=="}
00735{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":127,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":27,"flow_packets_processed":1,"flow_first_seen":1430069031167,"flow_last_seen":1430069031167,"flow_idle_time":180000,"flow_min_l4_payload_len":41,"flow_max_l4_payload_len":41,"flow_tot_l4_payload_len":41,"flow_avg_l4_payload_len":41,"midstream":0,"ts_msec":1430069031167,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"10.188.1.1","src_port":4017,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Facebook","breed":"Fun","category":"SocialNetwork"},"dns": {"query":"developers.facebook.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
00901{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":132,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":26,"flow_packets_processed":7,"flow_first_seen":1430069031042,"flow_last_seen":1430069031203,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1280,"flow_tot_l4_payload_len":1845,"flow_avg_l4_payload_len":263,"midstream":0,"ts_msec":1430069031203,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"31.13.68.70","src_port":43581,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Facebook","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"graph.facebook.com","ja3":"051d20e8adbe8dac78945de300764d5e","ja3s":"6806b8fe92d7d465715d771eb102ff04","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"}}
-01690{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":138,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":26,"flow_packets_processed":12,"flow_first_seen":1430069031042,"flow_last_seen":1430069031220,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1280,"flow_tot_l4_payload_len":4136,"flow_avg_l4_payload_len":344,"midstream":0,"ts_msec":1430069031220,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"31.13.68.70","src_port":43581,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Facebook","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"graph.facebook.com","server_names":"*.facebook.com,facebook.com,*.fbsbx.com,*.fbcdn.net,*.xx.fbcdn.net,*.xy.fbcdn.net,fb.com,*.fb.com,*.facebookcorewwwi.onion,facebookcorewwwi.onion,*.fbcdn23dssr3jqnq.onion,fbcdn23dssr3jqnq.onion,*.fbsbx2q4mvcl63pw.onion,fbsbx2q4mvcl63pw.onion,*.m.facebook.com,*.messenger.com,messenger.com,*.m.facebookcorewwwi.onion,*.xx.fbcdn23dssr3jqnq.onion,xx.fbcdn23dssr3jqnq.onion,*.xy.fbcdn23dssr3jqnq.onion,xy.fbcdn23dssr3jqnq.onion,*.xz.fbcdn.net,xz.fbcdn.net,*.xz.fbcdn23dssr3jqnq.onion,xz.fbcdn23dssr3jqnq.onion,m.facebookcorewwwi.onion","ja3":"051d20e8adbe8dac78945de300764d5e","ja3s":"6806b8fe92d7d465715d771eb102ff04","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance CA-3","issuerDN":"C=US, ST=CA, L=Menlo Park, O=Facebook, Inc., CN=*.facebook.com","fingerprint":"A4:FB:65:F8:A1:57:FE:0D:C0:17:C1:B5:51:62:63:3A:18:73:A0:B4"}}
+01691{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":138,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":26,"flow_packets_processed":12,"flow_first_seen":1430069031042,"flow_last_seen":1430069031220,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1280,"flow_tot_l4_payload_len":4136,"flow_avg_l4_payload_len":344,"midstream":0,"ts_msec":1430069031220,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"31.13.68.70","src_port":43581,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Facebook","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"graph.facebook.com","server_names":"*.facebook.com,facebook.com,*.fbsbx.com,*.fbcdn.net,*.xx.fbcdn.net,*.xy.fbcdn.net,fb.com,*.fb.com,*.facebookcorewwwi.onion,facebookcorewwwi.onion,*.fbcdn23dssr3jqnq.onion,fbcdn23dssr3jqnq.onion,*.fbsbx2q4mvcl63pw.onion,fbsbx2q4mvcl63pw.onion,*.m.facebook.com,*.messenger.com,messenger.com,*.m.facebookcorewwwi.onion,*.xx.fbcdn23dssr3jqnq.onion,xx.fbcdn23dssr3jqnq.onion,*.xy.fbcdn23dssr3jqnq.onion,xy.fbcdn23dssr3jqnq.onion,*.xz.fbcdn.net,xz.fbcdn.net,*.xz.fbcdn23dssr3jqnq.onion,xz.fbcdn23dssr3jqnq.onion,m.facebookcorewwwi.onion","ja3":"051d20e8adbe8dac78945de300764d5e","ja3s":"6806b8fe92d7d465715d771eb102ff04","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance CA-3","subjectDN":"C=US, ST=CA, L=Menlo Park, O=Facebook, Inc., CN=*.facebook.com","fingerprint":"A4:FB:65:F8:A1:57:FE:0D:C0:17:C1:B5:51:62:63:3A:18:73:A0:B4"}}
00574{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":139,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":27,"flow_packet_id":2,"flow_last_seen":1430069031221,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":144,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":144,"pkt_l4_len":108,"ts_msec":1430069031221,"pkt":"AAACEgAAAAAAAAAAAAAIAEUAAIDtrgAANREvLgq8AQEKGFK8ADUPsQBsjjKJ\/4GAAAEAAwAAAAAKZGV2ZWxvcGVycwhmYWNlYm9vawNjb20AAAEAAcAMAAUAAQAAA+oABwRzdGFywBfANQAFAAEAAAPqAAwEc3RhcgRjMTBywBfASAABAAEAAAAIAAQfDURU"}
00749{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":139,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":27,"flow_packets_processed":2,"flow_first_seen":1430069031167,"flow_last_seen":1430069031221,"flow_idle_time":180000,"flow_min_l4_payload_len":41,"flow_max_l4_payload_len":100,"flow_tot_l4_payload_len":141,"flow_avg_l4_payload_len":70,"midstream":0,"ts_msec":1430069031221,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"10.188.1.1","src_port":4017,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Facebook","breed":"Fun","category":"SocialNetwork"},"dns": {"query":"developers.facebook.com","num_queries":1,"num_answers":3,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"31.13.68.84"}}
00559{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":144,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":28,"flow_packets_processed":1,"flow_first_seen":1430069031230,"flow_last_seen":1430069031230,"flow_idle_time":180000,"flow_min_l4_payload_len":43,"flow_max_l4_payload_len":43,"flow_tot_l4_payload_len":43,"flow_avg_l4_payload_len":43,"midstream":0,"ts_msec":1430069031230,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"10.188.1.1","src_port":14650,"dst_port":53,"l4_proto":"udp","flow_datalink":113,"flow_max_packets":3}
@@ -145,7 +145,7 @@
00456{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":149,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":29,"flow_packet_id":3,"flow_last_seen":1430069031284,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":56,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":56,"pkt_l4_len":20,"ts_msec":1430069031284,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAAChjD0AAPwYYjAoYUrwfDURUsJsBu8tPaERicJ5RUBA5CM\/qAAA="}
00848{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":150,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":29,"flow_packets_processed":4,"flow_first_seen":1430069031236,"flow_last_seen":1430069031286,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":570,"flow_tot_l4_payload_len":570,"flow_avg_l4_payload_len":142,"midstream":0,"ts_msec":1430069031286,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"31.13.68.84","src_port":45211,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Facebook","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"developers.facebook.com","ja3":"051d20e8adbe8dac78945de300764d5e","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
00906{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":161,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":29,"flow_packets_processed":7,"flow_first_seen":1430069031236,"flow_last_seen":1430069031391,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1280,"flow_tot_l4_payload_len":1850,"flow_avg_l4_payload_len":264,"midstream":0,"ts_msec":1430069031391,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"31.13.68.84","src_port":45211,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Facebook","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"developers.facebook.com","ja3":"051d20e8adbe8dac78945de300764d5e","ja3s":"6806b8fe92d7d465715d771eb102ff04","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"}}
-01695{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":164,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":29,"flow_packets_processed":10,"flow_first_seen":1430069031236,"flow_last_seen":1430069031408,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1280,"flow_tot_l4_payload_len":4141,"flow_avg_l4_payload_len":414,"midstream":0,"ts_msec":1430069031408,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"31.13.68.84","src_port":45211,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Facebook","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"developers.facebook.com","server_names":"*.facebook.com,facebook.com,*.fbsbx.com,*.fbcdn.net,*.xx.fbcdn.net,*.xy.fbcdn.net,fb.com,*.fb.com,*.facebookcorewwwi.onion,facebookcorewwwi.onion,*.fbcdn23dssr3jqnq.onion,fbcdn23dssr3jqnq.onion,*.fbsbx2q4mvcl63pw.onion,fbsbx2q4mvcl63pw.onion,*.m.facebook.com,*.messenger.com,messenger.com,*.m.facebookcorewwwi.onion,*.xx.fbcdn23dssr3jqnq.onion,xx.fbcdn23dssr3jqnq.onion,*.xy.fbcdn23dssr3jqnq.onion,xy.fbcdn23dssr3jqnq.onion,*.xz.fbcdn.net,xz.fbcdn.net,*.xz.fbcdn23dssr3jqnq.onion,xz.fbcdn23dssr3jqnq.onion,m.facebookcorewwwi.onion","ja3":"051d20e8adbe8dac78945de300764d5e","ja3s":"6806b8fe92d7d465715d771eb102ff04","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance CA-3","issuerDN":"C=US, ST=CA, L=Menlo Park, O=Facebook, Inc., CN=*.facebook.com","fingerprint":"A4:FB:65:F8:A1:57:FE:0D:C0:17:C1:B5:51:62:63:3A:18:73:A0:B4"}}
+01696{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":164,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":29,"flow_packets_processed":10,"flow_first_seen":1430069031236,"flow_last_seen":1430069031408,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1280,"flow_tot_l4_payload_len":4141,"flow_avg_l4_payload_len":414,"midstream":0,"ts_msec":1430069031408,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"31.13.68.84","src_port":45211,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Facebook","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"developers.facebook.com","server_names":"*.facebook.com,facebook.com,*.fbsbx.com,*.fbcdn.net,*.xx.fbcdn.net,*.xy.fbcdn.net,fb.com,*.fb.com,*.facebookcorewwwi.onion,facebookcorewwwi.onion,*.fbcdn23dssr3jqnq.onion,fbcdn23dssr3jqnq.onion,*.fbsbx2q4mvcl63pw.onion,fbsbx2q4mvcl63pw.onion,*.m.facebook.com,*.messenger.com,messenger.com,*.m.facebookcorewwwi.onion,*.xx.fbcdn23dssr3jqnq.onion,xx.fbcdn23dssr3jqnq.onion,*.xy.fbcdn23dssr3jqnq.onion,xy.fbcdn23dssr3jqnq.onion,*.xz.fbcdn.net,xz.fbcdn.net,*.xz.fbcdn23dssr3jqnq.onion,xz.fbcdn23dssr3jqnq.onion,m.facebookcorewwwi.onion","ja3":"051d20e8adbe8dac78945de300764d5e","ja3s":"6806b8fe92d7d465715d771eb102ff04","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance CA-3","subjectDN":"C=US, ST=CA, L=Menlo Park, O=Facebook, Inc., CN=*.facebook.com","fingerprint":"A4:FB:65:F8:A1:57:FE:0D:C0:17:C1:B5:51:62:63:3A:18:73:A0:B4"}}
00566{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":186,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":30,"flow_packets_processed":1,"flow_first_seen":1430069031611,"flow_last_seen":1430069031611,"flow_idle_time":7440000,"flow_min_l4_payload_len":45,"flow_max_l4_payload_len":45,"flow_tot_l4_payload_len":45,"flow_avg_l4_payload_len":45,"midstream":1,"ts_msec":1430069031611,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"54.255.253.199","src_port":58927,"dst_port":5223,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
00537{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":186,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":30,"flow_packet_id":1,"flow_last_seen":1430069031611,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":113,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":113,"pkt_l4_len":77,"ts_msec":1430069031611,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAAGHTnUAAQAbVXgoYUrw2\/\/3H5i8UZ+uf0VkGiXPCgBgCYxkQAAABAQgKAAKTKDTnT0kXAwEAKNOo\/lFrrxEtj1oyrBEybZXAvF7754xqLjvuYfV0gCpDpumAA3\/lW60="}
00561{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":210,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":31,"flow_packets_processed":1,"flow_first_seen":1430069035398,"flow_last_seen":1430069035398,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1430069035398,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"210.103.240.15","src_port":42332,"dst_port":443,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
@@ -167,9 +167,9 @@
00456{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":230,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":34,"flow_packet_id":3,"flow_last_seen":1430069036113,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":56,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":56,"pkt_l4_len":20,"ts_msec":1430069036113,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAACgqS0AAPwalsgoYUryt\/GECircBu1PEJ3tm6OliUBA5CLL8AAA="}
00826{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":231,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":34,"flow_packets_processed":4,"flow_first_seen":1430069036068,"flow_last_seen":1430069036116,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":184,"flow_tot_l4_payload_len":184,"flow_avg_l4_payload_len":46,"midstream":0,"ts_msec":1430069036116,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"173.252.97.2","src_port":35511,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Facebook","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"dff8a0aa1c904aaea76c5bf624e88333","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
00877{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":232,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":33,"flow_packets_processed":7,"flow_first_seen":1430069035967,"flow_last_seen":1430069036121,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1280,"flow_tot_l4_payload_len":1464,"flow_avg_l4_payload_len":209,"midstream":0,"ts_msec":1430069036121,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"31.13.68.84","src_port":45213,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Facebook","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"dff8a0aa1c904aaea76c5bf624e88333","ja3s":"6c13ac74a6f75099ef2480748e5d94d2","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA"}}
-01666{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":240,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":33,"flow_packets_processed":13,"flow_first_seen":1430069035967,"flow_last_seen":1430069036179,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1280,"flow_tot_l4_payload_len":3732,"flow_avg_l4_payload_len":287,"midstream":0,"ts_msec":1430069036179,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"31.13.68.84","src_port":45213,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Facebook","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.facebook.com,facebook.com,*.fbsbx.com,*.fbcdn.net,*.xx.fbcdn.net,*.xy.fbcdn.net,fb.com,*.fb.com,*.facebookcorewwwi.onion,facebookcorewwwi.onion,*.fbcdn23dssr3jqnq.onion,fbcdn23dssr3jqnq.onion,*.fbsbx2q4mvcl63pw.onion,fbsbx2q4mvcl63pw.onion,*.m.facebook.com,*.messenger.com,messenger.com,*.m.facebookcorewwwi.onion,*.xx.fbcdn23dssr3jqnq.onion,xx.fbcdn23dssr3jqnq.onion,*.xy.fbcdn23dssr3jqnq.onion,xy.fbcdn23dssr3jqnq.onion,*.xz.fbcdn.net,xz.fbcdn.net,*.xz.fbcdn23dssr3jqnq.onion,xz.fbcdn23dssr3jqnq.onion,m.facebookcorewwwi.onion","ja3":"dff8a0aa1c904aaea76c5bf624e88333","ja3s":"6c13ac74a6f75099ef2480748e5d94d2","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance CA-3","issuerDN":"C=US, ST=CA, L=Menlo Park, O=Facebook, Inc., CN=*.facebook.com","fingerprint":"A4:FB:65:F8:A1:57:FE:0D:C0:17:C1:B5:51:62:63:3A:18:73:A0:B4"}}
+01667{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":240,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":33,"flow_packets_processed":13,"flow_first_seen":1430069035967,"flow_last_seen":1430069036179,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1280,"flow_tot_l4_payload_len":3732,"flow_avg_l4_payload_len":287,"midstream":0,"ts_msec":1430069036179,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"31.13.68.84","src_port":45213,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Facebook","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.facebook.com,facebook.com,*.fbsbx.com,*.fbcdn.net,*.xx.fbcdn.net,*.xy.fbcdn.net,fb.com,*.fb.com,*.facebookcorewwwi.onion,facebookcorewwwi.onion,*.fbcdn23dssr3jqnq.onion,fbcdn23dssr3jqnq.onion,*.fbsbx2q4mvcl63pw.onion,fbsbx2q4mvcl63pw.onion,*.m.facebook.com,*.messenger.com,messenger.com,*.m.facebookcorewwwi.onion,*.xx.fbcdn23dssr3jqnq.onion,xx.fbcdn23dssr3jqnq.onion,*.xy.fbcdn23dssr3jqnq.onion,xy.fbcdn23dssr3jqnq.onion,*.xz.fbcdn.net,xz.fbcdn.net,*.xz.fbcdn23dssr3jqnq.onion,xz.fbcdn23dssr3jqnq.onion,m.facebookcorewwwi.onion","ja3":"dff8a0aa1c904aaea76c5bf624e88333","ja3s":"6c13ac74a6f75099ef2480748e5d94d2","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance CA-3","subjectDN":"C=US, ST=CA, L=Menlo Park, O=Facebook, Inc., CN=*.facebook.com","fingerprint":"A4:FB:65:F8:A1:57:FE:0D:C0:17:C1:B5:51:62:63:3A:18:73:A0:B4"}}
00878{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":258,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":34,"flow_packets_processed":7,"flow_first_seen":1430069036068,"flow_last_seen":1430069036608,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1280,"flow_tot_l4_payload_len":1464,"flow_avg_l4_payload_len":209,"midstream":0,"ts_msec":1430069036608,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"173.252.97.2","src_port":35511,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Facebook","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"dff8a0aa1c904aaea76c5bf624e88333","ja3s":"6c13ac74a6f75099ef2480748e5d94d2","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA"}}
-01666{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":260,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":34,"flow_packets_processed":9,"flow_first_seen":1430069036068,"flow_last_seen":1430069036612,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1280,"flow_tot_l4_payload_len":3731,"flow_avg_l4_payload_len":414,"midstream":0,"ts_msec":1430069036612,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"173.252.97.2","src_port":35511,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Facebook","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.facebook.com,facebook.com,*.fbsbx.com,*.fbcdn.net,*.xx.fbcdn.net,*.xy.fbcdn.net,fb.com,*.fb.com,*.facebookcorewwwi.onion,facebookcorewwwi.onion,*.fbcdn23dssr3jqnq.onion,fbcdn23dssr3jqnq.onion,*.fbsbx2q4mvcl63pw.onion,fbsbx2q4mvcl63pw.onion,*.m.facebook.com,*.messenger.com,messenger.com,*.m.facebookcorewwwi.onion,*.xx.fbcdn23dssr3jqnq.onion,xx.fbcdn23dssr3jqnq.onion,*.xy.fbcdn23dssr3jqnq.onion,xy.fbcdn23dssr3jqnq.onion,*.xz.fbcdn.net,xz.fbcdn.net,*.xz.fbcdn23dssr3jqnq.onion,xz.fbcdn23dssr3jqnq.onion,m.facebookcorewwwi.onion","ja3":"dff8a0aa1c904aaea76c5bf624e88333","ja3s":"6c13ac74a6f75099ef2480748e5d94d2","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance CA-3","issuerDN":"C=US, ST=CA, L=Menlo Park, O=Facebook, Inc., CN=*.facebook.com","fingerprint":"A4:FB:65:F8:A1:57:FE:0D:C0:17:C1:B5:51:62:63:3A:18:73:A0:B4"}}
+01667{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":260,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":34,"flow_packets_processed":9,"flow_first_seen":1430069036068,"flow_last_seen":1430069036612,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1280,"flow_tot_l4_payload_len":3731,"flow_avg_l4_payload_len":414,"midstream":0,"ts_msec":1430069036612,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"173.252.97.2","src_port":35511,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Facebook","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.facebook.com,facebook.com,*.fbsbx.com,*.fbcdn.net,*.xx.fbcdn.net,*.xy.fbcdn.net,fb.com,*.fb.com,*.facebookcorewwwi.onion,facebookcorewwwi.onion,*.fbcdn23dssr3jqnq.onion,fbcdn23dssr3jqnq.onion,*.fbsbx2q4mvcl63pw.onion,fbsbx2q4mvcl63pw.onion,*.m.facebook.com,*.messenger.com,messenger.com,*.m.facebookcorewwwi.onion,*.xx.fbcdn23dssr3jqnq.onion,xx.fbcdn23dssr3jqnq.onion,*.xy.fbcdn23dssr3jqnq.onion,xy.fbcdn23dssr3jqnq.onion,*.xz.fbcdn.net,xz.fbcdn.net,*.xz.fbcdn23dssr3jqnq.onion,xz.fbcdn23dssr3jqnq.onion,m.facebookcorewwwi.onion","ja3":"dff8a0aa1c904aaea76c5bf624e88333","ja3s":"6c13ac74a6f75099ef2480748e5d94d2","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance CA-3","subjectDN":"C=US, ST=CA, L=Menlo Park, O=Facebook, Inc., CN=*.facebook.com","fingerprint":"A4:FB:65:F8:A1:57:FE:0D:C0:17:C1:B5:51:62:63:3A:18:73:A0:B4"}}
00568{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":293,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":35,"flow_packets_processed":1,"flow_first_seen":1430069044758,"flow_last_seen":1430069044758,"flow_idle_time":7440000,"flow_min_l4_payload_len":247,"flow_max_l4_payload_len":247,"flow_tot_l4_payload_len":247,"flow_avg_l4_payload_len":247,"midstream":1,"ts_msec":1430069044758,"l3_proto":"ip4","src_ip":"139.150.0.125","dst_ip":"10.24.82.188","src_port":443,"dst_port":46947,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
00796{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":293,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":35,"flow_packet_id":1,"flow_last_seen":1430069044758,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":303,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":303,"pkt_l4_len":267,"ts_msec":1430069044758,"pkt":"AAACEgAAAAAAAAAAAAAIAEUAAR8KJUAAjgb4zIuWAH0KGFK8Abu3Y2Ij0KVRKAPiUBigLueuAADzAAAApDlIVrVdqRc+Gkt7POZ3i2OlkuY4MMfPTZY9G4U0YFfr\/Io7pOCQe3JDBNAmPdEpHGIlOOWztPzNgfmCZdfJbXa\/FjyLrCbe\/cKrmuhEYDyIPsoQcOHY3YFPdOkSmKChheXsyu06po9uQ1CWTJDZfqoByGUY9M3+\/torvsssHclmFyrgMhiQBPDR+\/p96Y\/\/sK6VRP8W+SfBO5i7Jg3brhWvS81m7IbytFR73ZERAlFn0QejuZzhem715ywfbXU8ySrwRBK2cs3ywClzqW\/s7h0teJNcn45XHRR+Z0ZTPA29+kHM57k5C1faf1I\/3jeLMDw\/"}
00455{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":295,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":35,"flow_packet_id":2,"flow_last_seen":1430069044836,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":56,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":56,"pkt_l4_len":20,"ts_msec":1430069044836,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAACjTekAAQAZ+bgoYUryLlgB9t2MBu1EoA+JiI9GcUBCIgOkBAAA="}
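Review bot: The removed expectations for packet_id 240 and 260 held two `issuerDN` keys in one `tls` object and were still stored as the golden result, so nothing in the test run appears to reject duplicate JSON keys. Most parsers silently keep the last value, so a consumer of the old output would have read the certificate subject as the issuer, which matters for any rule that matches on the issuing CA. The rename to `subjectDN` fixes the emitted event, but the result check should also fail on a repeated key within one object, for example by loading each event with a parser hook that raises on duplicates. That check would presumably live in the test harness, which is outside this hunk.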
@@ -184,7 +184,7 @@
00485{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":342,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":38,"flow_packet_id":1,"flow_last_seen":1430069072986,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":76,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":76,"pkt_l4_len":40,"ts_msec":1430069072986,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAADwsMEAAQAZ88QoYUrw2\/\/3H5lQUZzqvj2AAAAAAoAI2sJHJAAACBAV4BAIICgACo1AAAAAAAQMDBQ=="}
00485{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":343,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":38,"flow_packet_id":2,"flow_last_seen":1430069073186,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":76,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":76,"pkt_l4_len":40,"ts_msec":1430069073186,"pkt":"AAACEgAAAAAAAAAAAAAIAEUAADwAAEAALQa8ITb\/\/ccKGFK8FGfmVG+Fj0U6r49hoBJF6jkFAAACBAV4BAIICjTom84AAqNQAQMDCA=="}
00473{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":344,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":38,"flow_packet_id":3,"flow_last_seen":1430069073186,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"ts_msec":1430069073186,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAADQsMUAAQAZ8+AoYUrw2\/\/3H5lQUZzqvj2FvhY9GgBABtpHBAAABAQgKAAKjZTTom84="}
-00864{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":345,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":38,"flow_packets_processed":4,"flow_first_seen":1430069072986,"flow_last_seen":1430069073201,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":78,"flow_tot_l4_payload_len":78,"flow_avg_l4_payload_len":19,"midstream":0,"ts_msec":1430069073201,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"54.255.253.199","src_port":58964,"dst_port":5223,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"d9ce50c62ab1fd5932da3c6b6d406c65","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
+00869{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":345,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":38,"flow_packets_processed":4,"flow_first_seen":1430069072986,"flow_last_seen":1430069073201,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":78,"flow_tot_l4_payload_len":78,"flow_avg_l4_payload_len":19,"midstream":0,"ts_msec":1430069073201,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"54.255.253.199","src_port":58964,"dst_port":5223,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"d9ce50c62ab1fd5932da3c6b6d406c65","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
00560{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":347,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":2,"flow_first_seen":1430069022058,"flow_last_seen":1430069022094,"flow_idle_time":180000,"flow_min_l4_payload_len":40,"flow_max_l4_payload_len":86,"flow_tot_l4_payload_len":126,"flow_avg_l4_payload_len":63,"midstream":0,"ts_msec":1430069073299,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"10.188.1.1","src_port":41909,"dst_port":53,"l4_proto":"udp","flow_datalink":113,"flow_max_packets":3}
00563{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":347,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":21,"flow_packets_processed":10,"flow_first_seen":1430069030508,"flow_last_seen":1430069052317,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":283,"flow_tot_l4_payload_len":470,"flow_avg_l4_payload_len":47,"midstream":0,"ts_msec":1430069073299,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"31.13.68.84","src_port":37553,"dst_port":80,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
00563{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":347,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":32,"flow_packets_processed":11,"flow_first_seen":1430069035840,"flow_last_seen":1430069057806,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":283,"flow_tot_l4_payload_len":470,"flow_avg_l4_payload_len":42,"midstream":0,"ts_msec":1430069073299,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"31.13.68.84","src_port":37557,"dst_port":80,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
@@ -192,7 +192,7 @@
00568{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":347,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":26,"flow_packets_processed":34,"flow_first_seen":1430069031042,"flow_last_seen":1430069032022,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1280,"flow_tot_l4_payload_len":7723,"flow_avg_l4_payload_len":227,"midstream":0,"ts_msec":1430069073299,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"31.13.68.70","src_port":43581,"dst_port":443,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
00569{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":347,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":15,"flow_packets_processed":38,"flow_first_seen":1430069026370,"flow_last_seen":1430069037135,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1280,"flow_tot_l4_payload_len":5411,"flow_avg_l4_payload_len":142,"midstream":0,"ts_msec":1430069073299,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"173.252.97.2","src_port":35503,"dst_port":443,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
00569{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":347,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":34,"flow_packets_processed":36,"flow_first_seen":1430069036068,"flow_last_seen":1430069065046,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1280,"flow_tot_l4_payload_len":5108,"flow_avg_l4_payload_len":141,"midstream":0,"ts_msec":1430069073299,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"173.252.97.2","src_port":35511,"dst_port":443,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
-00597{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":347,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":30,"flow_packets_processed":2,"flow_first_seen":1430069031611,"flow_last_seen":1430069072945,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":45,"flow_tot_l4_payload_len":45,"flow_avg_l4_payload_len":22,"midstream":1,"ts_msec":1430069073299,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"54.255.253.199","src_port":58927,"dst_port":5223,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"}}
+00602{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":347,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":30,"flow_packets_processed":2,"flow_first_seen":1430069031611,"flow_last_seen":1430069072945,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":45,"flow_tot_l4_payload_len":45,"flow_avg_l4_payload_len":22,"midstream":1,"ts_msec":1430069073299,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"54.255.253.199","src_port":58927,"dst_port":5223,"l4_proto":"tcp","ndpi": {"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"}}
00565{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":347,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":30,"flow_packets_processed":2,"flow_first_seen":1430069031611,"flow_last_seen":1430069072945,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":45,"flow_tot_l4_payload_len":45,"flow_avg_l4_payload_len":22,"midstream":1,"ts_msec":1430069073299,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"54.255.253.199","src_port":58927,"dst_port":5223,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
00571{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":347,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":38,"flow_packets_processed":6,"flow_first_seen":1430069072986,"flow_last_seen":1430069073299,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1388,"flow_tot_l4_payload_len":1466,"flow_avg_l4_payload_len":244,"midstream":0,"ts_msec":1430069073299,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"54.255.253.199","src_port":58964,"dst_port":5223,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
00560{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":347,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":2,"flow_first_seen":1430069022059,"flow_last_seen":1430069022093,"flow_idle_time":180000,"flow_min_l4_payload_len":32,"flow_max_l4_payload_len":70,"flow_tot_l4_payload_len":102,"flow_avg_l4_payload_len":51,"midstream":0,"ts_msec":1430069073299,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"10.188.1.1","src_port":58810,"dst_port":53,"l4_proto":"udp","flow_datalink":113,"flow_max_packets":3}
@@ -207,7 +207,7 @@
00536{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":347,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":19,"flow_packets_processed":1,"flow_first_seen":1430069030119,"flow_last_seen":1430069030119,"flow_idle_time":120000,"flow_min_l4_payload_len":111,"flow_max_l4_payload_len":111,"flow_tot_l4_payload_len":111,"flow_avg_l4_payload_len":111,"midstream":0,"ts_msec":1430069073299,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"10.188.191.1","l4_proto":"icmp","flow_datalink":113,"flow_max_packets":3}
00561{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":347,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":23,"flow_packets_processed":2,"flow_first_seen":1430069030703,"flow_last_seen":1430069030748,"flow_idle_time":180000,"flow_min_l4_payload_len":34,"flow_max_l4_payload_len":74,"flow_tot_l4_payload_len":108,"flow_avg_l4_payload_len":54,"midstream":0,"ts_msec":1430069073299,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"10.188.1.1","src_port":24596,"dst_port":53,"l4_proto":"udp","flow_datalink":113,"flow_max_packets":3}
00560{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":347,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":12,"flow_packets_processed":2,"flow_first_seen":1430069022252,"flow_last_seen":1430069022295,"flow_idle_time":180000,"flow_min_l4_payload_len":37,"flow_max_l4_payload_len":53,"flow_tot_l4_payload_len":90,"flow_avg_l4_payload_len":45,"midstream":0,"ts_msec":1430069073299,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"10.188.1.1","src_port":43077,"dst_port":53,"l4_proto":"udp","flow_datalink":113,"flow_max_packets":3}
-00599{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":347,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":37,"flow_packets_processed":1,"flow_first_seen":1430069060011,"flow_last_seen":1430069060011,"flow_idle_time":7440000,"flow_min_l4_payload_len":27,"flow_max_l4_payload_len":27,"flow_tot_l4_payload_len":27,"flow_avg_l4_payload_len":27,"midstream":1,"ts_msec":1430069073299,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"216.58.220.174","src_port":49217,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"}}
+00597{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":347,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":37,"flow_packets_processed":1,"flow_first_seen":1430069060011,"flow_last_seen":1430069060011,"flow_idle_time":7440000,"flow_min_l4_payload_len":27,"flow_max_l4_payload_len":27,"flow_tot_l4_payload_len":27,"flow_avg_l4_payload_len":27,"midstream":1,"ts_msec":1430069073299,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"216.58.220.174","src_port":49217,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Web"}}
00566{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":347,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":37,"flow_packets_processed":1,"flow_first_seen":1430069060011,"flow_last_seen":1430069060011,"flow_idle_time":7440000,"flow_min_l4_payload_len":27,"flow_max_l4_payload_len":27,"flow_tot_l4_payload_len":27,"flow_avg_l4_payload_len":27,"midstream":1,"ts_msec":1430069073299,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"216.58.220.174","src_port":49217,"dst_port":443,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
00601{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":347,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":13,"flow_packets_processed":26,"flow_first_seen":1430069022297,"flow_last_seen":1430069069068,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":589,"flow_tot_l4_payload_len":2142,"flow_avg_l4_payload_len":82,"midstream":0,"ts_msec":1430069073299,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"103.246.57.251","src_port":51021,"dst_port":8080,"l4_proto":"tcp","ndpi": {"proto":"HTTP_Proxy","breed":"Acceptable","category":"Web"}}
00570{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":347,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":13,"flow_packets_processed":26,"flow_first_seen":1430069022297,"flow_last_seen":1430069069068,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":589,"flow_tot_l4_payload_len":2142,"flow_avg_l4_payload_len":82,"midstream":0,"ts_msec":1430069073299,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"103.246.57.251","src_port":51021,"dst_port":8080,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
@@ -218,7 +218,7 @@
00561{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":347,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":11,"flow_packets_processed":2,"flow_first_seen":1430069022252,"flow_last_seen":1430069022295,"flow_idle_time":180000,"flow_min_l4_payload_len":38,"flow_max_l4_payload_len":82,"flow_tot_l4_payload_len":120,"flow_avg_l4_payload_len":60,"midstream":0,"ts_msec":1430069073299,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"10.188.1.1","src_port":25117,"dst_port":53,"l4_proto":"udp","flow_datalink":113,"flow_max_packets":3}
00597{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":347,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":22,"flow_packets_processed":4,"flow_first_seen":1430069030557,"flow_last_seen":1430069030591,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":27,"flow_tot_l4_payload_len":27,"flow_avg_l4_payload_len":6,"midstream":1,"ts_msec":1430069073299,"l3_proto":"ip4","src_ip":"31.13.68.73","dst_ip":"10.24.82.188","src_port":443,"dst_port":47007,"l4_proto":"tcp","ndpi": {"proto":"TLS.Facebook","breed":"Fun","category":"SocialNetwork"}}
00560{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":347,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":22,"flow_packets_processed":4,"flow_first_seen":1430069030557,"flow_last_seen":1430069030591,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":27,"flow_tot_l4_payload_len":27,"flow_avg_l4_payload_len":6,"midstream":1,"ts_msec":1430069073299,"l3_proto":"ip4","src_ip":"31.13.68.73","dst_ip":"10.24.82.188","src_port":443,"dst_port":47007,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
-00600{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":347,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":36,"flow_packets_processed":1,"flow_first_seen":1430069049770,"flow_last_seen":1430069049770,"flow_idle_time":7440000,"flow_min_l4_payload_len":96,"flow_max_l4_payload_len":96,"flow_tot_l4_payload_len":96,"flow_avg_l4_payload_len":96,"midstream":1,"ts_msec":1430069073299,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"173.194.72.188","src_port":34686,"dst_port":5228,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"}}
+00598{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":347,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":36,"flow_packets_processed":1,"flow_first_seen":1430069049770,"flow_last_seen":1430069049770,"flow_idle_time":7440000,"flow_min_l4_payload_len":96,"flow_max_l4_payload_len":96,"flow_tot_l4_payload_len":96,"flow_avg_l4_payload_len":96,"midstream":1,"ts_msec":1430069073299,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"173.194.72.188","src_port":34686,"dst_port":5228,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Web"}}
00567{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":347,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":36,"flow_packets_processed":1,"flow_first_seen":1430069049770,"flow_last_seen":1430069049770,"flow_idle_time":7440000,"flow_min_l4_payload_len":96,"flow_max_l4_payload_len":96,"flow_tot_l4_payload_len":96,"flow_avg_l4_payload_len":96,"midstream":1,"ts_msec":1430069073299,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"173.194.72.188","src_port":34686,"dst_port":5228,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
00560{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":347,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":2,"flow_first_seen":1430069022059,"flow_last_seen":1430069022094,"flow_idle_time":180000,"flow_min_l4_payload_len":37,"flow_max_l4_payload_len":80,"flow_tot_l4_payload_len":117,"flow_avg_l4_payload_len":58,"midstream":0,"ts_msec":1430069073299,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"10.188.1.1","src_port":12908,"dst_port":53,"l4_proto":"udp","flow_datalink":113,"flow_max_packets":3}
00580{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":347,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":31,"flow_packets_processed":5,"flow_first_seen":1430069035398,"flow_last_seen":1430069048679,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1430069073299,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"210.103.240.15","src_port":42332,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"}}
@@ -227,7 +227,7 @@
00568{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":347,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":24,"flow_packets_processed":19,"flow_first_seen":1430069030751,"flow_last_seen":1430069031522,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1388,"flow_tot_l4_payload_len":6399,"flow_avg_l4_payload_len":336,"midstream":0,"ts_msec":1430069073299,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"31.13.68.84","src_port":45209,"dst_port":443,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
00568{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":347,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":29,"flow_packets_processed":29,"flow_first_seen":1430069031236,"flow_last_seen":1430069031782,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1280,"flow_tot_l4_payload_len":7425,"flow_avg_l4_payload_len":256,"midstream":0,"ts_msec":1430069073299,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"31.13.68.84","src_port":45211,"dst_port":443,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
00568{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":347,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":33,"flow_packets_processed":28,"flow_first_seen":1430069035967,"flow_last_seen":1430069036831,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1280,"flow_tot_l4_payload_len":5965,"flow_avg_l4_payload_len":213,"midstream":0,"ts_msec":1430069073299,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"31.13.68.84","src_port":45213,"dst_port":443,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
-00606{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":347,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":14,"flow_first_seen":1430069026012,"flow_last_seen":1430069051765,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1430069073299,"l3_proto":"ip4","src_ip":"216.58.221.10","dst_ip":"10.24.82.188","src_port":80,"dst_port":35922,"l4_proto":"tcp","ndpi": {"proto":"HTTP.Google","breed":"Tracker\/Ads","category":"Web"},"http": {}}
+00604{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":347,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":14,"flow_first_seen":1430069026012,"flow_last_seen":1430069051765,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1430069073299,"l3_proto":"ip4","src_ip":"216.58.221.10","dst_ip":"10.24.82.188","src_port":80,"dst_port":35922,"l4_proto":"tcp","ndpi": {"proto":"HTTP.Google","breed":"Acceptable","category":"Web"},"http": {}}
00560{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":347,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":14,"flow_first_seen":1430069026012,"flow_last_seen":1430069051765,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1430069073299,"l3_proto":"ip4","src_ip":"216.58.221.10","dst_ip":"10.24.82.188","src_port":80,"dst_port":35922,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
00586{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":347,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":35,"flow_packets_processed":18,"flow_first_seen":1430069044758,"flow_last_seen":1430069069274,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":247,"flow_tot_l4_payload_len":1401,"flow_avg_l4_payload_len":77,"midstream":1,"ts_msec":1430069073299,"l3_proto":"ip4","src_ip":"139.150.0.125","dst_ip":"10.24.82.188","src_port":443,"dst_port":46947,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"}}
00568{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":347,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":35,"flow_packets_processed":18,"flow_first_seen":1430069044758,"flow_last_seen":1430069069274,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":247,"flow_tot_l4_payload_len":1401,"flow_avg_l4_payload_len":77,"midstream":1,"ts_msec":1430069073299,"l3_proto":"ip4","src_ip":"139.150.0.125","dst_ip":"10.24.82.188","src_port":443,"dst_port":46947,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
@@ -241,10 +241,10 @@
~~ total active/idle flows...: 38/38
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 2111802 bytes
-~~ total memory freed........: 2111802 bytes
-~~ total allocations/frees...: 36006/36006
+~~ total memory allocated....: 4758429 bytes
+~~ total memory freed........: 4758429 bytes
+~~ total allocations/frees...: 100202/100202
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 170 chars
-~~ json string max len.......: 1700 chars
-~~ json string avg len.......: 1005 chars
+~~ json string max len.......: 1701 chars
+~~ json string avg len.......: 1006 chars
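Review bot: The regenerated summary for KakaoTalk_chat.pcap pins 4758429 bytes over 100202 allocations, where the previous fixture had 2111802 bytes over 36006 for the same 38 flows, and nothing in the visible lines explains the jump. Allocated and freed totals still match, so this is not a leak, but the per-flow allocation cost has more than doubled in a daemon that parses untrusted traffic. This presumably comes from the libnDPI submodule change listed in the diffstat; that should be confirmed and recorded in the commit message, for example `test results: allocation counters grew with the libnDPI update (<reason>)`. Without that record, a later real regression in these counters is hard to tell apart from expected growth.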
diff --git a/test/results/KakaoTalk_talk.pcap.out b/test/results/KakaoTalk_talk.pcap.out
index 573f43b05..45e12f306 100644
--- a/test/results/KakaoTalk_talk.pcap.out
+++ b/test/results/KakaoTalk_talk.pcap.out
@@ -17,14 +17,14 @@
00481{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":19,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_last_seen":1430069161833,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":76,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":76,"pkt_l4_len":40,"ts_msec":1430069161833,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAADzUv0AAPwaqgwoYUrzLzZPXvWkAUI8S6Z4AAAAAoAI2sOBNAAACBAV4BAIICgALPk8AAAAAAQMDBw=="}
00559{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":22,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":1,"flow_first_seen":1430069161865,"flow_last_seen":1430069161865,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1430069161865,"l3_proto":"ip4","src_ip":"216.58.220.161","dst_ip":"10.24.82.188","src_port":443,"dst_port":56697,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
00454{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":22,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_last_seen":1430069161865,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":56,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":56,"pkt_l4_len":20,"ts_msec":1430069161865,"pkt":"AAACEgAAAAAAAAAAAAAIAEUAACioy0AAjgYyVNg63KEKGFK8Abvded6D6B\/TTMkUUBSjubgsAAA="}
-00807{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":25,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":8,"flow_first_seen":1430069159456,"flow_last_seen":1430069161892,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":609,"flow_tot_l4_payload_len":609,"flow_avg_l4_payload_len":76,"midstream":0,"ts_msec":1430069161892,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"203.205.147.215","src_port":48489,"dst_port":80,"l4_proto":"tcp","ndpi": {"proto":"HTTP.QQ","breed":"Fun","category":"Chat"},"http": {"hostname":"hkminorshort.weixin.qq.com","url":"hkminorshort.weixin.qq.comhttp:\/\/hkminorshort.weixin.qq.com\/cgi-bin\/micromsg-bin\/rtkvreport","code":0,"content_type":"","user_agent":"MicroMessenger Client"}}
-00896{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":28,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":11,"flow_first_seen":1430069159456,"flow_last_seen":1430069163198,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":609,"flow_tot_l4_payload_len":815,"flow_avg_l4_payload_len":74,"midstream":0,"ts_msec":1430069163198,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"203.205.147.215","src_port":48489,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"4":"Binary application transfer"},"proto":"HTTP.QQ","breed":"Fun","category":"Download"},"http": {"hostname":"hkminorshort.weixin.qq.com","url":"hkminorshort.weixin.qq.comhttp:\/\/hkminorshort.weixin.qq.com\/cgi-bin\/micromsg-bin\/rtkvreport","code":200,"content_type":"application\/octet-stream","user_agent":"MicroMessenger Client"}}
+00781{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":25,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":8,"flow_first_seen":1430069159456,"flow_last_seen":1430069161892,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":609,"flow_tot_l4_payload_len":609,"flow_avg_l4_payload_len":76,"midstream":0,"ts_msec":1430069161892,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"203.205.147.215","src_port":48489,"dst_port":80,"l4_proto":"tcp","ndpi": {"proto":"HTTP.QQ","breed":"Fun","category":"Chat"},"http": {"hostname":"hkminorshort.weixin.qq.com","url":"http:\/\/hkminorshort.weixin.qq.com\/cgi-bin\/micromsg-bin\/rtkvreport","code":0,"content_type":"","user_agent":"MicroMessenger Client"}}
+00870{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":28,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":11,"flow_first_seen":1430069159456,"flow_last_seen":1430069163198,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":609,"flow_tot_l4_payload_len":815,"flow_avg_l4_payload_len":74,"midstream":0,"ts_msec":1430069163198,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"203.205.147.215","src_port":48489,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"4":"Binary application transfer"},"proto":"HTTP.QQ","breed":"Fun","category":"Download"},"http": {"hostname":"hkminorshort.weixin.qq.com","url":"http:\/\/hkminorshort.weixin.qq.com\/cgi-bin\/micromsg-bin\/rtkvreport","code":200,"content_type":"application\/octet-stream","user_agent":"MicroMessenger Client"}}
00559{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":33,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":1,"flow_first_seen":1430069163715,"flow_last_seen":1430069163715,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1430069163715,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"110.76.143.50","src_port":32968,"dst_port":8080,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
00481{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":33,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":1,"flow_last_seen":1430069163715,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":76,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":76,"pkt_l4_len":40,"ts_msec":1430069163715,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAADzn5UAAPwb5gwoYUrxuTI8ygMgfkPcR2OkAAAAAoAI5CAV2AAACBAV4BAIICgALPwwAAAAAAQMDBw=="}
00481{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":34,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":2,"flow_last_seen":1430069163856,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":76,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":76,"pkt_l4_len":40,"ts_msec":1430069163856,"pkt":"AAACEgAAAAAAAAAAAAAIAEUAADwAAEAALgbyaW5MjzIKGFK8H5CAyJJ42pD3EdjqoBI4kOpNAAACBAV4BAIICkTbaagACz8MAQMDCQ=="}
00470{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":35,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":3,"flow_last_seen":1430069163867,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"ts_msec":1430069163867,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAADTn5kAAPwb5igoYUrxuTI8ygMgfkPcR2OqSeNqRgBAAc1DtAAABAQgKAAs\/HETbaag="}
00850{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":36,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":4,"flow_first_seen":1430069163715,"flow_last_seen":1430069163878,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":142,"flow_tot_l4_payload_len":142,"flow_avg_l4_payload_len":35,"midstream":0,"ts_msec":1430069163878,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"110.76.143.50","src_port":32968,"dst_port":8080,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"4b79ae67eb3b2cf1c75e68ea0100ca1b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
-01141{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":38,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":6,"flow_first_seen":1430069163715,"flow_last_seen":1430069164107,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":852,"flow_tot_l4_payload_len":994,"flow_avg_l4_payload_len":165,"midstream":0,"ts_msec":1430069164107,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"110.76.143.50","src_port":32968,"dst_port":8080,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","6":"Self-signed Certificate","7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.KakaoTalk","breed":"Acceptable","category":"Chat"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"4b79ae67eb3b2cf1c75e68ea0100ca1b","ja3s":"4ea82b75038dd27e8a1cb69d8b839b26","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","issuerDN":"C=KR, L=Seoul, O=Kakao, CN=Kakao.com","issuerDN":"C=KR, L=Seoul, O=Kakao, CN=Kakao.com","fingerprint":"65:88:37:51:01:AA:1F:12:E4:44:27:52:F9:32:FD:40:94:C1:08:D9"}}
+01142{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":38,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":6,"flow_first_seen":1430069163715,"flow_last_seen":1430069164107,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":852,"flow_tot_l4_payload_len":994,"flow_avg_l4_payload_len":165,"midstream":0,"ts_msec":1430069164107,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"110.76.143.50","src_port":32968,"dst_port":8080,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","6":"Self-signed Certificate","7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.KakaoTalk","breed":"Acceptable","category":"Chat"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"4b79ae67eb3b2cf1c75e68ea0100ca1b","ja3s":"4ea82b75038dd27e8a1cb69d8b839b26","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","issuerDN":"C=KR, L=Seoul, O=Kakao, CN=Kakao.com","subjectDN":"C=KR, L=Seoul, O=Kakao, CN=Kakao.com","fingerprint":"65:88:37:51:01:AA:1F:12:E4:44:27:52:F9:32:FD:40:94:C1:08:D9"}}
00566{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":46,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":1,"flow_first_seen":1430069164656,"flow_last_seen":1430069164656,"flow_idle_time":7440000,"flow_min_l4_payload_len":442,"flow_max_l4_payload_len":442,"flow_tot_l4_payload_len":442,"flow_avg_l4_payload_len":442,"midstream":1,"ts_msec":1430069164656,"l3_proto":"ip4","src_ip":"139.150.0.125","dst_ip":"10.24.82.188","src_port":443,"dst_port":46947,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
01053{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":46,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":1,"flow_last_seen":1430069164656,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":498,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":498,"pkt_l4_len":462,"ts_msec":1430069164656,"pkt":"AAACEgAAAAAAAAAAAAAIAEUAAeIKLkAAjgb4AIuWAH0KGFK8Abu3Y2Ij1H9RKASKUBifhj2IAAC2AQAA7+nGaLVdqRc+Gkt7POZ3izYarM8cfC\/oKc57w3ON8GY\/K1szNYS+6Yytrgv9fJ110+svPWy4JXfqhqsy8n\/Qi0EhBo8vKa7TtIo39CMQrfI1DyAke3OCHinKUbcE7JofE08wNW\/SYiLVq+ch1jInTJlBtTETD6sakW5t+\/pqslJuJu6FErHiOcJlRXUhJ\/w2UMRtIuPzDgq66Pu7iQ4cPuLk01HGBYGyY\/ec8L+8kz8C0iE6HOIH6YT0BKGthN3UTgwPbBq6O4DQcUiN2hgrUDIxq8uw9ZbWllzKNEYrEa8k7r3ZVHoPDQdXWrcQvhxam6oeYyK7V8McoNRiSIayjOQMTgXnysBnscEyik7me1vByK2C0l2He7bBFWQmrSmeZXMFh2H60fcsxZbAlEWK0siSqlB7jvAlTaG4udBSGXSTj4rEL2MZLSGqP2XF68ncz4+WzMi\/pNklQw9YyvrinQJFb3QOjkMePALF9ilvEQ+wMia1\/U8MBwJo9G9KKjVSCXjRCZRheUcgsdenusXElIUwOqnMT+7rwPfeomV3b9fbsOdbRa7VkQEi4icvvEwgda+Sg6Qy"}
00453{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":47,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":2,"flow_last_seen":1430069164657,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":56,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":56,"pkt_l4_len":20,"ts_msec":1430069164657,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAACjTg0AAQAZ+ZQoYUryLlgB9t2MBu1EoBIpiI9Y5UBCiGOkBAAA="}
@@ -34,7 +34,7 @@
00482{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":54,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":2,"flow_last_seen":1430069165114,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":76,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":76,"pkt_l4_len":40,"ts_msec":1430069165114,"pkt":"AAACEgAAAAAAAAAAAAAIAEUAADwAAEAALgbyaW5MjzIKGFK8Iynl6dfwna4taY2roBI4kADPAAACBAV4BAIICkTbbpQAAsc\/AQMDCQ=="}
00469{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":55,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":3,"flow_last_seen":1430069165115,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"ts_msec":1430069165115,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAADRKlkAAQAaV2woYUrxuTI8y5ekjKS1pjavX8J2vgBABtlp5AAABAQgKAALHTkTbbpQ="}
00850{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":56,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":4,"flow_first_seen":1430069164966,"flow_last_seen":1430069165129,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":142,"flow_tot_l4_payload_len":142,"flow_avg_l4_payload_len":35,"midstream":0,"ts_msec":1430069165129,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"110.76.143.50","src_port":58857,"dst_port":9001,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"4b79ae67eb3b2cf1c75e68ea0100ca1b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
-01141{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":58,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":6,"flow_first_seen":1430069164966,"flow_last_seen":1430069165314,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":852,"flow_tot_l4_payload_len":994,"flow_avg_l4_payload_len":165,"midstream":0,"ts_msec":1430069165314,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"110.76.143.50","src_port":58857,"dst_port":9001,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","6":"Self-signed Certificate","7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.KakaoTalk","breed":"Acceptable","category":"Chat"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"4b79ae67eb3b2cf1c75e68ea0100ca1b","ja3s":"4ea82b75038dd27e8a1cb69d8b839b26","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","issuerDN":"C=KR, L=Seoul, O=Kakao, CN=Kakao.com","issuerDN":"C=KR, L=Seoul, O=Kakao, CN=Kakao.com","fingerprint":"65:88:37:51:01:AA:1F:12:E4:44:27:52:F9:32:FD:40:94:C1:08:D9"}}
+01142{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":58,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":6,"flow_first_seen":1430069164966,"flow_last_seen":1430069165314,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":852,"flow_tot_l4_payload_len":994,"flow_avg_l4_payload_len":165,"midstream":0,"ts_msec":1430069165314,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"110.76.143.50","src_port":58857,"dst_port":9001,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","6":"Self-signed Certificate","7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.KakaoTalk","breed":"Acceptable","category":"Chat"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"4b79ae67eb3b2cf1c75e68ea0100ca1b","ja3s":"4ea82b75038dd27e8a1cb69d8b839b26","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","issuerDN":"C=KR, L=Seoul, O=Kakao, CN=Kakao.com","subjectDN":"C=KR, L=Seoul, O=Kakao, CN=Kakao.com","fingerprint":"65:88:37:51:01:AA:1F:12:E4:44:27:52:F9:32:FD:40:94:C1:08:D9"}}
00564{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":65,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":9,"flow_packets_processed":1,"flow_first_seen":1430069170090,"flow_last_seen":1430069170090,"flow_idle_time":7440000,"flow_min_l4_payload_len":96,"flow_max_l4_payload_len":96,"flow_tot_l4_payload_len":96,"flow_avg_l4_payload_len":96,"midstream":1,"ts_msec":1430069170090,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"173.194.72.188","src_port":34686,"dst_port":5228,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
00600{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":65,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":1,"flow_last_seen":1430069170090,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":164,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":164,"pkt_l4_len":128,"ts_msec":1430069170090,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAAJSUaEAAQAZSqQoYUrytwki8h34UbGWkOWcyCtXvgBgB1zgmAAABAQgKAALJQHWhBxYXAwEAW9BJTUK7bhQDJS6M4k2xveYn3KZ2THpi3b2p1WnyM44nZ0651+YzJehbLb+jV4nNEd4GZbKLQU+P8abQYninXFhPSKcNuFppnDwsImxNyj3HrOvurwOWRZpYp3o="}
00562{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":75,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":10,"flow_packets_processed":1,"flow_first_seen":1430069170892,"flow_last_seen":1430069170892,"flow_idle_time":180000,"flow_min_l4_payload_len":78,"flow_max_l4_payload_len":78,"flow_tot_l4_payload_len":78,"flow_avg_l4_payload_len":78,"midstream":0,"ts_msec":1430069170892,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"1.201.1.174","src_port":11321,"dst_port":23045,"l4_proto":"udp","flow_datalink":113,"flow_max_packets":3}
@@ -86,13 +86,13 @@
00599{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":3203,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":18,"flow_packets_processed":2,"flow_first_seen":1430069211505,"flow_last_seen":1430069211505,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1430069216559,"l3_proto":"ip4","src_ip":"173.252.88.128","dst_ip":"10.24.82.188","src_port":443,"dst_port":59912,"l4_proto":"tcp","ndpi": {"proto":"TLS.Facebook","breed":"Fun","category":"SocialNetwork"}}
00562{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":3203,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":18,"flow_packets_processed":2,"flow_first_seen":1430069211505,"flow_last_seen":1430069211505,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1430069216559,"l3_proto":"ip4","src_ip":"173.252.88.128","dst_ip":"10.24.82.188","src_port":443,"dst_port":59912,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
00570{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":3203,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":19,"flow_packets_processed":29,"flow_first_seen":1430069211639,"flow_last_seen":1430069213599,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":679,"flow_tot_l4_payload_len":2372,"flow_avg_l4_payload_len":81,"midstream":0,"ts_msec":1430069216559,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"173.252.88.128","src_port":59954,"dst_port":443,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
-00594{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":3203,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":4,"flow_first_seen":1430069141923,"flow_last_seen":1430069142383,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":89,"flow_tot_l4_payload_len":124,"flow_avg_l4_payload_len":31,"midstream":1,"ts_msec":1430069216559,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"54.255.185.236","src_port":58916,"dst_port":5222,"l4_proto":"tcp","ndpi": {"proto":"Amazon","breed":"Acceptable","category":"Web"}}
+00599{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":3203,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":4,"flow_first_seen":1430069141923,"flow_last_seen":1430069142383,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":89,"flow_tot_l4_payload_len":124,"flow_avg_l4_payload_len":31,"midstream":1,"ts_msec":1430069216559,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"54.255.185.236","src_port":58916,"dst_port":5222,"l4_proto":"tcp","ndpi": {"proto":"AmazonAWS","breed":"Acceptable","category":"Cloud"}}
00567{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":3203,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":4,"flow_first_seen":1430069141923,"flow_last_seen":1430069142383,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":89,"flow_tot_l4_payload_len":124,"flow_avg_l4_payload_len":31,"midstream":1,"ts_msec":1430069216559,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"54.255.185.236","src_port":58916,"dst_port":5222,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
00598{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":3203,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":15,"flow_packets_processed":1,"flow_first_seen":1430069193291,"flow_last_seen":1430069193291,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1430069216559,"l3_proto":"ip4","src_ip":"173.252.122.1","dst_ip":"10.24.82.188","src_port":443,"dst_port":52123,"l4_proto":"tcp","ndpi": {"proto":"TLS.Facebook","breed":"Fun","category":"SocialNetwork"}}
00561{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":3203,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":15,"flow_packets_processed":1,"flow_first_seen":1430069193291,"flow_last_seen":1430069193291,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1430069216559,"l3_proto":"ip4","src_ip":"173.252.122.1","dst_ip":"10.24.82.188","src_port":443,"dst_port":52123,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
-00595{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":3203,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":1,"flow_first_seen":1430069161865,"flow_last_seen":1430069161865,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1430069216559,"l3_proto":"ip4","src_ip":"216.58.220.161","dst_ip":"10.24.82.188","src_port":443,"dst_port":56697,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"}}
+00593{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":3203,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":1,"flow_first_seen":1430069161865,"flow_last_seen":1430069161865,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1430069216559,"l3_proto":"ip4","src_ip":"216.58.220.161","dst_ip":"10.24.82.188","src_port":443,"dst_port":56697,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Web"}}
00561{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":3203,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":1,"flow_first_seen":1430069161865,"flow_last_seen":1430069161865,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1430069216559,"l3_proto":"ip4","src_ip":"216.58.220.161","dst_ip":"10.24.82.188","src_port":443,"dst_port":56697,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
-00597{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":3203,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":17,"flow_packets_processed":1,"flow_first_seen":1430069210863,"flow_last_seen":1430069210863,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1430069216559,"l3_proto":"ip4","src_ip":"173.194.117.229","dst_ip":"10.24.82.188","src_port":443,"dst_port":38380,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"}}
+00595{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":3203,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":17,"flow_packets_processed":1,"flow_first_seen":1430069210863,"flow_last_seen":1430069210863,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1430069216559,"l3_proto":"ip4","src_ip":"173.194.117.229","dst_ip":"10.24.82.188","src_port":443,"dst_port":38380,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Web"}}
00563{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":3203,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":17,"flow_packets_processed":1,"flow_first_seen":1430069210863,"flow_last_seen":1430069210863,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1430069216559,"l3_proto":"ip4","src_ip":"173.194.117.229","dst_ip":"10.24.82.188","src_port":443,"dst_port":38380,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
00573{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":3203,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":13,"flow_packets_processed":1488,"flow_first_seen":1430069171389,"flow_last_seen":1430069216410,"flow_idle_time":180000,"flow_min_l4_payload_len":55,"flow_max_l4_payload_len":192,"flow_tot_l4_payload_len":133038,"flow_avg_l4_payload_len":89,"midstream":0,"ts_msec":1430069216559,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"1.201.1.174","src_port":10268,"dst_port":23046,"l4_proto":"udp","flow_datalink":113,"flow_max_packets":3}
00569{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":3203,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":11,"flow_packets_processed":22,"flow_first_seen":1430069170975,"flow_last_seen":1430069216076,"flow_idle_time":180000,"flow_min_l4_payload_len":78,"flow_max_l4_payload_len":106,"flow_tot_l4_payload_len":2144,"flow_avg_l4_payload_len":97,"midstream":0,"ts_msec":1430069216559,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"1.201.1.174","src_port":10269,"dst_port":23047,"l4_proto":"udp","flow_datalink":113,"flow_max_packets":3}
@@ -100,12 +100,12 @@
00596{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":3203,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":5,"flow_first_seen":1430069141261,"flow_last_seen":1430069141741,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1430069216559,"l3_proto":"ip4","src_ip":"120.28.26.242","dst_ip":"10.24.82.188","src_port":80,"dst_port":34533,"l4_proto":"tcp","ndpi": {"proto":"HTTP","breed":"Acceptable","category":"Web"},"http": {}}
00559{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":3203,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":5,"flow_first_seen":1430069141261,"flow_last_seen":1430069141741,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1430069216559,"l3_proto":"ip4","src_ip":"120.28.26.242","dst_ip":"10.24.82.188","src_port":80,"dst_port":34533,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
00570{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":3203,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":45,"flow_first_seen":1430069163715,"flow_last_seen":1430069216555,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":852,"flow_tot_l4_payload_len":7008,"flow_avg_l4_payload_len":155,"midstream":0,"ts_msec":1430069216559,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"110.76.143.50","src_port":32968,"dst_port":8080,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
-00600{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":3203,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":1,"flow_first_seen":1430069180329,"flow_last_seen":1430069180329,"flow_idle_time":7440000,"flow_min_l4_payload_len":27,"flow_max_l4_payload_len":27,"flow_tot_l4_payload_len":27,"flow_avg_l4_payload_len":27,"midstream":1,"ts_msec":1430069216559,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"216.58.220.174","src_port":49217,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"}}
+00598{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":3203,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":1,"flow_first_seen":1430069180329,"flow_last_seen":1430069180329,"flow_idle_time":7440000,"flow_min_l4_payload_len":27,"flow_max_l4_payload_len":27,"flow_tot_l4_payload_len":27,"flow_avg_l4_payload_len":27,"midstream":1,"ts_msec":1430069216559,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"216.58.220.174","src_port":49217,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Web"}}
00567{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":3203,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":1,"flow_first_seen":1430069180329,"flow_last_seen":1430069180329,"flow_idle_time":7440000,"flow_min_l4_payload_len":27,"flow_max_l4_payload_len":27,"flow_tot_l4_payload_len":27,"flow_avg_l4_payload_len":27,"midstream":1,"ts_msec":1430069216559,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"216.58.220.174","src_port":49217,"dst_port":443,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
00600{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":3203,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":11,"flow_first_seen":1430069140120,"flow_last_seen":1430069164894,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":436,"flow_tot_l4_payload_len":740,"flow_avg_l4_payload_len":67,"midstream":1,"ts_msec":1430069216559,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"103.246.57.251","src_port":51021,"dst_port":8080,"l4_proto":"tcp","ndpi": {"proto":"HTTP_Proxy","breed":"Acceptable","category":"Web"}}
00569{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":3203,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":11,"flow_first_seen":1430069140120,"flow_last_seen":1430069164894,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":436,"flow_tot_l4_payload_len":740,"flow_avg_l4_payload_len":67,"midstream":1,"ts_msec":1430069216559,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"103.246.57.251","src_port":51021,"dst_port":8080,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
00570{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":3203,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":40,"flow_first_seen":1430069164966,"flow_last_seen":1430069216555,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":852,"flow_tot_l4_payload_len":7778,"flow_avg_l4_payload_len":194,"midstream":0,"ts_msec":1430069216559,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"110.76.143.50","src_port":58857,"dst_port":9001,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
-00600{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":3203,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":9,"flow_packets_processed":1,"flow_first_seen":1430069170090,"flow_last_seen":1430069170090,"flow_idle_time":7440000,"flow_min_l4_payload_len":96,"flow_max_l4_payload_len":96,"flow_tot_l4_payload_len":96,"flow_avg_l4_payload_len":96,"midstream":1,"ts_msec":1430069216559,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"173.194.72.188","src_port":34686,"dst_port":5228,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"}}
+00598{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":3203,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":9,"flow_packets_processed":1,"flow_first_seen":1430069170090,"flow_last_seen":1430069170090,"flow_idle_time":7440000,"flow_min_l4_payload_len":96,"flow_max_l4_payload_len":96,"flow_tot_l4_payload_len":96,"flow_avg_l4_payload_len":96,"midstream":1,"ts_msec":1430069216559,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"173.194.72.188","src_port":34686,"dst_port":5228,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Web"}}
00567{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":3203,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":9,"flow_packets_processed":1,"flow_first_seen":1430069170090,"flow_last_seen":1430069170090,"flow_idle_time":7440000,"flow_min_l4_payload_len":96,"flow_max_l4_payload_len":96,"flow_tot_l4_payload_len":96,"flow_avg_l4_payload_len":96,"midstream":1,"ts_msec":1430069216559,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"173.194.72.188","src_port":34686,"dst_port":5228,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
00562{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":3203,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":20,"flow_packets_processed":2,"flow_first_seen":1430069211640,"flow_last_seen":1430069211843,"flow_idle_time":180000,"flow_min_l4_payload_len":35,"flow_max_l4_payload_len":74,"flow_tot_l4_payload_len":109,"flow_avg_l4_payload_len":54,"midstream":0,"ts_msec":1430069216559,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"10.188.1.1","src_port":25223,"dst_port":53,"l4_proto":"udp","flow_datalink":113,"flow_max_packets":3}
00573{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":3203,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":12,"flow_packets_processed":1503,"flow_first_seen":1430069171118,"flow_last_seen":1430069216536,"flow_idle_time":180000,"flow_min_l4_payload_len":55,"flow_max_l4_payload_len":192,"flow_tot_l4_payload_len":134109,"flow_avg_l4_payload_len":89,"midstream":0,"ts_msec":1430069216559,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"1.201.1.174","src_port":11320,"dst_port":23044,"l4_proto":"udp","flow_datalink":113,"flow_max_packets":3}
@@ -121,10 +121,10 @@
~~ total active/idle flows...: 20/20
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 2078642 bytes
-~~ total memory freed........: 2078642 bytes
-~~ total allocations/frees...: 38616/38616
+~~ total memory allocated....: 4732926 bytes
+~~ total memory freed........: 4732926 bytes
+~~ total allocations/frees...: 102813/102813
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 171 chars
-~~ json string max len.......: 1146 chars
-~~ json string avg len.......: 728 chars
+~~ json string max len.......: 1147 chars
+~~ json string avg len.......: 729 chars
diff --git a/test/results/NTPv2.pcap.out b/test/results/NTPv2.pcap.out
index f874b09e2..f9562868d 100644
--- a/test/results/NTPv2.pcap.out
+++ b/test/results/NTPv2.pcap.out
@@ -1,7 +1,7 @@
00439{"daemon_event_id":1,"daemon_event_name":"init","thread_id":0,"packet_id":0,"source":"NTPv2.pcap","alias":"nDPId-test","max-flows-per-thread":2048,"max-idle-flows-per-thread":256,"tick-resolution":1000,"reader-thread-count":1,"flow-scan-interval":10000,"generic-max-idle-time":600000,"icmp-max-idle-time":120000,"udp-max-idle-time":180000,"tcp-max-idle-time":7560000,"max-packets-per-flow-to-send":3,"max-packets-per-flow-to-process":255}
00548{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1,"source":"NTPv2.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1436865383632,"flow_last_seen":1436865383632,"flow_idle_time":180000,"flow_min_l4_payload_len":368,"flow_max_l4_payload_len":368,"flow_tot_l4_payload_len":368,"flow_avg_l4_payload_len":368,"midstream":0,"ts_msec":1436865383632,"l3_proto":"ip4","src_ip":"208.104.95.10","dst_ip":"78.46.76.2","src_port":123,"dst_port":80,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00917{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"NTPv2.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_last_seen":1436865383632,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":410,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":410,"pkt_l4_len":376,"ts_msec":1436865383632,"pkt":"RIpbLCrSACaIdf8bCABFAAGMHS4AADERoZDQaF8KTi5MAgB7AFABeH6Xlw4DKgAFAEgAAAAAAAAQOgAAAAAAAAGISO9ZbawQDGUAAAABDAIHAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAQZwAAAAAAAADHQLufDawQDGUAAAABuxwHAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQxAAAAAAAAAa6UEgp0qwQDGUAAAABKtoHAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ2AAAAAAAAAWzX1q4C6wQDGUAAAABAFAHAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ2wAAAAAAAAWRR3um9qwQDGUAAAABAFAHAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="}
-00579{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"NTPv2.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1436865383632,"flow_last_seen":1436865383632,"flow_idle_time":180000,"flow_min_l4_payload_len":368,"flow_max_l4_payload_len":368,"flow_tot_l4_payload_len":368,"flow_avg_l4_payload_len":368,"midstream":0,"ts_msec":1436865383632,"l3_proto":"ip4","src_ip":"208.104.95.10","dst_ip":"78.46.76.2","src_port":123,"dst_port":80,"l4_proto":"udp","ndpi": {"proto":"NTP","breed":"Acceptable","category":"System"}}
+00619{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"NTPv2.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1436865383632,"flow_last_seen":1436865383632,"flow_idle_time":180000,"flow_min_l4_payload_len":368,"flow_max_l4_payload_len":368,"flow_tot_l4_payload_len":368,"flow_avg_l4_payload_len":368,"midstream":0,"ts_msec":1436865383632,"l3_proto":"ip4","src_ip":"208.104.95.10","dst_ip":"78.46.76.2","src_port":123,"dst_port":80,"l4_proto":"udp","ndpi": {"proto":"NTP","breed":"Acceptable","category":"System"},"ntp": {"request_code":42,"version":42}}
00549{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1,"source":"NTPv2.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1436865383632,"flow_last_seen":1436865383632,"flow_idle_time":180000,"flow_min_l4_payload_len":368,"flow_max_l4_payload_len":368,"flow_tot_l4_payload_len":368,"flow_avg_l4_payload_len":368,"midstream":0,"ts_msec":1436865383632,"l3_proto":"ip4","src_ip":"208.104.95.10","dst_ip":"78.46.76.2","src_port":123,"dst_port":80,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00152{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":1,"source":"NTPv2.pcap","alias":"nDPId-test","total-events-serialized":6}
~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
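Review bot: The new expected line for flow 1 pins `"ntp": {"request_code":42,"version":42}`, but 42 cannot be a real NTP version because the field is 3 bits wide. The first payload byte in this capture's `pkt` value decodes to 0x97, which is version 2, mode 7. The NTPv3 and NTPv4 baselines in this commit pin `"version":0`, although their payloads start with 0x1c (version 3) and 0x23 (version 4). The serializer probably reads the version from the wrong member or before it is set; that code is outside these hunks, so this is inferred from the output alone. I would fix the source and regenerate so this line reads `"ntp": {"request_code":42,"version":2}`, since consumers that alert on mode-7 monitor-list requests depend on these fields and a wrong baseline would mask later regressions.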
@@ -12,9 +12,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1928153 bytes
-~~ total memory freed........: 1928153 bytes
-~~ total allocations/frees...: 35339/35339
+~~ total memory allocated....: 4590468 bytes
+~~ total memory freed........: 4590468 bytes
+~~ total allocations/frees...: 99535/99535
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 157 chars
~~ json string max len.......: 922 chars
diff --git a/test/results/NTPv3.pcap.out b/test/results/NTPv3.pcap.out
index 41bf5e10a..b488cf099 100644
--- a/test/results/NTPv3.pcap.out
+++ b/test/results/NTPv3.pcap.out
@@ -1,7 +1,7 @@
00439{"daemon_event_id":1,"daemon_event_name":"init","thread_id":0,"packet_id":0,"source":"NTPv3.pcap","alias":"nDPId-test","max-flows-per-thread":2048,"max-idle-flows-per-thread":256,"tick-resolution":1000,"reader-thread-count":1,"flow-scan-interval":10000,"generic-max-idle-time":600000,"icmp-max-idle-time":120000,"udp-max-idle-time":180000,"tcp-max-idle-time":7560000,"max-packets-per-flow-to-send":3,"max-packets-per-flow-to-process":255}
00545{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1,"source":"NTPv3.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1436865405371,"flow_last_seen":1436865405371,"flow_idle_time":180000,"flow_min_l4_payload_len":48,"flow_max_l4_payload_len":48,"flow_tot_l4_payload_len":48,"flow_avg_l4_payload_len":48,"midstream":0,"ts_msec":1436865405371,"l3_proto":"ip4","src_ip":"175.144.140.29","dst_ip":"78.46.76.2","src_port":123,"dst_port":80,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00486{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"NTPv3.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_last_seen":1436865405371,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":90,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":90,"pkt_l4_len":56,"ts_msec":1436865405371,"pkt":"RIpbLCrSACaIdf8bCABFAABMAABAADcRbcOvkIwdTi5MAgB7AFAAOLcYHAAE+gAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADZT08RAAAAANlPTxEAAAAA"}
-00576{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"NTPv3.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1436865405371,"flow_last_seen":1436865405371,"flow_idle_time":180000,"flow_min_l4_payload_len":48,"flow_max_l4_payload_len":48,"flow_tot_l4_payload_len":48,"flow_avg_l4_payload_len":48,"midstream":0,"ts_msec":1436865405371,"l3_proto":"ip4","src_ip":"175.144.140.29","dst_ip":"78.46.76.2","src_port":123,"dst_port":80,"l4_proto":"udp","ndpi": {"proto":"NTP","breed":"Acceptable","category":"System"}}
+00614{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"NTPv3.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1436865405371,"flow_last_seen":1436865405371,"flow_idle_time":180000,"flow_min_l4_payload_len":48,"flow_max_l4_payload_len":48,"flow_tot_l4_payload_len":48,"flow_avg_l4_payload_len":48,"midstream":0,"ts_msec":1436865405371,"l3_proto":"ip4","src_ip":"175.144.140.29","dst_ip":"78.46.76.2","src_port":123,"dst_port":80,"l4_proto":"udp","ndpi": {"proto":"NTP","breed":"Acceptable","category":"System"},"ntp": {"request_code":0,"version":0}}
00546{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1,"source":"NTPv3.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1436865405371,"flow_last_seen":1436865405371,"flow_idle_time":180000,"flow_min_l4_payload_len":48,"flow_max_l4_payload_len":48,"flow_tot_l4_payload_len":48,"flow_avg_l4_payload_len":48,"midstream":0,"ts_msec":1436865405371,"l3_proto":"ip4","src_ip":"175.144.140.29","dst_ip":"78.46.76.2","src_port":123,"dst_port":80,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00152{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":1,"source":"NTPv3.pcap","alias":"nDPId-test","total-events-serialized":6}
~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
@@ -12,10 +12,10 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1928153 bytes
-~~ total memory freed........: 1928153 bytes
-~~ total allocations/frees...: 35339/35339
+~~ total memory allocated....: 4590468 bytes
+~~ total memory freed........: 4590468 bytes
+~~ total allocations/frees...: 99535/99535
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 157 chars
-~~ json string max len.......: 581 chars
-~~ json string avg len.......: 430 chars
+~~ json string max len.......: 619 chars
+~~ json string avg len.......: 446 chars
diff --git a/test/results/NTPv4.pcap.out b/test/results/NTPv4.pcap.out
index 77ebde97b..ce093d534 100644
--- a/test/results/NTPv4.pcap.out
+++ b/test/results/NTPv4.pcap.out
@@ -1,7 +1,7 @@
00439{"daemon_event_id":1,"daemon_event_name":"init","thread_id":0,"packet_id":0,"source":"NTPv4.pcap","alias":"nDPId-test","max-flows-per-thread":2048,"max-idle-flows-per-thread":256,"tick-resolution":1000,"reader-thread-count":1,"flow-scan-interval":10000,"generic-max-idle-time":600000,"icmp-max-idle-time":120000,"udp-max-idle-time":180000,"tcp-max-idle-time":7560000,"max-packets-per-flow-to-send":3,"max-packets-per-flow-to-process":255}
00545{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1,"source":"NTPv4.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1436865396190,"flow_last_seen":1436865396190,"flow_idle_time":180000,"flow_min_l4_payload_len":48,"flow_max_l4_payload_len":48,"flow_tot_l4_payload_len":48,"flow_avg_l4_payload_len":48,"midstream":0,"ts_msec":1436865396190,"l3_proto":"ip4","src_ip":"85.22.62.120","dst_ip":"78.46.76.11","src_port":123,"dst_port":123,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00486{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"NTPv4.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_last_seen":1436865396190,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":90,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":90,"pkt_l4_len":56,"ts_msec":1436865396190,"pkt":"RIpb2HMEACaIdf8bCABFAABMrX9AADcRaFpVFj54Ti5MCwB7AHsAOKmfIwIH6wAABFAAAAOrg7wD39lPUcMxZbhg2URXVTAzb9DZRFdVMbTpeNlPUfQtJuL0"}
-00576{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"NTPv4.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1436865396190,"flow_last_seen":1436865396190,"flow_idle_time":180000,"flow_min_l4_payload_len":48,"flow_max_l4_payload_len":48,"flow_tot_l4_payload_len":48,"flow_avg_l4_payload_len":48,"midstream":0,"ts_msec":1436865396190,"l3_proto":"ip4","src_ip":"85.22.62.120","dst_ip":"78.46.76.11","src_port":123,"dst_port":123,"l4_proto":"udp","ndpi": {"proto":"NTP","breed":"Acceptable","category":"System"}}
+00614{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"NTPv4.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1436865396190,"flow_last_seen":1436865396190,"flow_idle_time":180000,"flow_min_l4_payload_len":48,"flow_max_l4_payload_len":48,"flow_tot_l4_payload_len":48,"flow_avg_l4_payload_len":48,"midstream":0,"ts_msec":1436865396190,"l3_proto":"ip4","src_ip":"85.22.62.120","dst_ip":"78.46.76.11","src_port":123,"dst_port":123,"l4_proto":"udp","ndpi": {"proto":"NTP","breed":"Acceptable","category":"System"},"ntp": {"request_code":0,"version":0}}
00546{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1,"source":"NTPv4.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1436865396190,"flow_last_seen":1436865396190,"flow_idle_time":180000,"flow_min_l4_payload_len":48,"flow_max_l4_payload_len":48,"flow_tot_l4_payload_len":48,"flow_avg_l4_payload_len":48,"midstream":0,"ts_msec":1436865396190,"l3_proto":"ip4","src_ip":"85.22.62.120","dst_ip":"78.46.76.11","src_port":123,"dst_port":123,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00152{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":1,"source":"NTPv4.pcap","alias":"nDPId-test","total-events-serialized":6}
~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
@@ -12,10 +12,10 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1928153 bytes
-~~ total memory freed........: 1928153 bytes
-~~ total allocations/frees...: 35339/35339
+~~ total memory allocated....: 4590468 bytes
+~~ total memory freed........: 4590468 bytes
+~~ total allocations/frees...: 99535/99535
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 157 chars
-~~ json string max len.......: 581 chars
-~~ json string avg len.......: 430 chars
+~~ json string max len.......: 619 chars
+~~ json string avg len.......: 446 chars
diff --git a/test/results/Oscar.pcap.out b/test/results/Oscar.pcap.out
index 68d2a23d8..c8da7733d 100644
--- a/test/results/Oscar.pcap.out
+++ b/test/results/Oscar.pcap.out
@@ -14,9 +14,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1963065 bytes
-~~ total memory freed........: 1963065 bytes
-~~ total allocations/frees...: 35420/35420
+~~ total memory allocated....: 4625380 bytes
+~~ total memory freed........: 4625380 bytes
+~~ total allocations/frees...: 99616/99616
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 158 chars
~~ json string max len.......: 580 chars
diff --git a/test/results/WebattackRCE.pcap.out b/test/results/WebattackRCE.pcap.out
index b0cb99373..5abc00fde 100644
--- a/test/results/WebattackRCE.pcap.out
+++ b/test/results/WebattackRCE.pcap.out
@@ -3196,9 +3196,9 @@
~~ total active/idle flows...: 797/797
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 3318845 bytes
-~~ total memory freed........: 3318845 bytes
-~~ total allocations/frees...: 40108/40108
+~~ total memory allocated....: 5652236 bytes
+~~ total memory freed........: 5652236 bytes
+~~ total allocations/frees...: 105019/105019
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 169 chars
~~ json string max len.......: 1256 chars
diff --git a/test/results/WebattackSQLinj.pcap.out b/test/results/WebattackSQLinj.pcap.out
index 1b3f32cc3..9ddb304f0 100644
--- a/test/results/WebattackSQLinj.pcap.out
+++ b/test/results/WebattackSQLinj.pcap.out
@@ -62,9 +62,9 @@
~~ total active/idle flows...: 9/9
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1945389 bytes
-~~ total memory freed........: 1945389 bytes
-~~ total allocations/frees...: 35483/35483
+~~ total memory allocated....: 4604429 bytes
+~~ total memory freed........: 4604429 bytes
+~~ total allocations/frees...: 99688/99688
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 169 chars
~~ json string max len.......: 942 chars
diff --git a/test/results/WebattackXSS.pcap.out b/test/results/WebattackXSS.pcap.out
index ad90ea0f0..99faefbaa 100644
--- a/test/results/WebattackXSS.pcap.out
+++ b/test/results/WebattackXSS.pcap.out
@@ -3974,9 +3974,9 @@
~~ total active/idle flows...: 661/661
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 3270480 bytes
-~~ total memory freed........: 3270480 bytes
-~~ total allocations/frees...: 46758/46758
+~~ total memory allocated....: 5653241 bytes
+~~ total memory freed........: 5653241 bytes
+~~ total allocations/frees...: 110976/110976
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 170 chars
~~ json string max len.......: 990 chars
diff --git a/test/results/aimini-http.pcap.out b/test/results/aimini-http.pcap.out
index 5a88375a2..444a0aa68 100644
--- a/test/results/aimini-http.pcap.out
+++ b/test/results/aimini-http.pcap.out
@@ -32,9 +32,9 @@
~~ total active/idle flows...: 4/4
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1937521 bytes
-~~ total memory freed........: 1937521 bytes
-~~ total allocations/frees...: 35488/35488
+~~ total memory allocated....: 4598596 bytes
+~~ total memory freed........: 4598596 bytes
+~~ total allocations/frees...: 99688/99688
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 166 chars
~~ json string max len.......: 912 chars
diff --git a/test/results/ajp.pcap.out b/test/results/ajp.pcap.out
index cf6641fb4..460151fec 100644
--- a/test/results/ajp.pcap.out
+++ b/test/results/ajp.pcap.out
@@ -84,9 +84,9 @@
~~ total active/idle flows...: 0/0
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1926508 bytes
-~~ total memory freed........: 1926508 bytes
-~~ total allocations/frees...: 35335/35335
+~~ total memory allocated....: 4589247 bytes
+~~ total memory freed........: 4589247 bytes
+~~ total allocations/frees...: 99531/99531
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 149 chars
~~ json string max len.......: 1501 chars
diff --git a/test/results/alexa-app.pcapng.out b/test/results/alexa-app.pcapng.out
index 8483c888b..d125010d1 100644
--- a/test/results/alexa-app.pcapng.out
+++ b/test/results/alexa-app.pcapng.out
@@ -13,11 +13,11 @@
00498{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_last_seen":1490976022741,"flow_idle_time":120000,"pkt_oversize":false,"pkt_caplen":90,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":62,"pkt_len":90,"pkt_l4_len":28,"ts_msec":1490976022741,"pkt":"MzMAAAAWePiC0\/vCht1gAAAAACQAAQAAAAAAAAAAAAAAAAAAAAD\/AgAAAAAAAAAAAAAAAAAWOgAFAgAAAQCPAHL0AAAAAQQAAAD\/AgAAAAAAAAAAAAH\/0\/vC"}
00552{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":7,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":3,"flow_packets_processed":1,"flow_first_seen":1490976023264,"flow_last_seen":1490976023264,"flow_idle_time":180000,"flow_min_l4_payload_len":315,"flow_max_l4_payload_len":315,"flow_tot_l4_payload_len":315,"flow_avg_l4_payload_len":315,"midstream":0,"ts_msec":1490976023264,"l3_proto":"ip4","src_ip":"0.0.0.0","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00867{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":7,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_last_seen":1490976023264,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":357,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":357,"pkt_l4_len":323,"ts_msec":1490976023264,"pkt":"\/\/\/\/\/\/\/\/ePiC0\/vCCABFAAFX84EAAEARhhUAAAAA\/\/\/\/\/wBEAEMBQ5j9AQEGAHxtfzEAAAAAAAAAAAAAAAAAAAAAAAAAAHj4gtP7wgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABjglNjNQEDPQcBePiC0\/vCMgSsECrYOQIF3DwMZGhjcGNkLTUuNS42DBhhbmRyb2lkLTFjMTMzNWVjOTVhMjczMTg3CgEhAwYPGhwzOjv\/"}
-00629{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":7,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":3,"flow_packets_processed":1,"flow_first_seen":1490976023264,"flow_last_seen":1490976023264,"flow_idle_time":180000,"flow_min_l4_payload_len":315,"flow_max_l4_payload_len":315,"flow_tot_l4_payload_len":315,"flow_avg_l4_payload_len":315,"midstream":0,"ts_msec":1490976023264,"l3_proto":"ip4","src_ip":"0.0.0.0","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","ndpi": {"proto":"DHCP","breed":"Acceptable","category":"Network"},"dhcp": {"fingerprint":"1,33,3,6,15,26,28"}}
+00696{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":7,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":3,"flow_packets_processed":1,"flow_first_seen":1490976023264,"flow_last_seen":1490976023264,"flow_idle_time":180000,"flow_min_l4_payload_len":315,"flow_max_l4_payload_len":315,"flow_tot_l4_payload_len":315,"flow_avg_l4_payload_len":315,"midstream":0,"ts_msec":1490976023264,"l3_proto":"ip4","src_ip":"0.0.0.0","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","ndpi": {"proto":"DHCP","breed":"Acceptable","category":"Network"},"dhcp": {"hostname":"android-1c1335ec95a27318","fingerprint":"1,33,3,6,15,26,28","class_ident":"dhcpcd-5.5.6"}}
00867{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":8,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_last_seen":1490976023264,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":357,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":357,"pkt_l4_len":323,"ts_msec":1490976023264,"pkt":"\/\/\/\/\/\/\/\/ePiC0\/vCCABFAAFX84EAAEARhhUAAAAA\/\/\/\/\/wBEAEMBQ5j9AQEGAHxtfzEAAAAAAAAAAAAAAAAAAAAAAAAAAHj4gtP7wgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABjglNjNQEDPQcBePiC0\/vCMgSsECrYOQIF3DwMZGhjcGNkLTUuNS42DBhhbmRyb2lkLTFjMTMzNWVjOTVhMjczMTg3CgEhAwYPGhwzOjv\/"}
00554{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":9,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":4,"flow_packets_processed":1,"flow_first_seen":1490976023267,"flow_last_seen":1490976023267,"flow_idle_time":180000,"flow_min_l4_payload_len":300,"flow_max_l4_payload_len":300,"flow_tot_l4_payload_len":300,"flow_avg_l4_payload_len":300,"midstream":0,"ts_msec":1490976023267,"l3_proto":"ip4","src_ip":"172.16.42.1","dst_ip":"172.16.42.216","src_port":67,"dst_port":68,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00838{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":4,"flow_packet_id":1,"flow_last_seen":1490976023267,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":342,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":342,"pkt_l4_len":308,"ts_msec":1490976023267,"pkt":"ePiC0\/vCAMDKkaPvCABFAAFIz1MAAEAR\/VesECoBrBAq2ABDAEQBNCIdAgEGAHxtfzEAAAAAAAAAAKwQKtisECoBAAAAAHj4gtP7wgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABjglNjNQEFNgSsECoBMwQAAKjAOgQAAFRgOwQAAJOoAQT\/\/\/8AHASsECr\/AwSsECoBBgSsECoBDwNsYW7\/AAAA"}
-00614{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":9,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":4,"flow_packets_processed":1,"flow_first_seen":1490976023267,"flow_last_seen":1490976023267,"flow_idle_time":180000,"flow_min_l4_payload_len":300,"flow_max_l4_payload_len":300,"flow_tot_l4_payload_len":300,"flow_avg_l4_payload_len":300,"midstream":0,"ts_msec":1490976023267,"l3_proto":"ip4","src_ip":"172.16.42.1","dst_ip":"172.16.42.216","src_port":67,"dst_port":68,"l4_proto":"udp","ndpi": {"proto":"DHCP","breed":"Acceptable","category":"Network"},"dhcp": {"fingerprint":""}}
+00645{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":9,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":4,"flow_packets_processed":1,"flow_first_seen":1490976023267,"flow_last_seen":1490976023267,"flow_idle_time":180000,"flow_min_l4_payload_len":300,"flow_max_l4_payload_len":300,"flow_tot_l4_payload_len":300,"flow_avg_l4_payload_len":300,"midstream":0,"ts_msec":1490976023267,"l3_proto":"ip4","src_ip":"172.16.42.1","dst_ip":"172.16.42.216","src_port":67,"dst_port":68,"l4_proto":"udp","ndpi": {"proto":"DHCP","breed":"Acceptable","category":"Network"},"dhcp": {"hostname":"","fingerprint":"","class_ident":""}}
00533{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":10,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":5,"flow_packets_processed":1,"flow_first_seen":1490976023731,"flow_last_seen":1490976023731,"flow_idle_time":120000,"flow_min_l4_payload_len":16,"flow_max_l4_payload_len":16,"flow_tot_l4_payload_len":16,"flow_avg_l4_payload_len":16,"midstream":0,"ts_msec":1490976023731,"l3_proto":"ip6","src_ip":"fe80::7af8:82ff:fed3:fbc2","dst_ip":"ff02::2","l4_proto":"icmp6","flow_datalink":1,"flow_max_packets":3}
00476{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":10,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_last_seen":1490976023731,"flow_idle_time":120000,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":70,"pkt_l4_len":16,"ts_msec":1490976023731,"pkt":"MzMAAAACePiC0\/vCht1gAAAAABA6\/\/6AAAAAAAAAeviC\/\/7T+8L\/AgAAAAAAAAAAAAAAAAAChQCMEAAAAAABAXj4gtP7wg=="}
00568{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":10,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":5,"flow_packets_processed":1,"flow_first_seen":1490976023731,"flow_last_seen":1490976023731,"flow_idle_time":120000,"flow_min_l4_payload_len":16,"flow_max_l4_payload_len":16,"flow_tot_l4_payload_len":16,"flow_avg_l4_payload_len":16,"midstream":0,"ts_msec":1490976023731,"l3_proto":"ip6","src_ip":"fe80::7af8:82ff:fed3:fbc2","dst_ip":"ff02::2","l4_proto":"icmp6","ndpi": {"proto":"ICMPV6","breed":"Acceptable","category":"Network"}}
@@ -36,15 +36,15 @@
00479{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":19,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":8,"flow_packet_id":1,"flow_last_seen":1490976024857,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1490976024857,"pkt":"AMDKkaPvePiC0\/vCCABFAAA8rxxAAEAG\/k+sECrYrNkJjutWAFC1gOcZAAAAAKAC\/\/\/pcgAAAgQFtAQCCAoA9kgFAAAAAAEDAwg="}
00475{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":20,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":8,"flow_packet_id":2,"flow_last_seen":1490976024894,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1490976024894,"pkt":"ePiC0\/vCAMDKkVoBCABFAAA8rv4AADQGSm6s2QmOrBAq2ABQ61bhGRrktYDnGqASpajwtAAAAgQFZAQCCApVvgGZAPZIBQEDAwc="}
00464{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":21,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":8,"flow_packet_id":3,"flow_last_seen":1490976024896,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1490976024896,"pkt":"AMDKkaPvePiC0\/vCCABFAAA0rx1AAEAG\/lasECrYrNkJjutWAFC1gOca4Rka5YAQAVfDfgAAAQEICgD2SAlVvgGZ"}
-00812{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":22,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":8,"flow_packets_processed":4,"flow_first_seen":1490976024857,"flow_last_seen":1490976024899,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":188,"flow_tot_l4_payload_len":188,"flow_avg_l4_payload_len":47,"midstream":0,"ts_msec":1490976024899,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.217.9.142","src_port":60246,"dst_port":80,"l4_proto":"tcp","ndpi": {"proto":"HTTP.Google","breed":"Tracker\/Ads","category":"ConnCheck"},"http": {"hostname":"connectivitycheck.android.com","url":"connectivitycheck.android.com\/generate_204","code":0,"content_type":"","user_agent":"Dalvik\/2.1.0 (Linux; U; Android 5.1.1; LGLS751 Build\/LMY47V)"}}
+00810{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":22,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":8,"flow_packets_processed":4,"flow_first_seen":1490976024857,"flow_last_seen":1490976024899,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":188,"flow_tot_l4_payload_len":188,"flow_avg_l4_payload_len":47,"midstream":0,"ts_msec":1490976024899,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.217.9.142","src_port":60246,"dst_port":80,"l4_proto":"tcp","ndpi": {"proto":"HTTP.Google","breed":"Acceptable","category":"ConnCheck"},"http": {"hostname":"connectivitycheck.android.com","url":"connectivitycheck.android.com\/generate_204","code":0,"content_type":"","user_agent":"Dalvik\/2.1.0 (Linux; U; Android 5.1.1; LGLS751 Build\/LMY47V)"}}
00554{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":26,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":9,"flow_packets_processed":1,"flow_first_seen":1490976027514,"flow_last_seen":1490976027514,"flow_idle_time":180000,"flow_min_l4_payload_len":34,"flow_max_l4_payload_len":34,"flow_tot_l4_payload_len":34,"flow_avg_l4_payload_len":34,"midstream":0,"ts_msec":1490976027514,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":53188,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00479{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":26,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":9,"flow_packet_id":1,"flow_last_seen":1490976027514,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":76,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":76,"pkt_l4_len":42,"ts_msec":1490976027514,"pkt":"AMDKkaPvePiC0\/vCCABFAAA+WktAAEARM2qsECrYrBAqAc\/EADUAKrjvz8MBAAABAAAAAAAABW10YWxrBmdvb2dsZQNjb20AAAEAAQ=="}
00729{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":26,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":9,"flow_packets_processed":1,"flow_first_seen":1490976027514,"flow_last_seen":1490976027514,"flow_idle_time":180000,"flow_min_l4_payload_len":34,"flow_max_l4_payload_len":34,"flow_tot_l4_payload_len":34,"flow_avg_l4_payload_len":34,"midstream":0,"ts_msec":1490976027514,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":53188,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.GoogleServices","breed":"Acceptable","category":"Web"},"dns": {"query":"mtalk.google.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
00555{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":27,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":10,"flow_packets_processed":1,"flow_first_seen":1490976027522,"flow_last_seen":1490976027522,"flow_idle_time":180000,"flow_min_l4_payload_len":32,"flow_max_l4_payload_len":32,"flow_tot_l4_payload_len":32,"flow_avg_l4_payload_len":32,"midstream":0,"ts_msec":1490976027522,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":52603,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00475{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":27,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":10,"flow_packet_id":1,"flow_last_seen":1490976027522,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1490976027522,"pkt":"AMDKkaPvePiC0\/vCCABFAAA8WkxAAEARM2usECrYrBAqAc17ADUAKKL+U00BAAABAAAAAAAAA3d3dwZnb29nbGUDY29tAAABAAE="}
-00722{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":27,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":10,"flow_packets_processed":1,"flow_first_seen":1490976027522,"flow_last_seen":1490976027522,"flow_idle_time":180000,"flow_min_l4_payload_len":32,"flow_max_l4_payload_len":32,"flow_tot_l4_payload_len":32,"flow_avg_l4_payload_len":32,"midstream":0,"ts_msec":1490976027522,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":52603,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Tracker\/Ads","category":"Web"},"dns": {"query":"www.google.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
+00720{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":27,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":10,"flow_packets_processed":1,"flow_first_seen":1490976027522,"flow_last_seen":1490976027522,"flow_idle_time":180000,"flow_min_l4_payload_len":32,"flow_max_l4_payload_len":32,"flow_tot_l4_payload_len":32,"flow_avg_l4_payload_len":32,"midstream":0,"ts_msec":1490976027522,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":52603,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Acceptable","category":"Web"},"dns": {"query":"www.google.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
00495{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":28,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":10,"flow_packet_id":2,"flow_last_seen":1490976027523,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":90,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":90,"pkt_l4_len":56,"ts_msec":1490976027523,"pkt":"ePiC0\/vCAMDKkaPvCABFAABM0NFAAEARvNWsECoBrBAq2AA1zXsAOK5EU02BgAABAAEAAAAAA3d3dwZnb29nbGUDY29tAAABAAHADAABAAEAAAEGAATYOtrE"}
-00737{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":28,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":10,"flow_packets_processed":2,"flow_first_seen":1490976027522,"flow_last_seen":1490976027523,"flow_idle_time":180000,"flow_min_l4_payload_len":32,"flow_max_l4_payload_len":48,"flow_tot_l4_payload_len":80,"flow_avg_l4_payload_len":40,"midstream":0,"ts_msec":1490976027523,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":52603,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Tracker\/Ads","category":"Web"},"dns": {"query":"www.google.com","num_queries":1,"num_answers":1,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"216.58.218.196"}}
+00735{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":28,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":10,"flow_packets_processed":2,"flow_first_seen":1490976027522,"flow_last_seen":1490976027523,"flow_idle_time":180000,"flow_min_l4_payload_len":32,"flow_max_l4_payload_len":48,"flow_tot_l4_payload_len":80,"flow_avg_l4_payload_len":40,"midstream":0,"ts_msec":1490976027523,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":52603,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Acceptable","category":"Web"},"dns": {"query":"www.google.com","num_queries":1,"num_answers":1,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"216.58.218.196"}}
00540{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":29,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":9,"flow_packet_id":2,"flow_last_seen":1490976027560,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":121,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":121,"pkt_l4_len":87,"ts_msec":1490976027560,"pkt":"ePiC0\/vCAMDKkaPvCABFAABr0NVAAEARvLKsECoBrBAq2AA1z8QAV0oUz8OBgAABAAIAAAAABW10YWxrBmdvb2dsZQNjb20AAAEAAcAMAAUAAQABUX8AEQxtb2JpbGUtZ3RhbGsBbMASwC4AAQABAAABKwAErcLfvA=="}
00746{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":29,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":9,"flow_packets_processed":2,"flow_first_seen":1490976027514,"flow_last_seen":1490976027560,"flow_idle_time":180000,"flow_min_l4_payload_len":34,"flow_max_l4_payload_len":79,"flow_tot_l4_payload_len":113,"flow_avg_l4_payload_len":56,"midstream":0,"ts_msec":1490976027560,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":53188,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.GoogleServices","breed":"Acceptable","category":"Web"},"dns": {"query":"mtalk.google.com","num_queries":1,"num_answers":2,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"173.194.223.188"}}
00558{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":30,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":11,"flow_packets_processed":1,"flow_first_seen":1490976027567,"flow_last_seen":1490976027567,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1490976027567,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"173.194.223.188","src_port":42878,"dst_port":5228,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -55,18 +55,18 @@
00950{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":35,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":11,"flow_packets_processed":6,"flow_first_seen":1490976027567,"flow_last_seen":1490976027674,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":656,"flow_avg_l4_payload_len":109,"midstream":0,"ts_msec":1490976027674,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"173.194.223.188","src_port":42878,"dst_port":5228,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.GoogleServices","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mtalk.google.com","ja3":"a5a59633017c3d696d2c69350e5fc004","ja3s":"9b1466fd60cadccb848e09c86e284265","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"}}
00555{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":38,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":12,"flow_packets_processed":1,"flow_first_seen":1490976027724,"flow_last_seen":1490976027724,"flow_idle_time":180000,"flow_min_l4_payload_len":32,"flow_max_l4_payload_len":32,"flow_tot_l4_payload_len":32,"flow_avg_l4_payload_len":32,"midstream":0,"ts_msec":1490976027724,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":10462,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00475{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":38,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":12,"flow_packet_id":1,"flow_last_seen":1490976027724,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1490976027724,"pkt":"AMDKkaPvePiC0\/vCCABFAAA8Wk1AAEARM2qsECrYrBAqASjeADUAKB2sfT0BAAABAAAAAAAAA3d3dwZnb29nbGUDY29tAAABAAE="}
-00722{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":38,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":12,"flow_packets_processed":1,"flow_first_seen":1490976027724,"flow_last_seen":1490976027724,"flow_idle_time":180000,"flow_min_l4_payload_len":32,"flow_max_l4_payload_len":32,"flow_tot_l4_payload_len":32,"flow_avg_l4_payload_len":32,"midstream":0,"ts_msec":1490976027724,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":10462,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Tracker\/Ads","category":"Web"},"dns": {"query":"www.google.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
+00720{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":38,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":12,"flow_packets_processed":1,"flow_first_seen":1490976027724,"flow_last_seen":1490976027724,"flow_idle_time":180000,"flow_min_l4_payload_len":32,"flow_max_l4_payload_len":32,"flow_tot_l4_payload_len":32,"flow_avg_l4_payload_len":32,"midstream":0,"ts_msec":1490976027724,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":10462,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Acceptable","category":"Web"},"dns": {"query":"www.google.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
00495{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":39,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":12,"flow_packet_id":2,"flow_last_seen":1490976027725,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":90,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":90,"pkt_l4_len":56,"ts_msec":1490976027725,"pkt":"ePiC0\/vCAMDKkaPvCABFAABM0NhAAEARvM6sECoBrBAq2AA1KN4AOCjyfT2BgAABAAEAAAAAA3d3dwZnb29nbGUDY29tAAABAAHADAABAAEAAAEGAATYOtrE"}
-00737{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":39,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":12,"flow_packets_processed":2,"flow_first_seen":1490976027724,"flow_last_seen":1490976027725,"flow_idle_time":180000,"flow_min_l4_payload_len":32,"flow_max_l4_payload_len":48,"flow_tot_l4_payload_len":80,"flow_avg_l4_payload_len":40,"midstream":0,"ts_msec":1490976027725,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":10462,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Tracker\/Ads","category":"Web"},"dns": {"query":"www.google.com","num_queries":1,"num_answers":1,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"216.58.218.196"}}
+00735{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":39,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":12,"flow_packets_processed":2,"flow_first_seen":1490976027724,"flow_last_seen":1490976027725,"flow_idle_time":180000,"flow_min_l4_payload_len":32,"flow_max_l4_payload_len":48,"flow_tot_l4_payload_len":80,"flow_avg_l4_payload_len":40,"midstream":0,"ts_msec":1490976027725,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":10462,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Acceptable","category":"Web"},"dns": {"query":"www.google.com","num_queries":1,"num_answers":1,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"216.58.218.196"}}
00554{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":40,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":13,"flow_packets_processed":1,"flow_first_seen":1490976027733,"flow_last_seen":1490976027733,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1490976027733,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.217.9.142","src_port":35540,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00478{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":40,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":13,"flow_packet_id":1,"flow_last_seen":1490976027733,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1490976027733,"pkt":"AMDKkaPvePiC0\/vCCABFAAA8c0BAAEAGOiysECrYrNkJjorUAFAegTplAAAAAKAC\/\/+MiQAAAgQFtAQCCAoA9kklAAAAAAEDAwg="}
00476{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":41,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":5,"flow_packet_id":3,"flow_last_seen":1490976027741,"flow_idle_time":120000,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":70,"pkt_l4_len":16,"ts_msec":1490976027741,"pkt":"MzMAAAACePiC0\/vCht1gAAAAABA6\/\/6AAAAAAAAAeviC\/\/7T+8L\/AgAAAAAAAAAAAAAAAAAChQCMEAAAAAABAXj4gtP7wg=="}
00476{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":43,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":13,"flow_packet_id":2,"flow_last_seen":1490976027776,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1490976027776,"pkt":"ePiC0\/vCAMDKkVoBCABFAAA8g+MAADQGdYms2QmOrBAq2ABQitTVYWKuHoE6ZqASpahLiwAAAgQFZAQCCApVvw3GAPZJJQEDAwc="}
00464{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":44,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":13,"flow_packet_id":3,"flow_last_seen":1490976027777,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1490976027777,"pkt":"AMDKkaPvePiC0\/vCCABFAAA0c0FAAEAGOjOsECrYrNkJjorUAFAegTpm1WFir4AQAVceVQAAAQEICgD2SSlVvw3G"}
-00813{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":45,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":13,"flow_packets_processed":4,"flow_first_seen":1490976027733,"flow_last_seen":1490976027780,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":188,"flow_tot_l4_payload_len":188,"flow_avg_l4_payload_len":47,"midstream":0,"ts_msec":1490976027780,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.217.9.142","src_port":35540,"dst_port":80,"l4_proto":"tcp","ndpi": {"proto":"HTTP.Google","breed":"Tracker\/Ads","category":"ConnCheck"},"http": {"hostname":"connectivitycheck.android.com","url":"connectivitycheck.android.com\/generate_204","code":0,"content_type":"","user_agent":"Dalvik\/2.1.0 (Linux; U; Android 5.1.1; LGLS751 Build\/LMY47V)"}}
+00811{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":45,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":13,"flow_packets_processed":4,"flow_first_seen":1490976027733,"flow_last_seen":1490976027780,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":188,"flow_tot_l4_payload_len":188,"flow_avg_l4_payload_len":47,"midstream":0,"ts_msec":1490976027780,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.217.9.142","src_port":35540,"dst_port":80,"l4_proto":"tcp","ndpi": {"proto":"HTTP.Google","breed":"Acceptable","category":"ConnCheck"},"http": {"hostname":"connectivitycheck.android.com","url":"connectivitycheck.android.com\/generate_204","code":0,"content_type":"","user_agent":"Dalvik\/2.1.0 (Linux; U; Android 5.1.1; LGLS751 Build\/LMY47V)"}}
00525{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":56,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":14,"flow_packets_processed":1,"flow_first_seen":1490976027958,"flow_last_seen":1490976027958,"flow_idle_time":120000,"flow_min_l4_payload_len":60,"flow_max_l4_payload_len":60,"flow_tot_l4_payload_len":60,"flow_avg_l4_payload_len":60,"midstream":0,"ts_msec":1490976027958,"l3_proto":"ip4","src_ip":"172.16.42.1","dst_ip":"172.16.42.216","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3}
00505{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":56,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":14,"flow_packet_id":1,"flow_last_seen":1490976027958,"flow_idle_time":120000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":94,"pkt_l4_len":60,"ts_msec":1490976027958,"pkt":"ePiC0\/vCAMDKkaPvCABFwABQaiwAAEABYsesECoBrBAq2AUBiVKsECoqRQAANNZ6QAA\/BgDirBAq2K3C37ynfhRsXkGjCY7hdlaAEAFbkZsAAAEBCAoA9kk7K\/xGxA=="}
-00558{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":56,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":14,"flow_packets_processed":1,"flow_first_seen":1490976027958,"flow_last_seen":1490976027958,"flow_idle_time":120000,"flow_min_l4_payload_len":60,"flow_max_l4_payload_len":60,"flow_tot_l4_payload_len":60,"flow_avg_l4_payload_len":60,"midstream":0,"ts_msec":1490976027958,"l3_proto":"ip4","src_ip":"172.16.42.1","dst_ip":"172.16.42.216","l4_proto":"icmp","ndpi": {"proto":"ICMP","breed":"Acceptable","category":"Network"}}
+00577{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":56,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":14,"flow_packets_processed":1,"flow_first_seen":1490976027958,"flow_last_seen":1490976027958,"flow_idle_time":120000,"flow_min_l4_payload_len":60,"flow_max_l4_payload_len":60,"flow_tot_l4_payload_len":60,"flow_avg_l4_payload_len":60,"midstream":0,"ts_msec":1490976027958,"l3_proto":"ip4","src_ip":"172.16.42.1","dst_ip":"172.16.42.216","l4_proto":"icmp","ndpi": {"proto":"ICMP","breed":"Acceptable","category":"Network"},"entropy":5.192626}
00555{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":62,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":15,"flow_packets_processed":1,"flow_first_seen":1490976029184,"flow_last_seen":1490976029184,"flow_idle_time":180000,"flow_min_l4_payload_len":32,"flow_max_l4_payload_len":32,"flow_tot_l4_payload_len":32,"flow_avg_l4_payload_len":32,"midstream":0,"ts_msec":1490976029184,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":48155,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00475{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":62,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":15,"flow_packet_id":1,"flow_last_seen":1490976029184,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1490976029184,"pkt":"AMDKkaPvePiC0\/vCCABFAAA8Wk5AAEARM2msECrYrBAqAbwbADUAKEUyqIoBAAABAAAAAAAAA3d3dwZhbWF6b24DY29tAAABAAE="}
00720{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":62,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":15,"flow_packets_processed":1,"flow_first_seen":1490976029184,"flow_last_seen":1490976029184,"flow_idle_time":180000,"flow_min_l4_payload_len":32,"flow_max_l4_payload_len":32,"flow_tot_l4_payload_len":32,"flow_avg_l4_payload_len":32,"midstream":0,"ts_msec":1490976029184,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":48155,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Amazon","breed":"Acceptable","category":"Web"},"dns": {"query":"www.amazon.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
@@ -78,7 +78,7 @@
00464{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":66,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":16,"flow_packet_id":3,"flow_last_seen":1490976029328,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1490976029328,"pkt":"AMDKkaPvePiC0\/vCCABFAAA0xDxAAEAGmYSsECrYNFXRxdfKAbvTso2Ii4QTE4AQAVcgZAAAAQEICgD2ScRtCebi"}
00832{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":67,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":16,"flow_packets_processed":4,"flow_first_seen":1490976029248,"flow_last_seen":1490976029341,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":221,"flow_tot_l4_payload_len":221,"flow_avg_l4_payload_len":55,"midstream":0,"ts_msec":1490976029341,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.197","src_port":55242,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.amazon.com","ja3":"bdf21e38e1f69776df407235625e75e2","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
00889{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":69,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":16,"flow_packets_processed":6,"flow_first_seen":1490976029248,"flow_last_seen":1490976029387,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":1669,"flow_avg_l4_payload_len":278,"midstream":0,"ts_msec":1490976029387,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.197","src_port":55242,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.amazon.com","ja3":"bdf21e38e1f69776df407235625e75e2","ja3s":"389ed42c02ebecc32e73aa31def07e14","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}
-01366{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":71,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":16,"flow_packets_processed":8,"flow_first_seen":1490976029248,"flow_last_seen":1490976029387,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":3691,"flow_avg_l4_payload_len":461,"midstream":0,"ts_msec":1490976029387,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.197","src_port":55242,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.amazon.com","server_names":"amazon.com,amzn.com,uedata.amazon.com,us.amazon.com,www.amazon.com,www.amzn.com,corporate.amazon.com,buybox.amazon.com,iphone.amazon.com,yp.amazon.com,home.amazon.com,origin-www.amazon.com","ja3":"bdf21e38e1f69776df407235625e75e2","ja3s":"389ed42c02ebecc32e73aa31def07e14","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","issuerDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=www.amazon.com","fingerprint":"EF:14:6C:F1:5C:4A:F8:4D:BA:83:C2:1E:6C:5B:ED:C4:FA:34:1C:3E"}}
+01367{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":71,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":16,"flow_packets_processed":8,"flow_first_seen":1490976029248,"flow_last_seen":1490976029387,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":3691,"flow_avg_l4_payload_len":461,"midstream":0,"ts_msec":1490976029387,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.197","src_port":55242,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.amazon.com","server_names":"amazon.com,amzn.com,uedata.amazon.com,us.amazon.com,www.amazon.com,www.amzn.com,corporate.amazon.com,buybox.amazon.com,iphone.amazon.com,yp.amazon.com,home.amazon.com,origin-www.amazon.com","ja3":"bdf21e38e1f69776df407235625e75e2","ja3s":"389ed42c02ebecc32e73aa31def07e14","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=www.amazon.com","fingerprint":"EF:14:6C:F1:5C:4A:F8:4D:BA:83:C2:1E:6C:5B:ED:C4:FA:34:1C:3E"}}
00555{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":79,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":17,"flow_packets_processed":1,"flow_first_seen":1490976029669,"flow_last_seen":1490976029669,"flow_idle_time":180000,"flow_min_l4_payload_len":42,"flow_max_l4_payload_len":42,"flow_tot_l4_payload_len":42,"flow_avg_l4_payload_len":42,"midstream":0,"ts_msec":1490976029669,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":19967,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00488{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":79,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":17,"flow_packet_id":1,"flow_last_seen":1490976029669,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":84,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":84,"pkt_l4_len":50,"ts_msec":1490976029669,"pkt":"AMDKkaPvePiC0\/vCCABFAABGWk9AAEARM16sECrYrBAqAU3\/ADUAMlRV5qsBAAABAAAAAAAABG1hZHMPYW1hem9uLWFkc3lzdGVtA2NvbQAAAQAB"}
00730{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":79,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":17,"flow_packets_processed":1,"flow_first_seen":1490976029669,"flow_last_seen":1490976029669,"flow_idle_time":180000,"flow_min_l4_payload_len":42,"flow_max_l4_payload_len":42,"flow_tot_l4_payload_len":42,"flow_avg_l4_payload_len":42,"midstream":0,"ts_msec":1490976029669,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":19967,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Amazon","breed":"Acceptable","category":"Web"},"dns": {"query":"mads.amazon-adsystem.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
@@ -90,7 +90,7 @@
00449{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":83,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":18,"flow_packet_id":3,"flow_last_seen":1490976029859,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1490976029859,"pkt":"AMDKkaPvePiC0\/vCCABFAAAoYetAAEAG5Z2sECrYNF7oAIMUAbsV\/ygGz06SC1AQAVeXBwAA"}
00840{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":84,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":18,"flow_packets_processed":4,"flow_first_seen":1490976029756,"flow_last_seen":1490976029862,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":231,"flow_tot_l4_payload_len":231,"flow_avg_l4_payload_len":57,"midstream":0,"ts_msec":1490976029862,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.0","src_port":33556,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mads.amazon-adsystem.com","ja3":"bdf21e38e1f69776df407235625e75e2","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
00897{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":88,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":18,"flow_packets_processed":7,"flow_first_seen":1490976029756,"flow_last_seen":1490976030031,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":1691,"flow_avg_l4_payload_len":241,"midstream":0,"ts_msec":1490976030031,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.0","src_port":33556,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mads.amazon-adsystem.com","ja3":"bdf21e38e1f69776df407235625e75e2","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}
-01227{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":90,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":18,"flow_packets_processed":9,"flow_first_seen":1490976029756,"flow_last_seen":1490976030031,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":3563,"flow_avg_l4_payload_len":395,"midstream":0,"ts_msec":1490976030031,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.0","src_port":33556,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mads.amazon-adsystem.com","server_names":"mads.amazon-adsystem.com,mads.amazon.com","ja3":"bdf21e38e1f69776df407235625e75e2","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","issuerDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=mads.amazon.com","fingerprint":"E0:2E:BD:D6:46:9B:05:03:93:CC:A7:28:7A:F4:57:9C:EB:40:8F:AB"}}
+01228{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":90,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":18,"flow_packets_processed":9,"flow_first_seen":1490976029756,"flow_last_seen":1490976030031,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":3563,"flow_avg_l4_payload_len":395,"midstream":0,"ts_msec":1490976030031,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.0","src_port":33556,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mads.amazon-adsystem.com","server_names":"mads.amazon-adsystem.com,mads.amazon.com","ja3":"bdf21e38e1f69776df407235625e75e2","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=mads.amazon.com","fingerprint":"E0:2E:BD:D6:46:9B:05:03:93:CC:A7:28:7A:F4:57:9C:EB:40:8F:AB"}}
00555{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":111,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":19,"flow_packets_processed":1,"flow_first_seen":1490976030681,"flow_last_seen":1490976030681,"flow_idle_time":180000,"flow_min_l4_payload_len":40,"flow_max_l4_payload_len":40,"flow_tot_l4_payload_len":40,"flow_avg_l4_payload_len":40,"midstream":0,"ts_msec":1490976030681,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":7358,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00489{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":111,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":19,"flow_packet_id":1,"flow_last_seen":1490976030681,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":82,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":82,"pkt_l4_len":48,"ts_msec":1490976030681,"pkt":"AMDKkaPvePiC0\/vCCABFAABEWlBAAEARM1+sECrYrBAqARy+ADUAMIK\/xAMBAAABAAAAAAAAC2ZpcnMtdGEtZzdnBmFtYXpvbgNjb20AAAEAAQ=="}
00728{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":111,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":19,"flow_packets_processed":1,"flow_first_seen":1490976030681,"flow_last_seen":1490976030681,"flow_idle_time":180000,"flow_min_l4_payload_len":40,"flow_max_l4_payload_len":40,"flow_tot_l4_payload_len":40,"flow_avg_l4_payload_len":40,"midstream":0,"ts_msec":1490976030681,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":7358,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Amazon","breed":"Acceptable","category":"Web"},"dns": {"query":"firs-ta-g7g.amazon.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
@@ -103,7 +103,7 @@
00449{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":119,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":20,"flow_packet_id":3,"flow_last_seen":1490976031103,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1490976031103,"pkt":"AMDKkaPvePiC0\/vCCABFAAAoJ7BAAEAG7o+sECrYNu8WudGyAbvyuG3Pw9jK21AQAVfHQgAA"}
00841{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":120,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":20,"flow_packets_processed":4,"flow_first_seen":1490976030894,"flow_last_seen":1490976031106,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":229,"flow_tot_l4_payload_len":229,"flow_avg_l4_payload_len":57,"midstream":0,"ts_msec":1490976031106,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.22.185","src_port":53682,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"firs-ta-g7g.amazon.com","ja3":"bdf21e38e1f69776df407235625e75e2","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
00898{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":123,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":20,"flow_packets_processed":7,"flow_first_seen":1490976030894,"flow_last_seen":1490976031185,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":1689,"flow_avg_l4_payload_len":241,"midstream":0,"ts_msec":1490976031185,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.22.185","src_port":53682,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"firs-ta-g7g.amazon.com","ja3":"bdf21e38e1f69776df407235625e75e2","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}
-01217{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":125,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":20,"flow_packets_processed":9,"flow_first_seen":1490976030894,"flow_last_seen":1490976031186,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":3549,"flow_avg_l4_payload_len":394,"midstream":0,"ts_msec":1490976031186,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.22.185","src_port":53682,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"firs-ta-g7g.amazon.com","server_names":"firs-ta-g7g.amazon.com","ja3":"bdf21e38e1f69776df407235625e75e2","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","issuerDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=firs-ta-g7g.amazon.com","fingerprint":"A0:32:45:00:21:A0:00:56:62:BA:FE:E7:68:81:40:5F:68:7E:A6:86"}}
+01218{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":125,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":20,"flow_packets_processed":9,"flow_first_seen":1490976030894,"flow_last_seen":1490976031186,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":3549,"flow_avg_l4_payload_len":394,"midstream":0,"ts_msec":1490976031186,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.22.185","src_port":53682,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"firs-ta-g7g.amazon.com","server_names":"firs-ta-g7g.amazon.com","ja3":"bdf21e38e1f69776df407235625e75e2","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=firs-ta-g7g.amazon.com","fingerprint":"A0:32:45:00:21:A0:00:56:62:BA:FE:E7:68:81:40:5F:68:7E:A6:86"}}
00556{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":136,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":21,"flow_packets_processed":1,"flow_first_seen":1490976031581,"flow_last_seen":1490976031581,"flow_idle_time":180000,"flow_min_l4_payload_len":34,"flow_max_l4_payload_len":34,"flow_tot_l4_payload_len":34,"flow_avg_l4_payload_len":34,"midstream":0,"ts_msec":1490976031581,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":41030,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00480{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":136,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":21,"flow_packet_id":1,"flow_last_seen":1490976031581,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":76,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":76,"pkt_l4_len":42,"ts_msec":1490976031581,"pkt":"AMDKkaPvePiC0\/vCCABFAAA+WlFAAEARM2SsECrYrBAqAaBGADUAKk94StwBAAABAAAAAAAABWFsZXhhBmFtYXpvbgNjb20AAAEAAQ=="}
00738{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":136,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":21,"flow_packets_processed":1,"flow_first_seen":1490976031581,"flow_last_seen":1490976031581,"flow_idle_time":180000,"flow_min_l4_payload_len":34,"flow_max_l4_payload_len":34,"flow_tot_l4_payload_len":34,"flow_avg_l4_payload_len":34,"midstream":0,"ts_msec":1490976031581,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":41030,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.AmazonAlexa","breed":"Acceptable","category":"VirtAssistant"},"dns": {"query":"alexa.amazon.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
@@ -120,22 +120,22 @@
00503{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":149,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":23,"flow_packet_id":2,"flow_last_seen":1490976032763,"flow_idle_time":120000,"pkt_oversize":false,"pkt_caplen":90,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":62,"pkt_len":90,"pkt_l4_len":28,"ts_msec":1490976032763,"pkt":"MzMAAAAWePiC0\/vCht1gAAAAACQAAf6AAAAAAAAAeviC\/\/7T+8L\/AgAAAAAAAAAAAAAAAAAWOgAFAgAAAQCPAHvkAAAAAQQAAAD\/AgAAAAAAAAAAAAH\/0\/vC"}
00556{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":154,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":24,"flow_packets_processed":1,"flow_first_seen":1490976035502,"flow_last_seen":1490976035502,"flow_idle_time":180000,"flow_min_l4_payload_len":58,"flow_max_l4_payload_len":58,"flow_tot_l4_payload_len":58,"flow_avg_l4_payload_len":58,"midstream":0,"ts_msec":1490976035502,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":23559,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00514{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":154,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":24,"flow_packet_id":1,"flow_last_seen":1490976035502,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":100,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":100,"pkt_l4_len":66,"ts_msec":1490976035502,"pkt":"AMDKkaPvePiC0\/vCCABFAABWWlJAAEARM0usECrYrBAqAVwHADUAQq4NgPsBAAABAAAAAAAAEGNvZ25pdG8taWRlbnRpdHkJdXMtZWFzdC0xCWFtYXpvbmF3cwNjb20AAAEAAQ=="}
-00747{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":154,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":24,"flow_packets_processed":1,"flow_first_seen":1490976035502,"flow_last_seen":1490976035502,"flow_idle_time":180000,"flow_min_l4_payload_len":58,"flow_max_l4_payload_len":58,"flow_tot_l4_payload_len":58,"flow_avg_l4_payload_len":58,"midstream":0,"ts_msec":1490976035502,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":23559,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Amazon","breed":"Acceptable","category":"Web"},"dns": {"query":"cognito-identity.us-east-1.amazonaws.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
+00752{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":154,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":24,"flow_packets_processed":1,"flow_first_seen":1490976035502,"flow_last_seen":1490976035502,"flow_idle_time":180000,"flow_min_l4_payload_len":58,"flow_max_l4_payload_len":58,"flow_tot_l4_payload_len":58,"flow_avg_l4_payload_len":58,"midstream":0,"ts_msec":1490976035502,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":23559,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"dns": {"query":"cognito-identity.us-east-1.amazonaws.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
00643{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":157,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":24,"flow_packet_id":2,"flow_last_seen":1490976035549,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":196,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":196,"pkt_l4_len":162,"ts_msec":1490976035549,"pkt":"ePiC0\/vCAMDKkaPvCABFAAC20jNAAEARuwmsECoBrBAq2AA1XAcAoid0gPuBgAABAAYAAAAAEGNvZ25pdG8taWRlbnRpdHkJdXMtZWFzdC0xCWFtYXpvbmF3cwNjb20AAAEAAcAMAAEAAQAAAAIABCLHNPDADAABAAEAAAACAAQ0AM87wAwAAQABAAAAAgAENBT4ysAMAAEAAQAAAAIABCLAPyvADAABAAEAAAACAAQ0ynf3wAwAAQABAAAAAgAENq23qQ=="}
-00764{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":157,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":24,"flow_packets_processed":2,"flow_first_seen":1490976035502,"flow_last_seen":1490976035549,"flow_idle_time":180000,"flow_min_l4_payload_len":58,"flow_max_l4_payload_len":154,"flow_tot_l4_payload_len":212,"flow_avg_l4_payload_len":106,"midstream":0,"ts_msec":1490976035549,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":23559,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Amazon","breed":"Acceptable","category":"Web"},"dns": {"query":"cognito-identity.us-east-1.amazonaws.com","num_queries":1,"num_answers":6,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"34.199.52.240"}}
+00769{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":157,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":24,"flow_packets_processed":2,"flow_first_seen":1490976035502,"flow_last_seen":1490976035549,"flow_idle_time":180000,"flow_min_l4_payload_len":58,"flow_max_l4_payload_len":154,"flow_tot_l4_payload_len":212,"flow_avg_l4_payload_len":106,"midstream":0,"ts_msec":1490976035549,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":23559,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"dns": {"query":"cognito-identity.us-east-1.amazonaws.com","num_queries":1,"num_answers":6,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"34.199.52.240"}}
00556{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":158,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":25,"flow_packets_processed":1,"flow_first_seen":1490976035553,"flow_last_seen":1490976035553,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1490976035553,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"34.199.52.240","src_port":38363,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00480{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":158,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":25,"flow_packet_id":1,"flow_last_seen":1490976035553,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1490976035553,"pkt":"AMDKkaPvePiC0\/vCCABFAAA8JIdAAEAG55WsECrYIsc08JXbAbv9XGi0AAAAAKAC\/\/\/OjgAAAgQFtAQCCAoA9kwzAAAAAAEDAwg="}
00478{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":159,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":25,"flow_packet_id":2,"flow_last_seen":1490976035610,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1490976035610,"pkt":"ePiC0\/vCAMDKkVoBCABFAAA8AABAAOsGYRwixzTwrBAq2AG7ldsM0X8G\/VxotaASaN9A1wAAAgQFtAQCCApEF1TYAPZMMwEDAwg="}
00466{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":160,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":25,"flow_packet_id":3,"flow_last_seen":1490976035612,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1490976035612,"pkt":"AMDKkaPvePiC0\/vCCABFAAA0JIhAAEAG55ysECrYIsc08JXbAbv9XGi1DNF\/B4AQAVfXJgAAAQEICgD2TDlEF1TY"}
-00825{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":161,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":25,"flow_packets_processed":4,"flow_first_seen":1490976035553,"flow_last_seen":1490976035616,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":228,"flow_tot_l4_payload_len":228,"flow_avg_l4_payload_len":57,"midstream":0,"ts_msec":1490976035616,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"34.199.52.240","src_port":38363,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"cognito-identity.us-east-1.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
-00882{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":163,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":25,"flow_packets_processed":6,"flow_first_seen":1490976035553,"flow_last_seen":1490976035733,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":1676,"flow_avg_l4_payload_len":279,"midstream":0,"ts_msec":1490976035733,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"34.199.52.240","src_port":38363,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"cognito-identity.us-east-1.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
-01268{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":165,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":25,"flow_packets_processed":8,"flow_first_seen":1490976035553,"flow_last_seen":1490976035733,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":3617,"flow_avg_l4_payload_len":452,"midstream":0,"ts_msec":1490976035733,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"34.199.52.240","src_port":38363,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"cognito-identity.us-east-1.amazonaws.com","server_names":"cognito-identity.amazonaws.com,cognito-identity.us-east-1.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","issuerDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=cognito-identity.us-east-1.amazonaws.com","alpn":"h2,http\/1.1","fingerprint":"56:17:8F:E9:45:10:32:78:FF:FD:E3:09:60:5A:B5:3B:8D:8C:F8:34"}}
+00830{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":161,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":25,"flow_packets_processed":4,"flow_first_seen":1490976035553,"flow_last_seen":1490976035616,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":228,"flow_tot_l4_payload_len":228,"flow_avg_l4_payload_len":57,"midstream":0,"ts_msec":1490976035616,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"34.199.52.240","src_port":38363,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"cognito-identity.us-east-1.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
+00887{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":163,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":25,"flow_packets_processed":6,"flow_first_seen":1490976035553,"flow_last_seen":1490976035733,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":1676,"flow_avg_l4_payload_len":279,"midstream":0,"ts_msec":1490976035733,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"34.199.52.240","src_port":38363,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"cognito-identity.us-east-1.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
+01274{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":165,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":25,"flow_packets_processed":8,"flow_first_seen":1490976035553,"flow_last_seen":1490976035733,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":3617,"flow_avg_l4_payload_len":452,"midstream":0,"ts_msec":1490976035733,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"34.199.52.240","src_port":38363,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"cognito-identity.us-east-1.amazonaws.com","server_names":"cognito-identity.amazonaws.com,cognito-identity.us-east-1.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=cognito-identity.us-east-1.amazonaws.com","alpn":"h2,http\/1.1","fingerprint":"56:17:8F:E9:45:10:32:78:FF:FD:E3:09:60:5A:B5:3B:8D:8C:F8:34"}}
00556{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":182,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":26,"flow_packets_processed":1,"flow_first_seen":1490976037754,"flow_last_seen":1490976037754,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1490976037754,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"34.199.52.240","src_port":38364,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00479{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":182,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":26,"flow_packet_id":1,"flow_last_seen":1490976037754,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1490976037754,"pkt":"AMDKkaPvePiC0\/vCCABFAAA8+KpAAEAGE3KsECrYIsc08JXcAbvRHbWkAAAAAKAC\/\/+tAQAAAgQFtAQCCAoA9k0OAAAAAAEDAwg="}
00477{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":183,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":26,"flow_packet_id":2,"flow_last_seen":1490976037803,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1490976037803,"pkt":"ePiC0\/vCAMDKkVoBCABFAAA8AABAAOoGYhwixzTwrBAq2AG7ldw4CtRs0R21paASaN+cagAAAgQFtAQCCApEF1cYAPZNDgEDAwg="}
00465{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":184,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":26,"flow_packet_id":3,"flow_last_seen":1490976037807,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1490976037807,"pkt":"AMDKkaPvePiC0\/vCCABFAAA0+KtAAEAGE3msECrYIsc08JXcAbvRHbWlOArUbYAQAVcyugAAAQEICgD2TRREF1cY"}
-00825{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":185,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":26,"flow_packets_processed":4,"flow_first_seen":1490976037754,"flow_last_seen":1490976037809,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":260,"flow_tot_l4_payload_len":260,"flow_avg_l4_payload_len":65,"midstream":0,"ts_msec":1490976037809,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"34.199.52.240","src_port":38364,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"cognito-identity.us-east-1.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
-00879{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":187,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":26,"flow_packets_processed":6,"flow_first_seen":1490976037754,"flow_last_seen":1490976037920,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":260,"flow_tot_l4_payload_len":405,"flow_avg_l4_payload_len":67,"midstream":0,"ts_msec":1490976037920,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"34.199.52.240","src_port":38364,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"cognito-identity.us-east-1.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
+00830{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":185,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":26,"flow_packets_processed":4,"flow_first_seen":1490976037754,"flow_last_seen":1490976037809,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":260,"flow_tot_l4_payload_len":260,"flow_avg_l4_payload_len":65,"midstream":0,"ts_msec":1490976037809,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"34.199.52.240","src_port":38364,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"cognito-identity.us-east-1.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
+00884{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":187,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":26,"flow_packets_processed":6,"flow_first_seen":1490976037754,"flow_last_seen":1490976037920,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":260,"flow_tot_l4_payload_len":405,"flow_avg_l4_payload_len":67,"midstream":0,"ts_msec":1490976037920,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"34.199.52.240","src_port":38364,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"cognito-identity.us-east-1.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
00556{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":195,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":27,"flow_packets_processed":1,"flow_first_seen":1490976041150,"flow_last_seen":1490976041150,"flow_idle_time":180000,"flow_min_l4_payload_len":37,"flow_max_l4_payload_len":37,"flow_tot_l4_payload_len":37,"flow_avg_l4_payload_len":37,"midstream":0,"ts_msec":1490976041150,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":54886,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00485{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":195,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":27,"flow_packet_id":1,"flow_last_seen":1490976041150,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":79,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":79,"pkt_l4_len":45,"ts_msec":1490976041150,"pkt":"AMDKkaPvePiC0\/vCCABFAABBWlNAAEARM1+sECrYrBAqAdZmADUALY4\/ocgBAAABAAAAAAAACHBpdGFuZ3VpBmFtYXpvbgNjb20AAAEAAQ=="}
00726{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":195,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":27,"flow_packets_processed":1,"flow_first_seen":1490976041150,"flow_last_seen":1490976041150,"flow_idle_time":180000,"flow_min_l4_payload_len":37,"flow_max_l4_payload_len":37,"flow_tot_l4_payload_len":37,"flow_avg_l4_payload_len":37,"midstream":0,"ts_msec":1490976041150,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":54886,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Amazon","breed":"Acceptable","category":"Web"},"dns": {"query":"pitangui.amazon.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
@@ -146,7 +146,7 @@
00462{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":198,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":28,"flow_packet_id":2,"flow_last_seen":1490976041212,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"ts_msec":1490976041212,"pkt":"ePiC0\/vCAMDKkVoBCABFAAAwBzRAAOcGmMY0XuiGrBAq2AG7sl2f4NcN4WEAFHASH\/5jwQAAAgQFtAEDAwY="}
00449{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":199,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":28,"flow_packet_id":3,"flow_last_seen":1490976041215,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1490976041215,"pkt":"AMDKkaPvePiC0\/vCCABFAAAoTnFAAEAG+JGsECrYNF7ohrJdAbvhYQAUn+DXDlAQAVeuMgAA"}
00804{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":200,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":28,"flow_packets_processed":4,"flow_first_seen":1490976041156,"flow_last_seen":1490976041217,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":207,"flow_tot_l4_payload_len":207,"flow_avg_l4_payload_len":51,"midstream":0,"ts_msec":1490976041217,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45661,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"pitangui.amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
-01495{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":203,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":28,"flow_packets_processed":7,"flow_first_seen":1490976041156,"flow_last_seen":1490976041279,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":3472,"flow_avg_l4_payload_len":496,"midstream":0,"ts_msec":1490976041279,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45661,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8":"Weak TLS cipher"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"pitangui.amazon.com","server_names":"pitangui.amazon.com,guipitan.amazon.com,alexa.amazon.com,echo.amazon.com,alexa.amazon.ca,guipitan.amazon.ca,alexa.amazon.co.jp,guipitan.amazon.co.jp,alexa.amazon.com.mx,guipitan.amazon.com.mx,alexa.amazon.com.br,guipitan.amazon.com.br,alexa.amazon.com.au,guipitan.amazon.com.au,alexa.amazon.cn,guipitan.amazon.cn","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"18e962e106761869a61045bed0e81c2c","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","issuerDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=pitangui.amazon.com","alpn":"h2,http\/1.1","fingerprint":"13:E9:3B:22:22:61:41:53:CA:B6:3A:AE:C8:B7:23:FB:A5:11:2F:24"}}
+01496{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":203,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":28,"flow_packets_processed":7,"flow_first_seen":1490976041156,"flow_last_seen":1490976041279,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":3472,"flow_avg_l4_payload_len":496,"midstream":0,"ts_msec":1490976041279,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45661,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8":"Weak TLS cipher"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"pitangui.amazon.com","server_names":"pitangui.amazon.com,guipitan.amazon.com,alexa.amazon.com,echo.amazon.com,alexa.amazon.ca,guipitan.amazon.ca,alexa.amazon.co.jp,guipitan.amazon.co.jp,alexa.amazon.com.mx,guipitan.amazon.com.mx,alexa.amazon.com.br,guipitan.amazon.com.br,alexa.amazon.com.au,guipitan.amazon.com.au,alexa.amazon.cn,guipitan.amazon.cn","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"18e962e106761869a61045bed0e81c2c","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=pitangui.amazon.com","alpn":"h2,http\/1.1","fingerprint":"13:E9:3B:22:22:61:41:53:CA:B6:3A:AE:C8:B7:23:FB:A5:11:2F:24"}}
00556{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":210,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":29,"flow_packets_processed":1,"flow_first_seen":1490976041384,"flow_last_seen":1490976041384,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1490976041384,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45662,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00479{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":210,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":29,"flow_packet_id":1,"flow_last_seen":1490976041384,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1490976041384,"pkt":"AMDKkaPvePiC0\/vCCABFAAA807JAAEAGczysECrYNF7ohrJeAbv1uZ3IAAAAAKAC\/\/+9JQAAAgQFtAQCCAoA9k56AAAAAAEDAwg="}
00556{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":213,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":30,"flow_packets_processed":1,"flow_first_seen":1490976041400,"flow_last_seen":1490976041400,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1490976041400,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45663,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -168,12 +168,12 @@
00479{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":248,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":33,"flow_packet_id":1,"flow_last_seen":1490976041680,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1490976041680,"pkt":"AMDKkaPvePiC0\/vCCABFAAA8WzJAAEAGfuesECrYCsl+8Z0KH5BhrRWqAAAAAKAC\/\/9j3AAAAgQFtAQCCAoA9k6YAAAAAAEDAwg="}
00556{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":249,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":34,"flow_packets_processed":1,"flow_first_seen":1490976041770,"flow_last_seen":1490976041770,"flow_idle_time":180000,"flow_min_l4_payload_len":57,"flow_max_l4_payload_len":57,"flow_tot_l4_payload_len":57,"flow_avg_l4_payload_len":57,"midstream":0,"ts_msec":1490976041770,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":21391,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00508{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":249,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":34,"flow_packet_id":1,"flow_last_seen":1490976041770,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":99,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":99,"pkt_l4_len":65,"ts_msec":1490976041770,"pkt":"AMDKkaPvePiC0\/vCCABFAABVWlRAAEARM0qsECrYrBAqAVOPADUAQZgzlqMBAAABAAAAAAAAD21vYmlsZWFuYWx5dGljcwl1cy1lYXN0LTEJYW1hem9uYXdzA2NvbQAAAQAB"}
-00746{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":249,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":34,"flow_packets_processed":1,"flow_first_seen":1490976041770,"flow_last_seen":1490976041770,"flow_idle_time":180000,"flow_min_l4_payload_len":57,"flow_max_l4_payload_len":57,"flow_tot_l4_payload_len":57,"flow_avg_l4_payload_len":57,"midstream":0,"ts_msec":1490976041770,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":21391,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Amazon","breed":"Acceptable","category":"Web"},"dns": {"query":"mobileanalytics.us-east-1.amazonaws.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
+00751{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":249,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":34,"flow_packets_processed":1,"flow_first_seen":1490976041770,"flow_last_seen":1490976041770,"flow_idle_time":180000,"flow_min_l4_payload_len":57,"flow_max_l4_payload_len":57,"flow_tot_l4_payload_len":57,"flow_avg_l4_payload_len":57,"midstream":0,"ts_msec":1490976041770,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":21391,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"dns": {"query":"mobileanalytics.us-east-1.amazonaws.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
00556{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":250,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":35,"flow_packets_processed":1,"flow_first_seen":1490976041806,"flow_last_seen":1490976041806,"flow_idle_time":180000,"flow_min_l4_payload_len":32,"flow_max_l4_payload_len":32,"flow_tot_l4_payload_len":32,"flow_avg_l4_payload_len":32,"midstream":0,"ts_msec":1490976041806,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":52077,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00476{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":250,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":35,"flow_packet_id":1,"flow_last_seen":1490976041806,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1490976041806,"pkt":"AMDKkaPvePiC0\/vCCABFAAA8WlVAAEARM2KsECrYrBAqActtADUAKHKAa+oBAAABAAAAAAAAA3d3dwZhbWF6b24DY29tAAABAAE="}
00721{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":250,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":35,"flow_packets_processed":1,"flow_first_seen":1490976041806,"flow_last_seen":1490976041806,"flow_idle_time":180000,"flow_min_l4_payload_len":32,"flow_max_l4_payload_len":32,"flow_tot_l4_payload_len":32,"flow_avg_l4_payload_len":32,"midstream":0,"ts_msec":1490976041806,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":52077,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Amazon","breed":"Acceptable","category":"Web"},"dns": {"query":"www.amazon.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
00534{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":251,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":34,"flow_packet_id":2,"flow_last_seen":1490976041866,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":115,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":115,"pkt_l4_len":81,"ts_msec":1490976041866,"pkt":"ePiC0\/vCAMDKkaPvCABFAABl0nZAAEARuxesECoBrBAq2AA1U48AUSKClqOBgAABAAEAAAAAD21vYmlsZWFuYWx5dGljcwl1cy1lYXN0LTEJYW1hem9uYXdzA2NvbQAAAQABwAwAAQABAAAAOQAENu8Yug=="}
-00761{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":251,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":34,"flow_packets_processed":2,"flow_first_seen":1490976041770,"flow_last_seen":1490976041866,"flow_idle_time":180000,"flow_min_l4_payload_len":57,"flow_max_l4_payload_len":73,"flow_tot_l4_payload_len":130,"flow_avg_l4_payload_len":65,"midstream":0,"ts_msec":1490976041866,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":21391,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Amazon","breed":"Acceptable","category":"Web"},"dns": {"query":"mobileanalytics.us-east-1.amazonaws.com","num_queries":1,"num_answers":1,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"54.239.24.186"}}
+00766{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":251,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":34,"flow_packets_processed":2,"flow_first_seen":1490976041770,"flow_last_seen":1490976041866,"flow_idle_time":180000,"flow_min_l4_payload_len":57,"flow_max_l4_payload_len":73,"flow_tot_l4_payload_len":130,"flow_avg_l4_payload_len":65,"midstream":0,"ts_msec":1490976041866,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":21391,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"dns": {"query":"mobileanalytics.us-east-1.amazonaws.com","num_queries":1,"num_answers":1,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"54.239.24.186"}}
00556{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":252,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":36,"flow_packets_processed":1,"flow_first_seen":1490976041870,"flow_last_seen":1490976041870,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1490976041870,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.24.186","src_port":34019,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00480{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":252,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":36,"flow_packet_id":1,"flow_last_seen":1490976041870,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1490976041870,"pkt":"AMDKkaPvePiC0\/vCCABFAAA8YDpAAEAGs\/CsECrYNu8YuoTjAbvEzS6RAAAAAKAC\/\/9XzwAAAgQFtAQCCAoA9k6rAAAAAAEDAwg="}
00651{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":253,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":35,"flow_packet_id":2,"flow_last_seen":1490976041938,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":203,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":203,"pkt_l4_len":169,"ts_msec":1490976041938,"pkt":"ePiC0\/vCAMDKkaPvCABFAAC90nlAAEARurysECoBrBAq2AA1y20AqYS4a+qBgAABAAYAAAAAA3d3dwZhbWF6b24DY29tAAABAAHADAAFAAEAAABMAAoDd3d3A2NkbsAQwCwABQABAAAA+AAfDmQzYWc0aHVra2g2MnluCmNsb3VkZnJvbnQDbmV0AMBCAAEAAQAAAAgABDRV0djAQgABAAEAAAAIAAQ0VdHFwEIAAQABAAAACAAENFXRj8BCAAEAAQAAAAgABDRV0Xo="}
@@ -184,7 +184,7 @@
00449{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":256,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":36,"flow_packet_id":3,"flow_last_seen":1490976041953,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1490976041953,"pkt":"AMDKkaPvePiC0\/vCCABFAAAoYDtAAEAGtAOsECrYNu8YuoTjAbvEzS6SzeCOhlAQAVexhgAA"}
00556{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":257,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":38,"flow_packets_processed":1,"flow_first_seen":1490976041961,"flow_last_seen":1490976041961,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1490976041961,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.216","src_port":54412,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00479{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":257,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":38,"flow_packet_id":1,"flow_last_seen":1490976041961,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1490976041961,"pkt":"AMDKkaPvePiC0\/vCCABFAAA8261AAEAGgfisECrYNFXR2NSMAbsYT5UZAAAAAKAC\/\/+XjgAAAgQFtAQCCAoA9k60AAAAAAEDAwg="}
-00824{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":258,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":36,"flow_packets_processed":4,"flow_first_seen":1490976041870,"flow_last_seen":1490976041962,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":227,"flow_tot_l4_payload_len":227,"flow_avg_l4_payload_len":56,"midstream":0,"ts_msec":1490976041962,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.24.186","src_port":34019,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mobileanalytics.us-east-1.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
+00829{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":258,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":36,"flow_packets_processed":4,"flow_first_seen":1490976041870,"flow_last_seen":1490976041962,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":227,"flow_tot_l4_payload_len":227,"flow_avg_l4_payload_len":56,"midstream":0,"ts_msec":1490976041962,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.24.186","src_port":34019,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mobileanalytics.us-east-1.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
00478{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":260,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":37,"flow_packet_id":2,"flow_last_seen":1490976041989,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1490976041989,"pkt":"ePiC0\/vCAMDKkVoBCABFAAA8AABAAPMGqqU0VdHYrBAq2AG71Iuwz0jww\/ZKJqAScSDA4QAAAgQFtAQCCAptm51vAPZOsgEDAwg="}
00465{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":261,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":37,"flow_packet_id":3,"flow_last_seen":1490976041995,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1490976041995,"pkt":"AMDKkaPvePiC0\/vCCABFAAA0BJhAAEAGWRasECrYNFXR2NSLAbvD9komsM9I8YAQAVdfcwAAAQEICgD2Trdtm51v"}
00799{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":262,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":37,"flow_packets_processed":4,"flow_first_seen":1490976041942,"flow_last_seen":1490976041995,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":202,"flow_tot_l4_payload_len":202,"flow_avg_l4_payload_len":50,"midstream":0,"ts_msec":1490976041995,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.216","src_port":54411,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
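Review bot: The regenerated `detected` event for flow 36 in this hunk still records `"ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"`. The `detection-update` events for the same flow further down this file's diff report `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256` with a populated `ja3s`, so the first value looks like an unset default rather than a negotiated suite. A consumer that alerts on null ciphers, or that takes `unsafe_cipher` from the first event of a flow, would draw the wrong conclusion from it. As this file is generated output, the change belongs in the emitter (presumably nDPId.c, which is not visible here): omit `cipher` and `unsafe_cipher` from the `tls` object until the server hello has been parsed, or state in the schema that both are meaningful only when `ja3s` is non-empty.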
@@ -194,13 +194,13 @@
00466{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":265,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":38,"flow_packet_id":3,"flow_last_seen":1490976042057,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1490976042057,"pkt":"AMDKkaPvePiC0\/vCCABFAAA0265AAEAGgf+sECrYNFXR2NSMAbsYT5UaPnH5CIAQAVca0QAAAQEICgD2Tr1s\/wWh"}
00799{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":266,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":38,"flow_packets_processed":4,"flow_first_seen":1490976041961,"flow_last_seen":1490976042058,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":202,"flow_tot_l4_payload_len":202,"flow_avg_l4_payload_len":50,"midstream":0,"ts_msec":1490976042058,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.216","src_port":54412,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
00856{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":269,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":37,"flow_packets_processed":7,"flow_first_seen":1490976041942,"flow_last_seen":1490976042081,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":1650,"flow_avg_l4_payload_len":235,"midstream":0,"ts_msec":1490976042081,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.216","src_port":54411,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
-01333{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":271,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":37,"flow_packets_processed":9,"flow_first_seen":1490976041942,"flow_last_seen":1490976042082,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":4546,"flow_avg_l4_payload_len":505,"midstream":0,"ts_msec":1490976042082,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.216","src_port":54411,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.amazon.com","server_names":"amazon.com,amzn.com,uedata.amazon.com,us.amazon.com,www.amazon.com,www.amzn.com,corporate.amazon.com,buybox.amazon.com,iphone.amazon.com,yp.amazon.com,home.amazon.com,origin-www.amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","issuerDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=www.amazon.com","alpn":"h2,http\/1.1","fingerprint":"EF:14:6C:F1:5C:4A:F8:4D:BA:83:C2:1E:6C:5B:ED:C4:FA:34:1C:3E"}}
+01334{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":271,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":37,"flow_packets_processed":9,"flow_first_seen":1490976041942,"flow_last_seen":1490976042082,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":4546,"flow_avg_l4_payload_len":505,"midstream":0,"ts_msec":1490976042082,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.216","src_port":54411,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.amazon.com","server_names":"amazon.com,amzn.com,uedata.amazon.com,us.amazon.com,www.amazon.com,www.amzn.com,corporate.amazon.com,buybox.amazon.com,iphone.amazon.com,yp.amazon.com,home.amazon.com,origin-www.amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=www.amazon.com","alpn":"h2,http\/1.1","fingerprint":"EF:14:6C:F1:5C:4A:F8:4D:BA:83:C2:1E:6C:5B:ED:C4:FA:34:1C:3E"}}
00477{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":278,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":39,"flow_packet_id":2,"flow_last_seen":1490976042099,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1490976042099,"pkt":"ePiC0\/vCAMDKkVoBCABFAAA8AABAAPMGqqU0VdHYrBAq2AG71I2zekUSpjRPT6AScSDSoAAAAgQFtAQCCAptF6XzAPZOvQEDAwg="}
00465{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":279,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":39,"flow_packet_id":3,"flow_last_seen":1490976042101,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1490976042101,"pkt":"AMDKkaPvePiC0\/vCCABFAAA0AfRAAEAGW7qsECrYNFXR2NSNAbumNE9Ps3pFE4AQAVdxMgAAAQEICgD2TsJtF6Xz"}
00856{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":282,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":38,"flow_packets_processed":6,"flow_first_seen":1490976041961,"flow_last_seen":1490976042149,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":1650,"flow_avg_l4_payload_len":275,"midstream":0,"ts_msec":1490976042149,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.216","src_port":54412,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
-01333{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":284,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":38,"flow_packets_processed":8,"flow_first_seen":1490976041961,"flow_last_seen":1490976042150,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":4546,"flow_avg_l4_payload_len":568,"midstream":0,"ts_msec":1490976042150,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.216","src_port":54412,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.amazon.com","server_names":"amazon.com,amzn.com,uedata.amazon.com,us.amazon.com,www.amazon.com,www.amzn.com,corporate.amazon.com,buybox.amazon.com,iphone.amazon.com,yp.amazon.com,home.amazon.com,origin-www.amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","issuerDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=www.amazon.com","alpn":"h2,http\/1.1","fingerprint":"EF:14:6C:F1:5C:4A:F8:4D:BA:83:C2:1E:6C:5B:ED:C4:FA:34:1C:3E"}}
-00881{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":317,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":36,"flow_packets_processed":8,"flow_first_seen":1490976041870,"flow_last_seen":1490976042302,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":1914,"flow_avg_l4_payload_len":239,"midstream":0,"ts_msec":1490976042302,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.24.186","src_port":34019,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mobileanalytics.us-east-1.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"159d46e54a2c066ef95e656fdf034e1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
-01235{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":319,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":36,"flow_packets_processed":10,"flow_first_seen":1490976041870,"flow_last_seen":1490976042302,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":4834,"flow_avg_l4_payload_len":483,"midstream":0,"ts_msec":1490976042302,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.24.186","src_port":34019,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mobileanalytics.us-east-1.amazonaws.com","server_names":"mobileanalytics.us-east-1.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"159d46e54a2c066ef95e656fdf034e1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","issuerDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=mobileanalytics.us-east-1.amazonaws.com","alpn":"h2,http\/1.1","fingerprint":"87:AD:E9:2D:E8:42:F0:5C:3A:09:13:00:12:93:59:04:84:C3:E2:2D"}}
+01334{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":284,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":38,"flow_packets_processed":8,"flow_first_seen":1490976041961,"flow_last_seen":1490976042150,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":4546,"flow_avg_l4_payload_len":568,"midstream":0,"ts_msec":1490976042150,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.216","src_port":54412,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.amazon.com","server_names":"amazon.com,amzn.com,uedata.amazon.com,us.amazon.com,www.amazon.com,www.amzn.com,corporate.amazon.com,buybox.amazon.com,iphone.amazon.com,yp.amazon.com,home.amazon.com,origin-www.amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=www.amazon.com","alpn":"h2,http\/1.1","fingerprint":"EF:14:6C:F1:5C:4A:F8:4D:BA:83:C2:1E:6C:5B:ED:C4:FA:34:1C:3E"}}
+00886{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":317,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":36,"flow_packets_processed":8,"flow_first_seen":1490976041870,"flow_last_seen":1490976042302,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":1914,"flow_avg_l4_payload_len":239,"midstream":0,"ts_msec":1490976042302,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.24.186","src_port":34019,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mobileanalytics.us-east-1.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"159d46e54a2c066ef95e656fdf034e1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
+01241{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":319,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":36,"flow_packets_processed":10,"flow_first_seen":1490976041870,"flow_last_seen":1490976042302,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":4834,"flow_avg_l4_payload_len":483,"midstream":0,"ts_msec":1490976042302,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.24.186","src_port":34019,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mobileanalytics.us-east-1.amazonaws.com","server_names":"mobileanalytics.us-east-1.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"159d46e54a2c066ef95e656fdf034e1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=mobileanalytics.us-east-1.amazonaws.com","alpn":"h2,http\/1.1","fingerprint":"87:AD:E9:2D:E8:42:F0:5C:3A:09:13:00:12:93:59:04:84:C3:E2:2D"}}
00480{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":347,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":31,"flow_packet_id":2,"flow_last_seen":1490976042419,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1490976042419,"pkt":"AMDKkaPvePiC0\/vCCABFAAA8G69AAEAGvmqsECrYCsl+8Z0IH5CvoFXQAAAAAKAC\/\/\/VegAAAgQFtAQCCAoA9k7iAAAAAAEDAwg="}
00479{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":377,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":33,"flow_packet_id":2,"flow_last_seen":1490976043609,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1490976043609,"pkt":"AMDKkaPvePiC0\/vCCABFAAA8WzNAAEAGfuasECrYCsl+8Z0KH5BhrRWqAAAAAKAC\/\/9jeAAAAgQFtAQCCAoA9k78AAAAAAEDAwg="}
00556{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":389,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":40,"flow_packets_processed":1,"flow_first_seen":1490976043611,"flow_last_seen":1490976043611,"flow_idle_time":180000,"flow_min_l4_payload_len":35,"flow_max_l4_payload_len":35,"flow_tot_l4_payload_len":35,"flow_avg_l4_payload_len":35,"midstream":0,"ts_msec":1490976043611,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":43350,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
@@ -221,7 +221,7 @@
00449{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":404,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":41,"flow_packet_id":3,"flow_last_seen":1490976043875,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1490976043875,"pkt":"AMDKkaPvePiC0\/vCCABFAAAoJo1AAEAGJr6sECrYSBXOh6SRAbtDcGnitQQCkVAQAVe1wwAA"}
00802{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":405,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":41,"flow_packets_processed":4,"flow_first_seen":1490976043814,"flow_last_seen":1490976043875,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":205,"flow_tot_l4_payload_len":205,"flow_avg_l4_payload_len":51,"midstream":0,"ts_msec":1490976043875,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"72.21.206.135","src_port":42129,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"fls-na.amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
00859{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":409,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":41,"flow_packets_processed":7,"flow_first_seen":1490976043814,"flow_last_seen":1490976043941,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":1665,"flow_avg_l4_payload_len":237,"midstream":0,"ts_msec":1490976043941,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"72.21.206.135","src_port":42129,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"fls-na.amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"159d46e54a2c066ef95e656fdf034e1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
-01227{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":411,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":41,"flow_packets_processed":9,"flow_first_seen":1490976043814,"flow_last_seen":1490976043941,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":4585,"flow_avg_l4_payload_len":509,"midstream":0,"ts_msec":1490976043941,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"72.21.206.135","src_port":42129,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"fls-na.amazon.com","server_names":"fls-na.amazon.ca,fls-na.amazon.com,fls-na.amazon.com.br,fls-na.amazon.com.mx","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"159d46e54a2c066ef95e656fdf034e1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","issuerDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=fls-na.amazon.com","alpn":"h2,http\/1.1","fingerprint":"2F:16:23:0F:F8:49:12:18:49:55:48:DA:E6:59:D9:B3:BB:0E:41:8A"}}
+01228{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":411,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":41,"flow_packets_processed":9,"flow_first_seen":1490976043814,"flow_last_seen":1490976043941,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":4585,"flow_avg_l4_payload_len":509,"midstream":0,"ts_msec":1490976043941,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"72.21.206.135","src_port":42129,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"fls-na.amazon.com","server_names":"fls-na.amazon.ca,fls-na.amazon.com,fls-na.amazon.com.br,fls-na.amazon.com.mx","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"159d46e54a2c066ef95e656fdf034e1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=fls-na.amazon.com","alpn":"h2,http\/1.1","fingerprint":"2F:16:23:0F:F8:49:12:18:49:55:48:DA:E6:59:D9:B3:BB:0E:41:8A"}}
00556{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":424,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":43,"flow_packets_processed":1,"flow_first_seen":1490976044189,"flow_last_seen":1490976044189,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1490976044189,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45673,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00479{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":424,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":43,"flow_packet_id":1,"flow_last_seen":1490976044189,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1490976044189,"pkt":"AMDKkaPvePiC0\/vCCABFAAA8KphAAEAGHFesECrYNF7ohrJpAbvSj2UKAAAAAKAC\/\/8X6wAAAgQFtAQCCAoA9k+SAAAAAAEDAwg="}
00556{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":425,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":44,"flow_packets_processed":1,"flow_first_seen":1490976044219,"flow_last_seen":1490976044219,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1490976044219,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45674,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -266,7 +266,7 @@
00886{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":491,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":49,"flow_packets_processed":5,"flow_first_seen":1490976044521,"flow_last_seen":1490976044687,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":239,"flow_tot_l4_payload_len":324,"flow_avg_l4_payload_len":64,"midstream":0,"ts_msec":1490976044687,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45679,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8":"Weak TLS cipher"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"pitangui.amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"18e962e106761869a61045bed0e81c2c","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","alpn":"h2,http\/1.1"}}
00886{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":495,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":48,"flow_packets_processed":6,"flow_first_seen":1490976044509,"flow_last_seen":1490976044687,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":239,"flow_tot_l4_payload_len":324,"flow_avg_l4_payload_len":54,"midstream":0,"ts_msec":1490976044687,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45678,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8":"Weak TLS cipher"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"pitangui.amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"18e962e106761869a61045bed0e81c2c","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","alpn":"h2,http\/1.1"}}
00859{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":511,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":42,"flow_packets_processed":9,"flow_first_seen":1490976043814,"flow_last_seen":1490976044708,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":2075,"flow_avg_l4_payload_len":230,"midstream":0,"ts_msec":1490976044708,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"72.21.206.135","src_port":42130,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"fls-na.amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"159d46e54a2c066ef95e656fdf034e1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
-01228{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":513,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":42,"flow_packets_processed":11,"flow_first_seen":1490976043814,"flow_last_seen":1490976044708,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":4995,"flow_avg_l4_payload_len":454,"midstream":0,"ts_msec":1490976044708,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"72.21.206.135","src_port":42130,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"fls-na.amazon.com","server_names":"fls-na.amazon.ca,fls-na.amazon.com,fls-na.amazon.com.br,fls-na.amazon.com.mx","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"159d46e54a2c066ef95e656fdf034e1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","issuerDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=fls-na.amazon.com","alpn":"h2,http\/1.1","fingerprint":"2F:16:23:0F:F8:49:12:18:49:55:48:DA:E6:59:D9:B3:BB:0E:41:8A"}}
+01229{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":513,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":42,"flow_packets_processed":11,"flow_first_seen":1490976043814,"flow_last_seen":1490976044708,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":4995,"flow_avg_l4_payload_len":454,"midstream":0,"ts_msec":1490976044708,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"72.21.206.135","src_port":42130,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"fls-na.amazon.com","server_names":"fls-na.amazon.ca,fls-na.amazon.com,fls-na.amazon.com.br,fls-na.amazon.com.mx","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"159d46e54a2c066ef95e656fdf034e1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=fls-na.amazon.com","alpn":"h2,http\/1.1","fingerprint":"2F:16:23:0F:F8:49:12:18:49:55:48:DA:E6:59:D9:B3:BB:0E:41:8A"}}
00556{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":599,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":50,"flow_packets_processed":1,"flow_first_seen":1490976046418,"flow_last_seen":1490976046418,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1490976046418,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45680,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00479{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":599,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":50,"flow_packet_id":1,"flow_last_seen":1490976046418,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1490976046418,"pkt":"AMDKkaPvePiC0\/vCCABFAAA8dehAAEAG0QasECrYNF7ohrJwAbub2CWZAAAAAKAC\/\/+NLQAAAgQFtAQCCAoA9lBxAAAAAAEDAwg="}
00462{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":600,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":50,"flow_packet_id":2,"flow_last_seen":1490976046475,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"ts_msec":1490976046475,"pkt":"ePiC0\/vCAMDKkVoBCABFAAAwWCFAAOcGR9k0XuiGrBAq2AG7snCFN7lwm9glmnASH\/679wAAAgQFtAEDAwY="}
@@ -279,17 +279,17 @@
00480{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":618,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":52,"flow_packet_id":1,"flow_last_seen":1490976047050,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1490976047050,"pkt":"AMDKkaPvePiC0\/vCCABFAAA8zEVAAEAGR+WsECrYNu8YuoTyAbvILJz0AAAAAKAC\/\/\/j9wAAAgQFtAQCCAoA9lCxAAAAAAEDAwg="}
00462{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":620,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":51,"flow_packet_id":2,"flow_last_seen":1490976047071,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"ts_msec":1490976047071,"pkt":"ePiC0\/vCAMDKkVoBCABFAAAwYANAAOcGDTM27xi6rBAq2AG7hPHQ2dGWKLR0gXASH\/53JwAAAgQFtAEDAwY="}
00449{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":621,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":51,"flow_packet_id":3,"flow_last_seen":1490976047073,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1490976047073,"pkt":"AMDKkaPvePiC0\/vCCABFAAAoJC5AAEAG8BCsECrYNu8YuoTxAbsotHSB0NnRl1AQAVfBmAAA"}
-00824{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":622,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":51,"flow_packets_processed":4,"flow_first_seen":1490976047014,"flow_last_seen":1490976047075,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":259,"flow_tot_l4_payload_len":259,"flow_avg_l4_payload_len":64,"midstream":0,"ts_msec":1490976047075,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.24.186","src_port":34033,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mobileanalytics.us-east-1.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
+00829{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":622,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":51,"flow_packets_processed":4,"flow_first_seen":1490976047014,"flow_last_seen":1490976047075,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":259,"flow_tot_l4_payload_len":259,"flow_avg_l4_payload_len":64,"midstream":0,"ts_msec":1490976047075,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.24.186","src_port":34033,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mobileanalytics.us-east-1.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
00556{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":623,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":53,"flow_packets_processed":1,"flow_first_seen":1490976047096,"flow_last_seen":1490976047096,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1490976047096,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45683,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00479{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":623,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":53,"flow_packet_id":1,"flow_last_seen":1490976047096,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1490976047096,"pkt":"AMDKkaPvePiC0\/vCCABFAAA8Q4ZAAEAGA2msECrYNF7ohrJzAbuRhBMzAAAAAKAC\/\/+poAAAAgQFtAQCCAoA9lC1AAAAAAEDAwg="}
00462{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":624,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":52,"flow_packet_id":2,"flow_last_seen":1490976047107,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"ts_msec":1490976047107,"pkt":"ePiC0\/vCAMDKkVoBCABFAAAwYitAAOcGCws27xi6rBAq2AG7hPIGkxHQyCyc9XASH\/45RwAAAgQFtAEDAwY="}
00450{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":625,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":52,"flow_packet_id":3,"flow_last_seen":1490976047109,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1490976047109,"pkt":"AMDKkaPvePiC0\/vCCABFAAAozEZAAEAGR\/isECrYNu8YuoTyAbvILJz1BpMR0VAQAVeDuAAA"}
-00824{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":626,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":52,"flow_packets_processed":4,"flow_first_seen":1490976047050,"flow_last_seen":1490976047111,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":259,"flow_tot_l4_payload_len":259,"flow_avg_l4_payload_len":64,"midstream":0,"ts_msec":1490976047111,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.24.186","src_port":34034,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mobileanalytics.us-east-1.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
-00878{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":632,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":51,"flow_packets_processed":7,"flow_first_seen":1490976047014,"flow_last_seen":1490976047133,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":259,"flow_tot_l4_payload_len":415,"flow_avg_l4_payload_len":59,"midstream":0,"ts_msec":1490976047133,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.24.186","src_port":34033,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mobileanalytics.us-east-1.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"d199ba0af2b08e204c73d6d81a1fd260","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
+00829{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":626,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":52,"flow_packets_processed":4,"flow_first_seen":1490976047050,"flow_last_seen":1490976047111,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":259,"flow_tot_l4_payload_len":259,"flow_avg_l4_payload_len":64,"midstream":0,"ts_msec":1490976047111,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.24.186","src_port":34034,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mobileanalytics.us-east-1.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
+00883{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":632,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":51,"flow_packets_processed":7,"flow_first_seen":1490976047014,"flow_last_seen":1490976047133,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":259,"flow_tot_l4_payload_len":415,"flow_avg_l4_payload_len":59,"midstream":0,"ts_msec":1490976047133,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.24.186","src_port":34033,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mobileanalytics.us-east-1.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"d199ba0af2b08e204c73d6d81a1fd260","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
00462{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":636,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":53,"flow_packet_id":2,"flow_last_seen":1490976047154,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"ts_msec":1490976047154,"pkt":"ePiC0\/vCAMDKkVoBCABFAAAwRp1AAOcGWV00XuiGrBAq2AG7snPq5wFokYQTNHASH\/4rBwAAAgQFtAEDAwY="}
00449{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":637,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":53,"flow_packet_id":3,"flow_last_seen":1490976047155,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1490976047155,"pkt":"AMDKkaPvePiC0\/vCCABFAAAoQ4dAAEAGA3ysECrYNF7ohrJzAbuRhBM06ucBaVAQAVd1eAAA"}
00804{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":638,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":53,"flow_packets_processed":4,"flow_first_seen":1490976047096,"flow_last_seen":1490976047156,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":239,"flow_tot_l4_payload_len":239,"flow_avg_l4_payload_len":59,"midstream":0,"ts_msec":1490976047156,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45683,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"pitangui.amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
-00878{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":641,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":52,"flow_packets_processed":7,"flow_first_seen":1490976047050,"flow_last_seen":1490976047169,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":259,"flow_tot_l4_payload_len":415,"flow_avg_l4_payload_len":59,"midstream":0,"ts_msec":1490976047169,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.24.186","src_port":34034,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mobileanalytics.us-east-1.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"d199ba0af2b08e204c73d6d81a1fd260","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
+00883{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":641,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":52,"flow_packets_processed":7,"flow_first_seen":1490976047050,"flow_last_seen":1490976047169,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":259,"flow_tot_l4_payload_len":415,"flow_avg_l4_payload_len":59,"midstream":0,"ts_msec":1490976047169,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.24.186","src_port":34034,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mobileanalytics.us-east-1.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"d199ba0af2b08e204c73d6d81a1fd260","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
00886{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":645,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":53,"flow_packets_processed":5,"flow_first_seen":1490976047096,"flow_last_seen":1490976047217,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":239,"flow_tot_l4_payload_len":324,"flow_avg_l4_payload_len":64,"midstream":0,"ts_msec":1490976047217,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45683,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8":"Weak TLS cipher"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"pitangui.amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"18e962e106761869a61045bed0e81c2c","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","alpn":"h2,http\/1.1"}}
00556{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":679,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":54,"flow_packets_processed":1,"flow_first_seen":1490976047560,"flow_last_seen":1490976047560,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1490976047560,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.216","src_port":54427,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00480{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":679,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":54,"flow_packet_id":1,"flow_last_seen":1490976047560,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1490976047560,"pkt":"AMDKkaPvePiC0\/vCCABFAAA8csJAAEAG6uOsECrYNFXR2NSbAbtgrSImAAAAAKAC\/\/+\/5AAAAgQFtAQCCAoA9lDkAAAAAAEDAwg="}
@@ -330,8 +330,8 @@
00480{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":811,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":60,"flow_packet_id":1,"flow_last_seen":1490976058103,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1490976058103,"pkt":"AMDKkaPvePiC0\/vCCABFAAA87D9AAEAGJ+usECrYNu8YuoT5Abs\/ELk9AAAAAKAC\/\/9McwAAAgQFtAQCCAoA9lUCAAAAAAEDAwg="}
00462{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":815,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":60,"flow_packet_id":2,"flow_last_seen":1490976058160,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"ts_msec":1490976058160,"pkt":"ePiC0\/vCAMDKkVoBCABFAAAw5wBAAOcGhjU27xi6rBAq2AG7hPl2s2uGPxC5PnASH\/7cPAAAAgQFtAEDAwY="}
00451{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":816,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":60,"flow_packet_id":3,"flow_last_seen":1490976058162,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1490976058162,"pkt":"AMDKkaPvePiC0\/vCCABFAAAo7EBAAEAGJ\/6sECrYNu8YuoT5Abs\/ELk+drNrh1AQAVcmrgAA"}
-00824{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":817,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":60,"flow_packets_processed":4,"flow_first_seen":1490976058103,"flow_last_seen":1490976058166,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":259,"flow_tot_l4_payload_len":259,"flow_avg_l4_payload_len":64,"midstream":0,"ts_msec":1490976058166,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.24.186","src_port":34041,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mobileanalytics.us-east-1.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
-00878{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":822,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":60,"flow_packets_processed":7,"flow_first_seen":1490976058103,"flow_last_seen":1490976058222,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":259,"flow_tot_l4_payload_len":415,"flow_avg_l4_payload_len":59,"midstream":0,"ts_msec":1490976058222,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.24.186","src_port":34041,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mobileanalytics.us-east-1.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"d199ba0af2b08e204c73d6d81a1fd260","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
+00829{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":817,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":60,"flow_packets_processed":4,"flow_first_seen":1490976058103,"flow_last_seen":1490976058166,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":259,"flow_tot_l4_payload_len":259,"flow_avg_l4_payload_len":64,"midstream":0,"ts_msec":1490976058166,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.24.186","src_port":34041,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mobileanalytics.us-east-1.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
+00883{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":822,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":60,"flow_packets_processed":7,"flow_first_seen":1490976058103,"flow_last_seen":1490976058222,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":259,"flow_tot_l4_payload_len":415,"flow_avg_l4_payload_len":59,"midstream":0,"ts_msec":1490976058222,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.24.186","src_port":34041,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mobileanalytics.us-east-1.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"d199ba0af2b08e204c73d6d81a1fd260","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
00556{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":843,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":61,"flow_packets_processed":1,"flow_first_seen":1490976064328,"flow_last_seen":1490976064328,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1490976064328,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"72.21.206.135","src_port":42148,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00479{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":843,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":61,"flow_packet_id":1,"flow_last_seen":1490976064328,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1490976064328,"pkt":"AMDKkaPvePiC0\/vCCABFAAA88S5AAEAGXAisECrYSBXOh6SkAbuyb6ZBAAAAAKAC\/\/8DBAAAAgQFtAQCCAoA9ldvAAAAAAEDAwg="}
00556{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":846,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":62,"flow_packets_processed":1,"flow_first_seen":1490976064333,"flow_last_seen":1490976064333,"flow_idle_time":180000,"flow_min_l4_payload_len":32,"flow_max_l4_payload_len":32,"flow_tot_l4_payload_len":32,"flow_avg_l4_payload_len":32,"midstream":0,"ts_msec":1490976064333,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":44475,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
@@ -360,7 +360,7 @@
00449{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":902,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":65,"flow_packet_id":3,"flow_last_seen":1490976068064,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1490976068064,"pkt":"AMDKkaPvePiC0\/vCCABFAAAokvhAAEAGfG6sECrYNu8dkqLbAbtu3Mosp8nX+FAQAVclsgAA"}
00833{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":903,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":65,"flow_packets_processed":4,"flow_first_seen":1490976067968,"flow_last_seen":1490976068066,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":221,"flow_tot_l4_payload_len":221,"flow_avg_l4_payload_len":55,"midstream":0,"ts_msec":1490976068066,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.146","src_port":41691,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"api.amazon.com","ja3":"bdf21e38e1f69776df407235625e75e2","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
00890{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":907,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":65,"flow_packets_processed":7,"flow_first_seen":1490976067968,"flow_last_seen":1490976068174,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":1681,"flow_avg_l4_payload_len":240,"midstream":0,"ts_msec":1490976068174,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.146","src_port":41691,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"api.amazon.com","ja3":"bdf21e38e1f69776df407235625e75e2","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}
-01220{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":909,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":65,"flow_packets_processed":9,"flow_first_seen":1490976067968,"flow_last_seen":1490976068174,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":3551,"flow_avg_l4_payload_len":394,"midstream":0,"ts_msec":1490976068174,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.146","src_port":41691,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"api.amazon.com","server_names":"api.amazon.com,wsync.us-east-1.amazon.com","ja3":"bdf21e38e1f69776df407235625e75e2","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","issuerDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=api.amazon.com","fingerprint":"1D:A3:CD:C3:06:9E:9B:A0:61:1E:1A:75:55:C1:A8:B0:DC:F8:75:2D"}}
+01221{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":909,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":65,"flow_packets_processed":9,"flow_first_seen":1490976067968,"flow_last_seen":1490976068174,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":3551,"flow_avg_l4_payload_len":394,"midstream":0,"ts_msec":1490976068174,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.146","src_port":41691,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"api.amazon.com","server_names":"api.amazon.com,wsync.us-east-1.amazon.com","ja3":"bdf21e38e1f69776df407235625e75e2","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=api.amazon.com","fingerprint":"1D:A3:CD:C3:06:9E:9B:A0:61:1E:1A:75:55:C1:A8:B0:DC:F8:75:2D"}}
00555{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":958,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":66,"flow_packets_processed":1,"flow_first_seen":1490976071237,"flow_last_seen":1490976071237,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1490976071237,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":49606,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00479{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":958,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":66,"flow_packet_id":1,"flow_last_seen":1490976071237,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1490976071237,"pkt":"AMDKkaPvePiC0\/vCCABFAAA870hAAEAGV6asECrYNF7ohsHGAFAgR7VrAAAAAKAC\/\/9hTwAAAgQFtAQCCAoA9lojAAAAAAEDAwg="}
00556{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":959,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":67,"flow_packets_processed":1,"flow_first_seen":1490976071286,"flow_last_seen":1490976071286,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1490976071286,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45693,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -390,7 +390,7 @@
00556{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":975,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":73,"flow_packets_processed":1,"flow_first_seen":1490976071392,"flow_last_seen":1490976071392,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1490976071392,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":59698,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00480{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":975,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":73,"flow_packet_id":1,"flow_last_seen":1490976071392,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1490976071392,"pkt":"AMDKkaPvePiC0\/vCCABFAAA8hllAAEAGwJWsECrYNF7ohukyAbtO5dxqAAAAAKAC\/\/\/iygAAAgQFtAQCCAoA9lozAAAAAAEDAwg="}
00462{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":976,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":71,"flow_packet_id":2,"flow_last_seen":1490976071431,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"ts_msec":1490976071431,"pkt":"ePiC0\/vCAMDKkVoBCABFAAAwichAAOcGFjI0XuiGrBAq2AG7soCzlhpDnkFxHnASH\/7eyAAAAgQFtAEDAwY="}
-01495{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":979,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":68,"flow_packets_processed":7,"flow_first_seen":1490976071306,"flow_last_seen":1490976071432,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":3472,"flow_avg_l4_payload_len":496,"midstream":0,"ts_msec":1490976071432,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45694,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8":"Weak TLS cipher"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"pitangui.amazon.com","server_names":"pitangui.amazon.com,guipitan.amazon.com,alexa.amazon.com,echo.amazon.com,alexa.amazon.ca,guipitan.amazon.ca,alexa.amazon.co.jp,guipitan.amazon.co.jp,alexa.amazon.com.mx,guipitan.amazon.com.mx,alexa.amazon.com.br,guipitan.amazon.com.br,alexa.amazon.com.au,guipitan.amazon.com.au,alexa.amazon.cn,guipitan.amazon.cn","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"18e962e106761869a61045bed0e81c2c","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","issuerDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=pitangui.amazon.com","alpn":"h2,http\/1.1","fingerprint":"13:E9:3B:22:22:61:41:53:CA:B6:3A:AE:C8:B7:23:FB:A5:11:2F:24"}}
+01496{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":979,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":68,"flow_packets_processed":7,"flow_first_seen":1490976071306,"flow_last_seen":1490976071432,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":3472,"flow_avg_l4_payload_len":496,"midstream":0,"ts_msec":1490976071432,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45694,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8":"Weak TLS cipher"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"pitangui.amazon.com","server_names":"pitangui.amazon.com,guipitan.amazon.com,alexa.amazon.com,echo.amazon.com,alexa.amazon.ca,guipitan.amazon.ca,alexa.amazon.co.jp,guipitan.amazon.co.jp,alexa.amazon.com.mx,guipitan.amazon.com.mx,alexa.amazon.com.br,guipitan.amazon.com.br,alexa.amazon.com.au,guipitan.amazon.com.au,alexa.amazon.cn,guipitan.amazon.cn","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"18e962e106761869a61045bed0e81c2c","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=pitangui.amazon.com","alpn":"h2,http\/1.1","fingerprint":"13:E9:3B:22:22:61:41:53:CA:B6:3A:AE:C8:B7:23:FB:A5:11:2F:24"}}
00449{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":980,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":71,"flow_packet_id":3,"flow_last_seen":1490976071433,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1490976071433,"pkt":"AMDKkaPvePiC0\/vCCABFAAAoKzBAAEAGG9OsECrYNF7ohrKAAbueQXEes5YaRFAQAVcpOgAA"}
00804{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":983,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":71,"flow_packets_processed":4,"flow_first_seen":1490976071380,"flow_last_seen":1490976071434,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":239,"flow_tot_l4_payload_len":239,"flow_avg_l4_payload_len":59,"midstream":0,"ts_msec":1490976071434,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45696,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"pitangui.amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
00462{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":986,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":70,"flow_packet_id":2,"flow_last_seen":1490976071438,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"ts_msec":1490976071438,"pkt":"ePiC0\/vCAMDKkVoBCABFAAAwR+BAAOcGWBo0XuiGrBAq2AG7sn8uyCJ8obvO6XASH\/76GQAAAgQFtAEDAwY="}
@@ -402,10 +402,10 @@
00886{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":993,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":67,"flow_packets_processed":5,"flow_first_seen":1490976071286,"flow_last_seen":1490976071444,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":239,"flow_tot_l4_payload_len":324,"flow_avg_l4_payload_len":64,"midstream":0,"ts_msec":1490976071444,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45693,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8":"Weak TLS cipher"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"pitangui.amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"18e962e106761869a61045bed0e81c2c","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","alpn":"h2,http\/1.1"}}
00462{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":998,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":73,"flow_packet_id":2,"flow_last_seen":1490976071448,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"ts_msec":1490976071448,"pkt":"ePiC0\/vCAMDKkVoBCABFAAAw0V1AAOcGzpw0XuiGrBAq2AG76TIsDp+yTuXca3ASH\/6OPgAAAgQFtAEDAwY="}
00449{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":999,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":73,"flow_packet_id":3,"flow_last_seen":1490976071449,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1490976071449,"pkt":"AMDKkaPvePiC0\/vCCABFAAAohlpAAEAGwKisECrYNF7ohukyAbtO5dxrLA6fs1AQAVfYrwAA"}
-00857{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1000,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":73,"flow_packets_processed":4,"flow_first_seen":1490976071392,"flow_last_seen":1490976071451,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":194,"flow_tot_l4_payload_len":194,"flow_avg_l4_payload_len":48,"midstream":0,"ts_msec":1490976071451,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":59698,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS","24":"SNI TLS extension was missing"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","ja3":"36e9ceaa96dd810482573844f78a063f","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
+00862{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1000,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":73,"flow_packets_processed":4,"flow_first_seen":1490976071392,"flow_last_seen":1490976071451,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":194,"flow_tot_l4_payload_len":194,"flow_avg_l4_payload_len":48,"midstream":0,"ts_msec":1490976071451,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":59698,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS","24":"SNI TLS extension was missing"},"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","ja3":"36e9ceaa96dd810482573844f78a063f","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
00887{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1006,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":71,"flow_packets_processed":6,"flow_first_seen":1490976071380,"flow_last_seen":1490976071486,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":239,"flow_tot_l4_payload_len":324,"flow_avg_l4_payload_len":54,"midstream":0,"ts_msec":1490976071486,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45696,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8":"Weak TLS cipher"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"pitangui.amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"18e962e106761869a61045bed0e81c2c","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","alpn":"h2,http\/1.1"}}
00887{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1013,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":70,"flow_packets_processed":5,"flow_first_seen":1490976071349,"flow_last_seen":1490976071501,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":239,"flow_tot_l4_payload_len":324,"flow_avg_l4_payload_len":64,"midstream":0,"ts_msec":1490976071501,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45695,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8":"Weak TLS cipher"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"pitangui.amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"18e962e106761869a61045bed0e81c2c","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","alpn":"h2,http\/1.1"}}
-01533{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1020,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":73,"flow_packets_processed":7,"flow_first_seen":1490976071392,"flow_last_seen":1490976071512,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":3459,"flow_avg_l4_payload_len":494,"midstream":0,"ts_msec":1490976071512,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":59698,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8":"Weak TLS cipher","15":"TLS (probably) not carrying HTTPS","24":"SNI TLS extension was missing"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","server_names":"pitangui.amazon.com,guipitan.amazon.com,alexa.amazon.com,echo.amazon.com,alexa.amazon.ca,guipitan.amazon.ca,alexa.amazon.co.jp,guipitan.amazon.co.jp,alexa.amazon.com.mx,guipitan.amazon.com.mx,alexa.amazon.com.br,guipitan.amazon.com.br,alexa.amazon.com.au,guipitan.amazon.com.au,alexa.amazon.cn,guipitan.amazon.cn","ja3":"36e9ceaa96dd810482573844f78a063f","ja3s":"18e962e106761869a61045bed0e81c2c","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","issuerDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=pitangui.amazon.com","fingerprint":"13:E9:3B:22:22:61:41:53:CA:B6:3A:AE:C8:B7:23:FB:A5:11:2F:24"}}
+01534{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1020,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":73,"flow_packets_processed":7,"flow_first_seen":1490976071392,"flow_last_seen":1490976071512,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":3459,"flow_avg_l4_payload_len":494,"midstream":0,"ts_msec":1490976071512,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":59698,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8":"Weak TLS cipher","15":"TLS (probably) not carrying HTTPS","24":"SNI TLS extension was missing"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","server_names":"pitangui.amazon.com,guipitan.amazon.com,alexa.amazon.com,echo.amazon.com,alexa.amazon.ca,guipitan.amazon.ca,alexa.amazon.co.jp,guipitan.amazon.co.jp,alexa.amazon.com.mx,guipitan.amazon.com.mx,alexa.amazon.com.br,guipitan.amazon.com.br,alexa.amazon.com.au,guipitan.amazon.com.au,alexa.amazon.cn,guipitan.amazon.cn","ja3":"36e9ceaa96dd810482573844f78a063f","ja3s":"18e962e106761869a61045bed0e81c2c","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=pitangui.amazon.com","fingerprint":"13:E9:3B:22:22:61:41:53:CA:B6:3A:AE:C8:B7:23:FB:A5:11:2F:24"}}
00557{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1039,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":74,"flow_packets_processed":1,"flow_first_seen":1490976071583,"flow_last_seen":1490976071583,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1490976071583,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45698,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00481{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1039,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":74,"flow_packet_id":1,"flow_last_seen":1490976071583,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1490976071583,"pkt":"AMDKkaPvePiC0\/vCCABFAAA8H+ZAAEAGJwmsECrYNF7ohrKCAbsHHkWgAAAAAKAC\/\/\/3+QAAAgQFtAQCCAoA9lpGAAAAAAEDAwg="}
00463{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1057,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":74,"flow_packet_id":2,"flow_last_seen":1490976071640,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"ts_msec":1490976071640,"pkt":"ePiC0\/vCAMDKkVoBCABFAAAwgCVAAOcGH9U0XuiGrBAq2AG7soJWhIA2Bx5FoXASH\/6YhgAAAgQFtAEDAwY="}
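Review bot: The regenerated baseline in this hunk now pins two different classifications for the same flow. The `detected` event for `flow_id` 73 (packet 1000) becomes `TLS.AmazonAWS` / `Cloud`, while the `detection-update` for that flow (packet 1020) stays `TLS.Amazon` / `Web`; before this change both events agreed. Presumably the first label is a guess made without SNI (`client_requested_server_name` is empty) and the second comes from the certificate's `server_names`, but the fixture alone cannot confirm that, so check that the flip is intended before accepting it as expected output. If it is intended, document it next to the event description, for example `ndpi.proto and ndpi.category may change between "detected" and "detection-update"; consumers must re-evaluate on every update`, so that alerting or filtering on the first event only is not mistaken for a stable verdict.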
@@ -417,8 +417,8 @@
00481{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1113,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":75,"flow_packet_id":1,"flow_last_seen":1490976076042,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1490976076042,"pkt":"AMDKkaPvePiC0\/vCCABFAAA8BbZAAEAGQTmsECrYNF7ohpD5Abuu0lmyAAAAAKAC\/\/9b\/gAAAgQFtAQCCAoA9lwEAAAAAAEDAwg="}
00463{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1114,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":75,"flow_packet_id":2,"flow_last_seen":1490976076114,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"ts_msec":1490976076114,"pkt":"ePiC0\/vCAMDKkVoBCABFAAAwMG5AAOcGb4w0XuiGrBAq2AG7kPnjZM+NrtJZs3ASH\/4iEQAAAgQFtAEDAwY="}
00450{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1115,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":75,"flow_packet_id":3,"flow_last_seen":1490976076117,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1490976076117,"pkt":"AMDKkaPvePiC0\/vCCABFAAAoBbdAAEAGQUysECrYNF7ohpD5Abuu0lmz42TPjlAQAVdsggAA"}
-00821{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1116,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":75,"flow_packets_processed":4,"flow_first_seen":1490976076042,"flow_last_seen":1490976076117,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":174,"flow_tot_l4_payload_len":174,"flow_avg_l4_payload_len":43,"midstream":0,"ts_msec":1490976076117,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":37113,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"f8f5b71e02603b283e55b50d17ede861","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
-00888{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1118,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":75,"flow_packets_processed":6,"flow_first_seen":1490976076042,"flow_last_seen":1490976076167,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":174,"flow_tot_l4_payload_len":259,"flow_avg_l4_payload_len":43,"midstream":0,"ts_msec":1490976076167,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":37113,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"f8f5b71e02603b283e55b50d17ede861","ja3s":"18e962e106761869a61045bed0e81c2c","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA"}}
+00826{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1116,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":75,"flow_packets_processed":4,"flow_first_seen":1490976076042,"flow_last_seen":1490976076117,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":174,"flow_tot_l4_payload_len":174,"flow_avg_l4_payload_len":43,"midstream":0,"ts_msec":1490976076117,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":37113,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"f8f5b71e02603b283e55b50d17ede861","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
+00893{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1118,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":75,"flow_packets_processed":6,"flow_first_seen":1490976076042,"flow_last_seen":1490976076167,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":174,"flow_tot_l4_payload_len":259,"flow_avg_l4_payload_len":43,"midstream":0,"ts_msec":1490976076167,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":37113,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"f8f5b71e02603b283e55b50d17ede861","ja3s":"18e962e106761869a61045bed0e81c2c","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA"}}
00556{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1128,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":76,"flow_packets_processed":1,"flow_first_seen":1490976076275,"flow_last_seen":1490976076275,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1490976076275,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":49613,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00480{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1128,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":76,"flow_packet_id":1,"flow_last_seen":1490976076275,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1490976076275,"pkt":"AMDKkaPvePiC0\/vCCABFAAA8Bx5AAEAGP9GsECrYNF7ohsHNAFDXKVsFAAAAAKAC\/\/8C1AAAAgQFtAQCCAoA9lwbAAAAAAEDAwg="}
00464{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1130,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":76,"flow_packet_id":2,"flow_last_seen":1490976076338,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"ts_msec":1490976076338,"pkt":"ePiC0\/vCAMDKkVoBCABFAAAwijBAAOcGFco0XuiGrBAq2ABQwc3F00\/v1ylbBnASH\/5mLQAAAgQFtAEDAwY="}
@@ -428,18 +428,18 @@
00481{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1141,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":77,"flow_packet_id":1,"flow_last_seen":1490976080485,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1490976080485,"pkt":"AMDKkaPvePiC0\/vCCABFAAA80qBAAEAGOXysECrYIsc08JYEAbs8Ao8fAAAAAKAC\/\/9XyQAAAgQFtAQCCAoA9l2\/AAAAAAEDAwg="}
00478{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1142,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":77,"flow_packet_id":2,"flow_last_seen":1490976080542,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1490976080542,"pkt":"ePiC0\/vCAMDKkVoBCABFAAA8AABAAOsGYRwixzTwrBAq2AG7lgTyw5w6PAKPIKASaN+a6gAAAgQFtAQCCApEF4DYAPZdvwEDAwg="}
00466{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1143,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":77,"flow_packet_id":3,"flow_last_seen":1490976080543,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1490976080543,"pkt":"AMDKkaPvePiC0\/vCCABFAAA00qFAAEAGOYOsECrYIsc08JYEAbs8Ao8g8sOcO4AQAVcxOQAAAQEICgD2XcZEF4DY"}
-00826{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1144,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":77,"flow_packets_processed":4,"flow_first_seen":1490976080485,"flow_last_seen":1490976080544,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":260,"flow_tot_l4_payload_len":260,"flow_avg_l4_payload_len":65,"midstream":0,"ts_msec":1490976080544,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"34.199.52.240","src_port":38404,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"cognito-identity.us-east-1.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
-00883{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1146,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":77,"flow_packets_processed":6,"flow_first_seen":1490976080485,"flow_last_seen":1490976080606,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":1708,"flow_avg_l4_payload_len":284,"midstream":0,"ts_msec":1490976080606,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"34.199.52.240","src_port":38404,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"cognito-identity.us-east-1.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
-01269{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1148,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":77,"flow_packets_processed":8,"flow_first_seen":1490976080485,"flow_last_seen":1490976080607,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":3649,"flow_avg_l4_payload_len":456,"midstream":0,"ts_msec":1490976080607,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"34.199.52.240","src_port":38404,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"cognito-identity.us-east-1.amazonaws.com","server_names":"cognito-identity.amazonaws.com,cognito-identity.us-east-1.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","issuerDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=cognito-identity.us-east-1.amazonaws.com","alpn":"h2,http\/1.1","fingerprint":"56:17:8F:E9:45:10:32:78:FF:FD:E3:09:60:5A:B5:3B:8D:8C:F8:34"}}
+00831{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1144,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":77,"flow_packets_processed":4,"flow_first_seen":1490976080485,"flow_last_seen":1490976080544,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":260,"flow_tot_l4_payload_len":260,"flow_avg_l4_payload_len":65,"midstream":0,"ts_msec":1490976080544,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"34.199.52.240","src_port":38404,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"cognito-identity.us-east-1.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
+00888{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1146,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":77,"flow_packets_processed":6,"flow_first_seen":1490976080485,"flow_last_seen":1490976080606,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":1708,"flow_avg_l4_payload_len":284,"midstream":0,"ts_msec":1490976080606,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"34.199.52.240","src_port":38404,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"cognito-identity.us-east-1.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
+01275{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1148,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":77,"flow_packets_processed":8,"flow_first_seen":1490976080485,"flow_last_seen":1490976080607,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":3649,"flow_avg_l4_payload_len":456,"midstream":0,"ts_msec":1490976080607,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"34.199.52.240","src_port":38404,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"cognito-identity.us-east-1.amazonaws.com","server_names":"cognito-identity.amazonaws.com,cognito-identity.us-east-1.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=cognito-identity.us-east-1.amazonaws.com","alpn":"h2,http\/1.1","fingerprint":"56:17:8F:E9:45:10:32:78:FF:FD:E3:09:60:5A:B5:3B:8D:8C:F8:34"}}
00557{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1168,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":78,"flow_packets_processed":1,"flow_first_seen":1490976082723,"flow_last_seen":1490976082723,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1490976082723,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.24.186","src_port":34053,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00481{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1168,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":78,"flow_packet_id":1,"flow_last_seen":1490976082723,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1490976082723,"pkt":"AMDKkaPvePiC0\/vCCABFAAA8n\/hAAEAGdDKsECrYNu8YuoUFAbsbksFnAAAAAKAC\/\/9eHgAAAgQFtAQCCAoA9l6fAAAAAAEDAwg="}
00557{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1169,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":79,"flow_packets_processed":1,"flow_first_seen":1490976082964,"flow_last_seen":1490976082964,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1490976082964,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.24.186","src_port":34054,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00480{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1169,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":79,"flow_packet_id":1,"flow_last_seen":1490976082964,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1490976082964,"pkt":"AMDKkaPvePiC0\/vCCABFAAA8NvRAAEAG3TasECrYNu8YuoUGAbttlGhMAAAAAKAC\/\/9lHQAAAgQFtAQCCAoA9l64AAAAAAEDAwg="}
00463{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1170,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":78,"flow_packet_id":2,"flow_last_seen":1490976082969,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"ts_msec":1490976082969,"pkt":"ePiC0\/vCAMDKkVoBCABFAAAwftZAAOcG7l827xi6rBAq2AG7hQU1exHsG5LBaHASH\/6SVwAAAgQFtAEDAwY="}
00451{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1171,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":78,"flow_packet_id":3,"flow_last_seen":1490976082973,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1490976082973,"pkt":"AMDKkaPvePiC0\/vCCABFAAAon\/lAAEAGdEWsECrYNu8YuoUFAbsbksFoNXsR7VAQAVfcyAAA"}
-00825{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1172,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":78,"flow_packets_processed":4,"flow_first_seen":1490976082723,"flow_last_seen":1490976082975,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":259,"flow_tot_l4_payload_len":259,"flow_avg_l4_payload_len":64,"midstream":0,"ts_msec":1490976082975,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.24.186","src_port":34053,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mobileanalytics.us-east-1.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
+00830{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1172,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":78,"flow_packets_processed":4,"flow_first_seen":1490976082723,"flow_last_seen":1490976082975,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":259,"flow_tot_l4_payload_len":259,"flow_avg_l4_payload_len":64,"midstream":0,"ts_msec":1490976082975,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.24.186","src_port":34053,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mobileanalytics.us-east-1.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
00463{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1173,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":79,"flow_packet_id":2,"flow_last_seen":1490976083245,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"ts_msec":1490976083245,"pkt":"ePiC0\/vCAMDKkVoBCABFAAAwWypAAOcGEgw27xi6rBAq2AG7hQaUlSPBbZRoTXASH\/4ogAAAAgQFtAEDAwY="}
-00879{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1176,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":78,"flow_packets_processed":7,"flow_first_seen":1490976082723,"flow_last_seen":1490976083245,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":259,"flow_tot_l4_payload_len":415,"flow_avg_l4_payload_len":59,"midstream":0,"ts_msec":1490976083245,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.24.186","src_port":34053,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mobileanalytics.us-east-1.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"d199ba0af2b08e204c73d6d81a1fd260","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
+00884{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1176,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":78,"flow_packets_processed":7,"flow_first_seen":1490976082723,"flow_last_seen":1490976083245,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":259,"flow_tot_l4_payload_len":415,"flow_avg_l4_payload_len":59,"midstream":0,"ts_msec":1490976083245,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.24.186","src_port":34053,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mobileanalytics.us-east-1.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"d199ba0af2b08e204c73d6d81a1fd260","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
00450{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1177,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":79,"flow_packet_id":3,"flow_last_seen":1490976083337,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1490976083337,"pkt":"AMDKkaPvePiC0\/vCCABFAAAoNvVAAEAG3UmsECrYNu8YuoUGAbttlGhNlJUjwlAQAVdy8QAA"}
00525{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":1189,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":1,"flow_packets_processed":2,"flow_first_seen":1490976022731,"flow_last_seen":1490976022731,"flow_idle_time":120000,"flow_min_l4_payload_len":24,"flow_max_l4_payload_len":24,"flow_tot_l4_payload_len":48,"flow_avg_l4_payload_len":24,"midstream":0,"ts_msec":1490976084800,"l3_proto":"ip6","src_ip":"::","dst_ip":"ff02::1:ffd3:fbc2","l4_proto":"icmp6","flow_datalink":1,"flow_max_packets":3}
00516{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":1189,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":2,"flow_packets_processed":2,"flow_first_seen":1490976022741,"flow_last_seen":1490976022741,"flow_idle_time":120000,"flow_min_l4_payload_len":28,"flow_max_l4_payload_len":28,"flow_tot_l4_payload_len":56,"flow_avg_l4_payload_len":28,"midstream":0,"ts_msec":1490976084800,"l3_proto":"ip6","src_ip":"::","dst_ip":"ff02::16","l4_proto":"icmp6","flow_datalink":1,"flow_max_packets":3}
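Review bot: The expected `detected` events for flows 77 and 78 in this hunk still record `"cipher":"TLS_NULL_WITH_NULL_NULL"` together with `"unsafe_cipher":0` and an empty `"ja3s"`. The next `detection-update` for the same flow reports `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`, so the first value looks like an unset default written before the server side of the handshake was parsed, not a negotiated suite. A consumer that alerts on NULL cipher suites would fire on every TLS flow, and one that trusts `unsafe_cipher` gets a value that says nothing about the session yet. The serializer in nDPId.c is not visible in this hunk, but it could presumably omit `cipher`, `unsafe_cipher` and `ja3s` from the `tls` object until the server hello has been seen. If the fields have to stay, the schema description should state that they are only meaningful once `ja3s` is non-empty.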
@@ -521,24 +521,24 @@
00480{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1389,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":94,"flow_packet_id":1,"flow_last_seen":1490976090572,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1490976090572,"pkt":"AMDKkaPvePiC0\/vCCABFAAA8o8xAAEAGcF6sECrYNu8YuoUVAbs6msJ9AAAAAKAC\/\/863gAAAgQFtAQCCAoA9mGxAAAAAAEDAwg="}
00463{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1396,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":94,"flow_packet_id":2,"flow_last_seen":1490976090753,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"ts_msec":1490976090753,"pkt":"ePiC0\/vCAMDKkVoBCABFAAAwZiVAAOcGBxE27xi6rBAq2AG7hRXpU+crOprCfnASH\/7pEAAAAgQFtAEDAwY="}
00450{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1400,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":94,"flow_packet_id":3,"flow_last_seen":1490976090756,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1490976090756,"pkt":"AMDKkaPvePiC0\/vCCABFAAAoo81AAEAGcHGsECrYNu8YuoUVAbs6msJ+6VPnLFAQAVczggAA"}
-00825{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1401,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":94,"flow_packets_processed":4,"flow_first_seen":1490976090572,"flow_last_seen":1490976090757,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":259,"flow_tot_l4_payload_len":259,"flow_avg_l4_payload_len":64,"midstream":0,"ts_msec":1490976090757,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.24.186","src_port":34069,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mobileanalytics.us-east-1.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
+00830{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1401,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":94,"flow_packets_processed":4,"flow_first_seen":1490976090572,"flow_last_seen":1490976090757,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":259,"flow_tot_l4_payload_len":259,"flow_avg_l4_payload_len":64,"midstream":0,"ts_msec":1490976090757,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.24.186","src_port":34069,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mobileanalytics.us-east-1.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
00557{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1409,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":95,"flow_packets_processed":1,"flow_first_seen":1490976090796,"flow_last_seen":1490976090796,"flow_idle_time":180000,"flow_min_l4_payload_len":45,"flow_max_l4_payload_len":45,"flow_tot_l4_payload_len":45,"flow_avg_l4_payload_len":45,"midstream":0,"ts_msec":1490976090796,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":35726,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00493{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1409,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":95,"flow_packet_id":1,"flow_last_seen":1490976090796,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":87,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":87,"pkt_l4_len":53,"ts_msec":1490976090796,"pkt":"AMDKkaPvePiC0\/vCCABFAABJWlpAAEARM1CsECrYrBAqAYuOADUANbcep0QBAAABAAAAAAAADXMzLWV4dGVybmFsLTIJYW1hem9uYXdzA2NvbQAAAQAB"}
-00735{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1409,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":95,"flow_packets_processed":1,"flow_first_seen":1490976090796,"flow_last_seen":1490976090796,"flow_idle_time":180000,"flow_min_l4_payload_len":45,"flow_max_l4_payload_len":45,"flow_tot_l4_payload_len":45,"flow_avg_l4_payload_len":45,"midstream":0,"ts_msec":1490976090796,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":35726,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Amazon","breed":"Acceptable","category":"Web"},"dns": {"query":"s3-external-2.amazonaws.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
-00879{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1412,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":94,"flow_packets_processed":7,"flow_first_seen":1490976090572,"flow_last_seen":1490976090959,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":259,"flow_tot_l4_payload_len":415,"flow_avg_l4_payload_len":59,"midstream":0,"ts_msec":1490976090959,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.24.186","src_port":34069,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mobileanalytics.us-east-1.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"d199ba0af2b08e204c73d6d81a1fd260","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
+00740{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1409,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":95,"flow_packets_processed":1,"flow_first_seen":1490976090796,"flow_last_seen":1490976090796,"flow_idle_time":180000,"flow_min_l4_payload_len":45,"flow_max_l4_payload_len":45,"flow_tot_l4_payload_len":45,"flow_avg_l4_payload_len":45,"midstream":0,"ts_msec":1490976090796,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":35726,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"dns": {"query":"s3-external-2.amazonaws.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
+00884{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1412,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":94,"flow_packets_processed":7,"flow_first_seen":1490976090572,"flow_last_seen":1490976090959,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":259,"flow_tot_l4_payload_len":415,"flow_avg_l4_payload_len":59,"midstream":0,"ts_msec":1490976090959,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.24.186","src_port":34069,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mobileanalytics.us-east-1.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"d199ba0af2b08e204c73d6d81a1fd260","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
00555{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1424,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":95,"flow_packet_id":2,"flow_last_seen":1490976090982,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":131,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":131,"pkt_l4_len":97,"ts_msec":1490976090982,"pkt":"ePiC0\/vCAMDKkaPvCABFAAB13VlAAEARsCSsECoBrBAq2AA1i44AYd1op0SBgAABAAIAAAAADXMzLWV4dGVybmFsLTIJYW1hem9uYXdzA2NvbQAAAQABwAwABQABAAAADgAQDXMzLWV4dGVybmFsLTHAGsA5AAEAAQAAAAQABDbnSFg="}
-00749{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1424,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":95,"flow_packets_processed":2,"flow_first_seen":1490976090796,"flow_last_seen":1490976090982,"flow_idle_time":180000,"flow_min_l4_payload_len":45,"flow_max_l4_payload_len":89,"flow_tot_l4_payload_len":134,"flow_avg_l4_payload_len":67,"midstream":0,"ts_msec":1490976090982,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":35726,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Amazon","breed":"Acceptable","category":"Web"},"dns": {"query":"s3-external-2.amazonaws.com","num_queries":1,"num_answers":2,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"54.231.72.88"}}
+00754{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1424,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":95,"flow_packets_processed":2,"flow_first_seen":1490976090796,"flow_last_seen":1490976090982,"flow_idle_time":180000,"flow_min_l4_payload_len":45,"flow_max_l4_payload_len":89,"flow_tot_l4_payload_len":134,"flow_avg_l4_payload_len":67,"midstream":0,"ts_msec":1490976090982,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":35726,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"dns": {"query":"s3-external-2.amazonaws.com","num_queries":1,"num_answers":2,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"54.231.72.88"}}
00556{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1425,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":96,"flow_packets_processed":1,"flow_first_seen":1490976090991,"flow_last_seen":1490976090991,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1490976090991,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.231.72.88","src_port":41820,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00481{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1425,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":96,"flow_packet_id":1,"flow_last_seen":1490976090991,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1490976090991,"pkt":"AMDKkaPvePiC0\/vCCABFAAA8byFAAEAGdXOsECrYNudIWKNcAbsQFQ76AAAAAKAC\/\/\/K3wAAAgQFtAQCCAoA9mHbAAAAAAEDAwg="}
00556{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1438,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":97,"flow_packets_processed":1,"flow_first_seen":1490976091048,"flow_last_seen":1490976091048,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1490976091048,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.231.72.88","src_port":41821,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00481{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1438,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":97,"flow_packet_id":1,"flow_last_seen":1490976091048,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1490976091048,"pkt":"AMDKkaPvePiC0\/vCCABFAAA80ahAAEAGEuysECrYNudIWKNdAbtkFLBIAAAAAKAC\/\/\/ViwAAAgQFtAQCCAoA9mHgAAAAAAEDAwg="}
00468{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1441,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":96,"flow_packet_id":2,"flow_last_seen":1490976091160,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1490976091160,"pkt":"ePiC0\/vCAMDKkVoBCABFAAA0KVkAACcGFEQ250hYrBAq2AG7o1w0YmduEBUO+4AS\/\/+yAwAAAgQFmAMDCAEEAgEB"}
00450{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1442,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":96,"flow_packet_id":3,"flow_last_seen":1490976091163,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1490976091163,"pkt":"AMDKkaPvePiC0\/vCCABFAAAobyJAAEAGdYasECrYNudIWKNcAbsQFQ77NGJnb1AQAVf4XAAA"}
-00812{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1443,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":96,"flow_packets_processed":4,"flow_first_seen":1490976090991,"flow_last_seen":1490976091163,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":215,"flow_tot_l4_payload_len":215,"flow_avg_l4_payload_len":53,"midstream":0,"ts_msec":1490976091163,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.231.72.88","src_port":41820,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"s3-external-2.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
+00817{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1443,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":96,"flow_packets_processed":4,"flow_first_seen":1490976090991,"flow_last_seen":1490976091163,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":215,"flow_tot_l4_payload_len":215,"flow_avg_l4_payload_len":53,"midstream":0,"ts_msec":1490976091163,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.231.72.88","src_port":41820,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"s3-external-2.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
00468{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1449,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":97,"flow_packet_id":2,"flow_last_seen":1490976091217,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1490976091217,"pkt":"ePiC0\/vCAMDKkVoBCABFAAA0Sq8AACcG8u0250hYrBAq2AG7o117lZ8zZBSwSYAS\/\/89vAAAAgQFmAMDCAEEAgEB"}
00450{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1450,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":97,"flow_packet_id":3,"flow_last_seen":1490976091219,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1490976091219,"pkt":"AMDKkaPvePiC0\/vCCABFAAAo0alAAEAGEv+sECrYNudIWKNdAbtkFLBJe5WfNFAQAVeEFQAA"}
-00866{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1454,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":96,"flow_packets_processed":6,"flow_first_seen":1490976090991,"flow_last_seen":1490976091345,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":215,"flow_tot_l4_payload_len":307,"flow_avg_l4_payload_len":51,"midstream":0,"ts_msec":1490976091345,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.231.72.88","src_port":41820,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"s3-external-2.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"ea615e28cb25adfb2f261151eab3314f","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
-01280{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1456,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":96,"flow_packets_processed":8,"flow_first_seen":1490976090991,"flow_last_seen":1490976091346,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1432,"flow_tot_l4_payload_len":2942,"flow_avg_l4_payload_len":367,"midstream":0,"ts_msec":1490976091346,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.231.72.88","src_port":41820,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"s3-external-2.amazonaws.com","server_names":"s3-external-1.amazonaws.com,*.s3-external-1.amazonaws.com,s3-external-2.amazonaws.com,*.s3-external-2.amazonaws.com,*.s3.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"ea615e28cb25adfb2f261151eab3314f","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Baltimore CA-2 G2","issuerDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com Inc., CN=*.s3-external-1.amazonaws.com","alpn":"h2,http\/1.1","fingerprint":"C0:51:D8:FA:6B:58:94:F2:3E:4E:7D:B2:36:5F:02:E4:F0:3F:54:FF"}}
+00871{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1454,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":96,"flow_packets_processed":6,"flow_first_seen":1490976090991,"flow_last_seen":1490976091345,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":215,"flow_tot_l4_payload_len":307,"flow_avg_l4_payload_len":51,"midstream":0,"ts_msec":1490976091345,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.231.72.88","src_port":41820,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"s3-external-2.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"ea615e28cb25adfb2f261151eab3314f","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
+01286{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1456,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":96,"flow_packets_processed":8,"flow_first_seen":1490976090991,"flow_last_seen":1490976091346,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1432,"flow_tot_l4_payload_len":2942,"flow_avg_l4_payload_len":367,"midstream":0,"ts_msec":1490976091346,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.231.72.88","src_port":41820,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"s3-external-2.amazonaws.com","server_names":"s3-external-1.amazonaws.com,*.s3-external-1.amazonaws.com,s3-external-2.amazonaws.com,*.s3-external-2.amazonaws.com,*.s3.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"ea615e28cb25adfb2f261151eab3314f","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Baltimore CA-2 G2","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com Inc., CN=*.s3-external-1.amazonaws.com","alpn":"h2,http\/1.1","fingerprint":"C0:51:D8:FA:6B:58:94:F2:3E:4E:7D:B2:36:5F:02:E4:F0:3F:54:FF"}}
00557{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1492,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":98,"flow_packets_processed":1,"flow_first_seen":1490976093238,"flow_last_seen":1490976093238,"flow_idle_time":180000,"flow_min_l4_payload_len":40,"flow_max_l4_payload_len":40,"flow_tot_l4_payload_len":40,"flow_avg_l4_payload_len":40,"midstream":0,"ts_msec":1490976093238,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":41639,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00489{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1492,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":98,"flow_packet_id":1,"flow_last_seen":1490976093238,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":82,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":82,"pkt_l4_len":48,"ts_msec":1490976093238,"pkt":"AMDKkaPvePiC0\/vCCABFAABEWltAAEARM1SsECrYrBAqAaKnADUAMOTtwQkBAAABAAAAAAAAC2RwLWd3LW5hLWpzBmFtYXpvbgNjb20AAAEAAQ=="}
00730{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1492,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":98,"flow_packets_processed":1,"flow_first_seen":1490976093238,"flow_last_seen":1490976093238,"flow_idle_time":180000,"flow_min_l4_payload_len":40,"flow_max_l4_payload_len":40,"flow_tot_l4_payload_len":40,"flow_avg_l4_payload_len":40,"midstream":0,"ts_msec":1490976093238,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":41639,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Amazon","breed":"Acceptable","category":"Web"},"dns": {"query":"dp-gw-na-js.amazon.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
@@ -549,7 +549,7 @@
00464{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1501,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":99,"flow_packet_id":2,"flow_last_seen":1490976093481,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"ts_msec":1490976093481,"pkt":"ePiC0\/vCAMDKkVoBCABFAAAwL+xAAOcGd56wIGU0rBAq2AG7q+GBdUC1\/NmTdnASH\/53tgAAAgQFtAEDAwY="}
00450{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1503,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":99,"flow_packet_id":3,"flow_last_seen":1490976093486,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1490976093486,"pkt":"AMDKkaPvePiC0\/vCCABFAAAo8bNAAEAGXN+sECrYsCBlNKvhAbv82ZN2gXVAtlAQAVfCJwAA"}
00842{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1504,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":99,"flow_packets_processed":4,"flow_first_seen":1490976093358,"flow_last_seen":1490976093491,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":192,"flow_tot_l4_payload_len":192,"flow_avg_l4_payload_len":48,"midstream":0,"ts_msec":1490976093491,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"176.32.101.52","src_port":44001,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"dp-gw-na-js.amazon.com","ja3":"731bcada65b0a6f850bada3bdcd716d1","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
-01317{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1511,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":99,"flow_packets_processed":8,"flow_first_seen":1490976093358,"flow_last_seen":1490976093953,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":3594,"flow_avg_l4_payload_len":449,"midstream":0,"ts_msec":1490976093953,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"176.32.101.52","src_port":44001,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"dp-gw-na-js.amazon.com","server_names":"dp-gw-na.amazon.com,dp-gw-na-js.amazon.com,dp-gw-na.amazon.co.uk,dp-gw-na.amazon.de,dp-gw-na.amazon.co.jp,dp-gw-na.amazon.in","ja3":"731bcada65b0a6f850bada3bdcd716d1","ja3s":"fbe78c619e7ea20046131294ad087f05","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","issuerDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=dp-gw-na.amazon.com","fingerprint":"27:E5:06:34:82:69:BC:97:5E:28:A3:C1:5A:23:81:C7:E3:28:95:8C"}}
+01318{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1511,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":99,"flow_packets_processed":8,"flow_first_seen":1490976093358,"flow_last_seen":1490976093953,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":3594,"flow_avg_l4_payload_len":449,"midstream":0,"ts_msec":1490976093953,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"176.32.101.52","src_port":44001,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"dp-gw-na-js.amazon.com","server_names":"dp-gw-na.amazon.com,dp-gw-na-js.amazon.com,dp-gw-na.amazon.co.uk,dp-gw-na.amazon.de,dp-gw-na.amazon.co.jp,dp-gw-na.amazon.in","ja3":"731bcada65b0a6f850bada3bdcd716d1","ja3s":"fbe78c619e7ea20046131294ad087f05","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=dp-gw-na.amazon.com","fingerprint":"27:E5:06:34:82:69:BC:97:5E:28:A3:C1:5A:23:81:C7:E3:28:95:8C"}}
00365{"packet_event_id":1,"packet_event_name":"packet","thread_id":0,"packet_id":1524,"source":"alexa-app.pcapng","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":35085,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"ts_msec":1490976094729,"pkt":"AMDKkaPvePiC0\/vCiQ0CDAoBZRIAwMqRdPh4+ILT+8IAwMqRo+\/dFACgxgAAAAAAAAAAAAAAAAAAAAAA"}
00155{"basic_event_id":5,"basic_event_name":"Unknown packet type","thread_id":0,"packet_id":1524,"source":"alexa-app.pcapng","alias":"nDPId-test","type":35085}
00531{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":1529,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":14,"flow_packets_processed":2,"flow_first_seen":1490976027958,"flow_last_seen":1490976030758,"flow_idle_time":120000,"flow_min_l4_payload_len":60,"flow_max_l4_payload_len":60,"flow_tot_l4_payload_len":120,"flow_avg_l4_payload_len":60,"midstream":0,"ts_msec":1490976094926,"l3_proto":"ip4","src_ip":"172.16.42.1","dst_ip":"172.16.42.216","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3}
@@ -565,11 +565,11 @@
00470{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1607,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":102,"flow_packet_id":2,"flow_last_seen":1490976100999,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1490976100999,"pkt":"ePiC0\/vCAMDKkVoBCABFAAA0s4IAACcGiho250hYrBAq2AG7o2ETwX1YiAldXIAS\/\/\/2XwAAAgQFmAMDCAEEAgEB"}
00452{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1608,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":101,"flow_packet_id":3,"flow_last_seen":1490976100999,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1490976100999,"pkt":"AMDKkaPvePiC0\/vCCABFAAAoBwFAAEAGDT6sECrYNu8YuoUaAbt\/SWKyQ51EmVAQAVeW5AAA"}
00451{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1609,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":102,"flow_packet_id":3,"flow_last_seen":1490976101000,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1490976101000,"pkt":"AMDKkaPvePiC0\/vCCABFAAAoOO9AAEAGq7msECrYNudIWKNhAbuICV1cE8F9WVAQAVc8uQAA"}
-00826{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1610,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":101,"flow_packets_processed":4,"flow_first_seen":1490976100811,"flow_last_seen":1490976101001,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":259,"flow_tot_l4_payload_len":259,"flow_avg_l4_payload_len":64,"midstream":0,"ts_msec":1490976101001,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.24.186","src_port":34074,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mobileanalytics.us-east-1.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
-00813{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1611,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":102,"flow_packets_processed":4,"flow_first_seen":1490976100859,"flow_last_seen":1490976101001,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":247,"flow_tot_l4_payload_len":247,"flow_avg_l4_payload_len":61,"midstream":0,"ts_msec":1490976101001,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.231.72.88","src_port":41825,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"s3-external-2.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
-00880{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1614,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":101,"flow_packets_processed":7,"flow_first_seen":1490976100811,"flow_last_seen":1490976101100,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":259,"flow_tot_l4_payload_len":415,"flow_avg_l4_payload_len":59,"midstream":0,"ts_msec":1490976101100,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.24.186","src_port":34074,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mobileanalytics.us-east-1.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"d199ba0af2b08e204c73d6d81a1fd260","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
-00867{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1621,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":102,"flow_packets_processed":6,"flow_first_seen":1490976100859,"flow_last_seen":1490976101182,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":247,"flow_tot_l4_payload_len":339,"flow_avg_l4_payload_len":56,"midstream":0,"ts_msec":1490976101182,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.231.72.88","src_port":41825,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"s3-external-2.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"ea615e28cb25adfb2f261151eab3314f","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
-01281{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1623,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":102,"flow_packets_processed":8,"flow_first_seen":1490976100859,"flow_last_seen":1490976101183,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1432,"flow_tot_l4_payload_len":2974,"flow_avg_l4_payload_len":371,"midstream":0,"ts_msec":1490976101183,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.231.72.88","src_port":41825,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"s3-external-2.amazonaws.com","server_names":"s3-external-1.amazonaws.com,*.s3-external-1.amazonaws.com,s3-external-2.amazonaws.com,*.s3-external-2.amazonaws.com,*.s3.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"ea615e28cb25adfb2f261151eab3314f","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Baltimore CA-2 G2","issuerDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com Inc., CN=*.s3-external-1.amazonaws.com","alpn":"h2,http\/1.1","fingerprint":"C0:51:D8:FA:6B:58:94:F2:3E:4E:7D:B2:36:5F:02:E4:F0:3F:54:FF"}}
+00831{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1610,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":101,"flow_packets_processed":4,"flow_first_seen":1490976100811,"flow_last_seen":1490976101001,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":259,"flow_tot_l4_payload_len":259,"flow_avg_l4_payload_len":64,"midstream":0,"ts_msec":1490976101001,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.24.186","src_port":34074,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mobileanalytics.us-east-1.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
+00818{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1611,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":102,"flow_packets_processed":4,"flow_first_seen":1490976100859,"flow_last_seen":1490976101001,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":247,"flow_tot_l4_payload_len":247,"flow_avg_l4_payload_len":61,"midstream":0,"ts_msec":1490976101001,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.231.72.88","src_port":41825,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"s3-external-2.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
+00885{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1614,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":101,"flow_packets_processed":7,"flow_first_seen":1490976100811,"flow_last_seen":1490976101100,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":259,"flow_tot_l4_payload_len":415,"flow_avg_l4_payload_len":59,"midstream":0,"ts_msec":1490976101100,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.24.186","src_port":34074,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mobileanalytics.us-east-1.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"d199ba0af2b08e204c73d6d81a1fd260","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
+00872{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1621,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":102,"flow_packets_processed":6,"flow_first_seen":1490976100859,"flow_last_seen":1490976101182,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":247,"flow_tot_l4_payload_len":339,"flow_avg_l4_payload_len":56,"midstream":0,"ts_msec":1490976101182,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.231.72.88","src_port":41825,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"s3-external-2.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"ea615e28cb25adfb2f261151eab3314f","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
+01287{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1623,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":102,"flow_packets_processed":8,"flow_first_seen":1490976100859,"flow_last_seen":1490976101183,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1432,"flow_tot_l4_payload_len":2974,"flow_avg_l4_payload_len":371,"midstream":0,"ts_msec":1490976101183,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.231.72.88","src_port":41825,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"s3-external-2.amazonaws.com","server_names":"s3-external-1.amazonaws.com,*.s3-external-1.amazonaws.com,s3-external-2.amazonaws.com,*.s3-external-2.amazonaws.com,*.s3.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"ea615e28cb25adfb2f261151eab3314f","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Baltimore CA-2 G2","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com Inc., CN=*.s3-external-1.amazonaws.com","alpn":"h2,http\/1.1","fingerprint":"C0:51:D8:FA:6B:58:94:F2:3E:4E:7D:B2:36:5F:02:E4:F0:3F:54:FF"}}
00481{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1637,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":100,"flow_packet_id":2,"flow_last_seen":1490976101550,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1490976101550,"pkt":"AMDKkaPvePiC0\/vCCABFAAA8EgdAAEAGAiSsECrYNu8YuoUZAbtS0XeRAAAAAKAC\/\/9pRQAAAgQFtAQCCAoA9mX7AAAAAAEDAwg="}
00464{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1642,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":100,"flow_packet_id":3,"flow_last_seen":1490976101623,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"ts_msec":1490976101623,"pkt":"ePiC0\/vCAMDKkVoBCABFAAAwX5pAAOcGDZw27xi6rBAq2AG7hRl1e+g1UtF3knASH\/6OkAAAAgQFtAEDAwY="}
00558{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1659,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":103,"flow_packets_processed":1,"flow_first_seen":1490976107217,"flow_last_seen":1490976107217,"flow_idle_time":180000,"flow_min_l4_payload_len":41,"flow_max_l4_payload_len":41,"flow_tot_l4_payload_len":41,"flow_avg_l4_payload_len":41,"midstream":0,"ts_msec":1490976107217,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":14476,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
@@ -594,9 +594,9 @@
00464{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1673,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":107,"flow_packet_id":2,"flow_last_seen":1490976107511,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"ts_msec":1490976107511,"pkt":"ePiC0\/vCAMDKkVoBCABFAAAwxddAAOcGohs27x39rBAq2AG7n5iFQQi8Vi4WAXASH\/6ctgAAAgQFtAEDAwY="}
00452{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1674,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":107,"flow_packet_id":3,"flow_last_seen":1490976107513,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1490976107513,"pkt":"AMDKkaPvePiC0\/vCCABFAAAofkpAAEAGkLGsECrYNu8d\/Z+YAbtWLhYBhUEIvVAQAVfnJwAA"}
00810{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1675,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":107,"flow_packets_processed":4,"flow_first_seen":1490976107455,"flow_last_seen":1490976107514,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":211,"flow_tot_l4_payload_len":211,"flow_avg_l4_payload_len":52,"midstream":0,"ts_msec":1490976107514,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.253","src_port":40856,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"skills-store.amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
-01216{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1679,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":105,"flow_packets_processed":6,"flow_first_seen":1490976107365,"flow_last_seen":1490976107577,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":2906,"flow_avg_l4_payload_len":484,"midstream":0,"ts_msec":1490976107577,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.253","src_port":40854,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8":"Weak TLS cipher"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"skills-store.amazon.com","server_names":"skills-store.amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"18e962e106761869a61045bed0e81c2c","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","issuerDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=skills-store.amazon.com","alpn":"h2,http\/1.1","fingerprint":"2A:40:0E:E9:9A:EC:7C:0D:40:AA:C9:C5:66:67:00:B8:3E:90:DC:B2"}}
-01216{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1689,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":104,"flow_packets_processed":6,"flow_first_seen":1490976107365,"flow_last_seen":1490976107622,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":2906,"flow_avg_l4_payload_len":484,"midstream":0,"ts_msec":1490976107622,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.253","src_port":40853,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8":"Weak TLS cipher"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"skills-store.amazon.com","server_names":"skills-store.amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"18e962e106761869a61045bed0e81c2c","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","issuerDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=skills-store.amazon.com","alpn":"h2,http\/1.1","fingerprint":"2A:40:0E:E9:9A:EC:7C:0D:40:AA:C9:C5:66:67:00:B8:3E:90:DC:B2"}}
-01216{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1693,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":107,"flow_packets_processed":6,"flow_first_seen":1490976107455,"flow_last_seen":1490976107625,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":2906,"flow_avg_l4_payload_len":484,"midstream":0,"ts_msec":1490976107625,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.253","src_port":40856,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8":"Weak TLS cipher"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"skills-store.amazon.com","server_names":"skills-store.amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"18e962e106761869a61045bed0e81c2c","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","issuerDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=skills-store.amazon.com","alpn":"h2,http\/1.1","fingerprint":"2A:40:0E:E9:9A:EC:7C:0D:40:AA:C9:C5:66:67:00:B8:3E:90:DC:B2"}}
+01217{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1679,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":105,"flow_packets_processed":6,"flow_first_seen":1490976107365,"flow_last_seen":1490976107577,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":2906,"flow_avg_l4_payload_len":484,"midstream":0,"ts_msec":1490976107577,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.253","src_port":40854,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8":"Weak TLS cipher"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"skills-store.amazon.com","server_names":"skills-store.amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"18e962e106761869a61045bed0e81c2c","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=skills-store.amazon.com","alpn":"h2,http\/1.1","fingerprint":"2A:40:0E:E9:9A:EC:7C:0D:40:AA:C9:C5:66:67:00:B8:3E:90:DC:B2"}}
+01217{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1689,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":104,"flow_packets_processed":6,"flow_first_seen":1490976107365,"flow_last_seen":1490976107622,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":2906,"flow_avg_l4_payload_len":484,"midstream":0,"ts_msec":1490976107622,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.253","src_port":40853,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8":"Weak TLS cipher"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"skills-store.amazon.com","server_names":"skills-store.amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"18e962e106761869a61045bed0e81c2c","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=skills-store.amazon.com","alpn":"h2,http\/1.1","fingerprint":"2A:40:0E:E9:9A:EC:7C:0D:40:AA:C9:C5:66:67:00:B8:3E:90:DC:B2"}}
+01217{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1693,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":107,"flow_packets_processed":6,"flow_first_seen":1490976107455,"flow_last_seen":1490976107625,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":2906,"flow_avg_l4_payload_len":484,"midstream":0,"ts_msec":1490976107625,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.253","src_port":40856,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8":"Weak TLS cipher"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"skills-store.amazon.com","server_names":"skills-store.amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"18e962e106761869a61045bed0e81c2c","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=skills-store.amazon.com","alpn":"h2,http\/1.1","fingerprint":"2A:40:0E:E9:9A:EC:7C:0D:40:AA:C9:C5:66:67:00:B8:3E:90:DC:B2"}}
00482{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1812,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":106,"flow_packet_id":2,"flow_last_seen":1490976108360,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1490976108360,"pkt":"AMDKkaPvePiC0\/vCCABFAAA8yY9AAEAGRVisECrYNu8d\/Z+XAbtod6HOAAAAAKAC\/\/8G+AAAAgQFtAQCCAoA9mikAAAAAAEDAwg="}
00464{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1813,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":106,"flow_packet_id":3,"flow_last_seen":1490976108548,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"ts_msec":1490976108548,"pkt":"ePiC0\/vCAMDKkVoBCABFAAAwt7hAAOcGsDo27x39rBAq2AG7n5d09wMmaHehz3ASH\/4UgAAAAgQFtAEDAwY="}
00558{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1856,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":108,"flow_packets_processed":1,"flow_first_seen":1490976114879,"flow_last_seen":1490976114879,"flow_idle_time":180000,"flow_min_l4_payload_len":37,"flow_max_l4_payload_len":37,"flow_tot_l4_payload_len":37,"flow_avg_l4_payload_len":37,"midstream":0,"ts_msec":1490976114879,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":20922,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
@@ -636,16 +636,16 @@
00888{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1888,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":113,"flow_packets_processed":5,"flow_first_seen":1490976114940,"flow_last_seen":1490976115201,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":239,"flow_tot_l4_payload_len":324,"flow_avg_l4_payload_len":64,"midstream":0,"ts_msec":1490976115201,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45732,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8":"Weak TLS cipher"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"pitangui.amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"18e962e106761869a61045bed0e81c2c","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","alpn":"h2,http\/1.1"}}
00558{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1937,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":114,"flow_packets_processed":1,"flow_first_seen":1490976115835,"flow_last_seen":1490976115835,"flow_idle_time":180000,"flow_min_l4_payload_len":57,"flow_max_l4_payload_len":57,"flow_tot_l4_payload_len":57,"flow_avg_l4_payload_len":57,"midstream":0,"ts_msec":1490976115835,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":28614,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00511{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1937,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":114,"flow_packet_id":1,"flow_last_seen":1490976115835,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":99,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":99,"pkt_l4_len":65,"ts_msec":1490976115835,"pkt":"AMDKkaPvePiC0\/vCCABFAABVWl5AAEARM0CsECrYrBAqAW\/GADUAQT0E1ZsBAAABAAAAAAAAD21vYmlsZWFuYWx5dGljcwl1cy1lYXN0LTEJYW1hem9uYXdzA2NvbQAAAQAB"}
-00748{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1937,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":114,"flow_packets_processed":1,"flow_first_seen":1490976115835,"flow_last_seen":1490976115835,"flow_idle_time":180000,"flow_min_l4_payload_len":57,"flow_max_l4_payload_len":57,"flow_tot_l4_payload_len":57,"flow_avg_l4_payload_len":57,"midstream":0,"ts_msec":1490976115835,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":28614,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Amazon","breed":"Acceptable","category":"Web"},"dns": {"query":"mobileanalytics.us-east-1.amazonaws.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
+00753{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1937,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":114,"flow_packets_processed":1,"flow_first_seen":1490976115835,"flow_last_seen":1490976115835,"flow_idle_time":180000,"flow_min_l4_payload_len":57,"flow_max_l4_payload_len":57,"flow_tot_l4_payload_len":57,"flow_avg_l4_payload_len":57,"midstream":0,"ts_msec":1490976115835,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":28614,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"dns": {"query":"mobileanalytics.us-east-1.amazonaws.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
00536{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1940,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":114,"flow_packet_id":2,"flow_last_seen":1490976115901,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":115,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":115,"pkt_l4_len":81,"ts_msec":1490976115901,"pkt":"ePiC0\/vCAMDKkaPvCABFAABl30tAAEARrkKsECoBrBAq2AA1b8YAUeVS1ZuBgAABAAEAAAAAD21vYmlsZWFuYWx5dGljcwl1cy1lYXN0LTEJYW1hem9uYXdzA2NvbQAAAQABwAwAAQABAAAAIQAENu8YtA=="}
-00763{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1940,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":114,"flow_packets_processed":2,"flow_first_seen":1490976115835,"flow_last_seen":1490976115901,"flow_idle_time":180000,"flow_min_l4_payload_len":57,"flow_max_l4_payload_len":73,"flow_tot_l4_payload_len":130,"flow_avg_l4_payload_len":65,"midstream":0,"ts_msec":1490976115901,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":28614,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Amazon","breed":"Acceptable","category":"Web"},"dns": {"query":"mobileanalytics.us-east-1.amazonaws.com","num_queries":1,"num_answers":1,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"54.239.24.180"}}
+00768{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1940,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":114,"flow_packets_processed":2,"flow_first_seen":1490976115835,"flow_last_seen":1490976115901,"flow_idle_time":180000,"flow_min_l4_payload_len":57,"flow_max_l4_payload_len":73,"flow_tot_l4_payload_len":130,"flow_avg_l4_payload_len":65,"midstream":0,"ts_msec":1490976115901,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":28614,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"dns": {"query":"mobileanalytics.us-east-1.amazonaws.com","num_queries":1,"num_answers":1,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"54.239.24.180"}}
00558{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1941,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":115,"flow_packets_processed":1,"flow_first_seen":1490976115905,"flow_last_seen":1490976115905,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1490976115905,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.24.180","src_port":37551,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00481{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1941,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":115,"flow_packet_id":1,"flow_last_seen":1490976115905,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1490976115905,"pkt":"AMDKkaPvePiC0\/vCCABFAAA8JUVAAEAG7uusECrYNu8YtJKvAbsZEE7TAAAAAKAC\/\/+4mQAAAgQFtAQCCAoA9muWAAAAAAEDAwg="}
00558{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1942,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":116,"flow_packets_processed":1,"flow_first_seen":1490976116084,"flow_last_seen":1490976116084,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1490976116084,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.24.180","src_port":37552,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00482{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1942,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":116,"flow_packet_id":1,"flow_last_seen":1490976116084,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1490976116084,"pkt":"AMDKkaPvePiC0\/vCCABFAAA8uXBAAEAGWsCsECrYNu8YtJKwAbtgAdLYAAAAAKAC\/\/\/tjwAAAgQFtAQCCAoA9muoAAAAAAEDAwg="}
00464{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1943,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":115,"flow_packet_id":2,"flow_last_seen":1490976116119,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"ts_msec":1490976116119,"pkt":"ePiC0\/vCAMDKkVoBCABFAAAwcfNAAOcG+0g27xi0rBAq2AG7kq+qRjf5GRBO1HASH\/5e8QAAAgQFtAEDAwY="}
00451{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1944,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":115,"flow_packet_id":3,"flow_last_seen":1490976116121,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1490976116121,"pkt":"AMDKkaPvePiC0\/vCCABFAAAoJUZAAEAG7v6sECrYNu8YtJKvAbsZEE7UqkY3+lAQAVepYgAA"}
-00826{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1945,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":115,"flow_packets_processed":4,"flow_first_seen":1490976115905,"flow_last_seen":1490976116122,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":259,"flow_tot_l4_payload_len":259,"flow_avg_l4_payload_len":64,"midstream":0,"ts_msec":1490976116122,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.24.180","src_port":37551,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mobileanalytics.us-east-1.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
+00831{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1945,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":115,"flow_packets_processed":4,"flow_first_seen":1490976115905,"flow_last_seen":1490976116122,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":259,"flow_tot_l4_payload_len":259,"flow_avg_l4_payload_len":64,"midstream":0,"ts_msec":1490976116122,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.24.180","src_port":37551,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mobileanalytics.us-east-1.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
00465{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1946,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":116,"flow_packet_id":2,"flow_last_seen":1490976116248,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"ts_msec":1490976116248,"pkt":"ePiC0\/vCAMDKkVoBCABFAAAwirZAAOcG4oU27xi0rBAq2AG7krCs\/eb6YAHS2XASH\/7iQAAAAgQFtAEDAwY="}
00451{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1947,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":116,"flow_packet_id":3,"flow_last_seen":1490976116249,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1490976116249,"pkt":"AMDKkaPvePiC0\/vCCABFAAAouXFAAEAGWtOsECrYNu8YtJKwAbtgAdLZrP3m+1AQAVcssgAA"}
00558{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":1967,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":3,"flow_packets_processed":2,"flow_first_seen":1490976023264,"flow_last_seen":1490976023264,"flow_idle_time":180000,"flow_min_l4_payload_len":315,"flow_max_l4_payload_len":315,"flow_tot_l4_payload_len":630,"flow_avg_l4_payload_len":315,"midstream":0,"ts_msec":1490976118107,"l3_proto":"ip4","src_ip":"0.0.0.0","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
@@ -655,7 +655,7 @@
00560{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":1967,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":7,"flow_packets_processed":2,"flow_first_seen":1490976024847,"flow_last_seen":1490976024848,"flow_idle_time":180000,"flow_min_l4_payload_len":47,"flow_max_l4_payload_len":63,"flow_tot_l4_payload_len":110,"flow_avg_l4_payload_len":55,"midstream":0,"ts_msec":1490976118107,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":55619,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00559{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":1967,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":6,"flow_packets_processed":2,"flow_first_seen":1490976024793,"flow_last_seen":1490976024844,"flow_idle_time":180000,"flow_min_l4_payload_len":47,"flow_max_l4_payload_len":75,"flow_tot_l4_payload_len":122,"flow_avg_l4_payload_len":61,"midstream":0,"ts_msec":1490976118107,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":3440,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00560{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":1967,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":10,"flow_packets_processed":2,"flow_first_seen":1490976027522,"flow_last_seen":1490976027523,"flow_idle_time":180000,"flow_min_l4_payload_len":32,"flow_max_l4_payload_len":48,"flow_tot_l4_payload_len":80,"flow_avg_l4_payload_len":40,"midstream":0,"ts_msec":1490976118107,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":52603,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
-00881{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1969,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":115,"flow_packets_processed":9,"flow_first_seen":1490976115905,"flow_last_seen":1490976118335,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":259,"flow_tot_l4_payload_len":933,"flow_avg_l4_payload_len":103,"midstream":0,"ts_msec":1490976118335,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.24.180","src_port":37551,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mobileanalytics.us-east-1.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"d199ba0af2b08e204c73d6d81a1fd260","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
+00886{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1969,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":115,"flow_packets_processed":9,"flow_first_seen":1490976115905,"flow_last_seen":1490976118335,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":259,"flow_tot_l4_payload_len":933,"flow_avg_l4_payload_len":103,"midstream":0,"ts_msec":1490976118335,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.24.180","src_port":37551,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mobileanalytics.us-east-1.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"d199ba0af2b08e204c73d6d81a1fd260","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
00561{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":2001,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":21,"flow_packets_processed":2,"flow_first_seen":1490976031581,"flow_last_seen":1490976031687,"flow_idle_time":180000,"flow_min_l4_payload_len":34,"flow_max_l4_payload_len":73,"flow_tot_l4_payload_len":107,"flow_avg_l4_payload_len":53,"midstream":0,"ts_msec":1490976130073,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":41030,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00563{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":2001,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":24,"flow_packets_processed":2,"flow_first_seen":1490976035502,"flow_last_seen":1490976035549,"flow_idle_time":180000,"flow_min_l4_payload_len":58,"flow_max_l4_payload_len":154,"flow_tot_l4_payload_len":212,"flow_avg_l4_payload_len":106,"midstream":0,"ts_msec":1490976130073,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":23559,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00562{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":2001,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":15,"flow_packets_processed":2,"flow_first_seen":1490976029184,"flow_last_seen":1490976029244,"flow_idle_time":180000,"flow_min_l4_payload_len":32,"flow_max_l4_payload_len":161,"flow_tot_l4_payload_len":193,"flow_avg_l4_payload_len":96,"midstream":0,"ts_msec":1490976130073,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":48155,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
@@ -781,7 +781,7 @@
00563{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":2549,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":53,"flow_packets_processed":15,"flow_first_seen":1490976047096,"flow_last_seen":1490976048927,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":239,"flow_tot_l4_payload_len":574,"flow_avg_l4_payload_len":38,"midstream":0,"ts_msec":1490976163868,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45683,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00567{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":2549,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":37,"flow_packets_processed":78,"flow_first_seen":1490976041942,"flow_last_seen":1490976046399,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":41433,"flow_avg_l4_payload_len":531,"midstream":0,"ts_msec":1490976163868,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.216","src_port":54411,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00566{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":2549,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":38,"flow_packets_processed":17,"flow_first_seen":1490976041961,"flow_last_seen":1490976042341,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":5681,"flow_avg_l4_payload_len":334,"midstream":0,"ts_msec":1490976163868,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.216","src_port":54412,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
-00591{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":2549,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":39,"flow_packets_processed":6,"flow_first_seen":1490976042054,"flow_last_seen":1490976042398,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1490976163868,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.216","src_port":54413,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"}}
+00596{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":2549,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":39,"flow_packets_processed":6,"flow_first_seen":1490976042054,"flow_last_seen":1490976042398,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1490976163868,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.216","src_port":54413,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"}}
00557{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":2549,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":39,"flow_packets_processed":6,"flow_first_seen":1490976042054,"flow_last_seen":1490976042398,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1490976163868,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.216","src_port":54413,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00566{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":2549,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":54,"flow_packets_processed":21,"flow_first_seen":1490976047560,"flow_last_seen":1490976048909,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":8468,"flow_avg_l4_payload_len":403,"midstream":0,"ts_msec":1490976163868,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.216","src_port":54427,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00567{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":2549,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":41,"flow_packets_processed":29,"flow_first_seen":1490976043814,"flow_last_seen":1490976046408,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":10383,"flow_avg_l4_payload_len":358,"midstream":0,"ts_msec":1490976163868,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"72.21.206.135","src_port":42129,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -806,8 +806,8 @@
00483{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2557,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":136,"flow_packet_id":1,"flow_last_seen":1490976165062,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1490976165062,"pkt":"AMDKkaPvePiC0\/vCCABFAAA8ZaZAAEAG4UisECrYNF7ohptGAbs\/AhtsAAAAAKAC\/\/\/dAQAAAgQFtAQCCAoA9n7KAAAAAAEDAwg="}
00464{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2558,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":136,"flow_packet_id":2,"flow_last_seen":1490976165120,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"ts_msec":1490976165120,"pkt":"ePiC0\/vCAMDKkVoBCABFAAAwviBAAOcG4dk0XuiGrBAq2AG7m0ayU5bRPwIbbXASH\/4vqAAAAgQFtAEDAwY="}
00452{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2559,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":136,"flow_packet_id":3,"flow_last_seen":1490976165122,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1490976165122,"pkt":"AMDKkaPvePiC0\/vCCABFAAAoZadAAEAG4VusECrYNF7ohptGAbs\/AhttslOW0lAQAVd6GQAA"}
-00822{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":2560,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":136,"flow_packets_processed":4,"flow_first_seen":1490976165062,"flow_last_seen":1490976165125,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":174,"flow_tot_l4_payload_len":174,"flow_avg_l4_payload_len":43,"midstream":0,"ts_msec":1490976165125,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":39750,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"f8f5b71e02603b283e55b50d17ede861","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
-00889{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2561,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":136,"flow_packets_processed":5,"flow_first_seen":1490976165062,"flow_last_seen":1490976165190,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":174,"flow_tot_l4_payload_len":259,"flow_avg_l4_payload_len":51,"midstream":0,"ts_msec":1490976165190,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":39750,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"f8f5b71e02603b283e55b50d17ede861","ja3s":"18e962e106761869a61045bed0e81c2c","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA"}}
+00827{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":2560,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":136,"flow_packets_processed":4,"flow_first_seen":1490976165062,"flow_last_seen":1490976165125,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":174,"flow_tot_l4_payload_len":174,"flow_avg_l4_payload_len":43,"midstream":0,"ts_msec":1490976165125,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":39750,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"f8f5b71e02603b283e55b50d17ede861","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
+00894{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2561,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":136,"flow_packets_processed":5,"flow_first_seen":1490976165062,"flow_last_seen":1490976165190,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":174,"flow_tot_l4_payload_len":259,"flow_avg_l4_payload_len":51,"midstream":0,"ts_msec":1490976165190,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":39750,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"f8f5b71e02603b283e55b50d17ede861","ja3s":"18e962e106761869a61045bed0e81c2c","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA"}}
00558{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2576,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":137,"flow_packets_processed":1,"flow_first_seen":1490976169531,"flow_last_seen":1490976169531,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1490976169531,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45752,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00481{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2576,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":137,"flow_packet_id":1,"flow_last_seen":1490976169531,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1490976169531,"pkt":"AMDKkaPvePiC0\/vCCABFAAA8anRAAEAG3HqsECrYNF7ohrK4AbvvmuryAAAAAKAC\/\/9DtAAAAgQFtAQCCAoA9oCGAAAAAAEDAwg="}
00464{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2577,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":137,"flow_packet_id":2,"flow_last_seen":1490976169726,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"ts_msec":1490976169726,"pkt":"ePiC0\/vCAMDKkVoBCABFAAAwhFlAAOcGG6E0XuiGrBAq2AG7srhwEXla75rq83ASH\/73zwAAAgQFtAEDAwY="}
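Review bot: The regenerated expectations for flow 136 (the `detected` and `detection-update` events added in this hunk) now label 52.94.232.134:443 as `TLS.AmazonAWS` / `Cloud`, while the unchanged context event for flow 113 in the @@ -636 hunk still labels the same address as `TLS.Amazon` / `Web` when the SNI is pitangui.amazon.com. On the old side both flows carried the same label, so a consumer that filters or alerts on `ndpi.proto` or `category` will now see one endpoint under two classifications, presumably depending on whether the match came from the hostname or from the address. If that is intended, it is worth stating wherever the event fields are documented, e.g. `proto and category depend on how the flow was matched (hostname or address); the same server can be reported under different values`. The flow 39 `guessed` event in the @@ -781 hunk has no payload at all, so it is presumably labelled from the address alone and falls under the same caveat.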
@@ -837,11 +837,11 @@
00558{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2624,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":142,"flow_packets_processed":1,"flow_first_seen":1490976177276,"flow_last_seen":1490976177276,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1490976177276,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.28.178","src_port":50799,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00481{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2624,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":142,"flow_packet_id":1,"flow_last_seen":1490976177276,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1490976177276,"pkt":"AMDKkaPvePiC0\/vCCABFAAA8ZidAAEAGqgusECrYNu8cssZvAbuB1uWoAAAAAKAC\/\/9pRgAAAgQFtAQCCAoA9oOPAAAAAAEDAwg="}
00464{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2625,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":142,"flow_packet_id":2,"flow_last_seen":1490976177409,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"ts_msec":1490976177409,"pkt":"ePiC0\/vCAMDKkVoBCABFAAAwnrRAAOcGyok27xyyrBAq2AG7xm8x5Gl6gdblqXASH\/5ueAAAAgQFtAEDAwY="}
-01497{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2628,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":139,"flow_packets_processed":7,"flow_first_seen":1490976177116,"flow_last_seen":1490976177411,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":3472,"flow_avg_l4_payload_len":496,"midstream":0,"ts_msec":1490976177411,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.28.178","src_port":50796,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8":"Weak TLS cipher"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"pitangui.amazon.com","server_names":"pitangui.amazon.com,guipitan.amazon.com,alexa.amazon.com,echo.amazon.com,alexa.amazon.ca,guipitan.amazon.ca,alexa.amazon.co.jp,guipitan.amazon.co.jp,alexa.amazon.com.mx,guipitan.amazon.com.mx,alexa.amazon.com.br,guipitan.amazon.com.br,alexa.amazon.com.au,guipitan.amazon.com.au,alexa.amazon.cn,guipitan.amazon.cn","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"18e962e106761869a61045bed0e81c2c","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","issuerDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=pitangui.amazon.com","alpn":"h2,http\/1.1","fingerprint":"13:E9:3B:22:22:61:41:53:CA:B6:3A:AE:C8:B7:23:FB:A5:11:2F:24"}}
-01497{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2631,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":140,"flow_packets_processed":7,"flow_first_seen":1490976177116,"flow_last_seen":1490976177412,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":3472,"flow_avg_l4_payload_len":496,"midstream":0,"ts_msec":1490976177412,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.28.178","src_port":50797,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8":"Weak TLS cipher"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"pitangui.amazon.com","server_names":"pitangui.amazon.com,guipitan.amazon.com,alexa.amazon.com,echo.amazon.com,alexa.amazon.ca,guipitan.amazon.ca,alexa.amazon.co.jp,guipitan.amazon.co.jp,alexa.amazon.com.mx,guipitan.amazon.com.mx,alexa.amazon.com.br,guipitan.amazon.com.br,alexa.amazon.com.au,guipitan.amazon.com.au,alexa.amazon.cn,guipitan.amazon.cn","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"18e962e106761869a61045bed0e81c2c","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","issuerDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=pitangui.amazon.com","alpn":"h2,http\/1.1","fingerprint":"13:E9:3B:22:22:61:41:53:CA:B6:3A:AE:C8:B7:23:FB:A5:11:2F:24"}}
+01498{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2628,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":139,"flow_packets_processed":7,"flow_first_seen":1490976177116,"flow_last_seen":1490976177411,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":3472,"flow_avg_l4_payload_len":496,"midstream":0,"ts_msec":1490976177411,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.28.178","src_port":50796,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8":"Weak TLS cipher"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"pitangui.amazon.com","server_names":"pitangui.amazon.com,guipitan.amazon.com,alexa.amazon.com,echo.amazon.com,alexa.amazon.ca,guipitan.amazon.ca,alexa.amazon.co.jp,guipitan.amazon.co.jp,alexa.amazon.com.mx,guipitan.amazon.com.mx,alexa.amazon.com.br,guipitan.amazon.com.br,alexa.amazon.com.au,guipitan.amazon.com.au,alexa.amazon.cn,guipitan.amazon.cn","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"18e962e106761869a61045bed0e81c2c","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=pitangui.amazon.com","alpn":"h2,http\/1.1","fingerprint":"13:E9:3B:22:22:61:41:53:CA:B6:3A:AE:C8:B7:23:FB:A5:11:2F:24"}}
+01498{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2631,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":140,"flow_packets_processed":7,"flow_first_seen":1490976177116,"flow_last_seen":1490976177412,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":3472,"flow_avg_l4_payload_len":496,"midstream":0,"ts_msec":1490976177412,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.28.178","src_port":50797,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8":"Weak TLS cipher"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"pitangui.amazon.com","server_names":"pitangui.amazon.com,guipitan.amazon.com,alexa.amazon.com,echo.amazon.com,alexa.amazon.ca,guipitan.amazon.ca,alexa.amazon.co.jp,guipitan.amazon.co.jp,alexa.amazon.com.mx,guipitan.amazon.com.mx,alexa.amazon.com.br,guipitan.amazon.com.br,alexa.amazon.com.au,guipitan.amazon.com.au,alexa.amazon.cn,guipitan.amazon.cn","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"18e962e106761869a61045bed0e81c2c","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=pitangui.amazon.com","alpn":"h2,http\/1.1","fingerprint":"13:E9:3B:22:22:61:41:53:CA:B6:3A:AE:C8:B7:23:FB:A5:11:2F:24"}}
00451{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2632,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":142,"flow_packet_id":3,"flow_last_seen":1490976177416,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1490976177416,"pkt":"AMDKkaPvePiC0\/vCCABFAAAoZihAAEAGqh6sECrYNu8cssZvAbuB1uWpMeRpe1AQAVe46QAA"}
00806{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":2637,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":142,"flow_packets_processed":4,"flow_first_seen":1490976177276,"flow_last_seen":1490976177419,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":207,"flow_tot_l4_payload_len":207,"flow_avg_l4_payload_len":51,"midstream":0,"ts_msec":1490976177419,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.28.178","src_port":50799,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"pitangui.amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
-01497{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2644,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":142,"flow_packets_processed":7,"flow_first_seen":1490976177276,"flow_last_seen":1490976177553,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":3472,"flow_avg_l4_payload_len":496,"midstream":0,"ts_msec":1490976177553,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.28.178","src_port":50799,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8":"Weak TLS cipher"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"pitangui.amazon.com","server_names":"pitangui.amazon.com,guipitan.amazon.com,alexa.amazon.com,echo.amazon.com,alexa.amazon.ca,guipitan.amazon.ca,alexa.amazon.co.jp,guipitan.amazon.co.jp,alexa.amazon.com.mx,guipitan.amazon.com.mx,alexa.amazon.com.br,guipitan.amazon.com.br,alexa.amazon.com.au,guipitan.amazon.com.au,alexa.amazon.cn,guipitan.amazon.cn","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"18e962e106761869a61045bed0e81c2c","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","issuerDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=pitangui.amazon.com","alpn":"h2,http\/1.1","fingerprint":"13:E9:3B:22:22:61:41:53:CA:B6:3A:AE:C8:B7:23:FB:A5:11:2F:24"}}
+01498{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2644,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":142,"flow_packets_processed":7,"flow_first_seen":1490976177276,"flow_last_seen":1490976177553,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":3472,"flow_avg_l4_payload_len":496,"midstream":0,"ts_msec":1490976177553,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.28.178","src_port":50799,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8":"Weak TLS cipher"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"pitangui.amazon.com","server_names":"pitangui.amazon.com,guipitan.amazon.com,alexa.amazon.com,echo.amazon.com,alexa.amazon.ca,guipitan.amazon.ca,alexa.amazon.co.jp,guipitan.amazon.co.jp,alexa.amazon.com.mx,guipitan.amazon.com.mx,alexa.amazon.com.br,guipitan.amazon.com.br,alexa.amazon.com.au,guipitan.amazon.com.au,alexa.amazon.cn,guipitan.amazon.cn","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"18e962e106761869a61045bed0e81c2c","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=pitangui.amazon.com","alpn":"h2,http\/1.1","fingerprint":"13:E9:3B:22:22:61:41:53:CA:B6:3A:AE:C8:B7:23:FB:A5:11:2F:24"}}
00481{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2670,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":141,"flow_packet_id":2,"flow_last_seen":1490976178110,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1490976178110,"pkt":"AMDKkaPvePiC0\/vCCABFAAA8lfxAAEAGejasECrYNu8cssZuAbts9RaEAAAAAKAC\/\/9M+QAAAgQFtAQCCAoA9oPjAAAAAAEDAwg="}
00464{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2672,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":141,"flow_packet_id":3,"flow_last_seen":1490976178284,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"ts_msec":1490976178284,"pkt":"ePiC0\/vCAMDKkVoBCABFAAAww9ZAAOcGpWc27xyyrBAq2AG7xm5KXM+cbPUWhXASH\/7T5AAAAgQFtAEDAwY="}
00439{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2680,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":58,"flow_packet_id":2,"flow_last_seen":1490976180796,"flow_idle_time":600000,"pkt_oversize":false,"pkt_caplen":46,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":38,"pkt_len":46,"pkt_l4_len":8,"ts_msec":1490976180796,"pkt":"AQBeAAABAMDKkaPvCABGwAAgAABAAAECBBcAAAAA4AAAAZQEAAARZO6bAAAAAA=="}
@@ -854,19 +854,19 @@
00464{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2682,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":143,"flow_packet_id":2,"flow_last_seen":1490976186394,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"ts_msec":1490976186394,"pkt":"ePiC0\/vCAMDKkVoBCABFAAAwCmJAAOcGXtw27xyyrBAq2AG7xnDcplSHTg8BHXASH\/7w+wAAAgQFtAEDAwY="}
00451{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2683,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":143,"flow_packet_id":3,"flow_last_seen":1490976186398,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1490976186398,"pkt":"AMDKkaPvePiC0\/vCCABFAAAohhxAAEAGiiqsECrYNu8cssZwAbtODwEd3KZUiFAQAVc7bQAA"}
00806{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":2684,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":143,"flow_packets_processed":4,"flow_first_seen":1490976186164,"flow_last_seen":1490976186398,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":207,"flow_tot_l4_payload_len":207,"flow_avg_l4_payload_len":51,"midstream":0,"ts_msec":1490976186398,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.28.178","src_port":50800,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"pitangui.amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
-01497{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2687,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":143,"flow_packets_processed":7,"flow_first_seen":1490976186164,"flow_last_seen":1490976186551,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":3472,"flow_avg_l4_payload_len":496,"midstream":0,"ts_msec":1490976186551,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.28.178","src_port":50800,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8":"Weak TLS cipher"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"pitangui.amazon.com","server_names":"pitangui.amazon.com,guipitan.amazon.com,alexa.amazon.com,echo.amazon.com,alexa.amazon.ca,guipitan.amazon.ca,alexa.amazon.co.jp,guipitan.amazon.co.jp,alexa.amazon.com.mx,guipitan.amazon.com.mx,alexa.amazon.com.br,guipitan.amazon.com.br,alexa.amazon.com.au,guipitan.amazon.com.au,alexa.amazon.cn,guipitan.amazon.cn","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"18e962e106761869a61045bed0e81c2c","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","issuerDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=pitangui.amazon.com","alpn":"h2,http\/1.1","fingerprint":"13:E9:3B:22:22:61:41:53:CA:B6:3A:AE:C8:B7:23:FB:A5:11:2F:24"}}
+01498{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2687,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":143,"flow_packets_processed":7,"flow_first_seen":1490976186164,"flow_last_seen":1490976186551,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":3472,"flow_avg_l4_payload_len":496,"midstream":0,"ts_msec":1490976186551,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.28.178","src_port":50800,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8":"Weak TLS cipher"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"pitangui.amazon.com","server_names":"pitangui.amazon.com,guipitan.amazon.com,alexa.amazon.com,echo.amazon.com,alexa.amazon.ca,guipitan.amazon.ca,alexa.amazon.co.jp,guipitan.amazon.co.jp,alexa.amazon.com.mx,guipitan.amazon.com.mx,alexa.amazon.com.br,guipitan.amazon.com.br,alexa.amazon.com.au,guipitan.amazon.com.au,alexa.amazon.cn,guipitan.amazon.cn","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"18e962e106761869a61045bed0e81c2c","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=pitangui.amazon.com","alpn":"h2,http\/1.1","fingerprint":"13:E9:3B:22:22:61:41:53:CA:B6:3A:AE:C8:B7:23:FB:A5:11:2F:24"}}
00557{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2698,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":144,"flow_packets_processed":1,"flow_first_seen":1490976186818,"flow_last_seen":1490976186818,"flow_idle_time":180000,"flow_min_l4_payload_len":57,"flow_max_l4_payload_len":57,"flow_tot_l4_payload_len":57,"flow_avg_l4_payload_len":57,"midstream":0,"ts_msec":1490976186818,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":8669,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00510{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2698,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":144,"flow_packet_id":1,"flow_last_seen":1490976186818,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":99,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":99,"pkt_l4_len":65,"ts_msec":1490976186818,"pkt":"AMDKkaPvePiC0\/vCCABFAABVWmJAAEARMzysECrYrBAqASHdADUAQT24ItEBAAABAAAAAAAAD21vYmlsZWFuYWx5dGljcwl1cy1lYXN0LTEJYW1hem9uYXdzA2NvbQAAAQAB"}
-00747{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":2698,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":144,"flow_packets_processed":1,"flow_first_seen":1490976186818,"flow_last_seen":1490976186818,"flow_idle_time":180000,"flow_min_l4_payload_len":57,"flow_max_l4_payload_len":57,"flow_tot_l4_payload_len":57,"flow_avg_l4_payload_len":57,"midstream":0,"ts_msec":1490976186818,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":8669,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Amazon","breed":"Acceptable","category":"Web"},"dns": {"query":"mobileanalytics.us-east-1.amazonaws.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
+00752{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":2698,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":144,"flow_packets_processed":1,"flow_first_seen":1490976186818,"flow_last_seen":1490976186818,"flow_idle_time":180000,"flow_min_l4_payload_len":57,"flow_max_l4_payload_len":57,"flow_tot_l4_payload_len":57,"flow_avg_l4_payload_len":57,"midstream":0,"ts_msec":1490976186818,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":8669,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"dns": {"query":"mobileanalytics.us-east-1.amazonaws.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
00536{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2701,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":144,"flow_packet_id":2,"flow_last_seen":1490976186879,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":115,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":115,"pkt_l4_len":81,"ts_msec":1490976186879,"pkt":"ePiC0\/vCAMDKkaPvCABFAABl6vpAAEARopOsECoBrBAq2AA1Id0AUTsIItGBgAABAAEAAAAAD21vYmlsZWFuYWx5dGljcwl1cy1lYXN0LTEJYW1hem9uYXdzA2NvbQAAAQABwAwAAQABAAAAIgAENu8XXg=="}
-00761{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2701,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":144,"flow_packets_processed":2,"flow_first_seen":1490976186818,"flow_last_seen":1490976186879,"flow_idle_time":180000,"flow_min_l4_payload_len":57,"flow_max_l4_payload_len":73,"flow_tot_l4_payload_len":130,"flow_avg_l4_payload_len":65,"midstream":0,"ts_msec":1490976186879,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":8669,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Amazon","breed":"Acceptable","category":"Web"},"dns": {"query":"mobileanalytics.us-east-1.amazonaws.com","num_queries":1,"num_answers":1,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"54.239.23.94"}}
+00766{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2701,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":144,"flow_packets_processed":2,"flow_first_seen":1490976186818,"flow_last_seen":1490976186879,"flow_idle_time":180000,"flow_min_l4_payload_len":57,"flow_max_l4_payload_len":73,"flow_tot_l4_payload_len":130,"flow_avg_l4_payload_len":65,"midstream":0,"ts_msec":1490976186879,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":8669,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"dns": {"query":"mobileanalytics.us-east-1.amazonaws.com","num_queries":1,"num_answers":1,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"54.239.23.94"}}
00557{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2702,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":145,"flow_packets_processed":1,"flow_first_seen":1490976186884,"flow_last_seen":1490976186884,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1490976186884,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.23.94","src_port":44912,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00484{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2702,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":145,"flow_packet_id":1,"flow_last_seen":1490976186884,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1490976186884,"pkt":"AMDKkaPvePiC0\/vCCABFAAA8flZAAEAGlzCsECrYNu8XXq9wAbvy\/\/kGAAAAAKAC\/\/\/9UAAAAgQFtAQCCAoA9odQAAAAAAEDAwg="}
00465{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2703,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":145,"flow_packet_id":2,"flow_last_seen":1490976187052,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"ts_msec":1490976187052,"pkt":"ePiC0\/vCAMDKkVoBCABFAAAwqiJAAOcGxG827xderBAq2AG7r3A+ML0a8v\/5B3ASH\/6mVwAAAgQFtAEDAwY="}
00453{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2705,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":145,"flow_packet_id":3,"flow_last_seen":1490976187055,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1490976187055,"pkt":"AMDKkaPvePiC0\/vCCABFAAAofldAAEAGl0OsECrYNu8XXq9wAbvy\/\/kHPjC9G1AQAVfwyAAA"}
-00825{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":2706,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":145,"flow_packets_processed":4,"flow_first_seen":1490976186884,"flow_last_seen":1490976187057,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":227,"flow_tot_l4_payload_len":227,"flow_avg_l4_payload_len":56,"midstream":0,"ts_msec":1490976187057,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.23.94","src_port":44912,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mobileanalytics.us-east-1.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
-00882{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2709,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":145,"flow_packets_processed":7,"flow_first_seen":1490976186884,"flow_last_seen":1490976187167,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":1687,"flow_avg_l4_payload_len":241,"midstream":0,"ts_msec":1490976187167,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.23.94","src_port":44912,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mobileanalytics.us-east-1.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"159d46e54a2c066ef95e656fdf034e1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
-01236{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2713,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":145,"flow_packets_processed":11,"flow_first_seen":1490976186884,"flow_last_seen":1490976187172,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":4607,"flow_avg_l4_payload_len":418,"midstream":0,"ts_msec":1490976187172,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.23.94","src_port":44912,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mobileanalytics.us-east-1.amazonaws.com","server_names":"mobileanalytics.us-east-1.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"159d46e54a2c066ef95e656fdf034e1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","issuerDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=mobileanalytics.us-east-1.amazonaws.com","alpn":"h2,http\/1.1","fingerprint":"87:AD:E9:2D:E8:42:F0:5C:3A:09:13:00:12:93:59:04:84:C3:E2:2D"}}
+00830{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":2706,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":145,"flow_packets_processed":4,"flow_first_seen":1490976186884,"flow_last_seen":1490976187057,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":227,"flow_tot_l4_payload_len":227,"flow_avg_l4_payload_len":56,"midstream":0,"ts_msec":1490976187057,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.23.94","src_port":44912,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mobileanalytics.us-east-1.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
+00887{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2709,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":145,"flow_packets_processed":7,"flow_first_seen":1490976186884,"flow_last_seen":1490976187167,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":1687,"flow_avg_l4_payload_len":241,"midstream":0,"ts_msec":1490976187167,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.23.94","src_port":44912,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mobileanalytics.us-east-1.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"159d46e54a2c066ef95e656fdf034e1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
+01242{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2713,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":145,"flow_packets_processed":11,"flow_first_seen":1490976186884,"flow_last_seen":1490976187172,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":4607,"flow_avg_l4_payload_len":418,"midstream":0,"ts_msec":1490976187172,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.23.94","src_port":44912,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mobileanalytics.us-east-1.amazonaws.com","server_names":"mobileanalytics.us-east-1.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"159d46e54a2c066ef95e656fdf034e1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=mobileanalytics.us-east-1.amazonaws.com","alpn":"h2,http\/1.1","fingerprint":"87:AD:E9:2D:E8:42:F0:5C:3A:09:13:00:12:93:59:04:84:C3:E2:2D"}}
00558{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2724,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":146,"flow_packets_processed":1,"flow_first_seen":1490976187242,"flow_last_seen":1490976187242,"flow_idle_time":180000,"flow_min_l4_payload_len":34,"flow_max_l4_payload_len":34,"flow_tot_l4_payload_len":34,"flow_avg_l4_payload_len":34,"midstream":0,"ts_msec":1490976187242,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":59908,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00482{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2724,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":146,"flow_packet_id":1,"flow_last_seen":1490976187242,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":76,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":76,"pkt_l4_len":42,"ts_msec":1490976187242,"pkt":"AMDKkaPvePiC0\/vCCABFAAA+WmNAAEARM1KsECrYrBAqAeoEADUAKipZJj0BAAABAAAAAAAABWFsZXhhBmFtYXpvbgNjb20AAAEAAQ=="}
00740{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":2724,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":146,"flow_packets_processed":1,"flow_first_seen":1490976187242,"flow_last_seen":1490976187242,"flow_idle_time":180000,"flow_min_l4_payload_len":34,"flow_max_l4_payload_len":34,"flow_tot_l4_payload_len":34,"flow_avg_l4_payload_len":34,"midstream":0,"ts_msec":1490976187242,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":59908,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.AmazonAlexa","breed":"Acceptable","category":"VirtAssistant"},"dns": {"query":"alexa.amazon.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
@@ -876,8 +876,8 @@
00481{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2737,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":147,"flow_packet_id":1,"flow_last_seen":1490976187511,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1490976187511,"pkt":"AMDKkaPvePiC0\/vCCABFAAA8IbxAAEAG7nasECrYNu8cspdlAbtMyaYzAAAAAKAC\/\/8I0wAAAgQFtAQCCAoA9oePAAAAAAEDAwg="}
00464{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2739,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":147,"flow_packet_id":2,"flow_last_seen":1490976187571,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"ts_msec":1490976187571,"pkt":"ePiC0\/vCAMDKkVoBCABFAAAw3K9AAOcGjI427xyyrBAq2AG7l2UCDLyqTMmmNHASH\/7urAAAAgQFtAEDAwY="}
00451{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2742,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":147,"flow_packet_id":3,"flow_last_seen":1490976187575,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1490976187575,"pkt":"AMDKkaPvePiC0\/vCCABFAAAoIb1AAEAG7omsECrYNu8cspdlAbtMyaY0Agy8q1AQAVc5HgAA"}
-00822{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":2743,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":147,"flow_packets_processed":4,"flow_first_seen":1490976187511,"flow_last_seen":1490976187577,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":174,"flow_tot_l4_payload_len":174,"flow_avg_l4_payload_len":43,"midstream":0,"ts_msec":1490976187577,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.28.178","src_port":38757,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"f8f5b71e02603b283e55b50d17ede861","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
-01498{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2747,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":147,"flow_packets_processed":7,"flow_first_seen":1490976187511,"flow_last_seen":1490976187704,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":3439,"flow_avg_l4_payload_len":491,"midstream":0,"ts_msec":1490976187704,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.28.178","src_port":38757,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"pitangui.amazon.com,guipitan.amazon.com,alexa.amazon.com,echo.amazon.com,alexa.amazon.ca,guipitan.amazon.ca,alexa.amazon.co.jp,guipitan.amazon.co.jp,alexa.amazon.com.mx,guipitan.amazon.com.mx,alexa.amazon.com.br,guipitan.amazon.com.br,alexa.amazon.com.au,guipitan.amazon.com.au,alexa.amazon.cn,guipitan.amazon.cn","ja3":"f8f5b71e02603b283e55b50d17ede861","ja3s":"18e962e106761869a61045bed0e81c2c","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","issuerDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=pitangui.amazon.com","fingerprint":"13:E9:3B:22:22:61:41:53:CA:B6:3A:AE:C8:B7:23:FB:A5:11:2F:24"}}
+00827{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":2743,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":147,"flow_packets_processed":4,"flow_first_seen":1490976187511,"flow_last_seen":1490976187577,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":174,"flow_tot_l4_payload_len":174,"flow_avg_l4_payload_len":43,"midstream":0,"ts_msec":1490976187577,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.28.178","src_port":38757,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"f8f5b71e02603b283e55b50d17ede861","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
+01499{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2747,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":147,"flow_packets_processed":7,"flow_first_seen":1490976187511,"flow_last_seen":1490976187704,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":3439,"flow_avg_l4_payload_len":491,"midstream":0,"ts_msec":1490976187704,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.28.178","src_port":38757,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"pitangui.amazon.com,guipitan.amazon.com,alexa.amazon.com,echo.amazon.com,alexa.amazon.ca,guipitan.amazon.ca,alexa.amazon.co.jp,guipitan.amazon.co.jp,alexa.amazon.com.mx,guipitan.amazon.com.mx,alexa.amazon.com.br,guipitan.amazon.com.br,alexa.amazon.com.au,guipitan.amazon.com.au,alexa.amazon.cn,guipitan.amazon.cn","ja3":"f8f5b71e02603b283e55b50d17ede861","ja3s":"18e962e106761869a61045bed0e81c2c","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=pitangui.amazon.com","fingerprint":"13:E9:3B:22:22:61:41:53:CA:B6:3A:AE:C8:B7:23:FB:A5:11:2F:24"}}
00558{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2791,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":148,"flow_packets_processed":1,"flow_first_seen":1490976195484,"flow_last_seen":1490976195484,"flow_idle_time":180000,"flow_min_l4_payload_len":32,"flow_max_l4_payload_len":32,"flow_tot_l4_payload_len":32,"flow_avg_l4_payload_len":32,"midstream":0,"ts_msec":1490976195484,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":14934,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00478{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2791,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":148,"flow_packet_id":1,"flow_last_seen":1490976195484,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1490976195484,"pkt":"AMDKkaPvePiC0\/vCCABFAAA8WmRAAEARM1OsECrYrBAqATpWADUAKI0W4msBAAABAAAAAAAAA3d3dwZhbWF6b24DY29tAAABAAE="}
00723{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":2791,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":148,"flow_packets_processed":1,"flow_first_seen":1490976195484,"flow_last_seen":1490976195484,"flow_idle_time":180000,"flow_min_l4_payload_len":32,"flow_max_l4_payload_len":32,"flow_tot_l4_payload_len":32,"flow_avg_l4_payload_len":32,"midstream":0,"ts_msec":1490976195484,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":14934,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Amazon","breed":"Acceptable","category":"Web"},"dns": {"query":"www.amazon.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
@@ -892,7 +892,7 @@
00467{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2799,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":149,"flow_packet_id":3,"flow_last_seen":1490976195573,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1490976195573,"pkt":"AMDKkaPvePiC0\/vCCABFAAA0sulAAEAGqw2sECrYNFXRj6NkAbuAhDhZfMMB0oAQAVdGegAAAQEICgD2irVttHws"}
00801{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":2800,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":149,"flow_packets_processed":4,"flow_first_seen":1490976195529,"flow_last_seen":1490976195574,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":202,"flow_tot_l4_payload_len":202,"flow_avg_l4_payload_len":50,"midstream":0,"ts_msec":1490976195574,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.143","src_port":41828,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
00858{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2802,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":149,"flow_packets_processed":6,"flow_first_seen":1490976195529,"flow_last_seen":1490976195621,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":1650,"flow_avg_l4_payload_len":275,"midstream":0,"ts_msec":1490976195621,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.143","src_port":41828,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
-01335{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2804,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":149,"flow_packets_processed":8,"flow_first_seen":1490976195529,"flow_last_seen":1490976195622,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":4546,"flow_avg_l4_payload_len":568,"midstream":0,"ts_msec":1490976195622,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.143","src_port":41828,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.amazon.com","server_names":"amazon.com,amzn.com,uedata.amazon.com,us.amazon.com,www.amazon.com,www.amzn.com,corporate.amazon.com,buybox.amazon.com,iphone.amazon.com,yp.amazon.com,home.amazon.com,origin-www.amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","issuerDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=www.amazon.com","alpn":"h2,http\/1.1","fingerprint":"EF:14:6C:F1:5C:4A:F8:4D:BA:83:C2:1E:6C:5B:ED:C4:FA:34:1C:3E"}}
+01336{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2804,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":149,"flow_packets_processed":8,"flow_first_seen":1490976195529,"flow_last_seen":1490976195622,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":4546,"flow_avg_l4_payload_len":568,"midstream":0,"ts_msec":1490976195622,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.143","src_port":41828,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.amazon.com","server_names":"amazon.com,amzn.com,uedata.amazon.com,us.amazon.com,www.amazon.com,www.amzn.com,corporate.amazon.com,buybox.amazon.com,iphone.amazon.com,yp.amazon.com,home.amazon.com,origin-www.amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=www.amazon.com","alpn":"h2,http\/1.1","fingerprint":"EF:14:6C:F1:5C:4A:F8:4D:BA:83:C2:1E:6C:5B:ED:C4:FA:34:1C:3E"}}
00549{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2810,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":150,"flow_packet_id":2,"flow_last_seen":1490976195628,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":126,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":126,"pkt_l4_len":92,"ts_msec":1490976195628,"pkt":"ePiC0\/vCAMDKkaPvCABFAABw6\/5AAEARoYSsECoBrBAq2AA1nekAXGuw5IqBgAABAAIAAAAAB2FuZHJvaWQHY2xpZW50cwZnb29nbGUDY29tAAABAAHADAAFAAEAAAErAAwHYW5kcm9pZAFswBzAOAABAAEAAAErAATYOsJO"}
00758{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2810,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":150,"flow_packets_processed":2,"flow_first_seen":1490976195545,"flow_last_seen":1490976195628,"flow_idle_time":180000,"flow_min_l4_payload_len":44,"flow_max_l4_payload_len":84,"flow_tot_l4_payload_len":128,"flow_avg_l4_payload_len":64,"midstream":0,"ts_msec":1490976195628,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":40425,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.PlayStore","breed":"Safe","category":"SoftwareUpdate"},"dns": {"query":"android.clients.google.com","num_queries":1,"num_answers":2,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"216.58.194.78"}}
00558{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2811,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":151,"flow_packets_processed":1,"flow_first_seen":1490976195633,"flow_last_seen":1490976195633,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1490976195633,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"216.58.194.78","src_port":49067,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -901,7 +901,7 @@
00467{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2816,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":151,"flow_packet_id":3,"flow_last_seen":1490976195672,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1490976195672,"pkt":"AMDKkaPvePiC0\/vCCABFAAA0fD9AAEAGTROsECrY2DrCTr+rAbtBfvaGgb70hIAQAVfBygAAAQEICgD2ir8LBTvA"}
00855{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":2820,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":151,"flow_packets_processed":4,"flow_first_seen":1490976195633,"flow_last_seen":1490976195724,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":185,"flow_tot_l4_payload_len":185,"flow_avg_l4_payload_len":46,"midstream":0,"ts_msec":1490976195724,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"216.58.194.78","src_port":49067,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.PlayStore","breed":"Safe","category":"SoftwareUpdate"},"tls": {"version":"TLSv1.2","client_requested_server_name":"android.clients.google.com","ja3":"5bf38a5cbf896cd31eeef4d6ad1503e1","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
00920{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2824,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":151,"flow_packets_processed":6,"flow_first_seen":1490976195633,"flow_last_seen":1490976195762,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":1603,"flow_avg_l4_payload_len":267,"midstream":0,"ts_msec":1490976195762,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"216.58.194.78","src_port":49067,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.PlayStore","breed":"Safe","category":"SoftwareUpdate"},"tls": {"version":"TLSv1.2","client_requested_server_name":"android.clients.google.com","ja3":"5bf38a5cbf896cd31eeef4d6ad1503e1","ja3s":"9b1466fd60cadccb848e09c86e284265","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"}}
-01983{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2826,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":151,"flow_packets_processed":8,"flow_first_seen":1490976195633,"flow_last_seen":1490976195763,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":4172,"flow_avg_l4_payload_len":521,"midstream":0,"ts_msec":1490976195763,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"216.58.194.78","src_port":49067,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.PlayStore","breed":"Safe","category":"SoftwareUpdate"},"tls": {"version":"TLSv1.2","client_requested_server_name":"android.clients.google.com","server_names":"*.google.com,*.android.com,*.appengine.google.com,*.cloud.google.com,*.gcp.gvt2.com,*.google-analytics.com,*.google.ca,*.google.cl,*.google.co.in,*.google.co.jp,*.google.co.uk,*.google.com.ar,*.google.com.au,*.google.com.br,*.google.com.co,*.google.com.mx,*.google.com.tr,*.google.com.vn,*.google.de,*.google.es,*.google.fr,*.google.hu,*.google.it,*.google.nl,*.google.pl,*.google.pt,*.googleadapis.com,*.googleapis.cn,*.googlecommerce.com,*.googlevideo.com,*.gstatic.cn,*.gstatic.com,*.gvt1.com,*.gvt2.com,*.metric.gstatic.com,*.urchin.com,*.url.google.com,*.youtube-nocookie.com,*.youtube.com,*.youtubeeducation.com,*.ytimg.com,android.clients.google.com,android.com,developer.android.google.cn,g.co,goo.gl,google-analytics.com,google.com,googlecommerce.com,urchin.com,www.goo.gl,youtu.be,youtube.com,youtubeeducation.com","ja3":"5bf38a5cbf896cd31eeef4d6ad1503e1","ja3s":"9b1466fd60cadccb848e09c86e284265","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","issuerDN":"C=US, O=Google Inc, CN=Google Internet Authority G2","issuerDN":"C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.google.com","fingerprint":"54:A0:1E:03:FF:CB:33:BC:9D:65:DC:D7:BF:6B:04:2B:F9:F3:D5:42"}}
+01984{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2826,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":151,"flow_packets_processed":8,"flow_first_seen":1490976195633,"flow_last_seen":1490976195763,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":4172,"flow_avg_l4_payload_len":521,"midstream":0,"ts_msec":1490976195763,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"216.58.194.78","src_port":49067,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.PlayStore","breed":"Safe","category":"SoftwareUpdate"},"tls": {"version":"TLSv1.2","client_requested_server_name":"android.clients.google.com","server_names":"*.google.com,*.android.com,*.appengine.google.com,*.cloud.google.com,*.gcp.gvt2.com,*.google-analytics.com,*.google.ca,*.google.cl,*.google.co.in,*.google.co.jp,*.google.co.uk,*.google.com.ar,*.google.com.au,*.google.com.br,*.google.com.co,*.google.com.mx,*.google.com.tr,*.google.com.vn,*.google.de,*.google.es,*.google.fr,*.google.hu,*.google.it,*.google.nl,*.google.pl,*.google.pt,*.googleadapis.com,*.googleapis.cn,*.googlecommerce.com,*.googlevideo.com,*.gstatic.cn,*.gstatic.com,*.gvt1.com,*.gvt2.com,*.metric.gstatic.com,*.urchin.com,*.url.google.com,*.youtube-nocookie.com,*.youtube.com,*.youtubeeducation.com,*.ytimg.com,android.clients.google.com,android.com,developer.android.google.cn,g.co,goo.gl,google-analytics.com,google.com,googlecommerce.com,urchin.com,www.goo.gl,youtu.be,youtube.com,youtubeeducation.com","ja3":"5bf38a5cbf896cd31eeef4d6ad1503e1","ja3s":"9b1466fd60cadccb848e09c86e284265","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","issuerDN":"C=US, O=Google Inc, CN=Google Internet Authority G2","subjectDN":"C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.google.com","fingerprint":"54:A0:1E:03:FF:CB:33:BC:9D:65:DC:D7:BF:6B:04:2B:F9:F3:D5:42"}}
00557{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2861,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":152,"flow_packets_processed":1,"flow_first_seen":1490976195921,"flow_last_seen":1490976195921,"flow_idle_time":180000,"flow_min_l4_payload_len":49,"flow_max_l4_payload_len":49,"flow_tot_l4_payload_len":49,"flow_avg_l4_payload_len":49,"midstream":0,"ts_msec":1490976195921,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":4612,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00503{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2861,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":152,"flow_packet_id":1,"flow_last_seen":1490976195921,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":91,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":91,"pkt_l4_len":57,"ts_msec":1490976195921,"pkt":"AMDKkaPvePiC0\/vCCABFAABNWmZAAEARM0CsECrYrBAqARIEADUAOVP\/iiYBAAABAAAAAAAACWltYWdlcy1uYRFzc2wtaW1hZ2VzLWFtYXpvbgNjb20AAAEAAQ=="}
00739{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":2861,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":152,"flow_packets_processed":1,"flow_first_seen":1490976195921,"flow_last_seen":1490976195921,"flow_idle_time":180000,"flow_min_l4_payload_len":49,"flow_max_l4_payload_len":49,"flow_tot_l4_payload_len":49,"flow_avg_l4_payload_len":49,"midstream":0,"ts_msec":1490976195921,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":4612,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Amazon","breed":"Acceptable","category":"Web"},"dns": {"query":"images-na.ssl-images-amazon.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
@@ -925,15 +925,15 @@
00558{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2878,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":156,"flow_packets_processed":1,"flow_first_seen":1490976196016,"flow_last_seen":1490976196016,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1490976196016,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.28.178","src_port":58048,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00481{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2878,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":156,"flow_packet_id":1,"flow_last_seen":1490976196016,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1490976196016,"pkt":"AMDKkaPvePiC0\/vCCABFAAA8LWlAAEAG4smsECrYNu8csuLAAbtkEKeIAAAAAKAC\/\/+hiQAAAgQFtAQCCAoA9orhAAAAAAEDAwg="}
00874{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2882,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":154,"flow_packets_processed":6,"flow_first_seen":1490976195984,"flow_last_seen":1490976196033,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":1667,"flow_avg_l4_payload_len":277,"midstream":0,"ts_msec":1490976196033,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.84.62.115","src_port":41913,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"images-na.ssl-images-amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
-01294{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2884,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":154,"flow_packets_processed":8,"flow_first_seen":1490976195984,"flow_last_seen":1490976196034,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":4563,"flow_avg_l4_payload_len":570,"midstream":0,"ts_msec":1490976196034,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.84.62.115","src_port":41913,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"images-na.ssl-images-amazon.com","server_names":"images-na.ssl-images-amazon.com,images-eu.ssl-images-amazon.com,images-fe.ssl-images-amazon.com,m.media-amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","issuerDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=Images-na.ssl-images-amazon.com","alpn":"h2,http\/1.1","fingerprint":"39:3D:27:B3:4D:FA:B4:04:AB:48:7F:5C:CB:A9:9A:95:F5:22:2A:52"}}
+01295{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2884,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":154,"flow_packets_processed":8,"flow_first_seen":1490976195984,"flow_last_seen":1490976196034,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":4563,"flow_avg_l4_payload_len":570,"midstream":0,"ts_msec":1490976196034,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.84.62.115","src_port":41913,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"images-na.ssl-images-amazon.com","server_names":"images-na.ssl-images-amazon.com,images-eu.ssl-images-amazon.com,images-fe.ssl-images-amazon.com,m.media-amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=Images-na.ssl-images-amazon.com","alpn":"h2,http\/1.1","fingerprint":"39:3D:27:B3:4D:FA:B4:04:AB:48:7F:5C:CB:A9:9A:95:F5:22:2A:52"}}
00874{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2888,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":155,"flow_packets_processed":6,"flow_first_seen":1490976195985,"flow_last_seen":1490976196037,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":1667,"flow_avg_l4_payload_len":277,"midstream":0,"ts_msec":1490976196037,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.84.62.115","src_port":41914,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"images-na.ssl-images-amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
-01294{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2890,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":155,"flow_packets_processed":8,"flow_first_seen":1490976195985,"flow_last_seen":1490976196038,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":4563,"flow_avg_l4_payload_len":570,"midstream":0,"ts_msec":1490976196038,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.84.62.115","src_port":41914,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"images-na.ssl-images-amazon.com","server_names":"images-na.ssl-images-amazon.com,images-eu.ssl-images-amazon.com,images-fe.ssl-images-amazon.com,m.media-amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","issuerDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=Images-na.ssl-images-amazon.com","alpn":"h2,http\/1.1","fingerprint":"39:3D:27:B3:4D:FA:B4:04:AB:48:7F:5C:CB:A9:9A:95:F5:22:2A:52"}}
+01295{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2890,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":155,"flow_packets_processed":8,"flow_first_seen":1490976195985,"flow_last_seen":1490976196038,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":4563,"flow_avg_l4_payload_len":570,"midstream":0,"ts_msec":1490976196038,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.84.62.115","src_port":41914,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"images-na.ssl-images-amazon.com","server_names":"images-na.ssl-images-amazon.com,images-eu.ssl-images-amazon.com,images-fe.ssl-images-amazon.com,m.media-amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=Images-na.ssl-images-amazon.com","alpn":"h2,http\/1.1","fingerprint":"39:3D:27:B3:4D:FA:B4:04:AB:48:7F:5C:CB:A9:9A:95:F5:22:2A:52"}}
00874{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2892,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":153,"flow_packets_processed":6,"flow_first_seen":1490976195983,"flow_last_seen":1490976196039,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":1667,"flow_avg_l4_payload_len":277,"midstream":0,"ts_msec":1490976196039,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.84.62.115","src_port":41912,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"images-na.ssl-images-amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
-01294{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2894,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":153,"flow_packets_processed":8,"flow_first_seen":1490976195983,"flow_last_seen":1490976196041,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":4563,"flow_avg_l4_payload_len":570,"midstream":0,"ts_msec":1490976196041,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.84.62.115","src_port":41912,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"images-na.ssl-images-amazon.com","server_names":"images-na.ssl-images-amazon.com,images-eu.ssl-images-amazon.com,images-fe.ssl-images-amazon.com,m.media-amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","issuerDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=Images-na.ssl-images-amazon.com","alpn":"h2,http\/1.1","fingerprint":"39:3D:27:B3:4D:FA:B4:04:AB:48:7F:5C:CB:A9:9A:95:F5:22:2A:52"}}
+01295{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2894,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":153,"flow_packets_processed":8,"flow_first_seen":1490976195983,"flow_last_seen":1490976196041,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":4563,"flow_avg_l4_payload_len":570,"midstream":0,"ts_msec":1490976196041,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.84.62.115","src_port":41912,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"images-na.ssl-images-amazon.com","server_names":"images-na.ssl-images-amazon.com,images-eu.ssl-images-amazon.com,images-fe.ssl-images-amazon.com,m.media-amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=Images-na.ssl-images-amazon.com","alpn":"h2,http\/1.1","fingerprint":"39:3D:27:B3:4D:FA:B4:04:AB:48:7F:5C:CB:A9:9A:95:F5:22:2A:52"}}
00464{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2910,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":156,"flow_packet_id":2,"flow_last_seen":1490976196075,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"ts_msec":1490976196075,"pkt":"ePiC0\/vCAMDKkVoBCABFAAAwIa5AAOcGR5A27xyyrBAq2AG74sBbwNFvZBCniXASH\/4cPAAAAgQFtAEDAwY="}
00451{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2911,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":156,"flow_packet_id":3,"flow_last_seen":1490976196075,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1490976196075,"pkt":"AMDKkaPvePiC0\/vCCABFAAAoLWpAAEAG4tysECrYNu8csuLAAbtkEKeJW8DRcFAQAVdmrQAA"}
-00822{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":2913,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":156,"flow_packets_processed":4,"flow_first_seen":1490976196016,"flow_last_seen":1490976196079,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":174,"flow_tot_l4_payload_len":174,"flow_avg_l4_payload_len":43,"midstream":0,"ts_msec":1490976196079,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.28.178","src_port":58048,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"f8f5b71e02603b283e55b50d17ede861","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
-00889{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2929,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":156,"flow_packets_processed":6,"flow_first_seen":1490976196016,"flow_last_seen":1490976196143,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":174,"flow_tot_l4_payload_len":259,"flow_avg_l4_payload_len":43,"midstream":0,"ts_msec":1490976196143,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.28.178","src_port":58048,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"f8f5b71e02603b283e55b50d17ede861","ja3s":"18e962e106761869a61045bed0e81c2c","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA"}}
+00827{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":2913,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":156,"flow_packets_processed":4,"flow_first_seen":1490976196016,"flow_last_seen":1490976196079,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":174,"flow_tot_l4_payload_len":174,"flow_avg_l4_payload_len":43,"midstream":0,"ts_msec":1490976196079,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.28.178","src_port":58048,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"f8f5b71e02603b283e55b50d17ede861","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
+00894{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2929,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":156,"flow_packets_processed":6,"flow_first_seen":1490976196016,"flow_last_seen":1490976196143,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":174,"flow_tot_l4_payload_len":259,"flow_avg_l4_payload_len":43,"midstream":0,"ts_msec":1490976196143,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.28.178","src_port":58048,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"f8f5b71e02603b283e55b50d17ede861","ja3s":"18e962e106761869a61045bed0e81c2c","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA"}}
00565{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":2936,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":66,"flow_packets_processed":10,"flow_first_seen":1490976071237,"flow_last_seen":1490976075957,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1346,"flow_tot_l4_payload_len":2126,"flow_avg_l4_payload_len":212,"midstream":0,"ts_msec":1490976196171,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":49606,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00565{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":2936,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":76,"flow_packets_processed":10,"flow_first_seen":1490976076275,"flow_last_seen":1490976077663,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1346,"flow_tot_l4_payload_len":2126,"flow_avg_l4_payload_len":212,"midstream":0,"ts_msec":1490976196171,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":49613,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00566{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":2936,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":67,"flow_packets_processed":28,"flow_first_seen":1490976071286,"flow_last_seen":1490976075975,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":8626,"flow_avg_l4_payload_len":308,"midstream":0,"ts_msec":1490976196171,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45693,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -946,13 +946,13 @@
00481{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2942,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":157,"flow_packet_id":1,"flow_last_seen":1490976196223,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1490976196223,"pkt":"AMDKkaPvePiC0\/vCCABFAAA8Y0xAAEAG+qKsECrYNFXRj5ZTAbu3TOm6AAAAAKAC\/\/+mLwAAAgQFtAQCCAoA9or2AAAAAAEDAwg="}
00479{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2943,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":157,"flow_packet_id":2,"flow_last_seen":1490976196257,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1490976196257,"pkt":"ePiC0\/vCAMDKkVoBCABFAAA8AABAAPMGqu40VdGPrBAq2AG7llOp3LO0t0zpu6AScSBd6wAAAgQFtAQCCApt5QucAPaK9gEDAwg="}
00467{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2944,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":157,"flow_packet_id":3,"flow_last_seen":1490976196259,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1490976196259,"pkt":"AMDKkaPvePiC0\/vCCABFAAA0Y01AAEAG+qmsECrYNFXRj5ZTAbu3TOm7qdyztYAQAVf8fgAAAQEICgD2ivlt5Quc"}
-00858{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":2945,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":157,"flow_packets_processed":4,"flow_first_seen":1490976196223,"flow_last_seen":1490976196261,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":194,"flow_tot_l4_payload_len":194,"flow_avg_l4_payload_len":48,"midstream":0,"ts_msec":1490976196261,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.143","src_port":38483,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS","24":"SNI TLS extension was missing"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","ja3":"36e9ceaa96dd810482573844f78a063f","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
-00915{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2950,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":157,"flow_packets_processed":6,"flow_first_seen":1490976196223,"flow_last_seen":1490976196300,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":1642,"flow_avg_l4_payload_len":273,"midstream":0,"ts_msec":1490976196300,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.143","src_port":38483,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS","24":"SNI TLS extension was missing"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","ja3":"36e9ceaa96dd810482573844f78a063f","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}
-01392{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2952,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":157,"flow_packets_processed":8,"flow_first_seen":1490976196223,"flow_last_seen":1490976196301,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":3656,"flow_avg_l4_payload_len":457,"midstream":0,"ts_msec":1490976196301,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.143","src_port":38483,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS","24":"SNI TLS extension was missing"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","server_names":"amazon.com,amzn.com,uedata.amazon.com,us.amazon.com,www.amazon.com,www.amzn.com,corporate.amazon.com,buybox.amazon.com,iphone.amazon.com,yp.amazon.com,home.amazon.com,origin-www.amazon.com","ja3":"36e9ceaa96dd810482573844f78a063f","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","issuerDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=www.amazon.com","fingerprint":"EF:14:6C:F1:5C:4A:F8:4D:BA:83:C2:1E:6C:5B:ED:C4:FA:34:1C:3E"}}
+00863{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":2945,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":157,"flow_packets_processed":4,"flow_first_seen":1490976196223,"flow_last_seen":1490976196261,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":194,"flow_tot_l4_payload_len":194,"flow_avg_l4_payload_len":48,"midstream":0,"ts_msec":1490976196261,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.143","src_port":38483,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS","24":"SNI TLS extension was missing"},"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","ja3":"36e9ceaa96dd810482573844f78a063f","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
+00920{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2950,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":157,"flow_packets_processed":6,"flow_first_seen":1490976196223,"flow_last_seen":1490976196300,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":1642,"flow_avg_l4_payload_len":273,"midstream":0,"ts_msec":1490976196300,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.143","src_port":38483,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS","24":"SNI TLS extension was missing"},"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","ja3":"36e9ceaa96dd810482573844f78a063f","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}
+01393{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2952,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":157,"flow_packets_processed":8,"flow_first_seen":1490976196223,"flow_last_seen":1490976196301,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":3656,"flow_avg_l4_payload_len":457,"midstream":0,"ts_msec":1490976196301,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.143","src_port":38483,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS","24":"SNI TLS extension was missing"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","server_names":"amazon.com,amzn.com,uedata.amazon.com,us.amazon.com,www.amazon.com,www.amzn.com,corporate.amazon.com,buybox.amazon.com,iphone.amazon.com,yp.amazon.com,home.amazon.com,origin-www.amazon.com","ja3":"36e9ceaa96dd810482573844f78a063f","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=www.amazon.com","fingerprint":"EF:14:6C:F1:5C:4A:F8:4D:BA:83:C2:1E:6C:5B:ED:C4:FA:34:1C:3E"}}
00557{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":3210,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":158,"flow_packets_processed":1,"flow_first_seen":1490976196840,"flow_last_seen":1490976196840,"flow_idle_time":180000,"flow_min_l4_payload_len":35,"flow_max_l4_payload_len":35,"flow_tot_l4_payload_len":35,"flow_avg_l4_payload_len":35,"midstream":0,"ts_msec":1490976196840,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":2707,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00483{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3210,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":158,"flow_packet_id":1,"flow_last_seen":1490976196840,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":77,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":77,"pkt_l4_len":43,"ts_msec":1490976196840,"pkt":"AMDKkaPvePiC0\/vCCABFAAA\/WmdAAEARM02sECrYrBAqAQqTADUAK8ZJ2BYBAAABAAAAAAAABmZscy1uYQZhbWF6b24DY29tAAABAAE="}
00725{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":3210,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":158,"flow_packets_processed":1,"flow_first_seen":1490976196840,"flow_last_seen":1490976196840,"flow_idle_time":180000,"flow_min_l4_payload_len":35,"flow_max_l4_payload_len":35,"flow_tot_l4_payload_len":35,"flow_avg_l4_payload_len":35,"midstream":0,"ts_msec":1490976196840,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":2707,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Amazon","breed":"Acceptable","category":"Web"},"dns": {"query":"fls-na.amazon.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
-01298{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":3228,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":154,"flow_packets_processed":255,"flow_first_seen":1490976195984,"flow_last_seen":1490976196843,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":228473,"flow_avg_l4_payload_len":895,"midstream":0,"ts_msec":1490976196843,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.84.62.115","src_port":41913,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"images-na.ssl-images-amazon.com","server_names":"images-na.ssl-images-amazon.com,images-eu.ssl-images-amazon.com,images-fe.ssl-images-amazon.com,m.media-amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","issuerDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=Images-na.ssl-images-amazon.com","alpn":"h2,http\/1.1","fingerprint":"39:3D:27:B3:4D:FA:B4:04:AB:48:7F:5C:CB:A9:9A:95:F5:22:2A:52"}}
+01299{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":3228,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":154,"flow_packets_processed":255,"flow_first_seen":1490976195984,"flow_last_seen":1490976196843,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":228473,"flow_avg_l4_payload_len":895,"midstream":0,"ts_msec":1490976196843,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.84.62.115","src_port":41913,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"images-na.ssl-images-amazon.com","server_names":"images-na.ssl-images-amazon.com,images-eu.ssl-images-amazon.com,images-fe.ssl-images-amazon.com,m.media-amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=Images-na.ssl-images-amazon.com","alpn":"h2,http\/1.1","fingerprint":"39:3D:27:B3:4D:FA:B4:04:AB:48:7F:5C:CB:A9:9A:95:F5:22:2A:52"}}
00502{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3347,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":158,"flow_packet_id":2,"flow_last_seen":1490976196938,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":93,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":93,"pkt_l4_len":59,"ts_msec":1490976196938,"pkt":"ePiC0\/vCAMDKkaPvCABFAABP7ApAAEARoZmsECoBrBAq2AA1CpMAO2jR2BaBgAABAAEAAAAABmZscy1uYQZhbWF6b24DY29tAAABAAHADAABAAEAAAA7AARIFc55"}
00739{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":3347,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":158,"flow_packets_processed":2,"flow_first_seen":1490976196840,"flow_last_seen":1490976196938,"flow_idle_time":180000,"flow_min_l4_payload_len":35,"flow_max_l4_payload_len":51,"flow_tot_l4_payload_len":86,"flow_avg_l4_payload_len":43,"midstream":0,"ts_msec":1490976196938,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":2707,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Amazon","breed":"Acceptable","category":"Web"},"dns": {"query":"fls-na.amazon.com","num_queries":1,"num_answers":1,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"72.21.206.121"}}
00558{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":3351,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":159,"flow_packets_processed":1,"flow_first_seen":1490976196942,"flow_last_seen":1490976196942,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1490976196942,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"72.21.206.121","src_port":47605,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
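Review bot: The new expectations for flow_id 157 disagree with themselves: the `detected` event (packet_id 2945) and the first `detection-update` (packet_id 2950) report `TLS.AmazonAWS` / `Cloud`, but the `detection-update` at packet_id 2952 reports `TLS.Amazon` / `Web`. This may be intended, presumably because the certificate names refine the earlier classification, but nothing visible here says so, and if it is not intended this file now pins the flip so the test keeps passing with it. If it is intended, a consumer that tags or alerts on the first `ndpi.proto` it sees for a flow needs to know the value can change, so I would add a line to the commit description or to the schema documentation such as `ndpi.proto and ndpi.category may change between events of the same flow_id; use the most recent detection-update`. Flows 154 and 158 in this hunk keep one classification throughout.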
@@ -966,13 +966,13 @@
00452{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3362,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":160,"flow_packet_id":3,"flow_last_seen":1490976197356,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1490976197356,"pkt":"AMDKkaPvePiC0\/vCCABFAAAoAuBAAEAGSnmsECrYSBXOebn2AbvarIm\/Gg6aPFAQAVfsnQAA"}
00804{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":3363,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":160,"flow_packets_processed":4,"flow_first_seen":1490976197297,"flow_last_seen":1490976197357,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":205,"flow_tot_l4_payload_len":205,"flow_avg_l4_payload_len":51,"midstream":0,"ts_msec":1490976197357,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"72.21.206.121","src_port":47606,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"fls-na.amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
00861{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":3365,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":159,"flow_packets_processed":8,"flow_first_seen":1490976196942,"flow_last_seen":1490976197363,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":1870,"flow_avg_l4_payload_len":233,"midstream":0,"ts_msec":1490976197363,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"72.21.206.121","src_port":47605,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"fls-na.amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"159d46e54a2c066ef95e656fdf034e1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
-01230{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":3367,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":159,"flow_packets_processed":10,"flow_first_seen":1490976196942,"flow_last_seen":1490976197363,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":4790,"flow_avg_l4_payload_len":479,"midstream":0,"ts_msec":1490976197363,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"72.21.206.121","src_port":47605,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"fls-na.amazon.com","server_names":"fls-na.amazon.ca,fls-na.amazon.com,fls-na.amazon.com.br,fls-na.amazon.com.mx","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"159d46e54a2c066ef95e656fdf034e1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","issuerDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=fls-na.amazon.com","alpn":"h2,http\/1.1","fingerprint":"2F:16:23:0F:F8:49:12:18:49:55:48:DA:E6:59:D9:B3:BB:0E:41:8A"}}
+01231{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":3367,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":159,"flow_packets_processed":10,"flow_first_seen":1490976196942,"flow_last_seen":1490976197363,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":4790,"flow_avg_l4_payload_len":479,"midstream":0,"ts_msec":1490976197363,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"72.21.206.121","src_port":47605,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"fls-na.amazon.com","server_names":"fls-na.amazon.ca,fls-na.amazon.com,fls-na.amazon.com.br,fls-na.amazon.com.mx","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"159d46e54a2c066ef95e656fdf034e1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=fls-na.amazon.com","alpn":"h2,http\/1.1","fingerprint":"2F:16:23:0F:F8:49:12:18:49:55:48:DA:E6:59:D9:B3:BB:0E:41:8A"}}
00861{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":3377,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":160,"flow_packets_processed":7,"flow_first_seen":1490976197297,"flow_last_seen":1490976197532,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":1665,"flow_avg_l4_payload_len":237,"midstream":0,"ts_msec":1490976197532,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"72.21.206.121","src_port":47606,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"fls-na.amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"159d46e54a2c066ef95e656fdf034e1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
-01229{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":3379,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":160,"flow_packets_processed":9,"flow_first_seen":1490976197297,"flow_last_seen":1490976197532,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":4585,"flow_avg_l4_payload_len":509,"midstream":0,"ts_msec":1490976197532,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"72.21.206.121","src_port":47606,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"fls-na.amazon.com","server_names":"fls-na.amazon.ca,fls-na.amazon.com,fls-na.amazon.com.br,fls-na.amazon.com.mx","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"159d46e54a2c066ef95e656fdf034e1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","issuerDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=fls-na.amazon.com","alpn":"h2,http\/1.1","fingerprint":"2F:16:23:0F:F8:49:12:18:49:55:48:DA:E6:59:D9:B3:BB:0E:41:8A"}}
+01230{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":3379,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":160,"flow_packets_processed":9,"flow_first_seen":1490976197297,"flow_last_seen":1490976197532,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":4585,"flow_avg_l4_payload_len":509,"midstream":0,"ts_msec":1490976197532,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"72.21.206.121","src_port":47606,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"fls-na.amazon.com","server_names":"fls-na.amazon.ca,fls-na.amazon.com,fls-na.amazon.com.br,fls-na.amazon.com.mx","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"159d46e54a2c066ef95e656fdf034e1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=fls-na.amazon.com","alpn":"h2,http\/1.1","fingerprint":"2F:16:23:0F:F8:49:12:18:49:55:48:DA:E6:59:D9:B3:BB:0E:41:8A"}}
00558{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":3435,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":27,"flow_packets_processed":2,"flow_first_seen":1490976041150,"flow_last_seen":1490976041151,"flow_idle_time":180000,"flow_min_l4_payload_len":37,"flow_max_l4_payload_len":53,"flow_tot_l4_payload_len":90,"flow_avg_l4_payload_len":45,"midstream":0,"ts_msec":1490976198776,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":54886,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00568{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":3435,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":139,"flow_packets_processed":18,"flow_first_seen":1490976177116,"flow_last_seen":1490976177850,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":6576,"flow_avg_l4_payload_len":365,"midstream":0,"ts_msec":1490976198776,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.28.178","src_port":50796,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00568{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":3435,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":140,"flow_packets_processed":25,"flow_first_seen":1490976177116,"flow_last_seen":1490976187290,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":9507,"flow_avg_l4_payload_len":380,"midstream":0,"ts_msec":1490976198776,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.28.178","src_port":50797,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
-00592{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":3435,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":141,"flow_packets_processed":7,"flow_first_seen":1490976177116,"flow_last_seen":1490976195547,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1490976198776,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.28.178","src_port":50798,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"}}
+00597{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":3435,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":141,"flow_packets_processed":7,"flow_first_seen":1490976177116,"flow_last_seen":1490976195547,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1490976198776,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.28.178","src_port":50798,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"}}
00558{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":3435,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":141,"flow_packets_processed":7,"flow_first_seen":1490976177116,"flow_last_seen":1490976195547,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1490976198776,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.28.178","src_port":50798,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00568{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":3435,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":142,"flow_packets_processed":37,"flow_first_seen":1490976177276,"flow_last_seen":1490976187754,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":12795,"flow_avg_l4_payload_len":345,"midstream":0,"ts_msec":1490976198776,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.28.178","src_port":50799,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00568{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":3435,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":143,"flow_packets_processed":17,"flow_first_seen":1490976186164,"flow_last_seen":1490976186790,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":5152,"flow_avg_l4_payload_len":303,"midstream":0,"ts_msec":1490976198776,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.28.178","src_port":50800,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -991,13 +991,13 @@
00556{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":3435,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":3,"flow_packets_processed":2,"flow_first_seen":1490976023264,"flow_last_seen":1490976023264,"flow_idle_time":180000,"flow_min_l4_payload_len":315,"flow_max_l4_payload_len":315,"flow_tot_l4_payload_len":630,"flow_avg_l4_payload_len":315,"midstream":0,"ts_msec":1490976198776,"l3_proto":"ip4","src_ip":"0.0.0.0","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00512{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":3435,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":58,"flow_packets_processed":2,"flow_first_seen":1490976055356,"flow_last_seen":1490976180796,"flow_idle_time":600000,"flow_min_l4_payload_len":8,"flow_max_l4_payload_len":8,"flow_tot_l4_payload_len":16,"flow_avg_l4_payload_len":8,"midstream":0,"ts_msec":1490976198776,"l3_proto":"ip4","src_ip":"0.0.0.0","dst_ip":"224.0.0.1","l4_proto":2,"flow_datalink":1,"flow_max_packets":3}
00568{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":3435,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":147,"flow_packets_processed":21,"flow_first_seen":1490976187511,"flow_last_seen":1490976190310,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":9181,"flow_avg_l4_payload_len":437,"midstream":0,"ts_msec":1490976198776,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.28.178","src_port":38757,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
-00602{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":3435,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":90,"flow_packets_processed":9,"flow_first_seen":1490976089173,"flow_last_seen":1490976090510,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1490976198776,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":49627,"dst_port":80,"l4_proto":"tcp","ndpi": {"proto":"HTTP.Amazon","breed":"Acceptable","category":"Web"},"http": {}}
+00607{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":3435,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":90,"flow_packets_processed":9,"flow_first_seen":1490976089173,"flow_last_seen":1490976090510,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1490976198776,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":49627,"dst_port":80,"l4_proto":"tcp","ndpi": {"proto":"HTTP.AmazonAWS","breed":"Acceptable","category":"Cloud"},"http": {}}
00556{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":3435,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":90,"flow_packets_processed":9,"flow_first_seen":1490976089173,"flow_last_seen":1490976090510,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1490976198776,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":49627,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00567{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":3435,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":145,"flow_packets_processed":33,"flow_first_seen":1490976186884,"flow_last_seen":1490976197347,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":15483,"flow_avg_l4_payload_len":469,"midstream":0,"ts_msec":1490976198776,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.23.94","src_port":44912,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00564{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":3435,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":93,"flow_packets_processed":10,"flow_first_seen":1490976089426,"flow_last_seen":1490976094931,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":996,"flow_tot_l4_payload_len":1179,"flow_avg_l4_payload_len":117,"midstream":0,"ts_msec":1490976198776,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":49630,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00567{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":3435,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":104,"flow_packets_processed":23,"flow_first_seen":1490976107365,"flow_last_seen":1490976110047,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":6884,"flow_avg_l4_payload_len":299,"midstream":0,"ts_msec":1490976198776,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.253","src_port":40853,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00568{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":3435,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":105,"flow_packets_processed":37,"flow_first_seen":1490976107365,"flow_last_seen":1490976110047,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":13077,"flow_avg_l4_payload_len":353,"midstream":0,"ts_msec":1490976198776,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.253","src_port":40854,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
-00592{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":3435,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":106,"flow_packets_processed":7,"flow_first_seen":1490976107366,"flow_last_seen":1490976110047,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1490976198776,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.253","src_port":40855,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"}}
+00597{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":3435,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":106,"flow_packets_processed":7,"flow_first_seen":1490976107366,"flow_last_seen":1490976110047,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1490976198776,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.253","src_port":40855,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"}}
00558{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":3435,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":106,"flow_packets_processed":7,"flow_first_seen":1490976107366,"flow_last_seen":1490976110047,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1490976198776,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.253","src_port":40855,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00568{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":3435,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":107,"flow_packets_processed":98,"flow_first_seen":1490976107455,"flow_last_seen":1490976110047,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":31431,"flow_avg_l4_payload_len":320,"midstream":0,"ts_msec":1490976198776,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.253","src_port":40856,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00567{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":3435,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":117,"flow_packets_processed":31,"flow_first_seen":1490976130073,"flow_last_seen":1490976134134,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":8590,"flow_avg_l4_payload_len":277,"midstream":0,"ts_msec":1490976198776,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.253","src_port":40864,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -1023,7 +1023,7 @@
00567{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":3435,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":80,"flow_packets_processed":56,"flow_first_seen":1490976085644,"flow_last_seen":1490976098828,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":21353,"flow_avg_l4_payload_len":381,"midstream":0,"ts_msec":1490976198776,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45703,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00566{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":3435,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":81,"flow_packets_processed":23,"flow_first_seen":1490976085829,"flow_last_seen":1490976088478,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":4344,"flow_avg_l4_payload_len":188,"midstream":0,"ts_msec":1490976198776,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45704,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00566{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":3435,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":82,"flow_packets_processed":19,"flow_first_seen":1490976085832,"flow_last_seen":1490976088478,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":2595,"flow_avg_l4_payload_len":136,"midstream":0,"ts_msec":1490976198776,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45705,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
-00591{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":3435,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":84,"flow_packets_processed":6,"flow_first_seen":1490976085884,"flow_last_seen":1490976088478,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1490976198776,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45707,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"}}
+00596{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":3435,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":84,"flow_packets_processed":6,"flow_first_seen":1490976085884,"flow_last_seen":1490976088478,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1490976198776,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45707,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"}}
00557{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":3435,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":84,"flow_packets_processed":6,"flow_first_seen":1490976085884,"flow_last_seen":1490976088478,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1490976198776,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45707,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00564{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":3435,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":86,"flow_packets_processed":20,"flow_first_seen":1490976088605,"flow_last_seen":1490976094930,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":698,"flow_tot_l4_payload_len":1938,"flow_avg_l4_payload_len":96,"midstream":0,"ts_msec":1490976198776,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45709,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00567{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":3435,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":87,"flow_packets_processed":49,"flow_first_seen":1490976088631,"flow_last_seen":1490976098828,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":18884,"flow_avg_l4_payload_len":385,"midstream":0,"ts_msec":1490976198776,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45710,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -1052,14 +1052,14 @@
00558{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":3435,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":158,"flow_packets_processed":2,"flow_first_seen":1490976196840,"flow_last_seen":1490976196938,"flow_idle_time":180000,"flow_min_l4_payload_len":35,"flow_max_l4_payload_len":51,"flow_tot_l4_payload_len":86,"flow_avg_l4_payload_len":43,"midstream":0,"ts_msec":1490976198776,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":2707,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00559{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":3435,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":98,"flow_packets_processed":2,"flow_first_seen":1490976093238,"flow_last_seen":1490976093355,"flow_idle_time":180000,"flow_min_l4_payload_len":40,"flow_max_l4_payload_len":79,"flow_tot_l4_payload_len":119,"flow_avg_l4_payload_len":59,"midstream":0,"ts_msec":1490976198776,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":41639,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00568{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":3435,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":115,"flow_packets_processed":31,"flow_first_seen":1490976115905,"flow_last_seen":1490976120950,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":10788,"flow_avg_l4_payload_len":348,"midstream":0,"ts_msec":1490976198776,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.24.180","src_port":37551,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
-00592{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":3435,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":116,"flow_packets_processed":7,"flow_first_seen":1490976116084,"flow_last_seen":1490976117005,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1490976198776,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.24.180","src_port":37552,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"}}
+00597{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":3435,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":116,"flow_packets_processed":7,"flow_first_seen":1490976116084,"flow_last_seen":1490976117005,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1490976198776,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.24.180","src_port":37552,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"}}
00558{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":3435,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":116,"flow_packets_processed":7,"flow_first_seen":1490976116084,"flow_last_seen":1490976117005,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1490976198776,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.24.180","src_port":37552,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00565{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":3435,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":156,"flow_packets_processed":19,"flow_first_seen":1490976196016,"flow_last_seen":1490976196282,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":597,"flow_tot_l4_payload_len":1495,"flow_avg_l4_payload_len":78,"midstream":0,"ts_msec":1490976198776,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.28.178","src_port":58048,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00567{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":3435,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":65,"flow_packets_processed":56,"flow_first_seen":1490976067968,"flow_last_seen":1490976168824,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":26805,"flow_avg_l4_payload_len":478,"midstream":0,"ts_msec":1490976198776,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.146","src_port":41691,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00561{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":3435,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":118,"flow_packets_processed":2,"flow_first_seen":1490976133936,"flow_last_seen":1490976134135,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":210,"flow_tot_l4_payload_len":249,"flow_avg_l4_payload_len":124,"midstream":0,"ts_msec":1490976198776,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":4920,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00568{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":3435,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":151,"flow_packets_processed":19,"flow_first_seen":1490976195633,"flow_last_seen":1490976195989,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":6582,"flow_avg_l4_payload_len":346,"midstream":0,"ts_msec":1490976198776,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"216.58.194.78","src_port":49067,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00565{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":3435,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":96,"flow_packets_processed":27,"flow_first_seen":1490976090991,"flow_last_seen":1490976094931,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1432,"flow_tot_l4_payload_len":5257,"flow_avg_l4_payload_len":194,"midstream":0,"ts_msec":1490976198776,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.231.72.88","src_port":41820,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
-00590{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":3435,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":97,"flow_packets_processed":7,"flow_first_seen":1490976091048,"flow_last_seen":1490976094931,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":7,"flow_tot_l4_payload_len":7,"flow_avg_l4_payload_len":1,"midstream":0,"ts_msec":1490976198776,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.231.72.88","src_port":41821,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"}}
+00595{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":3435,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":97,"flow_packets_processed":7,"flow_first_seen":1490976091048,"flow_last_seen":1490976094931,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":7,"flow_tot_l4_payload_len":7,"flow_avg_l4_payload_len":1,"midstream":0,"ts_msec":1490976198776,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.231.72.88","src_port":41821,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"}}
00556{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":3435,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":97,"flow_packets_processed":7,"flow_first_seen":1490976091048,"flow_last_seen":1490976094931,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":7,"flow_tot_l4_payload_len":7,"flow_avg_l4_payload_len":1,"midstream":0,"ts_msec":1490976198776,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.231.72.88","src_port":41821,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00566{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":3435,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":102,"flow_packets_processed":29,"flow_first_seen":1490976100859,"flow_last_seen":1490976107676,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1432,"flow_tot_l4_payload_len":5318,"flow_avg_l4_payload_len":183,"midstream":0,"ts_msec":1490976198776,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.231.72.88","src_port":41825,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00560{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":3435,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":35,"flow_packets_processed":2,"flow_first_seen":1490976041806,"flow_last_seen":1490976041938,"flow_idle_time":180000,"flow_min_l4_payload_len":32,"flow_max_l4_payload_len":161,"flow_tot_l4_payload_len":193,"flow_avg_l4_payload_len":96,"midstream":0,"ts_msec":1490976198776,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":52077,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
@@ -1078,10 +1078,10 @@
00593{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":3435,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":83,"flow_packets_processed":7,"flow_first_seen":1490976085883,"flow_last_seen":1490976149040,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1490976198776,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"10.201.126.241","src_port":40242,"dst_port":8080,"l4_proto":"tcp","ndpi": {"proto":"HTTP_Proxy","breed":"Acceptable","category":"Web"}}
00560{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":3435,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":83,"flow_packets_processed":7,"flow_first_seen":1490976085883,"flow_last_seen":1490976149040,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1490976198776,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"10.201.126.241","src_port":40242,"dst_port":8080,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00566{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":3435,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":78,"flow_packets_processed":20,"flow_first_seen":1490976082723,"flow_last_seen":1490976084872,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":5020,"flow_avg_l4_payload_len":251,"midstream":0,"ts_msec":1490976198776,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.24.186","src_port":34053,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
-00591{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":3435,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":79,"flow_packets_processed":7,"flow_first_seen":1490976082964,"flow_last_seen":1490976084873,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1490976198776,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.24.186","src_port":34054,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"}}
+00596{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":3435,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":79,"flow_packets_processed":7,"flow_first_seen":1490976082964,"flow_last_seen":1490976084873,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1490976198776,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.24.186","src_port":34054,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"}}
00557{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":3435,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":79,"flow_packets_processed":7,"flow_first_seen":1490976082964,"flow_last_seen":1490976084873,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1490976198776,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.24.186","src_port":34054,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00567{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":3435,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":94,"flow_packets_processed":30,"flow_first_seen":1490976090572,"flow_last_seen":1490976094931,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":12466,"flow_avg_l4_payload_len":415,"midstream":0,"ts_msec":1490976198776,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.24.186","src_port":34069,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
-00592{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":3435,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":100,"flow_packets_processed":8,"flow_first_seen":1490976100559,"flow_last_seen":1490976107681,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1490976198776,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.24.186","src_port":34073,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"}}
+00597{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":3435,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":100,"flow_packets_processed":8,"flow_first_seen":1490976100559,"flow_last_seen":1490976107681,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1490976198776,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.24.186","src_port":34073,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"}}
00558{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":3435,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":100,"flow_packets_processed":8,"flow_first_seen":1490976100559,"flow_last_seen":1490976107681,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1490976198776,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.24.186","src_port":34073,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00567{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":3435,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":101,"flow_packets_processed":22,"flow_first_seen":1490976100811,"flow_last_seen":1490976107676,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":7423,"flow_avg_l4_payload_len":337,"midstream":0,"ts_msec":1490976198776,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.24.186","src_port":34074,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00566{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":3435,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":99,"flow_packets_processed":41,"flow_first_seen":1490976093358,"flow_last_seen":1490976194991,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":7317,"flow_avg_l4_payload_len":178,"midstream":0,"ts_msec":1490976198776,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"176.32.101.52","src_port":44001,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -1105,10 +1105,10 @@
~~ total active/idle flows...: 160/160
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 2784375 bytes
-~~ total memory freed........: 2784375 bytes
-~~ total allocations/frees...: 39879/39879
+~~ total memory allocated....: 5379512 bytes
+~~ total memory freed........: 5379512 bytes
+~~ total allocations/frees...: 104092/104092
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 153 chars
-~~ json string max len.......: 1988 chars
-~~ json string avg len.......: 1070 chars
+~~ json string max len.......: 1989 chars
+~~ json string avg len.......: 1071 chars
diff --git a/test/results/among_us.pcap.out b/test/results/among_us.pcap.out
index 66eb510bb..9a6751f53 100644
--- a/test/results/among_us.pcap.out
+++ b/test/results/among_us.pcap.out
@@ -12,9 +12,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1928153 bytes
-~~ total memory freed........: 1928153 bytes
-~~ total allocations/frees...: 35339/35339
+~~ total memory allocated....: 4590468 bytes
+~~ total memory freed........: 4590468 bytes
+~~ total allocations/frees...: 99535/99535
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 160 chars
~~ json string max len.......: 580 chars
diff --git a/test/results/amqp.pcap.out b/test/results/amqp.pcap.out
index 43c159ab8..d5b1ae32c 100644
--- a/test/results/amqp.pcap.out
+++ b/test/results/amqp.pcap.out
@@ -26,9 +26,9 @@
~~ total active/idle flows...: 3/3
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1942140 bytes
-~~ total memory freed........: 1942140 bytes
-~~ total allocations/frees...: 35507/35507
+~~ total memory allocated....: 4603607 bytes
+~~ total memory freed........: 4603607 bytes
+~~ total allocations/frees...: 99703/99703
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 159 chars
~~ json string max len.......: 1064 chars
diff --git a/test/results/android.pcap.out b/test/results/android.pcap.out
index dc41dd698..d7487bab4 100644
--- a/test/results/android.pcap.out
+++ b/test/results/android.pcap.out
@@ -11,7 +11,7 @@
00567{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":8,"source":"android.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_last_seen":1582454780907,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":143,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":143,"pkt_l4_len":109,"ts_msec":1582454780907,"pkt":"xGGLNYKpxiwDYGpkCABFAACBAr0AAC4GBL4R+LBLwKgCEQG7xZQAd+\/fhij6wYAZBTC0SwAAAQEIClsVz4YR3+\/bFwMDACkAAAAAAAAACH\/oI1Kw++l3rtTYoEdnoXbMNGznM5xRQS6qcOaP89cv8RUDAwAaAAAAAAAAAAnrqqMQkS3NHZ5e5TBif0pBf0U="}
00549{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":13,"source":"android.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":1,"flow_first_seen":1582454784313,"flow_last_seen":1582454784313,"flow_idle_time":180000,"flow_min_l4_payload_len":300,"flow_max_l4_payload_len":300,"flow_tot_l4_payload_len":300,"flow_avg_l4_payload_len":300,"midstream":0,"ts_msec":1582454784313,"l3_proto":"ip4","src_ip":"0.0.0.0","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00842{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":13,"source":"android.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":1,"flow_last_seen":1582454784313,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":342,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":342,"pkt_l4_len":308,"ts_msec":1582454784313,"pkt":"\/\/\/\/\/\/\/\/2DBiVgAcCABFAAFIeDQAAP8RQnEAAAAA\/\/\/\/\/wBEAEMBNI1GAQEGAHhURwsAAAAAAAAAAAAAAAAAAAAAAAAAANgwYlYAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABjglNjNQEBNwoBeQMGD3f8XywuOQIF3D0HAdgwYlYAHDMEAHanAAwKTHVjYXMtaU1hY\/8AAAAAAAAAAAAAAAAA"}
-00638{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":13,"source":"android.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":1,"flow_first_seen":1582454784313,"flow_last_seen":1582454784313,"flow_idle_time":180000,"flow_min_l4_payload_len":300,"flow_max_l4_payload_len":300,"flow_tot_l4_payload_len":300,"flow_avg_l4_payload_len":300,"midstream":0,"ts_msec":1582454784313,"l3_proto":"ip4","src_ip":"0.0.0.0","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","ndpi": {"proto":"DHCP","breed":"Acceptable","category":"Network"},"dhcp": {"fingerprint":"1,121,3,6,15,119,252,95,44,46"}}
+00679{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":13,"source":"android.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":1,"flow_first_seen":1582454784313,"flow_last_seen":1582454784313,"flow_idle_time":180000,"flow_min_l4_payload_len":300,"flow_max_l4_payload_len":300,"flow_tot_l4_payload_len":300,"flow_avg_l4_payload_len":300,"midstream":0,"ts_msec":1582454784313,"l3_proto":"ip4","src_ip":"0.0.0.0","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","ndpi": {"proto":"DHCP","breed":"Acceptable","category":"Network"},"dhcp": {"hostname":"lucas-imac","fingerprint":"1,121,3,6,15,119,252,95,44,46","class_ident":""}}
00842{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":15,"source":"android.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_last_seen":1582454786281,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":342,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":342,"pkt_l4_len":308,"ts_msec":1582454786281,"pkt":"\/\/\/\/\/\/\/\/2DBiVgAcCABFAAFIeDUAAP8RQnAAAAAA\/\/\/\/\/wBEAEMBNI1EAQEGAHhURwsAAgAAAAAAAAAAAAAAAAAAAAAAANgwYlYAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABjglNjNQEBNwoBeQMGD3f8XywuOQIF3D0HAdgwYlYAHDMEAHanAAwKTHVjYXMtaU1hY\/8AAAAAAAAAAAAAAAAA"}
00553{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":16,"source":"android.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":1,"flow_first_seen":1582454787658,"flow_last_seen":1582454787658,"flow_idle_time":7440000,"flow_min_l4_payload_len":31,"flow_max_l4_payload_len":31,"flow_tot_l4_payload_len":31,"flow_avg_l4_payload_len":31,"midstream":1,"ts_msec":1582454787658,"l3_proto":"ip4","src_ip":"17.248.185.10","dst_ip":"192.168.2.17","src_port":443,"dst_port":50702,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00502{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":16,"source":"android.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_last_seen":1582454787658,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":97,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":97,"pkt_l4_len":63,"ts_msec":1582454787658,"pkt":"xGGLNYKpxiwDYGpkCABFAgBThkMAADAGdqQR+LkKwKgCEQG7xg7EYLJptSIfH4AYBDV85QAAAQEIChoMpyQR4cyfFQMDABoAAAAAAAAAArlWa60ADWOMgYlfYrlhFGv+Kg=="}
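Review bot: The new `dhcp` object reports the hostname as `"hostname":"lucas-imac"`, while option 12 in the packet-flow payload two lines above decodes to `Lucas-iMac`, so the value is case-folded somewhere before serialisation. If that is intended, it should be documented in the schema, because anyone correlating these events with DHCP server logs or asset inventories will otherwise miss matches. The same object also emits `"class_ident":""` here and `"hostname":"","fingerprint":"","class_ident":""` in the @@ -61,7 hunk, which makes "option absent" indistinguishable from "option present but empty". Omitting keys for absent options would be cleaner. Both strings come straight off the wire, so a fixture whose hostname contains a quote or control byte would pin the JSON escaping, which none of the results visible here exercise.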
@@ -61,7 +61,7 @@
00496{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":66,"source":"android.pcap","alias":"nDPId-test","flow_id":13,"flow_packet_id":2,"flow_last_seen":1582454866026,"flow_idle_time":120000,"pkt_oversize":false,"pkt_caplen":90,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":62,"pkt_len":90,"pkt_l4_len":28,"ts_msec":1582454866026,"pkt":"MzMAAAAWTGr2n\/Ynht1gAAAAACQAAQAAAAAAAAAAAAAAAAAAAAD\/AgAAAAAAAAAAAAAAAAAWOgAFAgAAAQCPAHjDAAAAAQQAAAD\/AgAAAAAAAAAAAAH\/n\/Yn"}
00551{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":68,"source":"android.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":1,"flow_first_seen":1582454866407,"flow_last_seen":1582454866407,"flow_idle_time":180000,"flow_min_l4_payload_len":300,"flow_max_l4_payload_len":300,"flow_tot_l4_payload_len":300,"flow_avg_l4_payload_len":300,"midstream":0,"ts_msec":1582454866407,"l3_proto":"ip4","src_ip":"192.168.2.1","dst_ip":"192.168.2.16","src_port":67,"dst_port":68,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00835{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":68,"source":"android.pcap","alias":"nDPId-test","flow_id":14,"flow_packet_id":1,"flow_last_seen":1582454866407,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":342,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":342,"pkt_l4_len":308,"ts_msec":1582454866407,"pkt":"TGr2n\/YnxiwDYGpkCABFAAFILXYAAP8RB83AqAIBwKgCEABDAEQBNN9OAgEGAO9+0loAAAAAAAAAAMCoAhDAqAIBAAAAAExq9p\/2JwAAAAAAAAAAAABMdWNhcy1pTWFjLmxvY2FsAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABjglNjNQECNgTAqAIBMwQAAU4gAQT\/\/\/8AAwTAqAIBBgTAqAIB\/wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}
-00611{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":68,"source":"android.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":1,"flow_first_seen":1582454866407,"flow_last_seen":1582454866407,"flow_idle_time":180000,"flow_min_l4_payload_len":300,"flow_max_l4_payload_len":300,"flow_tot_l4_payload_len":300,"flow_avg_l4_payload_len":300,"midstream":0,"ts_msec":1582454866407,"l3_proto":"ip4","src_ip":"192.168.2.1","dst_ip":"192.168.2.16","src_port":67,"dst_port":68,"l4_proto":"udp","ndpi": {"proto":"DHCP","breed":"Acceptable","category":"Network"},"dhcp": {"fingerprint":""}}
+00642{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":68,"source":"android.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":1,"flow_first_seen":1582454866407,"flow_last_seen":1582454866407,"flow_idle_time":180000,"flow_min_l4_payload_len":300,"flow_max_l4_payload_len":300,"flow_tot_l4_payload_len":300,"flow_avg_l4_payload_len":300,"midstream":0,"ts_msec":1582454866407,"l3_proto":"ip4","src_ip":"192.168.2.1","dst_ip":"192.168.2.16","src_port":67,"dst_port":68,"l4_proto":"udp","ndpi": {"proto":"DHCP","breed":"Acceptable","category":"Network"},"dhcp": {"hostname":"","fingerprint":"","class_ident":""}}
00560{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":69,"source":"android.pcap","alias":"nDPId-test","flow_id":15,"flow_packets_processed":1,"flow_first_seen":1582454866448,"flow_last_seen":1582454866448,"flow_idle_time":180000,"flow_min_l4_payload_len":52,"flow_max_l4_payload_len":52,"flow_tot_l4_payload_len":52,"flow_avg_l4_payload_len":52,"midstream":0,"ts_msec":1582454866448,"l3_proto":"ip6","src_ip":"fe80::4e6a:f6ff:fe9f:f627","dst_ip":"ff02::1:2","src_port":546,"dst_port":547,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00530{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":69,"source":"android.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":1,"flow_last_seen":1582454866448,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":114,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":114,"pkt_l4_len":60,"ts_msec":1582454866448,"pkt":"MzMAAQACTGr2n\/Ynht1gBNipADwRAf6AAAAAAAAATmr2\/\/6f9if\/AgAAAAAAAAAAAAAAAQACAiICIwA8Uc8B2OT+AAEADgABAAEl5RSOTGr2n\/YnAAMADA4ACMoAAAAAAAAAAAAIAAIAAAAGAAQAFwAY"}
00595{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":69,"source":"android.pcap","alias":"nDPId-test","flow_id":15,"flow_packets_processed":1,"flow_first_seen":1582454866448,"flow_last_seen":1582454866448,"flow_idle_time":180000,"flow_min_l4_payload_len":52,"flow_max_l4_payload_len":52,"flow_tot_l4_payload_len":52,"flow_avg_l4_payload_len":52,"midstream":0,"ts_msec":1582454866448,"l3_proto":"ip6","src_ip":"fe80::4e6a:f6ff:fe9f:f627","dst_ip":"ff02::1:2","src_port":546,"dst_port":547,"l4_proto":"udp","ndpi": {"proto":"DHCPV6","breed":"Acceptable","category":"Network"}}
@@ -90,13 +90,13 @@
00728{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":91,"source":"android.pcap","alias":"nDPId-test","flow_id":20,"flow_packets_processed":2,"flow_first_seen":1582454867244,"flow_last_seen":1582454867284,"flow_idle_time":180000,"flow_min_l4_payload_len":34,"flow_max_l4_payload_len":98,"flow_tot_l4_payload_len":132,"flow_avg_l4_payload_len":66,"midstream":0,"ts_msec":1582454867284,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"192.168.2.1","src_port":35825,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS","breed":"Acceptable","category":"Network"},"dns": {"query":"time.android.com","num_queries":1,"num_answers":4,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"216.239.35.8"}}
00552{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":93,"source":"android.pcap","alias":"nDPId-test","flow_id":21,"flow_packets_processed":1,"flow_first_seen":1582454867323,"flow_last_seen":1582454867323,"flow_idle_time":180000,"flow_min_l4_payload_len":48,"flow_max_l4_payload_len":48,"flow_tot_l4_payload_len":48,"flow_avg_l4_payload_len":48,"midstream":0,"ts_msec":1582454867323,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"216.239.35.8","src_port":45863,"dst_port":123,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00491{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":93,"source":"android.pcap","alias":"nDPId-test","flow_id":21,"flow_packet_id":1,"flow_last_seen":1582454867323,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":90,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":90,"pkt_l4_len":56,"ts_msec":1582454867323,"pkt":"xiwDYGpkTGr2n\/YnCABFAABMoTdAAEAR2rnAqAIQ2O8jCLMnAHsAOGfAGwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOH81o7jEm7M"}
-00592{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":93,"source":"android.pcap","alias":"nDPId-test","flow_id":21,"flow_packets_processed":1,"flow_first_seen":1582454867323,"flow_last_seen":1582454867323,"flow_idle_time":180000,"flow_min_l4_payload_len":48,"flow_max_l4_payload_len":48,"flow_tot_l4_payload_len":48,"flow_avg_l4_payload_len":48,"midstream":0,"ts_msec":1582454867323,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"216.239.35.8","src_port":45863,"dst_port":123,"l4_proto":"udp","ndpi": {"proto":"NTP.Google","breed":"Tracker\/Ads","category":"System"}}
+00628{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":93,"source":"android.pcap","alias":"nDPId-test","flow_id":21,"flow_packets_processed":1,"flow_first_seen":1582454867323,"flow_last_seen":1582454867323,"flow_idle_time":180000,"flow_min_l4_payload_len":48,"flow_max_l4_payload_len":48,"flow_tot_l4_payload_len":48,"flow_avg_l4_payload_len":48,"midstream":0,"ts_msec":1582454867323,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"216.239.35.8","src_port":45863,"dst_port":123,"l4_proto":"udp","ndpi": {"proto":"NTP.Google","breed":"Acceptable","category":"System"},"ntp": {"request_code":0,"version":0}}
00492{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":94,"source":"android.pcap","alias":"nDPId-test","flow_id":21,"flow_packet_id":2,"flow_last_seen":1582454867358,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":90,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":90,"pkt_l4_len":56,"ts_msec":1582454867358,"pkt":"TGr2n\/YnxiwDYGpkCABFAABMa8oAAGcRKSfY7yMIwKgCEAB7sycAOKcPHAEA7AAAAAAAAAAMR09PR+H81tNW8KhI4fzWjuMSbszh\/NbTVvCoSeH81tNW8KhL"}
00550{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":95,"source":"android.pcap","alias":"nDPId-test","flow_id":22,"flow_packets_processed":1,"flow_first_seen":1582454867637,"flow_last_seen":1582454867637,"flow_idle_time":180000,"flow_min_l4_payload_len":37,"flow_max_l4_payload_len":37,"flow_tot_l4_payload_len":37,"flow_avg_l4_payload_len":37,"midstream":0,"ts_msec":1582454867637,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"192.168.2.1","src_port":34540,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00479{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":95,"source":"android.pcap","alias":"nDPId-test","flow_id":22,"flow_packet_id":1,"flow_last_seen":1582454867637,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":79,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":79,"pkt_l4_len":45,"ts_msec":1582454867637,"pkt":"xiwDYGpkTGr2n\/YnCABFAABBqXVAAEARC9XAqAIQwKgCAYbsADUALQrUr3oBAAABAAAAAAAACGNsaWVudHMxBmdvb2dsZQNjb20AAAEAAQ=="}
-00722{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":95,"source":"android.pcap","alias":"nDPId-test","flow_id":22,"flow_packets_processed":1,"flow_first_seen":1582454867637,"flow_last_seen":1582454867637,"flow_idle_time":180000,"flow_min_l4_payload_len":37,"flow_max_l4_payload_len":37,"flow_tot_l4_payload_len":37,"flow_avg_l4_payload_len":37,"midstream":0,"ts_msec":1582454867637,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"192.168.2.1","src_port":34540,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Tracker\/Ads","category":"Web"},"dns": {"query":"clients1.google.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
+00720{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":95,"source":"android.pcap","alias":"nDPId-test","flow_id":22,"flow_packets_processed":1,"flow_first_seen":1582454867637,"flow_last_seen":1582454867637,"flow_idle_time":180000,"flow_min_l4_payload_len":37,"flow_max_l4_payload_len":37,"flow_tot_l4_payload_len":37,"flow_avg_l4_payload_len":37,"midstream":0,"ts_msec":1582454867637,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"192.168.2.1","src_port":34540,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Acceptable","category":"Web"},"dns": {"query":"clients1.google.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
00499{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":96,"source":"android.pcap","alias":"nDPId-test","flow_id":22,"flow_packet_id":2,"flow_last_seen":1582454867639,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":95,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":95,"pkt_l4_len":61,"ts_msec":1582454867639,"pkt":"TGr2n\/YnxiwDYGpkCABFAABRpSEAAEARUBnAqAIBwKgCEAA1huwAPTVyr3qBgAABAAEAAAAACGNsaWVudHMxBmdvb2dsZQNjb20AAAEAAcAMAAEAAQAAANoABNjvJng="}
-00737{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":96,"source":"android.pcap","alias":"nDPId-test","flow_id":22,"flow_packets_processed":2,"flow_first_seen":1582454867637,"flow_last_seen":1582454867639,"flow_idle_time":180000,"flow_min_l4_payload_len":37,"flow_max_l4_payload_len":53,"flow_tot_l4_payload_len":90,"flow_avg_l4_payload_len":45,"midstream":0,"ts_msec":1582454867639,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"192.168.2.1","src_port":34540,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Tracker\/Ads","category":"Web"},"dns": {"query":"clients1.google.com","num_queries":1,"num_answers":1,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"216.239.38.120"}}
+00735{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":96,"source":"android.pcap","alias":"nDPId-test","flow_id":22,"flow_packets_processed":2,"flow_first_seen":1582454867637,"flow_last_seen":1582454867639,"flow_idle_time":180000,"flow_min_l4_payload_len":37,"flow_max_l4_payload_len":53,"flow_tot_l4_payload_len":90,"flow_avg_l4_payload_len":45,"midstream":0,"ts_msec":1582454867639,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"192.168.2.1","src_port":34540,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Acceptable","category":"Web"},"dns": {"query":"clients1.google.com","num_queries":1,"num_answers":1,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"216.239.38.120"}}
00551{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":97,"source":"android.pcap","alias":"nDPId-test","flow_id":23,"flow_packets_processed":1,"flow_first_seen":1582454867688,"flow_last_seen":1582454867688,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1582454867688,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"216.239.38.120","src_port":32974,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00477{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":97,"source":"android.pcap","alias":"nDPId-test","flow_id":23,"flow_packet_id":1,"flow_last_seen":1582454867688,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1582454867688,"pkt":"xiwDYGpkTGr2n\/YnCABFAAA8oxlAAEAG1YLAqAIQ2O8meIDOAbtPCpBsAAAAAKAC\/\/\/waQAAAgQFtAQCCAr\/\/zN1AAAAAAEDAwg="}
00475{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":98,"source":"android.pcap","alias":"nDPId-test","flow_id":23,"flow_packet_id":2,"flow_last_seen":1582454867702,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1582454867702,"pkt":"TGr2n\/YnxiwDYGpkCABFAAA840EAAHYGn1rY7yZ4wKgCEAG7gM7sufL\/TwqQbaAS6yANxQAAAgQFZAQCCAoG5BEl\/\/8zdQEDAwg="}
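Review bot: The expected `detected` event for flow 21 pins `"ntp": {"request_code":0,"version":0}`, but the first NTP byte of that flow's packet (packet_id 93, just above) decodes from the base64 payload to 0x1b, i.e. version 3 in client mode. The golden file therefore records a value that does not match the capture, presumably because the field is serialised before the dissector fills it or is never populated on this path. That would need to be checked in nDPId.c, which is outside this hunk. I would expect `"version":3` here. Until the source is fixed, dropping the `ntp` object when the fields are unset is safer than baking a wrong version into the test results.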
@@ -104,11 +104,11 @@
00551{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":100,"source":"android.pcap","alias":"nDPId-test","flow_id":24,"flow_packets_processed":1,"flow_first_seen":1582454867723,"flow_last_seen":1582454867723,"flow_idle_time":180000,"flow_min_l4_payload_len":37,"flow_max_l4_payload_len":37,"flow_tot_l4_payload_len":37,"flow_avg_l4_payload_len":37,"midstream":0,"ts_msec":1582454867723,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"192.168.2.1","src_port":54837,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00481{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":100,"source":"android.pcap","alias":"nDPId-test","flow_id":24,"flow_packet_id":1,"flow_last_seen":1582454867723,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":79,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":79,"pkt_l4_len":45,"ts_msec":1582454867723,"pkt":"xiwDYGpkTGr2n\/YnCABFAABBqYtAAEARC7\/AqAIQwKgCAdY1ADUALYAStecBAAABAAAAAAAABHBsYXkKZ29vZ2xlYXBpcwNjb20AAAEAAQ=="}
00729{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":100,"source":"android.pcap","alias":"nDPId-test","flow_id":24,"flow_packets_processed":1,"flow_first_seen":1582454867723,"flow_last_seen":1582454867723,"flow_idle_time":180000,"flow_min_l4_payload_len":37,"flow_max_l4_payload_len":37,"flow_tot_l4_payload_len":37,"flow_avg_l4_payload_len":37,"midstream":0,"ts_msec":1582454867723,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"192.168.2.1","src_port":54837,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.GoogleServices","breed":"Acceptable","category":"Web"},"dns": {"query":"play.googleapis.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
-00836{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":101,"source":"android.pcap","alias":"nDPId-test","flow_id":23,"flow_packets_processed":4,"flow_first_seen":1582454867688,"flow_last_seen":1582454867759,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":166,"flow_tot_l4_payload_len":166,"flow_avg_l4_payload_len":41,"midstream":0,"ts_msec":1582454867759,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"216.239.38.120","src_port":32974,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"clients1.google.com","ja3":"c60d01d600aacc2c04844595ce224279","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
+00834{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":101,"source":"android.pcap","alias":"nDPId-test","flow_id":23,"flow_packets_processed":4,"flow_first_seen":1582454867688,"flow_last_seen":1582454867759,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":166,"flow_tot_l4_payload_len":166,"flow_avg_l4_payload_len":41,"midstream":0,"ts_msec":1582454867759,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"216.239.38.120","src_port":32974,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Google","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"clients1.google.com","ja3":"c60d01d600aacc2c04844595ce224279","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
00500{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":102,"source":"android.pcap","alias":"nDPId-test","flow_id":24,"flow_packet_id":2,"flow_last_seen":1582454867761,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":95,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":95,"pkt_l4_len":61,"ts_msec":1582454867761,"pkt":"TGr2n\/YnxiwDYGpkCABFAABRO4cAAEARubPAqAIBwKgCEAA11jUAPbDuteeBgAABAAEAAAAABHBsYXkKZ29vZ2xlYXBpcwNjb20AAAEAAcAMAAEAAQAAARgABKzZFEo="}
00743{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":102,"source":"android.pcap","alias":"nDPId-test","flow_id":24,"flow_packets_processed":2,"flow_first_seen":1582454867723,"flow_last_seen":1582454867761,"flow_idle_time":180000,"flow_min_l4_payload_len":37,"flow_max_l4_payload_len":53,"flow_tot_l4_payload_len":90,"flow_avg_l4_payload_len":45,"midstream":0,"ts_msec":1582454867761,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"192.168.2.1","src_port":54837,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.GoogleServices","breed":"Acceptable","category":"Web"},"dns": {"query":"play.googleapis.com","num_queries":1,"num_answers":1,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"172.217.20.74"}}
-00895{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":104,"source":"android.pcap","alias":"nDPId-test","flow_id":23,"flow_packets_processed":6,"flow_first_seen":1582454867688,"flow_last_seen":1582454867788,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":1584,"flow_avg_l4_payload_len":264,"midstream":0,"ts_msec":1582454867788,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"216.239.38.120","src_port":32974,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"clients1.google.com","ja3":"c60d01d600aacc2c04844595ce224279","ja3s":"b31c0b82752ea0e2c48b8ce46e9263e5","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"}}
-02224{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":106,"source":"android.pcap","alias":"nDPId-test","flow_id":23,"flow_packets_processed":8,"flow_first_seen":1582454867688,"flow_last_seen":1582454867789,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":3887,"flow_avg_l4_payload_len":485,"midstream":0,"ts_msec":1582454867789,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"216.239.38.120","src_port":32974,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"clients1.google.com","server_names":"*.google.com,*.android.com,*.appengine.google.com,*.cloud.google.com,*.crowdsource.google.com,*.g.co,*.gcp.gvt2.com,*.gcpcdn.gvt1.com,*.ggpht.cn,*.gkecnapps.cn,*.google-analytics.com,*.google.ca,*.google.cl,*.google.co.in,*.google.co.jp,*.google.co.uk,*.google.com.ar,*.google.com.au,*.google.com.br,*.google.com.co,*.google.com.mx,*.google.com.tr,*.google.com.vn,*.google.de,*.google.es,*.google.fr,*.google.hu,*.google.it,*.google.nl,*.google.pl,*.google.pt,*.googleadapis.com,*.googleapis.cn,*.googlecnapps.cn,*.googlecommerce.com,*.googlevideo.com,*.gstatic.cn,*.gstatic.com,*.gstaticcnapps.cn,*.gvt1.com,*.gvt2.com,*.metric.gstatic.com,*.urchin.com,*.url.google.com,*.wear.gkecnapps.cn,*.youtube-nocookie.com,*.youtube.com,*.youtubeeducation.com,*.youtubekids.com,*.yt.be,*.ytimg.com,android.clients.google.com,android.com,developer.android.google.cn,developers.android.google.cn,g.co,ggpht.cn,gkecnapps.cn,goo.gl,google-analytics.com,google.com,googlecnapps.cn,googlecommerce.com,source.android.google.cn,urchin.com,www.goo.gl,youtu.be,youtube.com,youtubeeducation.com,youtubekids.com,yt.be","ja3":"c60d01d600aacc2c04844595ce224279","ja3s":"b31c0b82752ea0e2c48b8ce46e9263e5","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128
_GCM_SHA256","issuerDN":"C=US, O=Google Trust Services, CN=GTS CA 1O1","issuerDN":"C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.google.com","fingerprint":"80:50:28:F4:84:F5:C4:C6:41:DE:75:67:38:C4:A6:E2:59:FF:75:42"}}
+00893{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":104,"source":"android.pcap","alias":"nDPId-test","flow_id":23,"flow_packets_processed":6,"flow_first_seen":1582454867688,"flow_last_seen":1582454867788,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":1584,"flow_avg_l4_payload_len":264,"midstream":0,"ts_msec":1582454867788,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"216.239.38.120","src_port":32974,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Google","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"clients1.google.com","ja3":"c60d01d600aacc2c04844595ce224279","ja3s":"b31c0b82752ea0e2c48b8ce46e9263e5","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"}}
+02223{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":106,"source":"android.pcap","alias":"nDPId-test","flow_id":23,"flow_packets_processed":8,"flow_first_seen":1582454867688,"flow_last_seen":1582454867789,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":3887,"flow_avg_l4_payload_len":485,"midstream":0,"ts_msec":1582454867789,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"216.239.38.120","src_port":32974,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Google","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"clients1.google.com","server_names":"*.google.com,*.android.com,*.appengine.google.com,*.cloud.google.com,*.crowdsource.google.com,*.g.co,*.gcp.gvt2.com,*.gcpcdn.gvt1.com,*.ggpht.cn,*.gkecnapps.cn,*.google-analytics.com,*.google.ca,*.google.cl,*.google.co.in,*.google.co.jp,*.google.co.uk,*.google.com.ar,*.google.com.au,*.google.com.br,*.google.com.co,*.google.com.mx,*.google.com.tr,*.google.com.vn,*.google.de,*.google.es,*.google.fr,*.google.hu,*.google.it,*.google.nl,*.google.pl,*.google.pt,*.googleadapis.com,*.googleapis.cn,*.googlecnapps.cn,*.googlecommerce.com,*.googlevideo.com,*.gstatic.cn,*.gstatic.com,*.gstaticcnapps.cn,*.gvt1.com,*.gvt2.com,*.metric.gstatic.com,*.urchin.com,*.url.google.com,*.wear.gkecnapps.cn,*.youtube-nocookie.com,*.youtube.com,*.youtubeeducation.com,*.youtubekids.com,*.yt.be,*.ytimg.com,android.clients.google.com,android.com,developer.android.google.cn,developers.android.google.cn,g.co,ggpht.cn,gkecnapps.cn,goo.gl,google-analytics.com,google.com,googlecnapps.cn,googlecommerce.com,source.android.google.cn,urchin.com,www.goo.gl,youtu.be,youtube.com,youtubeeducation.com,youtubekids.com,yt.be","ja3":"c60d01d600aacc2c04844595ce224279","ja3s":"b31c0b82752ea0e2c48b8ce46e9263e5","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_G
CM_SHA256","issuerDN":"C=US, O=Google Trust Services, CN=GTS CA 1O1","subjectDN":"C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.google.com","fingerprint":"80:50:28:F4:84:F5:C4:C6:41:DE:75:67:38:C4:A6:E2:59:FF:75:42"}}
00551{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":123,"source":"android.pcap","alias":"nDPId-test","flow_id":25,"flow_packets_processed":1,"flow_first_seen":1582454868348,"flow_last_seen":1582454868348,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1582454868348,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"172.217.20.74","src_port":52486,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00477{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":123,"source":"android.pcap","alias":"nDPId-test","flow_id":25,"flow_packet_id":1,"flow_last_seen":1582454868348,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1582454868348,"pkt":"xiwDYGpkTGr2n\/YnCABFAAA8A3VAAEAGs2vAqAIQrNkUSs0GAbvbqzdvAAAAAKAC\/\/+uLAAAAgQFtAQCCAr\/\/zQaAAAAAAEDAwg="}
00475{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":124,"source":"android.pcap","alias":"nDPId-test","flow_id":25,"flow_packet_id":2,"flow_last_seen":1582454868386,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1582454868386,"pkt":"TGr2n\/YnxiwDYGpkCABFAAA8PjQAAHUGg6ys2RRKwKgCEAG7zQbWjo3E26s3cKAS6yAJ1AAAAgQFZAQCCAq9hJee\/\/80GgEDAwg="}
@@ -118,27 +118,27 @@
00494{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":128,"source":"android.pcap","alias":"nDPId-test","flow_id":26,"flow_packet_id":1,"flow_last_seen":1582454868462,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":89,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":89,"pkt_l4_len":55,"ts_msec":1582454868462,"pkt":"xiwDYGpkTGr2n\/YnCABFAABLqjFAAEARCw\/AqAIQwKgCAbfpADUAN\/8RnJ4BAAABAAAAAAAAEWNvbm5lY3Rpdml0eWNoZWNrB2dzdGF0aWMDY29tAAABAAE="}
00730{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":128,"source":"android.pcap","alias":"nDPId-test","flow_id":26,"flow_packets_processed":1,"flow_first_seen":1582454868462,"flow_last_seen":1582454868462,"flow_idle_time":180000,"flow_min_l4_payload_len":47,"flow_max_l4_payload_len":47,"flow_tot_l4_payload_len":47,"flow_avg_l4_payload_len":47,"midstream":0,"ts_msec":1582454868462,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"192.168.2.1","src_port":47081,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS","breed":"Acceptable","category":"ConnCheck"},"dns": {"query":"connectivitycheck.gstatic.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
00863{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":129,"source":"android.pcap","alias":"nDPId-test","flow_id":25,"flow_packets_processed":6,"flow_first_seen":1582454868348,"flow_last_seen":1582454868466,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":1603,"flow_avg_l4_payload_len":267,"midstream":0,"ts_msec":1582454868466,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"172.217.20.74","src_port":52486,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.GoogleServices","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"play.googleapis.com","ja3":"d8c87b9bfde38897979e41242626c2f3","ja3s":"eca9b8f0f3eae50309eaf901cb822d9b","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","alpn":"http\/1.1"}}
-01536{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":131,"source":"android.pcap","alias":"nDPId-test","flow_id":25,"flow_packets_processed":8,"flow_first_seen":1582454868348,"flow_last_seen":1582454868466,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":3177,"flow_avg_l4_payload_len":397,"midstream":0,"ts_msec":1582454868466,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"172.217.20.74","src_port":52486,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.GoogleServices","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"play.googleapis.com","server_names":"*.storage.googleapis.com,*.appspot.com.storage.googleapis.com,*.commondatastorage.googleapis.com,*.content-storage-download.googleapis.com,*.content-storage-upload.googleapis.com,*.content-storage.googleapis.com,*.googleapis.com,*.storage-download.googleapis.com,*.storage-upload.googleapis.com,*.storage.select.googleapis.com,commondatastorage.googleapis.com,storage.googleapis.com,storage.select.googleapis.com,unfiltered.news","ja3":"d8c87b9bfde38897979e41242626c2f3","ja3s":"eca9b8f0f3eae50309eaf901cb822d9b","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Google Trust Services, CN=GTS CA 1O1","issuerDN":"C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.storage.googleapis.com","alpn":"http\/1.1","fingerprint":"BA:BA:BA:55:69:9F:E0:BD:48:80:23:A4:B3:AD:C1:FF:EA:4E:17:C9"}}
+01537{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":131,"source":"android.pcap","alias":"nDPId-test","flow_id":25,"flow_packets_processed":8,"flow_first_seen":1582454868348,"flow_last_seen":1582454868466,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":3177,"flow_avg_l4_payload_len":397,"midstream":0,"ts_msec":1582454868466,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"172.217.20.74","src_port":52486,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.GoogleServices","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"play.googleapis.com","server_names":"*.storage.googleapis.com,*.appspot.com.storage.googleapis.com,*.commondatastorage.googleapis.com,*.content-storage-download.googleapis.com,*.content-storage-upload.googleapis.com,*.content-storage.googleapis.com,*.googleapis.com,*.storage-download.googleapis.com,*.storage-upload.googleapis.com,*.storage.select.googleapis.com,commondatastorage.googleapis.com,storage.googleapis.com,storage.select.googleapis.com,unfiltered.news","ja3":"d8c87b9bfde38897979e41242626c2f3","ja3s":"eca9b8f0f3eae50309eaf901cb822d9b","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Google Trust Services, CN=GTS CA 1O1","subjectDN":"C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.storage.googleapis.com","alpn":"http\/1.1","fingerprint":"BA:BA:BA:55:69:9F:E0:BD:48:80:23:A4:B3:AD:C1:FF:EA:4E:17:C9"}}
00514{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":135,"source":"android.pcap","alias":"nDPId-test","flow_id":26,"flow_packet_id":2,"flow_last_seen":1582454868503,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":105,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":105,"pkt_l4_len":71,"ts_msec":1582454868503,"pkt":"TGr2n\/YnxiwDYGpkCABFAABbmZAAAEARW6DAqAIBwKgCEAA1t+kAR93wnJ6BgAABAAEAAAAAEWNvbm5lY3Rpdml0eWNoZWNrB2dzdGF0aWMDY29tAAABAAHADAABAAEAAACxAASs2RID"}
-00753{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":135,"source":"android.pcap","alias":"nDPId-test","flow_id":26,"flow_packets_processed":2,"flow_first_seen":1582454868462,"flow_last_seen":1582454868503,"flow_idle_time":180000,"flow_min_l4_payload_len":47,"flow_max_l4_payload_len":63,"flow_tot_l4_payload_len":110,"flow_avg_l4_payload_len":55,"midstream":0,"ts_msec":1582454868503,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"192.168.2.1","src_port":47081,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Tracker\/Ads","category":"ConnCheck"},"dns": {"query":"connectivitycheck.gstatic.com","num_queries":1,"num_answers":1,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"172.217.18.3"}}
+00751{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":135,"source":"android.pcap","alias":"nDPId-test","flow_id":26,"flow_packets_processed":2,"flow_first_seen":1582454868462,"flow_last_seen":1582454868503,"flow_idle_time":180000,"flow_min_l4_payload_len":47,"flow_max_l4_payload_len":63,"flow_tot_l4_payload_len":110,"flow_avg_l4_payload_len":55,"midstream":0,"ts_msec":1582454868503,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"192.168.2.1","src_port":47081,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Acceptable","category":"ConnCheck"},"dns": {"query":"connectivitycheck.gstatic.com","num_queries":1,"num_answers":1,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"172.217.18.3"}}
00550{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":136,"source":"android.pcap","alias":"nDPId-test","flow_id":27,"flow_packets_processed":1,"flow_first_seen":1582454868511,"flow_last_seen":1582454868511,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1582454868511,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"172.217.18.3","src_port":36888,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00477{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":136,"source":"android.pcap","alias":"nDPId-test","flow_id":27,"flow_packet_id":1,"flow_last_seen":1582454868511,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1582454868511,"pkt":"xiwDYGpkTGr2n\/YnCABFAAA8PG9AAEAGfLjAqAIQrNkSA5AYAbuCdQgsAAAAAKAC\/\/91sgAAAgQFtAQCCAr\/\/zRDAAAAAAEDAwg="}
00550{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":137,"source":"android.pcap","alias":"nDPId-test","flow_id":28,"flow_packets_processed":1,"flow_first_seen":1582454868527,"flow_last_seen":1582454868527,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1582454868527,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"172.217.18.3","src_port":36890,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00477{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":137,"source":"android.pcap","alias":"nDPId-test","flow_id":28,"flow_packet_id":1,"flow_last_seen":1582454868527,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1582454868527,"pkt":"xiwDYGpkTGr2n\/YnCABFAAA8stVAAEAGBlLAqAIQrNkSA5AaAbtdpoaTAAAAAKAC\/\/8cFQAAAgQFtAQCCAr\/\/zRGAAAAAAEDAwg="}
00476{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":138,"source":"android.pcap","alias":"nDPId-test","flow_id":28,"flow_packet_id":2,"flow_last_seen":1582454868559,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1582454868559,"pkt":"TGr2n\/YnxiwDYGpkCABFAAA8mn0AAHYGKKqs2RIDwKgCEAG7kBpu4mZiXaaGlKAS6yC\/LgAAAgQFZAQCCApPRk15\/\/80RgEDAwg="}
00463{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":139,"source":"android.pcap","alias":"nDPId-test","flow_id":28,"flow_packet_id":3,"flow_last_seen":1582454868563,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1582454868563,"pkt":"xiwDYGpkTGr2n\/YnCABFAAA0stZAAEAGBlnAqAIQrNkSA5AaAbtdpoaUbuJmY4AQAVfXbAAAAQEICv\/\/NE9PRk15"}
-00813{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":140,"source":"android.pcap","alias":"nDPId-test","flow_id":28,"flow_packets_processed":4,"flow_first_seen":1582454868527,"flow_last_seen":1582454868563,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":195,"flow_tot_l4_payload_len":195,"flow_avg_l4_payload_len":48,"midstream":0,"ts_msec":1582454868563,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"172.217.18.3","src_port":36890,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"ConnCheck"},"tls": {"version":"TLSv1.2","client_requested_server_name":"connectivitycheck.gstatic.com","ja3":"d8c87b9bfde38897979e41242626c2f3","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"http\/1.1"}}
+00811{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":140,"source":"android.pcap","alias":"nDPId-test","flow_id":28,"flow_packets_processed":4,"flow_first_seen":1582454868527,"flow_last_seen":1582454868563,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":195,"flow_tot_l4_payload_len":195,"flow_avg_l4_payload_len":48,"midstream":0,"ts_msec":1582454868563,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"172.217.18.3","src_port":36890,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"ConnCheck"},"tls": {"version":"TLSv1.2","client_requested_server_name":"connectivitycheck.gstatic.com","ja3":"d8c87b9bfde38897979e41242626c2f3","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"http\/1.1"}}
00551{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":142,"source":"android.pcap","alias":"nDPId-test","flow_id":29,"flow_packets_processed":1,"flow_first_seen":1582454868597,"flow_last_seen":1582454868597,"flow_idle_time":180000,"flow_min_l4_payload_len":37,"flow_max_l4_payload_len":37,"flow_tot_l4_payload_len":37,"flow_avg_l4_payload_len":37,"midstream":0,"ts_msec":1582454868597,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"192.168.2.1","src_port":51430,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00480{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":142,"source":"android.pcap","alias":"nDPId-test","flow_id":29,"flow_packet_id":1,"flow_last_seen":1582454868597,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":79,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":79,"pkt_l4_len":45,"ts_msec":1582454868597,"pkt":"xiwDYGpkTGr2n\/YnCABFAABBqkFAAEARCwnAqAIQwKgCAcjmADUALYwU2tsBAAABAAAAAAAAD2FwcC1tZWFzdXJlbWVudANjb20AAAEAAQ=="}
00718{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":142,"source":"android.pcap","alias":"nDPId-test","flow_id":29,"flow_packets_processed":1,"flow_first_seen":1582454868597,"flow_last_seen":1582454868597,"flow_idle_time":180000,"flow_min_l4_payload_len":37,"flow_max_l4_payload_len":37,"flow_tot_l4_payload_len":37,"flow_avg_l4_payload_len":37,"midstream":0,"ts_msec":1582454868597,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"192.168.2.1","src_port":51430,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS","breed":"Acceptable","category":"Network"},"dns": {"query":"app-measurement.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
00500{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":143,"source":"android.pcap","alias":"nDPId-test","flow_id":29,"flow_packet_id":2,"flow_last_seen":1582454868597,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":95,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":95,"pkt_l4_len":61,"ts_msec":1582454868597,"pkt":"TGr2n\/YnxiwDYGpkCABFAABRZjUAAEARjwXAqAIBwKgCEAA1yOYAPQ9d2tuBgAABAAEAAAAAD2FwcC1tZWFzdXJlbWVudANjb20AAAEAAcAMAAEAAQAAAEEABKzZqM4="}
00734{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":143,"source":"android.pcap","alias":"nDPId-test","flow_id":29,"flow_packets_processed":2,"flow_first_seen":1582454868597,"flow_last_seen":1582454868597,"flow_idle_time":180000,"flow_min_l4_payload_len":37,"flow_max_l4_payload_len":53,"flow_tot_l4_payload_len":90,"flow_avg_l4_payload_len":45,"midstream":0,"ts_msec":1582454868597,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"192.168.2.1","src_port":51430,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS","breed":"Acceptable","category":"Network"},"dns": {"query":"app-measurement.com","num_queries":1,"num_answers":1,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"172.217.168.206"}}
-00872{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":144,"source":"android.pcap","alias":"nDPId-test","flow_id":28,"flow_packets_processed":6,"flow_first_seen":1582454868527,"flow_last_seen":1582454868603,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":1613,"flow_avg_l4_payload_len":268,"midstream":0,"ts_msec":1582454868603,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"172.217.18.3","src_port":36890,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"ConnCheck"},"tls": {"version":"TLSv1.2","client_requested_server_name":"connectivitycheck.gstatic.com","ja3":"d8c87b9bfde38897979e41242626c2f3","ja3s":"eca9b8f0f3eae50309eaf901cb822d9b","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","alpn":"http\/1.1"}}
-02201{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":146,"source":"android.pcap","alias":"nDPId-test","flow_id":28,"flow_packets_processed":8,"flow_first_seen":1582454868527,"flow_last_seen":1582454868603,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":3903,"flow_avg_l4_payload_len":487,"midstream":0,"ts_msec":1582454868603,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"172.217.18.3","src_port":36890,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"ConnCheck"},"tls": {"version":"TLSv1.2","client_requested_server_name":"connectivitycheck.gstatic.com","server_names":"*.google.com,*.android.com,*.appengine.google.com,*.cloud.google.com,*.crowdsource.google.com,*.g.co,*.gcp.gvt2.com,*.gcpcdn.gvt1.com,*.ggpht.cn,*.gkecnapps.cn,*.google-analytics.com,*.google.ca,*.google.cl,*.google.co.in,*.google.co.jp,*.google.co.uk,*.google.com.ar,*.google.com.au,*.google.com.br,*.google.com.co,*.google.com.mx,*.google.com.tr,*.google.com.vn,*.google.de,*.google.es,*.google.fr,*.google.hu,*.google.it,*.google.nl,*.google.pl,*.google.pt,*.googleadapis.com,*.googleapis.cn,*.googlecnapps.cn,*.googlecommerce.com,*.googlevideo.com,*.gstatic.cn,*.gstatic.com,*.gstaticcnapps.cn,*.gvt1.com,*.gvt2.com,*.metric.gstatic.com,*.urchin.com,*.url.google.com,*.wear.gkecnapps.cn,*.youtube-nocookie.com,*.youtube.com,*.youtubeeducation.com,*.youtubekids.com,*.yt.be,*.ytimg.com,android.clients.google.com,android.com,developer.android.google.cn,developers.android.google.cn,g.co,ggpht.cn,gkecnapps.cn,goo.gl,google-analytics.com,google.com,googlecnapps.cn,googlecommerce.com,source.android.google.cn,urchin.com,www.goo.gl,youtu.be,youtube.com,youtubeeducation.com,youtubekids.com,yt.be","ja3":"d8c87b9bfde38897979e41242626c2f3","ja3s":"eca9b8f0f3eae50309eaf901cb822d9b","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Google 
Trust Services, CN=GTS CA 1O1","issuerDN":"C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.google.com","alpn":"http\/1.1","fingerprint":"80:50:28:F4:84:F5:C4:C6:41:DE:75:67:38:C4:A6:E2:59:FF:75:42"}}
+00870{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":144,"source":"android.pcap","alias":"nDPId-test","flow_id":28,"flow_packets_processed":6,"flow_first_seen":1582454868527,"flow_last_seen":1582454868603,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":1613,"flow_avg_l4_payload_len":268,"midstream":0,"ts_msec":1582454868603,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"172.217.18.3","src_port":36890,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"ConnCheck"},"tls": {"version":"TLSv1.2","client_requested_server_name":"connectivitycheck.gstatic.com","ja3":"d8c87b9bfde38897979e41242626c2f3","ja3s":"eca9b8f0f3eae50309eaf901cb822d9b","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","alpn":"http\/1.1"}}
+02200{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":146,"source":"android.pcap","alias":"nDPId-test","flow_id":28,"flow_packets_processed":8,"flow_first_seen":1582454868527,"flow_last_seen":1582454868603,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":3903,"flow_avg_l4_payload_len":487,"midstream":0,"ts_msec":1582454868603,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"172.217.18.3","src_port":36890,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"ConnCheck"},"tls": {"version":"TLSv1.2","client_requested_server_name":"connectivitycheck.gstatic.com","server_names":"*.google.com,*.android.com,*.appengine.google.com,*.cloud.google.com,*.crowdsource.google.com,*.g.co,*.gcp.gvt2.com,*.gcpcdn.gvt1.com,*.ggpht.cn,*.gkecnapps.cn,*.google-analytics.com,*.google.ca,*.google.cl,*.google.co.in,*.google.co.jp,*.google.co.uk,*.google.com.ar,*.google.com.au,*.google.com.br,*.google.com.co,*.google.com.mx,*.google.com.tr,*.google.com.vn,*.google.de,*.google.es,*.google.fr,*.google.hu,*.google.it,*.google.nl,*.google.pl,*.google.pt,*.googleadapis.com,*.googleapis.cn,*.googlecnapps.cn,*.googlecommerce.com,*.googlevideo.com,*.gstatic.cn,*.gstatic.com,*.gstaticcnapps.cn,*.gvt1.com,*.gvt2.com,*.metric.gstatic.com,*.urchin.com,*.url.google.com,*.wear.gkecnapps.cn,*.youtube-nocookie.com,*.youtube.com,*.youtubeeducation.com,*.youtubekids.com,*.yt.be,*.ytimg.com,android.clients.google.com,android.com,developer.android.google.cn,developers.android.google.cn,g.co,ggpht.cn,gkecnapps.cn,goo.gl,google-analytics.com,google.com,googlecnapps.cn,googlecommerce.com,source.android.google.cn,urchin.com,www.goo.gl,youtu.be,youtube.com,youtubeeducation.com,youtubekids.com,yt.be","ja3":"d8c87b9bfde38897979e41242626c2f3","ja3s":"eca9b8f0f3eae50309eaf901cb822d9b","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Google 
Trust Services, CN=GTS CA 1O1","subjectDN":"C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.google.com","alpn":"http\/1.1","fingerprint":"80:50:28:F4:84:F5:C4:C6:41:DE:75:67:38:C4:A6:E2:59:FF:75:42"}}
00531{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":150,"source":"android.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":2,"flow_last_seen":1582454868606,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":114,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":114,"pkt_l4_len":60,"ts_msec":1582454868606,"pkt":"MzMAAQACTGr2n\/Ynht1gBNipADwRAf6AAAAAAAAATmr2\/\/6f9if\/AgAAAAAAAAAAAAAAAQACAiICIwA8Uc8B2OT+AAEADgABAAEl5RSOTGr2n\/YnAAMADA4ACMoAAAAAAAAAAAAIAAIAAAAGAAQAFwAY"}
00475{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":151,"source":"android.pcap","alias":"nDPId-test","flow_id":27,"flow_packet_id":2,"flow_last_seen":1582454868843,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1582454868843,"pkt":"TGr2n\/YnxiwDYGpkCABFAAA8fo0AAHYGRJqs2RIDwKgCEAG7kBjGuYRJgnUILaAS6yAZNAAAAgQFZAQCCApRt9Th\/\/80QwEDAwg="}
00464{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":152,"source":"android.pcap","alias":"nDPId-test","flow_id":27,"flow_packet_id":3,"flow_last_seen":1582454868844,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1582454868844,"pkt":"xiwDYGpkTGr2n\/YnCABFAAA0PHBAAEAGfL\/AqAIQrNkSA5AYAbuCdQgtxrmESoAQAVcxKAAAAQEICv\/\/NJZRt9Th"}
-00813{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":153,"source":"android.pcap","alias":"nDPId-test","flow_id":27,"flow_packets_processed":4,"flow_first_seen":1582454868511,"flow_last_seen":1582454868936,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":195,"flow_tot_l4_payload_len":195,"flow_avg_l4_payload_len":48,"midstream":0,"ts_msec":1582454868936,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"172.217.18.3","src_port":36888,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"ConnCheck"},"tls": {"version":"TLSv1.2","client_requested_server_name":"connectivitycheck.gstatic.com","ja3":"d8c87b9bfde38897979e41242626c2f3","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"http\/1.1"}}
+00811{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":153,"source":"android.pcap","alias":"nDPId-test","flow_id":27,"flow_packets_processed":4,"flow_first_seen":1582454868511,"flow_last_seen":1582454868936,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":195,"flow_tot_l4_payload_len":195,"flow_avg_l4_payload_len":48,"midstream":0,"ts_msec":1582454868936,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"172.217.18.3","src_port":36888,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"ConnCheck"},"tls": {"version":"TLSv1.2","client_requested_server_name":"connectivitycheck.gstatic.com","ja3":"d8c87b9bfde38897979e41242626c2f3","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"http\/1.1"}}
00551{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":165,"source":"android.pcap","alias":"nDPId-test","flow_id":30,"flow_packets_processed":1,"flow_first_seen":1582454869361,"flow_last_seen":1582454869361,"flow_idle_time":180000,"flow_min_l4_payload_len":34,"flow_max_l4_payload_len":34,"flow_tot_l4_payload_len":34,"flow_avg_l4_payload_len":34,"midstream":0,"ts_msec":1582454869361,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"192.168.2.1","src_port":39008,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00476{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":165,"source":"android.pcap","alias":"nDPId-test","flow_id":30,"flow_packet_id":1,"flow_last_seen":1582454869361,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":76,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":76,"pkt_l4_len":42,"ts_msec":1582454869361,"pkt":"xiwDYGpkTGr2n\/YnCABFAAA+qnVAAEARCtjAqAIQwKgCAZhgADUAKv996DEBAAABAAAAAAAABW10YWxrBmdvb2dsZQNjb20AAAEAAQ=="}
00726{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":165,"source":"android.pcap","alias":"nDPId-test","flow_id":30,"flow_packets_processed":1,"flow_first_seen":1582454869361,"flow_last_seen":1582454869361,"flow_idle_time":180000,"flow_min_l4_payload_len":34,"flow_max_l4_payload_len":34,"flow_tot_l4_payload_len":34,"flow_avg_l4_payload_len":34,"midstream":0,"ts_msec":1582454869361,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"192.168.2.1","src_port":39008,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.GoogleServices","breed":"Acceptable","category":"Web"},"dns": {"query":"mtalk.google.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
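Review bot: The regenerated `detected` events for flows 28 and 27 (packet_id 140 and 153) still serialize `"cipher":"TLS_NULL_WITH_NULL_NULL"` together with `"unsafe_cipher":0` and `"ja3s":""`. The later `detection-update` events for flow 28 (packet_id 144 and 146) report `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256` and a populated `ja3s`, so the NULL suite is presumably an unset placeholder from before the ServerHello was parsed, not a negotiated cipher. A consumer that alerts on cipher names will either fire on every such early event or be tuned to ignore NULL suites altogether, which would hide a real one. I would have the emitter leave out `cipher` and `ja3s` until the server side has been seen, or at least state in `schema/flow_event_schema.json` that `TLS_NULL_WITH_NULL_NULL` with an empty `ja3s` means "not yet known". The emitting code is not part of this hunk, so this is inferred from the expected output only.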
@@ -148,11 +148,11 @@
00478{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":168,"source":"android.pcap","alias":"nDPId-test","flow_id":31,"flow_packet_id":1,"flow_last_seen":1582454869517,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1582454869517,"pkt":"xiwDYGpkTGr2n\/YnCABFAAA8ooxAAEAGf8\/AqAIQrNmozsTQAbv86pehAAAAAKAC\/\/+fWQAAAgQFtAQCCAr\/\/zUtAAAAAAEDAwg="}
00477{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":169,"source":"android.pcap","alias":"nDPId-test","flow_id":31,"flow_packet_id":2,"flow_last_seen":1582454869556,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1582454869556,"pkt":"TGr2n\/YnxiwDYGpkCABFAAA80VwAAHUGW\/+s2ajOwKgCEAG7xNCPRbjJ\/OqXoqAS6yAGLQAAAgQFZAQCCApmsf+J\/\/81LQEDAwg="}
00463{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":170,"source":"android.pcap","alias":"nDPId-test","flow_id":31,"flow_packet_id":3,"flow_last_seen":1582454869557,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1582454869557,"pkt":"xiwDYGpkTGr2n\/YnCABFAAA0oo1AAEAGf9bAqAIQrNmozsTQAbv86peij0W4yoAQAVceWQAAAQEICv\/\/NUhmsf+J"}
-00800{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":171,"source":"android.pcap","alias":"nDPId-test","flow_id":31,"flow_packets_processed":4,"flow_first_seen":1582454869517,"flow_last_seen":1582454869614,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":185,"flow_tot_l4_payload_len":185,"flow_avg_l4_payload_len":46,"midstream":0,"ts_msec":1582454869614,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"172.217.168.206","src_port":50384,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"app-measurement.com","ja3":"6ec2896feff5746955f700c0023f5804","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"http\/1.1"}}
+00798{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":171,"source":"android.pcap","alias":"nDPId-test","flow_id":31,"flow_packets_processed":4,"flow_first_seen":1582454869517,"flow_last_seen":1582454869614,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":185,"flow_tot_l4_payload_len":185,"flow_avg_l4_payload_len":46,"midstream":0,"ts_msec":1582454869614,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"172.217.168.206","src_port":50384,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"app-measurement.com","ja3":"6ec2896feff5746955f700c0023f5804","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"http\/1.1"}}
00553{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":172,"source":"android.pcap","alias":"nDPId-test","flow_id":32,"flow_packets_processed":1,"flow_first_seen":1582454869626,"flow_last_seen":1582454869626,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1582454869626,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"216.239.38.120","src_port":49510,"dst_port":5228,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00478{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":172,"source":"android.pcap","alias":"nDPId-test","flow_id":32,"flow_packet_id":1,"flow_last_seen":1582454869626,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1582454869626,"pkt":"xiwDYGpkTGr2n\/YnCABFAAA8g2ZAAEAG9TXAqAIQ2O8meMFmFGxVMrY\/AAAAAKAC\/\/9vQQAAAgQFtAQCCAr\/\/zVZAAAAAAEDAwg="}
-00857{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":174,"source":"android.pcap","alias":"nDPId-test","flow_id":31,"flow_packets_processed":6,"flow_first_seen":1582454869517,"flow_last_seen":1582454869657,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":1603,"flow_avg_l4_payload_len":267,"midstream":0,"ts_msec":1582454869657,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"172.217.168.206","src_port":50384,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"app-measurement.com","ja3":"6ec2896feff5746955f700c0023f5804","ja3s":"9d9ce860f1b1cbef07b019450cb368d8","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"http\/1.1"}}
-01351{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":176,"source":"android.pcap","alias":"nDPId-test","flow_id":31,"flow_packets_processed":8,"flow_first_seen":1582454869517,"flow_last_seen":1582454869657,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":3386,"flow_avg_l4_payload_len":423,"midstream":0,"ts_msec":1582454869657,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"172.217.168.206","src_port":50384,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"app-measurement.com","server_names":"*.google-analytics.com,*.fps.goog,app-measurement.com,fps.goog,google-analytics.com,googleoptimize.com,googletagmanager.com,service.urchin.com,ssl.google-analytics.com,urchin.com,www.google-analytics.com,www.googleoptimize.com,www.googletagmanager.com","ja3":"6ec2896feff5746955f700c0023f5804","ja3s":"9d9ce860f1b1cbef07b019450cb368d8","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Google Trust Services, CN=GTS CA 1O1","issuerDN":"C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.google-analytics.com","alpn":"http\/1.1","fingerprint":"B0:D9:D3:57:C2:34:87:2C:FB:F5:E6:BD:7F:9F:54:65:08:61:AF:01"}}
+00855{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":174,"source":"android.pcap","alias":"nDPId-test","flow_id":31,"flow_packets_processed":6,"flow_first_seen":1582454869517,"flow_last_seen":1582454869657,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":1603,"flow_avg_l4_payload_len":267,"midstream":0,"ts_msec":1582454869657,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"172.217.168.206","src_port":50384,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"app-measurement.com","ja3":"6ec2896feff5746955f700c0023f5804","ja3s":"9d9ce860f1b1cbef07b019450cb368d8","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"http\/1.1"}}
+01360{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":176,"source":"android.pcap","alias":"nDPId-test","flow_id":31,"flow_packets_processed":8,"flow_first_seen":1582454869517,"flow_last_seen":1582454869657,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":3386,"flow_avg_l4_payload_len":423,"midstream":0,"ts_msec":1582454869657,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"172.217.168.206","src_port":50384,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Advertisement"},"tls": {"version":"TLSv1.2","client_requested_server_name":"app-measurement.com","server_names":"*.google-analytics.com,*.fps.goog,app-measurement.com,fps.goog,google-analytics.com,googleoptimize.com,googletagmanager.com,service.urchin.com,ssl.google-analytics.com,urchin.com,www.google-analytics.com,www.googleoptimize.com,www.googletagmanager.com","ja3":"6ec2896feff5746955f700c0023f5804","ja3s":"9d9ce860f1b1cbef07b019450cb368d8","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Google Trust Services, CN=GTS CA 1O1","subjectDN":"C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.google-analytics.com","alpn":"http\/1.1","fingerprint":"B0:D9:D3:57:C2:34:87:2C:FB:F5:E6:BD:7F:9F:54:65:08:61:AF:01"}}
00478{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":199,"source":"android.pcap","alias":"nDPId-test","flow_id":32,"flow_packet_id":2,"flow_last_seen":1582454870649,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1582454870649,"pkt":"xiwDYGpkTGr2n\/YnCABFAAA8g2dAAEAG9TTAqAIQ2O8meMFmFGxVMrY\/AAAAAKAC\/\/9uQgAAAgQFtAQCCAr\/\/zZYAAAAAAEDAwg="}
00551{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":200,"source":"android.pcap","alias":"nDPId-test","flow_id":33,"flow_packets_processed":1,"flow_first_seen":1582454870996,"flow_last_seen":1582454870996,"flow_idle_time":180000,"flow_min_l4_payload_len":44,"flow_max_l4_payload_len":44,"flow_tot_l4_payload_len":44,"flow_avg_l4_payload_len":44,"midstream":0,"ts_msec":1582454870996,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"192.168.2.1","src_port":36613,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00488{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":200,"source":"android.pcap","alias":"nDPId-test","flow_id":33,"flow_packet_id":1,"flow_last_seen":1582454870996,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"ts_msec":1582454870996,"pkt":"xiwDYGpkTGr2n\/YnCABFAABIq6dAAEARCZzAqAIQwKgCAY8FADUANFCq5z4BAAABAAAAAAAAB2FuZHJvaWQHY2xpZW50cwZnb29nbGUDY29tAAABAAE="}
@@ -190,9 +190,9 @@
00907{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":220,"source":"android.pcap","alias":"nDPId-test","flow_id":34,"flow_packets_processed":4,"flow_first_seen":1582454871042,"flow_last_seen":1582454871105,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1582454871105,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"216.239.38.120","src_port":32986,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.PlayStore","breed":"Safe","category":"SoftwareUpdate"},"tls": {"version":"TLSv1.2","client_requested_server_name":"android.clients.google.com","ja3":"9c815150ea821166faecf80757d8826a","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00551{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":221,"source":"android.pcap","alias":"nDPId-test","flow_id":41,"flow_packets_processed":1,"flow_first_seen":1582454871115,"flow_last_seen":1582454871115,"flow_idle_time":180000,"flow_min_l4_payload_len":32,"flow_max_l4_payload_len":32,"flow_tot_l4_payload_len":32,"flow_avg_l4_payload_len":32,"midstream":0,"ts_msec":1582454871115,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"192.168.2.1","src_port":40580,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00472{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":221,"source":"android.pcap","alias":"nDPId-test","flow_id":41,"flow_packet_id":1,"flow_last_seen":1582454871115,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1582454871115,"pkt":"xiwDYGpkTGr2n\/YnCABFAAA8q7VAAEARCZrAqAIQwKgCAZ6EADUAKMiehDwBAAABAAAAAAAAA3d3dwZnb29nbGUDY29tAAABAAE="}
-00718{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":221,"source":"android.pcap","alias":"nDPId-test","flow_id":41,"flow_packets_processed":1,"flow_first_seen":1582454871115,"flow_last_seen":1582454871115,"flow_idle_time":180000,"flow_min_l4_payload_len":32,"flow_max_l4_payload_len":32,"flow_tot_l4_payload_len":32,"flow_avg_l4_payload_len":32,"midstream":0,"ts_msec":1582454871115,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"192.168.2.1","src_port":40580,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Tracker\/Ads","category":"Web"},"dns": {"query":"www.google.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
+00716{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":221,"source":"android.pcap","alias":"nDPId-test","flow_id":41,"flow_packets_processed":1,"flow_first_seen":1582454871115,"flow_last_seen":1582454871115,"flow_idle_time":180000,"flow_min_l4_payload_len":32,"flow_max_l4_payload_len":32,"flow_tot_l4_payload_len":32,"flow_avg_l4_payload_len":32,"midstream":0,"ts_msec":1582454871115,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"192.168.2.1","src_port":40580,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Acceptable","category":"Web"},"dns": {"query":"www.google.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
00492{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":223,"source":"android.pcap","alias":"nDPId-test","flow_id":41,"flow_packet_id":2,"flow_last_seen":1582454871117,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":90,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":90,"pkt_l4_len":56,"ts_msec":1582454871117,"pkt":"TGr2n\/YnxiwDYGpkCABFAABM2yQAAEARGhvAqAIBwKgCEAA1noQAOIeohDyBgAABAAEAAAAAA3d3dwZnb29nbGUDY29tAAABAAHADAABAAEAAADaAATY7yZ4"}
-00733{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":223,"source":"android.pcap","alias":"nDPId-test","flow_id":41,"flow_packets_processed":2,"flow_first_seen":1582454871115,"flow_last_seen":1582454871117,"flow_idle_time":180000,"flow_min_l4_payload_len":32,"flow_max_l4_payload_len":48,"flow_tot_l4_payload_len":80,"flow_avg_l4_payload_len":40,"midstream":0,"ts_msec":1582454871117,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"192.168.2.1","src_port":40580,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Tracker\/Ads","category":"Web"},"dns": {"query":"www.google.com","num_queries":1,"num_answers":1,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"216.239.38.120"}}
+00731{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":223,"source":"android.pcap","alias":"nDPId-test","flow_id":41,"flow_packets_processed":2,"flow_first_seen":1582454871115,"flow_last_seen":1582454871117,"flow_idle_time":180000,"flow_min_l4_payload_len":32,"flow_max_l4_payload_len":48,"flow_tot_l4_payload_len":80,"flow_avg_l4_payload_len":40,"midstream":0,"ts_msec":1582454871117,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"192.168.2.1","src_port":40580,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Acceptable","category":"Web"},"dns": {"query":"www.google.com","num_queries":1,"num_answers":1,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"216.239.38.120"}}
00476{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":225,"source":"android.pcap","alias":"nDPId-test","flow_id":39,"flow_packet_id":2,"flow_last_seen":1582454871128,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1582454871128,"pkt":"TGr2n\/YnxiwDYGpkCABFAAA83d0AAGcGtfGtwk9ywKgCEABQj+ImKPRybuhwKaAS87giVwAAAgQFlgQCCArBhO\/i\/\/82yQEDAwg="}
00466{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":226,"source":"android.pcap","alias":"nDPId-test","flow_id":39,"flow_packet_id":3,"flow_last_seen":1582454871130,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1582454871130,"pkt":"xiwDYGpkTGr2n\/YnCABFAAA0RuJAAEAGM\/XAqAIQrcJPco\/iAFBu6HApJij0c4AQAVdDYAAAAQEICv\/\/NtHBhO\/i"}
00836{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":227,"source":"android.pcap","alias":"nDPId-test","flow_id":39,"flow_packets_processed":4,"flow_first_seen":1582454871094,"flow_last_seen":1582454871131,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":297,"flow_tot_l4_payload_len":297,"flow_avg_l4_payload_len":74,"midstream":0,"ts_msec":1582454871131,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"173.194.79.114","src_port":36834,"dst_port":80,"l4_proto":"tcp","ndpi": {"proto":"HTTP.DataSaver","breed":"Fun","category":"Web"},"http": {"hostname":"check.googlezip.net","url":"check.googlezip.net\/connect","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (Linux; Android 9; Nokia 2.2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/79.0.3945.93 Mobile Safari\/537.36"}}
@@ -206,25 +206,25 @@
00475{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":246,"source":"android.pcap","alias":"nDPId-test","flow_id":42,"flow_packet_id":2,"flow_last_seen":1582454871166,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1582454871166,"pkt":"TGr2n\/YnxiwDYGpkCABFAAA82hIAAHUGqYnY7yZ4wKgCEAG7gOSVNE5IzGrsb6AS6yB0TQAAAgQFZAQCCArIBAje\/\/821wEDAwg="}
00463{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":249,"source":"android.pcap","alias":"nDPId-test","flow_id":42,"flow_packet_id":3,"flow_last_seen":1582454871167,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1582454871167,"pkt":"xiwDYGpkTGr2n\/YnCABFAAA02rpAAEAGnenAqAIQ2O8meIDkAbvMauxvlTROSYAQAVeMkAAAAQEICv\/\/NtvIBAje"}
00907{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":250,"source":"android.pcap","alias":"nDPId-test","flow_id":40,"flow_packets_processed":6,"flow_first_seen":1582454871103,"flow_last_seen":1582454871175,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":1935,"flow_avg_l4_payload_len":322,"midstream":0,"ts_msec":1582454871175,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"172.217.21.202","src_port":51928,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.DataSaver","breed":"Fun","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"datasaver.googleapis.com","ja3":"66918128f1b9b03303d77c6f2eefd128","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-00794{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":256,"source":"android.pcap","alias":"nDPId-test","flow_id":42,"flow_packets_processed":4,"flow_first_seen":1582454871152,"flow_last_seen":1582454871200,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":180,"flow_tot_l4_payload_len":180,"flow_avg_l4_payload_len":45,"midstream":0,"ts_msec":1582454871200,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"216.239.38.120","src_port":32996,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.google.com","ja3":"6ec2896feff5746955f700c0023f5804","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"http\/1.1"}}
+00792{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":256,"source":"android.pcap","alias":"nDPId-test","flow_id":42,"flow_packets_processed":4,"flow_first_seen":1582454871152,"flow_last_seen":1582454871200,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":180,"flow_tot_l4_payload_len":180,"flow_avg_l4_payload_len":45,"midstream":0,"ts_msec":1582454871200,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"216.239.38.120","src_port":32996,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.google.com","ja3":"6ec2896feff5746955f700c0023f5804","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"http\/1.1"}}
00907{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":257,"source":"android.pcap","alias":"nDPId-test","flow_id":37,"flow_packets_processed":4,"flow_first_seen":1582454871069,"flow_last_seen":1582454871207,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1582454871207,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"216.239.38.120","src_port":32988,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.PlayStore","breed":"Safe","category":"SoftwareUpdate"},"tls": {"version":"TLSv1.2","client_requested_server_name":"android.clients.google.com","ja3":"9c815150ea821166faecf80757d8826a","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-00853{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":260,"source":"android.pcap","alias":"nDPId-test","flow_id":42,"flow_packets_processed":6,"flow_first_seen":1582454871152,"flow_last_seen":1582454871230,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":1598,"flow_avg_l4_payload_len":266,"midstream":0,"ts_msec":1582454871230,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"216.239.38.120","src_port":32996,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.google.com","ja3":"6ec2896feff5746955f700c0023f5804","ja3s":"eca9b8f0f3eae50309eaf901cb822d9b","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","alpn":"http\/1.1"}}
-01102{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":261,"source":"android.pcap","alias":"nDPId-test","flow_id":42,"flow_packets_processed":7,"flow_first_seen":1582454871152,"flow_last_seen":1582454871230,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":2734,"flow_avg_l4_payload_len":390,"midstream":0,"ts_msec":1582454871230,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"216.239.38.120","src_port":32996,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.google.com","server_names":"www.google.com","ja3":"6ec2896feff5746955f700c0023f5804","ja3s":"eca9b8f0f3eae50309eaf901cb822d9b","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Google Trust Services, CN=GTS CA 1O1","issuerDN":"C=US, ST=California, L=Mountain View, O=Google LLC, CN=www.google.com","alpn":"http\/1.1","fingerprint":"32:07:6C:9F:96:7D:CE:82:15:C6:C5:7B:49:90:53:A1:CF:80:4F:B0"}}
+00851{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":260,"source":"android.pcap","alias":"nDPId-test","flow_id":42,"flow_packets_processed":6,"flow_first_seen":1582454871152,"flow_last_seen":1582454871230,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":1598,"flow_avg_l4_payload_len":266,"midstream":0,"ts_msec":1582454871230,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"216.239.38.120","src_port":32996,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.google.com","ja3":"6ec2896feff5746955f700c0023f5804","ja3s":"eca9b8f0f3eae50309eaf901cb822d9b","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","alpn":"http\/1.1"}}
+01101{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":261,"source":"android.pcap","alias":"nDPId-test","flow_id":42,"flow_packets_processed":7,"flow_first_seen":1582454871152,"flow_last_seen":1582454871230,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":2734,"flow_avg_l4_payload_len":390,"midstream":0,"ts_msec":1582454871230,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"216.239.38.120","src_port":32996,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.google.com","server_names":"www.google.com","ja3":"6ec2896feff5746955f700c0023f5804","ja3s":"eca9b8f0f3eae50309eaf901cb822d9b","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Google Trust Services, CN=GTS CA 1O1","subjectDN":"C=US, ST=California, L=Mountain View, O=Google LLC, CN=www.google.com","alpn":"http\/1.1","fingerprint":"32:07:6C:9F:96:7D:CE:82:15:C6:C5:7B:49:90:53:A1:CF:80:4F:B0"}}
00948{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":264,"source":"android.pcap","alias":"nDPId-test","flow_id":37,"flow_packets_processed":6,"flow_first_seen":1582454871069,"flow_last_seen":1582454871237,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":1935,"flow_avg_l4_payload_len":322,"midstream":0,"ts_msec":1582454871237,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"216.239.38.120","src_port":32988,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.PlayStore","breed":"Safe","category":"SoftwareUpdate"},"tls": {"version":"TLSv1.3","client_requested_server_name":"android.clients.google.com","ja3":"9c815150ea821166faecf80757d8826a","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00551{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":274,"source":"android.pcap","alias":"nDPId-test","flow_id":43,"flow_packets_processed":1,"flow_first_seen":1582454871292,"flow_last_seen":1582454871292,"flow_idle_time":180000,"flow_min_l4_payload_len":37,"flow_max_l4_payload_len":37,"flow_tot_l4_payload_len":37,"flow_avg_l4_payload_len":37,"midstream":0,"ts_msec":1582454871292,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"192.168.2.1","src_port":46359,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00480{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":274,"source":"android.pcap","alias":"nDPId-test","flow_id":43,"flow_packet_id":1,"flow_last_seen":1582454871292,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":79,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":79,"pkt_l4_len":45,"ts_msec":1582454871292,"pkt":"xiwDYGpkTGr2n\/YnCABFAABBq9RAAEARCXbAqAIQwKgCAbUXADUALUF1Da4BAAABAAAAAAAACGFjY291bnRzBmdvb2dsZQNjb20AAAEAAQ=="}
-00723{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":274,"source":"android.pcap","alias":"nDPId-test","flow_id":43,"flow_packets_processed":1,"flow_first_seen":1582454871292,"flow_last_seen":1582454871292,"flow_idle_time":180000,"flow_min_l4_payload_len":37,"flow_max_l4_payload_len":37,"flow_tot_l4_payload_len":37,"flow_avg_l4_payload_len":37,"midstream":0,"ts_msec":1582454871292,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"192.168.2.1","src_port":46359,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Tracker\/Ads","category":"Web"},"dns": {"query":"accounts.google.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
+00721{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":274,"source":"android.pcap","alias":"nDPId-test","flow_id":43,"flow_packets_processed":1,"flow_first_seen":1582454871292,"flow_last_seen":1582454871292,"flow_idle_time":180000,"flow_min_l4_payload_len":37,"flow_max_l4_payload_len":37,"flow_tot_l4_payload_len":37,"flow_avg_l4_payload_len":37,"midstream":0,"ts_msec":1582454871292,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"192.168.2.1","src_port":46359,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Acceptable","category":"Web"},"dns": {"query":"accounts.google.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
00500{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":276,"source":"android.pcap","alias":"nDPId-test","flow_id":43,"flow_packet_id":2,"flow_last_seen":1582454871294,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":95,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":95,"pkt_l4_len":61,"ts_msec":1582454871294,"pkt":"TGr2n\/YnxiwDYGpkCABFAABRfN0AAEAReF3AqAIBwKgCEAA1tRcAPWwTDa6BgAABAAEAAAAACGFjY291bnRzBmdvb2dsZQNjb20AAAEAAcAMAAEAAQAAANoABNjvJng="}
-00738{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":276,"source":"android.pcap","alias":"nDPId-test","flow_id":43,"flow_packets_processed":2,"flow_first_seen":1582454871292,"flow_last_seen":1582454871294,"flow_idle_time":180000,"flow_min_l4_payload_len":37,"flow_max_l4_payload_len":53,"flow_tot_l4_payload_len":90,"flow_avg_l4_payload_len":45,"midstream":0,"ts_msec":1582454871294,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"192.168.2.1","src_port":46359,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Tracker\/Ads","category":"Web"},"dns": {"query":"accounts.google.com","num_queries":1,"num_answers":1,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"216.239.38.120"}}
+00736{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":276,"source":"android.pcap","alias":"nDPId-test","flow_id":43,"flow_packets_processed":2,"flow_first_seen":1582454871292,"flow_last_seen":1582454871294,"flow_idle_time":180000,"flow_min_l4_payload_len":37,"flow_max_l4_payload_len":53,"flow_tot_l4_payload_len":90,"flow_avg_l4_payload_len":45,"midstream":0,"ts_msec":1582454871294,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"192.168.2.1","src_port":46359,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Acceptable","category":"Web"},"dns": {"query":"accounts.google.com","num_queries":1,"num_answers":1,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"216.239.38.120"}}
00552{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":280,"source":"android.pcap","alias":"nDPId-test","flow_id":44,"flow_packets_processed":1,"flow_first_seen":1582454871321,"flow_last_seen":1582454871321,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1582454871321,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"216.239.38.120","src_port":32998,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00478{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":280,"source":"android.pcap","alias":"nDPId-test","flow_id":44,"flow_packet_id":1,"flow_last_seen":1582454871321,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1582454871321,"pkt":"xiwDYGpkTGr2n\/YnCABFAAA8nfFAAEAG2qrAqAIQ2O8meIDmAbsuQarwAAAAAKAC\/\/\/zCgAAAgQFtAQCCAr\/\/zcBAAAAAAEDAwg="}
00475{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":284,"source":"android.pcap","alias":"nDPId-test","flow_id":44,"flow_packet_id":2,"flow_last_seen":1582454871334,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1582454871334,"pkt":"TGr2n\/YnxiwDYGpkCABFAAA8saEAAHUG0frY7yZ4wKgCEAG7gOY64cVhLkGq8aAS6yCKsAAAAgQFZAQCCAofL14G\/\/83AQEDAwg="}
00463{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":286,"source":"android.pcap","alias":"nDPId-test","flow_id":44,"flow_packet_id":3,"flow_last_seen":1582454871335,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1582454871335,"pkt":"xiwDYGpkTGr2n\/YnCABFAAA0nfJAAEAG2rHAqAIQ2O8meIDmAbsuQarxOuHFYoAQAVei8wAAAQEICv\/\/NwUfL14G"}
-00867{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":288,"source":"android.pcap","alias":"nDPId-test","flow_id":44,"flow_packets_processed":4,"flow_first_seen":1582454871321,"flow_last_seen":1582454871339,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1582454871339,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"216.239.38.120","src_port":32998,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"accounts.google.com","ja3":"66918128f1b9b03303d77c6f2eefd128","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+00865{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":288,"source":"android.pcap","alias":"nDPId-test","flow_id":44,"flow_packets_processed":4,"flow_first_seen":1582454871321,"flow_last_seen":1582454871339,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1582454871339,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"216.239.38.120","src_port":32998,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"accounts.google.com","ja3":"66918128f1b9b03303d77c6f2eefd128","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00551{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":291,"source":"android.pcap","alias":"nDPId-test","flow_id":45,"flow_packets_processed":1,"flow_first_seen":1582454871343,"flow_last_seen":1582454871343,"flow_idle_time":180000,"flow_min_l4_payload_len":52,"flow_max_l4_payload_len":52,"flow_tot_l4_payload_len":52,"flow_avg_l4_payload_len":52,"midstream":0,"ts_msec":1582454871343,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"192.168.2.1","src_port":35689,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00500{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":291,"source":"android.pcap","alias":"nDPId-test","flow_id":45,"flow_packet_id":1,"flow_last_seen":1582454871343,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":94,"pkt_l4_len":60,"ts_msec":1582454871343,"pkt":"xiwDYGpkTGr2n\/YnCABFAABQq9VAAEARCWbAqAIQwKgCAYtpADUAPJHqlgwBAAABAAAAAAAAE3NlbWFudGljbG9jYXRpb24tcGEKZ29vZ2xlYXBpcwNjb20AAAEAAQ=="}
00744{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":291,"source":"android.pcap","alias":"nDPId-test","flow_id":45,"flow_packets_processed":1,"flow_first_seen":1582454871343,"flow_last_seen":1582454871343,"flow_idle_time":180000,"flow_min_l4_payload_len":52,"flow_max_l4_payload_len":52,"flow_tot_l4_payload_len":52,"flow_avg_l4_payload_len":52,"midstream":0,"ts_msec":1582454871343,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"192.168.2.1","src_port":35689,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.GoogleServices","breed":"Acceptable","category":"Web"},"dns": {"query":"semanticlocation-pa.googleapis.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
-00908{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":298,"source":"android.pcap","alias":"nDPId-test","flow_id":44,"flow_packets_processed":7,"flow_first_seen":1582454871321,"flow_last_seen":1582454871370,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":1935,"flow_avg_l4_payload_len":276,"midstream":0,"ts_msec":1582454871370,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"216.239.38.120","src_port":32998,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"accounts.google.com","ja3":"66918128f1b9b03303d77c6f2eefd128","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+00906{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":298,"source":"android.pcap","alias":"nDPId-test","flow_id":44,"flow_packets_processed":7,"flow_first_seen":1582454871321,"flow_last_seen":1582454871370,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":1935,"flow_avg_l4_payload_len":276,"midstream":0,"ts_msec":1582454871370,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"216.239.38.120","src_port":32998,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"accounts.google.com","ja3":"66918128f1b9b03303d77c6f2eefd128","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00522{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":310,"source":"android.pcap","alias":"nDPId-test","flow_id":45,"flow_packet_id":2,"flow_last_seen":1582454871383,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":110,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":110,"pkt_l4_len":76,"ts_msec":1582454871383,"pkt":"TGr2n\/YnxiwDYGpkCABFAABgqGIAAEARTMnAqAIBwKgCEAA1i2kATI9glgyBgAABAAEAAAAAE3NlbWFudGljbG9jYXRpb24tcGEKZ29vZ2xlYXBpcwNjb20AAAEAAcAMAAEAAQAAALIABKzZFEo="}
00759{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":310,"source":"android.pcap","alias":"nDPId-test","flow_id":45,"flow_packets_processed":2,"flow_first_seen":1582454871343,"flow_last_seen":1582454871383,"flow_idle_time":180000,"flow_min_l4_payload_len":52,"flow_max_l4_payload_len":68,"flow_tot_l4_payload_len":120,"flow_avg_l4_payload_len":60,"midstream":0,"ts_msec":1582454871383,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"192.168.2.1","src_port":35689,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.GoogleServices","breed":"Acceptable","category":"Web"},"dns": {"query":"semanticlocation-pa.googleapis.com","num_queries":1,"num_answers":1,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"172.217.20.74"}}
00551{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":324,"source":"android.pcap","alias":"nDPId-test","flow_id":46,"flow_packets_processed":1,"flow_first_seen":1582454871496,"flow_last_seen":1582454871496,"flow_idle_time":180000,"flow_min_l4_payload_len":37,"flow_max_l4_payload_len":37,"flow_tot_l4_payload_len":37,"flow_avg_l4_payload_len":37,"midstream":0,"ts_msec":1582454871496,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"192.168.2.1","src_port":22850,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
@@ -238,22 +238,22 @@
00465{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":337,"source":"android.pcap","alias":"nDPId-test","flow_id":47,"flow_packet_id":3,"flow_last_seen":1582454871592,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1582454871592,"pkt":"xiwDYGpkTGr2n\/YnCABFAAA0o7dAAEAGEy\/AqAIQrNkUTKpyAbt9gJSOD\/piSoAQAVcYYgAAAQEICv\/\/N0WRSuAV"}
00551{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":338,"source":"android.pcap","alias":"nDPId-test","flow_id":48,"flow_packets_processed":1,"flow_first_seen":1582454871600,"flow_last_seen":1582454871600,"flow_idle_time":180000,"flow_min_l4_payload_len":37,"flow_max_l4_payload_len":37,"flow_tot_l4_payload_len":37,"flow_avg_l4_payload_len":37,"midstream":0,"ts_msec":1582454871600,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"192.168.2.1","src_port":58892,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00482{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":338,"source":"android.pcap","alias":"nDPId-test","flow_id":48,"flow_packet_id":1,"flow_last_seen":1582454871600,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":79,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":79,"pkt_l4_len":45,"ts_msec":1582454871600,"pkt":"xiwDYGpkTGr2n\/YnCABFAABBq\/ZAAEARCVTAqAIQwKgCAeYMADUALTc\/5u4BAAABAAAAAAAACGFjY291bnRzBmdvb2dsZQNjb20AAAEAAQ=="}
-00723{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":338,"source":"android.pcap","alias":"nDPId-test","flow_id":48,"flow_packets_processed":1,"flow_first_seen":1582454871600,"flow_last_seen":1582454871600,"flow_idle_time":180000,"flow_min_l4_payload_len":37,"flow_max_l4_payload_len":37,"flow_tot_l4_payload_len":37,"flow_avg_l4_payload_len":37,"midstream":0,"ts_msec":1582454871600,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"192.168.2.1","src_port":58892,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Tracker\/Ads","category":"Web"},"dns": {"query":"accounts.google.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
+00721{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":338,"source":"android.pcap","alias":"nDPId-test","flow_id":48,"flow_packets_processed":1,"flow_first_seen":1582454871600,"flow_last_seen":1582454871600,"flow_idle_time":180000,"flow_min_l4_payload_len":37,"flow_max_l4_payload_len":37,"flow_tot_l4_payload_len":37,"flow_avg_l4_payload_len":37,"midstream":0,"ts_msec":1582454871600,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"192.168.2.1","src_port":58892,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Acceptable","category":"Web"},"dns": {"query":"accounts.google.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
00500{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":339,"source":"android.pcap","alias":"nDPId-test","flow_id":48,"flow_packet_id":2,"flow_last_seen":1582454871601,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":95,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":95,"pkt_l4_len":61,"ts_msec":1582454871601,"pkt":"TGr2n\/YnxiwDYGpkCABFAABRUPMAAEARpEfAqAIBwKgCEAA15gwAPWHd5u6BgAABAAEAAAAACGFjY291bnRzBmdvb2dsZQNjb20AAAEAAcAMAAEAAQAAANoABNjvJng="}
-00738{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":339,"source":"android.pcap","alias":"nDPId-test","flow_id":48,"flow_packets_processed":2,"flow_first_seen":1582454871600,"flow_last_seen":1582454871601,"flow_idle_time":180000,"flow_min_l4_payload_len":37,"flow_max_l4_payload_len":53,"flow_tot_l4_payload_len":90,"flow_avg_l4_payload_len":45,"midstream":0,"ts_msec":1582454871601,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"192.168.2.1","src_port":58892,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Tracker\/Ads","category":"Web"},"dns": {"query":"accounts.google.com","num_queries":1,"num_answers":1,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"216.239.38.120"}}
+00736{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":339,"source":"android.pcap","alias":"nDPId-test","flow_id":48,"flow_packets_processed":2,"flow_first_seen":1582454871600,"flow_last_seen":1582454871601,"flow_idle_time":180000,"flow_min_l4_payload_len":37,"flow_max_l4_payload_len":53,"flow_tot_l4_payload_len":90,"flow_avg_l4_payload_len":45,"midstream":0,"ts_msec":1582454871601,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"192.168.2.1","src_port":58892,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Acceptable","category":"Web"},"dns": {"query":"accounts.google.com","num_queries":1,"num_answers":1,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"216.239.38.120"}}
00860{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":340,"source":"android.pcap","alias":"nDPId-test","flow_id":47,"flow_packets_processed":4,"flow_first_seen":1582454871553,"flow_last_seen":1582454871614,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1582454871614,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"172.217.20.76","src_port":43634,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.DataSaver","breed":"Fun","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"proxy.googlezip.net","ja3":"66918128f1b9b03303d77c6f2eefd128","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00552{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":342,"source":"android.pcap","alias":"nDPId-test","flow_id":49,"flow_packets_processed":1,"flow_first_seen":1582454871623,"flow_last_seen":1582454871623,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1582454871623,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"216.239.38.120","src_port":33002,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00477{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":342,"source":"android.pcap","alias":"nDPId-test","flow_id":49,"flow_packet_id":1,"flow_last_seen":1582454871623,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1582454871623,"pkt":"xiwDYGpkTGr2n\/YnCABFAAA8E0lAAEAGZVPAqAIQ2O8meIDqAbtXpCQEAAAAAKAC\/\/9QRAAAAgQFtAQCCAr\/\/zdNAAAAAAEDAwg="}
00475{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":345,"source":"android.pcap","alias":"nDPId-test","flow_id":49,"flow_packet_id":2,"flow_last_seen":1582454871636,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1582454871636,"pkt":"TGr2n\/YnxiwDYGpkCABFAAA8YK4AAHYGIe7Y7yZ4wKgCEAG7gOoEIWijV6QkBaAS6yBQGwAAAgQFZAQCCAqpXP8l\/\/83TQEDAwg="}
00463{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":347,"source":"android.pcap","alias":"nDPId-test","flow_id":49,"flow_packet_id":3,"flow_last_seen":1582454871641,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1582454871641,"pkt":"xiwDYGpkTGr2n\/YnCABFAAA0E0pAAEAGZVrAqAIQ2O8meIDqAbtXpCQFBCFopIAQAVdoXgAAAQEICv\/\/N1GpXP8l"}
00901{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":349,"source":"android.pcap","alias":"nDPId-test","flow_id":47,"flow_packets_processed":7,"flow_first_seen":1582454871553,"flow_last_seen":1582454871657,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":1935,"flow_avg_l4_payload_len":276,"midstream":0,"ts_msec":1582454871657,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"172.217.20.76","src_port":43634,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.DataSaver","breed":"Fun","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"proxy.googlezip.net","ja3":"66918128f1b9b03303d77c6f2eefd128","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-00867{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":357,"source":"android.pcap","alias":"nDPId-test","flow_id":49,"flow_packets_processed":4,"flow_first_seen":1582454871623,"flow_last_seen":1582454871671,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1582454871671,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"216.239.38.120","src_port":33002,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"accounts.google.com","ja3":"66918128f1b9b03303d77c6f2eefd128","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+00865{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":357,"source":"android.pcap","alias":"nDPId-test","flow_id":49,"flow_packets_processed":4,"flow_first_seen":1582454871623,"flow_last_seen":1582454871671,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1582454871671,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"216.239.38.120","src_port":33002,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"accounts.google.com","ja3":"66918128f1b9b03303d77c6f2eefd128","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00551{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":358,"source":"android.pcap","alias":"nDPId-test","flow_id":50,"flow_packets_processed":1,"flow_first_seen":1582454871676,"flow_last_seen":1582454871676,"flow_idle_time":180000,"flow_min_l4_payload_len":37,"flow_max_l4_payload_len":37,"flow_tot_l4_payload_len":37,"flow_avg_l4_payload_len":37,"midstream":0,"ts_msec":1582454871676,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"192.168.2.1","src_port":33240,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00480{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":358,"source":"android.pcap","alias":"nDPId-test","flow_id":50,"flow_packet_id":1,"flow_last_seen":1582454871676,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":79,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":79,"pkt_l4_len":45,"ts_msec":1582454871676,"pkt":"xiwDYGpkTGr2n\/YnCABFAABBrABAAEARCUrAqAIQwKgCAYHYADUALeidI0IBAAABAAAAAAAABWNoZWNrCWdvb2dsZXppcANuZXQAAAEAAQ=="}
00717{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":358,"source":"android.pcap","alias":"nDPId-test","flow_id":50,"flow_packets_processed":1,"flow_first_seen":1582454871676,"flow_last_seen":1582454871676,"flow_idle_time":180000,"flow_min_l4_payload_len":37,"flow_max_l4_payload_len":37,"flow_tot_l4_payload_len":37,"flow_avg_l4_payload_len":37,"midstream":0,"ts_msec":1582454871676,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"192.168.2.1","src_port":33240,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.DataSaver","breed":"Fun","category":"Web"},"dns": {"query":"check.googlezip.net","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
00500{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":359,"source":"android.pcap","alias":"nDPId-test","flow_id":50,"flow_packet_id":2,"flow_last_seen":1582454871677,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":95,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":95,"pkt_l4_len":61,"ts_msec":1582454871677,"pkt":"TGr2n\/YnxiwDYGpkCABFAABRtlYAAEARPuTAqAIBwKgCEAA1gdgAPR0+I0KBgAABAAEAAAAABWNoZWNrCWdvb2dsZXppcANuZXQAAAEAAcAMAAEAAQAAAQMABK3CT3I="}
00732{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":359,"source":"android.pcap","alias":"nDPId-test","flow_id":50,"flow_packets_processed":2,"flow_first_seen":1582454871676,"flow_last_seen":1582454871677,"flow_idle_time":180000,"flow_min_l4_payload_len":37,"flow_max_l4_payload_len":53,"flow_tot_l4_payload_len":90,"flow_avg_l4_payload_len":45,"midstream":0,"ts_msec":1582454871677,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"192.168.2.1","src_port":33240,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.DataSaver","breed":"Fun","category":"Web"},"dns": {"query":"check.googlezip.net","num_queries":1,"num_answers":1,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"173.194.79.114"}}
-00908{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":361,"source":"android.pcap","alias":"nDPId-test","flow_id":49,"flow_packets_processed":6,"flow_first_seen":1582454871623,"flow_last_seen":1582454871702,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":1935,"flow_avg_l4_payload_len":322,"midstream":0,"ts_msec":1582454871702,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"216.239.38.120","src_port":33002,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"accounts.google.com","ja3":"66918128f1b9b03303d77c6f2eefd128","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+00906{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":361,"source":"android.pcap","alias":"nDPId-test","flow_id":49,"flow_packets_processed":6,"flow_first_seen":1582454871623,"flow_last_seen":1582454871702,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":1935,"flow_avg_l4_payload_len":322,"midstream":0,"ts_msec":1582454871702,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"216.239.38.120","src_port":33002,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"accounts.google.com","ja3":"66918128f1b9b03303d77c6f2eefd128","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00551{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":367,"source":"android.pcap","alias":"nDPId-test","flow_id":51,"flow_packets_processed":1,"flow_first_seen":1582454871741,"flow_last_seen":1582454871741,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1582454871741,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"172.217.20.74","src_port":52514,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00477{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":367,"source":"android.pcap","alias":"nDPId-test","flow_id":51,"flow_packet_id":1,"flow_last_seen":1582454871741,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1582454871741,"pkt":"xiwDYGpkTGr2n\/YnCABFAAA8FotAAEAGoFXAqAIQrNkUSs0iAbsOnCHhAAAAAKAC\/\/+NXgAAAgQFtAQCCAr\/\/zdqAAAAAAEDAwg="}
00551{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":368,"source":"android.pcap","alias":"nDPId-test","flow_id":52,"flow_packets_processed":1,"flow_first_seen":1582454871745,"flow_last_seen":1582454871745,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1582454871745,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"173.194.79.114","src_port":36848,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -281,9 +281,9 @@
00731{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":384,"source":"android.pcap","alias":"nDPId-test","flow_id":56,"flow_packets_processed":2,"flow_first_seen":1582454871823,"flow_last_seen":1582454871824,"flow_idle_time":180000,"flow_min_l4_payload_len":37,"flow_max_l4_payload_len":53,"flow_tot_l4_payload_len":90,"flow_avg_l4_payload_len":45,"midstream":0,"ts_msec":1582454871824,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"192.168.2.1","src_port":10677,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.DataSaver","breed":"Fun","category":"Web"},"dns": {"query":"proxy.googlezip.net","num_queries":1,"num_answers":1,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"172.217.20.76"}}
00551{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":385,"source":"android.pcap","alias":"nDPId-test","flow_id":57,"flow_packets_processed":1,"flow_first_seen":1582454871827,"flow_last_seen":1582454871827,"flow_idle_time":180000,"flow_min_l4_payload_len":32,"flow_max_l4_payload_len":32,"flow_tot_l4_payload_len":32,"flow_avg_l4_payload_len":32,"midstream":0,"ts_msec":1582454871827,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"192.168.2.1","src_port":32832,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00472{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":385,"source":"android.pcap","alias":"nDPId-test","flow_id":57,"flow_packet_id":1,"flow_last_seen":1582454871827,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1582454871827,"pkt":"xiwDYGpkTGr2n\/YnCABFAAA8rCNAAEARCSzAqAIQwKgCAYBAADUAKPh7cqMBAAABAAAAAAAAA3d3dwZnb29nbGUDY29tAAABAAE="}
-00718{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":385,"source":"android.pcap","alias":"nDPId-test","flow_id":57,"flow_packets_processed":1,"flow_first_seen":1582454871827,"flow_last_seen":1582454871827,"flow_idle_time":180000,"flow_min_l4_payload_len":32,"flow_max_l4_payload_len":32,"flow_tot_l4_payload_len":32,"flow_avg_l4_payload_len":32,"midstream":0,"ts_msec":1582454871827,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"192.168.2.1","src_port":32832,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Tracker\/Ads","category":"Web"},"dns": {"query":"www.google.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
+00716{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":385,"source":"android.pcap","alias":"nDPId-test","flow_id":57,"flow_packets_processed":1,"flow_first_seen":1582454871827,"flow_last_seen":1582454871827,"flow_idle_time":180000,"flow_min_l4_payload_len":32,"flow_max_l4_payload_len":32,"flow_tot_l4_payload_len":32,"flow_avg_l4_payload_len":32,"midstream":0,"ts_msec":1582454871827,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"192.168.2.1","src_port":32832,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Acceptable","category":"Web"},"dns": {"query":"www.google.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
00492{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":386,"source":"android.pcap","alias":"nDPId-test","flow_id":57,"flow_packet_id":2,"flow_last_seen":1582454871827,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":90,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":90,"pkt_l4_len":56,"ts_msec":1582454871827,"pkt":"TGr2n\/YnxiwDYGpkCABFAABMd48AAEARfbDAqAIBwKgCEAA1gEAAOLeFcqOBgAABAAEAAAAAA3d3dwZnb29nbGUDY29tAAABAAHADAABAAEAAADaAATY7yZ4"}
-00733{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":386,"source":"android.pcap","alias":"nDPId-test","flow_id":57,"flow_packets_processed":2,"flow_first_seen":1582454871827,"flow_last_seen":1582454871827,"flow_idle_time":180000,"flow_min_l4_payload_len":32,"flow_max_l4_payload_len":48,"flow_tot_l4_payload_len":80,"flow_avg_l4_payload_len":40,"midstream":0,"ts_msec":1582454871827,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"192.168.2.1","src_port":32832,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Tracker\/Ads","category":"Web"},"dns": {"query":"www.google.com","num_queries":1,"num_answers":1,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"216.239.38.120"}}
+00731{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":386,"source":"android.pcap","alias":"nDPId-test","flow_id":57,"flow_packets_processed":2,"flow_first_seen":1582454871827,"flow_last_seen":1582454871827,"flow_idle_time":180000,"flow_min_l4_payload_len":32,"flow_max_l4_payload_len":48,"flow_tot_l4_payload_len":80,"flow_avg_l4_payload_len":40,"midstream":0,"ts_msec":1582454871827,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"192.168.2.1","src_port":32832,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Acceptable","category":"Web"},"dns": {"query":"www.google.com","num_queries":1,"num_answers":1,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"216.239.38.120"}}
00551{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":387,"source":"android.pcap","alias":"nDPId-test","flow_id":58,"flow_packets_processed":1,"flow_first_seen":1582454871829,"flow_last_seen":1582454871829,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1582454871829,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"172.217.20.76","src_port":43646,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00477{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":387,"source":"android.pcap","alias":"nDPId-test","flow_id":58,"flow_packet_id":1,"flow_last_seen":1582454871829,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1582454871829,"pkt":"xiwDYGpkTGr2n\/YnCABFAAA8SmpAAEAGbHTAqAIQrNkUTKp+Abul3n3qAAAAAKAC\/\/+8ngAAAgQFtAQCCAr\/\/zeAAAAAAAEDAwg="}
00552{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":389,"source":"android.pcap","alias":"nDPId-test","flow_id":59,"flow_packets_processed":1,"flow_first_seen":1582454871839,"flow_last_seen":1582454871839,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1582454871839,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"216.239.38.120","src_port":33014,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -295,12 +295,12 @@
00475{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":401,"source":"android.pcap","alias":"nDPId-test","flow_id":58,"flow_packet_id":2,"flow_last_seen":1582454871867,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1582454871867,"pkt":"TGr2n\/YnxiwDYGpkCABFAAA8+7cAAHUGxias2RRMwKgCEAG7qn7jcCu5pd5966AS6yBHnwAAAgQFZAQCCArp2ZEZ\/\/83gAEDAwg="}
00463{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":403,"source":"android.pcap","alias":"nDPId-test","flow_id":58,"flow_packet_id":3,"flow_last_seen":1582454871873,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1582454871873,"pkt":"xiwDYGpkTGr2n\/YnCABFAAA0SmtAAEAGbHvAqAIQrNkUTKp+Abul3n3r43AruoAQAVdf2wAAAQEICv\/\/N4vp2ZEZ"}
00866{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":404,"source":"android.pcap","alias":"nDPId-test","flow_id":55,"flow_packets_processed":4,"flow_first_seen":1582454871814,"flow_last_seen":1582454871879,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":594,"flow_tot_l4_payload_len":594,"flow_avg_l4_payload_len":148,"midstream":0,"ts_msec":1582454871879,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"172.217.21.202","src_port":51944,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.DataSaver","breed":"Fun","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"datasaver.googleapis.com","ja3":"554719594ba90b02ae410c297c6e50ad","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-00862{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":405,"source":"android.pcap","alias":"nDPId-test","flow_id":59,"flow_packets_processed":4,"flow_first_seen":1582454871839,"flow_last_seen":1582454871880,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1582454871880,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"216.239.38.120","src_port":33014,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.google.com","ja3":"66918128f1b9b03303d77c6f2eefd128","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+00860{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":405,"source":"android.pcap","alias":"nDPId-test","flow_id":59,"flow_packets_processed":4,"flow_first_seen":1582454871839,"flow_last_seen":1582454871880,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1582454871880,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"216.239.38.120","src_port":33014,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.google.com","ja3":"66918128f1b9b03303d77c6f2eefd128","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00551{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":406,"source":"android.pcap","alias":"nDPId-test","flow_id":60,"flow_packets_processed":1,"flow_first_seen":1582454871881,"flow_last_seen":1582454871881,"flow_idle_time":180000,"flow_min_l4_payload_len":40,"flow_max_l4_payload_len":40,"flow_tot_l4_payload_len":40,"flow_avg_l4_payload_len":40,"midstream":0,"ts_msec":1582454871881,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"192.168.2.1","src_port":39760,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00484{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":406,"source":"android.pcap","alias":"nDPId-test","flow_id":60,"flow_packet_id":1,"flow_last_seen":1582454871881,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":82,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":82,"pkt_l4_len":48,"ts_msec":1582454871881,"pkt":"xiwDYGpkTGr2n\/YnCABFAABErDBAAEARCRfAqAIQwKgCAZtQADUAMNjjuKUBAAABAAAAAAAAB2FuZHJvaWQKZ29vZ2xlYXBpcwNjb20AAAEAAQ=="}
00732{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":406,"source":"android.pcap","alias":"nDPId-test","flow_id":60,"flow_packets_processed":1,"flow_first_seen":1582454871881,"flow_last_seen":1582454871881,"flow_idle_time":180000,"flow_min_l4_payload_len":40,"flow_max_l4_payload_len":40,"flow_tot_l4_payload_len":40,"flow_avg_l4_payload_len":40,"midstream":0,"ts_msec":1582454871881,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"192.168.2.1","src_port":39760,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.GoogleServices","breed":"Acceptable","category":"Web"},"dns": {"query":"android.googleapis.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
00860{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":408,"source":"android.pcap","alias":"nDPId-test","flow_id":58,"flow_packets_processed":4,"flow_first_seen":1582454871829,"flow_last_seen":1582454871890,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1582454871890,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"172.217.20.76","src_port":43646,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.DataSaver","breed":"Fun","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"proxy.googlezip.net","ja3":"66918128f1b9b03303d77c6f2eefd128","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-00903{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":434,"source":"android.pcap","alias":"nDPId-test","flow_id":59,"flow_packets_processed":6,"flow_first_seen":1582454871839,"flow_last_seen":1582454871911,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":1935,"flow_avg_l4_payload_len":322,"midstream":0,"ts_msec":1582454871911,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"216.239.38.120","src_port":33014,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"www.google.com","ja3":"66918128f1b9b03303d77c6f2eefd128","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+00901{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":434,"source":"android.pcap","alias":"nDPId-test","flow_id":59,"flow_packets_processed":6,"flow_first_seen":1582454871839,"flow_last_seen":1582454871911,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":1935,"flow_avg_l4_payload_len":322,"midstream":0,"ts_msec":1582454871911,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"216.239.38.120","src_port":33014,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"www.google.com","ja3":"66918128f1b9b03303d77c6f2eefd128","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00905{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":437,"source":"android.pcap","alias":"nDPId-test","flow_id":55,"flow_packets_processed":6,"flow_first_seen":1582454871814,"flow_last_seen":1582454871913,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":594,"flow_tot_l4_payload_len":806,"flow_avg_l4_payload_len":134,"midstream":0,"ts_msec":1582454871913,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"172.217.21.202","src_port":51944,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.DataSaver","breed":"Fun","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"datasaver.googleapis.com","ja3":"554719594ba90b02ae410c297c6e50ad","ja3s":"2b0648ab686ee45e0e7c35fcfb0eea7e","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00504{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":441,"source":"android.pcap","alias":"nDPId-test","flow_id":60,"flow_packet_id":2,"flow_last_seen":1582454871920,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":98,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":98,"pkt_l4_len":64,"ts_msec":1582454871920,"pkt":"TGr2n\/YnxiwDYGpkCABFAABUFXQAAEAR38PAqAIBwKgCEAA1m1AAQNQ0uKWBgAABAAEAAAAAB2FuZHJvaWQKZ29vZ2xlYXBpcwNjb20AAAEAAcAMAAEAAQAAARcABKzZFgo="}
00746{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":441,"source":"android.pcap","alias":"nDPId-test","flow_id":60,"flow_packets_processed":2,"flow_first_seen":1582454871881,"flow_last_seen":1582454871920,"flow_idle_time":180000,"flow_min_l4_payload_len":40,"flow_max_l4_payload_len":56,"flow_tot_l4_payload_len":96,"flow_avg_l4_payload_len":48,"midstream":0,"ts_msec":1582454871920,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"192.168.2.1","src_port":39760,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.GoogleServices","breed":"Acceptable","category":"Web"},"dns": {"query":"android.googleapis.com","num_queries":1,"num_answers":1,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"172.217.22.10"}}
@@ -363,7 +363,7 @@
00552{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":500,"source":"android.pcap","alias":"nDPId-test","flow_id":50,"flow_packets_processed":2,"flow_first_seen":1582454871676,"flow_last_seen":1582454871677,"flow_idle_time":180000,"flow_min_l4_payload_len":37,"flow_max_l4_payload_len":53,"flow_tot_l4_payload_len":90,"flow_avg_l4_payload_len":45,"midstream":0,"ts_msec":1582454872047,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"192.168.2.1","src_port":33240,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00559{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":500,"source":"android.pcap","alias":"nDPId-test","flow_id":39,"flow_packets_processed":13,"flow_first_seen":1582454871094,"flow_last_seen":1582454871395,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":458,"flow_tot_l4_payload_len":1510,"flow_avg_l4_payload_len":116,"midstream":0,"ts_msec":1582454872047,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"173.194.79.114","src_port":36834,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00558{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":500,"source":"android.pcap","alias":"nDPId-test","flow_id":52,"flow_packets_processed":7,"flow_first_seen":1582454871745,"flow_last_seen":1582454871859,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":458,"flow_tot_l4_payload_len":755,"flow_avg_l4_payload_len":107,"midstream":0,"ts_msec":1582454872047,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"173.194.79.114","src_port":36848,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
-00599{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":500,"source":"android.pcap","alias":"nDPId-test","flow_id":53,"flow_packets_processed":3,"flow_first_seen":1582454871772,"flow_last_seen":1582454871808,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1582454872047,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"173.194.79.114","src_port":36850,"dst_port":80,"l4_proto":"tcp","ndpi": {"proto":"HTTP.Google","breed":"Tracker\/Ads","category":"Web"},"http": {}}
+00597{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":500,"source":"android.pcap","alias":"nDPId-test","flow_id":53,"flow_packets_processed":3,"flow_first_seen":1582454871772,"flow_last_seen":1582454871808,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1582454872047,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"173.194.79.114","src_port":36850,"dst_port":80,"l4_proto":"tcp","ndpi": {"proto":"HTTP.Google","breed":"Acceptable","category":"Web"},"http": {}}
00552{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":500,"source":"android.pcap","alias":"nDPId-test","flow_id":53,"flow_packets_processed":3,"flow_first_seen":1582454871772,"flow_last_seen":1582454871808,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1582454872047,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"173.194.79.114","src_port":36850,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00556{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":500,"source":"android.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":3,"flow_first_seen":1582454796360,"flow_last_seen":1582454856384,"flow_idle_time":180000,"flow_min_l4_payload_len":44,"flow_max_l4_payload_len":44,"flow_tot_l4_payload_len":132,"flow_avg_l4_payload_len":44,"midstream":0,"ts_msec":1582454872047,"l3_proto":"ip4","src_ip":"192.168.2.1","dst_ip":"192.168.2.255","src_port":57621,"dst_port":57621,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00560{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":500,"source":"android.pcap","alias":"nDPId-test","flow_id":27,"flow_packets_processed":16,"flow_first_seen":1582454868511,"flow_last_seen":1582454870126,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":4841,"flow_avg_l4_payload_len":302,"midstream":0,"ts_msec":1582454872047,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"172.217.18.3","src_port":36888,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -375,13 +375,13 @@
00552{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":500,"source":"android.pcap","alias":"nDPId-test","flow_id":62,"flow_packets_processed":2,"flow_first_seen":1582454872021,"flow_last_seen":1582454872022,"flow_idle_time":180000,"flow_min_l4_payload_len":37,"flow_max_l4_payload_len":53,"flow_tot_l4_payload_len":90,"flow_avg_l4_payload_len":45,"midstream":0,"ts_msec":1582454872047,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"192.168.2.1","src_port":56312,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00574{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":500,"source":"android.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1582454769772,"flow_last_seen":1582454769772,"flow_idle_time":7440000,"flow_min_l4_payload_len":24,"flow_max_l4_payload_len":24,"flow_tot_l4_payload_len":24,"flow_avg_l4_payload_len":24,"midstream":1,"ts_msec":1582454872047,"l3_proto":"ip4","src_ip":"95.101.24.53","dst_ip":"192.168.2.17","src_port":443,"dst_port":50677,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"}}
00554{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":500,"source":"android.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1582454769772,"flow_last_seen":1582454769772,"flow_idle_time":7440000,"flow_min_l4_payload_len":24,"flow_max_l4_payload_len":24,"flow_tot_l4_payload_len":24,"flow_avg_l4_payload_len":24,"midstream":1,"ts_msec":1582454872047,"l3_proto":"ip4","src_ip":"95.101.24.53","dst_ip":"192.168.2.17","src_port":443,"dst_port":50677,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
-00585{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":500,"source":"android.pcap","alias":"nDPId-test","flow_id":32,"flow_packets_processed":2,"flow_first_seen":1582454869626,"flow_last_seen":1582454870649,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1582454872047,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"216.239.38.120","src_port":49510,"dst_port":5228,"l4_proto":"tcp","ndpi": {"proto":"Google","breed":"Tracker\/Ads","category":"Web"}}
+00583{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":500,"source":"android.pcap","alias":"nDPId-test","flow_id":32,"flow_packets_processed":2,"flow_first_seen":1582454869626,"flow_last_seen":1582454870649,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1582454872047,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"216.239.38.120","src_port":49510,"dst_port":5228,"l4_proto":"tcp","ndpi": {"proto":"Google","breed":"Acceptable","category":"Web"}}
00554{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":500,"source":"android.pcap","alias":"nDPId-test","flow_id":32,"flow_packets_processed":2,"flow_first_seen":1582454869626,"flow_last_seen":1582454870649,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1582454872047,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"216.239.38.120","src_port":49510,"dst_port":5228,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00532{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":500,"source":"android.pcap","alias":"nDPId-test","flow_id":17,"flow_packets_processed":2,"flow_first_seen":1582454866803,"flow_last_seen":1582454871058,"flow_idle_time":120000,"flow_min_l4_payload_len":16,"flow_max_l4_payload_len":16,"flow_tot_l4_payload_len":32,"flow_avg_l4_payload_len":16,"midstream":0,"ts_msec":1582454872047,"l3_proto":"ip6","src_ip":"fe80::4e6a:f6ff:fe9f:f627","dst_ip":"ff02::2","l4_proto":"icmp6","flow_datalink":1,"flow_max_packets":3}
00533{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":500,"source":"android.pcap","alias":"nDPId-test","flow_id":16,"flow_packets_processed":2,"flow_first_seen":1582454866803,"flow_last_seen":1582454866894,"flow_idle_time":120000,"flow_min_l4_payload_len":28,"flow_max_l4_payload_len":28,"flow_tot_l4_payload_len":56,"flow_avg_l4_payload_len":28,"midstream":0,"ts_msec":1582454872047,"l3_proto":"ip6","src_ip":"fe80::4e6a:f6ff:fe9f:f627","dst_ip":"ff02::16","l4_proto":"icmp6","flow_datalink":1,"flow_max_packets":3}
00560{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":500,"source":"android.pcap","alias":"nDPId-test","flow_id":47,"flow_packets_processed":14,"flow_first_seen":1582454871553,"flow_last_seen":1582454871667,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":3573,"flow_avg_l4_payload_len":255,"midstream":0,"ts_msec":1582454872047,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"172.217.20.76","src_port":43634,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00560{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":500,"source":"android.pcap","alias":"nDPId-test","flow_id":58,"flow_packets_processed":14,"flow_first_seen":1582454871829,"flow_last_seen":1582454872026,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":3573,"flow_avg_l4_payload_len":255,"midstream":0,"ts_msec":1582454872047,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"172.217.20.76","src_port":43646,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
-00587{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":500,"source":"android.pcap","alias":"nDPId-test","flow_id":63,"flow_packets_processed":1,"flow_first_seen":1582454872031,"flow_last_seen":1582454872031,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1582454872047,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"172.217.20.76","src_port":43652,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"}}
+00585{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":500,"source":"android.pcap","alias":"nDPId-test","flow_id":63,"flow_packets_processed":1,"flow_first_seen":1582454872031,"flow_last_seen":1582454872031,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1582454872047,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"172.217.20.76","src_port":43652,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Web"}}
00552{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":500,"source":"android.pcap","alias":"nDPId-test","flow_id":63,"flow_packets_processed":1,"flow_first_seen":1582454872031,"flow_last_seen":1582454872031,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1582454872047,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"172.217.20.76","src_port":43652,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00552{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":500,"source":"android.pcap","alias":"nDPId-test","flow_id":43,"flow_packets_processed":2,"flow_first_seen":1582454871292,"flow_last_seen":1582454871294,"flow_idle_time":180000,"flow_min_l4_payload_len":37,"flow_max_l4_payload_len":53,"flow_tot_l4_payload_len":90,"flow_avg_l4_payload_len":45,"midstream":0,"ts_msec":1582454872047,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"192.168.2.1","src_port":46359,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00562{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":500,"source":"android.pcap","alias":"nDPId-test","flow_id":40,"flow_packets_processed":27,"flow_first_seen":1582454871103,"flow_last_seen":1582454871450,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":5661,"flow_avg_l4_payload_len":209,"midstream":0,"ts_msec":1582454872047,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"172.217.21.202","src_port":51928,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -398,10 +398,10 @@
~~ total active/idle flows...: 63/63
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 2252048 bytes
-~~ total memory freed........: 2252048 bytes
-~~ total allocations/frees...: 36262/36262
+~~ total memory allocated....: 4888108 bytes
+~~ total memory freed........: 4888108 bytes
+~~ total allocations/frees...: 100461/100461
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 154 chars
-~~ json string max len.......: 2229 chars
+~~ json string max len.......: 2228 chars
~~ json string avg len.......: 1191 chars
diff --git a/test/results/anyconnect-vpn.pcap.out b/test/results/anyconnect-vpn.pcap.out
index f83918af5..c2ffdc5a0 100644
--- a/test/results/anyconnect-vpn.pcap.out
+++ b/test/results/anyconnect-vpn.pcap.out
@@ -49,7 +49,7 @@
00469{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":25,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":12,"flow_packet_id":3,"flow_last_seen":1569687245420,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1569687245420,"pkt":"LH6BsEqhNDY7z3UoCABFAAA0AABAAEAGwWEKAADjCCVmW95WAbsTaDYgM80W6oAQ\/\/9YmgAAAQEIChwNeqI\/+VnG"}
00818{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":26,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":12,"flow_packets_processed":4,"flow_first_seen":1569687245379,"flow_last_seen":1569687245420,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":167,"flow_tot_l4_payload_len":167,"flow_avg_l4_payload_len":41,"midstream":0,"ts_msec":1569687245420,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":56918,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"24":"SNI TLS extension was missing"},"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","ja3":"9f1a41f932f274fe47a992310a26a23a","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"http\/1.1"}}
00888{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":28,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":12,"flow_packets_processed":6,"flow_first_seen":1569687245379,"flow_last_seen":1569687245469,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":1615,"flow_avg_l4_payload_len":269,"midstream":0,"ts_msec":1569687245469,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":56918,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8":"Weak TLS cipher","24":"SNI TLS extension was missing"},"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","ja3":"9f1a41f932f274fe47a992310a26a23a","ja3s":"82f0d8a75fa483d1cfe4b7085b784d7e","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","alpn":"http\/1.1"}}
-01274{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":34,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":12,"flow_packets_processed":12,"flow_first_seen":1569687245379,"flow_last_seen":1569687245547,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":5904,"flow_avg_l4_payload_len":492,"midstream":0,"ts_msec":1569687245547,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":56918,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8":"Weak TLS cipher","24":"SNI TLS extension was missing"},"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","server_names":"*.pandion.viasat.com,pandion.viasat.com","ja3":"9f1a41f932f274fe47a992310a26a23a","ja3s":"82f0d8a75fa483d1cfe4b7085b784d7e","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Entrust, Inc., OU=See www.entrust.net\/legal-terms, OU=(c) 2012 Entrust, Inc. - for authorized use only, CN=Entrust Certification Authority - L1K","issuerDN":"C=US, ST=California, L=Carlsbad, O=Viasat Inc., CN=*.pandion.viasat.com","alpn":"http\/1.1","fingerprint":"92:70:CF:E3:69:4B:1D:F4:E2:DE:63:54:EC:DF:40:DB:F3:AC:D1:CA"}}
+01275{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":34,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":12,"flow_packets_processed":12,"flow_first_seen":1569687245379,"flow_last_seen":1569687245547,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":5904,"flow_avg_l4_payload_len":492,"midstream":0,"ts_msec":1569687245547,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":56918,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8":"Weak TLS cipher","24":"SNI TLS extension was missing"},"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","server_names":"*.pandion.viasat.com,pandion.viasat.com","ja3":"9f1a41f932f274fe47a992310a26a23a","ja3s":"82f0d8a75fa483d1cfe4b7085b784d7e","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Entrust, Inc., OU=See www.entrust.net\/legal-terms, OU=(c) 2012 Entrust, Inc. - for authorized use only, CN=Entrust Certification Authority - L1K","subjectDN":"C=US, ST=California, L=Carlsbad, O=Viasat Inc., CN=*.pandion.viasat.com","alpn":"http\/1.1","fingerprint":"92:70:CF:E3:69:4B:1D:F4:E2:DE:63:54:EC:DF:40:DB:F3:AC:D1:CA"}}
00559{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":36,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":13,"flow_packets_processed":1,"flow_first_seen":1569687245576,"flow_last_seen":1569687245576,"flow_idle_time":7440000,"flow_min_l4_payload_len":65,"flow_max_l4_payload_len":65,"flow_tot_l4_payload_len":65,"flow_avg_l4_payload_len":65,"midstream":1,"ts_msec":1569687245576,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"52.37.243.173","src_port":56915,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00560{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":36,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":13,"flow_packet_id":1,"flow_last_seen":1569687245576,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":131,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":131,"pkt_l4_len":97,"ts_msec":1569687245576,"pkt":"LH6BsEqhNDY7z3UoCABFAAB1AABAAEAGB84KAADjNCXzrd5TAbsf\/e\/ecO3V5YAYEAD5fAAAAQEIChwNezsAjX27FwMDADwAAAAAAAAABDacZQu2ja7FJp11i4XaHEcZRuFBd8RaXcXBvhAzXAi\/k3IQYhPu9V\/rSa1OnXc4wt4EKb0="}
00559{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":37,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":1,"flow_first_seen":1569687245576,"flow_last_seen":1569687245576,"flow_idle_time":7440000,"flow_min_l4_payload_len":65,"flow_max_l4_payload_len":65,"flow_tot_l4_payload_len":65,"flow_avg_l4_payload_len":65,"midstream":1,"ts_msec":1569687245576,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"52.37.243.173","src_port":56914,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -62,7 +62,7 @@
00470{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":59,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":3,"flow_last_seen":1569687245727,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1569687245727,"pkt":"LH6BsEqhNDY7z3UoCABFAAA0AABAAEAGwWEKAADjCCVmW95XAbsu53n0bMwKR4AQ\/\/\/KjAAAAQEIChwNe8w\/+Vr5"}
00818{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":60,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":15,"flow_packets_processed":4,"flow_first_seen":1569687245688,"flow_last_seen":1569687245728,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":167,"flow_tot_l4_payload_len":167,"flow_avg_l4_payload_len":41,"midstream":0,"ts_msec":1569687245728,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":56919,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"24":"SNI TLS extension was missing"},"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","ja3":"9f1a41f932f274fe47a992310a26a23a","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"http\/1.1"}}
00888{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":62,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":15,"flow_packets_processed":6,"flow_first_seen":1569687245688,"flow_last_seen":1569687245772,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":1615,"flow_avg_l4_payload_len":269,"midstream":0,"ts_msec":1569687245772,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":56919,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8":"Weak TLS cipher","24":"SNI TLS extension was missing"},"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","ja3":"9f1a41f932f274fe47a992310a26a23a","ja3s":"82f0d8a75fa483d1cfe4b7085b784d7e","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","alpn":"http\/1.1"}}
-01274{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":68,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":15,"flow_packets_processed":12,"flow_first_seen":1569687245688,"flow_last_seen":1569687245851,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":5959,"flow_avg_l4_payload_len":496,"midstream":0,"ts_msec":1569687245851,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":56919,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8":"Weak TLS cipher","24":"SNI TLS extension was missing"},"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","server_names":"*.pandion.viasat.com,pandion.viasat.com","ja3":"9f1a41f932f274fe47a992310a26a23a","ja3s":"82f0d8a75fa483d1cfe4b7085b784d7e","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Entrust, Inc., OU=See www.entrust.net\/legal-terms, OU=(c) 2012 Entrust, Inc. - for authorized use only, CN=Entrust Certification Authority - L1K","issuerDN":"C=US, ST=California, L=Carlsbad, O=Viasat Inc., CN=*.pandion.viasat.com","alpn":"http\/1.1","fingerprint":"92:70:CF:E3:69:4B:1D:F4:E2:DE:63:54:EC:DF:40:DB:F3:AC:D1:CA"}}
+01275{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":68,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":15,"flow_packets_processed":12,"flow_first_seen":1569687245688,"flow_last_seen":1569687245851,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":5959,"flow_avg_l4_payload_len":496,"midstream":0,"ts_msec":1569687245851,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":56919,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8":"Weak TLS cipher","24":"SNI TLS extension was missing"},"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","server_names":"*.pandion.viasat.com,pandion.viasat.com","ja3":"9f1a41f932f274fe47a992310a26a23a","ja3s":"82f0d8a75fa483d1cfe4b7085b784d7e","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Entrust, Inc., OU=See www.entrust.net\/legal-terms, OU=(c) 2012 Entrust, Inc. - for authorized use only, CN=Entrust Certification Authority - L1K","subjectDN":"C=US, ST=California, L=Carlsbad, O=Viasat Inc., CN=*.pandion.viasat.com","alpn":"http\/1.1","fingerprint":"92:70:CF:E3:69:4B:1D:F4:E2:DE:63:54:EC:DF:40:DB:F3:AC:D1:CA"}}
00555{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":93,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":16,"flow_packets_processed":1,"flow_first_seen":1569687246891,"flow_last_seen":1569687246891,"flow_idle_time":180000,"flow_min_l4_payload_len":23,"flow_max_l4_payload_len":23,"flow_tot_l4_payload_len":23,"flow_avg_l4_payload_len":23,"midstream":0,"ts_msec":1569687246891,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"75.75.76.76","src_port":63107,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00465{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":93,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":1,"flow_last_seen":1569687246891,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":65,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":65,"pkt_l4_len":31,"ts_msec":1569687246891,"pkt":"LH6BsEqhNDY7z3UoCABFAAAzrdgAAP8Ra2cKAADjS0tMTPaDADUAH3AoGBgBAAABAAAAAAAABWxvY2FsAAAGAAE="}
00708{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":93,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":16,"flow_packets_processed":1,"flow_first_seen":1569687246891,"flow_last_seen":1569687246891,"flow_idle_time":180000,"flow_min_l4_payload_len":23,"flow_max_l4_payload_len":23,"flow_tot_l4_payload_len":23,"flow_avg_l4_payload_len":23,"midstream":0,"ts_msec":1569687246891,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"75.75.76.76","src_port":63107,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS","breed":"Acceptable","category":"Network"},"dns": {"query":"local","num_queries":0,"num_answers":0,"reply_code":0,"query_type":6,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
@@ -70,7 +70,7 @@
00717{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":94,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":16,"flow_packets_processed":2,"flow_first_seen":1569687246891,"flow_last_seen":1569687246924,"flow_idle_time":180000,"flow_min_l4_payload_len":23,"flow_max_l4_payload_len":98,"flow_tot_l4_payload_len":121,"flow_avg_l4_payload_len":60,"midstream":0,"ts_msec":1569687246924,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"75.75.76.76","src_port":63107,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS","breed":"Acceptable","category":"Network"},"dns": {"query":"local","num_queries":1,"num_answers":1,"reply_code":3,"query_type":6,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
00525{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":95,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":17,"flow_packets_processed":1,"flow_first_seen":1569687246924,"flow_last_seen":1569687246924,"flow_idle_time":120000,"flow_min_l4_payload_len":36,"flow_max_l4_payload_len":36,"flow_tot_l4_payload_len":36,"flow_avg_l4_payload_len":36,"midstream":0,"ts_msec":1569687246924,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"75.75.76.76","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3}
00473{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":95,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":17,"flow_packet_id":1,"flow_last_seen":1569687246924,"flow_idle_time":120000,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":70,"pkt_l4_len":36,"ts_msec":1569687246924,"pkt":"LH6BsEqhNDY7z3UoCABFAAA4dQYAAEABY0UKAADjS0tMTAMDBdoAAAAARQAAfgAAQAA2EaH1S0tMTAoAAOMANfaDAGoAAA=="}
-00558{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":95,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":17,"flow_packets_processed":1,"flow_first_seen":1569687246924,"flow_last_seen":1569687246924,"flow_idle_time":120000,"flow_min_l4_payload_len":36,"flow_max_l4_payload_len":36,"flow_tot_l4_payload_len":36,"flow_avg_l4_payload_len":36,"midstream":0,"ts_msec":1569687246924,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"75.75.76.76","l4_proto":"icmp","ndpi": {"proto":"ICMP","breed":"Acceptable","category":"Network"}}
+00577{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":95,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":17,"flow_packets_processed":1,"flow_first_seen":1569687246924,"flow_last_seen":1569687246924,"flow_idle_time":120000,"flow_min_l4_payload_len":36,"flow_max_l4_payload_len":36,"flow_tot_l4_payload_len":36,"flow_avg_l4_payload_len":36,"midstream":0,"ts_msec":1569687246924,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"75.75.76.76","l4_proto":"icmp","ndpi": {"proto":"ICMP","breed":"Acceptable","category":"Network"},"entropy":3.305435}
00560{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":96,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":18,"flow_packets_processed":1,"flow_first_seen":1569687246981,"flow_last_seen":1569687246981,"flow_idle_time":180000,"flow_min_l4_payload_len":112,"flow_max_l4_payload_len":112,"flow_tot_l4_payload_len":112,"flow_avg_l4_payload_len":112,"midstream":0,"ts_msec":1569687246981,"l3_proto":"ip4","src_ip":"10.0.0.213","dst_ip":"224.0.0.251","src_port":5353,"dst_port":5353,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00588{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":96,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":18,"flow_packet_id":1,"flow_last_seen":1569687246981,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":154,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":154,"pkt_l4_len":120,"ts_msec":1569687246981,"pkt":"AQBeAAD7GIEORo7ICABFAACMDQUAAP8RwosKAADV4AAA+xTpFOkAeGDHAAAAAAADAAAAAAABD19jb21wYW5pb24tbGluawRfdGNwBWxvY2FsAAAMgAEIX2hvbWVraXTAHAAMgAEMX3NsZWVwLXByb3h5BF91ZHDAIQAMgAEAACkFoAAAEZQAEgAEAA4AmjqBDkaOyBiBDkaOyA=="}
00641{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":96,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":18,"flow_packets_processed":1,"flow_first_seen":1569687246981,"flow_last_seen":1569687246981,"flow_idle_time":180000,"flow_min_l4_payload_len":112,"flow_max_l4_payload_len":112,"flow_tot_l4_payload_len":112,"flow_avg_l4_payload_len":112,"midstream":0,"ts_msec":1569687246981,"l3_proto":"ip4","src_ip":"10.0.0.213","dst_ip":"224.0.0.251","src_port":5353,"dst_port":5353,"l4_proto":"udp","ndpi": {"proto":"MDNS","breed":"Acceptable","category":"Network"},"mdns": {"answer":"_companion-link._tcp.local"}}
@@ -133,7 +133,7 @@
00485{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":182,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":30,"flow_packet_id":2,"flow_last_seen":1569687260620,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"ts_msec":1569687260620,"pkt":"NDY7z3UoLH6BsEqhCABFAABAE+xAAPEGAgIIJWDCCgAA4xC\/3lkWZHs7FMxBabASECzSsgAAAgQFZAEDAwIBAQgKeKa\/ZBwNtZEEAgAA"}
00467{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":183,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":30,"flow_packet_id":3,"flow_last_seen":1569687260620,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1569687260620,"pkt":"LH6BsEqhNDY7z3UoCABFAAA0AABAAEAGxvoKAADjCCVgwt5ZEL8UzEFpFmR7PIAQEAgSNwAAAQEIChwNta14pr9k"}
00884{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":184,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":30,"flow_packets_processed":4,"flow_first_seen":1569687260591,"flow_last_seen":1569687260620,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":148,"flow_tot_l4_payload_len":148,"flow_avg_l4_payload_len":37,"midstream":0,"ts_msec":1569687260620,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.96.194","src_port":56921,"dst_port":4287,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","15":"TLS (probably) not carrying HTTPS","24":"SNI TLS extension was missing"},"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","ja3":"e3adec914f3893f18136762f1c0d7d81","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
-01181{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":186,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":30,"flow_packets_processed":6,"flow_first_seen":1569687260591,"flow_last_seen":1569687260667,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1308,"flow_tot_l4_payload_len":1456,"flow_avg_l4_payload_len":242,"midstream":0,"ts_msec":1569687260667,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.96.194","src_port":56921,"dst_port":4287,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","6":"Self-signed Certificate","15":"TLS (probably) not carrying HTTPS","24":"SNI TLS extension was missing"},"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","ja3":"e3adec914f3893f18136762f1c0d7d81","ja3s":"e54965894d6b45ecb4323c7ea3d6c115","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"CN=813845657003339838, O=Code42, OU=TEST, ST=MN, C=US","issuerDN":"CN=813845657003339838, O=Code42, OU=TEST, ST=MN, C=US","fingerprint":"86:2A:47:EF:00:68:79:60:7F:94:E2:91:6F:E0:38:82:37:8A:8E:2E"}}
+01182{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":186,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":30,"flow_packets_processed":6,"flow_first_seen":1569687260591,"flow_last_seen":1569687260667,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1308,"flow_tot_l4_payload_len":1456,"flow_avg_l4_payload_len":242,"midstream":0,"ts_msec":1569687260667,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.96.194","src_port":56921,"dst_port":4287,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","6":"Self-signed Certificate","15":"TLS (probably) not carrying HTTPS","24":"SNI TLS extension was missing"},"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","ja3":"e3adec914f3893f18136762f1c0d7d81","ja3s":"e54965894d6b45ecb4323c7ea3d6c115","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"CN=813845657003339838, O=Code42, OU=TEST, ST=MN, C=US","subjectDN":"CN=813845657003339838, O=Code42, OU=TEST, ST=MN, C=US","fingerprint":"86:2A:47:EF:00:68:79:60:7F:94:E2:91:6F:E0:38:82:37:8A:8E:2E"}}
00556{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":196,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":31,"flow_packets_processed":1,"flow_first_seen":1569687260751,"flow_last_seen":1569687260751,"flow_idle_time":180000,"flow_min_l4_payload_len":59,"flow_max_l4_payload_len":59,"flow_tot_l4_payload_len":59,"flow_avg_l4_payload_len":59,"midstream":0,"ts_msec":1569687260751,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"75.75.75.75","src_port":64972,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00517{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":196,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":31,"flow_packet_id":1,"flow_last_seen":1569687260751,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":101,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":101,"pkt_l4_len":67,"ts_msec":1569687260751,"pkt":"LH6BsEqhNDY7z3UoCABFAABXLuMAAP8R6zkKAADjS0tLS\/3MADUAQ49kJ8YBAAABAAAAAAAAAmxiB19kbnMtc2QEX3VkcAEwAzEyOAIyOAMxNzIHaW4tYWRkcgRhcnBhAAAMAAE="}
00746{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":196,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":31,"flow_packets_processed":1,"flow_first_seen":1569687260751,"flow_last_seen":1569687260751,"flow_idle_time":180000,"flow_min_l4_payload_len":59,"flow_max_l4_payload_len":59,"flow_tot_l4_payload_len":59,"flow_avg_l4_payload_len":59,"midstream":0,"ts_msec":1569687260751,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"75.75.75.75","src_port":64972,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS","breed":"Acceptable","category":"Network"},"dns": {"query":"lb._dns-sd._udp.0.128.28.172.in-addr.arpa","num_queries":0,"num_answers":0,"reply_code":0,"query_type":12,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
@@ -176,7 +176,7 @@
00471{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":300,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":38,"flow_packet_id":3,"flow_last_seen":1569687267077,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1569687267077,"pkt":"LH6BsEqhNDY7z3UoCABFAAA0AABAAEAGwWEKAADjCCVmW95hAbsGNnxNzhMA9oAQ\/\/\/yvgAAAQEIChwNzpw\/+a5O"}
00841{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":301,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":38,"flow_packets_processed":4,"flow_first_seen":1569687267035,"flow_last_seen":1569687267079,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":152,"flow_tot_l4_payload_len":152,"flow_avg_l4_payload_len":38,"midstream":0,"ts_msec":1569687267079,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":56929,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS","24":"SNI TLS extension was missing"},"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","ja3":"c9f0b47c9805f516e6d3900cb51f7841","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
00911{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":303,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":38,"flow_packets_processed":6,"flow_first_seen":1569687267035,"flow_last_seen":1569687267125,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":1600,"flow_avg_l4_payload_len":266,"midstream":0,"ts_msec":1569687267125,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":56929,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8":"Weak TLS cipher","15":"TLS (probably) not carrying HTTPS","24":"SNI TLS extension was missing"},"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","ja3":"c9f0b47c9805f516e6d3900cb51f7841","ja3s":"82f0d8a75fa483d1cfe4b7085b784d7e","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA"}}
-01297{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":309,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":38,"flow_packets_processed":12,"flow_first_seen":1569687267035,"flow_last_seen":1569687267203,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":5944,"flow_avg_l4_payload_len":495,"midstream":0,"ts_msec":1569687267203,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":56929,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8":"Weak TLS cipher","15":"TLS (probably) not carrying HTTPS","24":"SNI TLS extension was missing"},"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","server_names":"*.pandion.viasat.com,pandion.viasat.com","ja3":"c9f0b47c9805f516e6d3900cb51f7841","ja3s":"82f0d8a75fa483d1cfe4b7085b784d7e","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Entrust, Inc., OU=See www.entrust.net\/legal-terms, OU=(c) 2012 Entrust, Inc. - for authorized use only, CN=Entrust Certification Authority - L1K","issuerDN":"C=US, ST=California, L=Carlsbad, O=Viasat Inc., CN=*.pandion.viasat.com","fingerprint":"92:70:CF:E3:69:4B:1D:F4:E2:DE:63:54:EC:DF:40:DB:F3:AC:D1:CA"}}
+01298{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":309,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":38,"flow_packets_processed":12,"flow_first_seen":1569687267035,"flow_last_seen":1569687267203,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":5944,"flow_avg_l4_payload_len":495,"midstream":0,"ts_msec":1569687267203,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":56929,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8":"Weak TLS cipher","15":"TLS (probably) not carrying HTTPS","24":"SNI TLS extension was missing"},"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","server_names":"*.pandion.viasat.com,pandion.viasat.com","ja3":"c9f0b47c9805f516e6d3900cb51f7841","ja3s":"82f0d8a75fa483d1cfe4b7085b784d7e","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Entrust, Inc., OU=See www.entrust.net\/legal-terms, OU=(c) 2012 Entrust, Inc. - for authorized use only, CN=Entrust Certification Authority - L1K","subjectDN":"C=US, ST=California, L=Carlsbad, O=Viasat Inc., CN=*.pandion.viasat.com","fingerprint":"92:70:CF:E3:69:4B:1D:F4:E2:DE:63:54:EC:DF:40:DB:F3:AC:D1:CA"}}
00554{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":343,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":39,"flow_packets_processed":1,"flow_first_seen":1569687267453,"flow_last_seen":1569687267453,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1569687267453,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"10.0.0.149","src_port":56865,"dst_port":8008,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00467{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":343,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":39,"flow_packet_id":1,"flow_last_seen":1569687267453,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1569687267453,"pkt":"pHczjPFANDY7z3UoCABFAAA0AABAAEAGJU0KAADjCgAAld4hH0glPK3eiXsRe4AREAA75QAAAQEIChwN0AsAIb2q"}
00554{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":344,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":40,"flow_packets_processed":1,"flow_first_seen":1569687267453,"flow_last_seen":1569687267453,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1569687267453,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"10.0.0.151","src_port":56866,"dst_port":8060,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -202,7 +202,6 @@
00467{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":365,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":40,"flow_packet_id":2,"flow_last_seen":1569687267764,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1569687267764,"pkt":"2DE0IHf7NDY7z3UoCABFAAA0AABAAEAGJUsKAADjCgAAl94iH3wAQcGNmjQa94AREAAihAAAAQEIChwN0TcGksZO"}
00557{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":366,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":44,"flow_packets_processed":1,"flow_first_seen":1569687267797,"flow_last_seen":1569687267797,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1569687267797,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"17.57.144.116","src_port":56886,"dst_port":5223,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00467{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":366,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":44,"flow_packet_id":1,"flow_last_seen":1569687267797,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1569687267797,"pkt":"LH6BsEqhNDY7z3UoCABFAAA0xfMAAEAGCEEKAADjETmQdN42FGcxHLjbZd23sYAREACqlQAAAQEIChwN0VbVpVJo"}
-00593{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":366,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":44,"flow_packets_processed":1,"flow_first_seen":1569687267797,"flow_last_seen":1569687267797,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1569687267797,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"17.57.144.116","src_port":56886,"dst_port":5223,"l4_proto":"tcp","ndpi": {"proto":"ApplePush.Apple","breed":"Safe","category":"Cloud"}}
00556{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":367,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":45,"flow_packets_processed":1,"flow_first_seen":1569687267799,"flow_last_seen":1569687267799,"flow_idle_time":180000,"flow_min_l4_payload_len":31,"flow_max_l4_payload_len":31,"flow_tot_l4_payload_len":31,"flow_avg_l4_payload_len":31,"midstream":0,"ts_msec":1569687267799,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"75.75.75.75","src_port":60341,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00478{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":367,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":45,"flow_packet_id":1,"flow_last_seen":1569687267799,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":73,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":73,"pkt_l4_len":39,"ts_msec":1569687267799,"pkt":"LH6BsEqhNDY7z3UoCABFAAA72BEAAP8RQicKAADjS0tLS+u1ADUAJxlWhe8BAAABAAAAAAAAA3d3dwVhcHBsZQNjb20AAAEAAQ=="}
00713{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":367,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":45,"flow_packets_processed":1,"flow_first_seen":1569687267799,"flow_last_seen":1569687267799,"flow_idle_time":180000,"flow_min_l4_payload_len":31,"flow_max_l4_payload_len":31,"flow_tot_l4_payload_len":31,"flow_avg_l4_payload_len":31,"midstream":0,"ts_msec":1569687267799,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"75.75.75.75","src_port":60341,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Apple","breed":"Safe","category":"Web"},"dns": {"query":"www.apple.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
@@ -225,6 +224,7 @@
00637{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":377,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":46,"flow_packet_id":2,"flow_last_seen":1569687267819,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":190,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":190,"pkt_l4_len":156,"ts_msec":1569687267819,"pkt":"NDY7z3UoLH6BsEqhCABFAACwAABAADoRnsRLS0tLCgAA4wA1x3QAnFOt9V6BgAABAAMAAAAACTEtY291cmllcgRwdXNoBWFwcGxlA2NvbQAAAQABwAwABQABAAAYQwAlATESY291cmllci1wdXNoLWFwcGxlA2NvbQZha2FkbnMDbmV0AMA2AAUAAQAAABcAHQ91cy1zdy1jb3VyaWVyLTQKcHVzaC1hcHBsZcBLwGcAAQABAAAAFwAEETmQdA=="}
00752{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":377,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":46,"flow_packets_processed":2,"flow_first_seen":1569687267799,"flow_last_seen":1569687267819,"flow_idle_time":180000,"flow_min_l4_payload_len":42,"flow_max_l4_payload_len":148,"flow_tot_l4_payload_len":190,"flow_avg_l4_payload_len":95,"midstream":0,"ts_msec":1569687267819,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"75.75.75.75","src_port":51060,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.ApplePush","breed":"Acceptable","category":"Cloud"},"dns": {"query":"1-courier.push.apple.com","num_queries":1,"num_answers":3,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"17.57.144.116"}}
00541{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":378,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":44,"flow_packet_id":2,"flow_last_seen":1569687267820,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":119,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":119,"pkt_l4_len":85,"ts_msec":1569687267820,"pkt":"NDY7z3UoLH6BsEqhCABFAABp+WRAADUGn5oROZB0CgAA4xRn3jZl3bexMRy43IAYARnThAAAAQEICtWmYt0cDdFWFQMDADDYQSIj3jkYV2ViIYpeEoheM2HYhDINcbYvi9M0lKa7pHKjHCudSoLIJkInalaEjXI="}
+00596{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":378,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":44,"flow_packets_processed":2,"flow_first_seen":1569687267797,"flow_last_seen":1569687267820,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":53,"flow_tot_l4_payload_len":53,"flow_avg_l4_payload_len":26,"midstream":1,"ts_msec":1569687267820,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"17.57.144.116","src_port":56886,"dst_port":5223,"l4_proto":"tcp","ndpi": {"proto":"ApplePush.Apple","breed":"Safe","category":"Cloud"}}
00451{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":379,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":44,"flow_packet_id":3,"flow_last_seen":1569687267820,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1569687267820,"pkt":"LH6BsEqhNDY7z3UoCABFAAAoAABAAEAGjkAKAADjETmQdN42FGcxHLjcAAAAAFAEAAAmugAA"}
00637{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":382,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":48,"flow_packet_id":2,"flow_last_seen":1569687267824,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":192,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":192,"pkt_l4_len":158,"ts_msec":1569687267824,"pkt":"NDY7z3UoLH6BsEqhCABFAACyAABAADoRnsJLS0tLCgAA4wA1+sEAnlIeE96BgAABAAMAAAAACjI0LWNvdXJpZXIEcHVzaAVhcHBsZQNjb20AAAEAAcAMAAUAAQAASVMAJgIyNBJjb3VyaWVyLXB1c2gtYXBwbGUDY29tBmFrYWRucwNuZXQAwDcABQABAAAAGwAdD3VzLXN3LWNvdXJpZXItNApwdXNoLWFwcGxlwE3AaQABAAEAAAAuAAQROZAU"}
00752{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":382,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":48,"flow_packets_processed":2,"flow_first_seen":1569687267805,"flow_last_seen":1569687267824,"flow_idle_time":180000,"flow_min_l4_payload_len":43,"flow_max_l4_payload_len":150,"flow_tot_l4_payload_len":193,"flow_avg_l4_payload_len":96,"midstream":0,"ts_msec":1569687267824,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"75.75.75.75","src_port":64193,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.ApplePush","breed":"Acceptable","category":"Cloud"},"dns": {"query":"24-courier.push.apple.com","num_queries":1,"num_answers":3,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"17.57.144.20"}}
@@ -279,7 +279,7 @@
00485{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":681,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":63,"flow_packet_id":1,"flow_last_seen":1569687269562,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"ts_msec":1569687269562,"pkt":"2DE0IHf7NDY7z3UoCABFAABAAABAAEAGJT8KAADjCgAAl957H3yCfYpEAAAAALAC\/\/8iuwAAAgQFtAEDAwUBAQgKHA3YAQAAAAAEAgAA"}
00479{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":682,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":62,"flow_packet_id":2,"flow_last_seen":1569687269563,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1569687269563,"pkt":"NDY7z3UopHczjPFACABFAAA8AABAAEAGJUUKAACVCgAA4x9I3np8gG11KkHDm6ASOJBP2wAAAgQFtAQCCAoAIeBIHA3YAQEDAwY="}
00467{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":683,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":62,"flow_packet_id":3,"flow_last_seen":1569687269563,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1569687269563,"pkt":"pHczjPFANDY7z3UoCABFAAA0AABAAEAGJU0KAADjCgAAld56H0gqQcObfIBtdoAQEBWnIAAAAQEIChwN2AIAIeBI"}
-00924{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":684,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":62,"flow_packets_processed":4,"flow_first_seen":1569687269561,"flow_last_seen":1569687269563,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":251,"flow_tot_l4_payload_len":251,"flow_avg_l4_payload_len":62,"midstream":0,"ts_msec":1569687269563,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"10.0.0.149","src_port":56954,"dst_port":8008,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","12":"HTTP Numeric IP Address"},"proto":"HTTP","breed":"Acceptable","category":"Web"},"http": {"hostname":"10.0.0.149","url":"10.0.0.149:8008\/ssdp\/device-desc.xml","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.90 Safari\/537.36"}}
+00643{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":684,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":62,"flow_packets_processed":4,"flow_first_seen":1569687269561,"flow_last_seen":1569687269563,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":251,"flow_tot_l4_payload_len":251,"flow_avg_l4_payload_len":62,"midstream":0,"ts_msec":1569687269563,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"10.0.0.149","src_port":56954,"dst_port":8008,"l4_proto":"tcp","ndpi": {"flow_risk": {"12":"HTTP Numeric IP Address"},"proto":"CiscoVPN.HTTP","breed":"Acceptable","category":"Web"}}
00479{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":686,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":63,"flow_packet_id":2,"flow_last_seen":1569687269567,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1569687269567,"pkt":"NDY7z3Uo2DE0IHf7CABFAAA8AABAAEAGJUMKAACXCgAA4x983nsgu1W7gn2KRaASqbA3ZQAAAgQFtAQCCAoGktWOHA3YAQEDAwc="}
00468{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":687,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":63,"flow_packet_id":3,"flow_last_seen":1569687269567,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1569687269567,"pkt":"2DE0IHf7NDY7z3UoCABFAAA0AABAAEAGJUsKAADjCgAAl957H3yCfYpFILtVvIAQEBX\/yAAAAQEIChwN2AUGktWO"}
00915{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":688,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":63,"flow_packets_processed":4,"flow_first_seen":1569687269562,"flow_last_seen":1569687269567,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":242,"flow_tot_l4_payload_len":242,"flow_avg_l4_payload_len":60,"midstream":0,"ts_msec":1569687269567,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"10.0.0.151","src_port":56955,"dst_port":8060,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","12":"HTTP Numeric IP Address"},"proto":"HTTP","breed":"Acceptable","category":"Web"},"http": {"hostname":"10.0.0.151","url":"10.0.0.151:8060\/dial\/dd.xml","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.90 Safari\/537.36"}}
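Review bot: The regenerated expectation for flow 62 (the `+00643` line) now labels a plain-HTTP request to 10.0.0.149:8008 as `"proto":"CiscoVPN.HTTP"` and drops the whole `http` object, so hostname, URL and user agent disappear from the detected event, as does the `Known protocol on non standard port` risk. The removed line shows the request was for `/ssdp/device-desc.xml`, and flow 63 to port 8060 in the same hunk still reports `"proto":"HTTP"` with full metadata. That difference suggests the new label may come from a port-based match rather than from the payload. Accepting this baseline would lock in the loss of HTTP metadata that downstream consumers may use for detection. Before regenerating the result, I would confirm whether the `http` block should still be emitted when HTTP is only the sub-protocol, and whether the risk entry is meant to go away.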
@@ -313,7 +313,7 @@
00683{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2590,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":68,"flow_packets_processed":4,"flow_first_seen":1569687286917,"flow_last_seen":1569687286919,"flow_idle_time":180000,"flow_min_l4_payload_len":40,"flow_max_l4_payload_len":226,"flow_tot_l4_payload_len":487,"flow_avg_l4_payload_len":121,"midstream":0,"ts_msec":1569687286919,"l3_proto":"ip4","src_ip":"10.0.0.149","dst_ip":"224.0.0.251","src_port":5353,"dst_port":5353,"l4_proto":"udp","ndpi": {"proto":"MDNS","breed":"Acceptable","category":"Network"},"mdns": {"answer":"79d88e83-725c-b71b-bad0-5862d5b22386._googlezone._tcp.local"}}
00523{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2723,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":69,"flow_packets_processed":1,"flow_first_seen":1569687287737,"flow_last_seen":1569687287737,"flow_idle_time":120000,"flow_min_l4_payload_len":16,"flow_max_l4_payload_len":16,"flow_tot_l4_payload_len":16,"flow_avg_l4_payload_len":16,"midstream":0,"ts_msec":1569687287737,"l3_proto":"ip4","src_ip":"10.0.0.1","dst_ip":"224.0.0.1","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3}
00457{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2723,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":69,"flow_packet_id":1,"flow_last_seen":1569687287737,"flow_idle_time":120000,"pkt_oversize":false,"pkt_caplen":56,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":56,"pkt_l4_len":16,"ts_msec":1569687287737,"pkt":"AQBeAAABLH6BsEqhCABFwAAkGHoAAAEBtp0KAAAB4AAAAQkA5rYBAgVGCgAAAQAAAAAAAP\/\/Aiw="}
-00556{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":2723,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":69,"flow_packets_processed":1,"flow_first_seen":1569687287737,"flow_last_seen":1569687287737,"flow_idle_time":120000,"flow_min_l4_payload_len":16,"flow_max_l4_payload_len":16,"flow_tot_l4_payload_len":16,"flow_avg_l4_payload_len":16,"midstream":0,"ts_msec":1569687287737,"l3_proto":"ip4","src_ip":"10.0.0.1","dst_ip":"224.0.0.1","l4_proto":"icmp","ndpi": {"proto":"ICMP","breed":"Acceptable","category":"Network"}}
+00575{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":2723,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":69,"flow_packets_processed":1,"flow_first_seen":1569687287737,"flow_last_seen":1569687287737,"flow_idle_time":120000,"flow_min_l4_payload_len":16,"flow_max_l4_payload_len":16,"flow_tot_l4_payload_len":16,"flow_avg_l4_payload_len":16,"midstream":0,"ts_msec":1569687287737,"l3_proto":"ip4","src_ip":"10.0.0.1","dst_ip":"224.0.0.1","l4_proto":"icmp","ndpi": {"proto":"ICMP","breed":"Acceptable","category":"Network"},"entropy":1.061278}
00568{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":3001,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":57,"flow_packets_processed":4,"flow_first_seen":1569687268559,"flow_last_seen":1569687271560,"flow_idle_time":180000,"flow_min_l4_payload_len":174,"flow_max_l4_payload_len":174,"flow_tot_l4_payload_len":696,"flow_avg_l4_payload_len":174,"midstream":0,"ts_msec":1569687289262,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"239.255.255.250","src_port":57547,"dst_port":1900,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00564{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":3001,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":25,"flow_packets_processed":19,"flow_first_seen":1569687249612,"flow_last_seen":1569687268122,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":384,"flow_tot_l4_payload_len":3455,"flow_avg_l4_payload_len":181,"midstream":1,"ts_msec":1569687289262,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"184.25.56.77","src_port":56884,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00593{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":3001,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":3,"flow_first_seen":1569687240992,"flow_last_seen":1569687241009,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1569687289262,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"184.25.56.53","src_port":56885,"dst_port":80,"l4_proto":"tcp","ndpi": {"proto":"HTTP","breed":"Acceptable","category":"Web"},"http": {}}
@@ -335,7 +335,7 @@
00559{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":3001,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":16,"flow_packets_processed":2,"flow_first_seen":1569687246891,"flow_last_seen":1569687246924,"flow_idle_time":180000,"flow_min_l4_payload_len":23,"flow_max_l4_payload_len":98,"flow_tot_l4_payload_len":121,"flow_avg_l4_payload_len":60,"midstream":0,"ts_msec":1569687289262,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"75.75.76.76","src_port":63107,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00560{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":3001,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":34,"flow_packets_processed":2,"flow_first_seen":1569687261035,"flow_last_seen":1569687261054,"flow_idle_time":180000,"flow_min_l4_payload_len":51,"flow_max_l4_payload_len":132,"flow_tot_l4_payload_len":183,"flow_avg_l4_payload_len":91,"midstream":0,"ts_msec":1569687289262,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"75.75.75.75","src_port":52879,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00557{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":3001,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":9,"flow_packets_processed":2,"flow_first_seen":1569687245251,"flow_last_seen":1569687245288,"flow_idle_time":180000,"flow_min_l4_payload_len":40,"flow_max_l4_payload_len":56,"flow_tot_l4_payload_len":96,"flow_avg_l4_payload_len":48,"midstream":0,"ts_msec":1569687289262,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"75.75.76.76","src_port":52879,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
-00595{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":3001,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":43,"flow_packets_processed":6,"flow_first_seen":1569687267677,"flow_last_seen":1569687268288,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":148,"flow_avg_l4_payload_len":24,"midstream":1,"ts_msec":1569687289262,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"52.10.115.210","src_port":56879,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"}}
+00600{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":3001,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":43,"flow_packets_processed":6,"flow_first_seen":1569687267677,"flow_last_seen":1569687268288,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":148,"flow_avg_l4_payload_len":24,"midstream":1,"ts_msec":1569687289262,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"52.10.115.210","src_port":56879,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"}}
00562{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":3001,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":43,"flow_packets_processed":6,"flow_first_seen":1569687267677,"flow_last_seen":1569687268288,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":148,"flow_avg_l4_payload_len":24,"midstream":1,"ts_msec":1569687289262,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"52.10.115.210","src_port":56879,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00569{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":3001,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":58,"flow_packets_processed":2441,"flow_first_seen":1569687268746,"flow_last_seen":1569687289262,"flow_idle_time":180000,"flow_min_l4_payload_len":48,"flow_max_l4_payload_len":1469,"flow_tot_l4_payload_len":789975,"flow_avg_l4_payload_len":323,"midstream":0,"ts_msec":1569687289262,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":54107,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00560{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":3001,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":36,"flow_packets_processed":2,"flow_first_seen":1569687261486,"flow_last_seen":1569687261506,"flow_idle_time":180000,"flow_min_l4_payload_len":51,"flow_max_l4_payload_len":103,"flow_tot_l4_payload_len":154,"flow_avg_l4_payload_len":77,"midstream":0,"ts_msec":1569687289262,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"75.75.75.75","src_port":57017,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
@@ -362,11 +362,11 @@
00564{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":3001,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":12,"flow_packets_processed":30,"flow_first_seen":1569687245379,"flow_last_seen":1569687245725,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":8058,"flow_avg_l4_payload_len":268,"midstream":0,"ts_msec":1569687289262,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":56918,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00565{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":3001,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":15,"flow_packets_processed":54,"flow_first_seen":1569687245688,"flow_last_seen":1569687268830,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":22452,"flow_avg_l4_payload_len":415,"midstream":0,"ts_msec":1569687289262,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":56919,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00566{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":3001,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":38,"flow_packets_processed":92,"flow_first_seen":1569687267035,"flow_last_seen":1569687288923,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":21688,"flow_avg_l4_payload_len":235,"midstream":0,"ts_msec":1569687289262,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":56929,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
-00594{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":3001,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":53,"flow_packets_processed":2,"flow_first_seen":1569687267988,"flow_last_seen":1569687268026,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1569687289262,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"74.125.197.188","src_port":56874,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"}}
+00592{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":3001,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":53,"flow_packets_processed":2,"flow_first_seen":1569687267988,"flow_last_seen":1569687268026,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1569687289262,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"74.125.197.188","src_port":56874,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Web"}}
00558{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":3001,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":53,"flow_packets_processed":2,"flow_first_seen":1569687267988,"flow_last_seen":1569687268026,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1569687289262,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"74.125.197.188","src_port":56874,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
-00596{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":3001,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":15,"flow_first_seen":1569687245576,"flow_last_seen":1569687267323,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":65,"flow_tot_l4_payload_len":508,"flow_avg_l4_payload_len":33,"midstream":1,"ts_msec":1569687289262,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"52.37.243.173","src_port":56914,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"}}
+00601{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":3001,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":15,"flow_first_seen":1569687245576,"flow_last_seen":1569687267323,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":65,"flow_tot_l4_payload_len":508,"flow_avg_l4_payload_len":33,"midstream":1,"ts_msec":1569687289262,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"52.37.243.173","src_port":56914,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"}}
00563{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":3001,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":15,"flow_first_seen":1569687245576,"flow_last_seen":1569687267323,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":65,"flow_tot_l4_payload_len":508,"flow_avg_l4_payload_len":33,"midstream":1,"ts_msec":1569687289262,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"52.37.243.173","src_port":56914,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
-00596{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":3001,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":13,"flow_packets_processed":15,"flow_first_seen":1569687245576,"flow_last_seen":1569687268339,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":65,"flow_tot_l4_payload_len":508,"flow_avg_l4_payload_len":33,"midstream":1,"ts_msec":1569687289262,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"52.37.243.173","src_port":56915,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"}}
+00601{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":3001,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":13,"flow_packets_processed":15,"flow_first_seen":1569687245576,"flow_last_seen":1569687268339,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":65,"flow_tot_l4_payload_len":508,"flow_avg_l4_payload_len":33,"midstream":1,"ts_msec":1569687289262,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"52.37.243.173","src_port":56915,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"}}
00563{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":3001,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":13,"flow_packets_processed":15,"flow_first_seen":1569687245576,"flow_last_seen":1569687268339,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":65,"flow_tot_l4_payload_len":508,"flow_avg_l4_payload_len":33,"midstream":1,"ts_msec":1569687289262,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"52.37.243.173","src_port":56915,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00587{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":3001,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":39,"flow_packets_processed":3,"flow_first_seen":1569687267453,"flow_last_seen":1569687267455,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1569687289262,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"10.0.0.149","src_port":56865,"dst_port":8008,"l4_proto":"tcp","ndpi": {"proto":"CiscoVPN","breed":"Acceptable","category":"VPN"}}
00555{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":3001,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":39,"flow_packets_processed":3,"flow_first_seen":1569687267453,"flow_last_seen":1569687267455,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1569687289262,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"10.0.0.149","src_port":56865,"dst_port":8008,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -404,10 +404,10 @@
~~ total active/idle flows...: 69/69
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 2189842 bytes
-~~ total memory freed........: 2189842 bytes
-~~ total allocations/frees...: 38587/38587
+~~ total memory allocated....: 4825461 bytes
+~~ total memory freed........: 4825461 bytes
+~~ total allocations/frees...: 102788/102788
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 171 chars
-~~ json string max len.......: 1302 chars
-~~ json string avg len.......: 804 chars
+~~ json string max len.......: 1303 chars
+~~ json string avg len.......: 805 chars
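Review bot: The allocation totals in this summary rise from 38587 to 102788 allocations and from 2189842 to 4825461 bytes for the same capture and the same 69 flows, and nothing in the visible lines explains why. Allocated and freed still match, so this is not a leak. For a daemon that parses untrusted traffic, a footprint that more than doubles deserves a sentence in the commit message, for example `memory use per capture grows with the libnDPI update (expected)`. The cause is presumably the libnDPI submodule bump listed in the diffstat, but that is an inference, not something this hunk shows.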
diff --git a/test/results/anydesk-2.pcap.out b/test/results/anydesk-2.pcap.out
index 9d366d295..befbd216c 100644
--- a/test/results/anydesk-2.pcap.out
+++ b/test/results/anydesk-2.pcap.out
@@ -14,13 +14,13 @@
00462{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6,"source":"anydesk-2.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_last_seen":1613977595380,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1613977595380,"pkt":"2MuK4S0uKDc3AG3ICABFAAA0AABAAEAGtgbAqAGywKgBuxue05RZw\/OWjxh7SYAS\/\/+kVwAAAgQFtAEDAwUEAgAA"}
00443{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":7,"source":"anydesk-2.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_last_seen":1613977595380,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1613977595380,"pkt":"KDc3AG3I2MuK4S0uCABFAAAodDRAAIAGAADAqAG7wKgBstOUG56PGHtJWcPzl1AQBAKE2AAA"}
00881{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":8,"source":"anydesk-2.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":4,"flow_first_seen":1613977595379,"flow_last_seen":1613977595380,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":245,"flow_tot_l4_payload_len":245,"flow_avg_l4_payload_len":61,"midstream":0,"ts_msec":1613977595380,"l3_proto":"ip4","src_ip":"192.168.1.187","dst_ip":"192.168.1.178","src_port":54164,"dst_port":7070,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","15":"TLS (probably) not carrying HTTPS","24":"SNI TLS extension was missing"},"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","ja3":"3f2fba0262b1a22b739126dfb2fe7a7d","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
-01123{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":11,"source":"anydesk-2.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":7,"flow_first_seen":1613977595379,"flow_last_seen":1613977595391,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":1705,"flow_avg_l4_payload_len":243,"midstream":0,"ts_msec":1613977595391,"l3_proto":"ip4","src_ip":"192.168.1.187","dst_ip":"192.168.1.178","src_port":54164,"dst_port":7070,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","15":"TLS (probably) not carrying HTTPS","24":"SNI TLS extension was missing","30":"Desktop\/File Sharing Session"},"proto":"TLS.AnyDesk","breed":"Acceptable","category":"RemoteAccess"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","ja3":"3f2fba0262b1a22b739126dfb2fe7a7d","ja3s":"ee644a8a34c434abca4b737ec1d9efad","unsafe_cipher":0,"cipher":"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"CN=AnyDesk Client, CN=AnyDesk Client","fingerprint":"F8:4E:27:4E:F9:33:35:2F:1A:69:71:D5:02:6B:B8:72:EF:B7:BA:B0"}}
+01124{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":11,"source":"anydesk-2.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":7,"flow_first_seen":1613977595379,"flow_last_seen":1613977595391,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":1705,"flow_avg_l4_payload_len":243,"midstream":0,"ts_msec":1613977595391,"l3_proto":"ip4","src_ip":"192.168.1.187","dst_ip":"192.168.1.178","src_port":54164,"dst_port":7070,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","15":"TLS (probably) not carrying HTTPS","24":"SNI TLS extension was missing","30":"Desktop\/File Sharing Session"},"proto":"TLS.AnyDesk","breed":"Acceptable","category":"RemoteAccess"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","ja3":"3f2fba0262b1a22b739126dfb2fe7a7d","ja3s":"ee644a8a34c434abca4b737ec1d9efad","unsafe_cipher":0,"cipher":"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384","subjectDN":"CN=AnyDesk Client, CN=AnyDesk Client","fingerprint":"F8:4E:27:4E:F9:33:35:2F:1A:69:71:D5:02:6B:B8:72:EF:B7:BA:B0"}}
00553{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":14,"source":"anydesk-2.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":1,"flow_first_seen":1613977595407,"flow_last_seen":1613977595407,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1613977595407,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"192.168.1.187","src_port":52039,"dst_port":7070,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00478{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":14,"source":"anydesk-2.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":1,"flow_last_seen":1613977595407,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"ts_msec":1613977595407,"pkt":"2MuK4S0uKDc3AG3ICABFAABAAABAAEAGtfrAqAGywKgBu8tHG54tLA3cAAAAALAC\/\/97PgAAAgQFtAEDAwUBAQgKHE34xQAAAAAEAgAA"}
00463{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":15,"source":"anydesk-2.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_last_seen":1613977595407,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1613977595407,"pkt":"KDc3AG3I2MuK4S0uCABFAAA0dDlAAIAGAADAqAG7wKgBshuey0dV\/SLKLSwN3YAS\/\/+E5AAAAgQFtAEDAwgBAQQC"}
00452{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":16,"source":"anydesk-2.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_last_seen":1613977595407,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"ts_msec":1613977595407,"pkt":"2MuK4S0uKDc3AG3ICABFAAAoAABAAEAGthLAqAGywKgBu8tHG54tLA3dVf0iy1AQIABwXwAAAAAAAAAA"}
00882{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":17,"source":"anydesk-2.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":4,"flow_first_seen":1613977595407,"flow_last_seen":1613977595408,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":263,"flow_tot_l4_payload_len":263,"flow_avg_l4_payload_len":65,"midstream":0,"ts_msec":1613977595408,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"192.168.1.187","src_port":52039,"dst_port":7070,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","15":"TLS (probably) not carrying HTTPS","24":"SNI TLS extension was missing"},"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","ja3":"201999283915cc31cee6b15472ef3332","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
-01140{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":24,"source":"anydesk-2.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":6,"flow_first_seen":1613977595407,"flow_last_seen":1613977595549,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":813,"flow_tot_l4_payload_len":1076,"flow_avg_l4_payload_len":179,"midstream":0,"ts_msec":1613977595549,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"192.168.1.187","src_port":52039,"dst_port":7070,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","8":"Weak TLS cipher","15":"TLS (probably) not carrying HTTPS","24":"SNI TLS extension was missing","30":"Desktop\/File Sharing Session"},"proto":"TLS.AnyDesk","breed":"Acceptable","category":"RemoteAccess"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","ja3":"201999283915cc31cee6b15472ef3332","ja3s":"4b505adfb4a921c5a3a39d293b0811e1","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"CN=AnyDesk Client, CN=AnyDesk Client","fingerprint":"86:4F:2A:9F:24:71:FD:0D:6A:35:56:AC:D8:7B:3A:19:E8:03:CA:2E"}}
+01141{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":24,"source":"anydesk-2.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":6,"flow_first_seen":1613977595407,"flow_last_seen":1613977595549,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":813,"flow_tot_l4_payload_len":1076,"flow_avg_l4_payload_len":179,"midstream":0,"ts_msec":1613977595549,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"192.168.1.187","src_port":52039,"dst_port":7070,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","8":"Weak TLS cipher","15":"TLS (probably) not carrying HTTPS","24":"SNI TLS extension was missing","30":"Desktop\/File Sharing Session"},"proto":"TLS.AnyDesk","breed":"Acceptable","category":"RemoteAccess"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","ja3":"201999283915cc31cee6b15472ef3332","ja3s":"4b505adfb4a921c5a3a39d293b0811e1","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_GCM_SHA384","subjectDN":"CN=AnyDesk Client, CN=AnyDesk Client","fingerprint":"86:4F:2A:9F:24:71:FD:0D:6A:35:56:AC:D8:7B:3A:19:E8:03:CA:2E"}}
05662{"packet_event_id":1,"packet_event_name":"packet","thread_id":0,"packet_id":41,"source":"anydesk-2.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":3980,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":3980,"pkt_l4_len":0,"ts_msec":1613977596944,"pkt":"KDc3AG3I2MuK4S0uCABFAAAAdINAAIAGAADAqAG7wKgBstOUG56PGIGVWcP92VAYA\/6ExAAAFwMDD1FZ4hNO+msUnGzaUU1nlPykrkKoqd5IWa\/vA7eRR3EZWBPkhLgUG\/LhKYhOBCw1WETNsRkQ\/Njqm5X16glM7tI+xcqXk3+pstweoYW+cn9Gn62XhRf8R73HpNP8O90ZrBr9CegI\/VdfYrSOHPhA2e99E+0j4+VZ\/OWFINBvKkj3BJnfIY06LJr7sGJtR+dAQOwICx8D4\/W7388S52uXl0lL2KX7WyKVvleG6T8fiXMQLVolTazIJs4yZw9hrrazGCRC9Iqdm+H0azjBk4m3YV2OMKP54OCS8dUcnak2O8dvImZ5iKslxqv2hokAbqvJMaM8mhVBXwGF52ctr4Cwnw77hzC+mSW4bmrp4Tcg5MPiRw1mTQ\/3NPawA+Zq2rxYSvhk\/u9pX+e10AKM2NMlc+XUfDUnwHzrihybSEsYE0XQlkwxxyc+9H9J8YsAbL+BW7EjTLB1jeSl5z2MVP12e9NNW6MZhJjwB+sOhJ+fNX0c\/v9peT6wkv\/tfGsRdmFlHVNXdzWn0O8KPkjxVcY8HmLnhgEm6RUAJURSAsF3ExMd\/sG+P\/mU688tcA+RgLosPwl9z5uDAuz9NZCd12HIAtb95ZBP9rAEaxi82tNAqOYj68rFfzNf\/RpYJfDStItU9FV3A8kHsKEGkFmk4wZ1tfIEOtfaaKe85y9pH6KiteXJy5jBBJnmRZTq3hdyxERiq+Tgi+PIu\/MNnYR6l1Pqrms9rI\/EVyNKDYzOeDBTR2B4i8xQUojiYfz8udZp2jaWACNjoGW1qrXBfIZoN6McfX9bXlxaVklg8xVW2G4CKsbb8dOBkttzzZK1dsazFK18wuUY3+V6Ukg1i3Y7Vlu6oV8qYQjVWhwNKWHFFQz6TJ1f7KJB90kDzgVnWYYn3TfOxejwLeG+nRzfrXzulo72CElL6Z\/lG\/4p+l+2wUPmPUXnPCfsAazCunsNe\/KXGVNe16AsL3LO1LT6UMDW\/nYelajX1pVTfya\/e\/g3PTYERCzcbFUt4y7zrmFbTnT4lxvHFvxanm260ljGYOP06b\/vWg+4pWLrQNkWA9MTICzlcpF\/Wmidlj0qfi29KJjQ8FUqg5l5XTfqACYhtKC63DrEESjMa46mYX5whiXYX2KSGQGVD+QvD+zhP\/CtBWeSzuMorWP+vcKHB6d86IQSfd6cz8qTUxY8QCZj3ANEPGpf51oIB2bip2d1OUvGIxbkaKup8u4V60aDmH2PiICJH7ivyV6sSvDty0QVNDKnid2wk8iOXEnChUfGO5mpd+vrzlTK6CD4G4+lV\/by4D3sFE2TznnhMG2zFDfGeHQM6Wj8gm8KTfbN+XyFgT4o3Ixk+93DyzX5mHvlurk+pBQBuQ9ppDbIH7HFD7iUZuoLbfUqyOgSKk30XQutoXEK7RJmcYeYBWd1LzTpXP+N5O5yfEDTBHxskC82ltKt9sAuTc1sKTSCwKaKWO1X\/efVdDVsf6PBKNtWizrLEymaYbySEtGfJmMlB6uqJtfUm27qL5ujDZ9mIHM3LMDyrXtK4KlpdB5iI\/euSzqF5fQqGYeXiGJN0S41Eb1GzBVvFl0s3aeJb4QFn0CJSOTsL6GyRbOkT1a0vLdMrPBz9u6B
ivhEd+ZLHaRV3+iJKbIcXbXR9lrCbTCrjSVY49HI76N6tDFWvse7Dr0bXXYFqqkOjweEf0JSWOknOhym3HAWiuHVX+ROnUrPCbEeLIpp8zL9GGOTk8Q2mr5Spw6l4rc37QDj2M6jtgkezE2X86cK+oDpDDOIVj+F1pGcC4UnUPTK3scoEmHGH7LkKEd5RDRudiwg7tbKcGUP4BwRqmS2Gi9LKpIBXdtqiZPGwomBbzdlo+z0RHOWr\/up4gl1dmUxQF+tDc4oHMCMi1e8zspb+grjhj6EezTHv3ji+8yN7mdzS+Gkbpt7QlBarSoY5L48wl08+ZBvrukp07VUSwQcfAn9S8NB43w8+z45JDDrveYZ28KVDUxo6GQB3B0xG4JCzoWvRhSPRa7ni7nu9Gszwc7tPJ9xiDAaAq2gfthjMseLUOdGDz0BISGCxKHZieN864AhI1py+AEI+Htmrh10CW05qpzZwVzz2VFECGzsx3x0C\/nqnxrOECzUm0dPJrMExdTxFcgoqXF011yHCSzXtxwC98icS2pusV+yTjVIhj8CfW1d+8fVhOArSXi3lMMFjUTzDLcJtssGLQ0cjVYbimvwLxyXqTRGVzWkuGVPh50FIqPQeJG1RhCeW0kbFVm7W9b9H9S7klEciP16ZhaTmVvfTTgYqrR2ZJmHH2I61Ib8cJwB7qC65zRSXnWLdZs\/TuFj\/TxT6UrRcMpV1vvOYjns3Gz\/dowyWU9MdFg1sBuoUzdYhOH+xh0gjiOiFR+OmO9yK3di5u27XLW1hOtpPgG+VqRkjURJs2X7eYc\/nVFim9OR2M271rHHTTGmofiA2qRYewVfivK4+jJV2algoPfe78BQVj0lYL8HSL2ZIOVwb7WccV+mHgXVjcaDr8VeGILburQoLgZ3L3Rh6dBmFRFNDAM2F5UvL6rcbC48HPxdFN16gQFsf4yKqOfuTQa4qvxxMeVacwMBH8TyGwIqHd+Tu1k9SeZW9JzAKZNOepT64wLCYsAHDNfrvua7\/DM3Er3\/3ogYsTLe+cEnrJEF0jzT\/pW3BeJvaGd27aJYiI4XXscQqB8hOAXO5tAOPRO2w7cv7WHSnJd8ikF\/boKhx3DSbhEgqQliEpDTKXvGDhrGJ1aXzM83ENzYdrp3w\/qh\/Nf3lFU96DuSvh49grWDQkMeDDWWwXeT35tZD\/9i4Y5fFpZIV6SuRwn5p+R9aNHdnQ\/kTb4S4uHdPEUKPQjKs\/yJMUGcPxicPpB\/EisjPsJJbm7W1mTHU7MIIM\/vWf97H\/qvxLJ4+6dpF7eBxBYIXZp4vqqyNXSe8fXlScBOjZ7KGFq3h5Lsv1iilvMraMq1ISyI1SMlYMJGCypO+r7ZEXKXhAC9eCXv97ngQmCSfOC8yQy0BHfYcR\/GagdbDhHp52TBPv540aa8roHZiDYWEAvRy60ik6jCvbpXWcGapjEPyt9GESjgevqZXh4ByQjZeQa5WOr7Cz5wUS6XJhwdm1wGwlzD8KaiSP5C7Dw5lq8A3RtUTSDSCTiMVWNgdjSc74MQ1jk1g8XF1QA5oCCJKcd6baWRIcuCXGejHzwU++HX+sLNBXpzgm6BOkdcw1rBrXndG\/g9wtAODPp1NIebGIUBA8bwWYJXy3f1MwWV73BLyP6xUng2u8pwIPJ\/w72lzBfeximEN581Pmbzit7uC+88wlAlAmE13UPXh2L6jM7HCsWpxaF79JpkSrnInn8vub5LDlOlRQ7oild8fQrhrbGarKIIrNCdhLZ5aouS96b\/KyopW16Xv2Rc9xFrgSg4ci2RYHCemJZwYuTROMsSoM5X52hZZrrjU0vBuzfjvVO+GgDyIKa39Yoeu51MP+qfWqjdDBZ1wgSVjTNfz3TIE4A4KMb6Cl63\/6TRFZUpnIyceUMCe2IP0kvk+YgXulkcSi0emPStQ4WpWgV8klz3n5cpS0yt5Idvkv4l6FdXHq3kxH\/XTM0niEe1
M+4lFJRaB7IvrjklA67KYKUY8KCZs1yVLV3iBzYHV5q5GSPmymAagTbSS0ArTqr6BOKPdX1u6z4BG07x613PW2TE0ODR3DvxyFC+10nNZR4enZpsOrMGbqDyW9yidkPDpiZBhlp7NXIKAxPzV878YoFs420WX+nCtL2rHv69VOeWflwR0tlbrBYDRasBj4Ozy\/MWHHB47HxGgEI6rEo7Bj5A2l4qkAQCBvGYxXrIir5l6wMCH5LO77vM3yVRBZzAmxfDBn1PMfrss3MsnCyKM82azzo1KByvjM7tt+seSzjL4zKeYnBAxt+gpQU9gpBmPO+jlfaa9EfPfXktD24k\/Au+q4dpgZ1kpHdHuNvbEoLWf4GbGEXFcLbRQ85jia+McSrUdVt+gCMMtB4Z9SCaHAATa2UM61MTkweYPjRngskZ+R0ZbPdiORtd\/SbSRFFhpzIJQz\/AsvpOkr6s5utvDByWbKYa8AqQ5Aykc6oJPNVOD8KWUse+gAsIa9vlmRZ2iuMVUUTUHOCazB5EZoseBAlmJ6oc\/B7nctTpL8LmbkTXwj68y1leVMVm9D7vjM0tFwFKja+2ONbRpfRIA0sktOr3ZvqxUJGcKVycsKY4vIDIm5kACo\/TDsPHtL7PoN4CClvCb8kjCdjOHPLu5cD8\/KrvTkAZQtVA9VWz5+hm6Mn+hLgQ7KSw+5NALvBMuWC6ovDO6koaEtI2D2rO5ztN9to\/hy5AEOOCwgnKfOrVYxrml8DM25Ysz0X38zW4Qz+G8fq5qUeDUSWUU\/IZSqDcQC8mgi3n5p\/p3YhvfkfrkJ6vJ6nVIZUWJz+bMTfErsyHKmeoj9Msh7Aw8bNmpqeGEZ8xu1teQ+exP9+TZQWquTpbn2wxK+\/5ziA7OY65TsT44gP6mGlwQXUAUkahCLUd7kfyBjIF5qBtrkbgi0KWQKd4ZWhuLu+o1+dEax\/z5uTA3urCjHPw0CaCWul6eJRh3p18p2GsUeY4YB9AMOs6obyiagcUi+oA8XKl0J\/kC\/2EFYc\/HIECCxc1R5p3Gk8JuXKm8r2pNgmzqVHeTbatHsxapPWERfMh+XtO+ldcvlOBTbgmWeBcfYHu\/js8wOgUStGstFxbu2OwXllx7VU5MkxPvRFteV4cLNjNG+Id35MmSnXrcEEbVEy9p5gZyxXyq79oDrnZ7vw8\/SKfhclqXWwkXIN6Akam13SxsIVdOq6NRuhb01xYXSgIxM7\/qsEwNyCKMzME+EsFyX75nzo4KlkLJdg1M+SYi8T9Ap2MqlAfzWI\/v2YvtEkM0hvK5LqtBgjXdhrrI0roG4RmfJlj+Ll72KiZd+UDQij1bY4IJW4KPauCJZxtpa2lYjenAgTHYgVFVhcxwH6E2QRwdKyyOCSg8BGs+6dP40kQS1hBBfHQsZjaJFUIaEDwoxe8AsdTjTJMdJ+GmcOB2KxLQXTaPKW6EcRL9RPDlWxhV+b5B2wd2Xe7ELG4B8qwKMuIQSfGNkahaIGKLVDksKlHnHebxupiKOsN4L5M5MukkAhKJbldgHZVeYxLih\/FbNPzwMXZ6WJV2P3OausnccFHvzYhRmiN2BsLGpyEh7aonio8QblciYgEQett8fFtbOAKB5idHPPMJme3uSPo25PTlsI4AO8="}
00176{"basic_event_id":9,"basic_event_name":"nDPI IPv4\/L4 payload detection failed","thread_id":0,"packet_id":41,"source":"anydesk-2.pcap","alias":"nDPId-test","l4_data_len":3946}
05959{"packet_event_id":1,"packet_event_name":"packet","thread_id":0,"packet_id":66,"source":"anydesk-2.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":4192,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":4192,"pkt_l4_len":0,"ts_msec":1613977602724,"pkt":"KDc3AG3I2MuK4S0uCABFAAAAdnJAAIAGAADAqAG7wKgBstOUG56PGJQIWcP+aVAYA\/6ExAAAFwMDECVZ4hNO+msUprQQcKaCL\/3yGBAWoUYj64f9cTm86oqZu745SoKxxsuQYAO9mkE+kl3WZU56JyXpeD9Q9dkKY0\/k9HglokoqwD\/PKaeQXGQHDlze3UWZzWX7M3YkbrfXVo9B0XdYNyc1YoVAh1u2fzDxKlINbPfkWoHUMQ8nZIKb6NX\/JxvJt+ZV3z9tNmFDuZ2fKebgx+e+GXzUtLy6s80d0KnKzKguedS\/qqCb+izZscPNxegEW+hE3Fkg7uLTrb5VrOunHlTG+RsEq5B06+8BAo1WgmecznEJtQTnySFeKMQuGFltd7jXYfe\/onB6c7qS1Y79roVLvgSrACtJdJzSr1kWN0UMKLfd08WSUcLbDWPj\/pOjgcmroMSY1Hj7A087KqBIwzPBy2q93CgrnT4HGi4SyaOA\/s958H\/QDZsP\/c3SVYfUxbGFZxwkZxb0DZ9PaVrM8pQ6wBt2NnmsJ\/TJYu3vbCF2mct7AEWW59oLz4c5NEj4rcoY2vmRtaex\/qdpOD6NJXj5pzzu13oUmsxbDxAuQVoyLMQts0w1XSSX9JEWzqVxMQiWJTLz7tnGyC6XC8JeNzutQTlWAQ4Y8q\/VE6YRcgmQehn0Y22BVHZUt3+5kvy7RkmOgRho0xOMGkVCiGszRMuirOFeZvH6wWbLe+Fqj8Mi41Rmi4hce2LXdbh\/nnI+N\/M6LYeTfPpUhZlkDiindRksMlMqNGHRRKo5DXuCgeOhv61elHVCGu2CZbNyUaBb5DSafomMamhLQJShqN6BSJCQMF+WqcTmhrMW9ZJWPgO3bdvXm7PJM3OecPj5zhu3pohdn3NDRHh3PdNbz7zOgSGyDx+ahpDteCKVu50k\/yZTlvDshm\/YyFbn\/\/bMGVsNnRvRpJ98A93CU1UaSTt6hnIBuvkBIbWCyoMWo4peilViV4YoIcTGJfxkhiQRhr\/oPHRvHxl6aKgAh16e1JrhFkxWTIb0IYO73FqZNEjt61DIqtNhgAeckGVHmpFZkBccd36l56nSXidKhRZCHhScRwXsCp9CnbtM14Esfe89RvdsvHKWQQk1wmym8yLa8+8x4APDEKaMExSaHu4yo06DqC3QKwx0A7qUkDDeX6kSWWFyTapoM313GMCgfwncy+02oxDnPtMInB6+4PjZQmCuuyyargXr+VTCW9GbCaPFbAVsKj7wvvZVu+5JPsIF5cGtz2tekBDhaYgSeKrDHBSLijGLXRMttHI1gjAQqLhAPykbBwb49rWbuHep+CXuOnblyov4Z0CQne\/wPcuE5\/MqkJyidSQI0HYwJ80nOYKCz1oqJBpj5BLzm38nHNix+VBypcYqnGAFpB7kGamJHKyVsjT3myN\/vstVsj6+2qofVEtzr2JzCVp5lRGt3nI56wQ5wn69jyak2oqNqzMsR0mtMjO720o+Hvr\/B3Yat3rmjFTJGKcx9XdI6OXYWfUrYU3lcdVfD9BHqVWnYkxtHpKz\/hWy9PkGwdnlBtmVUiEq2T2rbsXjzRWRJCya8huquQm3tH6V2+LvRLToXFBBvqARAac8bdF\/Dq4o2ZChH9gzIVrnG0TthLqMz7Gh8HnmiGoyLFNX2mEc8TAfE75VcjfQnK+F7
sMW\/2j2Emvk6kTizYgztT6xdNM+kOFhmgkqaD9auk7yd3Llix4iCr7rC65yxoozOAtnAE7ugv7ryyE+i4KT9zAadUISewEBm\/LHKh7brKdfShfHv4gkvIqy2yNtvlmmr2nXt3qmhdK+JBkCv+eK+pAnjQEFfoy0EXZxQ6hPQQfANQUqHxlfTqWA1W8HcVpgqAtUABMKyJH68BMn1G4VvonTESCw8lPWd+trvPElME4YhaRe\/13eGmjYPu\/4zPZkHLvkz9wwVa8MNG9vBc8pzX6ms68sBeV\/2q366kDZA9QBeDJLpKZevIJ\/sP5Z4DYWiNdSOjRB1jfWALeE+mL4LHNIfHJ7Z4NzaOS+i9+DcHqapIjAOuMaH7CeT0\/Pce2jAxl9MsfNrjXO4nDba5Rj1wtPlrKEgzNx4I8RJAsUg4\/wSOjJCZz4UZqdxa75zjaXlkOqX8uiV0V73GVvlV0lWe+sOp9xbdFSfaG4TVfe9SZDkN+p0pC2ffTWANXAViChoMw6UhCy1+TZvuJjQshHlS+MicWCcQplbbWuCVDhaK9CyCR03rDKWm58a2iPDRvOaTsud2TP2aCmFDhlWEg4lBQdpTqyH1yo9PTeHLk+9EOu5jVl+04ESOb\/N16YGUovGlc43iQrZI6qZSOWcQKkZOu9dbYynxBZfbRu682xdxK\/zH5VIl+uv7FXg0up65DfvJfHWDjz4SKxOoYB4k\/jJgzDQA7yZhJbvxKFLcBP87hDhl3LE+7BEGakOCaw5bkYPN1j5zKMbBj8kfDr3jGr6HrDqCOxtbDg3wQ3MvH59CFwPoZNNk0\/wFxfaJ+sqIM9wQqSJU9W6Iloo5cren5bpayTyUp3Wci0uOoXMteqlZWBI7uEw2k7d+cwi2NJOxbZGdWLHQkdfqHykoXc6BNB69Tp\/7sbE3u6vKOtJvtq\/PvRAxIB7xYJMOZ0aAsu1leVcgg2bXBcVgXv1xihW98mC0nor7WMN5VnPeZ2tm8ZFAK9T9SCDrXxLLDajbpm\/KEcFva8k4cWUtVh6TQPnflts93Z+jyJuM7XYJFHhkKt8RsLCMQ58SISszntDBI+KDmDTpq1qnp7L7DF57PRhbjRLV6ZzW83Jyfo52HzZrzID2A+H4W2xXqJfnWhHT+0f64dmfezHIwfYc31Ff3lQvNOP2JmgEcu1xxlrZ7cj3vAiIrSmhGYJjJb3IGCsfpjeQVpkdTnXJfECE9pFmC8WNuu0xIhcGpbMwAH9FyJEKxYwSCJOBrRwe5xEq61Mk1xrMYVUiusla8COC7gSALtvRXgzba+n+pOse25W4FCEPSotEZyJYm+ZoB94aexu0En9VvCHkr6Bn1kaxQKXkShW+rSVBp8VZCGWZJ5u3E\/v6brFMy5iqhgAHhAIhKRgtmiMgu79drOIsylnBhzE14f\/octGhZkcmqRzN664TfbYCFx8ZB40bGeunML+jrox4HD+f1e9MRdNCZsa\/QKt0gnrEZ7VvIWS0X6u3NVtU\/bHVpmXEEjBilRP67uCI2QAsIjeqK5P3Aywn2mKPyYmiAM9Fuj7fiieYtzZJXCemq3Z54S4KgGjrl3RN1eFKyhLt4UhkB\/voYMQuEDQ0VMp\/7fjZDcrBbsAYAVi\/\/h2i5VFSc22QzmlJKwGg75jJKCtv2BY9UqbpKVARo6wLtF02JNfBoAF4dG7KYqqqJ4aANpjVvzAilQr3\/i\/YLyvuIJkcLcvVLjTPmigaZLFvgdR2BzziOOgyz+rWELhTiZO3O4cvQwDeoGl2VXTV2K6O66nEvnOZs3EO+Rn\/muWs0BvGC5xBpCJiC7We7I2k99BcJHFtlyMJvAIHUIa73dUIOw\/f4gIHxuoGntDGvJhlgvl6RFZmOG+url3+cIzZV4uGJzL5U9MGukmO3qu+C9RsWTrPw\/V4IF0dT8F5\/SUIyiUQn+n4YjtcPn+6aKl43nhmyJCVyvXQtKWk\/mW1G
RQRDtOZPbNIViztVETsrfUUSxN95cVPNw1O7eYWi8yCEoLqSREzknZUhgukEfux1h+C4gNWTRiQWaFCY24MKbevWZPfVPKTYIaHusksoNAA7JOEVpVD+hgEla+xn6+w8qS+dRIEa5EJThv\/wYA2hoEzxzwzt\/WKYQVYoY7QC3dw\/aJC6kFV1rW4HPKOQIVQ0WRur3rJzV7cqzPxCAkBQaJNgrP2RYDTEW7a54Ew2BJV7tG27Cv32v8s\/3gwS3ohqFDURP6Zw+ocRcxr8BMI9Az2dqkTJRCrPdubEjy5dGt1K+6bYBejmy18n8HKpKVNffGlqlfaJ70g7w2kYNkUNyoHvPvdK9gp34XV3LJGFi9dTmcdNENQCw94Ftwhn0CLlJEXW9EnfiffZnPJIlev5GAeCQD1+4fgeeS9W8m3VAso6ewPJfBt+xi+LI9j2VjL3H4PXm1d9aVa1FXjVep0uWM9bKdprw6BM0liZaHLKkVHCFcwlsj4kpg\/nvhgsiy4WGOSaKDtNpANBj+bmE8GiRm9CYgEmx5ulTEBvQna1YSQnDxITBSVbC5sYXnOvdUurfH2V+M\/ovvhaTaC7BLTOYK\/DmIQZwFzlpHuchBVOM0dZeSZ2oM7frLsnqqx6ZnNgrpSotYTMtFnxqL+CsfLSCZHGwVdTtBQ6VZeXX3Ke1YnJgeMuINTx8EdGbMT2Gjcy2NAO7JeEP5BD53QX3KPVqP8nTsRQm8KhtFHJQhOZHZGUa4WTjbPEZR+LIGxIxdDGA8A\/+CtvQST2MyyLsB9o8A\/lDjsDRsd2rw6wIq\/xsbNjc2Tpb1u1tbCWpmGUHbsnK6gH8btF+nStO0OMW2hgzOhMFzzmcmZFf5EZbyqonDxHWUejhuXVqlVO3Wkguxmy5MWy0q1HWPa2\/Bmk\/eeduKDzyIbQVIuw\/eSMmG3usQ5ywpqfYGiXHTGsEDke+p28IG0b4jXxxmkpHXxVuN88OHDDfZbBMmU3YIUQSAxSTlfEkSjNBlV4XzAsdoYaiZewSWBGaonP0l7AJZKwlUBRHA9I9Cf44lLDcMG0F6e6ibHSfb30U+Ma8fKc9GX0hpMSVWvnu86dyPsnA+8GYg2Gw516MasDvNv4bAXzm6TheUfHO2p0TEvCE8yK5KTSq6XbTtRcCtpuZwxeEtfaQuefZH\/gGTPDg9XnLrxZGFwKiI70AMN6ud+p0pIgHQ3X3LIoMWHfbj\/Yh3hVi2Whr5vTyfhL71AECyG35auHZMTXMjl\/D4NEj+t+w0kat4W4GuE+tsm7ybUL+V4lTfC7odPRD\/0a0bEkC0TUkihprWUyaQRzAXiYMAmf8JzVm\/zGFbzBZFcCKBSOcf6cjO0SLVwcS78tbxNYlWRzVyrpJawM71C3Pc\/VrySmGIaFr18cRBQEyq2XKLHfR7cnMdcIGCOAEYcidqXcnPvS7r2wBwcU3RXoKnCBq3dnrVlq7kJS7Fk6vjCQX50PmIi0wXdzsHBsC3oeGZmpq4GV\/KBDq3xv2Y5UCt\/3OykZXEZ2p72Dv9pWRjXpAP+ugytg0DqcahOkcwQua19WVcoTvJtZAdb\/ySWYpKHc9rU650iXz+87h5gsYvH7\/qlRPUSzQH4qUTdc1gN1Zj2sp0WCwQziq77v5frBJ9CwPRZBWYf+1VG0gBiHxSBmkNwfKkgh40c9vgXkPn4k+ISkqyzSc4ZJO2oSnHQD4PQr4vQAyjnySF5yx7puR9RNBBA+z9iHLbuilG\/WmezQ236+R6m3tYZAroi4IQz9xPjW\/Wf+i2JFZ155jnPBC41drFwyzHBw5tnEfjhXTEH3kgTxfnxyIp7wz\/Xs61VrXWL7kt9aPCARKkryHxsEDG755drDbrKwXri6PL\/mtmebFDabwfGiNKSSiLalsX7CU59fFMG6A+B++Jzafj\/+8hZCqyp7QLw=="}
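Review bot: The `detection-update` events for flows 3 and 4 now carry `subjectDN` where `issuerDN` was, with the identical value `CN=AnyDesk Client, CN=AnyDesk Client`, and the new lines contain no `issuerDN` key at all. Issuer and subject answer different questions for a consumer (who signed the certificate versus whom it names), so a rule or allowlist keyed on `tls.issuerDN` would stop matching without any error. If the old key was simply mislabelled, state that in the commit message and in the schema's field description. If both values are available, emitting `issuerDN` and `subjectDN` side by side keeps existing consumers working. These are regenerated expectation files, so the actual change would be in nDPId.c, outside this hunk.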
@@ -125,7 +125,7 @@
00177{"basic_event_id":9,"basic_event_name":"nDPI IPv4\/L4 payload detection failed","thread_id":0,"packet_id":240,"source":"anydesk-2.pcap","alias":"nDPId-test","l4_data_len":4988}
04006{"packet_event_id":1,"packet_event_name":"packet","thread_id":0,"packet_id":263,"source":"anydesk-2.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":2745,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":2745,"pkt_l4_len":0,"ts_msec":1613977603313,"pkt":"KDc3AG3I2MuK4S0uCABFAAAAd0FAAIAGAADAqAG7wKgBstOUG56PHFwWWcP+5lAYA\/2ExAAAFwMDCn5Z4hNO+msU3mQde8XauUXuibx23ZWOy1lfKlJdZeS7jbArOCdma5G1Oyj\/YHi4OgowtlsF3GCyvWAIcIaf2qvcUvo8xw+u+vFmA88\/ZFtsQrOzjtOQOjqB1w9IVRQDv2grZ\/g+TPfVtI2fmulJ6\/DmyG6skD8\/NJUWgh8nP2od5WwvpSZMAK4lfKeb2z0dUsUOya9f5mvFpFHQtfrBKUxJ+Qi3RehBwzTb55Ty8p+hZJJV7Iwzjy4pVLDEN902w5s1zPRfh8wp6Anmbv2bXEn0A43qLMRFkgBP5BI+igCLV7CUZs1YGzWqE2Qe5LZSZvQs9XJzBdK9uD29IREqU0HJNfHTRP5llSd7+z4nImKHOyeI7anpkMzlguOkoVfJQEajpvI3WE9X\/1CUkRjvlueAQCmBNgaGjBqVDukdBpXNlB3n+105fzXVNBRay4p\/b\/GcjzrAXO3IE9M5nF02cdlxykTYZ\/v51qwrR+BW7MUkGi3iYyceDRneOdImiEA8Fx2ms52erPvVB5WPOPh9wK4Bx+Olb78ikN5Z6ABTeAlOOHzSwfkuoLGi3VXydpd80btVVx94fLuzAnSflm6lw5yfcuyRzOr5GQAuVNsGcgID\/tfJAgJBy5t\/3GV7d0R70TiSGpc0dA8ovueO+whcxGg6XkvNylfFnAymmw0H4NMNkLqqo252fRfF7\/bzwTJQowsRZQOWGBqNMHe+7deiTVbvVwZYIsdMXNebCII3WU2oVVD64POtpmYsGKOTF2T3fYzkHHLWAVWGQXU1SehD\/X6lH4iv0uzHEKfY\/Hw8F02O8iWssDHjxDLKVUsInHxGwWBZgbF1MU72FDnuHR5CGNKs19Jbx9I2Kk7XDMbfxxqgpUygmTtFPYFKryt93oYMUkjkspSKsTBRkCWXQuaQo7qu35UlkH2lUKiV09U1wYPedcqUsQ92UbGj\/siMqOIyeQowgB+tEpc75tZfM8xnZmaiFsP4Vbf7x2c\/9r5dJp0GY03Yhup7L6msnnDvEn666l\/wb26yt\/yCGM\/WN68jMfQ9IAH+C39Dcs3b\/+kwvAnD044ZM3+CUM8hQFmGwe94aPz0bI46AuTKmNNXtxdN\/UJWxOhk3Slo\/7+xVgIu6ryQ\/3gqxm0qSPUTi4uLVp6WeJiJEXZ2OYpVb9Fy8UCEez\/wS41UwuJPv9fT\/EMbWyowl7srODAru\/H73XdW41KrMalzeWf6Mnb80av5KwiOs2Y23EoAu4D5z21i4Djf9v9ODq2KUOHe9qEvjwxVEnt1qjhsgG+OjPvdbTT6\/9Ya7HaguBU9fuN3skEP7nGJfAq5gvs9hwzjCnB2a4GfmzDhmVfHwtgGTFvvXET24NHuZ4K\/8PXaQD8fBsQPzmNoslsonoxEPXlubw07HA7kKD+zNBa6FR1oTEAvBYYHKVjVMGlbNwITm1Qe+SWAuqxnY1eq541bN2ZEe9inXHIZnCVkpt9QFo2+Wnlii6gpZKNvdvJGlt\/Ck9K\/d3yfuDmJ2HoqpJzzoojRioHe9nS6KdtHQiVxWDCHyTmPDoeJjFgmNShc1KNJCxdYSrbkpXIAJvp+2EtxPnijllODqp9E1tFwH\/rzveF
mx+Wc1K7P3nLChjoT3ufyQk2mhbp93u\/64NyqZVuH7fRyBlfDOR8yN+BEsixebRyiiK\/FnZJ5fLjfhgVme8+WX021lqeGUdX3m\/VkkyJXsLdoBOPanm+WsGtt6san0iXRmZTigkrHoUlUqrF+qmPvvGm4dgD5dKZXTfVVcTvCeBoWiu84Jakxdh0f5VPyQtD5ET57bn8KGcxpAXRxzH6jCiH4XJoOqxeENkjlNoX\/E9R6S5uAACvvrA+ORK8fhz5MVGKF957Ut5GZNW84r\/Ky2TYqrF46WgAZBGJux69\/T4D1US4ZkgNfUGfpuRGDdidMFNf6yW+ITJBzigOL5NJlsMkQOChbTmqlMe3ls+Sb9u2RcrE33nNSiQxahx1SH2r4CGe4a7tQFwvlhdpZphEQzqrbUvlU3xdCMtTxxne3XgGSF8j88eoUPM0jqDUPlrBbvd5mXogZYZLOEfpyiMSNnbwIvEq3R6cCrmh5DdIorOBdj+RAuOyzSD4Z\/2iae2GDHelQyAemjxPKnVE2d0KVuxBWFPtd1zdWXTDCyFU5H5lDpkgf1mzHiNrvqSpBI7YVjs7mwDQOgbo9RmT4uxCkEDz5IWg47a+P4f5fcyxrdxQTjDQIpN7uN2CBc2Oq7JDZQYuUrbkmwr6hIAG0JW31HQHIKbQw56Eq\/UwylTe5Yw3Xapi+ctffH8Fjo74SgVjOfurQWtPkJ9y1\/XCYJlkQj4Eq9NGKVml798jEO3kWgIeLF2jcL\/xBEFbrjd03vbXKYB1444cMPq+N0eZDETbjBDQsHeHxvCVoTSxbrakgRAQrc3H+aBqBNYRqoVwtvSSFd8iLiG8W+DEr5zp94CSESrQl6Z1\/VXyEAlkGYB4NLUO\/vDEyyviQJyNtmzhFLw76uw+al1LSas8zYAYzxy9kQ4rSDMZ\/wy\/xerQQN8zFOZZ8My4SWoU+5ig+EmAZjEK5XhiKMyvL9KoFQqLei0e8SmBe3lYb\/th5YG37aWDNvw7KvJZCtvAGp55TDsGVsNU7Fcv69v3YfLy66ZJ09UzqvnzQOTuNkBcMftHM1AvQ7FLM5FN49i089r0\/PDCaCegLQIa8yH4jZrCgiAK9DWPBsJOYCcVcnTyElMFGWKAQDuy1ySm9g6fXErhjvXhHTS+t9a7UxzxKaObgCXnBVCEULXe03mmu6RWF8GioBeesdzkyfjBjHk13FB+ujRnul6P\/dcW7e44Iw1Sx6zdRz6QcbuAdMXxeHZ4bm6MuTvlVw85lnaquFyRVNxzYZfjSsR8b3Ny2hF370r70\/0L1mFO4BBnD503vyP5FGEUer6jOORAbVTvjkfv7DfT5ce+mqBnd7hI9nyQza5Z0fatgMDGKwWiclhCNav+XhjFgM+Mwr14C2gJjUDg9mfO52JQBrmzyQuDTC1bfYod7Vodp\/oStGrztMdFIBGm4gqba7qS0CZ7u9eU+lY6j57OMtLpGXhbzy6fEEUkWLB9\/J6wcBps4b9P2obOHVJ45sa+as0LsL1RcdUCU8bHEUzFkgHWDh5Bx6gLVQQmPtT0+kXpnPw8VH7nAt5zbP9PKg9mkYMdlrpXIZQYH\/vYZ\/s4\/AO+h5uy5L+gjfhFfEim+1bTLMvy\/gIapPFI+FVw78Eb39bDVBsZhXArGP72zkjqH60HyLuuVPZr6X+LiRvTF4ct4kmA\/t3Q8QPnOFyiRxqDR82tP4\/aMS0FPR4Sq9rD63\/BKuBBcmRXTwRi82ovnDQdBp35qpuj9GdbPJjSQE2nfmX2hsX6Xk76ZHbaL8KjLyiEkhDJl4ImfOLo1YPuIq1a3DUWjFYRw8EY9o0UkUO568j\/Fc\/yC\/CfR4bTRmkKaj8Hr4ucVe2POT1Wd1gY+y2vQppzcKvXvnmHhNabFyqyW99JpzheV2QazE\/pof2oLvgPRXNjBs9DyMCTvOSAAhuyUC+3+iJ4y7VqFLJJ88sglwH+eYe7d5DWI
myW5UB4S"}
00177{"basic_event_id":9,"basic_event_name":"nDPI IPv4\/L4 payload detection failed","thread_id":0,"packet_id":263,"source":"anydesk-2.pcap","alias":"nDPId-test","l4_data_len":2711}
-01126{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":326,"source":"anydesk-2.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":255,"flow_first_seen":1613977595379,"flow_last_seen":1613977604238,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":16810,"flow_avg_l4_payload_len":65,"midstream":0,"ts_msec":1613977604238,"l3_proto":"ip4","src_ip":"192.168.1.187","dst_ip":"192.168.1.178","src_port":54164,"dst_port":7070,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","15":"TLS (probably) not carrying HTTPS","24":"SNI TLS extension was missing","30":"Desktop\/File Sharing Session"},"proto":"TLS.AnyDesk","breed":"Acceptable","category":"RemoteAccess"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","ja3":"3f2fba0262b1a22b739126dfb2fe7a7d","ja3s":"ee644a8a34c434abca4b737ec1d9efad","unsafe_cipher":0,"cipher":"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"CN=AnyDesk Client, CN=AnyDesk Client","fingerprint":"F8:4E:27:4E:F9:33:35:2F:1A:69:71:D5:02:6B:B8:72:EF:B7:BA:B0"}}
+01127{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":326,"source":"anydesk-2.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":255,"flow_first_seen":1613977595379,"flow_last_seen":1613977604238,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":16810,"flow_avg_l4_payload_len":65,"midstream":0,"ts_msec":1613977604238,"l3_proto":"ip4","src_ip":"192.168.1.187","dst_ip":"192.168.1.178","src_port":54164,"dst_port":7070,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","15":"TLS (probably) not carrying HTTPS","24":"SNI TLS extension was missing","30":"Desktop\/File Sharing Session"},"proto":"TLS.AnyDesk","breed":"Acceptable","category":"RemoteAccess"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","ja3":"3f2fba0262b1a22b739126dfb2fe7a7d","ja3s":"ee644a8a34c434abca4b737ec1d9efad","unsafe_cipher":0,"cipher":"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384","subjectDN":"CN=AnyDesk Client, CN=AnyDesk Client","fingerprint":"F8:4E:27:4E:F9:33:35:2F:1A:69:71:D5:02:6B:B8:72:EF:B7:BA:B0"}}
03241{"packet_event_id":1,"packet_event_name":"packet","thread_id":0,"packet_id":359,"source":"anydesk-2.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":2184,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":2184,"pkt_l4_len":0,"ts_msec":1613977604476,"pkt":"KDc3AG3I2MuK4S0uCABFAAAAd6tAAIAGAADAqAG7wKgBstOUG56PHIiRWcQFglAYIBOExAAAFwMDCE1Z4hNO+msU9LBvnBdfz8pT3uIpAXl9v8baPCclctzafizqusRLc+3yBRrxsTQWeM+z\/j15TWKILyUHSn+85MmEVgMVvQ0naJDIPu9CFBTDGola9mExfWT+oniDrqVp1gDABVnjk7XDV+j312n\/hzyqb4ibRnC+bFrWzgCW1GEKZC1q\/E\/6hCR8a6NWoWAXlJURq1D\/2FNJECXg84tGVTlZUZ1hjKYFe1ajrioO0kHG42Cd8Zjh8z0Xueajz3JAzS640hLUA9UiOwKymZvLlEbzmhvESjy7FaJ9bekboPw3bn\/Jlj8ZF47zmQeEehl2qQ6htreM+LkT10pyuawnjdSA49JLH62hAyXThdYpAqJip7Of2\/W4b1J\/sOcFmX3l9KAFnOoqthb7U+hWo4LNbMBAreRWvbyJBqBBBkZtLMF3OI\/lgS2KRgiGqWPlc5\/8IqmFk9teB0eXT3W90Ps0UUvmRSCUsuyjlE2EUCed5yhGbXvuJ8xSirr7nIFa1dYweQN7QjZ0sg00UI7aXkhkgieHniYh7BkAzTo5ugnGnsZrDAocUbXzyptfnLrllkciPWt6N4rg8c\/xwdNBoEXRr4P2mFanIOSfwLfesF\/8nIMB4jD4dzmMHqwwnijrCTzHMjJCWGjBiVcn\/UQYAqSGPRdj\/olBVabavlmrH9Royswmu55\/v0PdSgyGh\/aF1NdAgMCQWfK4iTLXOnXiEhxUmiaGmwJhqej+pUp9yjksckOwAldsZVm2TEe1KH7VnJBozetryh05+IDLSkv0zfcXCynFCbOfRrXJi9E5rMp+EFcmkCd5du5qCwA7mioeIjdmsg6o\/hZay9NNqv+SjegBeEnWjGidm62Bg2J3ugleU05MdTEjPG\/0WEVFE4YLoZ0+Rmk27LsJ83E69N6EM7LIqHaBy4YgdBXCwRYXMBiZ7\/eXyR8ouKpqBrgyc0zmgTMfEguyU7bGFL8oz\/66InO2PDAb3K1g9EivYV0J8FGZbXrGGgeE23xb1i3E7zCa4xispnmUp8ZnvfmRqlLtxCp9xRo6wVZs\/8OOR3ozRmiI\/PMUf2ocLk1A7EQ06Bysnei2m9sDgUmz3xW18h43AuI3Dq2dw8luofIYO2mIw8PGK3r5t2XcHhzApuS2sJNMJzPVZjPnXGXlhTtPZq8RtPkaHlZqnY8opMkhjFF9Aqz3\/NEmWCFimFinDFcmhKzw4Zc11XVddg6SqbuK6go4CDvysm0p0t9NPekVu4zDVD4EAMuugSYVQPLC+GjcaxjX9UJufqiIKF2iGtSmbJ5\/R0oXR49FUnI9yHKXJ4k1LJbs5ulkD\/zGTnwCq17x21cHuxnM6jXwS\/ZjHHSGC3ISErC25VTJIcskqau\/dLYahxzXBtlEISVUbywuDuTbM8bVfs1bmyjIqYpqoABDoN8znMk4tsz9h\/kXlXKkCe6C+ec5cX0UVZQMIW14dtHVYELwX+yQ11ENYgNnbDvK9eYwU0VtThgC3i1tU+NwupUlXjxfhWt4d9x+S1Drfg2\/F29sYlDkdvYZFNRxoce3hBgJMPkIZEwqQFdENALY7ybsrObH42iP1NFKqM2PiLlHgVkrXHPep5p5nTaEGT
1K4XQKFidsDE\/TU5jp+uV5i7tmWslQ3X0hd1lqhRPKzFSxhrdL\/OkYNUrKk8pswZhw3Z5L1hzdrsD27Qhrf+B3glSilptp8X7Eb52KYHrcuXisGa5DME2Lrzq7wHZEcCZuFh\/f9pqqJYEw3qNzgBQZCUbbeWgAPqTdMSOTev3F1ZSLvjeDledsYbcWvH+19SSbYW5Y+wa3pdx8cHj9rgNJObLJ0gF\/YxIeWBWbMgRPm9VI884Bq0CmrSk7ddVJJwqxpMhp3yO6unpbvR+zfTdO\/gFuftha41xabyjq2RbwbJS\/QEAhDCTueFRp8UI79s9E8eeZNx9EvY6Nti3XxVxAo3tbUi6gx1ha8BjET5MrziHMVJP584CS0eGAzo8fj1U9Uc+O6iOZvqO0xkwHZXp+13zpS+c+REzva4Oj9b6ImTr0r\/rqGg9rLH+ngtAU8Go4I7MCxaT+qMw3Sn\/jD1ZwNCOtlEOXIH0ppz6oLuqXGCJt0v8B4q3O9\/iS4Etdlwc5FwSC7vNZeM7RhhTBOd920Cgdf6+edNDGmsNO4htWQFAC0nm4yH7hY\/lMyTQ\/Go58thZciiFw4Cej0V0w9z1lZr0Y19WT5BpU\/41Rhs5jiD4sEvnn5fsC0k7V8yO3RdbF3LAesZcbukPjgqMXj48hBw8gAwlDe4wqdAR8FzU4xAgi67KDy5J9aahTmpodMn3eAlq2seT1sprowIc5H2Jr6vfv0RSDSBv125+qvt0xa5w4kAcrHbM+eOH0yjmMG3GLfBJVMa4Vk1NsKaJ0UQ+RHQJfAUAyJ8xY4LRIPsJajoH2jPGjFbI4LDI8bhoRIdBFUKHN9uZjbq3H5dTZloX6t\/+mVMaOBCiuB0wF96KeaIfPnoIAfsOIL4RAjJpyEA8YqwiLIYneZIciytK4JU0djusymFsgD3QmBLLM3T8wmJfmQs+XxdV6LUZCGbP48aNe2PEu4cgNFp0Gedax29OKBqKQJrrDAOojGxNEFqD+wgFm25xNUI\/oXWJUXCHAhyWvKF06pmsW8PgL9krA7cX3OGZh+fx6Ouf09uuPaEUfCe9q0DYD5wRHLyGMQuCzEVKuvUYxbp4bFbcuyJYIyTf6WEilDAJELMx+kjzm\/H5Jsd3GEHZoFCHlCgDalTY8TAlsEpBNykvZp6\/PHoKQjUrmjAolT9SDrLsJqIlaBNF2AmQ\/Iyl1mM2T2GFnQmg84apLYPcFrVeD"}
00177{"basic_event_id":9,"basic_event_name":"nDPI IPv4\/L4 payload detection failed","thread_id":0,"packet_id":359,"source":"anydesk-2.pcap","alias":"nDPId-test","l4_data_len":2150}
02565{"packet_event_id":1,"packet_event_name":"packet","thread_id":0,"packet_id":429,"source":"anydesk-2.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":1685,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":1685,"pkt_l4_len":0,"ts_msec":1613977605157,"pkt":"KDc3AG3I2MuK4S0uCABFAAAAd+ZAAIAGAADAqAG7wKgBstOUG56PHJqJWcQKplAYIA6ExAAAFwMDBlpZ4hNO+msVBGAU\/CQ+++T94X6aPp5XOKoWc8p1LFmHdGVPh9BmLi6fwPmaM4TfFP18K97w+JrG2mMRmj1tdgTVpDxt1C0Gncnny4rfOTrXTSleZ5fZVTWiCSG7aNbBqkDSL349Eg9z8IeGPlnYoPEN4tP0hVZemLcZgvILCgm49DsuVR3nhYp4sy6rhIgg2ckXEUXDokzjgL1yjIvt0ScqIB4okJR1wK79N4XZqDHUn2McD1b0N9v3pDlMk30O+IeVoz9StvBgQxoSM1A5v2XOynHvcw3I8aid5vEAfPOQwi7MSG1PCJ0p3e78RTR5AvwoWV5tJbAp5WWCvBGG8HYJ6RuplivNDXK02J7ld0qN7u7Q\/nmAnAOYa\/GWwRKg9Tr4zfIcTQXCCMH8YRxab5gJYESXf\/z1ewgfmFdNttFpDtF3N7hOkJJmZHsJzuVof1rADifgRt97Zt+Isn2GstbeNF7UKJMLnv75OfDd2jVaGyCWOSqr\/89o5b0Qcba9pNbd27IaXMZ396LcYhHzQDlZLBOMY+gl3DT40bd0Qn3wMvCOe79J\/29yZ6+yHg0PB8z38SVANS+MLgd5MHawzoK6qP\/KoynzQmsUhdMqkAc0u5QRyWPT6U3NnyyEfroJ1LxXZiO0p\/fJaarHw0cLP1fjQ7KcB\/LPZEOL57GO\/hkiUjKlr9T\/zgfe0MpybuxtbUS5tZFJNfvjqzwCDWxHE6QvgtJYBEYICQ9457KYO\/wcbNLey4CBV4x\/6U3oxvEnGBaUwLbpibk59xCzCzXuzLKOU2h\/EHV6JrEnWQFj7q+IE54AaAPZmfjFNLhs8FI3pZolVNQe96OFf7k5LQqyxz6oZ1rNO+dd9\/S1xOcgbh4tB3VzpRlIif9Xfi6vpxQgpAp\/Ckg4g9P2rmweTngy7EZcRiPY\/bi2lc5tqtIT2YjwokS+09PlxQOwAQPW9v9MUl+HVmH9C+i2v5UfxK\/4ypGKOP4BxiKQOzzNuz++qNx\/SX2yG+XNVmn4xGXdzlc2H8mwNwrvpt0+QLWBHW19hkrtqlSNDdhPAKKnjAc9OMKU7xejzXqyMWinIDTpLMEj5I3dKLCyxRQJXLZTienT2QWOT\/xdc50wNc4XYcA+6WBY7IyfdBJBT+rLgTGDSH1\/zTXELobM+rGuJkzTFRw9bqFFXtxSCc772VJ12sjK0vXDvFWKoFaNoe78LZ5voDtMwqopYvwpV7H6nPpWna\/o4CSRCyA3G14Am\/fxios0att5z9q+drHHVURelxPIt6ukJOio91iJVDLpBHbf1hgwox0kd\/+SeiP1mSjU2kGz8LrctjvSpmSRN6a6sKEorwbTCfZd78Qn2UaEncdDQIPr3BaGwPF4TGFI0Wu\/hgVJlFDzcuBsXN4DnS0YuWlgUdm0mq5mHA6s6lEm9Sw10GlrxnAmjH85PGF8NK+bJAyFRbkgKNmxeLMD2\/fJM9Yy30wqYmAchsBRZiFltsLa0nUe+XTAR9Hq2HXsEEZ4EdZwmwTjJRctTrzyhro2HYoydJS1pGm0+nd1efNqtke4yktOnOtU1KavI+p+2vrcYUysE5QjNXan78ayVsfgNcFNqMFZS8HNwDAfprS4u
rmn6HN0VMtMdjgGQRPG16qegP966dnrBVAaVqv7RxbWSqR9ZgtQN4kznoApYsQ\/htBNdcpggCk7aEeCp4hqA5E3Dgh9f+uZnbb36LAJBjvyFcmH81G3Lk5YlhF\/zSVvLKUb0MTqYenR0yMx4zxUl4GHoYotJkkka9m13vFT0upUDpqUYIAPW\/ssc5jgoqrMk9Hhi5y+7HWKQgjrdb6nOU4S5uyGOKDW4mE6\/rPBHp0fY5ylYs03GpUua9a\/glfenyNSCemqQlPjbCThLJwe2Q+jRt0ZttjgtfXYUtXdKQPdi9kDvDLF6bC6lPNdETt6RPwULQMHokPt4D2I843jsNIop+cnms6WRAoTEy\/nJlP0Xf6+O2AOve7kIGWj79Hb+Txxi7fe6XvRzr\/AFPz42M5rbE1CpgUgXEzV9+mwpu53B6ibIPrxe165c8h5iqFjNOd91m2C48D0xK3n27tv8SErJpnkzhizKwvbaMs382VOUnMh31zjjLabE7N9jb\/tEo1n8oAFoazbbRyR7uBihqWES0IVOQF2l2EDE0lPDLdJyXw="}
@@ -911,9 +911,9 @@
~~ total active/idle flows...: 4/4
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 2005757 bytes
-~~ total memory freed........: 2005757 bytes
-~~ total allocations/frees...: 37436/37436
+~~ total memory allocated....: 4666800 bytes
+~~ total memory freed........: 4666800 bytes
+~~ total allocations/frees...: 101632/101632
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 166 chars
~~ json string max len.......: 7845 chars
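Review bot: The allocation totals for this capture rise from 37436 to 101632 allocations (2005757 to 4666800 bytes) with the flow count unchanged at 4/4, and nothing in the hunk explains why. The later `anydesk.pcap.out` summary hunk grows by exactly the same 64196 allocations and by about 2.66 MB, so this looks like a fixed initialisation cost rather than a per-flow one. It presumably comes with the libnDPI submodule update in this commit. Allocated and freed totals still match, so there is no leak, but the commit message should record the cause and whether the cost is paid once per process or once per reader thread, for example `libnDPI update adds ~2.6 MB / 64196 allocations at init`.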
diff --git a/test/results/anydesk.pcap.out b/test/results/anydesk.pcap.out
index e3e681123..1c0288797 100644
--- a/test/results/anydesk.pcap.out
+++ b/test/results/anydesk.pcap.out
@@ -9,9 +9,9 @@
00442{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":11,"source":"anydesk.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_last_seen":1591342199366,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1591342199366,"pkt":"AFBW5dKtAAwplUdeCABFAAAoCJFAAEAGuebAqJWBM1Pu26oPAFApppzzaHVkfVAQ+vB4cwAA"}
00940{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":12,"source":"anydesk.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":4,"flow_first_seen":1591342199201,"flow_last_seen":1591342199366,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":263,"flow_tot_l4_payload_len":263,"flow_avg_l4_payload_len":65,"midstream":0,"ts_msec":1591342199366,"l3_proto":"ip4","src_ip":"192.168.149.129","dst_ip":"51.83.238.219","src_port":43535,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","15":"TLS (probably) not carrying HTTPS","24":"SNI TLS extension was missing","30":"Desktop\/File Sharing Session"},"proto":"TLS.AnyDesk","breed":"Acceptable","category":"RemoteAccess"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","ja3":"201999283915cc31cee6b15472ef3332","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
00999{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":14,"source":"anydesk.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":6,"flow_first_seen":1591342199201,"flow_last_seen":1591342199532,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1300,"flow_tot_l4_payload_len":1563,"flow_avg_l4_payload_len":260,"midstream":0,"ts_msec":1591342199532,"l3_proto":"ip4","src_ip":"192.168.149.129","dst_ip":"51.83.238.219","src_port":43535,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","15":"TLS (probably) not carrying HTTPS","24":"SNI TLS extension was missing","30":"Desktop\/File Sharing Session"},"proto":"TLS.AnyDesk","breed":"Acceptable","category":"RemoteAccess"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","ja3":"201999283915cc31cee6b15472ef3332","ja3s":"107030a763c7224285717ff1569a17f3","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"}}
-01201{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":16,"source":"anydesk.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":8,"flow_first_seen":1591342199201,"flow_last_seen":1591342199532,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1300,"flow_tot_l4_payload_len":2863,"flow_avg_l4_payload_len":357,"midstream":0,"ts_msec":1591342199532,"l3_proto":"ip4","src_ip":"192.168.149.129","dst_ip":"51.83.238.219","src_port":43535,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","15":"TLS (probably) not carrying HTTPS","24":"SNI TLS extension was missing","30":"Desktop\/File Sharing Session"},"proto":"TLS.AnyDesk","breed":"Acceptable","category":"RemoteAccess"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","ja3":"201999283915cc31cee6b15472ef3332","ja3s":"107030a763c7224285717ff1569a17f3","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","issuerDN":"CN=AnyNet Root CA, O=philandro Software GmbH, C=DE","issuerDN":"C=DE, O=philandro Software GmbH, CN=AnyNet Relay","fingerprint":"9E:08:D2:58:A9:02:CD:4F:E2:4A:26:B8:48:5C:43:0B:81:29:99:E3"}}
-01206{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":263,"source":"anydesk.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":255,"flow_first_seen":1591342199201,"flow_last_seen":1591342212202,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":126748,"flow_avg_l4_payload_len":497,"midstream":0,"ts_msec":1591342212202,"l3_proto":"ip4","src_ip":"192.168.149.129","dst_ip":"51.83.238.219","src_port":43535,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","15":"TLS (probably) not carrying HTTPS","24":"SNI TLS extension was missing","30":"Desktop\/File Sharing Session"},"proto":"TLS.AnyDesk","breed":"Acceptable","category":"RemoteAccess"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","ja3":"201999283915cc31cee6b15472ef3332","ja3s":"107030a763c7224285717ff1569a17f3","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","issuerDN":"CN=AnyNet Root CA, O=philandro Software GmbH, C=DE","issuerDN":"C=DE, O=philandro Software GmbH, CN=AnyNet Relay","fingerprint":"9E:08:D2:58:A9:02:CD:4F:E2:4A:26:B8:48:5C:43:0B:81:29:99:E3"}}
-00615{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":6963,"source":"anydesk.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":20,"flow_first_seen":1591342198821,"flow_last_seen":1591342244652,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":159,"flow_tot_l4_payload_len":607,"flow_avg_l4_payload_len":30,"midstream":1,"ts_msec":1591342255171,"l3_proto":"ip4","src_ip":"192.168.149.129","dst_ip":"51.83.239.144","src_port":36351,"dst_port":80,"l4_proto":"tcp","ndpi": {"proto":"HTTP.AnyDesk","breed":"Acceptable","category":"RemoteAccess"},"http": {}}
+01202{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":16,"source":"anydesk.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":8,"flow_first_seen":1591342199201,"flow_last_seen":1591342199532,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1300,"flow_tot_l4_payload_len":2863,"flow_avg_l4_payload_len":357,"midstream":0,"ts_msec":1591342199532,"l3_proto":"ip4","src_ip":"192.168.149.129","dst_ip":"51.83.238.219","src_port":43535,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","15":"TLS (probably) not carrying HTTPS","24":"SNI TLS extension was missing","30":"Desktop\/File Sharing Session"},"proto":"TLS.AnyDesk","breed":"Acceptable","category":"RemoteAccess"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","ja3":"201999283915cc31cee6b15472ef3332","ja3s":"107030a763c7224285717ff1569a17f3","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","issuerDN":"CN=AnyNet Root CA, O=philandro Software GmbH, C=DE","subjectDN":"C=DE, O=philandro Software GmbH, CN=AnyNet Relay","fingerprint":"9E:08:D2:58:A9:02:CD:4F:E2:4A:26:B8:48:5C:43:0B:81:29:99:E3"}}
+01207{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":263,"source":"anydesk.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":255,"flow_first_seen":1591342199201,"flow_last_seen":1591342212202,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":126748,"flow_avg_l4_payload_len":497,"midstream":0,"ts_msec":1591342212202,"l3_proto":"ip4","src_ip":"192.168.149.129","dst_ip":"51.83.238.219","src_port":43535,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","15":"TLS (probably) not carrying HTTPS","24":"SNI TLS extension was missing","30":"Desktop\/File Sharing Session"},"proto":"TLS.AnyDesk","breed":"Acceptable","category":"RemoteAccess"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","ja3":"201999283915cc31cee6b15472ef3332","ja3s":"107030a763c7224285717ff1569a17f3","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","issuerDN":"CN=AnyNet Root CA, O=philandro Software GmbH, C=DE","subjectDN":"C=DE, O=philandro Software GmbH, CN=AnyNet Relay","fingerprint":"9E:08:D2:58:A9:02:CD:4F:E2:4A:26:B8:48:5C:43:0B:81:29:99:E3"}}
+00667{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":6963,"source":"anydesk.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":20,"flow_first_seen":1591342198821,"flow_last_seen":1591342244652,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":159,"flow_tot_l4_payload_len":607,"flow_avg_l4_payload_len":30,"midstream":1,"ts_msec":1591342255171,"l3_proto":"ip4","src_ip":"192.168.149.129","dst_ip":"51.83.239.144","src_port":36351,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"30":"Desktop\/File Sharing Session"},"proto":"HTTP.AnyDesk","breed":"Acceptable","category":"RemoteAccess"},"http": {}}
00560{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":6963,"source":"anydesk.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":20,"flow_first_seen":1591342198821,"flow_last_seen":1591342244652,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":159,"flow_tot_l4_payload_len":607,"flow_avg_l4_payload_len":30,"midstream":1,"ts_msec":1591342255171,"l3_proto":"ip4","src_ip":"192.168.149.129","dst_ip":"51.83.239.144","src_port":36351,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00568{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":6963,"source":"anydesk.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":6943,"flow_first_seen":1591342199201,"flow_last_seen":1591342255171,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":2417415,"flow_avg_l4_payload_len":348,"midstream":0,"ts_msec":1591342255171,"l3_proto":"ip4","src_ip":"192.168.149.129","dst_ip":"51.83.238.219","src_port":43535,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00158{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":6963,"source":"anydesk.pcap","alias":"nDPId-test","total-events-serialized":17}
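Review bot: The removed expected lines for packet_id 16 and 263 carried two `issuerDN` keys inside one `tls` object, and this golden file accepted that output, which suggests the result comparison never checks that a serialized object has unique keys. Parsers differ on duplicate keys and many keep only the last one, so a consumer of the old stream could see the subject string under `issuerDN` and never see the real issuer, which matters to anyone matching certificates on that field. Consider having the test run parse every emitted event and fail on a repeated key, so a regression cannot be re-recorded as expected output. The rename also deserves a mention for downstream consumers. In the `anydesk-2.pcap.out` hunk the value formerly emitted as `issuerDN` now appears only as `subjectDN`, so rules keyed on the old name stop matching without any error.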
@@ -23,10 +23,10 @@
~~ total active/idle flows...: 2/2
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 2145416 bytes
-~~ total memory freed........: 2145416 bytes
-~~ total allocations/frees...: 42311/42311
+~~ total memory allocated....: 4807307 bytes
+~~ total memory freed........: 4807307 bytes
+~~ total allocations/frees...: 106507/106507
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 163 chars
-~~ json string max len.......: 1211 chars
-~~ json string avg len.......: 754 chars
+~~ json string max len.......: 1212 chars
+~~ json string avg len.......: 755 chars
diff --git a/test/results/avast_securedns.pcapng.out b/test/results/avast_securedns.pcapng.out
index 08ea39ca6..5dc9f1e63 100644
--- a/test/results/avast_securedns.pcapng.out
+++ b/test/results/avast_securedns.pcapng.out
@@ -1,88 +1,88 @@
00451{"daemon_event_id":1,"daemon_event_name":"init","thread_id":0,"packet_id":0,"source":"avast_securedns.pcapng","alias":"nDPId-test","max-flows-per-thread":2048,"max-idle-flows-per-thread":256,"tick-resolution":1000,"reader-thread-count":1,"flow-scan-interval":10000,"generic-max-idle-time":600000,"icmp-max-idle-time":120000,"udp-max-idle-time":180000,"tcp-max-idle-time":7560000,"max-packets-per-flow-to-send":3,"max-packets-per-flow-to-process":255}
00563{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1625215624443,"flow_last_seen":1625215624443,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625215624443,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":57970,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00486{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_last_seen":1625215624443,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":81,"pkt_l4_len":47,"ts_msec":1625215624443,"pkt":"eJS0JASgYDjgxTWgCABFAABDZa4AAH8ROYTAqAJktdYjleJyAbsAL0mrSMQBAAABAAAAAAAAATIJU2VDVVJlZG5TBWFWYXNUA0NvTQAAEAAB"}
-00658{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1625215624443,"flow_last_seen":1625215624443,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625215624443,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":57970,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVAST SecureDNS","breed":"Safe","category":"Network"}}
+00657{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1625215624443,"flow_last_seen":1625215624443,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625215624443,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":57970,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVASTSecureDNS","breed":"Safe","category":"Network"}}
00677{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_last_seen":1625215624563,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":218,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":218,"pkt_l4_len":184,"ts_msec":1625215624563,"pkt":"YDjgxTWgeJS0JASgCABFAADM0kQAADIRGWW11iOVwKgCZAG74nIAuMIZSMSBgAABAAEAAAAAATIJU2VDVVJlZG5TBWFWYXNUA0NvTQAAEAABwAwAEAABAAAAAAB9fEROU0MAAQAAdbGG79HauHsEle6YB50xeKMwK8SYUwo5qiWilpDIHq4IRyPqRT3IPG5jxpboE0lko1AuVkiWEeUR9\/u646E\/BRo\/+UHxjIi4wlQScksPLarZO+PfTGW44OCbGa1Eo85vGj\/5QfGMiLgwMDAxXpWkwXFhp8E="}
00567{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":3,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":1,"flow_packets_processed":2,"flow_first_seen":1625215624443,"flow_last_seen":1625215624563,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":176,"flow_tot_l4_payload_len":215,"flow_avg_l4_payload_len":107,"midstream":0,"ts_msec":1625241699450,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":57970,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00563{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":3,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":2,"flow_packets_processed":1,"flow_first_seen":1625241699450,"flow_last_seen":1625241699450,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625241699450,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":61201,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00486{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_last_seen":1625241699450,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":81,"pkt_l4_len":47,"ts_msec":1625241699450,"pkt":"eJS0JASgYDjgxTWgCABFAABDEeYAAH8RjUzAqAJktdYjle8RAbsAL9I803MBAAABAAAAAAAAATIJU0VjdVJlRE5zBUF2YXNUA0NPbQAAEAAB"}
-00658{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":3,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":2,"flow_packets_processed":1,"flow_first_seen":1625241699450,"flow_last_seen":1625241699450,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625241699450,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":61201,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVAST SecureDNS","breed":"Safe","category":"Network"}}
+00657{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":3,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":2,"flow_packets_processed":1,"flow_first_seen":1625241699450,"flow_last_seen":1625241699450,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625241699450,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":61201,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVASTSecureDNS","breed":"Safe","category":"Network"}}
00677{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_last_seen":1625241699572,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":218,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":218,"pkt_l4_len":184,"ts_msec":1625241699572,"pkt":"YDjgxTWgeJS0JASgCABFAADMLtkAADARvtC11iOVwKgCZAG77xEAuEqr03OBgAABAAEAAAAAATIJU0VjdVJlRE5zBUF2YXNUA0NPbQAAEAABwAwAEAABAAAAAAB9fEROU0MAAQAAdbGG79HauHsEle6YB50xeKMwK8SYUwo5qiWilpDIHq4IRyPqRT3IPG5jxpboE0lko1AuVkiWEeUR9\/u646E\/BRo\/+UHxjIi4wlQScksPLarZO+PfTGW44OCbGa1Eo85vGj\/5QfGMiLgwMDAxXpWkwXFhp8E="}
00563{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":5,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":3,"flow_packets_processed":1,"flow_first_seen":1625241701462,"flow_last_seen":1625241701462,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625241701462,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":60835,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00486{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":5,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_last_seen":1625241701462,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":81,"pkt_l4_len":47,"ts_msec":1625241701462,"pkt":"eJS0JASgYDjgxTWgCABFAABDEeoAAH8RjUjAqAJktdYjle2jAbsAL7p1TIkBAAABAAAAAAAAATIJU0VDVXJFZE5zBWF2QVN0A0NPTQAAEAAB"}
-00658{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":5,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":3,"flow_packets_processed":1,"flow_first_seen":1625241701462,"flow_last_seen":1625241701462,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625241701462,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":60835,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVAST SecureDNS","breed":"Safe","category":"Network"}}
+00657{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":5,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":3,"flow_packets_processed":1,"flow_first_seen":1625241701462,"flow_last_seen":1625241701462,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625241701462,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":60835,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVASTSecureDNS","breed":"Safe","category":"Network"}}
00677{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_last_seen":1625241701583,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":218,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":218,"pkt_l4_len":184,"ts_msec":1625241701583,"pkt":"YDjgxTWgeJS0JASgCABFAADMMogAADIRuSG11iOVwKgCZAG77aMAuDLkTImBgAABAAEAAAAAATIJU0VDVXJFZE5zBWF2QVN0A0NPTQAAEAABwAwAEAABAAAAAAB9fEROU0MAAQAAdbGG79HauHsEle6YB50xeKMwK8SYUwo5qiWilpDIHq4IRyPqRT3IPG5jxpboE0lko1AuVkiWEeUR9\/u646E\/BRo\/+UHxjIi4wlQScksPLarZO+PfTGW44OCbGa1Eo85vGj\/5QfGMiLgwMDAxXpWkwXFhp8E="}
00563{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":7,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":4,"flow_packets_processed":1,"flow_first_seen":1625241714666,"flow_last_seen":1625241714666,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625241714666,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":62775,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00486{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":7,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":4,"flow_packet_id":1,"flow_last_seen":1625241714666,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":81,"pkt_l4_len":47,"ts_msec":1625241714666,"pkt":"eJS0JASgYDjgxTWgCABFAABDXeQAAH8RQU7AqAJktdYjlfU3AbsAL3hGRwQBAAABAAAAAAAAATIJU2VjVVJlZG5zBUFWYVN0A0NPbQAAEAAB"}
-00658{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":7,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":4,"flow_packets_processed":1,"flow_first_seen":1625241714666,"flow_last_seen":1625241714666,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625241714666,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":62775,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVAST SecureDNS","breed":"Safe","category":"Network"}}
+00657{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":7,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":4,"flow_packets_processed":1,"flow_first_seen":1625241714666,"flow_last_seen":1625241714666,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625241714666,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":62775,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVASTSecureDNS","breed":"Safe","category":"Network"}}
00677{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":8,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_last_seen":1625241714787,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":218,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":218,"pkt_l4_len":184,"ts_msec":1625241714787,"pkt":"YDjgxTWgeJS0JASgCABFAADMRgkAADERpqC11iOVwKgCZAG79TcAuPC0RwSBgAABAAEAAAAAATIJU2VjVVJlZG5zBUFWYVN0A0NPbQAAEAABwAwAEAABAAAAAAB9fEROU0MAAQAAdbGG79HauHsEle6YB50xeKMwK8SYUwo5qiWilpDIHq4IRyPqRT3IPG5jxpboE0lko1AuVkiWEeUR9\/u646E\/BRo\/+UHxjIi4wlQScksPLarZO+PfTGW44OCbGa1Eo85vGj\/5QfGMiLgwMDAxXpWkwXFhp8E="}
00567{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":9,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":2,"flow_packets_processed":2,"flow_first_seen":1625241699450,"flow_last_seen":1625241699572,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":176,"flow_tot_l4_payload_len":215,"flow_avg_l4_payload_len":107,"midstream":0,"ts_msec":1625320207133,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":61201,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00567{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":9,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":4,"flow_packets_processed":2,"flow_first_seen":1625241714666,"flow_last_seen":1625241714787,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":176,"flow_tot_l4_payload_len":215,"flow_avg_l4_payload_len":107,"midstream":0,"ts_msec":1625320207133,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":62775,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00567{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":9,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":3,"flow_packets_processed":2,"flow_first_seen":1625241701462,"flow_last_seen":1625241701583,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":176,"flow_tot_l4_payload_len":215,"flow_avg_l4_payload_len":107,"midstream":0,"ts_msec":1625320207133,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":60835,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00563{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":9,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":5,"flow_packets_processed":1,"flow_first_seen":1625320207133,"flow_last_seen":1625320207133,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625320207133,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":56581,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00486{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_last_seen":1625320207133,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":81,"pkt_l4_len":47,"ts_msec":1625320207133,"pkt":"eJS0JASgYDjgxTWgCABFAABDS9IAAH8RU2DAqAJktdYjld0FAbsALycJUJMBAAABAAAAAAAAATIJc2VjVVJlZG5TBUF2YXNUA2NvTQAAEAAB"}
-00658{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":9,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":5,"flow_packets_processed":1,"flow_first_seen":1625320207133,"flow_last_seen":1625320207133,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625320207133,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":56581,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVAST SecureDNS","breed":"Safe","category":"Network"}}
+00657{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":9,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":5,"flow_packets_processed":1,"flow_first_seen":1625320207133,"flow_last_seen":1625320207133,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625320207133,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":56581,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVASTSecureDNS","breed":"Safe","category":"Network"}}
00678{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":10,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":5,"flow_packet_id":2,"flow_last_seen":1625320207252,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":218,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":218,"pkt_l4_len":184,"ts_msec":1625320207252,"pkt":"YDjgxTWgeJS0JASgCABFAADMnAoAADMRTp+11iOVwKgCZAG73QUAuJ93UJOBgAABAAEAAAAAATIJc2VjVVJlZG5TBUF2YXNUA2NvTQAAEAABwAwAEAABAAAAAAB9fEROU0MAAQAAdbGG79HauHsEle6YB50xeKMwK8SYUwo5qiWilpDIHq4IRyPqRT3IPG5jxpboE0lko1AuVkiWEeUR9\/u646E\/BRo\/+UHxjIi4wlQScksPLarZO+PfTGW44OCbGa1Eo85vGj\/5QfGMiLgwMDAxXpWkwXFhp8E="}
00564{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":11,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":6,"flow_packets_processed":1,"flow_first_seen":1625320209063,"flow_last_seen":1625320209063,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625320209063,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":56765,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00487{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":11,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":6,"flow_packet_id":1,"flow_last_seen":1625320209063,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":81,"pkt_l4_len":47,"ts_msec":1625320209063,"pkt":"eJS0JASgYDjgxTWgCABFAABDS9YAAH8RU1zAqAJktdYjld29AbsAL+vXy0wBAAABAAAAAAAAATIJU2VjdVJFRG5TBWFWYVNUA0NvTQAAEAAB"}
-00659{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":11,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":6,"flow_packets_processed":1,"flow_first_seen":1625320209063,"flow_last_seen":1625320209063,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625320209063,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":56765,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVAST SecureDNS","breed":"Safe","category":"Network"}}
+00658{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":11,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":6,"flow_packets_processed":1,"flow_first_seen":1625320209063,"flow_last_seen":1625320209063,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625320209063,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":56765,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVASTSecureDNS","breed":"Safe","category":"Network"}}
00678{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":12,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":6,"flow_packet_id":2,"flow_last_seen":1625320209184,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":218,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":218,"pkt_l4_len":184,"ts_msec":1625320209184,"pkt":"YDjgxTWgeJS0JASgCABFAADMnWsAADMRTT611iOVwKgCZAG73b0AuGRGy0yBgAABAAEAAAAAATIJU2VjdVJFRG5TBWFWYVNUA0NvTQAAEAABwAwAEAABAAAAAAB9fEROU0MAAQAAdbGG79HauHsEle6YB50xeKMwK8SYUwo5qiWilpDIHq4IRyPqRT3IPG5jxpboE0lko1AuVkiWEeUR9\/u646E\/BRo\/+UHxjIi4wlQScksPLarZO+PfTGW44OCbGa1Eo85vGj\/5QfGMiLgwMDAxXpWkwXFhp8E="}
00568{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":13,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":5,"flow_packets_processed":2,"flow_first_seen":1625320207133,"flow_last_seen":1625320207252,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":176,"flow_tot_l4_payload_len":215,"flow_avg_l4_payload_len":107,"midstream":0,"ts_msec":1625321673727,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":56581,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00568{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":13,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":6,"flow_packets_processed":2,"flow_first_seen":1625320209063,"flow_last_seen":1625320209184,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":176,"flow_tot_l4_payload_len":215,"flow_avg_l4_payload_len":107,"midstream":0,"ts_msec":1625321673727,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":56765,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00564{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":13,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":7,"flow_packets_processed":1,"flow_first_seen":1625321673727,"flow_last_seen":1625321673727,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625321673727,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":50581,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00487{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":13,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":7,"flow_packet_id":1,"flow_last_seen":1625321673727,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":81,"pkt_l4_len":47,"ts_msec":1625321673727,"pkt":"eJS0JASgYDjgxTWgCABFAABDS9wAAH8RU1bAqAJktdYjlcWVAbsAL1g+dw4BAAABAAAAAAAAATIJc2VDdXJFRE5TBUFWQXN0A0NvTQAAEAAB"}
-00659{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":13,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":7,"flow_packets_processed":1,"flow_first_seen":1625321673727,"flow_last_seen":1625321673727,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625321673727,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":50581,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVAST SecureDNS","breed":"Safe","category":"Network"}}
+00658{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":13,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":7,"flow_packets_processed":1,"flow_first_seen":1625321673727,"flow_last_seen":1625321673727,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625321673727,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":50581,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVASTSecureDNS","breed":"Safe","category":"Network"}}
00678{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":14,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":7,"flow_packet_id":2,"flow_last_seen":1625321673848,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":218,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":218,"pkt_l4_len":184,"ts_msec":1625321673848,"pkt":"YDjgxTWgeJS0JASgCABFAADMus8AADIRMNq11iOVwKgCZAG7xZUAuNCsdw6BgAABAAEAAAAAATIJc2VDdXJFRE5TBUFWQXN0A0NvTQAAEAABwAwAEAABAAAAAAB9fEROU0MAAQAAdbGG79HauHsEle6YB50xeKMwK8SYUwo5qiWilpDIHq4IRyPqRT3IPG5jxpboE0lko1AuVkiWEeUR9\/u646E\/BRo\/+UHxjIi4wlQScksPLarZO+PfTGW44OCbGa1Eo85vGj\/5QfGMiLgwMDAxXpWkwXFhp8E="}
00564{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":15,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":8,"flow_packets_processed":1,"flow_first_seen":1625321675283,"flow_last_seen":1625321675283,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625321675283,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":61107,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00487{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":15,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":8,"flow_packet_id":1,"flow_last_seen":1625321675283,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":81,"pkt_l4_len":47,"ts_msec":1625321675283,"pkt":"eJS0JASgYDjgxTWgCABFAABDS98AAH8RU1PAqAJktdYjle6zAbsAL9OvEl8BAAABAAAAAAAAATIJU0VDdVJFZE5zBWFWYXNUA0NPTQAAEAAB"}
-00659{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":15,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":8,"flow_packets_processed":1,"flow_first_seen":1625321675283,"flow_last_seen":1625321675283,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625321675283,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":61107,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVAST SecureDNS","breed":"Safe","category":"Network"}}
+00658{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":15,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":8,"flow_packets_processed":1,"flow_first_seen":1625321675283,"flow_last_seen":1625321675283,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625321675283,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":61107,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVASTSecureDNS","breed":"Safe","category":"Network"}}
00678{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":16,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":8,"flow_packet_id":2,"flow_last_seen":1625321675403,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":218,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":218,"pkt_l4_len":184,"ts_msec":1625321675403,"pkt":"YDjgxTWgeJS0JASgCABFAADMuxcAADMRL5K11iOVwKgCZAG77rMAuEweEl+BgAABAAEAAAAAATIJU0VDdVJFZE5zBWFWYXNUA0NPTQAAEAABwAwAEAABAAAAAAB9fEROU0MAAQAAdbGG79HauHsEle6YB50xeKMwK8SYUwo5qiWilpDIHq4IRyPqRT3IPG5jxpboE0lko1AuVkiWEeUR9\/u646E\/BRo\/+UHxjIi4wlQScksPLarZO+PfTGW44OCbGa1Eo85vGj\/5QfGMiLgwMDAxXpWkwXFhp8E="}
00568{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":17,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":7,"flow_packets_processed":2,"flow_first_seen":1625321673727,"flow_last_seen":1625321673848,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":176,"flow_tot_l4_payload_len":215,"flow_avg_l4_payload_len":107,"midstream":0,"ts_msec":1625395217252,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":50581,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00568{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":17,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":8,"flow_packets_processed":2,"flow_first_seen":1625321675283,"flow_last_seen":1625321675403,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":176,"flow_tot_l4_payload_len":215,"flow_avg_l4_payload_len":107,"midstream":0,"ts_msec":1625395217252,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":61107,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00564{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":17,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":9,"flow_packets_processed":1,"flow_first_seen":1625395217252,"flow_last_seen":1625395217252,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625395217252,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":64954,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00487{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":17,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":9,"flow_packet_id":1,"flow_last_seen":1625395217252,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":81,"pkt_l4_len":47,"ts_msec":1625395217252,"pkt":"eJS0JASgYDjgxTWgCABFAABDKckAAH8RdWnAqAJktdYjlf26AbsAL3dTP5QBAAABAAAAAAAAATIJc0VjdVJlZE5zBUFWQVNUA2NvTQAAEAAB"}
-00659{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":17,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":9,"flow_packets_processed":1,"flow_first_seen":1625395217252,"flow_last_seen":1625395217252,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625395217252,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":64954,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVAST SecureDNS","breed":"Safe","category":"Network"}}
+00658{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":17,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":9,"flow_packets_processed":1,"flow_first_seen":1625395217252,"flow_last_seen":1625395217252,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625395217252,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":64954,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVASTSecureDNS","breed":"Safe","category":"Network"}}
00680{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":18,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":9,"flow_packet_id":2,"flow_last_seen":1625395217373,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":218,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":218,"pkt_l4_len":184,"ts_msec":1625395217373,"pkt":"YDjgxTWgeJS0JASgCABFAADMg3oAADIRaC+11iOVwKgCZAG7\/boAuO\/BP5SBgAABAAEAAAAAATIJc0VjdVJlZE5zBUFWQVNUA2NvTQAAEAABwAwAEAABAAAAAAB9fEROU0MAAQAAdbGG79HauHsEle6YB50xeKMwK8SYUwo5qiWilpDIHq4IRyPqRT3IPG5jxpboE0lko1AuVkiWEeUR9\/u646E\/BRo\/+UHxjIi4wlQScksPLarZO+PfTGW44OCbGa1Eo85vGj\/5QfGMiLgwMDAxXpWkwXFhp8E="}
00565{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":19,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":10,"flow_packets_processed":1,"flow_first_seen":1625395217373,"flow_last_seen":1625395217373,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625395217373,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":59621,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00488{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":19,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":10,"flow_packet_id":1,"flow_last_seen":1625395217373,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":81,"pkt_l4_len":47,"ts_msec":1625395217373,"pkt":"eJS0JASgYDjgxTWgCABFAABDKcUAAH8RdW3AqAJktdYjlejlAbsAL0m4oeQBAAABAAAAAAAAATIJc0VjVXJlRE5TBWF2QVNUA2NPbQAAEAAB"}
-00660{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":19,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":10,"flow_packets_processed":1,"flow_first_seen":1625395217373,"flow_last_seen":1625395217373,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625395217373,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":59621,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVAST SecureDNS","breed":"Safe","category":"Network"}}
+00659{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":19,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":10,"flow_packets_processed":1,"flow_first_seen":1625395217373,"flow_last_seen":1625395217373,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625395217373,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":59621,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVASTSecureDNS","breed":"Safe","category":"Network"}}
00679{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":20,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":10,"flow_packet_id":2,"flow_last_seen":1625395217373,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":218,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":218,"pkt_l4_len":184,"ts_msec":1625395217373,"pkt":"YDjgxTWgeJS0JASgCABFAADMf00AADMRa1y11iOVwKgCZAG76OUAuMImoeSBgAABAAEAAAAAATIJc0VjVXJlRE5TBWF2QVNUA2NPbQAAEAABwAwAEAABAAAAAAB9fEROU0MAAQAAdbGG79HauHsEle6YB50xeKMwK8SYUwo5qiWilpDIHq4IRyPqRT3IPG5jxpboE0lko1AuVkiWEeUR9\/u646E\/BRo\/+UHxjIi4wlQScksPLarZO+PfTGW44OCbGa1Eo85vGj\/5QfGMiLgwMDAxXpWkwXFhp8E="}
00569{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":21,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":10,"flow_packets_processed":2,"flow_first_seen":1625395217373,"flow_last_seen":1625395217373,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":176,"flow_tot_l4_payload_len":215,"flow_avg_l4_payload_len":107,"midstream":0,"ts_msec":1625401091063,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":59621,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00568{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":21,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":9,"flow_packets_processed":2,"flow_first_seen":1625395217252,"flow_last_seen":1625395217373,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":176,"flow_tot_l4_payload_len":215,"flow_avg_l4_payload_len":107,"midstream":0,"ts_msec":1625401091063,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":64954,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00565{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":21,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":11,"flow_packets_processed":1,"flow_first_seen":1625401091063,"flow_last_seen":1625401091063,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625401091063,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":52485,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00488{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":21,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":11,"flow_packet_id":1,"flow_last_seen":1625401091063,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":81,"pkt_l4_len":47,"ts_msec":1625401091063,"pkt":"eJS0JASgYDjgxTWgCABFAABDKc0AAH8RdWXAqAJktdYjlc0FAbsAL8xY+0MBAAABAAAAAAAAATIJc2VDdVJFZE5TBWF2YXNUA0NPbQAAEAAB"}
-00660{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":21,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":11,"flow_packets_processed":1,"flow_first_seen":1625401091063,"flow_last_seen":1625401091063,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625401091063,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":52485,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVAST SecureDNS","breed":"Safe","category":"Network"}}
+00659{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":21,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":11,"flow_packets_processed":1,"flow_first_seen":1625401091063,"flow_last_seen":1625401091063,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625401091063,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":52485,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVASTSecureDNS","breed":"Safe","category":"Network"}}
00679{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":22,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":11,"flow_packet_id":2,"flow_last_seen":1625401091190,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":218,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":218,"pkt_l4_len":184,"ts_msec":1625401091190,"pkt":"YDjgxTWgeJS0JASgCABFAADMtpAAADMRNBm11iOVwKgCZAG7zQUAuETH+0OBgAABAAEAAAAAATIJc2VDdVJFZE5TBWF2YXNUA0NPbQAAEAABwAwAEAABAAAAAAB9fEROU0MAAQAAdbGG79HauHsEle6YB50xeKMwK8SYUwo5qiWilpDIHq4IRyPqRT3IPG5jxpboE0lko1AuVkiWEeUR9\/u646E\/BRo\/+UHxjIi4wlQScksPLarZO+PfTGW44OCbGa1Eo85vGj\/5QfGMiLgwMDAxXpWkwXFhp8E="}
00565{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":23,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":12,"flow_packets_processed":1,"flow_first_seen":1625401093323,"flow_last_seen":1625401093323,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625401093323,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":54938,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00488{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":23,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":12,"flow_packet_id":1,"flow_last_seen":1625401093323,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":81,"pkt_l4_len":47,"ts_msec":1625401093323,"pkt":"eJS0JASgYDjgxTWgCABFAABDKdEAAH8RdWHAqAJktdYjldaaAbsALxAyzbUBAAABAAAAAAAAATIJc2VjVVJlRE5zBWFWQVN0A2NvTQAAEAAB"}
-00660{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":23,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":12,"flow_packets_processed":1,"flow_first_seen":1625401093323,"flow_last_seen":1625401093323,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625401093323,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":54938,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVAST SecureDNS","breed":"Safe","category":"Network"}}
+00659{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":23,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":12,"flow_packets_processed":1,"flow_first_seen":1625401093323,"flow_last_seen":1625401093323,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625401093323,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":54938,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVASTSecureDNS","breed":"Safe","category":"Network"}}
00679{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":24,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":12,"flow_packet_id":2,"flow_last_seen":1625401093443,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":218,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":218,"pkt_l4_len":184,"ts_msec":1625401093443,"pkt":"YDjgxTWgeJS0JASgCABFAADMuwEAADIRMKi11iOVwKgCZAG71poAuIigzbWBgAABAAEAAAAAATIJc2VjVVJlRE5zBWFWQVN0A2NvTQAAEAABwAwAEAABAAAAAAB9fEROU0MAAQAAdbGG79HauHsEle6YB50xeKMwK8SYUwo5qiWilpDIHq4IRyPqRT3IPG5jxpboE0lko1AuVkiWEeUR9\/u646E\/BRo\/+UHxjIi4wlQScksPLarZO+PfTGW44OCbGa1Eo85vGj\/5QfGMiLgwMDAxXpWkwXFhp8E="}
00569{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":25,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":11,"flow_packets_processed":2,"flow_first_seen":1625401091063,"flow_last_seen":1625401091190,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":176,"flow_tot_l4_payload_len":215,"flow_avg_l4_payload_len":107,"midstream":0,"ts_msec":1625413810414,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":52485,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00569{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":25,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":12,"flow_packets_processed":2,"flow_first_seen":1625401093323,"flow_last_seen":1625401093443,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":176,"flow_tot_l4_payload_len":215,"flow_avg_l4_payload_len":107,"midstream":0,"ts_msec":1625413810414,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":54938,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00565{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":25,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":13,"flow_packets_processed":1,"flow_first_seen":1625413810414,"flow_last_seen":1625413810414,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625413810414,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":56839,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00488{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":25,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":13,"flow_packet_id":1,"flow_last_seen":1625413810414,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":81,"pkt_l4_len":47,"ts_msec":1625413810414,"pkt":"eJS0JASgYDjgxTWgCABFAABDy3cAAH8R07rAqAJktdYjld4HAbsAL+Cz9gYBAAABAAAAAAAAATIJU0VDdXJlZE5TBUFWQXN0A0NPbQAAEAAB"}
-00660{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":25,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":13,"flow_packets_processed":1,"flow_first_seen":1625413810414,"flow_last_seen":1625413810414,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625413810414,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":56839,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVAST SecureDNS","breed":"Safe","category":"Network"}}
+00659{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":25,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":13,"flow_packets_processed":1,"flow_first_seen":1625413810414,"flow_last_seen":1625413810414,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625413810414,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":56839,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVASTSecureDNS","breed":"Safe","category":"Network"}}
00679{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":26,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":13,"flow_packet_id":2,"flow_last_seen":1625413810531,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":218,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":218,"pkt_l4_len":184,"ts_msec":1625413810531,"pkt":"YDjgxTWgeJS0JASgCABFAADMKHAAADERxDm11iOVwKgCZAG73gcAuFki9gaBgAABAAEAAAAAATIJU0VDdXJlZE5TBUFWQXN0A0NPbQAAEAABwAwAEAABAAAAAAB9fEROU0MAAQAAdbGG79HauHsEle6YB50xeKMwK8SYUwo5qiWilpDIHq4IRyPqRT3IPG5jxpboE0lko1AuVkiWEeUR9\/u646E\/BRo\/+UHxjIi4wlQScksPLarZO+PfTGW44OCbGa1Eo85vGj\/5QfGMiLgwMDAxXpWkwXFhp8E="}
00569{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":27,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":13,"flow_packets_processed":2,"flow_first_seen":1625413810414,"flow_last_seen":1625413810531,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":176,"flow_tot_l4_payload_len":215,"flow_avg_l4_payload_len":107,"midstream":0,"ts_msec":1625477697370,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":56839,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00565{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":27,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":14,"flow_packets_processed":1,"flow_first_seen":1625477697370,"flow_last_seen":1625477697370,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625477697370,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":58155,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00488{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":27,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":14,"flow_packet_id":1,"flow_last_seen":1625477697370,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":81,"pkt_l4_len":47,"ts_msec":1625477697370,"pkt":"eJS0JASgYDjgxTWgCABFAABDQqcAAH8RXIvAqAJktdYjleMrAbsAL7nVV2EBAAABAAAAAAAAATIJc0VjVVJFZE5zBWFWQVN0A0NvbQAAEAAB"}
-00660{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":27,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":14,"flow_packets_processed":1,"flow_first_seen":1625477697370,"flow_last_seen":1625477697370,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625477697370,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":58155,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVAST SecureDNS","breed":"Safe","category":"Network"}}
+00659{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":27,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":14,"flow_packets_processed":1,"flow_first_seen":1625477697370,"flow_last_seen":1625477697370,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625477697370,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":58155,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVASTSecureDNS","breed":"Safe","category":"Network"}}
00679{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":28,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":14,"flow_packet_id":2,"flow_last_seen":1625477697487,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":218,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":218,"pkt_l4_len":184,"ts_msec":1625477697487,"pkt":"YDjgxTWgeJS0JASgCABFAADMthcAADIRNZK11iOVwKgCZAG74ysAuDJEV2GBgAABAAEAAAAAATIJc0VjVVJFZE5zBWFWQVN0A0NvbQAAEAABwAwAEAABAAAAAAB9fEROU0MAAQAAdbGG79HauHsEle6YB50xeKMwK8SYUwo5qiWilpDIHq4IRyPqRT3IPG5jxpboE0lko1AuVkiWEeUR9\/u646E\/BRo\/+UHxjIi4wlQScksPLarZO+PfTGW44OCbGa1Eo85vGj\/5QfGMiLgwMDAxXpWkwXFhp8E="}
00565{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":29,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":15,"flow_packets_processed":1,"flow_first_seen":1625477700767,"flow_last_seen":1625477700767,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625477700767,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":64487,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00488{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":29,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":15,"flow_packet_id":1,"flow_last_seen":1625477700767,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":81,"pkt_l4_len":47,"ts_msec":1625477700767,"pkt":"eJS0JASgYDjgxTWgCABFAABD4k8AAH8RvOLAqAJktdYjlfvnAbsAL7tgPVoBAAABAAAAAAAAATIJc0VjVXJFRE5zBUFWQXN0A0NPTQAAEAAB"}
-00660{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":29,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":15,"flow_packets_processed":1,"flow_first_seen":1625477700767,"flow_last_seen":1625477700767,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625477700767,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":64487,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVAST SecureDNS","breed":"Safe","category":"Network"}}
+00659{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":29,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":15,"flow_packets_processed":1,"flow_first_seen":1625477700767,"flow_last_seen":1625477700767,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625477700767,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":64487,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVASTSecureDNS","breed":"Safe","category":"Network"}}
00679{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":30,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":15,"flow_packet_id":2,"flow_last_seen":1625477700884,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":218,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":218,"pkt_l4_len":184,"ts_msec":1625477700884,"pkt":"YDjgxTWgeJS0JASgCABFAADMuTUAADIRMnS11iOVwKgCZAG7++cAuDPPPVqBgAABAAEAAAAAATIJc0VjVXJFRE5zBUFWQXN0A0NPTQAAEAABwAwAEAABAAAAAAB9fEROU0MAAQAAdbGG79HauHsEle6YB50xeKMwK8SYUwo5qiWilpDIHq4IRyPqRT3IPG5jxpboE0lko1AuVkiWEeUR9\/u646E\/BRo\/+UHxjIi4wlQScksPLarZO+PfTGW44OCbGa1Eo85vGj\/5QfGMiLgwMDAxXpWkwXFhp8E="}
00565{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":31,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":16,"flow_packets_processed":1,"flow_first_seen":1625477702850,"flow_last_seen":1625477702850,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625477702850,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":49704,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00488{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":31,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":16,"flow_packet_id":1,"flow_last_seen":1625477702850,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":81,"pkt_l4_len":47,"ts_msec":1625477702850,"pkt":"eJS0JASgYDjgxTWgCABFAABD4lMAAH8RvN7AqAJktdYjlcIoAbsAL9+b0x0BAAABAAAAAAAAATIJU0VDdXJFZG5TBUF2QXNUA2NvTQAAEAAB"}
-00660{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":31,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":16,"flow_packets_processed":1,"flow_first_seen":1625477702850,"flow_last_seen":1625477702850,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625477702850,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":49704,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVAST SecureDNS","breed":"Safe","category":"Network"}}
+00659{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":31,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":16,"flow_packets_processed":1,"flow_first_seen":1625477702850,"flow_last_seen":1625477702850,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625477702850,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":49704,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVASTSecureDNS","breed":"Safe","category":"Network"}}
00679{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":32,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":16,"flow_packet_id":2,"flow_last_seen":1625477702968,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":218,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":218,"pkt_l4_len":184,"ts_msec":1625477702968,"pkt":"YDjgxTWgeJS0JASgCABFAADMurcAADERMfK11iOVwKgCZAG7wigAuFgK0x2BgAABAAEAAAAAATIJU0VDdXJFZG5TBUF2QXNUA2NvTQAAEAABwAwAEAABAAAAAAB9fEROU0MAAQAAdbGG79HauHsEle6YB50xeKMwK8SYUwo5qiWilpDIHq4IRyPqRT3IPG5jxpboE0lko1AuVkiWEeUR9\/u646E\/BRo\/+UHxjIi4wlQScksPLarZO+PfTGW44OCbGa1Eo85vGj\/5QfGMiLgwMDAxXpWkwXFhp8E="}
00565{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":33,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":17,"flow_packets_processed":1,"flow_first_seen":1625477738051,"flow_last_seen":1625477738051,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625477738051,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":55311,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00488{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":33,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":17,"flow_packet_id":1,"flow_last_seen":1625477738051,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":81,"pkt_l4_len":47,"ts_msec":1625477738051,"pkt":"eJS0JASgYDjgxTWgCABFAABD1LsAAH8RynbAqAJktdYjldgPAbsAL4PhWDEBAAABAAAAAAAAATIJc2VjdXJFZE5TBWF2YVN0A2NPbQAAEAAB"}
-00660{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":33,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":17,"flow_packets_processed":1,"flow_first_seen":1625477738051,"flow_last_seen":1625477738051,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625477738051,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":55311,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVAST SecureDNS","breed":"Safe","category":"Network"}}
+00659{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":33,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":17,"flow_packets_processed":1,"flow_first_seen":1625477738051,"flow_last_seen":1625477738051,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625477738051,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":55311,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVASTSecureDNS","breed":"Safe","category":"Network"}}
00679{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":34,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":17,"flow_packet_id":2,"flow_last_seen":1625477738172,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":218,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":218,"pkt_l4_len":184,"ts_msec":1625477738172,"pkt":"YDjgxTWgeJS0JASgCABFAADMCxkAADER4ZC11iOVwKgCZAG72A8AuPxPWDGBgAABAAEAAAAAATIJc2VjdXJFZE5TBWF2YVN0A2NPbQAAEAABwAwAEAABAAAAAAB9fEROU0MAAQAAdbGG79HauHsEle6YB50xeKMwK8SYUwo5qiWilpDIHq4IRyPqRT3IPG5jxpboE0lko1AuVkiWEeUR9\/u646E\/BRo\/+UHxjIi4wlQScksPLarZO+PfTGW44OCbGa1Eo85vGj\/5QfGMiLgwMDAxXpWkwXFhp8E="}
00565{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":35,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":18,"flow_packets_processed":1,"flow_first_seen":1625477739836,"flow_last_seen":1625477739836,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625477739836,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":56111,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00488{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":35,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":18,"flow_packet_id":1,"flow_last_seen":1625477739836,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":81,"pkt_l4_len":47,"ts_msec":1625477739836,"pkt":"eJS0JASgYDjgxTWgCABFAABD1L8AAH8RynLAqAJktdYjldsvAbsAL1UmhCwBAAABAAAAAAAAATIJc0VjVXJlRG5TBWF2QVN0A2NPTQAAEAAB"}
-00660{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":35,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":18,"flow_packets_processed":1,"flow_first_seen":1625477739836,"flow_last_seen":1625477739836,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625477739836,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":56111,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVAST SecureDNS","breed":"Safe","category":"Network"}}
+00659{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":35,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":18,"flow_packets_processed":1,"flow_first_seen":1625477739836,"flow_last_seen":1625477739836,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625477739836,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":56111,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVASTSecureDNS","breed":"Safe","category":"Network"}}
00679{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":36,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":18,"flow_packet_id":2,"flow_last_seen":1625477739952,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":218,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":218,"pkt_l4_len":184,"ts_msec":1625477739952,"pkt":"YDjgxTWgeJS0JASgCABFAADMDM8AADIR3tq11iOVwKgCZAG72y8AuM2UhCyBgAABAAEAAAAAATIJc0VjVXJlRG5TBWF2QVN0A2NPTQAAEAABwAwAEAABAAAAAAB9fEROU0MAAQAAdbGG79HauHsEle6YB50xeKMwK8SYUwo5qiWilpDIHq4IRyPqRT3IPG5jxpboE0lko1AuVkiWEeUR9\/u646E\/BRo\/+UHxjIi4wlQScksPLarZO+PfTGW44OCbGa1Eo85vGj\/5QfGMiLgwMDAxXpWkwXFhp8E="}
00569{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":37,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":17,"flow_packets_processed":2,"flow_first_seen":1625477738051,"flow_last_seen":1625477738172,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":176,"flow_tot_l4_payload_len":215,"flow_avg_l4_payload_len":107,"midstream":0,"ts_msec":1625482316411,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":55311,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00569{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":37,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":16,"flow_packets_processed":2,"flow_first_seen":1625477702850,"flow_last_seen":1625477702968,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":176,"flow_tot_l4_payload_len":215,"flow_avg_l4_payload_len":107,"midstream":0,"ts_msec":1625482316411,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":49704,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
@@ -91,37 +91,37 @@
00569{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":37,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":15,"flow_packets_processed":2,"flow_first_seen":1625477700767,"flow_last_seen":1625477700884,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":176,"flow_tot_l4_payload_len":215,"flow_avg_l4_payload_len":107,"midstream":0,"ts_msec":1625482316411,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":64487,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00565{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":37,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":19,"flow_packets_processed":1,"flow_first_seen":1625482316411,"flow_last_seen":1625482316411,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625482316411,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":64494,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00488{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":37,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":19,"flow_packet_id":1,"flow_last_seen":1625482316411,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":81,"pkt_l4_len":47,"ts_msec":1625482316411,"pkt":"eJS0JASgYDjgxTWgCABFAABDyvUAAH8R1DzAqAJktdYjlfvuAbsAL4YFMq4BAAABAAAAAAAAATIJU2VDVVJFZE5zBWFWYXNUA0NvbQAAEAAB"}
-00660{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":37,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":19,"flow_packets_processed":1,"flow_first_seen":1625482316411,"flow_last_seen":1625482316411,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625482316411,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":64494,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVAST SecureDNS","breed":"Safe","category":"Network"}}
+00659{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":37,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":19,"flow_packets_processed":1,"flow_first_seen":1625482316411,"flow_last_seen":1625482316411,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625482316411,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":64494,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVASTSecureDNS","breed":"Safe","category":"Network"}}
00679{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":38,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":19,"flow_packet_id":2,"flow_last_seen":1625482316532,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":218,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":218,"pkt_l4_len":184,"ts_msec":1625482316532,"pkt":"YDjgxTWgeJS0JASgCABFAADMlTUAADMRVXS11iOVwKgCZAG7++4AuP5zMq6BgAABAAEAAAAAATIJU2VDVVJFZE5zBWFWYXNUA0NvbQAAEAABwAwAEAABAAAAAAB9fEROU0MAAQAAdbGG79HauHsEle6YB50xeKMwK8SYUwo5qiWilpDIHq4IRyPqRT3IPG5jxpboE0lko1AuVkiWEeUR9\/u646E\/BRo\/+UHxjIi4wlQScksPLarZO+PfTGW44OCbGa1Eo85vGj\/5QfGMiLgwMDAxXpWkwXFhp8E="}
00565{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":39,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":20,"flow_packets_processed":1,"flow_first_seen":1625482318517,"flow_last_seen":1625482318517,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625482318517,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":51415,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00488{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":39,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":20,"flow_packet_id":1,"flow_last_seen":1625482318517,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":81,"pkt_l4_len":47,"ts_msec":1625482318517,"pkt":"eJS0JASgYDjgxTWgCABFAABDyvkAAH8R1DjAqAJktdYjlcjXAbsALzxZb7EBAAABAAAAAAAAATIJU2VDdXJlRG5TBUFWQVN0A0NvbQAAEAAB"}
-00660{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":39,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":20,"flow_packets_processed":1,"flow_first_seen":1625482318517,"flow_last_seen":1625482318517,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625482318517,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":51415,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVAST SecureDNS","breed":"Safe","category":"Network"}}
+00659{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":39,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":20,"flow_packets_processed":1,"flow_first_seen":1625482318517,"flow_last_seen":1625482318517,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625482318517,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":51415,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVASTSecureDNS","breed":"Safe","category":"Network"}}
00679{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":40,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":20,"flow_packet_id":2,"flow_last_seen":1625482318634,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":218,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":218,"pkt_l4_len":184,"ts_msec":1625482318634,"pkt":"YDjgxTWgeJS0JASgCABFAADMmQwAADIRUp211iOVwKgCZAG7yNcAuLTHb7GBgAABAAEAAAAAATIJU2VDdXJlRG5TBUFWQVN0A0NvbQAAEAABwAwAEAABAAAAAAB9fEROU0MAAQAAdbGG79HauHsEle6YB50xeKMwK8SYUwo5qiWilpDIHq4IRyPqRT3IPG5jxpboE0lko1AuVkiWEeUR9\/u646E\/BRo\/+UHxjIi4wlQScksPLarZO+PfTGW44OCbGa1Eo85vGj\/5QfGMiLgwMDAxXpWkwXFhp8E="}
00565{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":41,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":21,"flow_packets_processed":1,"flow_first_seen":1625482396199,"flow_last_seen":1625482396199,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625482396199,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":63776,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00488{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":41,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":21,"flow_packet_id":1,"flow_last_seen":1625482396199,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":81,"pkt_l4_len":47,"ts_msec":1625482396199,"pkt":"eJS0JASgYDjgxTWgCABFAABD9goAAH8RqSfAqAJktdYjlfkgAbsALyRTl04BAAABAAAAAAAAATIJc0VDdVJlZG5TBUFWQVN0A0NPbQAAEAAB"}
-00660{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":41,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":21,"flow_packets_processed":1,"flow_first_seen":1625482396199,"flow_last_seen":1625482396199,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625482396199,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":63776,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVAST SecureDNS","breed":"Safe","category":"Network"}}
+00659{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":41,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":21,"flow_packets_processed":1,"flow_first_seen":1625482396199,"flow_last_seen":1625482396199,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625482396199,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":63776,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVASTSecureDNS","breed":"Safe","category":"Network"}}
00679{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":42,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":21,"flow_packet_id":2,"flow_last_seen":1625482396320,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":218,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":218,"pkt_l4_len":184,"ts_msec":1625482396320,"pkt":"YDjgxTWgeJS0JASgCABFAADMN0IAADMRs2e11iOVwKgCZAG7+SAAuJzBl06BgAABAAEAAAAAATIJc0VDdVJlZG5TBUFWQVN0A0NPbQAAEAABwAwAEAABAAAAAAB9fEROU0MAAQAAdbGG79HauHsEle6YB50xeKMwK8SYUwo5qiWilpDIHq4IRyPqRT3IPG5jxpboE0lko1AuVkiWEeUR9\/u646E\/BRo\/+UHxjIi4wlQScksPLarZO+PfTGW44OCbGa1Eo85vGj\/5QfGMiLgwMDAxXpWkwXFhp8E="}
00565{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":43,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":22,"flow_packets_processed":1,"flow_first_seen":1625482399044,"flow_last_seen":1625482399044,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625482399044,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":50008,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00488{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":43,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":22,"flow_packet_id":1,"flow_last_seen":1625482399044,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":81,"pkt_l4_len":47,"ts_msec":1625482399044,"pkt":"eJS0JASgYDjgxTWgCABFAABD9g4AAH8RqSPAqAJktdYjlcNYAbsAL0Y+i0sBAAABAAAAAAAAATIJU0VjVVJFRG5TBUF2QXN0A0NvbQAAEAAB"}
-00660{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":43,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":22,"flow_packets_processed":1,"flow_first_seen":1625482399044,"flow_last_seen":1625482399044,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625482399044,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":50008,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVAST SecureDNS","breed":"Safe","category":"Network"}}
+00659{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":43,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":22,"flow_packets_processed":1,"flow_first_seen":1625482399044,"flow_last_seen":1625482399044,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625482399044,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":50008,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVASTSecureDNS","breed":"Safe","category":"Network"}}
00679{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":44,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":22,"flow_packet_id":2,"flow_last_seen":1625482399165,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":218,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":218,"pkt_l4_len":184,"ts_msec":1625482399165,"pkt":"YDjgxTWgeJS0JASgCABFAADMOy8AADIRsHq11iOVwKgCZAG7w1gAuL6si0uBgAABAAEAAAAAATIJU0VjVVJFRG5TBUF2QXN0A0NvbQAAEAABwAwAEAABAAAAAAB9fEROU0MAAQAAdbGG79HauHsEle6YB50xeKMwK8SYUwo5qiWilpDIHq4IRyPqRT3IPG5jxpboE0lko1AuVkiWEeUR9\/u646E\/BRo\/+UHxjIi4wlQScksPLarZO+PfTGW44OCbGa1Eo85vGj\/5QfGMiLgwMDAxXpWkwXFhp8E="}
00565{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":45,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":23,"flow_packets_processed":1,"flow_first_seen":1625482401089,"flow_last_seen":1625482401089,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625482401089,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":49737,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00489{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":45,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":23,"flow_packet_id":1,"flow_last_seen":1625482401089,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":81,"pkt_l4_len":47,"ts_msec":1625482401089,"pkt":"eJS0JASgYDjgxTWgCABFAABD9hIAAH8RqR\/AqAJktdYjlcJJAbsAL3PfnlkBAAABAAAAAAAAATIJc0VjVVJFZE5zBUFWYXNUA2NvTQAAEAAB"}
-00660{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":45,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":23,"flow_packets_processed":1,"flow_first_seen":1625482401089,"flow_last_seen":1625482401089,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625482401089,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":49737,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVAST SecureDNS","breed":"Safe","category":"Network"}}
+00659{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":45,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":23,"flow_packets_processed":1,"flow_first_seen":1625482401089,"flow_last_seen":1625482401089,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625482401089,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":49737,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVASTSecureDNS","breed":"Safe","category":"Network"}}
00679{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":46,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":23,"flow_packet_id":2,"flow_last_seen":1625482401211,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":218,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":218,"pkt_l4_len":184,"ts_msec":1625482401211,"pkt":"YDjgxTWgeJS0JASgCABFAADMPeEAADIRrci11iOVwKgCZAG7wkkAuOxNnlmBgAABAAEAAAAAATIJc0VjVVJFZE5zBUFWYXNUA2NvTQAAEAABwAwAEAABAAAAAAB9fEROU0MAAQAAdbGG79HauHsEle6YB50xeKMwK8SYUwo5qiWilpDIHq4IRyPqRT3IPG5jxpboE0lko1AuVkiWEeUR9\/u646E\/BRo\/+UHxjIi4wlQScksPLarZO+PfTGW44OCbGa1Eo85vGj\/5QfGMiLgwMDAxXpWkwXFhp8E="}
00571{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":47,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":20,"flow_packets_processed":2,"flow_first_seen":1625482318517,"flow_last_seen":1625482318634,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":176,"flow_tot_l4_payload_len":215,"flow_avg_l4_payload_len":107,"midstream":0,"ts_msec":1625482484544,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":51415,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00571{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":47,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":19,"flow_packets_processed":2,"flow_first_seen":1625482316411,"flow_last_seen":1625482316532,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":176,"flow_tot_l4_payload_len":215,"flow_avg_l4_payload_len":107,"midstream":0,"ts_msec":1625482484544,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":64494,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00565{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":47,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":24,"flow_packets_processed":1,"flow_first_seen":1625482484544,"flow_last_seen":1625482484544,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625482484544,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":51887,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00489{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":47,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":24,"flow_packet_id":1,"flow_last_seen":1625482484544,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":81,"pkt_l4_len":47,"ts_msec":1625482484544,"pkt":"eJS0JASgYDjgxTWgCABFAABD\/EEAAH8RovDAqAJktdYjlcqvAbsAL8hTAb8BAAABAAAAAAAAATIJU0VDVXJlRG5zBUFWYXN0A0NvTQAAEAAB"}
-00660{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":47,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":24,"flow_packets_processed":1,"flow_first_seen":1625482484544,"flow_last_seen":1625482484544,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625482484544,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":51887,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVAST SecureDNS","breed":"Safe","category":"Network"}}
+00659{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":47,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":24,"flow_packets_processed":1,"flow_first_seen":1625482484544,"flow_last_seen":1625482484544,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625482484544,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":51887,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVASTSecureDNS","breed":"Safe","category":"Network"}}
00679{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":48,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":24,"flow_packet_id":2,"flow_last_seen":1625482484661,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":218,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":218,"pkt_l4_len":184,"ts_msec":1625482484661,"pkt":"YDjgxTWgeJS0JASgCABFAADMsJIAADIROxe11iOVwKgCZAG7yq8AuEDCAb+BgAABAAEAAAAAATIJU0VDVXJlRG5zBUFWYXN0A0NvTQAAEAABwAwAEAABAAAAAAB9fEROU0MAAQAAdbGG79HauHsEle6YB50xeKMwK8SYUwo5qiWilpDIHq4IRyPqRT3IPG5jxpboE0lko1AuVkiWEeUR9\/u646E\/BRo\/+UHxjIi4wlQScksPLarZO+PfTGW44OCbGa1Eo85vGj\/5QfGMiLgwMDAxXpWkwXFhp8E="}
00565{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":49,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":25,"flow_packets_processed":1,"flow_first_seen":1625482484661,"flow_last_seen":1625482484661,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625482484661,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":60127,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00489{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":49,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":25,"flow_packet_id":1,"flow_last_seen":1625482484661,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":81,"pkt_l4_len":47,"ts_msec":1625482484661,"pkt":"eJS0JASgYDjgxTWgCABFAABD\/D0AAH8RovTAqAJktdYjlerfAbsAL5AIOXoBAAABAAAAAAAAATIJc0VjVXJlZE5TBUF2YXN0A2NPTQAAEAAB"}
-00660{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":49,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":25,"flow_packets_processed":1,"flow_first_seen":1625482484661,"flow_last_seen":1625482484661,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625482484661,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":60127,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVAST SecureDNS","breed":"Safe","category":"Network"}}
+00659{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":49,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":25,"flow_packets_processed":1,"flow_first_seen":1625482484661,"flow_last_seen":1625482484661,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625482484661,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":60127,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVASTSecureDNS","breed":"Safe","category":"Network"}}
00679{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":50,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":25,"flow_packet_id":2,"flow_last_seen":1625482484661,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":218,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":218,"pkt_l4_len":184,"ts_msec":1625482484661,"pkt":"YDjgxTWgeJS0JASgCABFAADMo38AADIRSCq11iOVwKgCZAG76t8AuAh3OXqBgAABAAEAAAAAATIJc0VjVXJlZE5TBUF2YXN0A2NPTQAAEAABwAwAEAABAAAAAAB9fEROU0MAAQAAdbGG79HauHsEle6YB50xeKMwK8SYUwo5qiWilpDIHq4IRyPqRT3IPG5jxpboE0lko1AuVkiWEeUR9\/u646E\/BRo\/+UHxjIi4wlQScksPLarZO+PfTGW44OCbGa1Eo85vGj\/5QfGMiLgwMDAxXpWkwXFhp8E="}
00565{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":51,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":26,"flow_packets_processed":1,"flow_first_seen":1625482486856,"flow_last_seen":1625482486856,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625482486856,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":54546,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00490{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":51,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":26,"flow_packet_id":1,"flow_last_seen":1625482486856,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":81,"pkt_l4_len":47,"ts_msec":1625482486856,"pkt":"eJS0JASgYDjgxTWgCABFAABD\/EUAAH8RouzAqAJktdYjldUSAbsAL8JN\/WEBAAABAAAAAAAAATIJc2VDVXJlZG5TBUFWQXN0A0NPTQAAEAAB"}
-00660{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":51,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":26,"flow_packets_processed":1,"flow_first_seen":1625482486856,"flow_last_seen":1625482486856,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625482486856,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":54546,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVAST SecureDNS","breed":"Safe","category":"Network"}}
+00659{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":51,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":26,"flow_packets_processed":1,"flow_first_seen":1625482486856,"flow_last_seen":1625482486856,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625482486856,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":54546,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVASTSecureDNS","breed":"Safe","category":"Network"}}
00681{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":52,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":26,"flow_packet_id":2,"flow_last_seen":1625482486976,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":218,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":218,"pkt_l4_len":184,"ts_msec":1625482486976,"pkt":"YDjgxTWgeJS0JASgCABFAADMt\/IAADMRMre11iOVwKgCZAG71RIAuDq8\/WGBgAABAAEAAAAAATIJc2VDVXJlZG5TBUFWQXN0A0NPTQAAEAABwAwAEAABAAAAAAB9fEROU0MAAQAAdbGG79HauHsEle6YB50xeKMwK8SYUwo5qiWilpDIHq4IRyPqRT3IPG5jxpboE0lko1AuVkiWEeUR9\/u646E\/BRo\/+UHxjIi4wlQScksPLarZO+PfTGW44OCbGa1Eo85vGj\/5QfGMiLgwMDAxXpWkwXFhp8E="}
00569{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":53,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":20,"flow_packets_processed":2,"flow_first_seen":1625482318517,"flow_last_seen":1625482318634,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":176,"flow_tot_l4_payload_len":215,"flow_avg_l4_payload_len":107,"midstream":0,"ts_msec":1625482998213,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":51415,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00569{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":53,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":21,"flow_packets_processed":2,"flow_first_seen":1625482396199,"flow_last_seen":1625482396320,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":176,"flow_tot_l4_payload_len":215,"flow_avg_l4_payload_len":107,"midstream":0,"ts_msec":1625482998213,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":63776,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
@@ -133,23 +133,23 @@
00569{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":53,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":26,"flow_packets_processed":2,"flow_first_seen":1625482486856,"flow_last_seen":1625482486976,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":176,"flow_tot_l4_payload_len":215,"flow_avg_l4_payload_len":107,"midstream":0,"ts_msec":1625482998213,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":54546,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00565{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":53,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":27,"flow_packets_processed":1,"flow_first_seen":1625482998213,"flow_last_seen":1625482998213,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625482998213,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":64432,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00488{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":53,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":27,"flow_packet_id":1,"flow_last_seen":1625482998213,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":81,"pkt_l4_len":47,"ts_msec":1625482998213,"pkt":"eJS0JASgYDjgxTWgCABFAABDf48AAH8RH6PAqAJktdYjlfuwAbsAL9NLpcUBAAABAAAAAAAAATIJc0VjdVJlZE5TBUF2YXNUA0NvTQAAEAAB"}
-00660{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":53,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":27,"flow_packets_processed":1,"flow_first_seen":1625482998213,"flow_last_seen":1625482998213,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625482998213,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":64432,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVAST SecureDNS","breed":"Safe","category":"Network"}}
+00659{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":53,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":27,"flow_packets_processed":1,"flow_first_seen":1625482998213,"flow_last_seen":1625482998213,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625482998213,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":64432,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVASTSecureDNS","breed":"Safe","category":"Network"}}
00680{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":54,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":27,"flow_packet_id":2,"flow_last_seen":1625482998333,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":218,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":218,"pkt_l4_len":184,"ts_msec":1625482998333,"pkt":"YDjgxTWgeJS0JASgCABFAADM\/oEAADMR7Ce11iOVwKgCZAG7+7AAuEu6pcWBgAABAAEAAAAAATIJc0VjdVJlZE5TBUF2YXNUA0NvTQAAEAABwAwAEAABAAAAAAB9fEROU0MAAQAAdbGG79HauHsEle6YB50xeKMwK8SYUwo5qiWilpDIHq4IRyPqRT3IPG5jxpboE0lko1AuVkiWEeUR9\/u646E\/BRo\/+UHxjIi4wlQScksPLarZO+PfTGW44OCbGa1Eo85vGj\/5QfGMiLgwMDAxXpWkwXFhp8E="}
00565{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":55,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":28,"flow_packets_processed":1,"flow_first_seen":1625483010449,"flow_last_seen":1625483010449,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625483010449,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":59613,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00489{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":55,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":28,"flow_packet_id":1,"flow_last_seen":1625483010449,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":81,"pkt_l4_len":47,"ts_msec":1625483010449,"pkt":"eJS0JASgYDjgxTWgCABFAABDf5MAAH8RH5\/AqAJktdYjlejdAbsALyrioMIBAAABAAAAAAAAATIJc0VDVXJFRG5zBWFWQXN0A2NvTQAAEAAB"}
-00660{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":55,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":28,"flow_packets_processed":1,"flow_first_seen":1625483010449,"flow_last_seen":1625483010449,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625483010449,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":59613,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVAST SecureDNS","breed":"Safe","category":"Network"}}
+00659{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":55,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":28,"flow_packets_processed":1,"flow_first_seen":1625483010449,"flow_last_seen":1625483010449,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625483010449,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":59613,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVASTSecureDNS","breed":"Safe","category":"Network"}}
00679{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":56,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":28,"flow_packet_id":2,"flow_last_seen":1625483010570,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":218,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":218,"pkt_l4_len":184,"ts_msec":1625483010570,"pkt":"YDjgxTWgeJS0JASgCABFAADMH70AADMRyuy11iOVwKgCZAG76N0AuKNQoMKBgAABAAEAAAAAATIJc0VDVXJFRG5zBWFWQXN0A2NvTQAAEAABwAwAEAABAAAAAAB9fEROU0MAAQAAdbGG79HauHsEle6YB50xeKMwK8SYUwo5qiWilpDIHq4IRyPqRT3IPG5jxpboE0lko1AuVkiWEeUR9\/u646E\/BRo\/+UHxjIi4wlQScksPLarZO+PfTGW44OCbGa1Eo85vGj\/5QfGMiLgwMDAxXpWkwXFhp8E="}
00565{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":57,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":29,"flow_packets_processed":1,"flow_first_seen":1625483073336,"flow_last_seen":1625483073336,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625483073336,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":65063,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00489{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":57,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":29,"flow_packet_id":1,"flow_last_seen":1625483073336,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":81,"pkt_l4_len":47,"ts_msec":1625483073336,"pkt":"eJS0JASgYDjgxTWgCABFAABDR0IAAH8RV\/DAqAJktdYjlf4nAbsAL7S54cABAAABAAAAAAAAATIJc0VDVXJFRG5zBWF2QXN0A0NvTQAAEAAB"}
-00660{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":57,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":29,"flow_packets_processed":1,"flow_first_seen":1625483073336,"flow_last_seen":1625483073336,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625483073336,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":65063,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVAST SecureDNS","breed":"Safe","category":"Network"}}
+00659{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":57,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":29,"flow_packets_processed":1,"flow_first_seen":1625483073336,"flow_last_seen":1625483073336,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625483073336,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":65063,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVASTSecureDNS","breed":"Safe","category":"Network"}}
00680{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":58,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":29,"flow_packet_id":2,"flow_last_seen":1625483073457,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":218,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":218,"pkt_l4_len":184,"ts_msec":1625483073457,"pkt":"YDjgxTWgeJS0JASgCABFAADMaN0AADIRgsy11iOVwKgCZAG7\/icAuC0o4cCBgAABAAEAAAAAATIJc0VDVXJFRG5zBWF2QXN0A0NvTQAAEAABwAwAEAABAAAAAAB9fEROU0MAAQAAdbGG79HauHsEle6YB50xeKMwK8SYUwo5qiWilpDIHq4IRyPqRT3IPG5jxpboE0lko1AuVkiWEeUR9\/u646E\/BRo\/+UHxjIi4wlQScksPLarZO+PfTGW44OCbGa1Eo85vGj\/5QfGMiLgwMDAxXpWkwXFhp8E="}
00565{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":59,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":30,"flow_packets_processed":1,"flow_first_seen":1625483073457,"flow_last_seen":1625483073457,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625483073457,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":51929,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00489{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":59,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":30,"flow_packet_id":1,"flow_last_seen":1625483073457,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":81,"pkt_l4_len":47,"ts_msec":1625483073457,"pkt":"eJS0JASgYDjgxTWgCABFAABDRz4AAH8RV\/TAqAJktdYjlcrZAbsAL46OWvoBAAABAAAAAAAAATIJU0VjVXJlRG5zBWFWQXN0A2NPbQAAEAAB"}
-00660{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":59,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":30,"flow_packets_processed":1,"flow_first_seen":1625483073457,"flow_last_seen":1625483073457,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625483073457,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":51929,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVAST SecureDNS","breed":"Safe","category":"Network"}}
+00659{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":59,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":30,"flow_packets_processed":1,"flow_first_seen":1625483073457,"flow_last_seen":1625483073457,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625483073457,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":51929,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVASTSecureDNS","breed":"Safe","category":"Network"}}
00679{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":60,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":30,"flow_packet_id":2,"flow_last_seen":1625483073457,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":218,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":218,"pkt_l4_len":184,"ts_msec":1625483073457,"pkt":"YDjgxTWgeJS0JASgCABFAADMZ5oAADIRhA+11iOVwKgCZAG7ytkAuAb9WvqBgAABAAEAAAAAATIJU0VjVXJlRG5zBWFWQXN0A2NPbQAAEAABwAwAEAABAAAAAAB9fEROU0MAAQAAdbGG79HauHsEle6YB50xeKMwK8SYUwo5qiWilpDIHq4IRyPqRT3IPG5jxpboE0lko1AuVkiWEeUR9\/u646E\/BRo\/+UHxjIi4wlQScksPLarZO+PfTGW44OCbGa1Eo85vGj\/5QfGMiLgwMDAxXpWkwXFhp8E="}
00565{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":61,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":31,"flow_packets_processed":1,"flow_first_seen":1625483073457,"flow_last_seen":1625483073457,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625483073457,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":52417,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00490{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":61,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":31,"flow_packet_id":1,"flow_last_seen":1625483073457,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":81,"pkt_l4_len":47,"ts_msec":1625483073457,"pkt":"eJS0JASgYDjgxTWgCABFAABDRzoAAH8RV\/jAqAJktdYjlczBAbsAL78\/SIEBAAABAAAAAAAAATIJc2VDVXJlZE5zBWFWQVNUA2NPTQAAEAAB"}
-00660{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":61,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":31,"flow_packets_processed":1,"flow_first_seen":1625483073457,"flow_last_seen":1625483073457,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625483073457,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":52417,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVAST SecureDNS","breed":"Safe","category":"Network"}}
+00659{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":61,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":31,"flow_packets_processed":1,"flow_first_seen":1625483073457,"flow_last_seen":1625483073457,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625483073457,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":52417,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVASTSecureDNS","breed":"Safe","category":"Network"}}
00680{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":62,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":31,"flow_packet_id":2,"flow_last_seen":1625483073457,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":218,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":218,"pkt_l4_len":184,"ts_msec":1625483073457,"pkt":"YDjgxTWgeJS0JASgCABFAADMX7kAADIRi\/C11iOVwKgCZAG7zMEAuDeuSIGBgAABAAEAAAAAATIJc2VDVXJlZE5zBWFWQVNUA2NPTQAAEAABwAwAEAABAAAAAAB9fEROU0MAAQAAdbGG79HauHsEle6YB50xeKMwK8SYUwo5qiWilpDIHq4IRyPqRT3IPG5jxpboE0lko1AuVkiWEeUR9\/u646E\/BRo\/+UHxjIi4wlQScksPLarZO+PfTGW44OCbGa1Eo85vGj\/5QfGMiLgwMDAxXpWkwXFhp8E="}
00569{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":63,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":28,"flow_packets_processed":2,"flow_first_seen":1625483010449,"flow_last_seen":1625483010570,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":176,"flow_tot_l4_payload_len":215,"flow_avg_l4_payload_len":107,"midstream":0,"ts_msec":1625511643408,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":59613,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00569{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":63,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":30,"flow_packets_processed":2,"flow_first_seen":1625483073457,"flow_last_seen":1625483073457,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":176,"flow_tot_l4_payload_len":215,"flow_avg_l4_payload_len":107,"midstream":0,"ts_msec":1625511643408,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":51929,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
@@ -158,28 +158,28 @@
00569{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":63,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":29,"flow_packets_processed":2,"flow_first_seen":1625483073336,"flow_last_seen":1625483073457,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":176,"flow_tot_l4_payload_len":215,"flow_avg_l4_payload_len":107,"midstream":0,"ts_msec":1625511643408,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":65063,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00565{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":63,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":32,"flow_packets_processed":1,"flow_first_seen":1625511643408,"flow_last_seen":1625511643408,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625511643408,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":59474,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00488{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":63,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":32,"flow_packet_id":1,"flow_last_seen":1625511643408,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":81,"pkt_l4_len":47,"ts_msec":1625511643408,"pkt":"eJS0JASgYDjgxTWgCABFAABDhScAAH8RGgvAqAJktdYjlehSAbsAL7NiOO0BAAABAAAAAAAAATIJU2VDVVJFZG5zBUFWYVN0A2NPTQAAEAAB"}
-00660{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":63,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":32,"flow_packets_processed":1,"flow_first_seen":1625511643408,"flow_last_seen":1625511643408,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625511643408,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":59474,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVAST SecureDNS","breed":"Safe","category":"Network"}}
+00659{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":63,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":32,"flow_packets_processed":1,"flow_first_seen":1625511643408,"flow_last_seen":1625511643408,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625511643408,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":59474,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVASTSecureDNS","breed":"Safe","category":"Network"}}
00679{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":64,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":32,"flow_packet_id":2,"flow_last_seen":1625511643529,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":218,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":218,"pkt_l4_len":184,"ts_msec":1625511643529,"pkt":"YDjgxTWgeJS0JASgCABFAADM0vYAADMRF7O11iOVwKgCZAG76FIAuCvROO2BgAABAAEAAAAAATIJU2VDVVJFZG5zBUFWYVN0A2NPTQAAEAABwAwAEAABAAAAAAB9fEROU0MAAQAAdbGG79HauHsEle6YB50xeKMwK8SYUwo5qiWilpDIHq4IRyPqRT3IPG5jxpboE0lko1AuVkiWEeUR9\/u646E\/BRo\/+UHxjIi4wlQScksPLarZO+PfTGW44OCbGa1Eo85vGj\/5QfGMiLgwMDAxXpWkwXFhp8E="}
00565{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":65,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":33,"flow_packets_processed":1,"flow_first_seen":1625511645426,"flow_last_seen":1625511645426,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625511645426,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":53839,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00488{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":65,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":33,"flow_packet_id":1,"flow_last_seen":1625511645426,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":81,"pkt_l4_len":47,"ts_msec":1625511645426,"pkt":"eJS0JASgYDjgxTWgCABFAABDhSsAAH8RGgfAqAJktdYjldJPAbsAL0czmx8BAAABAAAAAAAAATIJc2VDVVJFRE5TBWF2QVN0A2NvbQAAEAAB"}
-00660{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":65,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":33,"flow_packets_processed":1,"flow_first_seen":1625511645426,"flow_last_seen":1625511645426,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625511645426,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":53839,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVAST SecureDNS","breed":"Safe","category":"Network"}}
+00659{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":65,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":33,"flow_packets_processed":1,"flow_first_seen":1625511645426,"flow_last_seen":1625511645426,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625511645426,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":53839,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVASTSecureDNS","breed":"Safe","category":"Network"}}
00679{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":66,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":33,"flow_packet_id":2,"flow_last_seen":1625511645546,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":218,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":218,"pkt_l4_len":184,"ts_msec":1625511645546,"pkt":"YDjgxTWgeJS0JASgCABFAADM008AADMRF1q11iOVwKgCZAG70k8AuL+hmx+BgAABAAEAAAAAATIJc2VDVVJFRE5TBWF2QVN0A2NvbQAAEAABwAwAEAABAAAAAAB9fEROU0MAAQAAdbGG79HauHsEle6YB50xeKMwK8SYUwo5qiWilpDIHq4IRyPqRT3IPG5jxpboE0lko1AuVkiWEeUR9\/u646E\/BRo\/+UHxjIi4wlQScksPLarZO+PfTGW44OCbGa1Eo85vGj\/5QfGMiLgwMDAxXpWkwXFhp8E="}
00569{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":67,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":32,"flow_packets_processed":2,"flow_first_seen":1625511643408,"flow_last_seen":1625511643529,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":176,"flow_tot_l4_payload_len":215,"flow_avg_l4_payload_len":107,"midstream":0,"ts_msec":1625556065479,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":59474,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00569{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":67,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":33,"flow_packets_processed":2,"flow_first_seen":1625511645426,"flow_last_seen":1625511645546,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":176,"flow_tot_l4_payload_len":215,"flow_avg_l4_payload_len":107,"midstream":0,"ts_msec":1625556065479,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":53839,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00565{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":67,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":34,"flow_packets_processed":1,"flow_first_seen":1625556065479,"flow_last_seen":1625556065479,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625556065479,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":55948,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00488{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":67,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":34,"flow_packet_id":1,"flow_last_seen":1625556065479,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":81,"pkt_l4_len":47,"ts_msec":1625556065479,"pkt":"eJS0JASgYDjgxTWgCABFAABDHAQAAH8Rgy7AqAJktdYjldqMAbsAL9sh3zMBAAABAAAAAAAAATIJU2VDVXJlRG5zBUF2QVNUA0NPbQAAEAAB"}
-00660{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":67,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":34,"flow_packets_processed":1,"flow_first_seen":1625556065479,"flow_last_seen":1625556065479,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625556065479,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":55948,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVAST SecureDNS","breed":"Safe","category":"Network"}}
+00659{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":67,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":34,"flow_packets_processed":1,"flow_first_seen":1625556065479,"flow_last_seen":1625556065479,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625556065479,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":55948,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVASTSecureDNS","breed":"Safe","category":"Network"}}
00565{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":68,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":35,"flow_packets_processed":1,"flow_first_seen":1625556067432,"flow_last_seen":1625556067432,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625556067432,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":51383,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00488{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":68,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":35,"flow_packet_id":1,"flow_last_seen":1625556067432,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":81,"pkt_l4_len":47,"ts_msec":1625556067432,"pkt":"eJS0JASgYDjgxTWgCABFAABDHAgAAH8RgyrAqAJktdYjlci3AbsAL6ehZCkBAAABAAAAAAAAATIJc0VDVXJlRE5zBWF2YVNUA2NPTQAAEAAB"}
-00660{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":68,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":35,"flow_packets_processed":1,"flow_first_seen":1625556067432,"flow_last_seen":1625556067432,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625556067432,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":51383,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVAST SecureDNS","breed":"Safe","category":"Network"}}
+00659{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":68,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":35,"flow_packets_processed":1,"flow_first_seen":1625556067432,"flow_last_seen":1625556067432,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625556067432,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":51383,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVASTSecureDNS","breed":"Safe","category":"Network"}}
00679{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":69,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":35,"flow_packet_id":2,"flow_last_seen":1625556067553,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":218,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":218,"pkt_l4_len":184,"ts_msec":1625556067553,"pkt":"YDjgxTWgeJS0JASgCABFAADMazAAADIRgHm11iOVwKgCZAG7yLcAuCAQZCmBgAABAAEAAAAAATIJc0VDVXJlRE5zBWF2YVNUA2NPTQAAEAABwAwAEAABAAAAAAB9fEROU0MAAQAAdbGG79HauHsEle6YB50xeKMwK8SYUwo5qiWilpDIHq4IRyPqRT3IPG5jxpboE0lko1AuVkiWEeUR9\/u646E\/BRo\/+UHxjIi4wlQScksPLarZO+PfTGW44OCbGa1Eo85vGj\/5QfGMiLgwMDAxXpWkwXFhp8E="}
00565{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":70,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":36,"flow_packets_processed":1,"flow_first_seen":1625556100118,"flow_last_seen":1625556100118,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625556100118,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":64700,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00488{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":70,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":36,"flow_packet_id":1,"flow_last_seen":1625556100118,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":81,"pkt_l4_len":47,"ts_msec":1625556100118,"pkt":"eJS0JASgYDjgxTWgCABFAABDGwQAAH8RhC7AqAJktdYjlfy8AbsAL4gY7+wBAAABAAAAAAAAATIJU2VjdXJlRG5TBWFWYVNUA0NvTQAAEAAB"}
-00660{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":70,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":36,"flow_packets_processed":1,"flow_first_seen":1625556100118,"flow_last_seen":1625556100118,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625556100118,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":64700,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVAST SecureDNS","breed":"Safe","category":"Network"}}
+00659{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":70,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":36,"flow_packets_processed":1,"flow_first_seen":1625556100118,"flow_last_seen":1625556100118,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625556100118,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":64700,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVASTSecureDNS","breed":"Safe","category":"Network"}}
00680{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":71,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":36,"flow_packet_id":2,"flow_last_seen":1625556100236,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":218,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":218,"pkt_l4_len":184,"ts_msec":1625556100236,"pkt":"YDjgxTWgeJS0JASgCABFAADMlbkAADIRVfC11iOVwKgCZAG7\/LwAuACH7+yBgAABAAEAAAAAATIJU2VjdXJlRG5TBWFWYVNUA0NvTQAAEAABwAwAEAABAAAAAAB9fEROU0MAAQAAdbGG79HauHsEle6YB50xeKMwK8SYUwo5qiWilpDIHq4IRyPqRT3IPG5jxpboE0lko1AuVkiWEeUR9\/u646E\/BRo\/+UHxjIi4wlQScksPLarZO+PfTGW44OCbGa1Eo85vGj\/5QfGMiLgwMDAxXpWkwXFhp8E="}
00565{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":72,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":37,"flow_packets_processed":1,"flow_first_seen":1625556102196,"flow_last_seen":1625556102196,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625556102196,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":54549,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00488{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":72,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":37,"flow_packet_id":1,"flow_last_seen":1625556102196,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":81,"pkt_l4_len":47,"ts_msec":1625556102196,"pkt":"eJS0JASgYDjgxTWgCABFAABDGwgAAH8RhCrAqAJktdYjldUVAbsAL6kdFo8BAAABAAAAAAAAATIJU0VjVXJlRG5TBUFWYXN0A0NvTQAAEAAB"}
-00660{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":72,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":37,"flow_packets_processed":1,"flow_first_seen":1625556102196,"flow_last_seen":1625556102196,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625556102196,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":54549,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVAST SecureDNS","breed":"Safe","category":"Network"}}
+00659{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":72,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":37,"flow_packets_processed":1,"flow_first_seen":1625556102196,"flow_last_seen":1625556102196,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625556102196,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":54549,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVASTSecureDNS","breed":"Safe","category":"Network"}}
00679{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":73,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":37,"flow_packet_id":2,"flow_last_seen":1625556102314,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":218,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":218,"pkt_l4_len":184,"ts_msec":1625556102314,"pkt":"YDjgxTWgeJS0JASgCABFAADMmGEAADMRUki11iOVwKgCZAG71RUAuCGMFo+BgAABAAEAAAAAATIJU0VjVXJlRG5TBUFWYXN0A0NvTQAAEAABwAwAEAABAAAAAAB9fEROU0MAAQAAdbGG79HauHsEle6YB50xeKMwK8SYUwo5qiWilpDIHq4IRyPqRT3IPG5jxpboE0lko1AuVkiWEeUR9\/u646E\/BRo\/+UHxjIi4wlQScksPLarZO+PfTGW44OCbGa1Eo85vGj\/5QfGMiLgwMDAxXpWkwXFhp8E="}
00569{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":74,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":35,"flow_packets_processed":2,"flow_first_seen":1625556067432,"flow_last_seen":1625556067553,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":176,"flow_tot_l4_payload_len":215,"flow_avg_l4_payload_len":107,"midstream":0,"ts_msec":1625558730271,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":51383,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00566{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":74,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":34,"flow_packets_processed":1,"flow_first_seen":1625556065479,"flow_last_seen":1625556065479,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625558730271,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":55948,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
@@ -187,11 +187,11 @@
00569{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":74,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":37,"flow_packets_processed":2,"flow_first_seen":1625556102196,"flow_last_seen":1625556102314,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":176,"flow_tot_l4_payload_len":215,"flow_avg_l4_payload_len":107,"midstream":0,"ts_msec":1625558730271,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":54549,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00565{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":74,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":38,"flow_packets_processed":1,"flow_first_seen":1625558730271,"flow_last_seen":1625558730271,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625558730271,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":54760,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00488{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":74,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":38,"flow_packet_id":1,"flow_last_seen":1625558730271,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":81,"pkt_l4_len":47,"ts_msec":1625558730271,"pkt":"eJS0JASgYDjgxTWgCABFAABDLFIAAH8RcuDAqAJktdYjldXoAbsALw4O0KsBAAABAAAAAAAAATIJU0VDdXJlZE5zBUFWYVNUA2NvTQAAEAAB"}
-00660{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":74,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":38,"flow_packets_processed":1,"flow_first_seen":1625558730271,"flow_last_seen":1625558730271,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625558730271,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":54760,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVAST SecureDNS","breed":"Safe","category":"Network"}}
+00659{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":74,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":38,"flow_packets_processed":1,"flow_first_seen":1625558730271,"flow_last_seen":1625558730271,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625558730271,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":54760,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVASTSecureDNS","breed":"Safe","category":"Network"}}
00680{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":75,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":38,"flow_packet_id":2,"flow_last_seen":1625558730389,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":218,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":218,"pkt_l4_len":184,"ts_msec":1625558730389,"pkt":"YDjgxTWgeJS0JASgCABFAADM7EMAADIR\/2W11iOVwKgCZAG71egAuIZ80KuBgAABAAEAAAAAATIJU0VDdXJlZE5zBUFWYVNUA2NvTQAAEAABwAwAEAABAAAAAAB9fEROU0MAAQAAdbGG79HauHsEle6YB50xeKMwK8SYUwo5qiWilpDIHq4IRyPqRT3IPG5jxpboE0lko1AuVkiWEeUR9\/u646E\/BRo\/+UHxjIi4wlQScksPLarZO+PfTGW44OCbGa1Eo85vGj\/5QfGMiLgwMDAxXpWkwXFhp8E="}
00565{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":76,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":39,"flow_packets_processed":1,"flow_first_seen":1625558735043,"flow_last_seen":1625558735043,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625558735043,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":49152,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00489{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":76,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":39,"flow_packet_id":1,"flow_last_seen":1625558735043,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":81,"pkt_l4_len":47,"ts_msec":1625558735043,"pkt":"eJS0JASgYDjgxTWgCABFAABDLFYAAH8RctzAqAJktdYjlcAAAbsAL9\/2VKsBAAABAAAAAAAAATIJc0VjVVJFZE5TBUFWQVN0A2NvTQAAEAAB"}
-00660{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":76,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":39,"flow_packets_processed":1,"flow_first_seen":1625558735043,"flow_last_seen":1625558735043,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625558735043,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":49152,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVAST SecureDNS","breed":"Safe","category":"Network"}}
+00659{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":76,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":39,"flow_packets_processed":1,"flow_first_seen":1625558735043,"flow_last_seen":1625558735043,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1625558735043,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":49152,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"AVASTSecureDNS","breed":"Safe","category":"Network"}}
00680{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":77,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":39,"flow_packet_id":2,"flow_last_seen":1625558735164,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":218,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":218,"pkt_l4_len":184,"ts_msec":1625558735164,"pkt":"YDjgxTWgeJS0JASgCABFAADM7yMAADIR\/IW11iOVwKgCZAG7wAAAuFhlVKuBgAABAAEAAAAAATIJc0VjVVJFZE5TBUFWQVN0A2NvTQAAEAABwAwAEAABAAAAAAB9fEROU0MAAQAAdbGG79HauHsEle6YB50xeKMwK8SYUwo5qiWilpDIHq4IRyPqRT3IPG5jxpboE0lko1AuVkiWEeUR9\/u646E\/BRo\/+UHxjIi4wlQScksPLarZO+PfTGW44OCbGa1Eo85vGj\/5QfGMiLgwMDAxXpWkwXFhp8E="}
00569{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":77,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":39,"flow_packets_processed":2,"flow_first_seen":1625558735043,"flow_last_seen":1625558735164,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":176,"flow_tot_l4_payload_len":215,"flow_avg_l4_payload_len":107,"midstream":0,"ts_msec":1625558735164,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":49152,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00569{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":77,"source":"avast_securedns.pcapng","alias":"nDPId-test","flow_id":38,"flow_packets_processed":2,"flow_first_seen":1625558730271,"flow_last_seen":1625558730389,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":176,"flow_tot_l4_payload_len":215,"flow_avg_l4_payload_len":107,"midstream":0,"ts_msec":1625558735164,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"181.214.35.149","src_port":54760,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
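Review bot: The `detected` events for flows 38 and 39 in this hunk now report `"proto":"AVASTSecureDNS"` instead of `"AVAST SecureDNS"`, and nothing in the visible output tells a consumer that the label changed. Any downstream detection rule, allow-list or dashboard that matches the old string exactly will silently stop matching these flows. The same rename appears in the preceding hunk of this file for flows 36 and 37. It presumably comes from the libnDPI update in this commit, so it deserves a changelog line such as `ndpi.proto: "AVAST SecureDNS" renamed to "AVASTSecureDNS"`. The five-digit length prefix was adjusted consistently (00660 to 00659).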
@@ -204,9 +204,9 @@
~~ total active/idle flows...: 39/39
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1991765 bytes
-~~ total memory freed........: 1991765 bytes
-~~ total allocations/frees...: 35529/35529
+~~ total memory allocated....: 4637968 bytes
+~~ total memory freed........: 4637968 bytes
+~~ total allocations/frees...: 99725/99725
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 172 chars
~~ json string max len.......: 686 chars
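Review bot: The summary baseline more than doubles here, from 1991765 bytes in 35529 allocations to 4637968 bytes in 99725 allocations, while the flow count stays at 39/39, and the commit does not explain why. The summary hunks of bad-dns-traffic, badpackets, bitcoin, bittorrent, bittorrent_ip, bittorrent_utp, bt_search, capwap, cassandra and check_mk_new show the same jump, so it looks like a fixed start-up cost rather than per-flow state, presumably from the updated libnDPI. Allocated and freed still match, so this is not a leak, but deployments that run under a memory limit need to know about the new floor. A sentence in the commit description would cover it, for example `baseline allocation rises to ~4.6 MB per run after the libnDPI update`.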
diff --git a/test/results/bad-dns-traffic.pcap.out b/test/results/bad-dns-traffic.pcap.out
index 53c558eeb..978c7065a 100644
--- a/test/results/bad-dns-traffic.pcap.out
+++ b/test/results/bad-dns-traffic.pcap.out
@@ -44,9 +44,9 @@
~~ total active/idle flows...: 3/3
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1942434 bytes
-~~ total memory freed........: 1942434 bytes
-~~ total allocations/frees...: 35726/35726
+~~ total memory allocated....: 4603901 bytes
+~~ total memory freed........: 4603901 bytes
+~~ total allocations/frees...: 99922/99922
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 170 chars
~~ json string max len.......: 847 chars
diff --git a/test/results/badpackets.pcap.out b/test/results/badpackets.pcap.out
index e21e45fdb..f2e224e93 100644
--- a/test/results/badpackets.pcap.out
+++ b/test/results/badpackets.pcap.out
@@ -208,9 +208,9 @@
~~ total active/idle flows...: 0/0
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1926508 bytes
-~~ total memory freed........: 1926508 bytes
-~~ total allocations/frees...: 35335/35335
+~~ total memory allocated....: 4589247 bytes
+~~ total memory freed........: 4589247 bytes
+~~ total allocations/frees...: 99531/99531
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 165 chars
~~ json string max len.......: 2322 chars
diff --git a/test/results/bitcoin.pcap.out b/test/results/bitcoin.pcap.out
index e7005d4bc..019c152df 100644
--- a/test/results/bitcoin.pcap.out
+++ b/test/results/bitcoin.pcap.out
@@ -23,17 +23,17 @@
00609{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":521,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":1,"flow_last_seen":1301329304767,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":171,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":171,"pkt_l4_len":137,"ts_msec":1301329304767,"pkt":"ACPrIpS0ACNshovhCABFAACdDAhAAEAGDmvAqAGOuDqld9i\/II0stRatNDMFDIAY\/\/9S8AAAAQEICiczELoAVdzf+b602XZlcnNpb24AAAAAAFUAAAABfQAAAQAAAAAAAACYtZBNAAAAAAEAAAAAAAAAAAAAAAAAAAAAAP\/\/uDqldyCNAQAAAAAAAAAAAAAAAAAAAAAA\/\/8mYIQeII0b7ZMAlkQ1dwALwwEA"}
00607{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":522,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":2,"flow_last_seen":1301329304813,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":171,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":171,"pkt_l4_len":137,"ts_msec":1301329304813,"pkt":"ACNshovhACPrIpS0CABFAACdBMxAAHQG4aa4OqV3wKgBjiCN2L80MwUMLLUWrYAYAQTgGAAAAQEICgBV3OcnMxC6+b602XZlcnNpb24AAAAAAFUAAAACfQAAAQAAAAAAAACQtZBNAAAAAAEAAAAAAAAAAAAAAAAAAAAAAP\/\/JmCEHti\/AQAAAAAAAAAAAAAAAAAAAAAA\/\/+4OqV3II2BHa1kLxLeCgCuwgEA"}
00599{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":523,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":3,"flow_last_seen":1301329305005,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":165,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":165,"pkt_l4_len":131,"ts_msec":1301329305005,"pkt":"ACPrIpS0ACNshovhCABFAACX6RJAAEAGMWbAqAGOuDqld9i\/II0stRcWNDMFdYAY\/\/+hogAAAQEICiczEL0AVdz7+b602XZlcmFjawAAAAAAAAAAAAD5vrTZZ2V0YWRkcgAAAAAAAAAAAF324OL5vrTZYWRkcgAAAAAAAAAAHwAAAKr+QCYBbLWQTQEAAAAAAAAAAAAAAAAAAAAAAP\/\/JmCEHiCN"}
-00594{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":637,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":172,"flow_first_seen":1301328319392,"flow_last_seen":1301329810648,"flow_idle_time":7440000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":152141,"flow_avg_l4_payload_len":884,"midstream":1,"ts_msec":1301329810839,"l3_proto":"ip4","src_ip":"192.168.1.142","dst_ip":"74.89.181.229","src_port":55348,"dst_port":8333,"l4_proto":"tcp","ndpi": {"proto":"Mining","breed":"Unsafe","category":"Mining"}}
+00632{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":637,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":172,"flow_first_seen":1301328319392,"flow_last_seen":1301329810648,"flow_idle_time":7440000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":152141,"flow_avg_l4_payload_len":884,"midstream":1,"ts_msec":1301329810839,"l3_proto":"ip4","src_ip":"192.168.1.142","dst_ip":"74.89.181.229","src_port":55348,"dst_port":8333,"l4_proto":"tcp","ndpi": {"flow_risk": {"22":"Unsafe Protocol"},"proto":"Mining","breed":"Unsafe","category":"Mining"}}
00566{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":637,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":172,"flow_first_seen":1301328319392,"flow_last_seen":1301329810648,"flow_idle_time":7440000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":152141,"flow_avg_l4_payload_len":884,"midstream":1,"ts_msec":1301329810839,"l3_proto":"ip4","src_ip":"192.168.1.142","dst_ip":"74.89.181.229","src_port":55348,"dst_port":8333,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
-00594{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":637,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":119,"flow_first_seen":1301328699728,"flow_last_seen":1301329807659,"flow_idle_time":7440000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":74897,"flow_avg_l4_payload_len":629,"midstream":1,"ts_msec":1301329810839,"l3_proto":"ip4","src_ip":"192.168.1.142","dst_ip":"195.218.16.178","src_port":55400,"dst_port":8333,"l4_proto":"tcp","ndpi": {"proto":"Mining","breed":"Unsafe","category":"Mining"}}
+00632{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":637,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":119,"flow_first_seen":1301328699728,"flow_last_seen":1301329807659,"flow_idle_time":7440000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":74897,"flow_avg_l4_payload_len":629,"midstream":1,"ts_msec":1301329810839,"l3_proto":"ip4","src_ip":"192.168.1.142","dst_ip":"195.218.16.178","src_port":55400,"dst_port":8333,"l4_proto":"tcp","ndpi": {"flow_risk": {"22":"Unsafe Protocol"},"proto":"Mining","breed":"Unsafe","category":"Mining"}}
00566{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":637,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":119,"flow_first_seen":1301328699728,"flow_last_seen":1301329807659,"flow_idle_time":7440000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":74897,"flow_avg_l4_payload_len":629,"midstream":1,"ts_msec":1301329810839,"l3_proto":"ip4","src_ip":"192.168.1.142","dst_ip":"195.218.16.178","src_port":55400,"dst_port":8333,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
-00591{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":637,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":27,"flow_first_seen":1301329304767,"flow_last_seen":1301329810839,"flow_idle_time":7440000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":1061,"flow_tot_l4_payload_len":2684,"flow_avg_l4_payload_len":99,"midstream":1,"ts_msec":1301329810839,"l3_proto":"ip4","src_ip":"192.168.1.142","dst_ip":"184.58.165.119","src_port":55487,"dst_port":8333,"l4_proto":"tcp","ndpi": {"proto":"Mining","breed":"Unsafe","category":"Mining"}}
+00629{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":637,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":27,"flow_first_seen":1301329304767,"flow_last_seen":1301329810839,"flow_idle_time":7440000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":1061,"flow_tot_l4_payload_len":2684,"flow_avg_l4_payload_len":99,"midstream":1,"ts_msec":1301329810839,"l3_proto":"ip4","src_ip":"192.168.1.142","dst_ip":"184.58.165.119","src_port":55487,"dst_port":8333,"l4_proto":"tcp","ndpi": {"flow_risk": {"22":"Unsafe Protocol"},"proto":"Mining","breed":"Unsafe","category":"Mining"}}
00563{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":637,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":27,"flow_first_seen":1301329304767,"flow_last_seen":1301329810839,"flow_idle_time":7440000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":1061,"flow_tot_l4_payload_len":2684,"flow_avg_l4_payload_len":99,"midstream":1,"ts_msec":1301329810839,"l3_proto":"ip4","src_ip":"192.168.1.142","dst_ip":"184.58.165.119","src_port":55487,"dst_port":8333,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
-00592{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":637,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":161,"flow_first_seen":1301328472925,"flow_last_seen":1301329809936,"flow_idle_time":7440000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":104984,"flow_avg_l4_payload_len":652,"midstream":1,"ts_msec":1301329810839,"l3_proto":"ip4","src_ip":"192.168.1.142","dst_ip":"66.68.83.22","src_port":55383,"dst_port":8333,"l4_proto":"tcp","ndpi": {"proto":"Mining","breed":"Unsafe","category":"Mining"}}
+00630{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":637,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":161,"flow_first_seen":1301328472925,"flow_last_seen":1301329809936,"flow_idle_time":7440000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":104984,"flow_avg_l4_payload_len":652,"midstream":1,"ts_msec":1301329810839,"l3_proto":"ip4","src_ip":"192.168.1.142","dst_ip":"66.68.83.22","src_port":55383,"dst_port":8333,"l4_proto":"tcp","ndpi": {"flow_risk": {"22":"Unsafe Protocol"},"proto":"Mining","breed":"Unsafe","category":"Mining"}}
00564{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":637,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":161,"flow_first_seen":1301328472925,"flow_last_seen":1301329809936,"flow_idle_time":7440000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":104984,"flow_avg_l4_payload_len":652,"midstream":1,"ts_msec":1301329810839,"l3_proto":"ip4","src_ip":"192.168.1.142","dst_ip":"66.68.83.22","src_port":55383,"dst_port":8333,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
-00595{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":637,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":19,"flow_first_seen":1301327937725,"flow_last_seen":1301327939000,"flow_idle_time":7440000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":22190,"flow_avg_l4_payload_len":1167,"midstream":1,"ts_msec":1301329810839,"l3_proto":"ip4","src_ip":"192.168.1.142","dst_ip":"188.165.213.169","src_port":55317,"dst_port":8333,"l4_proto":"tcp","ndpi": {"proto":"Mining","breed":"Unsafe","category":"Mining"}}
+00633{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":637,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":19,"flow_first_seen":1301327937725,"flow_last_seen":1301327939000,"flow_idle_time":7440000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":22190,"flow_avg_l4_payload_len":1167,"midstream":1,"ts_msec":1301329810839,"l3_proto":"ip4","src_ip":"192.168.1.142","dst_ip":"188.165.213.169","src_port":55317,"dst_port":8333,"l4_proto":"tcp","ndpi": {"flow_risk": {"22":"Unsafe Protocol"},"proto":"Mining","breed":"Unsafe","category":"Mining"}}
00567{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":637,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":19,"flow_first_seen":1301327937725,"flow_last_seen":1301327939000,"flow_idle_time":7440000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":22190,"flow_avg_l4_payload_len":1167,"midstream":1,"ts_msec":1301329810839,"l3_proto":"ip4","src_ip":"192.168.1.142","dst_ip":"188.165.213.169","src_port":55317,"dst_port":8333,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
-00595{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":637,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":139,"flow_first_seen":1301328089970,"flow_last_seen":1301328420526,"flow_idle_time":7440000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":182136,"flow_avg_l4_payload_len":1310,"midstream":1,"ts_msec":1301329810839,"l3_proto":"ip4","src_ip":"192.168.1.142","dst_ip":"69.118.54.122","src_port":55328,"dst_port":8333,"l4_proto":"tcp","ndpi": {"proto":"Mining","breed":"Unsafe","category":"Mining"}}
+00633{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":637,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":139,"flow_first_seen":1301328089970,"flow_last_seen":1301328420526,"flow_idle_time":7440000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":182136,"flow_avg_l4_payload_len":1310,"midstream":1,"ts_msec":1301329810839,"l3_proto":"ip4","src_ip":"192.168.1.142","dst_ip":"69.118.54.122","src_port":55328,"dst_port":8333,"l4_proto":"tcp","ndpi": {"flow_risk": {"22":"Unsafe Protocol"},"proto":"Mining","breed":"Unsafe","category":"Mining"}}
00567{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":637,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":139,"flow_first_seen":1301328089970,"flow_last_seen":1301328420526,"flow_idle_time":7440000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":182136,"flow_avg_l4_payload_len":1310,"midstream":1,"ts_msec":1301329810839,"l3_proto":"ip4","src_ip":"192.168.1.142","dst_ip":"69.118.54.122","src_port":55328,"dst_port":8333,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00157{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":637,"source":"bitcoin.pcap","alias":"nDPId-test","total-events-serialized":38}
~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
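Review bot: All six `guessed` events in this hunk gain `"flow_risk": {"22":"Unsafe Protocol"}`, yet each of these flows is `midstream:1` and was only guessed, never `detected`. A consumer that alerts on the presence of any `flow_risk` entry will now treat these guesses on port 8333 with the same weight as a confirmed detection. The event description should state this, for example `flow_risk may be present on "guessed" events; check flow_event_name before alerting`. It is also worth confirming that the schema change in this commit, which is not visible here, accepts risk id 22. The length prefixes grow by 38, which matches the added field.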
@@ -44,9 +44,9 @@
~~ total active/idle flows...: 6/6
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 3068487 bytes
-~~ total memory freed........: 3068487 bytes
-~~ total allocations/frees...: 36068/36068
+~~ total memory allocated....: 5728682 bytes
+~~ total memory freed........: 5728682 bytes
+~~ total allocations/frees...: 100264/100264
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 162 chars
~~ json string max len.......: 1826 chars
diff --git a/test/results/bittorrent.pcap.out b/test/results/bittorrent.pcap.out
index 6f7700d6e..f7bab0936 100644
--- a/test/results/bittorrent.pcap.out
+++ b/test/results/bittorrent.pcap.out
@@ -139,9 +139,9 @@
~~ total active/idle flows...: 24/24
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 2019019 bytes
-~~ total memory freed........: 2019019 bytes
-~~ total allocations/frees...: 35728/35728
+~~ total memory allocated....: 4933742 bytes
+~~ total memory freed........: 4933742 bytes
+~~ total allocations/frees...: 99926/99926
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 166 chars
~~ json string max len.......: 1454 chars
diff --git a/test/results/bittorrent_ip.pcap.out b/test/results/bittorrent_ip.pcap.out
index 805db733f..57e0ab631 100644
--- a/test/results/bittorrent_ip.pcap.out
+++ b/test/results/bittorrent_ip.pcap.out
@@ -21,9 +21,9 @@
~~ total active/idle flows...: 2/2
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 2222108 bytes
-~~ total memory freed........: 2222108 bytes
-~~ total allocations/frees...: 35847/35847
+~~ total memory allocated....: 4883999 bytes
+~~ total memory freed........: 4883999 bytes
+~~ total allocations/frees...: 100043/100043
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 168 chars
~~ json string max len.......: 2443 chars
diff --git a/test/results/bittorrent_utp.pcap.out b/test/results/bittorrent_utp.pcap.out
index feae21b63..6ccddfaa8 100644
--- a/test/results/bittorrent_utp.pcap.out
+++ b/test/results/bittorrent_utp.pcap.out
@@ -14,9 +14,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1930618 bytes
-~~ total memory freed........: 1930618 bytes
-~~ total allocations/frees...: 35424/35424
+~~ total memory allocated....: 4855093 bytes
+~~ total memory freed........: 4855093 bytes
+~~ total allocations/frees...: 99622/99622
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 167 chars
~~ json string max len.......: 691 chars
diff --git a/test/results/bt_search.pcap.out b/test/results/bt_search.pcap.out
index 57f59d292..d70c3b4a2 100644
--- a/test/results/bt_search.pcap.out
+++ b/test/results/bt_search.pcap.out
@@ -16,9 +16,9 @@
~~ total active/idle flows...: 2/2
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1929798 bytes
-~~ total memory freed........: 1929798 bytes
-~~ total allocations/frees...: 35343/35343
+~~ total memory allocated....: 4853849 bytes
+~~ total memory freed........: 4853849 bytes
+~~ total allocations/frees...: 99541/99541
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 162 chars
~~ json string max len.......: 631 chars
diff --git a/test/results/capwap.pcap.out b/test/results/capwap.pcap.out
index e0465092c..9fb59816f 100644
--- a/test/results/capwap.pcap.out
+++ b/test/results/capwap.pcap.out
@@ -58,9 +58,9 @@
~~ total active/idle flows...: 5/5
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1946101 bytes
-~~ total memory freed........: 1946101 bytes
-~~ total allocations/frees...: 35747/35747
+~~ total memory allocated....: 4606720 bytes
+~~ total memory freed........: 4606720 bytes
+~~ total allocations/frees...: 99943/99943
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 150 chars
~~ json string max len.......: 813 chars
diff --git a/test/results/cassandra.pcap.out b/test/results/cassandra.pcap.out
index 5423b7d75..a560b0596 100644
--- a/test/results/cassandra.pcap.out
+++ b/test/results/cassandra.pcap.out
@@ -20,9 +20,9 @@
~~ total active/idle flows...: 2/2
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1938034 bytes
-~~ total memory freed........: 1938034 bytes
-~~ total allocations/frees...: 35627/35627
+~~ total memory allocated....: 4599925 bytes
+~~ total memory freed........: 4599925 bytes
+~~ total allocations/frees...: 99823/99823
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 164 chars
~~ json string max len.......: 589 chars
diff --git a/test/results/check_mk_new.pcap.out b/test/results/check_mk_new.pcap.out
index 81c90adda..3340ca53a 100644
--- a/test/results/check_mk_new.pcap.out
+++ b/test/results/check_mk_new.pcap.out
@@ -14,9 +14,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1930966 bytes
-~~ total memory freed........: 1930966 bytes
-~~ total allocations/frees...: 35436/35436
+~~ total memory allocated....: 4593281 bytes
+~~ total memory freed........: 4593281 bytes
+~~ total allocations/frees...: 99632/99632
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 165 chars
~~ json string max len.......: 605 chars
diff --git a/test/results/chrome.pcap.out b/test/results/chrome.pcap.out
index b84ed2024..e7dd886fd 100644
--- a/test/results/chrome.pcap.out
+++ b/test/results/chrome.pcap.out
@@ -55,9 +55,9 @@
~~ total active/idle flows...: 6/6
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 2533434 bytes
-~~ total memory freed........: 2533434 bytes
-~~ total allocations/frees...: 41057/41057
+~~ total memory allocated....: 5193629 bytes
+~~ total memory freed........: 5193629 bytes
+~~ total allocations/frees...: 105253/105253
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 162 chars
~~ json string max len.......: 895 chars
diff --git a/test/results/coap_mqtt.pcap.out b/test/results/coap_mqtt.pcap.out
index c9bc570f1..d7d0e149c 100644
--- a/test/results/coap_mqtt.pcap.out
+++ b/test/results/coap_mqtt.pcap.out
@@ -95,9 +95,9 @@
~~ total active/idle flows...: 16/16
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 2207462 bytes
-~~ total memory freed........: 2207462 bytes
-~~ total allocations/frees...: 43901/43901
+~~ total memory allocated....: 4863417 bytes
+~~ total memory freed........: 4863417 bytes
+~~ total allocations/frees...: 108097/108097
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 165 chars
~~ json string max len.......: 650 chars
diff --git a/test/results/cpha.pcap.out b/test/results/cpha.pcap.out
index 79fcdbf48..affe19a42 100644
--- a/test/results/cpha.pcap.out
+++ b/test/results/cpha.pcap.out
@@ -10,9 +10,9 @@
~~ total active/idle flows...: 0/0
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1926508 bytes
-~~ total memory freed........: 1926508 bytes
-~~ total allocations/frees...: 35335/35335
+~~ total memory allocated....: 4589247 bytes
+~~ total memory freed........: 4589247 bytes
+~~ total allocations/frees...: 99531/99531
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 150 chars
~~ json string max len.......: 443 chars
diff --git a/test/results/dcerpc.pcap.out b/test/results/dcerpc.pcap.out
index a00ecb706..715634a4a 100644
--- a/test/results/dcerpc.pcap.out
+++ b/test/results/dcerpc.pcap.out
@@ -30,9 +30,9 @@
~~ total active/idle flows...: 4/4
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1933436 bytes
-~~ total memory freed........: 1933436 bytes
-~~ total allocations/frees...: 35363/35363
+~~ total memory allocated....: 4594479 bytes
+~~ total memory freed........: 4594479 bytes
+~~ total allocations/frees...: 99559/99559
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 160 chars
~~ json string max len.......: 1725 chars
diff --git a/test/results/dhcp-fuzz.pcapng.out b/test/results/dhcp-fuzz.pcapng.out
new file mode 100644
index 000000000..86665faba
--- /dev/null
+++ b/test/results/dhcp-fuzz.pcapng.out
@@ -0,0 +1,21 @@
+00445{"daemon_event_id":1,"daemon_event_name":"init","thread_id":0,"packet_id":0,"source":"dhcp-fuzz.pcapng","alias":"nDPId-test","max-flows-per-thread":2048,"max-idle-flows-per-thread":256,"tick-resolution":1000,"reader-thread-count":1,"flow-scan-interval":10000,"generic-max-idle-time":600000,"icmp-max-idle-time":120000,"udp-max-idle-time":180000,"tcp-max-idle-time":7560000,"max-packets-per-flow-to-send":3,"max-packets-per-flow-to-process":255}
+00560{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1,"source":"dhcp-fuzz.pcapng","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1268519154926,"flow_last_seen":1268519154926,"flow_idle_time":180000,"flow_min_l4_payload_len":300,"flow_max_l4_payload_len":300,"flow_tot_l4_payload_len":300,"flow_avg_l4_payload_len":300,"midstream":0,"ts_msec":1268519154926,"l3_proto":"ip4","src_ip":"192.168.155.104","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00845{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"dhcp-fuzz.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_last_seen":1268519154926,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":342,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":342,"pkt_l4_len":308,"ts_msec":1268519154926,"pkt":"\/\/\/\/\/\/\/\/AB8p2i15CABFAAFIfVQAAIAR+kDAqJto\/\/\/\/\/wBEAEMBNNQyAQEGAMl5uWAAAAAAwKgBaAAAAAAAAAAAAAAAAAAfKdoteQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA1wAAAAAAAFMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAZQAAAAAAAAAAAABjglNjNQFqPQcBAB8p2i15DAdNSzAzODYyPDFNU0ZUIDUuMDcMAQ8DBiwuLx8h+Sv8KwPcAQD\/AAAAACUAAAAA"}
+00650{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":1,"source":"dhcp-fuzz.pcapng","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1268519154926,"flow_last_seen":1268519154926,"flow_idle_time":180000,"flow_min_l4_payload_len":300,"flow_max_l4_payload_len":300,"flow_tot_l4_payload_len":300,"flow_avg_l4_payload_len":300,"midstream":0,"ts_msec":1268519154926,"l3_proto":"ip4","src_ip":"192.168.155.104","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","ndpi": {"proto":"DHCP","breed":"Acceptable","category":"Network"},"dhcp": {"hostname":"","fingerprint":"","class_ident":""}}
+00561{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1,"source":"dhcp-fuzz.pcapng","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1268519154926,"flow_last_seen":1268519154926,"flow_idle_time":180000,"flow_min_l4_payload_len":300,"flow_max_l4_payload_len":300,"flow_tot_l4_payload_len":300,"flow_avg_l4_payload_len":300,"midstream":0,"ts_msec":1268519154926,"l3_proto":"ip4","src_ip":"192.168.155.104","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00158{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":1,"source":"dhcp-fuzz.pcapng","alias":"nDPId-test","total-events-serialized":6}
+~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
+~~ packets captured/processed: 1/1
+~~ skipped flows.............: 0
+~~ total layer4 data length..: 300 bytes
+~~ total detected protocols..: 0
+~~ total active/idle flows...: 1/1
+~~ total timeout flows.......: 0
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~ total memory allocated....: 4590468 bytes
+~~ total memory freed........: 4590468 bytes
+~~ total allocations/frees...: 99535/99535
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~ json string min len.......: 163 chars
+~~ json string max len.......: 850 chars
+~~ json string avg len.......: 560 chars
diff --git a/test/results/diameter.pcap.out b/test/results/diameter.pcap.out
index b1303777c..888e30fce 100644
--- a/test/results/diameter.pcap.out
+++ b/test/results/diameter.pcap.out
@@ -1,23 +1,23 @@
00442{"daemon_event_id":1,"daemon_event_name":"init","thread_id":0,"packet_id":0,"source":"diameter.pcap","alias":"nDPId-test","max-flows-per-thread":2048,"max-idle-flows-per-thread":256,"tick-resolution":1000,"reader-thread-count":1,"flow-scan-interval":10000,"generic-max-idle-time":600000,"icmp-max-idle-time":120000,"udp-max-idle-time":180000,"tcp-max-idle-time":7560000,"max-packets-per-flow-to-send":3,"max-packets-per-flow-to-process":255}
00556{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1,"source":"diameter.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1263278878271,"flow_last_seen":1263278878271,"flow_idle_time":7440000,"flow_min_l4_payload_len":344,"flow_max_l4_payload_len":344,"flow_tot_l4_payload_len":344,"flow_avg_l4_payload_len":344,"midstream":1,"ts_msec":1263278878271,"l3_proto":"ip4","src_ip":"10.201.9.245","dst_ip":"10.201.9.11","src_port":50957,"dst_port":3868,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00905{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"diameter.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_last_seen":1263278878271,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":398,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":398,"pkt_l4_len":364,"ts_msec":1263278878271,"pkt":"ABpk3ZWLACYYlIbACABFAAGABtlAAIAGAAAKyQn1CskJC8cNDxz34fq2+LwvkFAY+gQqBAAAAQABWIAAARAAAAAEAupJMCbwAAMAAAEHQAAAHW54bDthcGk7MTI2MzI3ODg3ODE0NwAAAAAAAc1AAAAUQ29tdmVyc2UuRENJAAABAkAAAAwAAAAEAAABCEAAABlueGwxLm5ldHhjZWxsLmNvbQAAAAAAAShAAAAUbmV0eGNlbGwuY29tAAABn0AAAAwAAAAAAAABJUAAABlkZ3UyLmNvbXZlcnNlLmNvbQAAAAAAARtAAAAUY29tdmVyc2UuY29tAAAAN0AAAAzO9pmeAAABu0AAACgAAAG8QAAAFDkxOTA4MDAwMDAxNgAAAcJAAAAMAAAAAAAAAbhAAAAkAAABuUAAAAwAAAACAAABukAAAA1kYmlsbAAAAAAAAaBAAAAMAAAAAQAAAbVAAAA0AAABnUAAACwAAAG9QAAAGAAAAb9AAAAQAAAAAAAAAAIAAAGpQAAADAAAAWQ="}
+00593{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"diameter.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1263278878271,"flow_last_seen":1263278878271,"flow_idle_time":7440000,"flow_min_l4_payload_len":344,"flow_max_l4_payload_len":344,"flow_tot_l4_payload_len":344,"flow_avg_l4_payload_len":344,"midstream":1,"ts_msec":1263278878271,"l3_proto":"ip4","src_ip":"10.201.9.245","dst_ip":"10.201.9.11","src_port":50957,"dst_port":3868,"l4_proto":"tcp","ndpi": {"proto":"Diameter","breed":"Acceptable","category":"Network"}}
00761{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"diameter.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_last_seen":1263278878292,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":290,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":290,"pkt_l4_len":256,"ts_msec":1263278878292,"pkt":"ACYYlIbAABpk3ZWLCABFAAEUlYlAAEAGe8kKyQkLCskJ9Q8cxw34vC+Q9+H8DlAYGSCUIQAAAQAA7EAAARAAAAAEAupJMCbwAAMAAAEHQAAAHW54bDthcGk7MTI2MzI3ODg3ODE0NwAAAAAAAQxAAAAMAAAH0QAAAQhAAAAaZHNsdTEuY29tdmVyc2UuY29tAAAAAAEoQAAAFGNvbXZlcnNlLmNvbQAAAQJAAAAMAAAABAAAAaBAAAAMAAAAAQAAAZ9AAAAMAAAAAAAAARZAAAAMAABBbQAAADdAAAAMzvaZ5QAAAcBAAAAMAAAABQAAAa9AAAA0AAABnUAAACwAAAG9QAAAGAAAAb9AAAAQAAAAAAAAAAIAAAGpQAAADAAAAWQ="}
00926{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"diameter.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_last_seen":1263278878336,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":414,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":414,"pkt_l4_len":380,"ts_msec":1263278878336,"pkt":"ABpk3ZWLACYYlIbACABFAAGQBtpAAIAGAAAKyQn1CskJC8cNDxz34fwO+LwwfFAY+RgqFAAAAQABaIAAARAAAAAEAupJMSbwAAUAAAEHQAAAHW54bDthcGk7MTI2MzI3ODg3ODE0NwAAAAAAAc1AAAAUQ29tdmVyc2UuRENJAAABAkAAAAwAAAAEAAABCEAAABlueGwxLm5ldHhjZWxsLmNvbQAAAAAAAShAAAAUbmV0eGNlbGwuY29tAAABn0AAAAwAAAABAAABJUAAABlkZ3UyLmNvbXZlcnNlLmNvbQAAAAAAARtAAAAUY29tdmVyc2UuY29tAAAAN0AAAAzO9pmeAAABu0AAACgAAAG8QAAAFDkxOTA4MDAwMDAxNgAAAcJAAAAMAAAAAAAAAaBAAAAMAAAAAgAAAbVAAAA0AAABnUAAACwAAAG9QAAAGAAAAb9AAAAQAAAAAAAAAAIAAAGpQAAADAAAAWQAAAG+QAAANAAAAZ1AAAAsAAABvUAAABgAAAG\/QAAAEAAAAAAAAAABAAABqUAAAAwAAAFk"}
-00593{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":6,"source":"diameter.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":6,"flow_first_seen":1263278878271,"flow_last_seen":1263278878357,"flow_idle_time":7440000,"flow_min_l4_payload_len":172,"flow_max_l4_payload_len":360,"flow_tot_l4_payload_len":1656,"flow_avg_l4_payload_len":276,"midstream":1,"ts_msec":1263278878357,"l3_proto":"ip4","src_ip":"10.201.9.245","dst_ip":"10.201.9.11","src_port":50957,"dst_port":3868,"l4_proto":"tcp","ndpi": {"proto":"Diameter","breed":"Acceptable","category":"Network"}}
00558{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":6,"source":"diameter.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":6,"flow_first_seen":1263278878271,"flow_last_seen":1263278878357,"flow_idle_time":7440000,"flow_min_l4_payload_len":172,"flow_max_l4_payload_len":360,"flow_tot_l4_payload_len":1656,"flow_avg_l4_payload_len":276,"midstream":1,"ts_msec":1263278878357,"l3_proto":"ip4","src_ip":"10.201.9.245","dst_ip":"10.201.9.11","src_port":50957,"dst_port":3868,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00155{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":6,"source":"diameter.pcap","alias":"nDPId-test","total-events-serialized":8}
~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
~~ packets captured/processed: 6/6
~~ skipped flows.............: 0
~~ total layer4 data length..: 1656 bytes
-~~ total detected protocols..: 0
+~~ total detected protocols..: 1
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1930346 bytes
-~~ total memory freed........: 1930346 bytes
-~~ total allocations/frees...: 35345/35345
+~~ total memory allocated....: 4590613 bytes
+~~ total memory freed........: 4590613 bytes
+~~ total allocations/frees...: 99540/99540
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 160 chars
~~ json string max len.......: 931 chars
-~~ json string avg len.......: 611 chars
+~~ json string avg len.......: 610 chars
diff --git a/test/results/dlt_ppp.pcap.out b/test/results/dlt_ppp.pcap.out
index b42e88f65..269a0b339 100644
--- a/test/results/dlt_ppp.pcap.out
+++ b/test/results/dlt_ppp.pcap.out
@@ -10,9 +10,9 @@
~~ total active/idle flows...: 0/0
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1926508 bytes
-~~ total memory freed........: 1926508 bytes
-~~ total allocations/frees...: 35335/35335
+~~ total memory allocated....: 4589247 bytes
+~~ total memory freed........: 4589247 bytes
+~~ total allocations/frees...: 99531/99531
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 154 chars
~~ json string max len.......: 1942 chars
diff --git a/test/results/dnp3.pcap.out b/test/results/dnp3.pcap.out
index bb42ba5f5..183d87a4f 100644
--- a/test/results/dnp3.pcap.out
+++ b/test/results/dnp3.pcap.out
@@ -60,9 +60,9 @@
~~ total active/idle flows...: 8/8
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1957231 bytes
-~~ total memory freed........: 1957231 bytes
-~~ total allocations/frees...: 35903/35903
+~~ total memory allocated....: 4616578 bytes
+~~ total memory freed........: 4616578 bytes
+~~ total allocations/frees...: 100099/100099
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 159 chars
~~ json string max len.......: 582 chars
diff --git a/test/results/dns-invalid-chars.pcap.out b/test/results/dns-invalid-chars.pcap.out
new file mode 100644
index 000000000..17a919544
--- /dev/null
+++ b/test/results/dns-invalid-chars.pcap.out
@@ -0,0 +1,23 @@
+00451{"daemon_event_id":1,"daemon_event_name":"init","thread_id":0,"packet_id":0,"source":"dns-invalid-chars.pcap","alias":"nDPId-test","max-flows-per-thread":2048,"max-idle-flows-per-thread":256,"tick-resolution":1000,"reader-thread-count":1,"flow-scan-interval":10000,"generic-max-idle-time":600000,"icmp-max-idle-time":120000,"udp-max-idle-time":180000,"tcp-max-idle-time":7560000,"max-packets-per-flow-to-send":3,"max-packets-per-flow-to-process":255}
+00550{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1,"source":"dns-invalid-chars.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":946734886956,"flow_last_seen":946734886956,"flow_idle_time":180000,"flow_min_l4_payload_len":48,"flow_max_l4_payload_len":48,"flow_tot_l4_payload_len":48,"flow_avg_l4_payload_len":48,"midstream":0,"ts_msec":946734886956,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":35980,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00497{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"dns-invalid-chars.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_last_seen":946734886956,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":90,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":90,"pkt_l4_len":56,"ts_msec":946734886956,"pkt":"AAAAAAAAAAAAAAAACABFAABMyRJAAEARc4x\/AAABfwAAAYyMADUAOP5Ln2wBAAABAAAAAAAAA3d3dxdhbGx5b3VyYmEEBQZhcmViZWxvbmd0bwJjbgAAAQAB"}
+00728{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"dns-invalid-chars.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":946734886956,"flow_last_seen":946734886956,"flow_idle_time":180000,"flow_min_l4_payload_len":48,"flow_max_l4_payload_len":48,"flow_tot_l4_payload_len":48,"flow_avg_l4_payload_len":48,"midstream":0,"ts_msec":946734886956,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":35980,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS","breed":"Acceptable","category":"Network"},"dns": {"query":"www.allyourba???arebelongto.cn","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
+00523{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"dns-invalid-chars.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_last_seen":946734886957,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":106,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":106,"pkt_l4_len":72,"ts_msec":946734886957,"pkt":"AAAAAAAAAAAAAAAACABFAABcAABAAEARPI9\/AAABfwAAAQA1jIwASP5bn2yBgAABAAEAAAAAA3d3dxdhbGx5b3VyYmFzZXNhcmUBAgNvbmd0bwJjbgAAAQABwAwAAQABAAAAPAAEE7mN8Q=="}
+00744{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2,"source":"dns-invalid-chars.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":2,"flow_first_seen":946734886956,"flow_last_seen":946734886957,"flow_idle_time":180000,"flow_min_l4_payload_len":48,"flow_max_l4_payload_len":64,"flow_tot_l4_payload_len":112,"flow_avg_l4_payload_len":56,"midstream":0,"ts_msec":946734886957,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":35980,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS","breed":"Acceptable","category":"Network"},"dns": {"query":"www.allyourbasesare???ongto.cn","num_queries":1,"num_answers":1,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"19.185.141.241"}}
+00552{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2,"source":"dns-invalid-chars.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":2,"flow_first_seen":946734886956,"flow_last_seen":946734886957,"flow_idle_time":180000,"flow_min_l4_payload_len":48,"flow_max_l4_payload_len":64,"flow_tot_l4_payload_len":112,"flow_avg_l4_payload_len":56,"midstream":0,"ts_msec":946734886957,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":35980,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00164{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":2,"source":"dns-invalid-chars.pcap","alias":"nDPId-test","total-events-serialized":8}
+~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
+~~ packets captured/processed: 2/2
+~~ skipped flows.............: 0
+~~ total layer4 data length..: 112 bytes
+~~ total detected protocols..: 1
+~~ total active/idle flows...: 1/1
+~~ total timeout flows.......: 0
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~ total memory allocated....: 4590497 bytes
+~~ total memory freed........: 4590497 bytes
+~~ total allocations/frees...: 99536/99536
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~ json string min len.......: 169 chars
+~~ json string max len.......: 749 chars
+~~ json string avg len.......: 524 chars
diff --git a/test/results/dns-tunnel-iodine.pcap.out b/test/results/dns-tunnel-iodine.pcap.out
index 89cd877e5..2ee693234 100644
--- a/test/results/dns-tunnel-iodine.pcap.out
+++ b/test/results/dns-tunnel-iodine.pcap.out
@@ -20,9 +20,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1940710 bytes
-~~ total memory freed........: 1940710 bytes
-~~ total allocations/frees...: 35772/35772
+~~ total memory allocated....: 4603025 bytes
+~~ total memory freed........: 4603025 bytes
+~~ total allocations/frees...: 99968/99968
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 172 chars
~~ json string max len.......: 840 chars
diff --git a/test/results/dns_ambiguous_names.pcap.out b/test/results/dns_ambiguous_names.pcap.out
index 3bae4668b..c96af2228 100644
--- a/test/results/dns_ambiguous_names.pcap.out
+++ b/test/results/dns_ambiguous_names.pcap.out
@@ -31,9 +31,9 @@
00741{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":12,"source":"dns_ambiguous_names.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":2,"flow_first_seen":1625744123890,"flow_last_seen":1625744123973,"flow_idle_time":180000,"flow_min_l4_payload_len":50,"flow_max_l4_payload_len":124,"flow_tot_l4_payload_len":174,"flow_avg_l4_payload_len":87,"midstream":0,"ts_msec":1625744123973,"l3_proto":"ip4","src_ip":"10.200.2.11","dst_ip":"8.8.8.8","src_port":42790,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Teams","breed":"Safe","category":"Collaborative"},"dns": {"query":"_.teams.microsoft.com","num_queries":1,"num_answers":2,"reply_code":3,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
00556{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":13,"source":"dns_ambiguous_names.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":1,"flow_first_seen":1625744123977,"flow_last_seen":1625744123977,"flow_idle_time":180000,"flow_min_l4_payload_len":54,"flow_max_l4_payload_len":54,"flow_tot_l4_payload_len":54,"flow_avg_l4_payload_len":54,"midstream":0,"ts_msec":1625744123977,"l3_proto":"ip4","src_ip":"10.200.2.11","dst_ip":"8.8.8.8","src_port":44198,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00509{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":13,"source":"dns_ambiguous_names.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":1,"flow_last_seen":1625744123977,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":96,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":96,"pkt_l4_len":62,"ts_msec":1625744123977,"pkt":"ABshv2HAVASmitEsCABFAABS3y4AAEARfooKyAILCAgICKymADUAPh0yDWEBIAABAAAAAAABDHdpZGUteW91dHViZQFsBmdvb2dsZQNjb20AAAEAAQAAKRAAAAAAAAAA"}
-00734{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":13,"source":"dns_ambiguous_names.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":1,"flow_first_seen":1625744123977,"flow_last_seen":1625744123977,"flow_idle_time":180000,"flow_min_l4_payload_len":54,"flow_max_l4_payload_len":54,"flow_tot_l4_payload_len":54,"flow_avg_l4_payload_len":54,"midstream":0,"ts_msec":1625744123977,"l3_proto":"ip4","src_ip":"10.200.2.11","dst_ip":"8.8.8.8","src_port":44198,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Tracker\/Ads","category":"Web"},"dns": {"query":"wide-youtube.l.google.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
+00732{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":13,"source":"dns_ambiguous_names.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":1,"flow_first_seen":1625744123977,"flow_last_seen":1625744123977,"flow_idle_time":180000,"flow_min_l4_payload_len":54,"flow_max_l4_payload_len":54,"flow_tot_l4_payload_len":54,"flow_avg_l4_payload_len":54,"midstream":0,"ts_msec":1625744123977,"l3_proto":"ip4","src_ip":"10.200.2.11","dst_ip":"8.8.8.8","src_port":44198,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Acceptable","category":"Web"},"dns": {"query":"wide-youtube.l.google.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
00535{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":14,"source":"dns_ambiguous_names.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":2,"flow_last_seen":1625744124006,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":112,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":112,"pkt_l4_len":78,"ts_msec":1625744124006,"pkt":"VASmitEsEL9IThY0CABFAABiUocAADwRDyIICAgICsgCCwA1rKYATu57DWGBgAABAAEAAAABDHdpZGUteW91dHViZQFsBmdvb2dsZQNjb20AAAEAAcAMAAEAAQAAASsABEDppMYAACkCAAAAAAAAAA=="}
-00750{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":14,"source":"dns_ambiguous_names.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":2,"flow_first_seen":1625744123977,"flow_last_seen":1625744124006,"flow_idle_time":180000,"flow_min_l4_payload_len":54,"flow_max_l4_payload_len":70,"flow_tot_l4_payload_len":124,"flow_avg_l4_payload_len":62,"midstream":0,"ts_msec":1625744124006,"l3_proto":"ip4","src_ip":"10.200.2.11","dst_ip":"8.8.8.8","src_port":44198,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Tracker\/Ads","category":"Web"},"dns": {"query":"wide-youtube.l.google.com","num_queries":1,"num_answers":2,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"64.233.164.198"}}
+00748{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":14,"source":"dns_ambiguous_names.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":2,"flow_first_seen":1625744123977,"flow_last_seen":1625744124006,"flow_idle_time":180000,"flow_min_l4_payload_len":54,"flow_max_l4_payload_len":70,"flow_tot_l4_payload_len":124,"flow_avg_l4_payload_len":62,"midstream":0,"ts_msec":1625744124006,"l3_proto":"ip4","src_ip":"10.200.2.11","dst_ip":"8.8.8.8","src_port":44198,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Acceptable","category":"Web"},"dns": {"query":"wide-youtube.l.google.com","num_queries":1,"num_answers":2,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"64.233.164.198"}}
00556{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":15,"source":"dns_ambiguous_names.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":1,"flow_first_seen":1625744124010,"flow_last_seen":1625744124010,"flow_idle_time":180000,"flow_min_l4_payload_len":46,"flow_max_l4_payload_len":46,"flow_tot_l4_payload_len":46,"flow_avg_l4_payload_len":46,"midstream":0,"ts_msec":1625744124010,"l3_proto":"ip4","src_ip":"10.200.2.11","dst_ip":"8.8.8.8","src_port":52541,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00501{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":15,"source":"dns_ambiguous_names.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":1,"flow_last_seen":1625744124010,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":88,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":88,"pkt_l4_len":54,"ts_msec":1625744124010,"pkt":"ABshv2HAVASmitEsCABFAABK30QAAEARfnwKyAILCAgICM09ADUANh0qX5cBIAABAAAAAAABB2d1enpvbmkFYXBwbGUDY29tAAABAAEAACkQAAAAAAAAAA=="}
00737{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":15,"source":"dns_ambiguous_names.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":1,"flow_first_seen":1625744124010,"flow_last_seen":1625744124010,"flow_idle_time":180000,"flow_min_l4_payload_len":46,"flow_max_l4_payload_len":46,"flow_tot_l4_payload_len":46,"flow_avg_l4_payload_len":46,"midstream":0,"ts_msec":1625744124010,"l3_proto":"ip4","src_ip":"10.200.2.11","dst_ip":"8.8.8.8","src_port":52541,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.AppleSiri","breed":"Acceptable","category":"VirtAssistant"},"dns": {"query":"guzzoni.apple.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
@@ -68,9 +68,9 @@
~~ total active/idle flows...: 10/10
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1943248 bytes
-~~ total memory freed........: 1943248 bytes
-~~ total allocations/frees...: 35385/35385
+~~ total memory allocated....: 4601747 bytes
+~~ total memory freed........: 4601747 bytes
+~~ total allocations/frees...: 99581/99581
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 173 chars
~~ json string max len.......: 894 chars
diff --git a/test/results/dns_doh.pcap.out b/test/results/dns_doh.pcap.out
index 9ee0f525b..4f4926d1a 100644
--- a/test/results/dns_doh.pcap.out
+++ b/test/results/dns_doh.pcap.out
@@ -3,8 +3,8 @@
00475{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"dns_doh.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_last_seen":1571089200789,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"ts_msec":1571089200789,"pkt":"WkBO7NFkeDHBvV4kCABFAABAAABAAEAGI5asFAoEaBD4+cLVAbuk7FgiAAAAALAC\/\/+OlwAAAgQFtAEDAwYBAQgKHZWyDQAAAAAEAgAA"}
00457{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"dns_doh.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_last_seen":1571089200876,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1571089200876,"pkt":"eDHBvV4kWkBO7NFkCABFAAA0AAAAADAGc6JoEPj5rBQKBAG7wtXKYdwupOxYI4ASchB+OgAAAgQFFAEBBAIBAwMK"}
00441{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"dns_doh.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_last_seen":1571089200876,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1571089200876,"pkt":"WkBO7NFkeDHBvV4kCABFAAAoAABAAEAGI66sFAoEaBD4+cLVAbuk7FgjymHcL1AQEAAggAAA"}
-00859{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"dns_doh.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":4,"flow_first_seen":1571089200789,"flow_last_seen":1571089200878,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1571089200878,"l3_proto":"ip4","src_ip":"172.20.10.4","dst_ip":"104.16.248.249","src_port":49877,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.DoH_DoT","breed":"Fun","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mozilla.cloudflare-dns.com","ja3":"f6ce47303dce394049af395fc6d0bc20","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-00900{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"dns_doh.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":6,"flow_first_seen":1571089200789,"flow_last_seen":1571089200968,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1300,"flow_tot_l4_payload_len":1817,"flow_avg_l4_payload_len":302,"midstream":0,"ts_msec":1571089200968,"l3_proto":"ip4","src_ip":"172.20.10.4","dst_ip":"104.16.248.249","src_port":49877,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.DoH_DoT","breed":"Fun","category":"Network"},"tls": {"version":"TLSv1.3","client_requested_server_name":"mozilla.cloudflare-dns.com","ja3":"f6ce47303dce394049af395fc6d0bc20","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+00859{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"dns_doh.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":4,"flow_first_seen":1571089200789,"flow_last_seen":1571089200878,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1571089200878,"l3_proto":"ip4","src_ip":"172.20.10.4","dst_ip":"104.16.248.249","src_port":49877,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.DoH_DoT","breed":"Fun","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mozilla.cloudflare-dns.com","ja3":"b20b44b18b853ef29ab773e921b03422","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+00900{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"dns_doh.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":6,"flow_first_seen":1571089200789,"flow_last_seen":1571089200968,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1300,"flow_tot_l4_payload_len":1817,"flow_avg_l4_payload_len":302,"midstream":0,"ts_msec":1571089200968,"l3_proto":"ip4","src_ip":"172.20.10.4","dst_ip":"104.16.248.249","src_port":49877,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.DoH_DoT","breed":"Fun","category":"Network"},"tls": {"version":"TLSv1.3","client_requested_server_name":"mozilla.cloudflare-dns.com","ja3":"b20b44b18b853ef29ab773e921b03422","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00561{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":142,"source":"dns_doh.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":142,"flow_first_seen":1571089200789,"flow_last_seen":1571089204031,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1300,"flow_tot_l4_payload_len":12658,"flow_avg_l4_payload_len":89,"midstream":0,"ts_msec":1571089204031,"l3_proto":"ip4","src_ip":"172.20.10.4","dst_ip":"104.16.248.249","src_port":49877,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00156{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":142,"source":"dns_doh.pcap","alias":"nDPId-test","total-events-serialized":9}
~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
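Review bot: The expected `ja3` value for an unchanged capture moves from `f6ce47303dce394049af395fc6d0bc20` to `b20b44b18b853ef29ab773e921b03422` in both the `detected` and `detection-update` events, while `ja3s` stays the same; the dns_dot.pcap.out hunk that follows shows the same pattern. The client-side fingerprint input has presumably changed with this update, so anyone matching the `ja3` field against hashes collected from an earlier build would stop matching without any error. These result files cannot carry a comment, so the commit description is the place to record it, for example `JA3 client fingerprints differ from earlier builds; regenerate any stored JA3 lists`.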
@@ -15,9 +15,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1939717 bytes
-~~ total memory freed........: 1939717 bytes
-~~ total allocations/frees...: 35485/35485
+~~ total memory allocated....: 4602032 bytes
+~~ total memory freed........: 4602032 bytes
+~~ total allocations/frees...: 99681/99681
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 161 chars
~~ json string max len.......: 905 chars
diff --git a/test/results/dns_dot.pcap.out b/test/results/dns_dot.pcap.out
index 4e585f029..f652ab20c 100644
--- a/test/results/dns_dot.pcap.out
+++ b/test/results/dns_dot.pcap.out
@@ -3,8 +3,8 @@
00469{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"dns_dot.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_last_seen":1572783663234,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1572783663234,"pkt":"uCfrK5DxCAAnjau+CABFAAA8w6dAAEAGpKPAqAG5CAgICOOyA1VVRPv3AAAAAKAC+vDSnwAAAgQFtAQCCAoqL5UTAAAAAAEDAwc="}
00470{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"dns_dot.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_last_seen":1572783663269,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1572783663269,"pkt":"CAAnjau+uCfrK5DxCABFAAA8cqUAAHcG\/qUICAgIwKgBuQNV47LuO0vYVUT7+KAS6yDKxQAAAgQFZAQCCAqOOwAQKi+VEwEDAwg="}
00457{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"dns_dot.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_last_seen":1572783663269,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1572783663269,"pkt":"uCfrK5DxCAAnjau+CABFAAA0w6hAAEAGpKrAqAG5CAgICOOyA1VVRPv47jtL2YAQAfbSlwAAAQEICiovlTaOOwAQ"}
-00887{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"dns_dot.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":4,"flow_first_seen":1572783663234,"flow_last_seen":1572783663269,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":198,"flow_tot_l4_payload_len":198,"flow_avg_l4_payload_len":49,"midstream":0,"ts_msec":1572783663269,"l3_proto":"ip4","src_ip":"192.168.1.185","dst_ip":"8.8.8.8","src_port":58290,"dst_port":853,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","15":"TLS (probably) not carrying HTTPS","24":"SNI TLS extension was missing"},"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","ja3":"4fe4099926d0acdc9b2fe4b02013659f","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
-01248{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"dns_dot.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":6,"flow_first_seen":1572783663234,"flow_last_seen":1572783663319,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":3069,"flow_tot_l4_payload_len":3267,"flow_avg_l4_payload_len":544,"midstream":0,"ts_msec":1572783663319,"l3_proto":"ip4","src_ip":"192.168.1.185","dst_ip":"8.8.8.8","src_port":58290,"dst_port":853,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","15":"TLS (probably) not carrying HTTPS","24":"SNI TLS extension was missing"},"proto":"TLS.DoH_DoT","breed":"Fun","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","server_names":"dns.google,*.dns.google.com,8888.google,dns.google.com,dns64.dns.google","ja3":"4fe4099926d0acdc9b2fe4b02013659f","ja3s":"2b341b88c742e940cfb485ce7d93dde7","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256","issuerDN":"C=US, O=Google Trust Services, CN=GTS CA 1O1","issuerDN":"C=US, ST=California, L=Mountain View, O=Google LLC, CN=dns.google","fingerprint":"BE:73:46:2A:2E:FB:A9:E9:42:D0:71:10:1B:8C:BF:44:6A:5D:AD:53"}}
+00885{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"dns_dot.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":4,"flow_first_seen":1572783663234,"flow_last_seen":1572783663269,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":198,"flow_tot_l4_payload_len":198,"flow_avg_l4_payload_len":49,"midstream":0,"ts_msec":1572783663269,"l3_proto":"ip4","src_ip":"192.168.1.185","dst_ip":"8.8.8.8","src_port":58290,"dst_port":853,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","15":"TLS (probably) not carrying HTTPS","24":"SNI TLS extension was missing"},"proto":"TLS.Google","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","ja3":"4fa5e77b91a47e7cdcf5a5e6d25f8449","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
+01347{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"dns_dot.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":6,"flow_first_seen":1572783663234,"flow_last_seen":1572783663319,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":3069,"flow_tot_l4_payload_len":3267,"flow_avg_l4_payload_len":544,"midstream":0,"ts_msec":1572783663319,"l3_proto":"ip4","src_ip":"192.168.1.185","dst_ip":"8.8.8.8","src_port":58290,"dst_port":853,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","15":"TLS (probably) not carrying HTTPS","24":"SNI TLS extension was missing"},"proto":"TLS.DoH_DoT","breed":"Fun","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","server_names":"dns.google,*.dns.google.com,8888.google,dns.google.com,dns64.dns.google,2001:4860:4860::64,2001:4860:4860::6464,2001:4860:4860::8844,2001:4860:4860::8888,8.8.4.4,8.8.8.8","ja3":"4fa5e77b91a47e7cdcf5a5e6d25f8449","ja3s":"2b341b88c742e940cfb485ce7d93dde7","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256","issuerDN":"C=US, O=Google Trust Services, CN=GTS CA 1O1","subjectDN":"C=US, ST=California, L=Mountain View, O=Google LLC, CN=dns.google","fingerprint":"BE:73:46:2A:2E:FB:A9:E9:42:D0:71:10:1B:8C:BF:44:6A:5D:AD:53"}}
00554{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":24,"source":"dns_dot.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":24,"flow_first_seen":1572783663234,"flow_last_seen":1572783666246,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":3069,"flow_tot_l4_payload_len":4269,"flow_avg_l4_payload_len":177,"midstream":0,"ts_msec":1572783666246,"l3_proto":"ip4","src_ip":"192.168.1.185","dst_ip":"8.8.8.8","src_port":58290,"dst_port":853,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00155{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":24,"source":"dns_dot.pcap","alias":"nDPId-test","total-events-serialized":9}
~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
@@ -15,10 +15,10 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1934255 bytes
-~~ total memory freed........: 1934255 bytes
-~~ total allocations/frees...: 35371/35371
+~~ total memory allocated....: 4597392 bytes
+~~ total memory freed........: 4597392 bytes
+~~ total allocations/frees...: 99573/99573
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 160 chars
-~~ json string max len.......: 1253 chars
-~~ json string avg len.......: 743 chars
+~~ json string max len.......: 1352 chars
+~~ json string avg len.......: 786 chars
diff --git a/test/results/dns_exfiltration.pcap.out b/test/results/dns_exfiltration.pcap.out
index 17f97719c..2ed0817d0 100644
--- a/test/results/dns_exfiltration.pcap.out
+++ b/test/results/dns_exfiltration.pcap.out
@@ -1,12 +1,12 @@
00450{"daemon_event_id":1,"daemon_event_name":"init","thread_id":0,"packet_id":0,"source":"dns_exfiltration.pcap","alias":"nDPId-test","max-flows-per-thread":2048,"max-idle-flows-per-thread":256,"tick-resolution":1000,"reader-thread-count":1,"flow-scan-interval":10000,"generic-max-idle-time":600000,"icmp-max-idle-time":120000,"udp-max-idle-time":180000,"tcp-max-idle-time":7560000,"max-packets-per-flow-to-send":3,"max-packets-per-flow-to-process":255}
00567{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1,"source":"dns_exfiltration.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1580978146717,"flow_last_seen":1580978146717,"flow_idle_time":180000,"flow_min_l4_payload_len":173,"flow_max_l4_payload_len":173,"flow_tot_l4_payload_len":173,"flow_avg_l4_payload_len":173,"midstream":0,"ts_msec":1580978146717,"l3_proto":"ip4","src_ip":"192.168.220.56","dst_ip":"192.168.203.167","src_port":56373,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00668{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"dns_exfiltration.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_last_seen":1580978146717,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":215,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":215,"pkt_l4_len":181,"ts_msec":1580978146717,"pkt":"qqru7hERjNzURr7ECABFAADJegRAAD8RAADAqNw4wKjLp9w1ADUAtSn4OR0BAAABAAAAAAAABmRuc2NhdDw1NDZiMDNmNTAwMDAwMDAwMDBhNjAyM2VkNGRmMTg0ZDZhYzVjMjYyOGI0NzcxNGZkZWU1ODRmZWQ3Mzk8NWEwM2I1YjFlMWFhOGY4ZmRiMWJiZThkNWUwNDk1MjE0MWY3ZDRmODJjN2UzYjA2ZGNjOGI4N2ZhZDdhGjE5ZTRkMDk4ZGM4YzYxOGY4ZDgxY2ZlYjAyAAAPAAE="}
-00920{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"dns_exfiltration.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1580978146717,"flow_last_seen":1580978146717,"flow_idle_time":180000,"flow_min_l4_payload_len":173,"flow_max_l4_payload_len":173,"flow_tot_l4_payload_len":173,"flow_avg_l4_payload_len":173,"midstream":0,"ts_msec":1580978146717,"l3_proto":"ip4","src_ip":"192.168.220.56","dst_ip":"192.168.203.167","src_port":56373,"dst_port":53,"l4_proto":"udp","ndpi": {"flow_risk": {"16":"Suspicious DGA domain name"},"proto":"DNS","breed":"Acceptable","category":"Network"},"dns": {"query":"dnscat.546b03f50000000000a6023ed4df184d6ac5c2628b47714fdee584fed739.5a03b5b1e1aa8f8fdb1bbe8d5e04952141f7d4f82c7e3b06dcc8b87fad7a.19e4d098dc8c618f8d81cfeb02","num_queries":0,"num_answers":0,"reply_code":0,"query_type":15,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
+00844{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"dns_exfiltration.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1580978146717,"flow_last_seen":1580978146717,"flow_idle_time":180000,"flow_min_l4_payload_len":173,"flow_max_l4_payload_len":173,"flow_tot_l4_payload_len":173,"flow_avg_l4_payload_len":173,"midstream":0,"ts_msec":1580978146717,"l3_proto":"ip4","src_ip":"192.168.220.56","dst_ip":"192.168.203.167","src_port":56373,"dst_port":53,"l4_proto":"udp","ndpi": {"flow_risk": {"16":"Suspicious DGA domain name"},"proto":"DNS","breed":"Acceptable","category":"Network"},"dns": {"query":"e1aa8f8fdb1bbe8d5e04952141f7d4f82c7e3b06dcc8b87fad7a.19e4d098dc8c618f8d81cfeb02","num_queries":0,"num_answers":0,"reply_code":0,"query_type":15,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
00897{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"dns_exfiltration.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_last_seen":1580978146888,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":386,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":386,"pkt_l4_len":352,"ts_msec":1580978146888,"pkt":"jNzURr7Eqqru7hERCABFAAF0PC1AAD8R1RrAqMunwKjcOAA13DUBYD3xOR2BgAABAAEAAAAABmRuc2NhdDw1NDZiMDNmNTAwMDAwMDAwMDBhNjAyM2VkNGRmMTg0ZDZhYzVjMjYyOGI0NzcxNGZkZWU1ODRmZWQ3Mzk8NWEwM2I1YjFlMWFhOGY4ZmRiMWJiZThkNWUwNDk1MjE0MWY3ZDRmODJjN2UzYjA2ZGNjOGI4N2ZhZDdhGjE5ZTRkMDk4ZGM4YzYxOGY4ZDgxY2ZlYjAyAAAPAAHADAAPAAEAAAA8AJ8ACgZkbnNjYXQ\/MjAxZjAzZjUwMDAwMDAwMDAwNzEzYjkyNzFmMDExZGM3NjQyM2RhYjM5MmMzMmMxOGJmYzk2YjZkMjY5NWEyPzZhOTExYzk0NDcyZjU5NDA5YTVmNTI2MDEzZTc2MDE5MzY2YTA3NzkyOWUzNDgwZmJlNmQ3YzRlZGE2ZjkwOBRmMmJjOTlhNjAxZTFhODIyMTMzNgA="}
-00929{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2,"source":"dns_exfiltration.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":2,"flow_first_seen":1580978146717,"flow_last_seen":1580978146888,"flow_idle_time":180000,"flow_min_l4_payload_len":173,"flow_max_l4_payload_len":344,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":258,"midstream":0,"ts_msec":1580978146888,"l3_proto":"ip4","src_ip":"192.168.220.56","dst_ip":"192.168.203.167","src_port":56373,"dst_port":53,"l4_proto":"udp","ndpi": {"flow_risk": {"16":"Suspicious DGA domain name"},"proto":"DNS","breed":"Acceptable","category":"Network"},"dns": {"query":"dnscat.546b03f50000000000a6023ed4df184d6ac5c2628b47714fdee584fed739.5a03b5b1e1aa8f8fdb1bbe8d5e04952141f7d4f82c7e3b06dcc8b87fad7a.19e4d098dc8c618f8d81cfeb02","num_queries":1,"num_answers":1,"reply_code":0,"query_type":15,"rsp_type":15,"rsp_addr":"0.0.0.0"}}
+00853{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2,"source":"dns_exfiltration.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":2,"flow_first_seen":1580978146717,"flow_last_seen":1580978146888,"flow_idle_time":180000,"flow_min_l4_payload_len":173,"flow_max_l4_payload_len":344,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":258,"midstream":0,"ts_msec":1580978146888,"l3_proto":"ip4","src_ip":"192.168.220.56","dst_ip":"192.168.203.167","src_port":56373,"dst_port":53,"l4_proto":"udp","ndpi": {"flow_risk": {"16":"Suspicious DGA domain name"},"proto":"DNS","breed":"Acceptable","category":"Network"},"dns": {"query":"e1aa8f8fdb1bbe8d5e04952141f7d4f82c7e3b06dcc8b87fad7a.19e4d098dc8c618f8d81cfeb02","num_queries":1,"num_answers":1,"reply_code":0,"query_type":15,"rsp_type":15,"rsp_addr":"0.0.0.0"}}
00604{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"dns_exfiltration.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_last_seen":1580978147753,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":166,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":166,"pkt_l4_len":132,"ts_msec":1580978147753,"pkt":"qqru7hERjNzURr7ECABFAACYekZAAD8RAADAqNw4wKjLp9w1ADUAhCnHfRoBAAABAAAAAAAABmRuc2NhdDw5MWYwMDNmNTAwZjYxMjIxODEwYWVhMDAwMDA0ODYzYzY5MTU4MGVjYWQ2NmY2NGFjN2RkYjg3Yjg5YzcmOTIwMDgyMWU1MjdkNGUxNzYzMjUzYzI1ZTI5N2UyYWE0MTEzZDAAAAUAAQ=="}
-00879{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":3,"source":"dns_exfiltration.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":3,"flow_first_seen":1580978146717,"flow_last_seen":1580978147753,"flow_idle_time":180000,"flow_min_l4_payload_len":124,"flow_max_l4_payload_len":344,"flow_tot_l4_payload_len":641,"flow_avg_l4_payload_len":213,"midstream":0,"ts_msec":1580978147753,"l3_proto":"ip4","src_ip":"192.168.220.56","dst_ip":"192.168.203.167","src_port":56373,"dst_port":53,"l4_proto":"udp","ndpi": {"flow_risk": {"16":"Suspicious DGA domain name"},"proto":"DNS","breed":"Acceptable","category":"Network"},"dns": {"query":"dnscat.91f003f500f61221810aea000004863c691580ecad66f64ac7ddb87b89c7.9200821e527d4e1763253c25e297e2aa4113d0","num_queries":1,"num_answers":1,"reply_code":0,"query_type":5,"rsp_type":15,"rsp_addr":"0.0.0.0"}}
-00878{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":4,"source":"dns_exfiltration.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":4,"flow_first_seen":1580978146717,"flow_last_seen":1580978147755,"flow_idle_time":180000,"flow_min_l4_payload_len":124,"flow_max_l4_payload_len":344,"flow_tot_l4_payload_len":885,"flow_avg_l4_payload_len":221,"midstream":0,"ts_msec":1580978147755,"l3_proto":"ip4","src_ip":"192.168.220.56","dst_ip":"192.168.203.167","src_port":56373,"dst_port":53,"l4_proto":"udp","ndpi": {"flow_risk": {"16":"Suspicious DGA domain name"},"proto":"DNS","breed":"Acceptable","category":"Network"},"dns": {"query":"dnscat.91f003f500f61221810aea000004863c691580ecad66f64ac7ddb87b89c7.9200821e527d4e1763253c25e297e2aa4113d0","num_queries":1,"num_answers":1,"reply_code":0,"query_type":5,"rsp_type":5,"rsp_addr":"0.0.0.0"}}
+00852{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":3,"source":"dns_exfiltration.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":3,"flow_first_seen":1580978146717,"flow_last_seen":1580978147753,"flow_idle_time":180000,"flow_min_l4_payload_len":124,"flow_max_l4_payload_len":344,"flow_tot_l4_payload_len":641,"flow_avg_l4_payload_len":213,"midstream":0,"ts_msec":1580978147753,"l3_proto":"ip4","src_ip":"192.168.220.56","dst_ip":"192.168.203.167","src_port":56373,"dst_port":53,"l4_proto":"udp","ndpi": {"flow_risk": {"16":"Suspicious DGA domain name"},"proto":"DNS","breed":"Acceptable","category":"Network"},"dns": {"query":"ea000004863c691580ecad66f64ac7ddb87b89c7.9200821e527d4e1763253c25e297e2aa4113d0","num_queries":1,"num_answers":1,"reply_code":0,"query_type":5,"rsp_type":15,"rsp_addr":"0.0.0.0"}}
+00851{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":4,"source":"dns_exfiltration.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":4,"flow_first_seen":1580978146717,"flow_last_seen":1580978147755,"flow_idle_time":180000,"flow_min_l4_payload_len":124,"flow_max_l4_payload_len":344,"flow_tot_l4_payload_len":885,"flow_avg_l4_payload_len":221,"midstream":0,"ts_msec":1580978147755,"l3_proto":"ip4","src_ip":"192.168.220.56","dst_ip":"192.168.203.167","src_port":56373,"dst_port":53,"l4_proto":"udp","ndpi": {"flow_risk": {"16":"Suspicious DGA domain name"},"proto":"DNS","breed":"Acceptable","category":"Network"},"dns": {"query":"ea000004863c691580ecad66f64ac7ddb87b89c7.9200821e527d4e1763253c25e297e2aa4113d0","num_queries":1,"num_answers":1,"reply_code":0,"query_type":5,"rsp_type":5,"rsp_addr":"0.0.0.0"}}
00848{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":5,"source":"dns_exfiltration.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":5,"flow_first_seen":1580978146717,"flow_last_seen":1580978148768,"flow_idle_time":180000,"flow_min_l4_payload_len":94,"flow_max_l4_payload_len":344,"flow_tot_l4_payload_len":979,"flow_avg_l4_payload_len":195,"midstream":0,"ts_msec":1580978148768,"l3_proto":"ip4","src_ip":"192.168.220.56","dst_ip":"192.168.203.167","src_port":56373,"dst_port":53,"l4_proto":"udp","ndpi": {"flow_risk": {"16":"Suspicious DGA domain name"},"proto":"DNS","breed":"Acceptable","category":"Network"},"dns": {"query":"dnscat.a35c00f5005703c8b1b8cd000118b52347aeb1d73340c97cca43c34b27cf.edf0dbda","num_queries":1,"num_answers":1,"reply_code":0,"query_type":15,"rsp_type":5,"rsp_addr":"0.0.0.0"}}
00850{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"dns_exfiltration.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":6,"flow_first_seen":1580978146717,"flow_last_seen":1580978148770,"flow_idle_time":180000,"flow_min_l4_payload_len":94,"flow_max_l4_payload_len":344,"flow_tot_l4_payload_len":1130,"flow_avg_l4_payload_len":188,"midstream":0,"ts_msec":1580978148770,"l3_proto":"ip4","src_ip":"192.168.220.56","dst_ip":"192.168.203.167","src_port":56373,"dst_port":53,"l4_proto":"udp","ndpi": {"flow_risk": {"16":"Suspicious DGA domain name"},"proto":"DNS","breed":"Acceptable","category":"Network"},"dns": {"query":"dnscat.a35c00f5005703c8b1b8cd000118b52347aeb1d73340c97cca43c34b27cf.edf0dbda","num_queries":1,"num_answers":1,"reply_code":0,"query_type":15,"rsp_type":15,"rsp_addr":"0.0.0.0"}}
00855{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":255,"source":"dns_exfiltration.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":255,"flow_first_seen":1580978146717,"flow_last_seen":1580978206666,"flow_idle_time":180000,"flow_min_l4_payload_len":59,"flow_max_l4_payload_len":344,"flow_tot_l4_payload_len":48096,"flow_avg_l4_payload_len":188,"midstream":0,"ts_msec":1580978206666,"l3_proto":"ip4","src_ip":"192.168.220.56","dst_ip":"192.168.203.167","src_port":56373,"dst_port":53,"l4_proto":"udp","ndpi": {"flow_risk": {"16":"Suspicious DGA domain name"},"proto":"DNS","breed":"Acceptable","category":"Network"},"dns": {"query":"dnscat.a35c00f5005703c8b1b8cd000118b52347aeb1d73340c97cca43c34b27cf.edf0dbda","num_queries":1,"num_answers":1,"reply_code":0,"query_type":15,"rsp_type":15,"rsp_addr":"0.0.0.0"}}
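Review bot: The new expected `dns.query` for packets 1 to 4 keeps only the tail of the queried name: `dnscat.546b03f5…fed739.5a03b5b1e1aa8f8f…` becomes `e1aa8f8fdb1bbe8d…fad7a.19e4d098dc8c618f8d81cfeb02`, which drops the `dnscat.` label and cuts through the middle of the next one. The shorter names in the unchanged context lines (packets 5, 6 and 255) still carry the full `dnscat.…` query, so this looks like a length cap that discards the front of long names. Long names are what a DNS tunnelling capture produces, and a consumer keying on the leading label or on total name length gets the least information exactly there, while the event gives no sign that the name was shortened. I would not bless this output as the expected result until the full name (or at least its leading labels plus an explicit truncation marker) is serialized again; the Base64 `pkt` payloads still hold the complete name for comparison.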
@@ -20,10 +20,10 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1936824 bytes
-~~ total memory freed........: 1936824 bytes
-~~ total allocations/frees...: 35638/35638
+~~ total memory allocated....: 4599139 bytes
+~~ total memory freed........: 4599139 bytes
+~~ total allocations/frees...: 99834/99834
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 171 chars
-~~ json string max len.......: 934 chars
-~~ json string avg len.......: 622 chars
+~~ json string max len.......: 902 chars
+~~ json string avg len.......: 606 chars
diff --git a/test/results/dns_fragmented.pcap.out b/test/results/dns_fragmented.pcap.out
index d0420620f..e733ba3db 100644
--- a/test/results/dns_fragmented.pcap.out
+++ b/test/results/dns_fragmented.pcap.out
@@ -1,49 +1,49 @@
00448{"daemon_event_id":1,"daemon_event_name":"init","thread_id":0,"packet_id":0,"source":"dns_fragmented.pcap","alias":"nDPId-test","max-flows-per-thread":2048,"max-idle-flows-per-thread":256,"tick-resolution":1000,"reader-thread-count":1,"flow-scan-interval":10000,"generic-max-idle-time":600000,"icmp-max-idle-time":120000,"udp-max-idle-time":180000,"tcp-max-idle-time":7560000,"max-packets-per-flow-to-send":3,"max-packets-per-flow-to-process":255}
00559{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1,"source":"dns_fragmented.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1558968008021,"flow_last_seen":1558968008021,"flow_idle_time":180000,"flow_min_l4_payload_len":40,"flow_max_l4_payload_len":40,"flow_tot_l4_payload_len":40,"flow_avg_l4_payload_len":40,"midstream":0,"ts_msec":1558968008021,"l3_proto":"ip4","src_ip":"172.217.40.76","dst_ip":"193.24.227.238","src_port":56680,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00487{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"dns_fragmented.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_last_seen":1558968008021,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":82,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":82,"pkt_l4_len":48,"ts_msec":1558968008021,"pkt":"AAwpil3XAIac51UUCABFAABE5WoAAG8R7BGs2ShMwRjj7t1oADUAMAwz1D8AEAABAAAAAAABCHdlYmVybGFiAmRlAAAwAAEAACkQAAAAgAAAAA=="}
-00724{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"dns_fragmented.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1558968008021,"flow_last_seen":1558968008021,"flow_idle_time":180000,"flow_min_l4_payload_len":40,"flow_max_l4_payload_len":40,"flow_tot_l4_payload_len":40,"flow_avg_l4_payload_len":40,"midstream":0,"ts_msec":1558968008021,"l3_proto":"ip4","src_ip":"172.217.40.76","dst_ip":"193.24.227.238","src_port":56680,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Tracker\/Ads","category":"Web"},"dns": {"query":"weberlab.de","num_queries":0,"num_answers":0,"reply_code":0,"query_type":48,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
+00722{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"dns_fragmented.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1558968008021,"flow_last_seen":1558968008021,"flow_idle_time":180000,"flow_min_l4_payload_len":40,"flow_max_l4_payload_len":40,"flow_tot_l4_payload_len":40,"flow_avg_l4_payload_len":40,"midstream":0,"ts_msec":1558968008021,"l3_proto":"ip4","src_ip":"172.217.40.76","dst_ip":"193.24.227.238","src_port":56680,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Acceptable","category":"Web"},"dns": {"query":"weberlab.de","num_queries":0,"num_answers":0,"reply_code":0,"query_type":48,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
02432{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"dns_fragmented.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_last_seen":1558968008021,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1514,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1514,"pkt_l4_len":1480,"ts_msec":1558968008021,"pkt":"AIac51UUAAwpil3XCABFAAXc0P4gAEARCebBGOPurNkoTAA13WgGrrRj1D+EEAABAAQAAAABCHdlYmVybGFiAmRlAAAwAAHADAAwAAEAAAA8AggBAQMKAwEAAd3v\/e0irXYKOwtYEB3VPe7z99qvi5le9\/y1XXyplp5y\/5xaqrm\/relG8pgx8GsNW2IgviJKAJ6UiU45ERKoH+fz2qf2SUFHFWwkweiWyLZ4EZHhowviCEx94P4OswNKXmdYHe38rlHPa+3OypW9gYfR9lhCKK3neCPq8\/aFFsTTI7dQ+Q2kERWiCMCybl4WOwsBo\/RlnPM4yufMKIlABiM5NWQPNmI6jYzAYpYoyUhd9HnnIIDlNQ89HpXQdFmysMraXYb7qDOoOEiOodttKH0y\/vtJ2SRU05RF4AEumacIUzAi5LL2cMQxC7t7rlDI4X42NRfOLAqGuOeclFjzqz3OdAJWeg\/AAnSbb02AGCkQ370TX1hWveAXt6xpPWOLgHXSLIF\/lz+wl+Dm8ZNWDnn5zEJuEj3xova1g8zmRXJOmqA6VhGqewxF8c+yKeNEOHz4X4\/RLmWHIuEbvboP00Dk5A9bhyZGVsytOJg+NwhFQtvBWLmD82FFtfSt2vmbFFNwAZOnRZWJOG9L7TFcGIm1OEULmohUyFLsBGMXDFOu1k0o6pqm495tsBuMyJNpfdQoPwOkUpsKi6jmNq6vRjvvNiJbcFylTQrqHGTGuOopuUsBbUXj\/nOr4I6j42k6GDIuTyLDkaVrdrxXmGnfNnStdqWmvHXo\/YFwdls9bcT7wAwAMAABAAAAPAEIAQADCgMBAAHQVNwo8VCsO0nmM2u3Mcqv14N851ULDM7hf1Hi2ooDrm7SR4cYS\/ptdvSMUJEyqPCUSF3Clw\/mlYs7YppfPvATwlxTT37RaXRQswUTRh4\/3GtYPxZXJOr+Wr2nwf4Rqm1imNixBim+ZLWFho\/CQdJqyhqg2VT8ongtHWFb9Nojmjr1IXZe0LYFcm0d1eoB5YaBtAcRvhm41KfjcjwpW7jDiMH5W1RgefeOj8kBkIJxjV9i9TB7pjmmAvw91J8s0GTTJqo\/ORsAzT8BHg3y6usJtQVH8ezMMHBFbjtgdGJlMoj4kn1KBk8Jtj9ZxjTIZWIo922PVb8sQqj0JytLOU69wAwALgABAAAAPAIfADAKAgAAADxdChURXOJ+MzN7CHdlYmVybGFiAmRlAB+yP4V\/njTX1ZrAUX52Q4ppNzTYQFwUb\/fZ7UyQYLNxrrstLuUEImGhNwZoGn47E0jCxJscYiApT\/lYiL2L1ySUl4RKqHIjPNuYuibs67t5ZabkYsahlYEA\/lOcM3eIQx9pu5Og7p1d2yBSUETOBiGw2mFf2+ESni6Ue4XPXEEYzAhiMRhuYOJAy8gBqoPjkRBcJfWJSQLCsK1uYySkTZfbAzgJeVM0nXd6azgG0BhRE+LeaO6rN3QVHDtfgnwRdZ0mqwEcP9Ixz7o9MUVSKZ24Kp1QfS5nvEHn5PilNALbZYZOO0cQAeV8BhlxVuALLDecEOLC8sY1mx6ozY5\/aRypyHA9HCrJT0qIHJwgtxE7ldo
Wyzsz32MKgZvCYMZSPOXK\/W3p61FPtD4iT4Id6xXDvyRuALL3waMUMwy3mSjXDHAdpXWaCOMfYx2IzRk4rN5TDQtUohYwaoSbystwDYKnhZGi9jS0G8FObyWhTrKCl7aTkMBaFEejCh0dfD5WJP+MDS\/TR32BG0S+GtGTl4n1Y8wgyP7nkz3\/REcevkIvpJRUImVc8A\/VPTI+9KvBSkoLPA9Za\/IpqUpgDVsKWU5bp0V0TdEryxvtwOnVXXdH0\/hJMgIgWhmZzY2\/UVoRBVGptWsAIhn5sO+UhcjvZ41p3t\/1mWp23BdUACblNtHcw2MALgABAAAAPAEfADAKAgAAADxdChURXOJ+M5BHCHdlYmVybGFiAmRlAHoYKuiyNMNSWsfXwtRR8n\/pKy73at02yEwt1EoWyfptV8sUoxs="}
-00823{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2,"source":"dns_fragmented.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":2,"flow_first_seen":1558968008021,"flow_last_seen":1558968008021,"flow_idle_time":180000,"flow_min_l4_payload_len":40,"flow_max_l4_payload_len":1472,"flow_tot_l4_payload_len":1512,"flow_avg_l4_payload_len":756,"midstream":0,"ts_msec":1558968008021,"l3_proto":"ip4","src_ip":"172.217.40.76","dst_ip":"193.24.227.238","src_port":56680,"dst_port":53,"l4_proto":"udp","ndpi": {"flow_risk": {"37":"DNS packet larger than 512 bytes","38":"Fragmented DNS message"},"proto":"DNS.Google","breed":"Tracker\/Ads","category":"Web"},"dns": {"query":"weberlab.de","num_queries":1,"num_answers":5,"reply_code":0,"query_type":48,"rsp_type":48,"rsp_addr":"0.0.0.0"}}
+00736{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2,"source":"dns_fragmented.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":2,"flow_first_seen":1558968008021,"flow_last_seen":1558968008021,"flow_idle_time":180000,"flow_min_l4_payload_len":40,"flow_max_l4_payload_len":1472,"flow_tot_l4_payload_len":1512,"flow_avg_l4_payload_len":756,"midstream":0,"ts_msec":1558968008021,"l3_proto":"ip4","src_ip":"172.217.40.76","dst_ip":"193.24.227.238","src_port":56680,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Acceptable","category":"Web"},"dns": {"query":"weberlab.de","num_queries":1,"num_answers":5,"reply_code":0,"query_type":48,"rsp_type":48,"rsp_addr":"0.0.0.0"}}
00638{"packet_event_id":1,"packet_event_name":"packet","thread_id":0,"packet_id":3,"source":"dns_fragmented.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":264,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":264,"pkt_l4_len":0,"ts_msec":1558968008021,"pkt":"AIac51UUAAwpil3XCABFAAD60P4AuUARLg\/BGOPurNkoTJJWaQ8FS9tIHo+oVjY51cy6+fgiJNB2zCSb2h1J8D40RJyUZYc0lguNGrMzvogBYnbxInuDKD2B8SGaumxsynJulBSZTde74knucmk+7g4DbM0zyfRD0W3RhD3u0NFdji\/0zmiI817VkCE2GpVvuL3F8KDCC+EMYjJlOHqM+STJxPq9ZF8xJcVITkC6EY6CdRmYmQdqvRYWzDXPjGtyu5XT13H1VC8IJisNUehBDr2PeppANUdXFlyqVQ6mARL6UnTBT0xam7DpmuxycO7BOql2rC7KBJb4lykg9AAAKRAAAACAAAAA"}
00179{"basic_event_id":9,"basic_event_name":"nDPI IPv4\/L4 payload detection failed","thread_id":0,"packet_id":3,"source":"dns_fragmented.pcap","alias":"nDPId-test","l4_data_len":230}
00576{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":4,"source":"dns_fragmented.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":1,"flow_first_seen":1558968010233,"flow_last_seen":1558968010233,"flow_idle_time":180000,"flow_min_l4_payload_len":58,"flow_max_l4_payload_len":58,"flow_tot_l4_payload_len":58,"flow_avg_l4_payload_len":58,"midstream":0,"ts_msec":1558968010233,"l3_proto":"ip6","src_ip":"2a00:1450:4013:c03::10a","dst_ip":"2001:470:765b::a25:53","src_port":46433,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00538{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4,"source":"dns_fragmented.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_last_seen":1558968010233,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":120,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":120,"pkt_l4_len":66,"ts_msec":1558968010233,"pkt":"AAwpil3XAIac51UUht1gArj8AEIRayoAFFBAEwwDAAAAAAAAAQogAQRwdlsAAAAAAAAKJQBTtWEANQBC7JLpxAAQAAEAAAAAAAECcGEId2ViZXJsYWICZGUAABwAAQAAKRAAAACAAAAPAAgACwACOAAgAQRwHwsW"}
00739{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"dns_fragmented.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":1,"flow_first_seen":1558968010233,"flow_last_seen":1558968010233,"flow_idle_time":180000,"flow_min_l4_payload_len":58,"flow_max_l4_payload_len":58,"flow_tot_l4_payload_len":58,"flow_avg_l4_payload_len":58,"midstream":0,"ts_msec":1558968010233,"l3_proto":"ip6","src_ip":"2a00:1450:4013:c03::10a","dst_ip":"2001:470:765b::a25:53","src_port":46433,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS","breed":"Acceptable","category":"Network"},"dns": {"query":"pa.weberlab.de","num_queries":0,"num_answers":0,"reply_code":0,"query_type":28,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
02413{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":5,"source":"dns_fragmented.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_last_seen":1558968010234,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1510,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":62,"pkt_len":1510,"pkt_l4_len":1448,"ts_msec":1558968010234,"pkt":"AIac51UUAAwpil3Xht1gB4f9BbAsQCABBHB2WwAAAAAAAAolAFMqABRQQBMMAwAAAAAAAAEKEQAAAShAPAsANbVhBeUUjunEhBAAAQACAAMACQJwYQh3ZWJlcmxhYgJkZQAAHAABwAwAHAABAAAAPAAQIAEEcB8LECQAAAAAAAAAAsAMAC4AAQAAADwBHwAcCgMAAAA8XQZZ\/FzevuyQRwh3ZWJlcmxhYgJkZQC1pnXN9aJB47xcEl0t+RyJPr\/p+1OSRyBEPleyPVcVG13SY1au\/jvJTdnRA4lySA7r3bi4LlJCEattffR4fjevK4f+NrGd0s5mJ+PRg85+C1QnHQmbvL9v+MI2zPL2z8n5PSX3Yf1y4VNvPCJ7YmzWzkyABQys7VcUh58r0Vf2MDfcX+p\/oqdfN5wH3piEMrifXVk3S1jvEgqm3k\/0jIc5bfsXYFPDiziLSsKruSCkr5Ydv6DPypeAQh8lSdezjVxYVAOnbrtC88Q7QQ04+1dWXmZGW9cG+PBKFrFDsPDKsCvsJ0ggc3+bJXpyZZ0SaqfH4Zgi8NjO\/iMCsrSxLkS9wFoAAgABAAAAPAAPA25zMgh3ZWJlcmRuc8BjwFoAAgABAAAAPAAGA25zMcF3wFoALgABAAAAPAEfAAIKAgAAADxdCgDsXOJvNZBHCHdlYmVybGFiAmRlAHSoxNqqAKym4hw9iI9\/cGB9AOyri1gZ9PRCVa3kokohNFwwgJZHh\/GYLEe5aVQ16NDPaZsaEDNFKVzAqyIPhTpD66im4JiAdIma3+zQ6MM9+50XgE4zD34pXPziEN3\/hpyx0OsRaMDdi+fLJ+VSFGsK+dEf7olAlTzREwS8gAhMxbir6bK5GyMP0HpB+N56qoJQqvHlvC11N4HQ1PiAfHGM\/e0cnoTP4HtNoJs4zlO01ipMUjuZ2yl3aHqydGgSm9jswrVneievkN6cP9\/osHneUEe3pq+Na767DBQ6GotyiL0ifYjqRt+tp11FZgz+RwhCI599k5mxFSecocr80szBjgAcAAEAAA4QABAgAQRwdlsAAAAAAAAKJQBTwXMAHAABAAAOEAAQIAEEcB8LFrAAAAAACiYAU8GOAAEAAQAADhAABMEY4+7BcwABAAEAAA4QAATC9wUOwY4ALgABAAAOEACfAAEIAwAADhBdCiqqXOKPrjDwCHdlYmVyZG5zAmRlALFKzqMjh9BzTzk7te1fsFGook8hWPtH0Dh2qeLmkPiC00JY45Dj2PARXv44katX35tAeXg4ix8QZs+c1GIcPatTaDXZe6J7CgZjoERP+ecNOmJ3vNLtj8s3UGq5X1b66ao4qdZN6E8DXjYpPWxeaD+6KZd7ytQjBmRNzONHV4CNwY4ALgABAAAOEACfABwIAwAADhBdCiqqXOKPrjDwCHdlYmVyZG5zAmRlAEEPt\/jvpNYZTaxUf\/hq3Z6tUps6XBA9Yu325Bwy3LukMjtOntkxZ48rvFNij79Ioq3EbGxCb4PD0EVLtA5lKR6U69jYrdbsh11ahmIq4c0voBJAKVJkpfioqYTXkZCppD5DWEnFc7+3dmCZtR6n7cdLRMGXeU0ee7boqf+ntG0
ywXMALgABAAAOEACfAAEIAwAADhBdCiqqXOKPrjDwCHdlYmVyZG5zAmRlAAdbeEFbg2lg4i3rnV+6yQt2VeYizGmT\/rDt7rXbe9Gvg0bs7cCzKvh3nLNc7lfkw3Toxu3h2m\/NqvAJNkxLRmrtfxw68cyy4lkHhL2NLL3Y19jvp2qm25mZVgwcJylB9Dlvk0ReqgeiL8E1GyKZ+bYJb4PW+X45ewaJrdYFgGv4wXMALgABAAAOEACfABwIAwAADhBdCiqqXOKPrjDwCHdlYmVyZG5zAmRlALY71RRfBids18YMqfb3pDV95vjCv9gQTwdXg7KIz9hcjsWC4LdX4rCK4Rics7xQ5QaBNODVJNd5alz0R5hMDerxbEpzVvoggNs6EwCYRezdSpP5C3DJFx6i88C2SQ=="}
-00842{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":5,"source":"dns_fragmented.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":2,"flow_first_seen":1558968010233,"flow_last_seen":1558968010234,"flow_idle_time":180000,"flow_min_l4_payload_len":58,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":1498,"flow_avg_l4_payload_len":749,"midstream":0,"ts_msec":1558968010234,"l3_proto":"ip6","src_ip":"2a00:1450:4013:c03::10a","dst_ip":"2001:470:765b::a25:53","src_port":46433,"dst_port":53,"l4_proto":"udp","ndpi": {"flow_risk": {"37":"DNS packet larger than 512 bytes","38":"Fragmented DNS message"},"proto":"DNS","breed":"Acceptable","category":"Network"},"dns": {"query":"pa.weberlab.de","num_queries":1,"num_answers":14,"reply_code":0,"query_type":28,"rsp_type":28,"rsp_addr":"32.1.4.112"}}
+00757{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":5,"source":"dns_fragmented.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":2,"flow_first_seen":1558968010233,"flow_last_seen":1558968010234,"flow_idle_time":180000,"flow_min_l4_payload_len":58,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":1498,"flow_avg_l4_payload_len":749,"midstream":0,"ts_msec":1558968010234,"l3_proto":"ip6","src_ip":"2a00:1450:4013:c03::10a","dst_ip":"2001:470:765b::a25:53","src_port":46433,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS","breed":"Acceptable","category":"Network"},"dns": {"query":"pa.weberlab.de","num_queries":1,"num_answers":14,"reply_code":0,"query_type":28,"rsp_type":28,"rsp_addr":"32.1.4.112"}}
00450{"packet_event_id":1,"packet_event_name":"packet","thread_id":0,"packet_id":6,"source":"dns_fragmented.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":123,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":123,"pkt_l4_len":0,"ts_msec":1558968010234,"pkt":"AIac51UUAAwpil3Xht1gB4f9AEUsQCABBHB2WwAAAAAAAAolAFMqABRQQBMMAwAAAAAAAAEKEQAFqChAPAtderZqHOphjXllMk8sHswGkSaaDoR\/AL9bqSnISQXKcnns5gAAKRAAAACAAAAPAAgACwACOAAgAQRwHwsW"}
00179{"basic_event_id":12,"basic_event_name":"nDPI IPv6\/L4 payload detection failed","thread_id":0,"packet_id":6,"source":"dns_fragmented.pcap","alias":"nDPId-test","l4_data_len":89}
00576{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":7,"source":"dns_fragmented.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":1,"flow_first_seen":1558968018074,"flow_last_seen":1558968018074,"flow_idle_time":180000,"flow_min_l4_payload_len":59,"flow_max_l4_payload_len":59,"flow_tot_l4_payload_len":59,"flow_avg_l4_payload_len":59,"midstream":0,"ts_msec":1558968018074,"l3_proto":"ip6","src_ip":"2a00:1450:4013:c06::105","dst_ip":"2001:470:765b::a25:53","src_port":63369,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00542{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":7,"source":"dns_fragmented.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_last_seen":1558968018074,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":121,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":121,"pkt_l4_len":67,"ts_msec":1558968018074,"pkt":"AAwpil3XAIac51UUht1gCQGuAEMRayoAFFBAEwwGAAAAAAAAAQUgAQRwdlsAAAAAAAAKJQBT94kANQBDODsKMgAQAAEAAAAAAAEDZmcyCHdlYmVybGFiAmRlAAABAAEAACkQAAAAgAAADwAIAAsAAjgAIAEEcB8LFg=="}
00739{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":7,"source":"dns_fragmented.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":1,"flow_first_seen":1558968018074,"flow_last_seen":1558968018074,"flow_idle_time":180000,"flow_min_l4_payload_len":59,"flow_max_l4_payload_len":59,"flow_tot_l4_payload_len":59,"flow_avg_l4_payload_len":59,"midstream":0,"ts_msec":1558968018074,"l3_proto":"ip6","src_ip":"2a00:1450:4013:c06::105","dst_ip":"2001:470:765b::a25:53","src_port":63369,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS","breed":"Acceptable","category":"Network"},"dns": {"query":"fg2.weberlab.de","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
02419{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":8,"source":"dns_fragmented.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_last_seen":1558968018075,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1510,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":62,"pkt_len":1510,"pkt_l4_len":1448,"ts_msec":1558968018075,"pkt":"AIac51UUAAwpil3Xht1gAmIVBbAsQCABBHB2WwAAAAAAAAolAFMqABRQQBMMBgAAAAAAAAEFEQAAASR\/DLMANfeJBdraSAoyhBAAAQACAAMACQNmZzIId2ViZXJsYWICZGUAAAEAAcAMAAEAAQAAADwABML3BArADAAuAAEAAAA8AR8AAQoDAAAAPF0J+51c4m0NkEcId2ViZXJsYWICZGUATmqKLyXYlD7oC1wjnJdPzxr55pJoGn6h+biEYxUlvjgkAKYGVr2OkUzNi9dPZZCT1\/wXWro5BadVhTNlYhGA9J99DHUUB5NEITFfyeoCqRwORKOIN8F3N4260XT5uRwPgDtpnX9J6IRQN3Hg639ASVUfreGkxN2At0j1oxD21UcoFDfwz5Fn7owm5vE3RP6EyTqHCPkRSCJvvZO+Lb6nyRwRS\/BgbrTAjIDB9gxMtXs7GIKlm\/T21iqqa\/CM0K3y9nYSv2Mbgyh+nhDaTp4WmMKZfRzP6DKGL+Myx7893ekGgWnaQNeZGzB3BTQVSEJFLULyYavsqtvSpVIspLF1IcBPAAIAAQAAADwADwNuczIId2ViZXJkbnPAWMBPAAIAAQAAADwABgNuczHBbMBPAC4AAQAAADwBHwACCgIAAAA8XQoA7FzibzWQRwh3ZWJlcmxhYgJkZQB0qMTaqgCspuIcPYiPf3BgfQDsq4tYGfT0QlWt5KJKITRcMICWR4fxmCxHuWlUNejQz2mbGhAzRSlcwKsiD4U6Q+uopuCYgHSJmt\/s0OjDPfudF4BOMw9+KVz84hDd\/4acsdDrEWjA3YvnyyflUhRrCvnRH+6JQJU80RMEvIAITMW4q+myuRsjD9B6QfjeeqqCUKrx5bwtdTeB0NT4gHxxjP3tHJ6Ez+B7TaCbOM5TtNYqTFI7mdspd2h6snRoEpvY7MK1Z3onr5DenD\/f6LB53lBHt6avjWu+uwwUOhqLcoi9In2I6kbfraddRWYM\/kcIQiOffZOZsRUnnKHK\/NLMwYMAHAABAAAOEAAQIAEEcHZbAAAAAAAACiUAU8FoABwAAQAADhAAECABBHAfCxawAAAAAAomAFPBgwABAAEAAA4QAATBGOPuwWgAAQABAAAOEAAEwvcFDsGDAC4AAQAADhAAnwABCAMAAA4QXQoqqlzij64w8Ah3ZWJlcmRucwJkZQCxSs6jI4fQc085O7XtX7BRqKJPIVj7R9A4dqni5pD4gtNCWOOQ49jwEV7+OJGrV9+bQHl4OIsfEGbPnNRiHD2rU2g12XuiewoGY6BET\/nnDTpid7zS7Y\/LN1BquV9W+umqOKnWTehPA142KT1sXmg\/uimXe8rUIwZkTczjR1eAjcGDAC4AAQAADhAAnwAcCAMAAA4QXQoqqlzij64w8Ah3ZWJlcmRucwJkZQBBD7f476TWGU2sVH\/4at2erVKbOlwQPWLt9uQcMty7pDI7Tp7ZMWePK7xTYo+\/SKKtxGxsQm+Dw9BFS7QOZSkelOvY2K3W7IddWoZiKuHNL6ASQClSZKX4qKmE15GQqaQ+Q1hJxXO\/t3ZgmbUep+3HS0TBl3lNHnu26Kn\/p7RtMsFoAC4AAQA
ADhAAnwABCAMAAA4QXQoqqlzij64w8Ah3ZWJlcmRucwJkZQAHW3hBW4NpYOIt651fuskLdlXmIsxpk\/6w7e6123vRr4NG7O3Asyr4d5yzXO5X5MN06Mbt4dpvzarwCTZMS0Zq7X8cOvHMsuJZB4S9jSy92NfY76dqptuZmVYMHCcpQfQ5b5NEXqoHoi\/BNRsimfm2CW+D1vl+OXsGia3WBYBr+MFoAC4AAQAADhAAnwAcCAMAAA4QXQoqqlzij64w8Ah3ZWJlcmRucwJkZQC2O9UUXwYnbNfGDKn296Q1feb4wr\/YEE8HV4OyiM\/YXI7FguC3V+KwiuEYnLO8UOUGgTTg1STXeWpc9EeYTA3q8WxKc1b6IIDbOhMAmEXs3UqT+QtwyRceovPAtklderZqHOphjXllMg=="}
-00843{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":8,"source":"dns_fragmented.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":2,"flow_first_seen":1558968018074,"flow_last_seen":1558968018075,"flow_idle_time":180000,"flow_min_l4_payload_len":59,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":1499,"flow_avg_l4_payload_len":749,"midstream":0,"ts_msec":1558968018075,"l3_proto":"ip6","src_ip":"2a00:1450:4013:c06::105","dst_ip":"2001:470:765b::a25:53","src_port":63369,"dst_port":53,"l4_proto":"udp","ndpi": {"flow_risk": {"37":"DNS packet larger than 512 bytes","38":"Fragmented DNS message"},"proto":"DNS","breed":"Acceptable","category":"Network"},"dns": {"query":"fg2.weberlab.de","num_queries":1,"num_answers":14,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"194.247.4.10"}}
+00758{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":8,"source":"dns_fragmented.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":2,"flow_first_seen":1558968018074,"flow_last_seen":1558968018075,"flow_idle_time":180000,"flow_min_l4_payload_len":59,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":1499,"flow_avg_l4_payload_len":749,"midstream":0,"ts_msec":1558968018075,"l3_proto":"ip6","src_ip":"2a00:1450:4013:c06::105","dst_ip":"2001:470:765b::a25:53","src_port":63369,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS","breed":"Acceptable","category":"Network"},"dns": {"query":"fg2.weberlab.de","num_queries":1,"num_answers":14,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"194.247.4.10"}}
00439{"packet_event_id":1,"packet_event_name":"packet","thread_id":0,"packet_id":9,"source":"dns_fragmented.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":112,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":112,"pkt_l4_len":0,"ts_msec":1558968018075,"pkt":"AIac51UUAAwpil3Xht1gAmIVADosQCABBHB2WwAAAAAAAAolAFMqABRQQBMMBgAAAAAAAAEFEQAFqCR\/DLNPLB7MBpEmmg6EfwC\/W6kpyEkFynJ57OYAACkQAAAAgAAADwAIAAsAAjgAIAEEcB8LFg=="}
00179{"basic_event_id":12,"basic_event_name":"nDPI IPv6\/L4 payload detection failed","thread_id":0,"packet_id":9,"source":"dns_fragmented.pcap","alias":"nDPId-test","l4_data_len":78}
00562{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":10,"source":"dns_fragmented.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":1,"flow_first_seen":1558968019069,"flow_last_seen":1558968019069,"flow_idle_time":180000,"flow_min_l4_payload_len":59,"flow_max_l4_payload_len":59,"flow_tot_l4_payload_len":59,"flow_avg_l4_payload_len":59,"midstream":0,"ts_msec":1558968019069,"l3_proto":"ip4","src_ip":"173.194.169.104","dst_ip":"193.24.227.238","src_port":59464,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00514{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":10,"source":"dns_fragmented.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":1,"flow_last_seen":1558968019069,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":101,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":101,"pkt_l4_len":67,"ts_msec":1558968019069,"pkt":"AAwpil3XAIac51UUCABFAABXnz0AAGwRsyatwqlowRjj7uhIADUAQ+SwoX0AEAABAAAAAAABA2ZnMgh3ZWJlcmxhYgJkZQAAAQABAAApEAAAAIAAAA8ACAALAAI4ACABBHAfCxY="}
-00730{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":10,"source":"dns_fragmented.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":1,"flow_first_seen":1558968019069,"flow_last_seen":1558968019069,"flow_idle_time":180000,"flow_min_l4_payload_len":59,"flow_max_l4_payload_len":59,"flow_tot_l4_payload_len":59,"flow_avg_l4_payload_len":59,"midstream":0,"ts_msec":1558968019069,"l3_proto":"ip4","src_ip":"173.194.169.104","dst_ip":"193.24.227.238","src_port":59464,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Tracker\/Ads","category":"Web"},"dns": {"query":"fg2.weberlab.de","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
+00728{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":10,"source":"dns_fragmented.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":1,"flow_first_seen":1558968019069,"flow_last_seen":1558968019069,"flow_idle_time":180000,"flow_min_l4_payload_len":59,"flow_max_l4_payload_len":59,"flow_tot_l4_payload_len":59,"flow_avg_l4_payload_len":59,"midstream":0,"ts_msec":1558968019069,"l3_proto":"ip4","src_ip":"173.194.169.104","dst_ip":"193.24.227.238","src_port":59464,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Acceptable","category":"Web"},"dns": {"query":"fg2.weberlab.de","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
02419{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":11,"source":"dns_fragmented.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_last_seen":1558968019069,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1514,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1514,"pkt_l4_len":1480,"ts_msec":1558968019069,"pkt":"AIac51UUAAwpil3XCABFAAXc4hEgAEARds3BGOPurcKpaAA16EgF2oW\/oX2EEAABAAIAAwAJA2ZnMgh3ZWJlcmxhYgJkZQAAAQABwAwAAQABAAAAPAAEwvcECsAMAC4AAQAAADwBHwABCgMAAAA8XQn7nVzibQ2QRwh3ZWJlcmxhYgJkZQBOaoovJdiUPugLXCOcl0\/PGvnmkmgafqH5uIRjFSW+OCQApgZWvY6RTM2L109lkJPX\/BdaujkFp1WFM2ViEYD0n30MdRQHk0QhMV\/J6gKpHA5Eo4g3wXc3jbrRdPm5HA+AO2mdf0nohFA3ceDrf0BJVR+t4aTE3YC3SPWjEPbVRygUN\/DPkWfujCbm8TdE\/oTJOocI+RFIIm+9k74tvqfJHBFL8GButMCMgMH2DEy1ezsYgqWb9PbWKqpr8IzQrfL2dhK\/YxuDKH6eENpOnhaYwpl9HM\/oMoYv4zLHvz3d6QaBadpA15kbMHcFNBVIQkUtQvJhq+yq29KlUiyksXUhwE8AAgABAAAAPAAPA25zMQh3ZWJlcmRuc8BYwE8AAgABAAAAPAAGA25zMsFswE8ALgABAAAAPAEfAAIKAgAAADxdCgDsXOJvNZBHCHdlYmVybGFiAmRlAHSoxNqqAKym4hw9iI9\/cGB9AOyri1gZ9PRCVa3kokohNFwwgJZHh\/GYLEe5aVQ16NDPaZsaEDNFKVzAqyIPhTpD66im4JiAdIma3+zQ6MM9+50XgE4zD34pXPziEN3\/hpyx0OsRaMDdi+fLJ+VSFGsK+dEf7olAlTzREwS8gAhMxbir6bK5GyMP0HpB+N56qoJQqvHlvC11N4HQ1PiAfHGM\/e0cnoTP4HtNoJs4zlO01ipMUjuZ2yl3aHqydGgSm9jswrVneievkN6cP9\/osHneUEe3pq+Na767DBQ6GotyiL0ifYjqRt+tp11FZgz+RwhCI599k5mxFSecocr80szBaAABAAEAAA4QAATBGOPuwYMAAQABAAAOEAAEwvcFDsFoABwAAQAADhAAECABBHB2WwAAAAAAAAolAFPBgwAcAAEAAA4QABAgAQRwHwsWsAAAAAAKJgBTwWgALgABAAAOEACfAAEIAwAADhBdCiqqXOKPrjDwCHdlYmVyZG5zAmRlALFKzqMjh9BzTzk7te1fsFGook8hWPtH0Dh2qeLmkPiC00JY45Dj2PARXv44katX35tAeXg4ix8QZs+c1GIcPatTaDXZe6J7CgZjoERP+ecNOmJ3vNLtj8s3UGq5X1b66ao4qdZN6E8DXjYpPWxeaD+6KZd7ytQjBmRNzONHV4CNwWgALgABAAAOEACfABwIAwAADhBdCiqqXOKPrjDwCHdlYmVyZG5zAmRlAEEPt\/jvpNYZTaxUf\/hq3Z6tUps6XBA9Yu325Bwy3LukMjtOntkxZ48rvFNij79Ioq3EbGxCb4PD0EVLtA5lKR6U69jYrdbsh11ahmIq4c0voBJAKVJkpfioqYTXkZCppD5DWEnFc7+3dmCZtR6n7cdLRMGXeU0ee7boqf+ntG0ywYMALgABAAAOEACfAAEIAwAADhBdCiqqXOKPrjDwCHdlYmVyZ
G5zAmRlAAdbeEFbg2lg4i3rnV+6yQt2VeYizGmT\/rDt7rXbe9Gvg0bs7cCzKvh3nLNc7lfkw3Toxu3h2m\/NqvAJNkxLRmrtfxw68cyy4lkHhL2NLL3Y19jvp2qm25mZVgwcJylB9Dlvk0ReqgeiL8E1GyKZ+bYJb4PW+X45ewaJrdYFgGv4wYMALgABAAAOEACfABwIAwAADhBdCiqqXOKPrjDwCHdlYmVyZG5zAmRlALY71RRfBids18YMqfb3pDV95vjCv9gQTwdXg7KIz9hcjsWC4LdX4rCK4Rics7xQ5QaBNODVJNd5alz0R5hMDerxbEpzVvoggNs6EwCYRezdSpP5C3DJFx6i88C2SV16tmoc6mGNeWUyTywezAaRJpoOhH8Av1upKchJBcpyeezmAAApEAAAAIA="}
-00834{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":11,"source":"dns_fragmented.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":2,"flow_first_seen":1558968019069,"flow_last_seen":1558968019069,"flow_idle_time":180000,"flow_min_l4_payload_len":59,"flow_max_l4_payload_len":1472,"flow_tot_l4_payload_len":1531,"flow_avg_l4_payload_len":765,"midstream":0,"ts_msec":1558968019069,"l3_proto":"ip4","src_ip":"173.194.169.104","dst_ip":"193.24.227.238","src_port":59464,"dst_port":53,"l4_proto":"udp","ndpi": {"flow_risk": {"37":"DNS packet larger than 512 bytes","38":"Fragmented DNS message"},"proto":"DNS.Google","breed":"Tracker\/Ads","category":"Web"},"dns": {"query":"fg2.weberlab.de","num_queries":1,"num_answers":14,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"194.247.4.10"}}
+00747{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":11,"source":"dns_fragmented.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":2,"flow_first_seen":1558968019069,"flow_last_seen":1558968019069,"flow_idle_time":180000,"flow_min_l4_payload_len":59,"flow_max_l4_payload_len":1472,"flow_tot_l4_payload_len":1531,"flow_avg_l4_payload_len":765,"midstream":0,"ts_msec":1558968019069,"l3_proto":"ip4","src_ip":"173.194.169.104","dst_ip":"193.24.227.238","src_port":59464,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Acceptable","category":"Web"},"dns": {"query":"fg2.weberlab.de","num_queries":1,"num_answers":14,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"194.247.4.10"}}
00355{"packet_event_id":1,"packet_event_name":"packet","thread_id":0,"packet_id":12,"source":"dns_fragmented.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":52,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":52,"pkt_l4_len":0,"ts_msec":1558968019069,"pkt":"AIac51UUAAwpil3XCABFAAAm4hEAuUARm8rBGOPurcKpaAAADwAIAAsAAjgAIAEEcB8LFg=="}
00179{"basic_event_id":9,"basic_event_name":"nDPI IPv4\/L4 payload detection failed","thread_id":0,"packet_id":12,"source":"dns_fragmented.pcap","alias":"nDPId-test","l4_data_len":18}
00577{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":13,"source":"dns_fragmented.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":1,"flow_first_seen":1558968021013,"flow_last_seen":1558968021013,"flow_idle_time":180000,"flow_min_l4_payload_len":59,"flow_max_l4_payload_len":59,"flow_tot_l4_payload_len":59,"flow_avg_l4_payload_len":59,"midstream":0,"ts_msec":1558968021013,"l3_proto":"ip6","src_ip":"2a00:1450:400c:c00::106","dst_ip":"2001:470:765b::a25:53","src_port":54430,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00544{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":13,"source":"dns_fragmented.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_last_seen":1558968021013,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":121,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":121,"pkt_l4_len":67,"ts_msec":1558968021013,"pkt":"AAwpil3XAIac51UUht1gBi\/8AEMRayoAFFBADAwAAAAAAAAAAQYgAQRwdlsAAAAAAAAKJQBT1J4ANQBDpiukOAAQAAEAAAAAAAEDZmcyCHdlYmVybGFiAmRlAAAcAAEAACkQAAAAgAAADwAIAAsAAjgAIAEEcB8LFg=="}
00741{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":13,"source":"dns_fragmented.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":1,"flow_first_seen":1558968021013,"flow_last_seen":1558968021013,"flow_idle_time":180000,"flow_min_l4_payload_len":59,"flow_max_l4_payload_len":59,"flow_tot_l4_payload_len":59,"flow_avg_l4_payload_len":59,"midstream":0,"ts_msec":1558968021013,"l3_proto":"ip6","src_ip":"2a00:1450:400c:c00::106","dst_ip":"2001:470:765b::a25:53","src_port":54430,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS","breed":"Acceptable","category":"Network"},"dns": {"query":"fg2.weberlab.de","num_queries":0,"num_answers":0,"reply_code":0,"query_type":28,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
01575{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":14,"source":"dns_fragmented.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":2,"flow_last_seen":1558968021014,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":886,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":886,"pkt_l4_len":832,"ts_msec":1558968021014,"pkt":"AIac51UUAAwpil3Xht1gCbz6A0ARQCABBHB2WwAAAAAAAAolAFMqABRQQAwMAAAAAAAAAAEGADXUngNAM\/ikOIQQAAEAAAAEAAEDZmcyCHdlYmVybGFiAmRlAAAcAAHAEAAGAAEAAAA8ADwDbnMwCHdlYmVyZG5zwBkJd2VibWFzdGVyCXdlYmVybmV0egNuZXQAeFhI6QAADhAAAAOEACTqAAAAADzAEAAuAAEAAAA8AR8ABgoCAAAAPF0SKiBc6o8QkEcId2ViZXJsYWICZGUAsAsLORY9T68251zcXXrXYMubapdXlnVZdczSZ8VjQS3g0dStlbXNUxRf4FJCpZevgIdkz+OzavU4Y3EyCKf5qxw7GiEllt+hznji85+jlwbqxa7BHuVrNf4YxsbIr0kaSblmtIn8e12vMQAgQIzOeK4VKGey+3rFftx2Cs7v0mw4V0Rd+gTYttfq+PLvGu8vSZibXFxqlj86VVzTwvOCEmjqKNyjon+\/djMG\/LpzWXoT2evp9l8K1VcJU\/8uUY9ZE4WS0WjV4uuPKKqmHeTkethHG1xsLp0jKFQP8kYfYkdlxDBuNu6KhurVxO4RiM92K63vMdmIW\/4VjMYm2cPPQCBWTlI1U0hKRjVHQ1RFQ1RIN0wwRUNLTEoxTkRGNE04S8CHADIAAQAAALQAMgEAABQQM4lV2XYIwLE0ewVnw5K1+BQAQBNLJ89Pbt3WSJZWXFg+eo1pkwAGQAAAAAACwZQALgABAAAAtAEfADIKAwAAALRdChEDXOJ73JBHCHdlYmVybGFiAmRlAFwWgMgEjrA1OcHB+Qo5dWmMix1bJ7WFGsQIkPmTlF\/KVvK6k5dVU4FDCZtKPuPYCkg0XLBOcR\/wguOUuuyBL7cbjUoN0UHJur34eNeWLngpBhaxFTmuqY80vKjed0ttFQ6uVnd2OAmDzRp6YxYtTin4\/XGlVO6lMt+k2mYftwRyr5Ohjp6NH+J8dbjX7gkD3ENGAHspVLSTz4LxrhUH8dsbFK8rT\/kUhlCBvTuJYAxOkSEWqp4vVZ54PXcY61pn5KAT8mJWdw+HLsa\/lUjZNXicEmky99XDlPLcJk7OI3ZM83QYPgYAFE\/lMHbTSiiue2rS4deUwWxFmnQYlhv0FA4AACkQAAAAgAAADwAIAAsAAjgAIAEEcB8LFg=="}
-00807{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":14,"source":"dns_fragmented.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":2,"flow_first_seen":1558968021013,"flow_last_seen":1558968021014,"flow_idle_time":180000,"flow_min_l4_payload_len":59,"flow_max_l4_payload_len":824,"flow_tot_l4_payload_len":883,"flow_avg_l4_payload_len":441,"midstream":0,"ts_msec":1558968021014,"l3_proto":"ip6","src_ip":"2a00:1450:400c:c00::106","dst_ip":"2001:470:765b::a25:53","src_port":54430,"dst_port":53,"l4_proto":"udp","ndpi": {"flow_risk": {"37":"DNS packet larger than 512 bytes"},"proto":"DNS","breed":"Acceptable","category":"Network"},"dns": {"query":"fg2.weberlab.de","num_queries":1,"num_answers":5,"reply_code":0,"query_type":28,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
+00752{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":14,"source":"dns_fragmented.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":2,"flow_first_seen":1558968021013,"flow_last_seen":1558968021014,"flow_idle_time":180000,"flow_min_l4_payload_len":59,"flow_max_l4_payload_len":824,"flow_tot_l4_payload_len":883,"flow_avg_l4_payload_len":441,"midstream":0,"ts_msec":1558968021014,"l3_proto":"ip6","src_ip":"2a00:1450:400c:c00::106","dst_ip":"2001:470:765b::a25:53","src_port":54430,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS","breed":"Acceptable","category":"Network"},"dns": {"query":"fg2.weberlab.de","num_queries":1,"num_answers":5,"reply_code":0,"query_type":28,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
00560{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":15,"source":"dns_fragmented.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":1,"flow_first_seen":1558968021026,"flow_last_seen":1558968021026,"flow_idle_time":180000,"flow_min_l4_payload_len":40,"flow_max_l4_payload_len":40,"flow_tot_l4_payload_len":40,"flow_avg_l4_payload_len":40,"midstream":0,"ts_msec":1558968021026,"l3_proto":"ip4","src_ip":"74.125.47.136","dst_ip":"193.24.227.238","src_port":59330,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00488{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":15,"source":"dns_fragmented.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":1,"flow_last_seen":1558968021026,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":82,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":82,"pkt_l4_len":48,"ts_msec":1558968021026,"pkt":"AAwpil3XAIac51UUCABFAABEdWYAAGwRujZKfS+IwRjj7ufCADUAMBuRFagAEAABAAAAAAABCHdlYmVybGFiAmRlAAAwAAEAACkQAAAAgAAAAA=="}
-00725{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":15,"source":"dns_fragmented.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":1,"flow_first_seen":1558968021026,"flow_last_seen":1558968021026,"flow_idle_time":180000,"flow_min_l4_payload_len":40,"flow_max_l4_payload_len":40,"flow_tot_l4_payload_len":40,"flow_avg_l4_payload_len":40,"midstream":0,"ts_msec":1558968021026,"l3_proto":"ip4","src_ip":"74.125.47.136","dst_ip":"193.24.227.238","src_port":59330,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Tracker\/Ads","category":"Web"},"dns": {"query":"weberlab.de","num_queries":0,"num_answers":0,"reply_code":0,"query_type":48,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
+00723{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":15,"source":"dns_fragmented.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":1,"flow_first_seen":1558968021026,"flow_last_seen":1558968021026,"flow_idle_time":180000,"flow_min_l4_payload_len":40,"flow_max_l4_payload_len":40,"flow_tot_l4_payload_len":40,"flow_avg_l4_payload_len":40,"midstream":0,"ts_msec":1558968021026,"l3_proto":"ip4","src_ip":"74.125.47.136","dst_ip":"193.24.227.238","src_port":59330,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Acceptable","category":"Web"},"dns": {"query":"weberlab.de","num_queries":0,"num_answers":0,"reply_code":0,"query_type":48,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
02434{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":16,"source":"dns_fragmented.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":2,"flow_last_seen":1558968021027,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1514,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1514,"pkt_l4_len":1480,"ts_msec":1558968021027,"pkt":"AIac51UUAAwpil3XCABFAAXciTwgAEARrMjBGOPuSn0viAA158IGrsPBFaiEEAABAAQAAAABCHdlYmVybGFiAmRlAAAwAAHADAAwAAEAAAA8AQgBAAMKAwEAAdBU3CjxUKw7SeYza7cxyq\/Xg3znVQsMzuF\/UeLaigOubtJHhxhL+m129IxQkTKo8JRIXcKXD+aViztiml8+8BPCXFNPftFpdFCzBRNGHj\/ca1g\/Flck6v5avafB\/hGqbWKY2LEGKb5ktYWGj8JB0mrKGqDZVPyieC0dYVv02iOaOvUhdl7QtgVybR3V6gHlhoG0BxG+GbjUp+NyPClbuMOIwflbVGB5946PyQGQgnGNX2L1MHumOaYC\/D3UnyzQZNMmqj85GwDNPwEeDfLq6wm1BUfx7MwwcEVuO2B0YmUyiPiSfUoGTwm2P1nGNMhlYij3bY9VvyxCqPQnK0s5Tr3ADAAwAAEAAAA8AggBAQMKAwEAAd3v\/e0irXYKOwtYEB3VPe7z99qvi5le9\/y1XXyplp5y\/5xaqrm\/relG8pgx8GsNW2IgviJKAJ6UiU45ERKoH+fz2qf2SUFHFWwkweiWyLZ4EZHhowviCEx94P4OswNKXmdYHe38rlHPa+3OypW9gYfR9lhCKK3neCPq8\/aFFsTTI7dQ+Q2kERWiCMCybl4WOwsBo\/RlnPM4yufMKIlABiM5NWQPNmI6jYzAYpYoyUhd9HnnIIDlNQ89HpXQdFmysMraXYb7qDOoOEiOodttKH0y\/vtJ2SRU05RF4AEumacIUzAi5LL2cMQxC7t7rlDI4X42NRfOLAqGuOeclFjzqz3OdAJWeg\/AAnSbb02AGCkQ370TX1hWveAXt6xpPWOLgHXSLIF\/lz+wl+Dm8ZNWDnn5zEJuEj3xova1g8zmRXJOmqA6VhGqewxF8c+yKeNEOHz4X4\/RLmWHIuEbvboP00Dk5A9bhyZGVsytOJg+NwhFQtvBWLmD82FFtfSt2vmbFFNwAZOnRZWJOG9L7TFcGIm1OEULmohUyFLsBGMXDFOu1k0o6pqm495tsBuMyJNpfdQoPwOkUpsKi6jmNq6vRjvvNiJbcFylTQrqHGTGuOopuUsBbUXj\/nOr4I6j42k6GDIuTyLDkaVrdrxXmGnfNnStdqWmvHXo\/YFwdls9bcT7wAwALgABAAAAPAIfADAKAgAAADxdChURXOJ+MzN7CHdlYmVybGFiAmRlAB+yP4V\/njTX1ZrAUX52Q4ppNzTYQFwUb\/fZ7UyQYLNxrrstLuUEImGhNwZoGn47E0jCxJscYiApT\/lYiL2L1ySUl4RKqHIjPNuYuibs67t5ZabkYsahlYEA\/lOcM3eIQx9pu5Og7p1d2yBSUETOBiGw2mFf2+ESni6Ue4XPXEEYzAhiMRhuYOJAy8gBqoPjkRBcJfWJSQLCsK1uYySkTZfbAzgJeVM0nXd6azgG0BhRE+LeaO6rN3QVHDtfgnwRdZ0mqwEcP9Ixz7o9MUVSKZ24Kp1QfS5nvEHn5PilNALbZYZOO0cQAeV8BhlxVuALLDecEOLC8sY1mx6ozY5\/aRypyHA9HCrJT0qIHJwgtxE7l
doWyzsz32MKgZvCYMZSPOXK\/W3p61FPtD4iT4Id6xXDvyRuALL3waMUMwy3mSjXDHAdpXWaCOMfYx2IzRk4rN5TDQtUohYwaoSbystwDYKnhZGi9jS0G8FObyWhTrKCl7aTkMBaFEejCh0dfD5WJP+MDS\/TR32BG0S+GtGTl4n1Y8wgyP7nkz3\/REcevkIvpJRUImVc8A\/VPTI+9KvBSkoLPA9Za\/IpqUpgDVsKWU5bp0V0TdEryxvtwOnVXXdH0\/hJMgIgWhmZzY2\/UVoRBVGptWsAIhn5sO+UhcjvZ41p3t\/1mWp23BdUACblNtHcw2MALgABAAAAPAEfADAKAgAAADxdChURXOJ+M5BHCHdlYmVybGFiAmRlAHoYKuiyNMNSWsfXwtRR8n\/pKy73at02yEwt1EoWyfptV8sUoxs="}
-00824{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":16,"source":"dns_fragmented.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":2,"flow_first_seen":1558968021026,"flow_last_seen":1558968021027,"flow_idle_time":180000,"flow_min_l4_payload_len":40,"flow_max_l4_payload_len":1472,"flow_tot_l4_payload_len":1512,"flow_avg_l4_payload_len":756,"midstream":0,"ts_msec":1558968021027,"l3_proto":"ip4","src_ip":"74.125.47.136","dst_ip":"193.24.227.238","src_port":59330,"dst_port":53,"l4_proto":"udp","ndpi": {"flow_risk": {"37":"DNS packet larger than 512 bytes","38":"Fragmented DNS message"},"proto":"DNS.Google","breed":"Tracker\/Ads","category":"Web"},"dns": {"query":"weberlab.de","num_queries":1,"num_answers":5,"reply_code":0,"query_type":48,"rsp_type":48,"rsp_addr":"0.0.0.0"}}
+00737{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":16,"source":"dns_fragmented.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":2,"flow_first_seen":1558968021026,"flow_last_seen":1558968021027,"flow_idle_time":180000,"flow_min_l4_payload_len":40,"flow_max_l4_payload_len":1472,"flow_tot_l4_payload_len":1512,"flow_avg_l4_payload_len":756,"midstream":0,"ts_msec":1558968021027,"l3_proto":"ip4","src_ip":"74.125.47.136","dst_ip":"193.24.227.238","src_port":59330,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Acceptable","category":"Web"},"dns": {"query":"weberlab.de","num_queries":1,"num_answers":5,"reply_code":0,"query_type":48,"rsp_type":48,"rsp_addr":"0.0.0.0"}}
00638{"packet_event_id":1,"packet_event_name":"packet","thread_id":0,"packet_id":17,"source":"dns_fragmented.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":264,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":264,"pkt_l4_len":0,"ts_msec":1558968021027,"pkt":"AIac51UUAAwpil3XCABFAAD6iTwAuUAR0PHBGOPuSn0viJJWaQ8FS9tIHo+oVjY51cy6+fgiJNB2zCSb2h1J8D40RJyUZYc0lguNGrMzvogBYnbxInuDKD2B8SGaumxsynJulBSZTde74knucmk+7g4DbM0zyfRD0W3RhD3u0NFdji\/0zmiI817VkCE2GpVvuL3F8KDCC+EMYjJlOHqM+STJxPq9ZF8xJcVITkC6EY6CdRmYmQdqvRYWzDXPjGtyu5XT13H1VC8IJisNUehBDr2PeppANUdXFlyqVQ6mARL6UnTBT0xam7DpmuxycO7BOql2rC7KBJb4lykg9AAAKRAAAACAAAAA"}
00180{"basic_event_id":9,"basic_event_name":"nDPI IPv4\/L4 payload detection failed","thread_id":0,"packet_id":17,"source":"dns_fragmented.pcap","alias":"nDPId-test","l4_data_len":230}
00577{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":18,"source":"dns_fragmented.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":1,"flow_first_seen":1558968031134,"flow_last_seen":1558968031134,"flow_idle_time":180000,"flow_min_l4_payload_len":59,"flow_max_l4_payload_len":59,"flow_tot_l4_payload_len":59,"flow_avg_l4_payload_len":59,"midstream":0,"ts_msec":1558968031134,"l3_proto":"ip6","src_ip":"2a00:1450:4013:c05::10e","dst_ip":"2001:470:765b::a25:53","src_port":34944,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00543{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":18,"source":"dns_fragmented.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":1,"flow_last_seen":1558968031134,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":121,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":121,"pkt_l4_len":67,"ts_msec":1558968031134,"pkt":"AAwpil3XAIac51UUht1gCRS7AEMRbCoAFFBAEwwFAAAAAAAAAQ4gAQRwdlsAAAAAAAAKJQBTiIAANQBD+GeeBgAQAAEAAAAAAAEDZmcyCHdlYmVybGFiAmRlAAAcAAEAACkQAAAAgAAADwAIAAsAAjgAIAEEcB8LFg=="}
00741{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":18,"source":"dns_fragmented.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":1,"flow_first_seen":1558968031134,"flow_last_seen":1558968031134,"flow_idle_time":180000,"flow_min_l4_payload_len":59,"flow_max_l4_payload_len":59,"flow_tot_l4_payload_len":59,"flow_avg_l4_payload_len":59,"midstream":0,"ts_msec":1558968031134,"l3_proto":"ip6","src_ip":"2a00:1450:4013:c05::10e","dst_ip":"2001:470:765b::a25:53","src_port":34944,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS","breed":"Acceptable","category":"Network"},"dns": {"query":"fg2.weberlab.de","num_queries":0,"num_answers":0,"reply_code":0,"query_type":28,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
01574{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":19,"source":"dns_fragmented.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":2,"flow_last_seen":1558968031134,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":886,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":886,"pkt_l4_len":832,"ts_msec":1558968031134,"pkt":"AIac51UUAAwpil3Xht1gAJ7uA0ARQCABBHB2WwAAAAAAAAolAFMqABRQQBMMBQAAAAAAAAEOADWIgANANAyeBoQQAAEAAAAEAAEDZmcyCHdlYmVybGFiAmRlAAAcAAHAEAAGAAEAAAA8ADwDbnMwCHdlYmVyZG5zwBkJd2VibWFzdGVyCXdlYmVybmV0egNuZXQAeFhI6QAADhAAAAOEACTqAAAAADzAEAAuAAEAAAA8AR8ABgoCAAAAPF0SKiBc6o8QkEcId2ViZXJsYWICZGUAsAsLORY9T68251zcXXrXYMubapdXlnVZdczSZ8VjQS3g0dStlbXNUxRf4FJCpZevgIdkz+OzavU4Y3EyCKf5qxw7GiEllt+hznji85+jlwbqxa7BHuVrNf4YxsbIr0kaSblmtIn8e12vMQAgQIzOeK4VKGey+3rFftx2Cs7v0mw4V0Rd+gTYttfq+PLvGu8vSZibXFxqlj86VVzTwvOCEmjqKNyjon+\/djMG\/LpzWXoT2evp9l8K1VcJU\/8uUY9ZE4WS0WjV4uuPKKqmHeTkethHG1xsLp0jKFQP8kYfYkdlxDBuNu6KhurVxO4RiM92K63vMdmIW\/4VjMYm2cPPQCBWTlI1U0hKRjVHQ1RFQ1RIN0wwRUNLTEoxTkRGNE04S8CHADIAAQAAALQAMgEAABQQM4lV2XYIwLE0ewVnw5K1+BQAQBNLJ89Pbt3WSJZWXFg+eo1pkwAGQAAAAAACwZQALgABAAAAtAEfADIKAwAAALRdChEDXOJ73JBHCHdlYmVybGFiAmRlAFwWgMgEjrA1OcHB+Qo5dWmMix1bJ7WFGsQIkPmTlF\/KVvK6k5dVU4FDCZtKPuPYCkg0XLBOcR\/wguOUuuyBL7cbjUoN0UHJur34eNeWLngpBhaxFTmuqY80vKjed0ttFQ6uVnd2OAmDzRp6YxYtTin4\/XGlVO6lMt+k2mYftwRyr5Ohjp6NH+J8dbjX7gkD3ENGAHspVLSTz4LxrhUH8dsbFK8rT\/kUhlCBvTuJYAxOkSEWqp4vVZ54PXcY61pn5KAT8mJWdw+HLsa\/lUjZNXicEmky99XDlPLcJk7OI3ZM83QYPgYAFE\/lMHbTSiiue2rS4deUwWxFmnQYlhv0FA4AACkQAAAAgAAADwAIAAsAAjgAIAEEcB8LFg=="}
-00807{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":19,"source":"dns_fragmented.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":2,"flow_first_seen":1558968031134,"flow_last_seen":1558968031134,"flow_idle_time":180000,"flow_min_l4_payload_len":59,"flow_max_l4_payload_len":824,"flow_tot_l4_payload_len":883,"flow_avg_l4_payload_len":441,"midstream":0,"ts_msec":1558968031134,"l3_proto":"ip6","src_ip":"2a00:1450:4013:c05::10e","dst_ip":"2001:470:765b::a25:53","src_port":34944,"dst_port":53,"l4_proto":"udp","ndpi": {"flow_risk": {"37":"DNS packet larger than 512 bytes"},"proto":"DNS","breed":"Acceptable","category":"Network"},"dns": {"query":"fg2.weberlab.de","num_queries":1,"num_answers":5,"reply_code":0,"query_type":28,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
+00752{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":19,"source":"dns_fragmented.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":2,"flow_first_seen":1558968031134,"flow_last_seen":1558968031134,"flow_idle_time":180000,"flow_min_l4_payload_len":59,"flow_max_l4_payload_len":824,"flow_tot_l4_payload_len":883,"flow_avg_l4_payload_len":441,"midstream":0,"ts_msec":1558968031134,"l3_proto":"ip6","src_ip":"2a00:1450:4013:c05::10e","dst_ip":"2001:470:765b::a25:53","src_port":34944,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS","breed":"Acceptable","category":"Network"},"dns": {"query":"fg2.weberlab.de","num_queries":1,"num_answers":5,"reply_code":0,"query_type":28,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
00566{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":20,"source":"dns_fragmented.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":2,"flow_first_seen":1558968008021,"flow_last_seen":1558968008021,"flow_idle_time":180000,"flow_min_l4_payload_len":40,"flow_max_l4_payload_len":1472,"flow_tot_l4_payload_len":1512,"flow_avg_l4_payload_len":756,"midstream":0,"ts_msec":1559042371783,"l3_proto":"ip4","src_ip":"172.217.40.76","dst_ip":"193.24.227.238","src_port":56680,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00583{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":20,"source":"dns_fragmented.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":2,"flow_first_seen":1558968018074,"flow_last_seen":1558968018075,"flow_idle_time":180000,"flow_min_l4_payload_len":59,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":1499,"flow_avg_l4_payload_len":749,"midstream":0,"ts_msec":1559042371783,"l3_proto":"ip6","src_ip":"2a00:1450:4013:c06::105","dst_ip":"2001:470:765b::a25:53","src_port":63369,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00581{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":20,"source":"dns_fragmented.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":2,"flow_first_seen":1558968031134,"flow_last_seen":1558968031134,"flow_idle_time":180000,"flow_min_l4_payload_len":59,"flow_max_l4_payload_len":824,"flow_tot_l4_payload_len":883,"flow_avg_l4_payload_len":441,"midstream":0,"ts_msec":1559042371783,"l3_proto":"ip6","src_ip":"2a00:1450:4013:c05::10e","dst_ip":"2001:470:765b::a25:53","src_port":34944,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
@@ -100,14 +100,14 @@
00752{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":36,"source":"dns_fragmented.pcap","alias":"nDPId-test","flow_id":16,"flow_packets_processed":1,"flow_first_seen":1560869900222,"flow_last_seen":1560869900222,"flow_idle_time":180000,"flow_min_l4_payload_len":52,"flow_max_l4_payload_len":52,"flow_tot_l4_payload_len":52,"flow_avg_l4_payload_len":52,"midstream":0,"ts_msec":1560869900222,"l3_proto":"ip6","src_ip":"2001:470:1f0b:16b0:20c:29ff:fe7c:a4cb","dst_ip":"2001:470:765b::a25:53","src_port":55729,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS","breed":"Acceptable","category":"Network"},"dns": {"query":"weberlab.de","num_queries":0,"num_answers":0,"reply_code":0,"query_type":48,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
00534{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":37,"source":"dns_fragmented.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":2,"flow_last_seen":1560869905222,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":114,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":114,"pkt_l4_len":60,"ts_msec":1560869905222,"pkt":"CFsOoYNeAAwpfKTLht1gDZ0NADwRQCABBHAfCxawAgwp\/\/58pMsgAQRwdlsAAAAAAAAKJQBT2bEANQA8zxHCoAEgAAEAAAAAAAEId2ViZXJsYWICZGUAADAAAQAAKRAAAACAAAAMAAoACPFs5uYvfUZc"}
02406{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":38,"source":"dns_fragmented.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":3,"flow_last_seen":1560869905232,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1494,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":62,"pkt_len":1494,"pkt_l4_len":1432,"ts_msec":1560869905232,"pkt":"AAwpfKTLCFsOoYNeht1gC9IyBaAsPCABBHB2WwAAAAAAAAolAFMgAQRwHwsWsAIMKf\/+fKTLEQAAAQAABpoANdmxBspAOcKghQAAAQAEAAAAAQh3ZWJlcmxhYgJkZQAAMAABwAwAMAABAAAAPAIIAQEDCgMBAAHd7\/3tIq12CjsLWBAd1T3u8\/far4uZXvf8tV18qZaecv+cWqq5v63pRvKYMfBrDVtiIL4iSgCelIlOORESqB\/n89qn9klBRxVsJMHolsi2eBGR4aML4ghMfeD+DrMDSl5nWB3t\/K5Rz2vtzsqVvYGH0fZYQiit53gj6vP2hRbE0yO3UPkNpBEVogjAsm5eFjsLAaP0ZZzzOMrnzCiJQAYjOTVkDzZiOo2MwGKWKMlIXfR55yCA5TUPPR6V0HRZsrDK2l2G+6gzqDhIjqHbbSh9Mv77SdkkVNOUReABLpmnCFMwIuSy9nDEMQu7e65QyOF+NjUXziwKhrjnnJRY86s9znQCVnoPwAJ0m29NgBgpEN+9E19YVr3gF7esaT1ji4B10iyBf5c\/sJfg5vGTVg55+cxCbhI98aL2tYPM5kVyTpqgOlYRqnsMRfHPsinjRDh8+F+P0S5lhyLhG726D9NA5OQPW4cmRlbMrTiYPjcIRULbwVi5g\/NhRbX0rdr5mxRTcAGTp0WViThvS+0xXBiJtThFC5qIVMhS7ARjFwxTrtZNKOqapuPebbAbjMiTaX3UKD8DpFKbCouo5jaur0Y77zYiW3BcpU0K6hxkxrjqKblLAW1F4\/5zq+COo+NpOhgyLk8iw5Gla3a8V5hp3zZ0rXalprx16P2BcHZbPW3E+8AMADAAAQAAADwBCAEAAwoDAQAB0FTcKPFQrDtJ5jNrtzHKr9eDfOdVCwzO4X9R4tqKA65u0keHGEv6bXb0jFCRMqjwlEhdwpcP5pWLO2KaXz7wE8JcU09+0Wl0ULMFE0YeP9xrWD8WVyTq\/lq9p8H+EaptYpjYsQYpvmS1hYaPwkHSasoaoNlU\/KJ4LR1hW\/TaI5o69SF2XtC2BXJtHdXqAeWGgbQHEb4ZuNSn43I8KVu4w4jB+VtUYHn3jo\/JAZCCcY1fYvUwe6Y5pgL8PdSfLNBk0yaqPzkbAM0\/AR4N8urrCbUFR\/HszDBwRW47YHRiZTKI+JJ9SgZPCbY\/WcY0yGViKPdtj1W\/LEKo9CcrSzlOvcAMAC4AAQAAADwCHwAwCgIAAAA8XSexsF0AI8Ezewh3ZWJlcmxhYgJkZQDDZMohasNCzdZy+qXT+i9EuX\/inlaoHckoPQ6pZUM55HOKiXWwbCF2bgR2vTatltfgdQMYsjHLb9y8\/8K16x1bINo7jHhPhiQ3mZPnhRDbC819\/mg\/DAJlEfo4\/PIHroaOXHkEsxclA3Sfl5XzqMY8dIIjCMSIRohmpz3ajd1g8Q5nPhvruiTi3rbkkaFuvAu6JBazSxvplBTGRsLiwD\/keT1H0ch7BVc1oZ6xmkqy68vIsD63Fj1r1Prt7pmrCHTCuEgsO78D9dCQuWCLkJQxGUVXJj5CI3Hv7xFFgpu2WdK7EiEBH5rHphjb8hJPFep1cggz
gdSO7gr4PL16UQJ4paFWEovlSSSKN6CqV0KlzY5UKpoC4bOcRMiiujkcgLRcJzDNjTcP59699eiRBYcnSUNu7NR\/AQOsLe1gcGBMYVI28uXABijFJJPUYQFFRKKQYYy7U8augfodJClNM+5PjDrN7VUaoyW\/CtbFigLZaje\/SbLFkod9oTkuhnetL7fyEnlGfxKmEZ218qPcsKDJRrRyymc+WdZ+tPcZvQXr6AVS7RZSoUTV\/+5dVd2kWuuF2w5rsnAIOU3wwIEPhsTwq9njhb9Bp9jOMH3FFbo4srNvY4pocOs9Lic1Os813bu7VyQz3Nrv\/xfPOPvvG\/\/ufcPEO13FnB7dwg\/ymTeeu8NjAC4AAQAAADwBHwAwCgIAAAA8XSexsF0AI8GQRwh3"}
-00851{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":38,"source":"dns_fragmented.pcap","alias":"nDPId-test","flow_id":16,"flow_packets_processed":3,"flow_first_seen":1560869900222,"flow_last_seen":1560869905232,"flow_idle_time":180000,"flow_min_l4_payload_len":52,"flow_max_l4_payload_len":1424,"flow_tot_l4_payload_len":1528,"flow_avg_l4_payload_len":509,"midstream":0,"ts_msec":1560869905232,"l3_proto":"ip6","src_ip":"2001:470:1f0b:16b0:20c:29ff:fe7c:a4cb","dst_ip":"2001:470:765b::a25:53","src_port":55729,"dst_port":53,"l4_proto":"udp","ndpi": {"flow_risk": {"37":"DNS packet larger than 512 bytes","38":"Fragmented DNS message"},"proto":"DNS","breed":"Acceptable","category":"Network"},"dns": {"query":"weberlab.de","num_queries":1,"num_answers":5,"reply_code":0,"query_type":48,"rsp_type":48,"rsp_addr":"0.0.0.0"}}
+00766{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":38,"source":"dns_fragmented.pcap","alias":"nDPId-test","flow_id":16,"flow_packets_processed":3,"flow_first_seen":1560869900222,"flow_last_seen":1560869905232,"flow_idle_time":180000,"flow_min_l4_payload_len":52,"flow_max_l4_payload_len":1424,"flow_tot_l4_payload_len":1528,"flow_avg_l4_payload_len":509,"midstream":0,"ts_msec":1560869905232,"l3_proto":"ip6","src_ip":"2001:470:1f0b:16b0:20c:29ff:fe7c:a4cb","dst_ip":"2001:470:765b::a25:53","src_port":55729,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS","breed":"Acceptable","category":"Network"},"dns": {"query":"weberlab.de","num_queries":1,"num_answers":5,"reply_code":0,"query_type":48,"rsp_type":48,"rsp_addr":"0.0.0.0"}}
00783{"packet_event_id":1,"packet_event_name":"packet","thread_id":0,"packet_id":39,"source":"dns_fragmented.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":368,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":368,"pkt_l4_len":0,"ts_msec":1560869905233,"pkt":"AAwpfKTLCFsOoYNeht1gC9IyATosPCABBHB2WwAAAAAAAAolAFMgAQRwHwsWsAIMKf\/+fKTLEQAFmAAABpplYmVybGFiAmRlAKU8TJxFacYrnzjzribJyhzI\/PZTM81o7M0N53bVhGij+9zhJRNeoUG2ZbhJAUMEBAu7geapxJ7U1z+UqhkFSi8Qu6jROnMih5xzmixXOjO2RiHT8eMzQMHqilreexmdz+7rH4jCggpAg2YenRMzpvhrf0+OEWUNhwq6dNYVlNWg1Yf1oxCRsZ6Xiq2pemle4KOkgobWECgdELaMnIZKUJ0WtpAZJuCbAIPvak3YgHcNPR4Sbx1lKRTPW6QxjFsHJ5X\/B6mNMVtqG97wzaO\/ugVwH81Qt2Llpj5Wb873AtMbd7OQYLwhJ7fhxJ9xNJn6SlVRp6C+1P2Wyu\/7U0mgP+sAACkQAAAAgAAAHAAKABjxbObmL31GXCozdz5dCPwRZU4FwINgbJY="}
00181{"basic_event_id":12,"basic_event_name":"nDPI IPv6\/L4 payload detection failed","thread_id":0,"packet_id":39,"source":"dns_fragmented.pcap","alias":"nDPId-test","l4_data_len":334}
00559{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":40,"source":"dns_fragmented.pcap","alias":"nDPId-test","flow_id":17,"flow_packets_processed":1,"flow_first_seen":1560869910534,"flow_last_seen":1560869910534,"flow_idle_time":180000,"flow_min_l4_payload_len":52,"flow_max_l4_payload_len":52,"flow_tot_l4_payload_len":52,"flow_avg_l4_payload_len":52,"midstream":0,"ts_msec":1560869910534,"l3_proto":"ip4","src_ip":"194.247.5.6","dst_ip":"193.24.227.238","src_port":51791,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00505{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":40,"source":"dns_fragmented.pcap","alias":"nDPId-test","flow_id":17,"flow_packet_id":1,"flow_last_seen":1560869910534,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":94,"pkt_l4_len":60,"ts_msec":1560869910534,"pkt":"CFsOoYNeAAwpfKTLCABFAABQVdgAAEARt8DC9wUGwRjj7spPADUAPG1Sic4BIAABAAAAAAABCHdlYmVybGFiAmRlAAAwAAEAACkQAAAAgAAADAAKAAgdxATcWA6WbA=="}
00719{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":40,"source":"dns_fragmented.pcap","alias":"nDPId-test","flow_id":17,"flow_packets_processed":1,"flow_first_seen":1560869910534,"flow_last_seen":1560869910534,"flow_idle_time":180000,"flow_min_l4_payload_len":52,"flow_max_l4_payload_len":52,"flow_tot_l4_payload_len":52,"flow_avg_l4_payload_len":52,"midstream":0,"ts_msec":1560869910534,"l3_proto":"ip4","src_ip":"194.247.5.6","dst_ip":"193.24.227.238","src_port":51791,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS","breed":"Acceptable","category":"Network"},"dns": {"query":"weberlab.de","num_queries":0,"num_answers":0,"reply_code":0,"query_type":48,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
02432{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":41,"source":"dns_fragmented.pcap","alias":"nDPId-test","flow_id":17,"flow_packet_id":2,"flow_last_seen":1560869910547,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1514,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1514,"pkt_l4_len":1480,"ts_msec":1560869910547,"pkt":"AAwpfKTLCFsOoYNeCABFAAXc3KUgAEARC2fBGOPuwvcFBgA1yk8Gysn4ic6FAAABAAQAAAABCHdlYmVybGFiAmRlAAAwAAHADAAwAAEAAAA8AQgBAAMKAwEAAdBU3CjxUKw7SeYza7cxyq\/Xg3znVQsMzuF\/UeLaigOubtJHhxhL+m129IxQkTKo8JRIXcKXD+aViztiml8+8BPCXFNPftFpdFCzBRNGHj\/ca1g\/Flck6v5avafB\/hGqbWKY2LEGKb5ktYWGj8JB0mrKGqDZVPyieC0dYVv02iOaOvUhdl7QtgVybR3V6gHlhoG0BxG+GbjUp+NyPClbuMOIwflbVGB5946PyQGQgnGNX2L1MHumOaYC\/D3UnyzQZNMmqj85GwDNPwEeDfLq6wm1BUfx7MwwcEVuO2B0YmUyiPiSfUoGTwm2P1nGNMhlYij3bY9VvyxCqPQnK0s5Tr3ADAAwAAEAAAA8AggBAQMKAwEAAd3v\/e0irXYKOwtYEB3VPe7z99qvi5le9\/y1XXyplp5y\/5xaqrm\/relG8pgx8GsNW2IgviJKAJ6UiU45ERKoH+fz2qf2SUFHFWwkweiWyLZ4EZHhowviCEx94P4OswNKXmdYHe38rlHPa+3OypW9gYfR9lhCKK3neCPq8\/aFFsTTI7dQ+Q2kERWiCMCybl4WOwsBo\/RlnPM4yufMKIlABiM5NWQPNmI6jYzAYpYoyUhd9HnnIIDlNQ89HpXQdFmysMraXYb7qDOoOEiOodttKH0y\/vtJ2SRU05RF4AEumacIUzAi5LL2cMQxC7t7rlDI4X42NRfOLAqGuOeclFjzqz3OdAJWeg\/AAnSbb02AGCkQ370TX1hWveAXt6xpPWOLgHXSLIF\/lz+wl+Dm8ZNWDnn5zEJuEj3xova1g8zmRXJOmqA6VhGqewxF8c+yKeNEOHz4X4\/RLmWHIuEbvboP00Dk5A9bhyZGVsytOJg+NwhFQtvBWLmD82FFtfSt2vmbFFNwAZOnRZWJOG9L7TFcGIm1OEULmohUyFLsBGMXDFOu1k0o6pqm495tsBuMyJNpfdQoPwOkUpsKi6jmNq6vRjvvNiJbcFylTQrqHGTGuOopuUsBbUXj\/nOr4I6j42k6GDIuTyLDkaVrdrxXmGnfNnStdqWmvHXo\/YFwdls9bcT7wAwALgABAAAAPAIfADAKAgAAADxdJ7GwXQAjwTN7CHdlYmVybGFiAmRlAMNkyiFqw0LN1nL6pdP6L0S5f+KeVqgdySg9DqllQznkc4qJdbBsIXZuBHa9Nq2W1+B1AxiyMctv3Lz\/wrXrHVsg2juMeE+GJDeZk+eFENsLzX3+aD8MAmUR+jj88geuho5ceQSzFyUDdJ+XlfOoxjx0giMIxIhGiGanPdqN3WDxDmc+G+u6JOLetuSRoW68C7okFrNLG+mUFMZGwuLAP+R5PUfRyHsFVzWhnrGaSrLry8iwPrcWPWvU+u3umasIdMK4SCw7vwP10JC5YIuQlDEZRVcmPkIjce\/vEUWCm7ZZ0rsSIQEfmsemGNvyEk8V6nVyCDOB1I7uCvg8vXpRAniloVYSi+VJJIo3oKpXQqXNjlQ
qmgLhs5xEyKK6ORyAtFwnMM2NNw\/n3r316JEFhydJQ27s1H8BA6wt7WBwYExhUjby5cAGKMUkk9RhAUVEopBhjLtTxq6B+h0kKU0z7k+MOs3tVRqjJb8K1sWKAtlqN79JssWSh32hOS6Gd60vt\/ISeUZ\/EqYRnbXyo9ywoMlGtHLKZz5Z1n609xm9BevoBVLtFlKhRNX\/7l1V3aRa64XbDmuycAg5TfDAgQ+GxPCr2eOFv0Gn2M4wfcUVujiys29jimhw6z0uJzU6zzXdu7tXJDPc2u\/\/F884++8b\/+59w8Q7XcWcHt3CD\/KZN567w2MALgABAAAAPAEfADAKAgAAADxdJ7GwXQAjwZBHCHdlYmVybGFiAmRlAKU8TJxFacYrnzjzribJyhzI\/PZTM81o7M0N53bVhGij+9zhJRM="}
-00818{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":41,"source":"dns_fragmented.pcap","alias":"nDPId-test","flow_id":17,"flow_packets_processed":2,"flow_first_seen":1560869910534,"flow_last_seen":1560869910547,"flow_idle_time":180000,"flow_min_l4_payload_len":52,"flow_max_l4_payload_len":1472,"flow_tot_l4_payload_len":1524,"flow_avg_l4_payload_len":762,"midstream":0,"ts_msec":1560869910547,"l3_proto":"ip4","src_ip":"194.247.5.6","dst_ip":"193.24.227.238","src_port":51791,"dst_port":53,"l4_proto":"udp","ndpi": {"flow_risk": {"37":"DNS packet larger than 512 bytes","38":"Fragmented DNS message"},"proto":"DNS","breed":"Acceptable","category":"Network"},"dns": {"query":"weberlab.de","num_queries":1,"num_answers":5,"reply_code":0,"query_type":48,"rsp_type":48,"rsp_addr":"0.0.0.0"}}
+00733{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":41,"source":"dns_fragmented.pcap","alias":"nDPId-test","flow_id":17,"flow_packets_processed":2,"flow_first_seen":1560869910534,"flow_last_seen":1560869910547,"flow_idle_time":180000,"flow_min_l4_payload_len":52,"flow_max_l4_payload_len":1472,"flow_tot_l4_payload_len":1524,"flow_avg_l4_payload_len":762,"midstream":0,"ts_msec":1560869910547,"l3_proto":"ip4","src_ip":"194.247.5.6","dst_ip":"193.24.227.238","src_port":51791,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS","breed":"Acceptable","category":"Network"},"dns": {"query":"weberlab.de","num_queries":1,"num_answers":5,"reply_code":0,"query_type":48,"rsp_type":48,"rsp_addr":"0.0.0.0"}}
00684{"packet_event_id":1,"packet_event_name":"packet","thread_id":0,"packet_id":42,"source":"dns_fragmented.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":292,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":292,"pkt_l4_len":0,"ts_msec":1560869910547,"pkt":"AAwpfKTLCFsOoYNeCABFAAEW3KUAuUARL3TBGOPuwvcFBl6hQbZluEkBQwQEC7uB5qnEntTXP5SqGQVKLxC7qNE6cyKHnHOaLFc6M7ZGIdPx4zNAweqKWt57GZ3P7usfiMKCCkCDZh6dEzOm+Gt\/T44RZQ2HCrp01hWU1aDVh\/WjEJGxnpeKral6aV7go6SChtYQKB0QtoychkpQnRa2kBkm4JsAg+9qTdiAdw09HhJvHWUpFM9bpDGMWwcnlf8HqY0xW2ob3vDNo7+6BXAfzVC3YuWmPlZvzvcC0xt3s5BgvCEnt+HEn3E0mfpKVVGnoL7U\/ZbK7\/tTSaA\/6wAAKRAAAACAAAAcAAoAGB3EBNxYDpZslD4VVl0I\/BakNFp6chM\/YQ=="}
00180{"basic_event_id":9,"basic_event_name":"nDPI IPv4\/L4 payload detection failed","thread_id":0,"packet_id":42,"source":"dns_fragmented.pcap","alias":"nDPId-test","l4_data_len":258}
00591{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":43,"source":"dns_fragmented.pcap","alias":"nDPId-test","flow_id":18,"flow_packets_processed":1,"flow_first_seen":1560869913732,"flow_last_seen":1560869913732,"flow_idle_time":180000,"flow_min_l4_payload_len":44,"flow_max_l4_payload_len":44,"flow_tot_l4_payload_len":44,"flow_avg_l4_payload_len":44,"midstream":0,"ts_msec":1560869913732,"l3_proto":"ip6","src_ip":"2001:470:1f0b:16b0:20c:29ff:fe7c:a4cb","dst_ip":"2606:4700:4700::1111","src_port":60550,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
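Review bot: The new expected `detection-update` events for flows 16 and 17 (packet_id 38 and 41) no longer contain `"flow_risk": {"37":"DNS packet larger than 512 bytes","38":"Fragmented DNS message"}`, so this golden file stops pinning the risk that dns_fragmented.pcap appears to exist to exercise. The preceding hunk of the same file drops the same object for flows 5, 6 and 7, and also changes the DNS.Google breed from `Tracker\/Ads` to `Acceptable`. Nothing in the visible added lines reports the risk in another event or field, so from this diff alone it reads as lost detection coverage rather than a relocation. Please confirm against the nDPId.c and schema/flow_event_schema.json changes in this commit whether the risk is still emitted. If it is, the expected output should show it; if the removal is intended, the commit description should say why.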
@@ -151,9 +151,9 @@
~~ total active/idle flows...: 21/21
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1962155 bytes
-~~ total memory freed........: 1962155 bytes
-~~ total allocations/frees...: 35457/35457
+~~ total memory allocated....: 4615990 bytes
+~~ total memory freed........: 4615990 bytes
+~~ total allocations/frees...: 99653/99653
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 169 chars
~~ json string max len.......: 2439 chars
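Review bot: For the same capture and the same `21/21` flow total, allocated memory goes from `1962155` to `4615990` bytes and allocations from `35457` to `99653`. Allocated and freed still match, so nothing here points to a leak. The per-run cost has still more than doubled, and for a daemon that parses untrusted traffic the per-flow memory cost sets how many flows it can track before it runs out. The cause is presumably the libnDPI submodule change listed in the diffstat, but this hunk does not show that. The commit description should name it, so that a later unexplained jump in these counters is not accepted as routine.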
diff --git a/test/results/dns_invert_query.pcapng.out b/test/results/dns_invert_query.pcapng.out
new file mode 100644
index 000000000..9f681b15b
--- /dev/null
+++ b/test/results/dns_invert_query.pcapng.out
@@ -0,0 +1,22 @@
+00452{"daemon_event_id":1,"daemon_event_name":"init","thread_id":0,"packet_id":0,"source":"dns_invert_query.pcapng","alias":"nDPId-test","max-flows-per-thread":2048,"max-idle-flows-per-thread":256,"tick-resolution":1000,"reader-thread-count":1,"flow-scan-interval":10000,"generic-max-idle-time":600000,"icmp-max-idle-time":120000,"udp-max-idle-time":180000,"tcp-max-idle-time":7560000,"max-packets-per-flow-to-send":3,"max-packets-per-flow-to-process":255}
+00563{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1,"source":"dns_invert_query.pcapng","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1618744019230,"flow_last_seen":1618744019230,"flow_idle_time":180000,"flow_min_l4_payload_len":36,"flow_max_l4_payload_len":36,"flow_tot_l4_payload_len":36,"flow_avg_l4_payload_len":36,"midstream":0,"ts_msec":1618744019230,"l3_proto":"ip4","src_ip":"173.147.108.174","dst_ip":"244.187.95.1","src_port":18427,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00484{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"dns_invert_query.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_last_seen":1618744019230,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"ts_msec":1618744019230,"pkt":"AAAAAAAAAAEAVKCBCABFAABAAABAAEARzK6tk2yu9LtfAUf7ADUALMGVd\/wJAAAAAAEAAAAAAzIxNgI1OAMyMDIBNAAAAQABAAAAAAAA"}
+00723{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"dns_invert_query.pcapng","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1618744019230,"flow_last_seen":1618744019230,"flow_idle_time":180000,"flow_min_l4_payload_len":36,"flow_max_l4_payload_len":36,"flow_tot_l4_payload_len":36,"flow_avg_l4_payload_len":36,"midstream":0,"ts_msec":1618744019230,"l3_proto":"ip4","src_ip":"173.147.108.174","dst_ip":"244.187.95.1","src_port":18427,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS","breed":"Acceptable","category":"Network"},"dns": {"query":"216.58.202.4","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
+00457{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"dns_invert_query.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_last_seen":1618744019235,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":56,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":56,"pkt_l4_len":20,"ts_msec":1618744019235,"pkt":"AAAAAAAAAAEAVKCBCABFAAAoAABAADsR0cb0u18BrZNsrgA1R\/sAFEgWd\/yJhAAAAAAAAAAAAAA="}
+00564{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2,"source":"dns_invert_query.pcapng","alias":"nDPId-test","flow_id":1,"flow_packets_processed":2,"flow_first_seen":1618744019230,"flow_last_seen":1618744019235,"flow_idle_time":180000,"flow_min_l4_payload_len":12,"flow_max_l4_payload_len":36,"flow_tot_l4_payload_len":48,"flow_avg_l4_payload_len":24,"midstream":0,"ts_msec":1618744019235,"l3_proto":"ip4","src_ip":"173.147.108.174","dst_ip":"244.187.95.1","src_port":18427,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00165{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":2,"source":"dns_invert_query.pcapng","alias":"nDPId-test","total-events-serialized":7}
+~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
+~~ packets captured/processed: 2/2
+~~ skipped flows.............: 0
+~~ total layer4 data length..: 48 bytes
+~~ total detected protocols..: 1
+~~ total active/idle flows...: 1/1
+~~ total timeout flows.......: 0
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~ total memory allocated....: 4590497 bytes
+~~ total memory freed........: 4590497 bytes
+~~ total allocations/frees...: 99536/99536
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~ json string min len.......: 170 chars
+~~ json string max len.......: 728 chars
+~~ json string avg len.......: 511 chars
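Review bot: The `detected` event pinned for this capture has no `flow_risk` and nothing in its `dns` object that tells an inverse query apart from an ordinary lookup; it reports `"query_type":1` with `"query":"216.58.202.4"` and breed `Acceptable`. Decoding the `pkt` field of packet 1 appears to give DNS flags `0x0900`, i.e. opcode 1 (IQUERY, obsoleted by RFC 3425), though that should be confirmed against the capture itself. As recorded, the baseline asserts that such traffic is reported as plain DNS, so a later change that starts flagging it will surface as a test diff. If this is a known gap, state it in the commit description, e.g. `dns_invert_query: DNS opcode is not exposed in the event, expected output records current behaviour`.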
diff --git a/test/results/dns_long_domainname.pcap.out b/test/results/dns_long_domainname.pcap.out
index fc3b94e0d..c702a6657 100644
--- a/test/results/dns_long_domainname.pcap.out
+++ b/test/results/dns_long_domainname.pcap.out
@@ -1,9 +1,9 @@
00453{"daemon_event_id":1,"daemon_event_name":"init","thread_id":0,"packet_id":0,"source":"dns_long_domainname.pcap","alias":"nDPId-test","max-flows-per-thread":2048,"max-idle-flows-per-thread":256,"tick-resolution":1000,"reader-thread-count":1,"flow-scan-interval":10000,"generic-max-idle-time":600000,"icmp-max-idle-time":120000,"udp-max-idle-time":180000,"tcp-max-idle-time":7560000,"max-packets-per-flow-to-send":3,"max-packets-per-flow-to-process":255}
00557{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1,"source":"dns_long_domainname.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1599686652555,"flow_last_seen":1599686652555,"flow_idle_time":180000,"flow_min_l4_payload_len":61,"flow_max_l4_payload_len":61,"flow_tot_l4_payload_len":61,"flow_avg_l4_payload_len":61,"midstream":0,"ts_msec":1599686652555,"l3_proto":"ip4","src_ip":"192.168.1.168","dst_ip":"8.8.8.8","src_port":65311,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00522{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"dns_long_domainname.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_last_seen":1599686652555,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":103,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":103,"pkt_l4_len":69,"ts_msec":1599686652555,"pkt":"EBMx8Tl2KDc3AG3ICABFAABZsREAAEAR9yLAqAGoCAgICP8fADUARcOpi1QBAAABAAAAAAAABmdtcjAyYwIxNgEwDGZoa2Zoc2RrZmhzawZ0dW5uZWwHZXhhbXBsZQNjb20AAAEAAQ=="}
-00753{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"dns_long_domainname.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1599686652555,"flow_last_seen":1599686652555,"flow_idle_time":180000,"flow_min_l4_payload_len":61,"flow_max_l4_payload_len":61,"flow_tot_l4_payload_len":61,"flow_avg_l4_payload_len":61,"midstream":0,"ts_msec":1599686652555,"l3_proto":"ip4","src_ip":"192.168.1.168","dst_ip":"8.8.8.8","src_port":65311,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Tracker\/Ads","category":"Web"},"dns": {"query":"gmr02c.16.0.fhkfhsdkfhsk.tunnel.example.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
+00751{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"dns_long_domainname.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1599686652555,"flow_last_seen":1599686652555,"flow_idle_time":180000,"flow_min_l4_payload_len":61,"flow_max_l4_payload_len":61,"flow_tot_l4_payload_len":61,"flow_avg_l4_payload_len":61,"midstream":0,"ts_msec":1599686652555,"l3_proto":"ip4","src_ip":"192.168.1.168","dst_ip":"8.8.8.8","src_port":65311,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Acceptable","category":"Web"},"dns": {"query":"gmr02c.16.0.fhkfhsdkfhsk.tunnel.example.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
00596{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"dns_long_domainname.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_last_seen":1599686652578,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":159,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":159,"pkt_l4_len":125,"ts_msec":1599686652578,"pkt":"KDc3AG3IEBMx8Tl2CABFAACR3WoAAHYRlJEICAgIwKgBqAA1\/x8AfQAAi1SBgwABAAAAAQAABmdtcjAyYwIxNgEwDGZoa2Zoc2RrZmhzawZ0dW5uZWwHZXhhbXBsZQNjb20AAAEAAcAsAAYAAQAABcMALAJucwVpY2FubgNvcmcAA25vYwNkbnPATHhn+r4AABwgAAAOEAASdQAAAA4Q"}
-00763{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2,"source":"dns_long_domainname.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":2,"flow_first_seen":1599686652555,"flow_last_seen":1599686652578,"flow_idle_time":180000,"flow_min_l4_payload_len":61,"flow_max_l4_payload_len":117,"flow_tot_l4_payload_len":178,"flow_avg_l4_payload_len":89,"midstream":0,"ts_msec":1599686652578,"l3_proto":"ip4","src_ip":"192.168.1.168","dst_ip":"8.8.8.8","src_port":65311,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Tracker\/Ads","category":"Web"},"dns": {"query":"gmr02c.16.0.fhkfhsdkfhsk.tunnel.example.com","num_queries":1,"num_answers":1,"reply_code":3,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
+00761{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2,"source":"dns_long_domainname.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":2,"flow_first_seen":1599686652555,"flow_last_seen":1599686652578,"flow_idle_time":180000,"flow_min_l4_payload_len":61,"flow_max_l4_payload_len":117,"flow_tot_l4_payload_len":178,"flow_avg_l4_payload_len":89,"midstream":0,"ts_msec":1599686652578,"l3_proto":"ip4","src_ip":"192.168.1.168","dst_ip":"8.8.8.8","src_port":65311,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Acceptable","category":"Web"},"dns": {"query":"gmr02c.16.0.fhkfhsdkfhsk.tunnel.example.com","num_queries":1,"num_answers":1,"reply_code":3,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
00560{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2,"source":"dns_long_domainname.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":2,"flow_first_seen":1599686652555,"flow_last_seen":1599686652578,"flow_idle_time":180000,"flow_min_l4_payload_len":61,"flow_max_l4_payload_len":117,"flow_tot_l4_payload_len":178,"flow_avg_l4_payload_len":89,"midstream":0,"ts_msec":1599686652578,"l3_proto":"ip4","src_ip":"192.168.1.168","dst_ip":"8.8.8.8","src_port":65311,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00166{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":2,"source":"dns_long_domainname.pcap","alias":"nDPId-test","total-events-serialized":8}
~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
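Review bot: The `breed` of `DNS.Google` flips from `Tracker\/Ads` to `Acceptable` in both the `detected` and the `detection-update` line, which changes what any consumer filtering or alerting on `breed` sees for this flow. After the change the events for `gmr02c.16.0.fhkfhsdkfhsk.tunnel.example.com`, answered with `"reply_code":3`, carry neither a `flow_risk` nor a non-default breed, so nothing in the output distinguishes this flow from ordinary resolver traffic. The reclassification presumably comes from the libnDPI submodule update and not from nDPId itself. The commit description should say that it is intended, e.g. `DNS.Google breed is now Acceptable (upstream nDPI change)`.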
@@ -14,10 +14,10 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1928182 bytes
-~~ total memory freed........: 1928182 bytes
-~~ total allocations/frees...: 35340/35340
+~~ total memory allocated....: 4590497 bytes
+~~ total memory freed........: 4590497 bytes
+~~ total allocations/frees...: 99536/99536
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 171 chars
-~~ json string max len.......: 768 chars
-~~ json string avg len.......: 535 chars
+~~ json string max len.......: 766 chars
+~~ json string avg len.......: 534 chars
diff --git a/test/results/dnscrypt-v1-and-resolver-pings.pcap.out b/test/results/dnscrypt-v1-and-resolver-pings.pcap.out
index 65ef946f3..9d56cc0fc 100644
--- a/test/results/dnscrypt-v1-and-resolver-pings.pcap.out
+++ b/test/results/dnscrypt-v1-and-resolver-pings.pcap.out
@@ -423,26 +423,26 @@
00702{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":206,"source":"dnscrypt-v1-and-resolver-pings.pcap","alias":"nDPId-test","flow_id":83,"flow_packet_id":2,"flow_last_seen":946739311314,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":224,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":224,"pkt_l4_len":190,"ts_msec":946739311314,"pkt":"ZmZmZmZmRERERERECABFAADShQMAADIRAC7NuXR0CgAAAQIplYYAvqc0nSaBgAABAAEAAAAAATINZG5zY3J5cHQtY2VydAdmcmVldHNhA29yZwAAEAABwAwAEAABAAAAAAB9fEROU0MAAQAAn\/hr1LBKsWo8ISWGing3CJIxyJebVH0i+FiEft0kNqLwa8d8MG0HYasP8XBuGRRYuXbJWON+8OmftD\/GOCqkDQBv6De0v2\/+w89vsWNxuh1o1S9D9qyf\/kIslLiOA5h7AG\/oN7S\/b\/5fU2VhX1NlYV9UtuE="}
00574{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":207,"source":"dnscrypt-v1-and-resolver-pings.pcap","alias":"nDPId-test","flow_id":85,"flow_packets_processed":1,"flow_first_seen":946739311802,"flow_last_seen":946739311802,"flow_idle_time":180000,"flow_min_l4_payload_len":512,"flow_max_l4_payload_len":512,"flow_tot_l4_payload_len":512,"flow_avg_l4_payload_len":512,"midstream":0,"ts_msec":946739311802,"l3_proto":"ip4","src_ip":"10.0.0.1","dst_ip":"52.65.235.129","src_port":55834,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
01135{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":207,"source":"dnscrypt-v1-and-resolver-pings.pcap","alias":"nDPId-test","flow_id":85,"flow_packet_id":1,"flow_last_seen":946739311802,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":554,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":554,"pkt_l4_len":520,"ts_msec":946739311802,"pkt":"REREREREZmZmZmZmCABFAAIcgu5AAL0RWGMKAAABNEHrgdoaAbsCCOKYCnMBAAABAAAAAAABATINZG5zY3J5cHQtY2VydApkZWZmZXItZG5zAmF1AAAQAAEAAAAAAAAAAAABxgAMAcIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="}
-00675{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":207,"source":"dnscrypt-v1-and-resolver-pings.pcap","alias":"nDPId-test","flow_id":85,"flow_packets_processed":1,"flow_first_seen":946739311802,"flow_last_seen":946739311802,"flow_idle_time":180000,"flow_min_l4_payload_len":512,"flow_max_l4_payload_len":512,"flow_tot_l4_payload_len":512,"flow_avg_l4_payload_len":512,"midstream":0,"ts_msec":946739311802,"l3_proto":"ip4","src_ip":"10.0.0.1","dst_ip":"52.65.235.129","src_port":55834,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"DNScrypt.Amazon","breed":"Acceptable","category":"Network"}}
+00678{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":207,"source":"dnscrypt-v1-and-resolver-pings.pcap","alias":"nDPId-test","flow_id":85,"flow_packets_processed":1,"flow_first_seen":946739311802,"flow_last_seen":946739311802,"flow_idle_time":180000,"flow_min_l4_payload_len":512,"flow_max_l4_payload_len":512,"flow_tot_l4_payload_len":512,"flow_avg_l4_payload_len":512,"midstream":0,"ts_msec":946739311802,"l3_proto":"ip4","src_ip":"10.0.0.1","dst_ip":"52.65.235.129","src_port":55834,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"DNScrypt.AmazonAWS","breed":"Acceptable","category":"Network"}}
00578{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":208,"source":"dnscrypt-v1-and-resolver-pings.pcap","alias":"nDPId-test","flow_id":86,"flow_packets_processed":1,"flow_first_seen":946739311802,"flow_last_seen":946739311802,"flow_idle_time":180000,"flow_min_l4_payload_len":1472,"flow_max_l4_payload_len":1472,"flow_tot_l4_payload_len":1472,"flow_avg_l4_payload_len":1472,"midstream":0,"ts_msec":946739311802,"l3_proto":"ip4","src_ip":"10.0.0.1","dst_ip":"52.65.235.129","src_port":46313,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
02418{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":208,"source":"dnscrypt-v1-and-resolver-pings.pcap","alias":"nDPId-test","flow_id":86,"flow_packet_id":1,"flow_last_seen":946739311802,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1514,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1514,"pkt_l4_len":1480,"ts_msec":946739311802,"pkt":"REREREREZmZmZmZmCABFAAXcgu8gAL0RdKIKAAABNEHrgbTpAbsGBA+NCnABAAABAAAAAAABATINZG5zY3J5cHQtY2VydApkZWZmZXItZG5zAmF1AAAQAAEAAAAAAAAAAAAFwgAMBb4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="}
-00679{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":208,"source":"dnscrypt-v1-and-resolver-pings.pcap","alias":"nDPId-test","flow_id":86,"flow_packets_processed":1,"flow_first_seen":946739311802,"flow_last_seen":946739311802,"flow_idle_time":180000,"flow_min_l4_payload_len":1472,"flow_max_l4_payload_len":1472,"flow_tot_l4_payload_len":1472,"flow_avg_l4_payload_len":1472,"midstream":0,"ts_msec":946739311802,"l3_proto":"ip4","src_ip":"10.0.0.1","dst_ip":"52.65.235.129","src_port":46313,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"DNScrypt.Amazon","breed":"Acceptable","category":"Network"}}
+00682{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":208,"source":"dnscrypt-v1-and-resolver-pings.pcap","alias":"nDPId-test","flow_id":86,"flow_packets_processed":1,"flow_first_seen":946739311802,"flow_last_seen":946739311802,"flow_idle_time":180000,"flow_min_l4_payload_len":1472,"flow_max_l4_payload_len":1472,"flow_tot_l4_payload_len":1472,"flow_avg_l4_payload_len":1472,"midstream":0,"ts_msec":946739311802,"l3_proto":"ip4","src_ip":"10.0.0.1","dst_ip":"52.65.235.129","src_port":46313,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"DNScrypt.AmazonAWS","breed":"Acceptable","category":"Network"}}
00574{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":209,"source":"dnscrypt-v1-and-resolver-pings.pcap","alias":"nDPId-test","flow_id":87,"flow_packets_processed":1,"flow_first_seen":946739311802,"flow_last_seen":946739311802,"flow_idle_time":180000,"flow_min_l4_payload_len":512,"flow_max_l4_payload_len":512,"flow_tot_l4_payload_len":512,"flow_avg_l4_payload_len":512,"midstream":0,"ts_msec":946739311802,"l3_proto":"ip4","src_ip":"10.0.0.1","dst_ip":"52.65.235.129","src_port":52911,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
01135{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":209,"source":"dnscrypt-v1-and-resolver-pings.pcap","alias":"nDPId-test","flow_id":87,"flow_packet_id":1,"flow_last_seen":946739311802,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":554,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":554,"pkt_l4_len":520,"ts_msec":946739311802,"pkt":"REREREREZmZmZmZmCABFAAIcgvBAAL0RWGEKAAABNEHrgc6vAbsCCOKYCnEBAAABAAAAAAABATINZG5zY3J5cHQtY2VydApkZWZmZXItZG5zAmF1AAAQAAEAAAAAAAAAAAABxgAMAcIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="}
-00675{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":209,"source":"dnscrypt-v1-and-resolver-pings.pcap","alias":"nDPId-test","flow_id":87,"flow_packets_processed":1,"flow_first_seen":946739311802,"flow_last_seen":946739311802,"flow_idle_time":180000,"flow_min_l4_payload_len":512,"flow_max_l4_payload_len":512,"flow_tot_l4_payload_len":512,"flow_avg_l4_payload_len":512,"midstream":0,"ts_msec":946739311802,"l3_proto":"ip4","src_ip":"10.0.0.1","dst_ip":"52.65.235.129","src_port":52911,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"DNScrypt.Amazon","breed":"Acceptable","category":"Network"}}
+00678{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":209,"source":"dnscrypt-v1-and-resolver-pings.pcap","alias":"nDPId-test","flow_id":87,"flow_packets_processed":1,"flow_first_seen":946739311802,"flow_last_seen":946739311802,"flow_idle_time":180000,"flow_min_l4_payload_len":512,"flow_max_l4_payload_len":512,"flow_tot_l4_payload_len":512,"flow_avg_l4_payload_len":512,"midstream":0,"ts_msec":946739311802,"l3_proto":"ip4","src_ip":"10.0.0.1","dst_ip":"52.65.235.129","src_port":52911,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"DNScrypt.AmazonAWS","breed":"Acceptable","category":"Network"}}
00427{"packet_event_id":1,"packet_event_name":"packet","thread_id":0,"packet_id":210,"source":"dnscrypt-v1-and-resolver-pings.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":94,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":94,"pkt_l4_len":0,"ts_msec":946739311802,"pkt":"REREREREZmZmZmZmCABFAABQgu8Aub0RmXUKAAABNEHrgQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="}
00196{"basic_event_id":9,"basic_event_name":"nDPI IPv4\/L4 payload detection failed","thread_id":0,"packet_id":210,"source":"dnscrypt-v1-and-resolver-pings.pcap","alias":"nDPId-test","l4_data_len":60}
00578{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":211,"source":"dnscrypt-v1-and-resolver-pings.pcap","alias":"nDPId-test","flow_id":88,"flow_packets_processed":1,"flow_first_seen":946739311802,"flow_last_seen":946739311802,"flow_idle_time":180000,"flow_min_l4_payload_len":1472,"flow_max_l4_payload_len":1472,"flow_tot_l4_payload_len":1472,"flow_avg_l4_payload_len":1472,"midstream":0,"ts_msec":946739311802,"l3_proto":"ip4","src_ip":"10.0.0.1","dst_ip":"52.65.235.129","src_port":47685,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
02418{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":211,"source":"dnscrypt-v1-and-resolver-pings.pcap","alias":"nDPId-test","flow_id":88,"flow_packet_id":1,"flow_last_seen":946739311802,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1514,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1514,"pkt_l4_len":1480,"ts_msec":946739311802,"pkt":"REREREREZmZmZmZmCABFAAXcgvEgAL0RdKAKAAABNEHrgbpFAbsGBAozCm4BAAABAAAAAAABATINZG5zY3J5cHQtY2VydApkZWZmZXItZG5zAmF1AAAQAAEAAAAAAAAAAAAFwgAMBb4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="}
-00679{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":211,"source":"dnscrypt-v1-and-resolver-pings.pcap","alias":"nDPId-test","flow_id":88,"flow_packets_processed":1,"flow_first_seen":946739311802,"flow_last_seen":946739311802,"flow_idle_time":180000,"flow_min_l4_payload_len":1472,"flow_max_l4_payload_len":1472,"flow_tot_l4_payload_len":1472,"flow_avg_l4_payload_len":1472,"midstream":0,"ts_msec":946739311802,"l3_proto":"ip4","src_ip":"10.0.0.1","dst_ip":"52.65.235.129","src_port":47685,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"DNScrypt.Amazon","breed":"Acceptable","category":"Network"}}
+00682{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":211,"source":"dnscrypt-v1-and-resolver-pings.pcap","alias":"nDPId-test","flow_id":88,"flow_packets_processed":1,"flow_first_seen":946739311802,"flow_last_seen":946739311802,"flow_idle_time":180000,"flow_min_l4_payload_len":1472,"flow_max_l4_payload_len":1472,"flow_tot_l4_payload_len":1472,"flow_avg_l4_payload_len":1472,"midstream":0,"ts_msec":946739311802,"l3_proto":"ip4","src_ip":"10.0.0.1","dst_ip":"52.65.235.129","src_port":47685,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"DNScrypt.AmazonAWS","breed":"Acceptable","category":"Network"}}
00574{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":212,"source":"dnscrypt-v1-and-resolver-pings.pcap","alias":"nDPId-test","flow_id":89,"flow_packets_processed":1,"flow_first_seen":946739311802,"flow_last_seen":946739311802,"flow_idle_time":180000,"flow_min_l4_payload_len":512,"flow_max_l4_payload_len":512,"flow_tot_l4_payload_len":512,"flow_avg_l4_payload_len":512,"midstream":0,"ts_msec":946739311802,"l3_proto":"ip4","src_ip":"10.0.0.1","dst_ip":"52.65.235.129","src_port":55979,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
01135{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":212,"source":"dnscrypt-v1-and-resolver-pings.pcap","alias":"nDPId-test","flow_id":89,"flow_packet_id":1,"flow_last_seen":946739311802,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":554,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":554,"pkt_l4_len":520,"ts_msec":946739311802,"pkt":"REREREREZmZmZmZmCABFAAIcgvJAAL0RWF8KAAABNEHrgdqrAbsCCOKYCm8BAAABAAAAAAABATINZG5zY3J5cHQtY2VydApkZWZmZXItZG5zAmF1AAAQAAEAAAAAAAAAAAABxgAMAcIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="}
-00675{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":212,"source":"dnscrypt-v1-and-resolver-pings.pcap","alias":"nDPId-test","flow_id":89,"flow_packets_processed":1,"flow_first_seen":946739311802,"flow_last_seen":946739311802,"flow_idle_time":180000,"flow_min_l4_payload_len":512,"flow_max_l4_payload_len":512,"flow_tot_l4_payload_len":512,"flow_avg_l4_payload_len":512,"midstream":0,"ts_msec":946739311802,"l3_proto":"ip4","src_ip":"10.0.0.1","dst_ip":"52.65.235.129","src_port":55979,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"DNScrypt.Amazon","breed":"Acceptable","category":"Network"}}
+00678{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":212,"source":"dnscrypt-v1-and-resolver-pings.pcap","alias":"nDPId-test","flow_id":89,"flow_packets_processed":1,"flow_first_seen":946739311802,"flow_last_seen":946739311802,"flow_idle_time":180000,"flow_min_l4_payload_len":512,"flow_max_l4_payload_len":512,"flow_tot_l4_payload_len":512,"flow_avg_l4_payload_len":512,"midstream":0,"ts_msec":946739311802,"l3_proto":"ip4","src_ip":"10.0.0.1","dst_ip":"52.65.235.129","src_port":55979,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"DNScrypt.AmazonAWS","breed":"Acceptable","category":"Network"}}
00427{"packet_event_id":1,"packet_event_name":"packet","thread_id":0,"packet_id":213,"source":"dnscrypt-v1-and-resolver-pings.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":94,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":94,"pkt_l4_len":0,"ts_msec":946739311802,"pkt":"REREREREZmZmZmZmCABFAABQgvEAub0RmXMKAAABNEHrgQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="}
00196{"basic_event_id":9,"basic_event_name":"nDPI IPv4\/L4 payload detection failed","thread_id":0,"packet_id":213,"source":"dnscrypt-v1-and-resolver-pings.pcap","alias":"nDPId-test","l4_data_len":60}
00578{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":214,"source":"dnscrypt-v1-and-resolver-pings.pcap","alias":"nDPId-test","flow_id":90,"flow_packets_processed":1,"flow_first_seen":946739311802,"flow_last_seen":946739311802,"flow_idle_time":180000,"flow_min_l4_payload_len":1472,"flow_max_l4_payload_len":1472,"flow_tot_l4_payload_len":1472,"flow_avg_l4_payload_len":1472,"midstream":0,"ts_msec":946739311802,"l3_proto":"ip4","src_ip":"10.0.0.1","dst_ip":"52.65.235.129","src_port":55409,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
02418{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":214,"source":"dnscrypt-v1-and-resolver-pings.pcap","alias":"nDPId-test","flow_id":90,"flow_packet_id":1,"flow_last_seen":946739311802,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1514,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1514,"pkt_l4_len":1480,"ts_msec":946739311802,"pkt":"REREREREZmZmZmZmCABFAAXcgvMgAL0RdJ4KAAABNEHrgdhxAbsGBOwCCnIBAAABAAAAAAABATINZG5zY3J5cHQtY2VydApkZWZmZXItZG5zAmF1AAAQAAEAAAAAAAAAAAAFwgAMBb4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="}
-00679{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":214,"source":"dnscrypt-v1-and-resolver-pings.pcap","alias":"nDPId-test","flow_id":90,"flow_packets_processed":1,"flow_first_seen":946739311802,"flow_last_seen":946739311802,"flow_idle_time":180000,"flow_min_l4_payload_len":1472,"flow_max_l4_payload_len":1472,"flow_tot_l4_payload_len":1472,"flow_avg_l4_payload_len":1472,"midstream":0,"ts_msec":946739311802,"l3_proto":"ip4","src_ip":"10.0.0.1","dst_ip":"52.65.235.129","src_port":55409,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"DNScrypt.Amazon","breed":"Acceptable","category":"Network"}}
+00682{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":214,"source":"dnscrypt-v1-and-resolver-pings.pcap","alias":"nDPId-test","flow_id":90,"flow_packets_processed":1,"flow_first_seen":946739311802,"flow_last_seen":946739311802,"flow_idle_time":180000,"flow_min_l4_payload_len":1472,"flow_max_l4_payload_len":1472,"flow_tot_l4_payload_len":1472,"flow_avg_l4_payload_len":1472,"midstream":0,"ts_msec":946739311802,"l3_proto":"ip4","src_ip":"10.0.0.1","dst_ip":"52.65.235.129","src_port":55409,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"DNScrypt.AmazonAWS","breed":"Acceptable","category":"Network"}}
00427{"packet_event_id":1,"packet_event_name":"packet","thread_id":0,"packet_id":215,"source":"dnscrypt-v1-and-resolver-pings.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":94,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":94,"pkt_l4_len":0,"ts_msec":946739311802,"pkt":"REREREREZmZmZmZmCABFAABQgvMAub0RmXEKAAABNEHrgQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="}
00196{"basic_event_id":9,"basic_event_name":"nDPI IPv4\/L4 payload detection failed","thread_id":0,"packet_id":215,"source":"dnscrypt-v1-and-resolver-pings.pcap","alias":"nDPId-test","l4_data_len":60}
00702{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":216,"source":"dnscrypt-v1-and-resolver-pings.pcap","alias":"nDPId-test","flow_id":85,"flow_packet_id":2,"flow_last_seen":946739312102,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":226,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":226,"pkt_l4_len":192,"ts_msec":946739312102,"pkt":"ZmZmZmZmRERERERECABFAADUhiJAACkR6nc0QeuBCgAAAQG72hoAwNtICnOBgAABAAEAAAAAATINZG5zY3J5cHQtY2VydApkZWZmZXItZG5zAmF1AAAQAAHADAAQAAEAAHCAAH18RE5TQwACAAAHR7dJhGoyFx8KdrkIsoh61C8rxtxAaFzxQo\/agVQzzjpZ5APiE6q3FOpAI96QjakMreCrdTAjP8EJbJX\/I6UH9uHXHTkXq4cOyA70iJwlafDxONoi+u6\/0zTNviG6FU724dcdORerhwAAAAFfU2DvX1Sybw=="}
@@ -1594,9 +1594,9 @@
~~ total active/idle flows...: 251/251
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 2346276 bytes
-~~ total memory freed........: 2346276 bytes
-~~ total allocations/frees...: 36576/36576
+~~ total memory allocated....: 4902591 bytes
+~~ total memory freed........: 4902591 bytes
+~~ total allocations/frees...: 100772/100772
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 187 chars
~~ json string max len.......: 2426 chars
diff --git a/test/results/dnscrypt-v2-doh.pcap.out b/test/results/dnscrypt-v2-doh.pcap.out
index c26ff468e..ca7bfd9c5 100644
--- a/test/results/dnscrypt-v2-doh.pcap.out
+++ b/test/results/dnscrypt-v2-doh.pcap.out
@@ -45,7 +45,7 @@
00829{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":91,"source":"dnscrypt-v2-doh.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":1,"flow_last_seen":946739310980,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":335,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":335,"pkt_l4_len":301,"ts_msec":946739310980,"pkt":"REREREREZmZmZmZmCABFAAFBYCBAAL0GW60KAAABuSuHAZUqAburhCguMeSlTVAYAfYCHQAAFgMBARQBAAEQAwM7gJo4OG7S+iUgpLXTuxo5Xw1OBGj4DiyxVBvpcTjrrSC1ygzgmnU02BGfASVXjVBWPNfoJIqu28ODMXbR4UvXGQAmwC\/AMMArwCzMqMypwBPACcAUwAoAnACdAC8ANcASAAoTARMDEwIBAAChAAAAEAAOAAALb2R2ci5uaWMuY3oABQAFAQAAAAAACgAKAAgAHQAXABgAGQALAAIBAAANABoAGAgEBAMIBwgFCAYEAQUBBgEFAwYDAgECA\/8BAAEAABAADgAMAmgyCGh0dHAvMS4xABIAAAArAAkIAwQDAwMCAwEAMwAmACQAHQAg+HQ6d2TRAhXiPlV4SzYTTgVvyRFR0ttaRH8caXLPDAE="}
00847{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":91,"source":"dnscrypt-v2-doh.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":1,"flow_first_seen":946739310980,"flow_last_seen":946739310980,"flow_idle_time":7440000,"flow_min_l4_payload_len":281,"flow_max_l4_payload_len":281,"flow_tot_l4_payload_len":281,"flow_avg_l4_payload_len":281,"midstream":1,"ts_msec":946739310980,"l3_proto":"ip4","src_ip":"10.0.0.1","dst_ip":"185.43.135.1","src_port":38186,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.DoH_DoT","breed":"Fun","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"odvr.nic.cz","ja3":"d0ee3237a14bbd89ca4d2b5356ab20ba","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
04503{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":92,"source":"dnscrypt-v2-doh.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":2,"flow_last_seen":946739311016,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":3057,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":3057,"pkt_l4_len":3023,"ts_msec":946739311016,"pkt":"ZmZmZmZmRERERERECABFAAvj5XlAADUGU7K5K4cBCgAAAQG7lSox5KVNq4QpR1AYAO0MvwAAFgMDAGICAABeAwOYp2uqwk2kagwv1bFvuG7BP4gwxFJK\/HnbYlDDBgxtByBtkhDnIYlAH5FeNvmtcy43X+awJKk1khM1gLQ9O4\/1KcAvAAAW\/wEAAQAACwAEAwABAgAQAAUAAwJoMhYDAwn0CwAJ8AAJ7QAFUTCCBU0wggQ1oAMCAQICEgOvzNhD6HsqkMaua9kU943O+TANBgkqhkiG9w0BAQsFADBKMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3MgRW5jcnlwdDEjMCEGA1UEAxMaTGV0J3MgRW5jcnlwdCBBdXRob3JpdHkgWDMwHhcNMjAwODAzMDY1MzUwWhcNMjAxMTAxMDY1MzUwWjAWMRQwEgYDVQQDEwtvZHZyLm5pYy5jejCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMSBtMaoOIrrVwbIP2cWYEJHSXjqgj\/\/9tkWX5PXpNopleDTdQVoDYtrhgWWdCxKvyghVnCCvqzpAdxH9iHJ+YDCJvMhSONvyUnQC+8wqGClBPGGgWuYJiWCNGWLq05jQxU5OjFamZYLeA83J41w0hXJ0caGVgR+ZmGHFjjdBCJABPqlSZbx4n\/8eqoqwv3W6903WKQrR8zszV5MtKKlTANB6QP2yhXI+UhhzdoeLxrEImAA6gxL2BOHWdKuBhBuV+ph8YRaL5IiMHVdXgcmxhPMtLDMaXcrlQWC6XO\/mVYjsQjycz9NHwfX9HBGmqdB8EpxpqAzOMv4Pfea+srqI+sCAwEAAaOCAl8wggJbMA4GA1UdDwEB\/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH\/BAIwADAdBgNVHQ4EFgQUiF81uRjtpDLZWzD7gWIvMHk\/TcYwHwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7\/Oo7KEwbwYIKwYBBQUHAQEEYzBhMC4GCCsGAQUFBzABhiJodHRwOi8vb2NzcC5pbnQteDMubGV0c2VuY3J5cHQub3JnMC8GCCsGAQUFBzAChiNodHRwOi8vY2VydC5pbnQteDMubGV0c2VuY3J5cHQub3JnLzAWBgNVHREEDzANggtvZHZyLm5pYy5jejBMBgNVHSAERTBDMAgGBmeBDAECATA3BgsrBgEEAYLfEwEBATAoMCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCCAQMGCisGAQQB1nkCBAIEgfQEgfEA7wB2AF6nc\/nfVsDntTZIfdBJ4DJ6kZoMhKESEoQYdZaBcUVYAAABc7NP+yAAAAQDAEcwRQIhAKJu6NqRyIYQsDPHU\/A2REhgeKHjM4x+XnuUUYMuSVKBAiBvFXWETRjBcg4jaK4iYqlFL3MxxHaFAihU4M5Y1\/QWIQB1AAe3XBvlfWj\/8bDGHSMVx7rmV3xXlLdq7rxhOhpp06IcAAABc7NP+0kAAAQDAEYwRAIgbhSITSEVzSp\/
pS3dsOxVrCnCOPr0QsQS\/Z8OeZ0VJL4CIEqFJZjRYER6kq4HNRyZ4yzxaPbu\/njrCFn4rfkG\/MO7MA0GCSqGSIb3DQEBCwUAA4IBAQCGEOIQRUNcWjsX719Aj278yDJZeRktrpYQiEzTApT2VFFAVk9RNpDtIgove0nygMmo0gYcRhVp8veJjqVoyBOpTj8fBZ0k4jHFaDhaRBi5aQXOMln+cU\/N+ZZyxOF\/OvhfMIgmGnNpnX15fmj0DD6pQOeMMvjd9\/6LhaAOIYehc8T\/qnYYgS+NN4PGwZ62L8NBcloKk78UBZkehMmgkPB4R4UGWU+P\/9wBXoct8xHeSEI\/RKypAvQONIxcx+PGOfY7cug8EawYjQxeC0dBrCPA4HuTbflrjLpxCEjs2nsPD4SXJGGl7AoG4paGMGZjt4DcZO2jhWz5unIehkjqEM\/fAASWMIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA\/MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMTDkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0NlowSjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMTGkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EFq6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan\/PQeGdxyGkOlZHP\/uaZ6WA8SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0Z8h\/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWAa6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB\/onkxEz0tNvjj\/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0TAQH\/BAgwBgEB\/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIGCCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNvbTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9kc3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf\/EFWCFiRAwVAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcCARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwuY3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsFAAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJouM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr\/1wXKtx8\/wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so\/joWUoHOUgwuX4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlGPfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEk
ROb3N6KOqkqm57TH2H3eDJAkSnh6\/DNFu0QhYDAwFNDAABSQMAF0EE7OwduzycCFyh5foVYUYJfj2csLLoqbmNrs4ksDiqkMaHC2NulFxfST4jcCRZ19YEaLojL5JVRvlluRb8LA6yDQQBAQARbpzNdpCTfHNn9Bz14lNKRHZrsXa4X4EmfyVVEagU6WSCW5UKp3bMis8UAzosg4RFbcIE\/BqKgmQG64Bt\/cGitnxq47bonIC\/OFLylrM320R6R6uLkQuGNQpkUlgrZKL\/+YkYqd4ToLlZjenqQeguYlPWOUvDEduCfvOd+A9y2fcGuSyrbb0En99qwYiK1PUm11WXjEDQ91vzKm5Pz2wWWFYuywvRbHOtLetuqGEfMtz5QTTP+GA2fJf1SHhqAtT7v7XaP+5Wvee65IgIoNU6aiAVYz3hwW\/AkDmTqCcqZ608Q7A+R1MIFZgfnWqkxiaXPHcpFh\/8pcgjckhLtTiSFgMDAAQOAAAA"}
-01148{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":92,"source":"dnscrypt-v2-doh.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":2,"flow_first_seen":946739310980,"flow_last_seen":946739311016,"flow_idle_time":7440000,"flow_min_l4_payload_len":281,"flow_max_l4_payload_len":3003,"flow_tot_l4_payload_len":3284,"flow_avg_l4_payload_len":1642,"midstream":1,"ts_msec":946739311016,"l3_proto":"ip4","src_ip":"10.0.0.1","dst_ip":"185.43.135.1","src_port":38186,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9":"TLS Expired Certificate"},"proto":"TLS.DoH_DoT","breed":"Fun","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"odvr.nic.cz","server_names":"odvr.nic.cz","ja3":"d0ee3237a14bbd89ca4d2b5356ab20ba","ja3s":"1089ea6f0461a29006cc96dfe7a11d80","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3","issuerDN":"CN=odvr.nic.cz","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"15:57:4E:06:5B:3D:23:22:EF:BC:2E:5B:A3:3E:A5:76:BD:14:01:4B"}}
+01149{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":92,"source":"dnscrypt-v2-doh.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":2,"flow_first_seen":946739310980,"flow_last_seen":946739311016,"flow_idle_time":7440000,"flow_min_l4_payload_len":281,"flow_max_l4_payload_len":3003,"flow_tot_l4_payload_len":3284,"flow_avg_l4_payload_len":1642,"midstream":1,"ts_msec":946739311016,"l3_proto":"ip4","src_ip":"10.0.0.1","dst_ip":"185.43.135.1","src_port":38186,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9":"TLS Expired Certificate"},"proto":"TLS.DoH_DoT","breed":"Fun","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"odvr.nic.cz","server_names":"odvr.nic.cz","ja3":"d0ee3237a14bbd89ca4d2b5356ab20ba","ja3s":"1089ea6f0461a29006cc96dfe7a11d80","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3","subjectDN":"CN=odvr.nic.cz","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"15:57:4E:06:5B:3D:23:22:EF:BC:2E:5B:A3:3E:A5:76:BD:14:01:4B"}}
00622{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":93,"source":"dnscrypt-v2-doh.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":3,"flow_last_seen":946739311048,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":180,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":180,"pkt_l4_len":146,"ts_msec":946739311048,"pkt":"REREREREZmZmZmZmCABFAACmYCJAAL0GXEYKAAABuSuHAZUqAburhClHMeSxCFAYAfUBggAAFgMDAEYQAABCQQS+L1tdhkv27psDloITDJmmm+nkuKGJ6kBYeGBEdwUOSK4polbbfA55gXHwNtK3Y1Aq1CUhl++X\/zqhOD+IGqi8FAMDAAEBFgMDACgAAAAAAAAAALayQyzNIxhtoOFefQYzbs\/rDW3NZGb\/HW2xO7qHfaVY"}
00554{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":113,"source":"dnscrypt-v2-doh.pcap","alias":"nDPId-test","flow_id":9,"flow_packets_processed":1,"flow_first_seen":946739311335,"flow_last_seen":946739311335,"flow_idle_time":7440000,"flow_min_l4_payload_len":285,"flow_max_l4_payload_len":285,"flow_tot_l4_payload_len":285,"flow_avg_l4_payload_len":285,"midstream":1,"ts_msec":946739311335,"l3_proto":"ip4","src_ip":"10.0.0.1","dst_ip":"9.9.9.10","src_port":51770,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00837{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":113,"source":"dnscrypt-v2-doh.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":1,"flow_last_seen":946739311335,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":339,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":339,"pkt_l4_len":305,"ts_msec":946739311335,"pkt":"REREREREZmZmZmZmCABFAAFF8W5AAL0G+HQKAAABCQkJCso6Abuxr7nkL4f0JVAYAfbUBgAAFgMBARgBAAEUAwN330DAziY7Qy75ow2vvPPweI0WjrfNmIygzjgDJAOaiiBkC+TeFnwD\/kQWoA8NwSkWiR\/ZS3JD6l8yhQXJVgAa3gAmwC\/AMMArwCzMqMypwBPACcAUwAoAnACdAC8ANcASAAoTARMDEwIBAAClAAAAFAASAAAPZG5zMTAucXVhZDkubmV0AAUABQEAAAAAAAoACgAIAB0AFwAYABkACwACAQAADQAaABgIBAQDCAcIBQgGBAEFAQYBBQMGAwIBAgP\/AQABAAAQAA4ADAJoMghodHRwLzEuMQASAAAAKwAJCAMEAwMDAgMBADMAJgAkAB0AICW+8u6SZcrHjrKSceEpWhhd\/sXKRaui0Qq2OMNRWOwf"}
@@ -173,7 +173,7 @@
03217{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":470,"source":"dnscrypt-v2-doh.pcap","alias":"nDPId-test","flow_id":29,"flow_packet_id":2,"flow_last_seen":946739400727,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":2102,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":2102,"pkt_l4_len":2068,"ts_msec":946739400727,"pkt":"ZmZmZmZmRERERERECABFAAgouN1AADcG\/yHR+vEZCgAAAQG7i4LAB6RFUka0c1AYAfWL6wAAFgMDAGYCAABiAwNagb8+u4y1yd1xwzS1nH\/nTUIdC4eY2A55MtUayrM8fyDO5yrWZS4Aa1iS7gSLPLT\/C8LAuC029TJv1sr4CTESSMAwAAAa\/wEAAQAACwAEAwABAgAFAAAAEAAFAAMCaDIWAwMKAwsACf8ACfwABWAwggVcMIIERKADAgECAhIDDKJHTnwjwsnrm2DLrI1zNLUwDQYJKoZIhvcNAQELBQAwSjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMTGkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMB4XDTIwMDcxNDIzNDcyMVoXDTIwMTAxMjIzNDcyMVowHTEbMBkGA1UEAxMSamFyamFyLm1lZ2FuZXJkLm5sMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv9OPyuZ6JwIE6bPDfiRhbYPMkVlSRq93tijiXoOFC9OQc4eXtoMomU6kKPy5Z0NTzEB3WAHxrA4SRx6q3\/yefPeWA8HsMuYfQZpftg95obbyxbYYejVTJGcDt7bBAbyfyHwpa9VQXCZ1NM6170XCwqiTXQ5pCT67h001VbP663EnKohkf0MUwppbn6Q5xEFc+o+3D6IU\/rxkzW1SQTh0phbzb1Op8DfM63A\/ZtxaA5UoEOBp23CMkB\/vP5ul2uJharTqU\/BfvvV3HB\/zu9o43hkbooUEyMuBJn0+O6orVhwG1QVKM6xj5TM6ZcijU2+3rS+x7vNJUt\/bTHh7sHDviQIDAQABo4ICZzCCAmMwDgYDVR0PAQH\/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBRLbCV+QerkMWgquQ7dzQvZqcefiTAfBgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv86jsoTBvBggrBgEFBQcBAQRjMGEwLgYIKwYBBQUHMAGGImh0dHA6Ly9vY3NwLmludC14My5sZXRzZW5jcnlwdC5vcmcwLwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14My5sZXRzZW5jcnlwdC5vcmcvMB0GA1UdEQQWMBSCEmphcmphci5tZWdhbmVyZC5ubDBMBgNVHSAERTBDMAgGBmeBDAECATA3BgsrBgEEAYLfEwEBATAoMCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCCAQQGCisGAQQB1nkCBAIEgfUEgfIA8AB3AF6nc\/nfVsDntTZIfdBJ4DJ6kZoMhKESEoQYdZaBcUVYAAABc0\/ws2wAAAQDAEgwRgIhAMWgM8fCSKocSMS6vNmRTIKDzMWXKgtHRh\/4TftRR0QHAiEA3JSerrntM9u7waurWrvwybuL6dB9RsJnzjR8MMY9tuIAdQAHt1wb5X1o\/\/Gwxh0jFce65ld8V5S3au68YToaadOiHAAAAXNP8
LOOAAAEAwBGMEQCIG6J2T+qpPVVFxjS27cFglwKmn3u\/zi2QCL4kFgVvwefAiAZm3eKKyeMogTwUuYzbx+RsfIEqA9nNOdkRRv\/z1FxuzANBgkqhkiG9w0BAQsFAAOCAQEAcAija84yR1ADOoiyrdQFCgxJZB2BUUNBtRgi8ZPFZIdUaVPomyGL3oK59c6IO+gMw6xbSeGsLaVjettLRMJ2uMl6JZkgjV1Bhp3NdPQKieFpoaEiEBUAwqL8TSBKdJ\/mAMQLAKadqZ1hZKcVTPtXVdd5Q28iLasE\/NjtopLZOa1XOJt0sUbRAHa2FOZzb42ureqnIdzzYgm+hY18KJUkfrSxCg2dd4MTgQuYu+ZhUpaMB2rAm94XcTgVTGO5ADi5NM0oEFFNdNKrAyCom1jWC2m8LyYfCzUJEAYCAUd1WL438vW1Z0FQZK5dAca9qTf6FxrRdYRYrY7oGND3IwvyWwAEljCCBJIwggN6oAMCAQICEAoBQUIAAAFThXNqC4XspwgwDQYJKoZIhvcNAQELBQAwPzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQDEw5EU1QgUm9vdCBDQSBYMzAeFw0xNjAzMTcxNjQwNDZaFw0yMTAzMTcxNjQwNDZaMEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQDExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJzTDPBa5S5Ht3JdN4OzaGMw6tc1Jhkl4b2+NfFwki+3uEtBBaupnjUIWOyxKsRohwuj43Xk5vOnYnG6eYFgH9eRmp\/z0HhncchpDpWRz\/7mmelgPEjMfspNdxIknUcbWuu57B43ABycrHunBerOSuu9QeU2mLnL\/W08lmjfIypCkAyGdGfIf6WauFJhFBM\/ZemCh8vb+g5W9oaJ84U\/l4avsNwa72sNlRZ9xCugZbKZBDZ1gGusSvMbkEl4L6KWTyogJSkExnTA0DHNjzE4lRa6qDO4Q\/GxH8Mwf6J5MRM9LTb44\/zyM2q5OTHFr8SNDR1kFjOq+oQpttQLwNh9w5MCAwEAAaOCAX0wggF5MBIGA1UdEwEB\/wQIMAYBAf8CAQAwDgYDVR0="}
00915{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":470,"source":"dnscrypt-v2-doh.pcap","alias":"nDPId-test","flow_id":29,"flow_packets_processed":2,"flow_first_seen":946739400702,"flow_last_seen":946739400727,"flow_idle_time":7440000,"flow_min_l4_payload_len":288,"flow_max_l4_payload_len":2048,"flow_tot_l4_payload_len":2336,"flow_avg_l4_payload_len":1168,"midstream":1,"ts_msec":946739400727,"l3_proto":"ip4","src_ip":"10.0.0.1","dst_ip":"209.250.241.25","src_port":35714,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.DoH_DoT","breed":"Fun","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"jarjar.meganerd.nl","ja3":"d0ee3237a14bbd89ca4d2b5356ab20ba","ja3s":"2464432ec440b95b36263230c3148d11","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
02453{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":471,"source":"dnscrypt-v2-doh.pcap","alias":"nDPId-test","flow_id":29,"flow_packet_id":3,"flow_last_seen":946739400727,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":1535,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1535,"pkt_l4_len":1501,"ts_msec":946739400727,"pkt":"ZmZmZmZmRERERERECABFAAXxuN9AADcGAVfR+vEZCgAAAQG7i4LAB6xFUka0c1AYAfWJtAAADwEB\/wQEAwIBhjB\/BggrBgEFBQcBAQRzMHEwMgYIKwYBBQUHMAGGJmh0dHA6Ly9pc3JnLnRydXN0aWQub2NzcC5pZGVudHJ1c3QuY29tMDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx+tvhS5B1\/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA\/BgsrBgEEAYLfEwEBATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQub3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9EU1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFKhKamMEfd265tE5t6ZFZe\/zqOyhMA0GCSqGSIb3DQEBCwUAA4IBAQDdM9cR82NYON0YFfsJVb52VrlwSKVpRyd7wiQIkvFaH0oSKTckdFEcYmi4zZVwZ+X3pLxOKFHNm+iuh53q2LpaoQGa3PDdah1q2D5XI56mHgRimv\/XBcq3Hz\/ACki8lLC2ZWLgwVTloyqtIMTp5rvcyPa1wzKjmMx3qOZ5ZQcryyj+OhZSgc5SDC5fg+jVBjP7d2zOQOoynh+SXEHBdGxbXQpfM8xNn6w48C97LGKd2aORbyUbL5CxGUY99n4bpnqHuaN6bRj6JaWRhxXg8hYvWLAGLyxoJsZLmM3anwz5f5DtQ0oSRE5vc3oo6qSqbntMfYfd4MkCRKeHr8M0W7RCFgMDAhcWAAITAQACDzCCAgsKAQCgggIEMIICAAYJKwYBBQUHMAEBBIIB8TCCAe0wgdahTDBKMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3MgRW5jcnlwdDEjMCEGA1UEAxMaTGV0J3MgRW5jcnlwdCBBdXRob3JpdHkgWDMYDzIwMjAwOTA0MDA0OTAwWjB1MHMwSzAJBgUrDgMCGgUABBR+5mrncpqz\/PiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7\/Oo7KECEgMMokdOfCPCyeubYMusjXM0tYAAGA8yMDIwMDkwNDAwMDAwMFqgERgPMjAyMDA5MTEwMDAwMDBaMA0GCSqGSIb3DQEBCwUAA4IBAQAoMB1ePZKC8NpTy2434kCI6h8NAXGSDejnRZYFr2QSx+TpoZipUWbMWCq8UzrMIxKC8UJACJQc6RIM+Xgz0ZRbGx25OD3V4vLxsczn\/nEIsXCHGvGoEBJqPqesQfpmU9r+oB2CbUgxGaJxDFqnidG6tH5KNxFVbrX2lPzXeDzKwLN1eUiZU\/lMuAOJwkK8zmwVXP5H7g6aco+MiZp06K8b\/Da3w0YGUY9fjEablMtV5ViuxARhZw1pWYWZo\/jGfvICDNvPKmx8V1X1Z4R8rNjm8UiPRR8P0NarasVvNtWs+6fXGpl\/hFMZzj6z
4oAVh0vYNXKYxmaDs8l6pH8OOZ\/cFgMDASwMAAEoAwAdIBuLZjnTB3Kjce7+mNxfaBiRgPo4iNkyTjzm6+fh98MBCAQBAAD35z4OurpaleuYyQXrRwgunZx5itw99f\/qns7fqVRPpCakkPBqYtIkrAQds7t3x9gcyB3pN\/ek7QU4lXsRRnsrWpFsVpkkgouj8noQcYPmvp55cuzOEjLxYK5KOB1bU10ZmdANW3hMqgjTathZk6jfjNOD8MgF15uckgPUXOITOpG7UYd\/YtxRx7xgMGY0jlH\/+xeUF+NSAiy6s9oSi0oU\/QlatPOidPhVmRC84vWQNkgJhZubcKWseKLjiRRL9zUmMJ2fjig0R0EKUVh0pAUSNWsA0m3x1YIPV6kX\/fzGNkCBx4kijVkxENgEgAD9si+WguAjMtSH5qQYN0CMxwsWAwMABA4AAAA="}
-01173{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":471,"source":"dnscrypt-v2-doh.pcap","alias":"nDPId-test","flow_id":29,"flow_packets_processed":3,"flow_first_seen":946739400702,"flow_last_seen":946739400727,"flow_idle_time":7440000,"flow_min_l4_payload_len":288,"flow_max_l4_payload_len":2048,"flow_tot_l4_payload_len":3817,"flow_avg_l4_payload_len":1272,"midstream":1,"ts_msec":946739400727,"l3_proto":"ip4","src_ip":"10.0.0.1","dst_ip":"209.250.241.25","src_port":35714,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9":"TLS Expired Certificate"},"proto":"TLS.DoH_DoT","breed":"Fun","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"jarjar.meganerd.nl","server_names":"jarjar.meganerd.nl","ja3":"d0ee3237a14bbd89ca4d2b5356ab20ba","ja3s":"2464432ec440b95b36263230c3148d11","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3","issuerDN":"CN=jarjar.meganerd.nl","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"17:C9:8C:F5:DD:1F:0E:0F:DC:C5:42:4F:ED:C4:CD:57:5A:5D:7A:4F"}}
+01174{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":471,"source":"dnscrypt-v2-doh.pcap","alias":"nDPId-test","flow_id":29,"flow_packets_processed":3,"flow_first_seen":946739400702,"flow_last_seen":946739400727,"flow_idle_time":7440000,"flow_min_l4_payload_len":288,"flow_max_l4_payload_len":2048,"flow_tot_l4_payload_len":3817,"flow_avg_l4_payload_len":1272,"midstream":1,"ts_msec":946739400727,"l3_proto":"ip4","src_ip":"10.0.0.1","dst_ip":"209.250.241.25","src_port":35714,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9":"TLS Expired Certificate"},"proto":"TLS.DoH_DoT","breed":"Fun","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"jarjar.meganerd.nl","server_names":"jarjar.meganerd.nl","ja3":"d0ee3237a14bbd89ca4d2b5356ab20ba","ja3s":"2464432ec440b95b36263230c3148d11","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3","subjectDN":"CN=jarjar.meganerd.nl","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"17:C9:8C:F5:DD:1F:0E:0F:DC:C5:42:4F:ED:C4:CD:57:5A:5D:7A:4F"}}
00561{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":486,"source":"dnscrypt-v2-doh.pcap","alias":"nDPId-test","flow_id":30,"flow_packets_processed":1,"flow_first_seen":946739401864,"flow_last_seen":946739401864,"flow_idle_time":7440000,"flow_min_l4_payload_len":292,"flow_max_l4_payload_len":292,"flow_tot_l4_payload_len":292,"flow_avg_l4_payload_len":292,"midstream":1,"ts_msec":946739401864,"l3_proto":"ip4","src_ip":"10.0.0.1","dst_ip":"95.216.229.153","src_port":43888,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00848{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":486,"source":"dnscrypt-v2-doh.pcap","alias":"nDPId-test","flow_id":30,"flow_packet_id":1,"flow_last_seen":946739401864,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":346,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":346,"pkt_l4_len":312,"ts_msec":946739401864,"pkt":"REREREREZmZmZmZmCABFAAFMN1VAAH4GvigKAAABX9jlmatwAbtGU6iimu8Jz1AYAfYHbQAAFgMBAR8BAAEbAwOH23fm3DrJaQXLovxzyYyk5R\/PesPVPPqPMsnNPw9NhCA+BKUjIeM9NnmcNXI7jO56RaAWoMnCcXIJRfPvBK89HQAmwC\/AMMArwCzMqMypwBPACcAUwAoAnACdAC8ANcASAAoTARMDEwIBAACsAAAAGwAZAAAWZmkuZG9oLmRucy5zbm9weXRhLm9yZwAFAAUBAAAAAAAKAAoACAAdABcAGAAZAAsAAgEAAA0AGgAYCAQEAwgHCAUIBgQBBQEGAQUDBgMCAQID\/wEAAQAAEAAOAAwCaDIIaHR0cC8xLjEAEgAAACsACQgDBAMDAwIDAQAzACYAJAAdACAgB93oNekrupxQPrzRHifFos9GGTUaOGYLuLqXCSqLFg=="}
00862{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":486,"source":"dnscrypt-v2-doh.pcap","alias":"nDPId-test","flow_id":30,"flow_packets_processed":1,"flow_first_seen":946739401864,"flow_last_seen":946739401864,"flow_idle_time":7440000,"flow_min_l4_payload_len":292,"flow_max_l4_payload_len":292,"flow_tot_l4_payload_len":292,"flow_avg_l4_payload_len":292,"midstream":1,"ts_msec":946739401864,"l3_proto":"ip4","src_ip":"10.0.0.1","dst_ip":"95.216.229.153","src_port":43888,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.DoH_DoT","breed":"Fun","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"fi.doh.dns.snopyta.org","ja3":"d0ee3237a14bbd89ca4d2b5356ab20ba","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
@@ -204,7 +204,7 @@
03216{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":565,"source":"dnscrypt-v2-doh.pcap","alias":"nDPId-test","flow_id":34,"flow_packet_id":2,"flow_last_seen":946739879647,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":2102,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":2102,"pkt_l4_len":2068,"ts_msec":946739879647,"pkt":"ZmZmZmZmRERERERECABFAAgoIhBAADcGle\/R+vEZCgAAAQG7i56PZDiQBaQESFAYAfWL6wAAFgMDAGYCAABiAwOvuIoBv9aLdY9+pRuVYLTvaIEBB5j8JJqoUP\/T+o4DJyAaq0H4FgIYS60khmCU6D9TGVas7XFToGUgExNzFU9aPcAwAAAa\/wEAAQAACwAEAwABAgAFAAAAEAAFAAMCaDIWAwMKAwsACf8ACfwABWAwggVcMIIERKADAgECAhIDDKJHTnwjwsnrm2DLrI1zNLUwDQYJKoZIhvcNAQELBQAwSjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMTGkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMB4XDTIwMDcxNDIzNDcyMVoXDTIwMTAxMjIzNDcyMVowHTEbMBkGA1UEAxMSamFyamFyLm1lZ2FuZXJkLm5sMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv9OPyuZ6JwIE6bPDfiRhbYPMkVlSRq93tijiXoOFC9OQc4eXtoMomU6kKPy5Z0NTzEB3WAHxrA4SRx6q3\/yefPeWA8HsMuYfQZpftg95obbyxbYYejVTJGcDt7bBAbyfyHwpa9VQXCZ1NM6170XCwqiTXQ5pCT67h001VbP663EnKohkf0MUwppbn6Q5xEFc+o+3D6IU\/rxkzW1SQTh0phbzb1Op8DfM63A\/ZtxaA5UoEOBp23CMkB\/vP5ul2uJharTqU\/BfvvV3HB\/zu9o43hkbooUEyMuBJn0+O6orVhwG1QVKM6xj5TM6ZcijU2+3rS+x7vNJUt\/bTHh7sHDviQIDAQABo4ICZzCCAmMwDgYDVR0PAQH\/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBRLbCV+QerkMWgquQ7dzQvZqcefiTAfBgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv86jsoTBvBggrBgEFBQcBAQRjMGEwLgYIKwYBBQUHMAGGImh0dHA6Ly9vY3NwLmludC14My5sZXRzZW5jcnlwdC5vcmcwLwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14My5sZXRzZW5jcnlwdC5vcmcvMB0GA1UdEQQWMBSCEmphcmphci5tZWdhbmVyZC5ubDBMBgNVHSAERTBDMAgGBmeBDAECATA3BgsrBgEEAYLfEwEBATAoMCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCCAQQGCisGAQQB1nkCBAIEgfUEgfIA8AB3AF6nc\/nfVsDntTZIfdBJ4DJ6kZoMhKESEoQYdZaBcUVYAAABc0\/ws2wAAAQDAEgwRgIhAMWgM8fCSKocSMS6vNmRTIKDzMWXKgtHRh\/4TftRR0QHAiEA3JSerrntM9u7waurWrvwybuL6dB9RsJnzjR8MMY9tuIAdQAHt1wb5X1o\/\/Gwxh0jFce65ld8V5S3au68YToaadOiHAAAAXNP8L
OOAAAEAwBGMEQCIG6J2T+qpPVVFxjS27cFglwKmn3u\/zi2QCL4kFgVvwefAiAZm3eKKyeMogTwUuYzbx+RsfIEqA9nNOdkRRv\/z1FxuzANBgkqhkiG9w0BAQsFAAOCAQEAcAija84yR1ADOoiyrdQFCgxJZB2BUUNBtRgi8ZPFZIdUaVPomyGL3oK59c6IO+gMw6xbSeGsLaVjettLRMJ2uMl6JZkgjV1Bhp3NdPQKieFpoaEiEBUAwqL8TSBKdJ\/mAMQLAKadqZ1hZKcVTPtXVdd5Q28iLasE\/NjtopLZOa1XOJt0sUbRAHa2FOZzb42ureqnIdzzYgm+hY18KJUkfrSxCg2dd4MTgQuYu+ZhUpaMB2rAm94XcTgVTGO5ADi5NM0oEFFNdNKrAyCom1jWC2m8LyYfCzUJEAYCAUd1WL438vW1Z0FQZK5dAca9qTf6FxrRdYRYrY7oGND3IwvyWwAEljCCBJIwggN6oAMCAQICEAoBQUIAAAFThXNqC4XspwgwDQYJKoZIhvcNAQELBQAwPzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQDEw5EU1QgUm9vdCBDQSBYMzAeFw0xNjAzMTcxNjQwNDZaFw0yMTAzMTcxNjQwNDZaMEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQDExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJzTDPBa5S5Ht3JdN4OzaGMw6tc1Jhkl4b2+NfFwki+3uEtBBaupnjUIWOyxKsRohwuj43Xk5vOnYnG6eYFgH9eRmp\/z0HhncchpDpWRz\/7mmelgPEjMfspNdxIknUcbWuu57B43ABycrHunBerOSuu9QeU2mLnL\/W08lmjfIypCkAyGdGfIf6WauFJhFBM\/ZemCh8vb+g5W9oaJ84U\/l4avsNwa72sNlRZ9xCugZbKZBDZ1gGusSvMbkEl4L6KWTyogJSkExnTA0DHNjzE4lRa6qDO4Q\/GxH8Mwf6J5MRM9LTb44\/zyM2q5OTHFr8SNDR1kFjOq+oQpttQLwNh9w5MCAwEAAaOCAX0wggF5MBIGA1UdEwEB\/wQIMAYBAf8CAQAwDgYDVR0="}
00915{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":565,"source":"dnscrypt-v2-doh.pcap","alias":"nDPId-test","flow_id":34,"flow_packets_processed":2,"flow_first_seen":946739879619,"flow_last_seen":946739879647,"flow_idle_time":7440000,"flow_min_l4_payload_len":288,"flow_max_l4_payload_len":2048,"flow_tot_l4_payload_len":2336,"flow_avg_l4_payload_len":1168,"midstream":1,"ts_msec":946739879647,"l3_proto":"ip4","src_ip":"10.0.0.1","dst_ip":"209.250.241.25","src_port":35742,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.DoH_DoT","breed":"Fun","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"jarjar.meganerd.nl","ja3":"d0ee3237a14bbd89ca4d2b5356ab20ba","ja3s":"2464432ec440b95b36263230c3148d11","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
02458{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":566,"source":"dnscrypt-v2-doh.pcap","alias":"nDPId-test","flow_id":34,"flow_packet_id":3,"flow_last_seen":946739879647,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":1535,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1535,"pkt_l4_len":1501,"ts_msec":946739879647,"pkt":"ZmZmZmZmRERERERECABFAAXxIhJAADcGmCTR+vEZCgAAAQG7i56PZECQBaQESFAYAfWJtAAADwEB\/wQEAwIBhjB\/BggrBgEFBQcBAQRzMHEwMgYIKwYBBQUHMAGGJmh0dHA6Ly9pc3JnLnRydXN0aWQub2NzcC5pZGVudHJ1c3QuY29tMDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx+tvhS5B1\/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA\/BgsrBgEEAYLfEwEBATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQub3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9EU1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFKhKamMEfd265tE5t6ZFZe\/zqOyhMA0GCSqGSIb3DQEBCwUAA4IBAQDdM9cR82NYON0YFfsJVb52VrlwSKVpRyd7wiQIkvFaH0oSKTckdFEcYmi4zZVwZ+X3pLxOKFHNm+iuh53q2LpaoQGa3PDdah1q2D5XI56mHgRimv\/XBcq3Hz\/ACki8lLC2ZWLgwVTloyqtIMTp5rvcyPa1wzKjmMx3qOZ5ZQcryyj+OhZSgc5SDC5fg+jVBjP7d2zOQOoynh+SXEHBdGxbXQpfM8xNn6w48C97LGKd2aORbyUbL5CxGUY99n4bpnqHuaN6bRj6JaWRhxXg8hYvWLAGLyxoJsZLmM3anwz5f5DtQ0oSRE5vc3oo6qSqbntMfYfd4MkCRKeHr8M0W7RCFgMDAhcWAAITAQACDzCCAgsKAQCgggIEMIICAAYJKwYBBQUHMAEBBIIB8TCCAe0wgdahTDBKMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3MgRW5jcnlwdDEjMCEGA1UEAxMaTGV0J3MgRW5jcnlwdCBBdXRob3JpdHkgWDMYDzIwMjAwOTA0MDA0OTAwWjB1MHMwSzAJBgUrDgMCGgUABBR+5mrncpqz\/PiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7\/Oo7KECEgMMokdOfCPCyeubYMusjXM0tYAAGA8yMDIwMDkwNDAwMDAwMFqgERgPMjAyMDA5MTEwMDAwMDBaMA0GCSqGSIb3DQEBCwUAA4IBAQAoMB1ePZKC8NpTy2434kCI6h8NAXGSDejnRZYFr2QSx+TpoZipUWbMWCq8UzrMIxKC8UJACJQc6RIM+Xgz0ZRbGx25OD3V4vLxsczn\/nEIsXCHGvGoEBJqPqesQfpmU9r+oB2CbUgxGaJxDFqnidG6tH5KNxFVbrX2lPzXeDzKwLN1eUiZU\/lMuAOJwkK8zmwVXP5H7g6aco+MiZp06K8b\/Da3w0YGUY9fjEablMtV5ViuxARhZw1pWYWZo\/jGfvICDNvPKmx8V1X1Z4R8rNjm8UiPRR8P0NarasVvNtWs+6fXGpl\/hFMZzj6z
4oAVh0vYNXKYxmaDs8l6pH8OOZ\/cFgMDASwMAAEoAwAdIKQoxhH\/Z4NdCHDs7qK8wmGbCtHgbBpAtyYYPJoz0BNpCAQBAI2s5yjtMrI9QJNozqSEdCsumaSKt\/QNxoJ5PFMWs10MAWl+5CjGLSlpjhytuQkP602gJ28TSQHyyO39DQ2pHRZ1MjKiwLUGQnSrx7B1qsIRx8U65WEhaQ\/Oefjv8VGGg2Nnh0hcGrHjYUxlGavnUge+GnGDrvgzWTdBb6fu\/ASgdFWYo\/L\/cx\/DQSF7KqdfFLYtqS\/mVGjCi+aU3DGzfokfH8gTddjOpZA9DbKNE5R+fiOUj+uHJsETXL1+AHkZ1DyEVNTPTtlzClPqiVFZoiQLHaM5Rks\/r\/SATzjVrNW7MyikygwLvRY4rKK4uz5N88k\/vqkRvVB4EA04vef95bIWAwMABA4AAAA="}
-01173{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":566,"source":"dnscrypt-v2-doh.pcap","alias":"nDPId-test","flow_id":34,"flow_packets_processed":3,"flow_first_seen":946739879619,"flow_last_seen":946739879647,"flow_idle_time":7440000,"flow_min_l4_payload_len":288,"flow_max_l4_payload_len":2048,"flow_tot_l4_payload_len":3817,"flow_avg_l4_payload_len":1272,"midstream":1,"ts_msec":946739879647,"l3_proto":"ip4","src_ip":"10.0.0.1","dst_ip":"209.250.241.25","src_port":35742,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9":"TLS Expired Certificate"},"proto":"TLS.DoH_DoT","breed":"Fun","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"jarjar.meganerd.nl","server_names":"jarjar.meganerd.nl","ja3":"d0ee3237a14bbd89ca4d2b5356ab20ba","ja3s":"2464432ec440b95b36263230c3148d11","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3","issuerDN":"CN=jarjar.meganerd.nl","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"17:C9:8C:F5:DD:1F:0E:0F:DC:C5:42:4F:ED:C4:CD:57:5A:5D:7A:4F"}}
+01174{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":566,"source":"dnscrypt-v2-doh.pcap","alias":"nDPId-test","flow_id":34,"flow_packets_processed":3,"flow_first_seen":946739879619,"flow_last_seen":946739879647,"flow_idle_time":7440000,"flow_min_l4_payload_len":288,"flow_max_l4_payload_len":2048,"flow_tot_l4_payload_len":3817,"flow_avg_l4_payload_len":1272,"midstream":1,"ts_msec":946739879647,"l3_proto":"ip4","src_ip":"10.0.0.1","dst_ip":"209.250.241.25","src_port":35742,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"9":"TLS Expired Certificate"},"proto":"TLS.DoH_DoT","breed":"Fun","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"jarjar.meganerd.nl","server_names":"jarjar.meganerd.nl","ja3":"d0ee3237a14bbd89ca4d2b5356ab20ba","ja3s":"2464432ec440b95b36263230c3148d11","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3","subjectDN":"CN=jarjar.meganerd.nl","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"17:C9:8C:F5:DD:1F:0E:0F:DC:C5:42:4F:ED:C4:CD:57:5A:5D:7A:4F"}}
00564{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":577,"source":"dnscrypt-v2-doh.pcap","alias":"nDPId-test","flow_id":29,"flow_packets_processed":18,"flow_first_seen":946739400702,"flow_last_seen":946739407673,"flow_idle_time":7440000,"flow_min_l4_payload_len":31,"flow_max_l4_payload_len":2048,"flow_tot_l4_payload_len":5567,"flow_avg_l4_payload_len":309,"midstream":1,"ts_msec":946739888204,"l3_proto":"ip4","src_ip":"10.0.0.1","dst_ip":"209.250.241.25","src_port":35714,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00565{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":577,"source":"dnscrypt-v2-doh.pcap","alias":"nDPId-test","flow_id":12,"flow_packets_processed":22,"flow_first_seen":946739312203,"flow_last_seen":946739327905,"flow_idle_time":7440000,"flow_min_l4_payload_len":24,"flow_max_l4_payload_len":1452,"flow_tot_l4_payload_len":5116,"flow_avg_l4_payload_len":232,"midstream":1,"ts_msec":946739888204,"l3_proto":"ip4","src_ip":"10.0.0.1","dst_ip":"116.203.179.248","src_port":41720,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00564{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":577,"source":"dnscrypt-v2-doh.pcap","alias":"nDPId-test","flow_id":34,"flow_packets_processed":14,"flow_first_seen":946739879619,"flow_last_seen":946739888204,"flow_idle_time":7440000,"flow_min_l4_payload_len":31,"flow_max_l4_payload_len":2048,"flow_tot_l4_payload_len":4885,"flow_avg_l4_payload_len":348,"midstream":1,"ts_msec":946739888204,"l3_proto":"ip4","src_ip":"10.0.0.1","dst_ip":"209.250.241.25","src_port":35742,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -248,9 +248,9 @@
~~ total active/idle flows...: 34/34
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 2210795 bytes
-~~ total memory freed........: 2210795 bytes
-~~ total allocations/frees...: 36171/36171
+~~ total memory allocated....: 4859118 bytes
+~~ total memory freed........: 4859118 bytes
+~~ total allocations/frees...: 100367/100367
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 171 chars
~~ json string max len.......: 4706 chars
diff --git a/test/results/dnscrypt_skype_false_positive.pcapng.out b/test/results/dnscrypt_skype_false_positive.pcapng.out
index 1d16dde88..2c2d0fdcb 100644
--- a/test/results/dnscrypt_skype_false_positive.pcapng.out
+++ b/test/results/dnscrypt_skype_false_positive.pcapng.out
@@ -23,9 +23,9 @@
~~ total active/idle flows...: 3/3
~~ total timeout flows.......: 2
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1931530 bytes
-~~ total memory freed........: 1931530 bytes
-~~ total allocations/frees...: 35350/35350
+~~ total memory allocated....: 4592997 bytes
+~~ total memory freed........: 4592997 bytes
+~~ total allocations/frees...: 99546/99546
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 184 chars
~~ json string max len.......: 1152 chars
diff --git a/test/results/doq.pcapng.out b/test/results/doq.pcapng.out
index 1175b30d1..73b35bf46 100644
--- a/test/results/doq.pcapng.out
+++ b/test/results/doq.pcapng.out
@@ -20,9 +20,9 @@
~~ total active/idle flows...: 2/2
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1935772 bytes
-~~ total memory freed........: 1935772 bytes
-~~ total allocations/frees...: 35373/35373
+~~ total memory allocated....: 4597663 bytes
+~~ total memory freed........: 4597663 bytes
+~~ total allocations/frees...: 99569/99569
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 159 chars
~~ json string max len.......: 2137 chars
diff --git a/test/results/doq_adguard.pcapng.out b/test/results/doq_adguard.pcapng.out
index e46066d14..13c6dbc74 100644
--- a/test/results/doq_adguard.pcapng.out
+++ b/test/results/doq_adguard.pcapng.out
@@ -14,9 +14,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1942112 bytes
-~~ total memory freed........: 1942112 bytes
-~~ total allocations/frees...: 35646/35646
+~~ total memory allocated....: 4604427 bytes
+~~ total memory freed........: 4604427 bytes
+~~ total allocations/frees...: 99842/99842
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 167 chars
~~ json string max len.......: 2113 chars
diff --git a/test/results/dos_win98_smb_netbeui.pcap.out b/test/results/dos_win98_smb_netbeui.pcap.out
index d36170ef1..aefc3cd66 100644
--- a/test/results/dos_win98_smb_netbeui.pcap.out
+++ b/test/results/dos_win98_smb_netbeui.pcap.out
@@ -350,9 +350,9 @@
~~ total active/idle flows...: 4/4
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1934770 bytes
-~~ total memory freed........: 1934770 bytes
-~~ total allocations/frees...: 35409/35409
+~~ total memory allocated....: 4595813 bytes
+~~ total memory freed........: 4595813 bytes
+~~ total allocations/frees...: 99605/99605
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 164 chars
~~ json string max len.......: 1910 chars
diff --git a/test/results/drda_db2.pcap.out b/test/results/drda_db2.pcap.out
index cdf564999..6e25db0d9 100644
--- a/test/results/drda_db2.pcap.out
+++ b/test/results/drda_db2.pcap.out
@@ -14,9 +14,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1931274 bytes
-~~ total memory freed........: 1931274 bytes
-~~ total allocations/frees...: 35377/35377
+~~ total memory allocated....: 4593589 bytes
+~~ total memory freed........: 4593589 bytes
+~~ total allocations/frees...: 99573/99573
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 161 chars
~~ json string max len.......: 597 chars
diff --git a/test/results/dropbox.pcap.out b/test/results/dropbox.pcap.out
index 2219c0cec..e3271abb5 100644
--- a/test/results/dropbox.pcap.out
+++ b/test/results/dropbox.pcap.out
@@ -106,9 +106,9 @@
~~ total active/idle flows...: 15/15
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1975340 bytes
-~~ total memory freed........: 1975340 bytes
-~~ total allocations/frees...: 36228/36228
+~~ total memory allocated....: 4631719 bytes
+~~ total memory freed........: 4631719 bytes
+~~ total allocations/frees...: 100424/100424
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 163 chars
~~ json string max len.......: 823 chars
diff --git a/test/results/dtls.pcap.out b/test/results/dtls.pcap.out
index 1fb4f1f23..3dd25bc15 100644
--- a/test/results/dtls.pcap.out
+++ b/test/results/dtls.pcap.out
@@ -13,9 +13,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1928182 bytes
-~~ total memory freed........: 1928182 bytes
-~~ total allocations/frees...: 35340/35340
+~~ total memory allocated....: 4590497 bytes
+~~ total memory freed........: 4590497 bytes
+~~ total allocations/frees...: 99536/99536
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 156 chars
~~ json string max len.......: 845 chars
diff --git a/test/results/dtls2.pcap.out b/test/results/dtls2.pcap.out
index 3e1e769b4..73de52196 100644
--- a/test/results/dtls2.pcap.out
+++ b/test/results/dtls2.pcap.out
@@ -4,7 +4,7 @@
00836{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"dtls2.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1507911659748,"flow_last_seen":1507911659748,"flow_idle_time":180000,"flow_min_l4_payload_len":81,"flow_max_l4_payload_len":81,"flow_tot_l4_payload_len":81,"flow_avg_l4_payload_len":81,"midstream":0,"ts_msec":1507911659748,"l3_proto":"ip4","src_ip":"61.68.110.153","dst_ip":"212.32.214.39","src_port":53045,"dst_port":61457,"l4_proto":"udp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS","24":"SNI TLS extension was missing"},"proto":"DTLS","breed":"Safe","category":"Web"},"tls": {"version":"DTLSv1.0","client_requested_server_name":"","ja3":"1b45c913a0c0fde5f263502e65999485","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
00508{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"dtls2.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_last_seen":1507911659964,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":102,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":102,"pkt_l4_len":68,"ts_msec":1507911659964,"pkt":"AAAAjZtQSEb7zh73CABFAABYGTZAAHIRmTnUINYnPURumfARzzUARCmdFv7\/AAAAAAAAAAAALwMAACMAAAAAAAAAI\/7\/IGQQTc4aUtGjb8ohVEQdgum4T0i11AHiQi9xw2nai\/UG"}
00581{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"dtls2.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_last_seen":1507911659975,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":155,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":155,"pkt_l4_len":121,"ts_msec":1507911659975,"pkt":"AAAAjZtQSEb7zh73CABFAACN5wIAAD8RPjg9RG6Z1CDWJ8818BEAeRSaFv7\/AAAAAAAAAAEAZAEAAFgAAQAAAAAAWP7\/xZOd2weR7n4d5xLXjiJT803Vm2GyIJyqcktro0p9KtUAIGQQTc4aUtGjb8ohVEQdgum4T0i11AHiQi9xw2nai\/UGABAANQAvAAUABAAKAPsA\/AD9AQA="}
-01053{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":4,"source":"dtls2.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":4,"flow_first_seen":1507911659748,"flow_last_seen":1507911660332,"flow_idle_time":180000,"flow_min_l4_payload_len":60,"flow_max_l4_payload_len":825,"flow_tot_l4_payload_len":1079,"flow_avg_l4_payload_len":269,"midstream":0,"ts_msec":1507911660332,"l3_proto":"ip4","src_ip":"61.68.110.153","dst_ip":"212.32.214.39","src_port":53045,"dst_port":61457,"l4_proto":"udp","ndpi": {"flow_risk": {"8":"Weak TLS cipher","15":"TLS (probably) not carrying HTTPS","24":"SNI TLS extension was missing"},"proto":"DTLS","breed":"Safe","category":"Web"},"tls": {"version":"DTLSv1.0","client_requested_server_name":"","ja3":"1b45c913a0c0fde5f263502e65999485","ja3s":"749bd1edea60396ffaa65213b7971718","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US","issuerDN":"C=US, CN=*.relay.ros.rockstargames.com","fingerprint":"AB:59:0E:11:EC:94:4D:D5:D3:40:7E:6E:3B:8B:6A:19:CA:B7:85:2C"}}
+01054{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":4,"source":"dtls2.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":4,"flow_first_seen":1507911659748,"flow_last_seen":1507911660332,"flow_idle_time":180000,"flow_min_l4_payload_len":60,"flow_max_l4_payload_len":825,"flow_tot_l4_payload_len":1079,"flow_avg_l4_payload_len":269,"midstream":0,"ts_msec":1507911660332,"l3_proto":"ip4","src_ip":"61.68.110.153","dst_ip":"212.32.214.39","src_port":53045,"dst_port":61457,"l4_proto":"udp","ndpi": {"flow_risk": {"8":"Weak TLS cipher","15":"TLS (probably) not carrying HTTPS","24":"SNI TLS extension was missing"},"proto":"DTLS","breed":"Safe","category":"Web"},"tls": {"version":"DTLSv1.0","client_requested_server_name":"","ja3":"1b45c913a0c0fde5f263502e65999485","ja3s":"749bd1edea60396ffaa65213b7971718","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US","subjectDN":"C=US, CN=*.relay.ros.rockstargames.com","fingerprint":"AB:59:0E:11:EC:94:4D:D5:D3:40:7E:6E:3B:8B:6A:19:CA:B7:85:2C"}}
00561{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":19,"source":"dtls2.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":18,"flow_first_seen":1507911659748,"flow_last_seen":1507911740891,"flow_idle_time":180000,"flow_min_l4_payload_len":60,"flow_max_l4_payload_len":825,"flow_tot_l4_payload_len":2583,"flow_avg_l4_payload_len":143,"midstream":0,"ts_msec":1507911800410,"l3_proto":"ip4","src_ip":"61.68.110.153","dst_ip":"212.32.214.39","src_port":53045,"dst_port":61457,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00561{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":25,"source":"dtls2.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":24,"flow_first_seen":1507911659748,"flow_last_seen":1507911868551,"flow_idle_time":180000,"flow_min_l4_payload_len":60,"flow_max_l4_payload_len":825,"flow_tot_l4_payload_len":3173,"flow_avg_l4_payload_len":132,"midstream":0,"ts_msec":1507911920885,"l3_proto":"ip4","src_ip":"61.68.110.153","dst_ip":"212.32.214.39","src_port":53045,"dst_port":61457,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00561{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":29,"source":"dtls2.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":28,"flow_first_seen":1507911659748,"flow_last_seen":1507911981652,"flow_idle_time":180000,"flow_min_l4_payload_len":60,"flow_max_l4_payload_len":825,"flow_tot_l4_payload_len":3545,"flow_avg_l4_payload_len":126,"midstream":0,"ts_msec":1507912041681,"l3_proto":"ip4","src_ip":"61.68.110.153","dst_ip":"212.32.214.39","src_port":53045,"dst_port":61457,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
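Review bot: Nothing visible in these results guards against a repeat of the duplicate `"issuerDN"` key that the detection-update line in this hunk corrects; the same duplicate appears in the dnscrypt-v2-doh.pcap results earlier on the page. The old output was accepted as a valid expected result, and a last-key-wins JSON parser would have silently reported the subject as the issuer, which is misleading input for any certificate-based alerting downstream. Schema validation alone usually cannot catch this because the parser collapses duplicate keys before the validator runs. If the harness that consumes these `.out` files does not already do so, it should parse each event with duplicate-key rejection enabled and fail the run on any repeated key.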
@@ -18,10 +18,10 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1929038 bytes
-~~ total memory freed........: 1929038 bytes
-~~ total allocations/frees...: 35370/35370
+~~ total memory allocated....: 4591353 bytes
+~~ total memory freed........: 4591353 bytes
+~~ total allocations/frees...: 99566/99566
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 159 chars
-~~ json string max len.......: 1058 chars
+~~ json string max len.......: 1059 chars
~~ json string avg len.......: 677 chars
diff --git a/test/results/dtls_certificate_fragments.pcap.out b/test/results/dtls_certificate_fragments.pcap.out
index c85700392..4f0460030 100644
--- a/test/results/dtls_certificate_fragments.pcap.out
+++ b/test/results/dtls_certificate_fragments.pcap.out
@@ -15,9 +15,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1928704 bytes
-~~ total memory freed........: 1928704 bytes
-~~ total allocations/frees...: 35358/35358
+~~ total memory allocated....: 4591019 bytes
+~~ total memory freed........: 4591019 bytes
+~~ total allocations/frees...: 99554/99554
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 179 chars
~~ json string max len.......: 935 chars
diff --git a/test/results/dtls_session_id_and_coockie_both.pcap.out b/test/results/dtls_session_id_and_coockie_both.pcap.out
index 4560f0770..13ffc23b5 100644
--- a/test/results/dtls_session_id_and_coockie_both.pcap.out
+++ b/test/results/dtls_session_id_and_coockie_both.pcap.out
@@ -15,9 +15,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1928240 bytes
-~~ total memory freed........: 1928240 bytes
-~~ total allocations/frees...: 35342/35342
+~~ total memory allocated....: 4590555 bytes
+~~ total memory freed........: 4590555 bytes
+~~ total allocations/frees...: 99538/99538
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 184 chars
~~ json string max len.......: 931 chars
diff --git a/test/results/encrypted_sni.pcap.out b/test/results/encrypted_sni.pcap.out
index f2f2d71e4..6f8ab4e2e 100644
--- a/test/results/encrypted_sni.pcap.out
+++ b/test/results/encrypted_sni.pcap.out
@@ -1,13 +1,13 @@
00447{"daemon_event_id":1,"daemon_event_name":"init","thread_id":0,"packet_id":0,"source":"encrypted_sni.pcap","alias":"nDPId-test","max-flows-per-thread":2048,"max-idle-flows-per-thread":256,"tick-resolution":1000,"reader-thread-count":1,"flow-scan-interval":10000,"generic-max-idle-time":600000,"icmp-max-idle-time":120000,"udp-max-idle-time":180000,"tcp-max-idle-time":7560000,"max-packets-per-flow-to-send":3,"max-packets-per-flow-to-process":255}
00562{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1,"source":"encrypted_sni.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1590680386576,"flow_last_seen":1590680386576,"flow_idle_time":7440000,"flow_min_l4_payload_len":716,"flow_max_l4_payload_len":716,"flow_tot_l4_payload_len":716,"flow_avg_l4_payload_len":716,"midstream":1,"ts_msec":1590680386576,"l3_proto":"ip4","src_ip":"192.168.1.12","dst_ip":"104.27.129.77","src_port":49886,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
01415{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"encrypted_sni.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_last_seen":1590680386576,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":770,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":770,"pkt_l4_len":736,"ts_msec":1590680386576,"pkt":"EBMx8Tl2KDc3AG3ICABFAAL0AABAAEAGjOfAqAEMaBuBTcLeAbt3Q5LX\/48DFVAYIACwHgAAFgMBAscBAALDAwOTwM86TEdZaYZx77QiKeLaOUyI6FPS+J3L+0S3MA31OCDtrXy2AkmiC5EC8aXH8NKs5TG5ofTGvlsmIWUcTFlOhgAkEwETAxMCwCvAL8ypzKjALMAwwArACcATwBQAMwA5AC8ANQAKAQACVgAXAAD\/AQABAAAKAA4ADAAdABcAGAAZAQABAQALAAIBAAAjAAAAEAAOAAwCaDIIaHR0cC8xLjEABQAFAQAAAAAAMwBrAGkAHQAg9C+VXLX0pUAYcvwRMlm2BfjMFL+A2Ha+teHeYm8XszAAFwBBBKhP+5j\/iIqKULsVEv1xkLdgIoxwczB5EVKfTq\/0aLaIOqqUx255GoGIKzaHGdYeWvgG2FTscntynOjMKiH+1xMAKwAJCAMEAwMDAgMBAA0AGAAWBAMFAwYDCAQIBQgGBAEFAQYBAgMCAQAtAAIBAf\/OAW4TAQAdACAoJey8d6KdccaSJO2lCYt20kw0EEYFyldVNE\/b+wVlLQAgHyQSymUyoBaYNvGbjOJlOzPcW4r7yiRdTxErCb+vUsgBJJYkyzxOIwgn94z1v2QNIt6jP8xZjqajLZOZBVhvvpl7nmhmH4lW1IkwcuGd4kzR+4ip9x\/EzAG6tckU\/flqZH1nG16JhZuu6rEiIYaISW303wwyjD1flAsQnOsqJ0PVy+NZQoiiKbjH4viDA+P+GiaonlAB8r2TaJD+948G4F7MBjpovbjBjfrBFM8f7NuL4fwv7ssjFdJ5mNaCsSn9Hj6115hdy9xFKhCCzMA44L9pVw\/vrGvG+5UfibZ5LK2nZAPALOtdzhzm7d0W1ff7a4XSuSSFRI3gCI5CHoPx4osmf747Wa4ElvuEUhPCcdTFrF6efl9qMHJEUwf8zrcwZxBFmZHEDMTcH8MlFUx5dN14A3E5eAVFahmuI+6IR1wd8HaXtmYAHAACQAE="}
-00847{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"encrypted_sni.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1590680386576,"flow_last_seen":1590680386576,"flow_idle_time":7440000,"flow_min_l4_payload_len":716,"flow_max_l4_payload_len":716,"flow_tot_l4_payload_len":716,"flow_avg_l4_payload_len":716,"midstream":1,"ts_msec":1590680386576,"l3_proto":"ip4","src_ip":"192.168.1.12","dst_ip":"104.27.129.77","src_port":49886,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Cloudflare","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","ja3":"e5ef852e686954ba9fe060fbfa881e15","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+00847{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"encrypted_sni.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1590680386576,"flow_last_seen":1590680386576,"flow_idle_time":7440000,"flow_min_l4_payload_len":716,"flow_max_l4_payload_len":716,"flow_tot_l4_payload_len":716,"flow_avg_l4_payload_len":716,"midstream":1,"ts_msec":1590680386576,"l3_proto":"ip4","src_ip":"192.168.1.12","dst_ip":"104.27.129.77","src_port":49886,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Cloudflare","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","ja3":"957015a0b1e2500d8777219893a09495","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00563{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2,"source":"encrypted_sni.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":1,"flow_first_seen":1590680387847,"flow_last_seen":1590680387847,"flow_idle_time":7440000,"flow_min_l4_payload_len":716,"flow_max_l4_payload_len":716,"flow_tot_l4_payload_len":716,"flow_avg_l4_payload_len":716,"midstream":1,"ts_msec":1590680387847,"l3_proto":"ip4","src_ip":"192.168.1.12","dst_ip":"104.16.125.175","src_port":49887,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
01419{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"encrypted_sni.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_last_seen":1590680387847,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":770,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":770,"pkt_l4_len":736,"ts_msec":1590680387847,"pkt":"EBMx8Tl2KDc3AG3ICABFAAL0AABAAEAGkJDAqAEMaBB9r8LfAbu98X4VZuCG7lAYIACqfgAAFgMBAscBAALDAwPZvt6xqK7JiSO2eRBioUk2Uu867QdPWpn6Sv4hYS472iAz8c+AKNafKEsBeorsjdYMXk2HdHvKJL23Af8gga\/qxAAkEwETAxMCwCvAL8ypzKjALMAwwArACcATwBQAMwA5AC8ANQAKAQACVgAXAAD\/AQABAAAKAA4ADAAdABcAGAAZAQABAQALAAIBAAAjAAAAEAAOAAwCaDIIaHR0cC8xLjEABQAFAQAAAAAAMwBrAGkAHQAg0HCVKAanlLS9J1B8hdchDfkoKDxcPc3B5hBZYsZWdz8AFwBBBCakAur\/e3rF+tGl0au7NOTY4DQpBg\/YjV6ew74w8otvaCGiCdoeWGhEGjsldqwZrBxN3o59i8BSdRX+YPQ+GgkAKwAJCAMEAwMDAgMBAA0AGAAWBAMFAwYDCAQIBQgGBAEFAQYBAgMCAQAtAAIBAf\/OAW4TAQAdACAFyK2kXV21yqtAW2T62b\/NDTnJgxOrhECle3qcjynhZQAgHyQSymUyoBaYNvGbjOJlOzPcW4r7yiRdTxErCb+vUsgBJLkAAE456EuY9a6HsKAg7En+2G8rSItqsoven5V2IfJ3Q2bekOZcTKgIZokRYkaF7ExtxsFhqXy+gigbwIQnaXqjvmpA5fAKz4tj4ykxew5OhWQtUKuHkOYZfaYtn1syOdzFlDd5f+dopSDJ1HH+q6E3XfYeSjmwk2PLEJ57JKeThEiW3dFrbufb5XbXZxYdeC179v7EU6Bakj2Njpvv\/Jfo5WxPGqtw\/pm8l4GeHZCKXzswlPS\/Jet6JKlP28PhB6QjuLs0HyKQD3u9h3gOMLbs85P+uPv\/61THn6BnP+Gq0XsiHUv\/ZFCqDNSvUTBmtmCAtgIUfzrLcUWkNsVonaILrLi\/m6vYUQElVuyPe7nXS\/qvJdz0NipXdWB8POXCwp8YOWkAHAACQAE="}
-00848{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":2,"source":"encrypted_sni.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":1,"flow_first_seen":1590680387847,"flow_last_seen":1590680387847,"flow_idle_time":7440000,"flow_min_l4_payload_len":716,"flow_max_l4_payload_len":716,"flow_tot_l4_payload_len":716,"flow_avg_l4_payload_len":716,"midstream":1,"ts_msec":1590680387847,"l3_proto":"ip4","src_ip":"192.168.1.12","dst_ip":"104.16.125.175","src_port":49887,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Cloudflare","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","ja3":"e5ef852e686954ba9fe060fbfa881e15","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+00848{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":2,"source":"encrypted_sni.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":1,"flow_first_seen":1590680387847,"flow_last_seen":1590680387847,"flow_idle_time":7440000,"flow_min_l4_payload_len":716,"flow_max_l4_payload_len":716,"flow_tot_l4_payload_len":716,"flow_avg_l4_payload_len":716,"midstream":1,"ts_msec":1590680387847,"l3_proto":"ip4","src_ip":"192.168.1.12","dst_ip":"104.16.125.175","src_port":49887,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Cloudflare","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","ja3":"957015a0b1e2500d8777219893a09495","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00562{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":3,"source":"encrypted_sni.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":1,"flow_first_seen":1590680391590,"flow_last_seen":1590680391590,"flow_idle_time":7440000,"flow_min_l4_payload_len":716,"flow_max_l4_payload_len":716,"flow_tot_l4_payload_len":716,"flow_avg_l4_payload_len":716,"midstream":1,"ts_msec":1590680391590,"l3_proto":"ip4","src_ip":"192.168.1.12","dst_ip":"104.22.71.197","src_port":49897,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
01413{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"encrypted_sni.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_last_seen":1590680391590,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":770,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":770,"pkt_l4_len":736,"ts_msec":1590680391590,"pkt":"EBMx8Tl2KDc3AG3ICABFAAL0AABAAEAGxnTAqAEMaBZHxcLpAbsLJg40SW6gUlAYIAANXgAAFgMBAscBAALDAwMJLl9l\/OldUJYbpqd0xOpts3Kv4zg2hroTXcdX9KeB2CBjkfBVUTqX532YPuVZHQd0J5lIK2OZH9nsSRBnWwKDWwAkEwETAxMCwCvAL8ypzKjALMAwwArACcATwBQAMwA5AC8ANQAKAQACVgAXAAD\/AQABAAAKAA4ADAAdABcAGAAZAQABAQALAAIBAAAjAAAAEAAOAAwCaDIIaHR0cC8xLjEABQAFAQAAAAAAMwBrAGkAHQAgsbxhJX9IcnjB7rdgEb2YIBohnnxEhKIToNk1er8CIioAFwBBBLtlLNXLCuP0okhISXwuyj6tgeyLGZ5yaSZ9uT3zAbum2y5l1gYjS6RGBBL9dNcuY2pA4Ze582sOuuo0cAvw2TsAKwAJCAMEAwMDAgMBAA0AGAAWBAMFAwYDCAQIBQgGBAEFAQYBAgMCAQAtAAIBAf\/OAW4TAQAdACCgcq\/jSZGFwhXJHl9nfU84W9RHblecX+XHXi+knd++egAgHyQSymUyoBaYNvGbjOJlOzPcW4r7yiRdTxErCb+vUsgBJM1prHJ\/+qDqcKEqpG5xU365kjS5loGMkTxyoKwRhL+l3TthfgE+TKCSsunPt4vNjTPLrxKpdN+3jkm4v5pXmXQY7xTIeDCWHjyEgNKkvyfWHZEc70MAkkqfNhBXSLrthF\/1heQEBlRbs1xtqteJZDPsTf1rb0lyjahdcH23rHhPVaZljcat4wh7Hka7vt+kTz6HVLMaa8+FGdKR02KYBfqCbkN5nqbjMCHPCoPKBXF7APN9aYQZNPW1vyVMZGeIilksOKMAfbO31cu423QrZX+PlzwFC6qBeqVxOTzYpLwLIxJGCnfdBRD0u85D1TvPM05OjHVwJVu9F3FEA\/S2klQ0zWf5b6ngXXAHdoEO61eGscgYik1z+CCLYUuTKEqAk5KVlL4AHAACQAE="}
-00847{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":3,"source":"encrypted_sni.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":1,"flow_first_seen":1590680391590,"flow_last_seen":1590680391590,"flow_idle_time":7440000,"flow_min_l4_payload_len":716,"flow_max_l4_payload_len":716,"flow_tot_l4_payload_len":716,"flow_avg_l4_payload_len":716,"midstream":1,"ts_msec":1590680391590,"l3_proto":"ip4","src_ip":"192.168.1.12","dst_ip":"104.22.71.197","src_port":49897,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Cloudflare","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","ja3":"e5ef852e686954ba9fe060fbfa881e15","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+00847{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":3,"source":"encrypted_sni.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":1,"flow_first_seen":1590680391590,"flow_last_seen":1590680391590,"flow_idle_time":7440000,"flow_min_l4_payload_len":716,"flow_max_l4_payload_len":716,"flow_tot_l4_payload_len":716,"flow_avg_l4_payload_len":716,"midstream":1,"ts_msec":1590680391590,"l3_proto":"ip4","src_ip":"192.168.1.12","dst_ip":"104.22.71.197","src_port":49897,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Cloudflare","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","ja3":"957015a0b1e2500d8777219893a09495","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00563{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":3,"source":"encrypted_sni.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1590680386576,"flow_last_seen":1590680386576,"flow_idle_time":7440000,"flow_min_l4_payload_len":716,"flow_max_l4_payload_len":716,"flow_tot_l4_payload_len":716,"flow_avg_l4_payload_len":716,"midstream":1,"ts_msec":1590680391590,"l3_proto":"ip4","src_ip":"192.168.1.12","dst_ip":"104.27.129.77","src_port":49886,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00563{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":3,"source":"encrypted_sni.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":1,"flow_first_seen":1590680391590,"flow_last_seen":1590680391590,"flow_idle_time":7440000,"flow_min_l4_payload_len":716,"flow_max_l4_payload_len":716,"flow_tot_l4_payload_len":716,"flow_avg_l4_payload_len":716,"midstream":1,"ts_msec":1590680391590,"l3_proto":"ip4","src_ip":"192.168.1.12","dst_ip":"104.22.71.197","src_port":49897,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00564{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":3,"source":"encrypted_sni.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":1,"flow_first_seen":1590680387847,"flow_last_seen":1590680387847,"flow_idle_time":7440000,"flow_min_l4_payload_len":716,"flow_max_l4_payload_len":716,"flow_tot_l4_payload_len":716,"flow_avg_l4_payload_len":716,"midstream":1,"ts_msec":1590680391590,"l3_proto":"ip4","src_ip":"192.168.1.12","dst_ip":"104.16.125.175","src_port":49887,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
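Review bot: The `ja3` value of all three `detected` events changes from `e5ef852e686954ba9fe060fbfa881e15` to `957015a0b1e2500d8777219893a09495` while the ClientHello bytes in the preceding packet-flow lines are unchanged context, so the fingerprint computation itself changed, and the commit should say so. The dnscrypt-v2-doh.pcap results earlier on the page keep their `ja3` across the same commit, so only some ClientHellos are affected; which handshake feature triggers the difference cannot be told from these lines. Consumers that match nDPId's JA3 output against stored allow or block lists would silently stop matching for the affected clients. A line in the commit description or changelog would cover it, for example `JA3 client fingerprints change for some ClientHellos with this libnDPI update; re-baseline stored JA3 values`.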
@@ -20,9 +20,9 @@
~~ total active/idle flows...: 3/3
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1939468 bytes
-~~ total memory freed........: 1939468 bytes
-~~ total allocations/frees...: 35359/35359
+~~ total memory allocated....: 4600935 bytes
+~~ total memory freed........: 4600935 bytes
+~~ total allocations/frees...: 99555/99555
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 166 chars
~~ json string max len.......: 1424 chars
diff --git a/test/results/ethereum.pcap.out b/test/results/ethereum.pcap.out
index 85a7e9f23..d644cc5bc 100644
--- a/test/results/ethereum.pcap.out
+++ b/test/results/ethereum.pcap.out
@@ -130,7 +130,7 @@
00630{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":288,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":30,"flow_packets_processed":4,"flow_first_seen":1578508364714,"flow_last_seen":1578508364790,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":442,"flow_tot_l4_payload_len":442,"flow_avg_l4_payload_len":110,"midstream":0,"ts_msec":1578508364790,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"82.145.220.249","src_port":56633,"dst_port":30303,"l4_proto":"tcp","ndpi": {"flow_risk": {"22":"Unsafe Protocol"},"proto":"Mining","breed":"Unsafe","category":"Mining"}}
00473{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":297,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":27,"flow_packet_id":2,"flow_last_seen":1578508364817,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1578508364817,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAACgG15goQ5CAwKgBuHZf3TZG9x3QfGwlk6AScSARhwAAAgQFoAQCCApyLMYFItiU0QEDAwc="}
00461{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":298,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":27,"flow_packet_id":3,"flow_last_seen":1578508364817,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1578508364817,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGv6DAqAG4KEOQgN02dl98bCWTRvcd0YAQEAmgwgAAAQEICiLYlWVyLMYF"}
-00629{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":299,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":27,"flow_packets_processed":4,"flow_first_seen":1578508364659,"flow_last_seen":1578508364819,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":431,"flow_tot_l4_payload_len":431,"flow_avg_l4_payload_len":107,"midstream":0,"ts_msec":1578508364819,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"40.67.144.128","src_port":56630,"dst_port":30303,"l4_proto":"tcp","ndpi": {"flow_risk": {"22":"Unsafe Protocol"},"proto":"Mining","breed":"Unsafe","category":"Mining"}}
+00601{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":299,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":27,"flow_packets_processed":4,"flow_first_seen":1578508364659,"flow_last_seen":1578508364819,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":431,"flow_tot_l4_payload_len":431,"flow_avg_l4_payload_len":107,"midstream":0,"ts_msec":1578508364819,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"40.67.144.128","src_port":56630,"dst_port":30303,"l4_proto":"tcp","ndpi": {"proto":"Mining.Azure","breed":"Acceptable","category":"Mining"}}
00474{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":314,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":18,"flow_packet_id":2,"flow_last_seen":1578508364823,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1578508364823,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAACYGE48SimxDwKgBuHZf3S4uwDPtE20MrKAS\/ogQ2gAAAgQFrAQCCAqmusMwItiUTwEDAwc="}
00461{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":316,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":18,"flow_packet_id":3,"flow_last_seen":1578508364823,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1578508364823,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAG+ZbAqAG4EopsQ90udl8TbQysLsAz7oAQECws4QAAAQEICiLYlWmmusMw"}
00555{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":328,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":33,"flow_packets_processed":1,"flow_first_seen":1578508364824,"flow_last_seen":1578508364824,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1578508364824,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"159.203.84.31","src_port":56634,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
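Review bot: The new expected line for flow_id 27 (packet_id 299) records a port-30303 mining flow as `"proto":"Mining.Azure","breed":"Acceptable"` with no `flow_risk`, where the old line had `"breed":"Unsafe"` and `"22":"Unsafe Protocol"`. Presumably this comes from the libnDPI bump now matching the destination address to a cloud range, but a consumer that alerts on `breed` or `flow_risk` will no longer see this flow. The `Mining.AmazonAWS` lines in the later hunks of this file have the same shape, and the guessed event for flow_id 42 now reports `"category":"Cloud"`, so `category` is not a reliable key either. If the downgrade is intended, the commit message should say that mining detection has to match the master protocol in `proto` (`Mining` or `Mining.*`); if it is not, the expected output should not be regenerated until the risk is kept for cloud-hosted peers.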
@@ -156,7 +156,7 @@
00480{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":445,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":36,"flow_packet_id":1,"flow_last_seen":1578508364924,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"ts_msec":1578508364924,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGtY\/AqAG40frwzd0+dl+QvttrAAAAALAC\/\/85bQAAAgQFtAEDAwUBAQgKItiVxgAAAAAEAgAA"}
00563{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":447,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":37,"flow_packets_processed":1,"flow_first_seen":1578508364925,"flow_last_seen":1578508364925,"flow_idle_time":180000,"flow_min_l4_payload_len":171,"flow_max_l4_payload_len":171,"flow_tot_l4_payload_len":171,"flow_avg_l4_payload_len":171,"midstream":0,"ts_msec":1578508364925,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"35.180.246.169","src_port":30303,"dst_port":30301,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00663{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":447,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":37,"flow_packet_id":1,"flow_last_seen":1578508364925,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":213,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":213,"pkt_l4_len":179,"ts_msec":1578508364925,"pkt":"EBMx8Tl2KDc3AG3ICABFAADHG4wAAEARgdzAqAG4I7T2qXZfdl0As6VnAUq3Z7jOf6Ug2frhkOredmKGawH96dNwPwCsVwwwAuHNRLachJG6Hj8pd5+\/iUKj3xzFalkHy\/4zo7e13\/nakEgcyoOcntMlISOmld4GtANNEoWSHW0IYrUbIiG7qvHSAQP4R7hAGwckxV38aoEQ3R3z6i1sbxgztMaJbhd8mlK6anhGQ6H0+w6JOUS\/FIH4b+eX+gcKRXXgkrfcf69BwK1A+Siq+4ReFiBg"}
-00604{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":447,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":37,"flow_packets_processed":1,"flow_first_seen":1578508364925,"flow_last_seen":1578508364925,"flow_idle_time":180000,"flow_min_l4_payload_len":171,"flow_max_l4_payload_len":171,"flow_tot_l4_payload_len":171,"flow_avg_l4_payload_len":171,"midstream":0,"ts_msec":1578508364925,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"35.180.246.169","src_port":30303,"dst_port":30301,"l4_proto":"udp","ndpi": {"proto":"Mining.Amazon","breed":"Acceptable","category":"Mining"}}
+00607{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":447,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":37,"flow_packets_processed":1,"flow_first_seen":1578508364925,"flow_last_seen":1578508364925,"flow_idle_time":180000,"flow_min_l4_payload_len":171,"flow_max_l4_payload_len":171,"flow_tot_l4_payload_len":171,"flow_avg_l4_payload_len":171,"midstream":0,"ts_msec":1578508364925,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"35.180.246.169","src_port":30303,"dst_port":30301,"l4_proto":"udp","ndpi": {"proto":"Mining.AmazonAWS","breed":"Acceptable","category":"Mining"}}
00473{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":464,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":33,"flow_packet_id":2,"flow_last_seen":1578508364932,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1578508364932,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADQGkHGfy1QfwKgBuHZf3TprW2X93LDPrKAScSCdQwAAAgQFrAQCCApPeKo9ItiVagEDAwc="}
00463{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":465,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":33,"flow_packet_id":3,"flow_last_seen":1578508364932,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1578508364932,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGhHnAqAG4n8tUH906dl\/csM+sa1tl\/oAQECwsmQAAAQEICiLYlc1PeKo9"}
00556{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":472,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":38,"flow_packets_processed":1,"flow_first_seen":1578508364932,"flow_last_seen":1578508364932,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1578508364932,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"18.219.167.159","src_port":56639,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -255,7 +255,7 @@
00631{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1323,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":53,"flow_packets_processed":4,"flow_first_seen":1578508365239,"flow_last_seen":1578508365420,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":583,"flow_tot_l4_payload_len":583,"flow_avg_l4_payload_len":145,"midstream":0,"ts_msec":1578508365420,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"157.230.152.87","src_port":56658,"dst_port":30303,"l4_proto":"tcp","ndpi": {"flow_risk": {"22":"Unsafe Protocol"},"proto":"Mining","breed":"Unsafe","category":"Mining"}}
00475{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1339,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":55,"flow_packet_id":2,"flow_last_seen":1578508365458,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1578508365458,"pkt":"KDc3AG3IEBMx8Tl2CABFCAA8AABAACwG2AY0CYBEwKgBuHZf3VXR7JfX7e3rXKASaN9TlwAAAgQFrAQCCAqDIEEYItiW\/gEDAwc="}
00463{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1340,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":55,"flow_packet_id":3,"flow_last_seen":1578508365458,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1578508365458,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGxBbAqAG4NAmARN1Vdl\/t7etc0eyX2IAQECzabQAAAQEICiLYl5+DIEEY"}
-00601{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1341,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":55,"flow_packets_processed":4,"flow_first_seen":1578508365279,"flow_last_seen":1578508365460,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":472,"flow_tot_l4_payload_len":472,"flow_avg_l4_payload_len":118,"midstream":0,"ts_msec":1578508365460,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"52.9.128.68","src_port":56661,"dst_port":30303,"l4_proto":"tcp","ndpi": {"proto":"Mining.Amazon","breed":"Acceptable","category":"Mining"}}
+00604{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1341,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":55,"flow_packets_processed":4,"flow_first_seen":1578508365279,"flow_last_seen":1578508365460,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":472,"flow_tot_l4_payload_len":472,"flow_avg_l4_payload_len":118,"midstream":0,"ts_msec":1578508365460,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"52.9.128.68","src_port":56661,"dst_port":30303,"l4_proto":"tcp","ndpi": {"proto":"Mining.AmazonAWS","breed":"Acceptable","category":"Mining"}}
00564{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1342,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":59,"flow_packets_processed":1,"flow_first_seen":1578508365461,"flow_last_seen":1578508365461,"flow_idle_time":180000,"flow_min_l4_payload_len":128,"flow_max_l4_payload_len":128,"flow_tot_l4_payload_len":128,"flow_avg_l4_payload_len":128,"midstream":0,"ts_msec":1578508365461,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"202.112.28.106","src_port":30303,"dst_port":30303,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00606{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1342,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":59,"flow_packet_id":1,"flow_last_seen":1578508365461,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":170,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":170,"pkt_l4_len":136,"ts_msec":1578508365461,"pkt":"EBMx8Tl2KDc3AG3ICABFAACcQtMAAEARjkPAqAG4ynAcanZfdl8AiDkPCEixaJX\/9thQC0r9cGcsCeen+iETb10JXBU9BZQL28M1nK8vCE6bMd2SC2XGliMqSbi8oqYHUjyrBa753h2KySNTFNso18+nMzMVWvdibnHX4lluxe+\/vRPiYB2kYX3uAAHdBMuEfwAAAYJ2X4J2X8mEynAcaoJ2X4CEXhYgYQU="}
00632{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1342,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":59,"flow_packets_processed":1,"flow_first_seen":1578508365461,"flow_last_seen":1578508365461,"flow_idle_time":180000,"flow_min_l4_payload_len":128,"flow_max_l4_payload_len":128,"flow_tot_l4_payload_len":128,"flow_avg_l4_payload_len":128,"midstream":0,"ts_msec":1578508365461,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"202.112.28.106","src_port":30303,"dst_port":30303,"l4_proto":"udp","ndpi": {"flow_risk": {"22":"Unsafe Protocol"},"proto":"Mining","breed":"Unsafe","category":"Mining"}}
@@ -347,7 +347,7 @@
00480{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1930,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":74,"flow_packet_id":1,"flow_last_seen":1578508366073,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"ts_msec":1578508366073,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGPnfAqAG4zr1rI91udl8AOSk+AAAAALAC\/\/8AywAAAgQFtAEDAwUBAQgKItiZ0wAAAAAEAgAA"}
00474{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1939,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":67,"flow_packet_id":2,"flow_last_seen":1578508366081,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1578508366081,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8jPoAACgGJqAN+w7HwKgBuHZf3WZ3LeB+TwsEYqASaN+zCgAAAgQFrAQCCAoTnX6eItiY9AEDAws="}
00462{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1941,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":67,"flow_packet_id":3,"flow_last_seen":1578508366081,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1578508366081,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGW6LAqAG4DfsOx91mdl9PCwRidy3gf4AQECw5oQAAAQEICiLYmdkTnX6e"}
-00603{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1951,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":67,"flow_packets_processed":4,"flow_first_seen":1578508365828,"flow_last_seen":1578508366083,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":404,"flow_tot_l4_payload_len":404,"flow_avg_l4_payload_len":101,"midstream":0,"ts_msec":1578508366083,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"13.251.14.199","src_port":56678,"dst_port":30303,"l4_proto":"tcp","ndpi": {"proto":"Mining.Amazon","breed":"Acceptable","category":"Mining"}}
+00606{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1951,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":67,"flow_packets_processed":4,"flow_first_seen":1578508365828,"flow_last_seen":1578508366083,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":404,"flow_tot_l4_payload_len":404,"flow_avg_l4_payload_len":101,"midstream":0,"ts_msec":1578508366083,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"13.251.14.199","src_port":56678,"dst_port":30303,"l4_proto":"tcp","ndpi": {"proto":"Mining.AmazonAWS","breed":"Acceptable","category":"Mining"}}
00474{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1968,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":74,"flow_packet_id":2,"flow_last_seen":1578508366117,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1578508366117,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADQGSnvOvWsjwKgBuHZf3W6FBUsAADkpP6AScSCofQAAAgQFrAQCCApn2sBGItiZ0wEDAwc="}
00463{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1969,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":74,"flow_packet_id":3,"flow_last_seen":1578508366117,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1578508366117,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGPoPAqAG4zr1rI91udl8AOSk\/hQVLAYAQECw4DwAAAQEICiLYmfpn2sBG"}
00631{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1970,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":74,"flow_packets_processed":4,"flow_first_seen":1578508366073,"flow_last_seen":1578508366119,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":407,"flow_tot_l4_payload_len":407,"flow_avg_l4_payload_len":101,"midstream":0,"ts_msec":1578508366119,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"206.189.107.35","src_port":56686,"dst_port":30303,"l4_proto":"tcp","ndpi": {"flow_risk": {"22":"Unsafe Protocol"},"proto":"Mining","breed":"Unsafe","category":"Mining"}}
@@ -366,7 +366,7 @@
00564{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2000,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":60,"flow_packets_processed":1,"flow_first_seen":1578508365567,"flow_last_seen":1578508365567,"flow_idle_time":180000,"flow_min_l4_payload_len":128,"flow_max_l4_payload_len":128,"flow_tot_l4_payload_len":128,"flow_avg_l4_payload_len":128,"midstream":0,"ts_msec":1578508366135,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"106.12.39.168","src_port":30303,"dst_port":30333,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00564{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2000,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":74,"flow_packets_processed":4,"flow_first_seen":1578508366073,"flow_last_seen":1578508366119,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":407,"flow_tot_l4_payload_len":407,"flow_avg_l4_payload_len":101,"midstream":0,"ts_msec":1578508366135,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"206.189.107.35","src_port":56686,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00564{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":2000,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":13,"flow_packets_processed":42,"flow_first_seen":1578508364522,"flow_last_seen":1578508364664,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":495,"flow_tot_l4_payload_len":1247,"flow_avg_l4_payload_len":29,"midstream":0,"ts_msec":1578508366135,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"35.158.244.151","src_port":56615,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
-00593{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":2000,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":42,"flow_packets_processed":1,"flow_first_seen":1578508365038,"flow_last_seen":1578508365038,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1578508366135,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"13.230.108.42","src_port":56644,"dst_port":30303,"l4_proto":"tcp","ndpi": {"proto":"Mining.Amazon","breed":"Acceptable","category":"Web"}}
+00598{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":2000,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":42,"flow_packets_processed":1,"flow_first_seen":1578508365038,"flow_last_seen":1578508365038,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1578508366135,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"13.230.108.42","src_port":56644,"dst_port":30303,"l4_proto":"tcp","ndpi": {"proto":"Mining.AmazonAWS","breed":"Acceptable","category":"Cloud"}}
00557{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2000,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":42,"flow_packets_processed":1,"flow_first_seen":1578508365038,"flow_last_seen":1578508365038,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1578508366135,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"13.230.108.42","src_port":56644,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00561{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":2000,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":25,"flow_packets_processed":38,"flow_first_seen":1578508364632,"flow_last_seen":1578508364787,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":421,"flow_tot_l4_payload_len":1065,"flow_avg_l4_payload_len":28,"midstream":0,"ts_msec":1578508366135,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"51.38.60.79","src_port":56629,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00562{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":2000,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":28,"flow_packets_processed":41,"flow_first_seen":1578508364682,"flow_last_seen":1578508364899,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":479,"flow_tot_l4_payload_len":1222,"flow_avg_l4_payload_len":29,"midstream":0,"ts_msec":1578508366135,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"51.38.81.180","src_port":56632,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -390,11 +390,11 @@
00565{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2000,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":58,"flow_packets_processed":4,"flow_first_seen":1578508365408,"flow_last_seen":1578508365790,"flow_idle_time":180000,"flow_min_l4_payload_len":128,"flow_max_l4_payload_len":150,"flow_tot_l4_payload_len":554,"flow_avg_l4_payload_len":138,"midstream":0,"ts_msec":1578508366135,"l3_proto":"ip4","src_ip":"183.129.242.164","dst_ip":"192.168.1.184","src_port":1024,"dst_port":30303,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00565{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":2000,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":22,"flow_packets_processed":69,"flow_first_seen":1578508364523,"flow_last_seen":1578508364687,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":546,"flow_tot_l4_payload_len":1846,"flow_avg_l4_payload_len":26,"midstream":0,"ts_msec":1578508366135,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"178.128.195.220","src_port":56626,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00565{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2000,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":51,"flow_packets_processed":24,"flow_first_seen":1578508365194,"flow_last_seen":1578508366069,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":494,"flow_tot_l4_payload_len":1326,"flow_avg_l4_payload_len":55,"midstream":0,"ts_msec":1578508366135,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"202.112.28.106","src_port":56655,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
-00582{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":2000,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":21,"flow_packets_processed":2,"flow_first_seen":1578508364523,"flow_last_seen":1578508365619,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1578508366135,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"5.1.83.226","src_port":56625,"dst_port":30303,"l4_proto":"tcp","ndpi": {"proto":"Mining","breed":"Unsafe","category":"Mining"}}
+00620{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":2000,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":21,"flow_packets_processed":2,"flow_first_seen":1578508364523,"flow_last_seen":1578508365619,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1578508366135,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"5.1.83.226","src_port":56625,"dst_port":30303,"l4_proto":"tcp","ndpi": {"flow_risk": {"22":"Unsafe Protocol"},"proto":"Mining","breed":"Unsafe","category":"Mining"}}
00554{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2000,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":21,"flow_packets_processed":2,"flow_first_seen":1578508364523,"flow_last_seen":1578508365619,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1578508366135,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"5.1.83.226","src_port":56625,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00561{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":2000,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":24,"flow_packets_processed":42,"flow_first_seen":1578508364523,"flow_last_seen":1578508364937,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":470,"flow_tot_l4_payload_len":1169,"flow_avg_l4_payload_len":27,"midstream":0,"ts_msec":1578508366135,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"3.209.45.79","src_port":56628,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00562{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":2000,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":29,"flow_first_seen":1578508364523,"flow_last_seen":1578508365656,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":472,"flow_tot_l4_payload_len":1379,"flow_avg_l4_payload_len":47,"midstream":0,"ts_msec":1578508366135,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"34.97.172.22","src_port":56617,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
-00586{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":2000,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":35,"flow_packets_processed":2,"flow_first_seen":1578508364922,"flow_last_seen":1578508366029,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1578508366135,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"35.233.197.131","src_port":56637,"dst_port":30303,"l4_proto":"tcp","ndpi": {"proto":"Mining","breed":"Unsafe","category":"Mining"}}
+00624{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":2000,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":35,"flow_packets_processed":2,"flow_first_seen":1578508364922,"flow_last_seen":1578508366029,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1578508366135,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"35.233.197.131","src_port":56637,"dst_port":30303,"l4_proto":"tcp","ndpi": {"flow_risk": {"22":"Unsafe Protocol"},"proto":"Mining","breed":"Unsafe","category":"Mining"}}
00558{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2000,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":35,"flow_packets_processed":2,"flow_first_seen":1578508364922,"flow_last_seen":1578508366029,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1578508366135,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"35.233.197.131","src_port":56637,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00562{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":2000,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":54,"flow_packets_processed":65,"flow_first_seen":1578508365271,"flow_last_seen":1578508365838,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":573,"flow_tot_l4_payload_len":1762,"flow_avg_l4_payload_len":27,"midstream":0,"ts_msec":1578508366135,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"51.161.23.12","src_port":56660,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00561{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":2000,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":55,"flow_packets_processed":53,"flow_first_seen":1578508365279,"flow_last_seen":1578508366038,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":472,"flow_tot_l4_payload_len":1652,"flow_avg_l4_payload_len":31,"midstream":0,"ts_msec":1578508366135,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"52.9.128.68","src_port":56661,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -437,9 +437,9 @@
~~ total active/idle flows...: 74/74
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 2220844 bytes
-~~ total memory freed........: 2220844 bytes
-~~ total allocations/frees...: 37612/37612
+~~ total memory allocated....: 4852207 bytes
+~~ total memory freed........: 4852207 bytes
+~~ total allocations/frees...: 101808/101808
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 165 chars
~~ json string max len.......: 1978 chars
diff --git a/test/results/ethernetIP.pcap.out b/test/results/ethernetIP.pcap.out
new file mode 100644
index 000000000..806533a26
--- /dev/null
+++ b/test/results/ethernetIP.pcap.out
@@ -0,0 +1,41 @@
+00444{"daemon_event_id":1,"daemon_event_name":"init","thread_id":0,"packet_id":0,"source":"ethernetIP.pcap","alias":"nDPId-test","max-flows-per-thread":2048,"max-idle-flows-per-thread":256,"tick-resolution":1000,"reader-thread-count":1,"flow-scan-interval":10000,"generic-max-idle-time":600000,"icmp-max-idle-time":120000,"udp-max-idle-time":180000,"tcp-max-idle-time":7560000,"max-packets-per-flow-to-send":3,"max-packets-per-flow-to-process":255}
+00554{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1,"source":"ethernetIP.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1352718180263,"flow_last_seen":1352718180263,"flow_idle_time":7440000,"flow_min_l4_payload_len":82,"flow_max_l4_payload_len":82,"flow_tot_l4_payload_len":82,"flow_avg_l4_payload_len":82,"midstream":1,"ts_msec":1352718180263,"l3_proto":"ip4","src_ip":"141.81.0.10","dst_ip":"141.81.0.83","src_port":50275,"dst_port":44818,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
+00559{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"ethernetIP.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_last_seen":1352718180263,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":136,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":136,"pkt_l4_len":102,"ts_msec":1352718180263,"pkt":"AAC80WDaeOfR4AJeCABFAAB6cCZAAIAGAACNUQAKjVEAU8RjrxLdiI2HlJVDUVAY+XQbbAAAcAA6AAABAhAAAAAAGjkvAAAAAAAAAAAAAAAAAAoAAgChAAQACRM1ALEAJgDkagoCIAIkAQIABgASAEwCIHIkAADOBAABAEwCIHIkACw9BAABAA=="}
+00452{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"ethernetIP.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_last_seen":1352718180264,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"ts_msec":1352718180264,"pkt":"eOfR4AJeAAC80WDaCABFAAAowW9AAEAGXmGNUQBTjVEACq8SxGOUlUNR3YiN2VAQD8bOTwAAAAAAAI1R"}
+02063{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"ethernetIP.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_last_seen":1352718180264,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":1258,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1258,"pkt_l4_len":1224,"ts_msec":1352718180264,"pkt":"AAC80WDaeOfR4AJeCABFAATccChAAIAGAACNUQAKjVEAU8RjrxLdiI3ZlJVDUVAY+XQfzgAAcAAsAAABAhAAAAAAGzkvAAAAAAAAAAAAAAAAAAoAAgChAAQAChU1ALEAGACvuAoCIAIkAQEABABMAiByJAAEggYAAQBwADoAAAECEAAAAAAcOS8AAAAAAAAAAAAAAAAACgACAKEABAAFCzUAsQAmAHuyCgIgAiQBAgAGABIATAIgciQAGLcEAAEATAIgciQAvFQGAAEAcAAsAAABAhAAAAAAHTkvAAAAAAAAAAAAAAAAAAoAAgChAAQABg01ALEAGAAHpAoCIAIkAQEABABMAiByJAAEggYAAQBwAKoAAAECEAAAAAAeOS8AAAAAAAAAAAAAAAAACgACAKEABAABAzUAsQCWABkzCgIgAiQBCgAWACIALgA6AEYAUgBeAGoAdgCCAEwCIHIkAHR\/BwABAEwCIHIkANiMBAABAEwCIHIkAITEBAABAEwCIHIkAAznBQABAEwCIHIkABh0BwABAEwCIHIkADS+BgABAEwCIHIkABDjBAABAEwCIHIkADQ\/BgABAEwCIHIkADS8BQABAEwCIHIkADTGBgABAHAA4gAAAQIQAAAAAB85LwAAAAAAAAAAAAAAAAAKAAIAoQAEAAIFNQCxAM4AoxkKAiACJAEOAB4AKgA2AEIATgBaAGYAcgB+AIoAlgCiAK4AugBMAiByJACUpgQAAQBMAiByJABAoQYAAQBMAiByJADc\/QUAAQBMAiByJAD0hgUABgBMAiByJAAs5QUAAQBMAiByJACYFAcAAQBMAiByJACkkwYAAQBMAiByJABstwQABABMAiByJAA8cgQAAQBMAiByJAC8oAQAAQBMAiByJABQpQUAAQBMAiByJABY4wQAAQBMAiByJAC4xwcAAwBMAiByJAC0zwQAAQBwACwAAAECEAAAAAAgOS8AAAAAAAAAAAAAAAAACgACAKEABAADBzUAsQAYAHenCgIgAiQBAQAEAEwCIHIkAGiiBwAJAHAAwgEAAQIQAAAAACE5LwAAAAAAAAAAAAAAAAAKAAIAoQAEAAQJNQCxAK4Bf58KAiACJAEeAD4ASgBWAGIAbgB6AIYAkgCeAKoAtgDCAM4A2gDmAPIA\/gAKARYBIgEuAToBRgFSAV4BagF2AYIBjgGaAUwCIHIkAIx0BwABAEwCIHIkAKiiBwABAEwCIHIkAJg0BAABAEwCIHIkADgxBwABAEwCIHIkAChvBgABAEwCIHIkACiNBgABAEwCIHIkAAgQBgABAEwCIHIkANRpBwABAEwCIHIkAEB1BgABAEwCIHIkAPQcBgABAEwCIHIkAOwZBgABAEwCIHIkAIizBwABAEwCIHIkAOQgBgABAEwCIHIkAMgaBgABAEwCIHIkAGQ5BwABAEwCIHIkADi\/BgABAEwCIHIkACivBQABAEwCIHIkABwhBgABAEwCIHIkAEj1BQABAEwCIHIkAFT1BgABAEwCIHIkAAA8BgABAEwCIHIkAMRfBwABAEwCIHIkALCqBQABAEwCIHIkAKC1BgABAEwCIHIkAMT8BwABAEwCIHIkAMB0BgABAE
wCIHIkAEzoBwABAEwCIHIkAGguBAABAEwCIHIkAHyvBQABAEwCIHIkALwJBgABAA=="}
+00554{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":4,"source":"ethernetIP.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":1,"flow_first_seen":1352718180265,"flow_last_seen":1352718180265,"flow_idle_time":7440000,"flow_min_l4_payload_len":72,"flow_max_l4_payload_len":72,"flow_tot_l4_payload_len":72,"flow_avg_l4_payload_len":72,"midstream":1,"ts_msec":1352718180265,"l3_proto":"ip4","src_ip":"141.81.0.63","dst_ip":"141.81.0.10","src_port":44818,"dst_port":52593,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
+00543{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4,"source":"ethernetIP.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_last_seen":1352718180265,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":126,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":126,"pkt_l4_len":92,"ts_msec":1352718180265,"pkt":"eOfR4AJeAAC8x85WCABFAABwk1RAAEAGjEiNUQA\/jVEACq8SzXF9dCfmE+ef0VAYEACJaQAAcAAwAAAFAhMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgChAAQAncYAgLEAHAAzNYoAAAACAAYADgDMAAAAAQAAAMwAAAAFAAAA"}
+00893{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":5,"source":"ethernetIP.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_last_seen":1352718180265,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":386,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":386,"pkt_l4_len":352,"ts_msec":1352718180265,"pkt":"AAC8x85WeOfR4AJeCABFAAF0cCpAAIAGAACNUQAKjVEAP81xrxIT55\/RfXQoLlAY9kIcUgAAcAA6AAAFAhMAAAAAZsC+AAAAAAAAAAAAAAAAAAoAAgChAAQABy8uALEAJgDoRwoCIAIkAQIABgASAEwCIHIkABi3BAABAEwCIHIkADxUBgABAHAA4gAABQITAAAAAGfAvgAAAAAAAAAAAAAAAAAKAAIAoQAEAAMnLgCxAM4AUkkKAiACJAEOAB4AKgA2AEIATgBaAGYAcgB+AIoAlgCiAK4AugBMAiByJACUpgQAAQBMAiByJABEoQYAAQBMAiByJABc\/QUAAQBMAiByJAB0hgUABgBMAiByJACs5AUAAQBMAiByJACcFAcAAQBMAiByJACokwYAAQBMAiByJABstwQABABMAiByJAA8cgQAAQBMAiByJAC8oAQAAQBMAiByJADQpAUAAQBMAiByJABY4wQAAQBMAiByJAC8xwcAAwBMAiByJAC0zwQAAQA="}
+00543{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":8,"source":"ethernetIP.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_last_seen":1352718180276,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":126,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":126,"pkt_l4_len":92,"ts_msec":1352718180276,"pkt":"eOfR4AJeAAC8x85WCABFAABwk1ZAAEAGjEaNUQA\/jVEACq8SzXF9dCguE+ehHVAYEADbwgAAcAAwAAAFAhMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgChAAQAlcYAgLEAHADoR4oAAAACAAYADgDMAAAAAAAAAMwAAAAFAAAA"}
+00559{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":33,"source":"ethernetIP.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":1,"flow_first_seen":1352718180390,"flow_last_seen":1352718180390,"flow_idle_time":7440000,"flow_min_l4_payload_len":194,"flow_max_l4_payload_len":194,"flow_tot_l4_payload_len":194,"flow_avg_l4_payload_len":194,"midstream":1,"ts_msec":1352718180390,"l3_proto":"ip4","src_ip":"141.81.0.10","dst_ip":"141.81.0.43","src_port":52594,"dst_port":44818,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
+00708{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":33,"source":"ethernetIP.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_last_seen":1352718180390,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":248,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":248,"pkt_l4_len":214,"ts_msec":1352718180390,"pkt":"AAC8X0j6eOfR4AJeCABFAADqcEVAAIAGAACNUQAKjVEAK81yrxIurdArV0tI1VAY+M4btAAAcACqAAAEAhAAAAAAVgG6AAAAAAAAAAAAAAAAAAoAAgChAAQAASuWALEAlgBI5QoCIAIkAQoAFgAiAC4AOgBGAFIAXgBqAHYAggBMAiByJABI8gcAAQBMAiByJAAY8QQAAQBMAiByJABUPgUAAQBMAiByJAB42QcAAQBMAiByJAC8YQYAAQBMAiByJAAgzgQAAQBMAiByJAC8LgUAAQBMAiByJACcBgQAAQBMAiByJACwAQYAAQBMAiByJAD8DwQAAQA="}
+00653{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":34,"source":"ethernetIP.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_last_seen":1352718180392,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":206,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":206,"pkt_l4_len":172,"ts_msec":1352718180392,"pkt":"eOfR4AJeAAC8X0j6CABFAADAqJJAAEAGds6NUQArjVEACq8SzXJXS0jVLq3Q7VAYEAA2UAAAcACAAAAEAhAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgChAAQApcYAgLEAbABI5YoAAAAKABYAHgAmAC4ANgA+AEYATgBWAF4AzAAAAGC0GD\/MAAAAM1O1QswAAAC1P4xBzAAAAAAAAADMAAAAYLQYP8wAAAAAAKBAzAAAAAAAAEDMAAAAAAAAAMwAAAAAAAAAzAAAAAAAAAA="}
+01080{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":35,"source":"ethernetIP.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_last_seen":1352718180392,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":528,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":528,"pkt_l4_len":494,"ts_msec":1352718180392,"pkt":"AAC8X0j6eOfR4AJeCABFAAICcEdAAIAGAACNUQAKjVEAK81yrxIurdDtV0tJbVAY+DYczAAAcADCAQAEAhAAAAAAVwG6AAAAAAAAAAAAAAAAAAoAAgChAAQAAi2WALEArgFJUwoCIAIkAR4APgBKAFYAYgBuAHoAhgCSAJ4AqgC2AMIAzgDaAOYA8gD+AAoBFgEiAS4BOgFGAVIBXgFqAXYBggGOAZoBTAIgciQALBwHAAEATAIgciQA0BsGAAEATAIgciQAsBQHAAEATAIgciQA3PMHAAEATAIgciQAnDYFAAEATAIgciQAvAcHAAEATAIgciQAkNEFAAEATAIgciQAAH8HAAEATAIgciQATCMGAAEATAIgciQAOEkGAAEATAIgciQALIcEAAEATAIgciQAALQFAAEATAIgciQAqHwFAAEATAIgciQATJYHAAEATAIgciQAaBgHAAEATAIgciQA3PsGAAEATAIgciQATLwGAAEATAIgciQAGB0IAAEATAIgciQAcFMHAAEATAIgciQAvIMFAAEATAIgciQAvBkGAAEATAIgciQAOJQFAAEATAIgciQATLEFAAEATAIgciQA9HoGAAEATAIgciQApPIGAAEATAIgciQAFIEEAAEATAIgciQA2PAEAAEATAIgciQA+FMGAAEATAIgciQA2PUGAAEATAIgciQApF8HAAEA"}
+00559{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":37,"source":"ethernetIP.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":1,"flow_first_seen":1352718180397,"flow_last_seen":1352718180397,"flow_idle_time":7440000,"flow_min_l4_payload_len":194,"flow_max_l4_payload_len":194,"flow_tot_l4_payload_len":194,"flow_avg_l4_payload_len":194,"midstream":1,"ts_msec":1352718180397,"l3_proto":"ip4","src_ip":"141.81.0.10","dst_ip":"141.81.0.23","src_port":62717,"dst_port":44818,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
+00709{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":37,"source":"ethernetIP.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":1,"flow_last_seen":1352718180397,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":248,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":248,"pkt_l4_len":214,"ts_msec":1352718180397,"pkt":"AAC8X0lReOfR4AJeCABFAADqcEpAAIAGAACNUQAKjVEAF\/T9rxIm2H0TxmFi41AY9W4boAAAcACqAAABAhAAAAAAo6iTAAAAAAAAAAAAAAAAAAoAAgChAAQAAQOLALEAlgBx7AoCIAIkAQQACgAoAEYAagBODJEWTE1TX0RJU0FCTEVfMkRTQ0FOTkVSMQEAAf9ODJEWTE1TX0RJU0FCTEVfMkRTQ0FOTkVSMgEAAf9OD5EbTE1TX0RJU0FCTEVfQkFSQ09ERV9TQ0FOTkVSAAEAAP5OD5EbTE1TX1NFVFBPSU5UQ0hBTkdFX1JFQ0VJVkVEAAEAAP4="}
+00551{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":38,"source":"ethernetIP.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_last_seen":1352718180400,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":130,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":130,"pkt_l4_len":96,"ts_msec":1352718180400,"pkt":"eOfR4AJeAAC8X0lRCABFAAB0TSZAAEAG0pqNUQAXjVEACq8S9P3GYWLjJth91VAYEADGbgAAcAA0AAABAhAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgChAAQAtccAgLEAIABx7IoAAAAEAAoADgASABYAzgAAAM4AAADOAAAAzgAAAA=="}
+00446{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":52,"source":"ethernetIP.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_last_seen":1352718180599,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1352718180599,"pkt":"AAC8X0lReOfR4AJeCABFAAAocJ5AAIAGAACNUQAKjVEAF\/T9rxIm2H3VxmFjL1AQ+vAa3gAA"}
+00599{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":100,"source":"ethernetIP.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":28,"flow_first_seen":1352718180263,"flow_last_seen":1352718180959,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1204,"flow_tot_l4_payload_len":3766,"flow_avg_l4_payload_len":134,"midstream":1,"ts_msec":1352718181050,"l3_proto":"ip4","src_ip":"141.81.0.10","dst_ip":"141.81.0.83","src_port":50275,"dst_port":44818,"l4_proto":"tcp","ndpi": {"proto":"EthernetIP","breed":"Acceptable","category":"Network"}}
+00562{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":100,"source":"ethernetIP.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":28,"flow_first_seen":1352718180263,"flow_last_seen":1352718180959,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1204,"flow_tot_l4_payload_len":3766,"flow_avg_l4_payload_len":134,"midstream":1,"ts_msec":1352718181050,"l3_proto":"ip4","src_ip":"141.81.0.10","dst_ip":"141.81.0.83","src_port":50275,"dst_port":44818,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
+00598{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":100,"source":"ethernetIP.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":22,"flow_first_seen":1352718180397,"flow_last_seen":1352718181046,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":474,"flow_tot_l4_payload_len":2398,"flow_avg_l4_payload_len":109,"midstream":1,"ts_msec":1352718181050,"l3_proto":"ip4","src_ip":"141.81.0.10","dst_ip":"141.81.0.23","src_port":62717,"dst_port":44818,"l4_proto":"tcp","ndpi": {"proto":"EthernetIP","breed":"Acceptable","category":"Network"}}
+00561{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":100,"source":"ethernetIP.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":22,"flow_first_seen":1352718180397,"flow_last_seen":1352718181046,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":474,"flow_tot_l4_payload_len":2398,"flow_avg_l4_payload_len":109,"midstream":1,"ts_msec":1352718181050,"l3_proto":"ip4","src_ip":"141.81.0.10","dst_ip":"141.81.0.23","src_port":62717,"dst_port":44818,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
+00598{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":100,"source":"ethernetIP.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":29,"flow_first_seen":1352718180265,"flow_last_seen":1352718181047,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":474,"flow_tot_l4_payload_len":3114,"flow_avg_l4_payload_len":107,"midstream":1,"ts_msec":1352718181050,"l3_proto":"ip4","src_ip":"141.81.0.63","dst_ip":"141.81.0.10","src_port":44818,"dst_port":52593,"l4_proto":"tcp","ndpi": {"proto":"EthernetIP","breed":"Acceptable","category":"Network"}}
+00561{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":100,"source":"ethernetIP.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":29,"flow_first_seen":1352718180265,"flow_last_seen":1352718181047,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":474,"flow_tot_l4_payload_len":3114,"flow_avg_l4_payload_len":107,"midstream":1,"ts_msec":1352718181050,"l3_proto":"ip4","src_ip":"141.81.0.63","dst_ip":"141.81.0.10","src_port":44818,"dst_port":52593,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
+00598{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":100,"source":"ethernetIP.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":21,"flow_first_seen":1352718180390,"flow_last_seen":1352718181050,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":474,"flow_tot_l4_payload_len":2598,"flow_avg_l4_payload_len":123,"midstream":1,"ts_msec":1352718181050,"l3_proto":"ip4","src_ip":"141.81.0.10","dst_ip":"141.81.0.43","src_port":52594,"dst_port":44818,"l4_proto":"tcp","ndpi": {"proto":"EthernetIP","breed":"Acceptable","category":"Network"}}
+00561{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":100,"source":"ethernetIP.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":21,"flow_first_seen":1352718180390,"flow_last_seen":1352718181050,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":474,"flow_tot_l4_payload_len":2598,"flow_avg_l4_payload_len":123,"midstream":1,"ts_msec":1352718181050,"l3_proto":"ip4","src_ip":"141.81.0.10","dst_ip":"141.81.0.43","src_port":52594,"dst_port":44818,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
+00160{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":100,"source":"ethernetIP.pcap","alias":"nDPId-test","total-events-serialized":26}
+~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
+~~ packets captured/processed: 100/100
+~~ skipped flows.............: 0
+~~ total layer4 data length..: 11876 bytes
+~~ total detected protocols..: 0
+~~ total active/idle flows...: 4/4
+~~ total timeout flows.......: 0
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~ total memory allocated....: 4672833 bytes
+~~ total memory freed........: 4672833 bytes
+~~ total allocations/frees...: 99671/99671
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~ json string min len.......: 165 chars
+~~ json string max len.......: 2068 chars
+~~ json string avg len.......: 1186 chars
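Review bot: This new expectation never pins a positive EtherNet/IP match: all four flows are `midstream:1`, none emits a `detected` event, each gets the `EthernetIP` label only from the `guessed` event at `packet_id` 100, and the summary records `total detected protocols..: 0`. Presumably the guess rests on TCP port 44818 rather than on payload inspection, in which case this file would stay unchanged if the dissector itself regressed. For an industrial protocol whose label monitoring consumers may act on, it would help to say so where the test captures are described, e.g. `ethernetIP.pcap: midstream capture, covers the guessed path only`. A second capture that includes the session start would cover the dissector if one is available.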
diff --git a/test/results/exe_download.pcap.out b/test/results/exe_download.pcap.out
index a3cc22653..7fb69079b 100644
--- a/test/results/exe_download.pcap.out
+++ b/test/results/exe_download.pcap.out
@@ -15,9 +15,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1948591 bytes
-~~ total memory freed........: 1948591 bytes
-~~ total allocations/frees...: 36044/36044
+~~ total memory allocated....: 4610906 bytes
+~~ total memory freed........: 4610906 bytes
+~~ total allocations/frees...: 100240/100240
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 166 chars
~~ json string max len.......: 856 chars
diff --git a/test/results/exe_download_as_png.pcap.out b/test/results/exe_download_as_png.pcap.out
index 9fbbdea29..20c8f38dd 100644
--- a/test/results/exe_download_as_png.pcap.out
+++ b/test/results/exe_download_as_png.pcap.out
@@ -15,9 +15,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1943665 bytes
-~~ total memory freed........: 1943665 bytes
-~~ total allocations/frees...: 35875/35875
+~~ total memory allocated....: 4605980 bytes
+~~ total memory freed........: 4605980 bytes
+~~ total allocations/frees...: 100071/100071
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 173 chars
~~ json string max len.......: 834 chars
diff --git a/test/results/facebook.pcap.out b/test/results/facebook.pcap.out
index 82852a24d..3f4896cdc 100644
--- a/test/results/facebook.pcap.out
+++ b/test/results/facebook.pcap.out
@@ -5,7 +5,7 @@
00458{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"facebook.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_last_seen":1472393122668,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1472393122668,"pkt":"mAyC0zx8MFLLbJwbCABFAAA04NBAAEAGjxjAqCsSQtycRMtiAbv14btz7B3zc4AQAOXLAQAAAQEICgBLXBi7uwhk"}
00806{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"facebook.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":4,"flow_first_seen":1472393122365,"flow_last_seen":1472393122668,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":196,"flow_tot_l4_payload_len":196,"flow_avg_l4_payload_len":49,"midstream":0,"ts_msec":1472393122668,"l3_proto":"ip4","src_ip":"192.168.43.18","dst_ip":"66.220.156.68","src_port":52066,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Facebook","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"facebook.com","ja3":"bfcc1a3891601edb4f137ab7ab25b840","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,spdy\/3.1,http\/1.1"}}
00865{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"facebook.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":6,"flow_first_seen":1472393122365,"flow_last_seen":1472393122981,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1388,"flow_tot_l4_payload_len":1584,"flow_avg_l4_payload_len":264,"midstream":0,"ts_msec":1472393122981,"l3_proto":"ip4","src_ip":"192.168.43.18","dst_ip":"66.220.156.68","src_port":52066,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Facebook","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"facebook.com","ja3":"bfcc1a3891601edb4f137ab7ab25b840","ja3s":"2d1eb5817ece335c24904f516ad5da12","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","alpn":"h2,spdy\/3.1,http\/1.1"}}
-01309{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":10,"source":"facebook.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":10,"flow_first_seen":1472393122365,"flow_last_seen":1472393122982,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1388,"flow_tot_l4_payload_len":3369,"flow_avg_l4_payload_len":336,"midstream":0,"ts_msec":1472393122982,"l3_proto":"ip4","src_ip":"192.168.43.18","dst_ip":"66.220.156.68","src_port":52066,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Facebook","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"facebook.com","server_names":"*.facebook.com,*.facebook.net,*.fb.com,*.fbcdn.net,*.fbsbx.com,*.m.facebook.com,*.messenger.com,*.xx.fbcdn.net,*.xy.fbcdn.net,*.xz.fbcdn.net,facebook.com,fb.com,messenger.com","ja3":"bfcc1a3891601edb4f137ab7ab25b840","ja3s":"2d1eb5817ece335c24904f516ad5da12","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","issuerDN":"C=US, ST=CA, L=Menlo Park, O=Facebook, Inc., CN=*.facebook.com","alpn":"h2,spdy\/3.1,http\/1.1","fingerprint":"A0:4E:AF:B3:48:C2:6B:15:A8:C1:AA:87:A3:33:CA:A3:CD:EE:C9:C9"}}
+01310{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":10,"source":"facebook.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":10,"flow_first_seen":1472393122365,"flow_last_seen":1472393122982,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1388,"flow_tot_l4_payload_len":3369,"flow_avg_l4_payload_len":336,"midstream":0,"ts_msec":1472393122982,"l3_proto":"ip4","src_ip":"192.168.43.18","dst_ip":"66.220.156.68","src_port":52066,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Facebook","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"facebook.com","server_names":"*.facebook.com,*.facebook.net,*.fb.com,*.fbcdn.net,*.fbsbx.com,*.m.facebook.com,*.messenger.com,*.xx.fbcdn.net,*.xy.fbcdn.net,*.xz.fbcdn.net,facebook.com,fb.com,messenger.com","ja3":"bfcc1a3891601edb4f137ab7ab25b840","ja3s":"2d1eb5817ece335c24904f516ad5da12","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","subjectDN":"C=US, ST=CA, L=Menlo Park, O=Facebook, Inc., CN=*.facebook.com","alpn":"h2,spdy\/3.1,http\/1.1","fingerprint":"A0:4E:AF:B3:48:C2:6B:15:A8:C1:AA:87:A3:33:CA:A3:CD:EE:C9:C9"}}
00549{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":19,"source":"facebook.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":1,"flow_first_seen":1472393123550,"flow_last_seen":1472393123550,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1472393123550,"l3_proto":"ip4","src_ip":"192.168.43.18","dst_ip":"31.13.86.36","src_port":44614,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00471{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":19,"source":"facebook.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_last_seen":1472393123550,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1472393123550,"pkt":"mAyC0zx8MFLLbJwbCABFAAA8dR1AAEAGZLPAqCsSHw1WJK5GAbsvASg9AAAAAKACchBhGgAAAgQFtAQCCAoAS10gAAAAAAEDAwc="}
00471{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":21,"source":"facebook.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_last_seen":1472393123682,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1472393123682,"pkt":"MFLLbJwbmAyC0zx8CABFAAA8AABAAFMGxtAfDVYkwKgrEgG7rkZw6dh2LwEoPqASNpwMewAAAgQFeAQCCAolRdDWAEtdIAEDAwg="}
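Review bot: The removed `detection-update` expectation carried `issuerDN` twice inside one `tls` object, so the golden file had been pinning a duplicate-key JSON document without anything in the result comparison flagging it. With a last-key-wins parser the certificate subject (`CN=*.facebook.com`) would have been reported as the issuer, which matters to any consumer that matches on issuer. The `subjectDN` key fixes this instance, but rejecting repeated keys wherever these lines are validated against `schema/flow_event_schema.json` would catch the next one. In a Python validator that could be `json.loads(line, object_pairs_hook=reject_duplicates)`, where `reject_duplicates` is a name constructed here for a hook that raises on a repeated key. The validator is not visible in this hunk, so how it parses today is an assumption.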
@@ -23,10 +23,10 @@
~~ total active/idle flows...: 2/2
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1942801 bytes
-~~ total memory freed........: 1942801 bytes
-~~ total allocations/frees...: 35422/35422
+~~ total memory allocated....: 4604692 bytes
+~~ total memory freed........: 4604692 bytes
+~~ total allocations/frees...: 99618/99618
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 162 chars
-~~ json string max len.......: 1314 chars
-~~ json string avg len.......: 808 chars
+~~ json string max len.......: 1315 chars
+~~ json string avg len.......: 809 chars
diff --git a/test/results/firefox.pcap.out b/test/results/firefox.pcap.out
index cf0e738e1..9ee50b235 100644
--- a/test/results/firefox.pcap.out
+++ b/test/results/firefox.pcap.out
@@ -3,20 +3,20 @@
00475{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"firefox.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_last_seen":1620927997754,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"ts_msec":1620927997754,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGrBvAqAGykjA6Esl5AbuZmizAAAAAALAC\/\/9OVwAAAgQFtAEDAwUBAQgKNAyUbQAAAAAEAgAA"}
00470{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"firefox.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_last_seen":1620927997781,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1620927997781,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADQGuB+SMDoSwKgBsgG7yXkJiZGFmZoswaAS\/oiCawAAAgQFrAQCCAo8IAcuNAyUbQEDAwc="}
00457{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"firefox.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_last_seen":1620927997781,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1620927997781,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGrCfAqAGykjA6Esl5AbuZmizBCYmRhoAQECyfcgAAAQEICjQMlIc8IAcu"}
-00822{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"firefox.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":4,"flow_first_seen":1620927997754,"flow_last_seen":1620927997782,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1620927997782,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51577,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.iit.cnr.it","ja3":"1fd36067223570569bbf156fece40978","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
-00863{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"firefox.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":6,"flow_first_seen":1620927997754,"flow_last_seen":1620927997814,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":1957,"flow_avg_l4_payload_len":326,"midstream":0,"ts_msec":1620927997814,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51577,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"www.iit.cnr.it","ja3":"1fd36067223570569bbf156fece40978","ja3s":"15af977ce25de452b96affa2addb1036","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
+00822{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"firefox.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":4,"flow_first_seen":1620927997754,"flow_last_seen":1620927997782,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1620927997782,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51577,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.iit.cnr.it","ja3":"aa7744226c695c0b2e440419848cf700","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
+00863{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"firefox.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":6,"flow_first_seen":1620927997754,"flow_last_seen":1620927997814,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":1957,"flow_avg_l4_payload_len":326,"midstream":0,"ts_msec":1620927997814,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51577,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"www.iit.cnr.it","ja3":"aa7744226c695c0b2e440419848cf700","ja3s":"15af977ce25de452b96affa2addb1036","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
00549{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":30,"source":"firefox.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":1,"flow_first_seen":1620927998782,"flow_last_seen":1620927998782,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1620927998782,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51583,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00478{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":30,"source":"firefox.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_last_seen":1620927998782,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"ts_msec":1620927998782,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGrBvAqAGykjA6Esl\/AbveSGQcAAAAALAC\/\/\/OTgAAAgQFtAEDAwUBAQgKNAyYZQAAAAAEAgAA"}
00549{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":42,"source":"firefox.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":1,"flow_first_seen":1620927998806,"flow_last_seen":1620927998806,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1620927998806,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51588,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00477{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":42,"source":"firefox.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_last_seen":1620927998806,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"ts_msec":1620927998806,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGrBvAqAGykjA6EsmEAbtCftk8AAAAALAC\/\/\/03wAAAgQFtAEDAwUBAQgKNAyYeQAAAAAEAgAA"}
00472{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":43,"source":"firefox.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_last_seen":1620927998817,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1620927998817,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADQGuB+SMDoSwKgBsgG7yX\/JSxfE3khkHaAS\/oi4VgAAAgQFrAQCCAo8IAs5NAyYZQEDAwc="}
00459{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":44,"source":"firefox.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_last_seen":1620927998817,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1620927998817,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGrCfAqAGykjA6Esl\/AbveSGQdyUsXxYAQECzVWgAAAQEICjQMmII8IAs5"}
-00823{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":45,"source":"firefox.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":4,"flow_first_seen":1620927998782,"flow_last_seen":1620927998820,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":680,"flow_tot_l4_payload_len":680,"flow_avg_l4_payload_len":170,"midstream":0,"ts_msec":1620927998820,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51583,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.iit.cnr.it","ja3":"ab78a7ef7106e8144808f22ab4a26dc8","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
+00823{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":45,"source":"firefox.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":4,"flow_first_seen":1620927998782,"flow_last_seen":1620927998820,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":680,"flow_tot_l4_payload_len":680,"flow_avg_l4_payload_len":170,"midstream":0,"ts_msec":1620927998820,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51583,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.iit.cnr.it","ja3":"df208241e7f3897d4ca38cfe68eabb21","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
00471{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":48,"source":"firefox.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_last_seen":1620927998833,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1620927998833,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADQGuB+SMDoSwKgBsgG7yYRFBnlrQn7ZPaAS\/ogBdQAAAgQFrAQCCAo8IAtKNAyYeQEDAwc="}
00458{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":49,"source":"firefox.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_last_seen":1620927998833,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1620927998833,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGrCfAqAGykjA6EsmEAbtCftk9RQZ5bIAQECwefwAAAQEICjQMmJA8IAtK"}
-00823{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":62,"source":"firefox.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":4,"flow_first_seen":1620927998806,"flow_last_seen":1620927998850,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":680,"flow_tot_l4_payload_len":680,"flow_avg_l4_payload_len":170,"midstream":0,"ts_msec":1620927998850,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51588,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.iit.cnr.it","ja3":"ab78a7ef7106e8144808f22ab4a26dc8","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
-00862{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":63,"source":"firefox.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":6,"flow_first_seen":1620927998782,"flow_last_seen":1620927998850,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":680,"flow_tot_l4_payload_len":940,"flow_avg_l4_payload_len":156,"midstream":0,"ts_msec":1620927998850,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51583,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"www.iit.cnr.it","ja3":"ab78a7ef7106e8144808f22ab4a26dc8","ja3s":"2253c82f03b621c5144709b393fde2c9","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
-00862{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":68,"source":"firefox.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":6,"flow_first_seen":1620927998806,"flow_last_seen":1620927998877,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":680,"flow_tot_l4_payload_len":940,"flow_avg_l4_payload_len":156,"midstream":0,"ts_msec":1620927998877,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51588,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"www.iit.cnr.it","ja3":"ab78a7ef7106e8144808f22ab4a26dc8","ja3s":"2253c82f03b621c5144709b393fde2c9","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
+00823{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":62,"source":"firefox.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":4,"flow_first_seen":1620927998806,"flow_last_seen":1620927998850,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":680,"flow_tot_l4_payload_len":680,"flow_avg_l4_payload_len":170,"midstream":0,"ts_msec":1620927998850,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51588,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.iit.cnr.it","ja3":"df208241e7f3897d4ca38cfe68eabb21","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
+00862{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":63,"source":"firefox.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":6,"flow_first_seen":1620927998782,"flow_last_seen":1620927998850,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":680,"flow_tot_l4_payload_len":940,"flow_avg_l4_payload_len":156,"midstream":0,"ts_msec":1620927998850,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51583,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"www.iit.cnr.it","ja3":"df208241e7f3897d4ca38cfe68eabb21","ja3s":"2253c82f03b621c5144709b393fde2c9","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
+00862{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":68,"source":"firefox.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":6,"flow_first_seen":1620927998806,"flow_last_seen":1620927998877,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":680,"flow_tot_l4_payload_len":940,"flow_avg_l4_payload_len":156,"midstream":0,"ts_msec":1620927998877,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51588,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"www.iit.cnr.it","ja3":"df208241e7f3897d4ca38cfe68eabb21","ja3s":"2253c82f03b621c5144709b393fde2c9","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
00549{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":84,"source":"firefox.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":1,"flow_first_seen":1620927999109,"flow_last_seen":1620927999109,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1620927999109,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51599,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00476{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":84,"source":"firefox.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":1,"flow_last_seen":1620927999109,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"ts_msec":1620927999109,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGrBvAqAGykjA6EsmPAbugsPXqAAAAALAC\/\/947AAAAgQFtAEDAwUBAQgKNAyZgQAAAAAEAgAA"}
00549{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":85,"source":"firefox.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":1,"flow_first_seen":1620927999111,"flow_last_seen":1620927999111,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1620927999111,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51600,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
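Review bot: The `ja3` value changes for an unchanged capture: flow 1 goes from `1fd36067223570569bbf156fece40978` to `aa7744226c695c0b2e440419848cf700`, and flows 2 and 3 from `ab78a7ef7106e8144808f22ab4a26dc8` to `df208241e7f3897d4ca38cfe68eabb21`. `ja3s` and every other field in these events stay the same, so the client-fingerprint computation itself appears to have changed. Any consumer that matches these events against JA3 values recorded with the previous build (allow/block lists, detection rules, stored baselines) will silently stop matching. The commit description should say which side is considered correct, and a changelog line such as `JA3 client fingerprints differ from earlier releases; re-baseline stored JA3 values` should be added. The same substitution continues for flows 4–6 in the following hunk, which runs past the visible part of the page.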
@@ -29,16 +29,16 @@
00459{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":119,"source":"firefox.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":3,"flow_last_seen":1620927999138,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1620927999138,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGrCfAqAGykjA6EsmQAbsCvXBxSS7VUoAQECxktgAAAQEICjQMmZw8IAx6"}
00472{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":122,"source":"firefox.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":2,"flow_last_seen":1620927999140,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1620927999140,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADQGuB+SMDoSwKgBsgG7yZFyBGfZy0T4r6AS\/og7hgAAAgQFrAQCCAo8IAx9NAyZgwEDAwc="}
00459{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":123,"source":"firefox.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":3,"flow_last_seen":1620927999140,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1620927999140,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGrCfAqAGykjA6EsmRAbvLRPivcgRn2oAQECxYiwAAAQEICjQMmZ88IAx9"}
-00824{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":124,"source":"firefox.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":4,"flow_first_seen":1620927999111,"flow_last_seen":1620927999141,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":680,"flow_tot_l4_payload_len":680,"flow_avg_l4_payload_len":170,"midstream":0,"ts_msec":1620927999141,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51600,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.iit.cnr.it","ja3":"ab78a7ef7106e8144808f22ab4a26dc8","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
-00824{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":125,"source":"firefox.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":4,"flow_first_seen":1620927999109,"flow_last_seen":1620927999143,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":680,"flow_tot_l4_payload_len":680,"flow_avg_l4_payload_len":170,"midstream":0,"ts_msec":1620927999143,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51599,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.iit.cnr.it","ja3":"ab78a7ef7106e8144808f22ab4a26dc8","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
-00824{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":126,"source":"firefox.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":4,"flow_first_seen":1620927999112,"flow_last_seen":1620927999148,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":680,"flow_tot_l4_payload_len":680,"flow_avg_l4_payload_len":170,"midstream":0,"ts_msec":1620927999148,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51601,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.iit.cnr.it","ja3":"ab78a7ef7106e8144808f22ab4a26dc8","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
-00863{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":156,"source":"firefox.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":6,"flow_first_seen":1620927999111,"flow_last_seen":1620927999169,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":680,"flow_tot_l4_payload_len":940,"flow_avg_l4_payload_len":156,"midstream":0,"ts_msec":1620927999169,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51600,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"www.iit.cnr.it","ja3":"ab78a7ef7106e8144808f22ab4a26dc8","ja3s":"2253c82f03b621c5144709b393fde2c9","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
-00863{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":159,"source":"firefox.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":6,"flow_first_seen":1620927999109,"flow_last_seen":1620927999170,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":680,"flow_tot_l4_payload_len":940,"flow_avg_l4_payload_len":156,"midstream":0,"ts_msec":1620927999170,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51599,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"www.iit.cnr.it","ja3":"ab78a7ef7106e8144808f22ab4a26dc8","ja3s":"2253c82f03b621c5144709b393fde2c9","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
-00863{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":163,"source":"firefox.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":6,"flow_first_seen":1620927999112,"flow_last_seen":1620927999179,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":680,"flow_tot_l4_payload_len":940,"flow_avg_l4_payload_len":156,"midstream":0,"ts_msec":1620927999179,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51601,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"www.iit.cnr.it","ja3":"ab78a7ef7106e8144808f22ab4a26dc8","ja3s":"2253c82f03b621c5144709b393fde2c9","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
-00870{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1330,"source":"firefox.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":255,"flow_first_seen":1620927998806,"flow_last_seen":1620927999354,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":195425,"flow_avg_l4_payload_len":766,"midstream":0,"ts_msec":1620927999354,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51588,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"www.iit.cnr.it","ja3":"ab78a7ef7106e8144808f22ab4a26dc8","ja3s":"2253c82f03b621c5144709b393fde2c9","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
-00870{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1636,"source":"firefox.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":255,"flow_first_seen":1620927999109,"flow_last_seen":1620927999385,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":200954,"flow_avg_l4_payload_len":788,"midstream":0,"ts_msec":1620927999385,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51599,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"www.iit.cnr.it","ja3":"ab78a7ef7106e8144808f22ab4a26dc8","ja3s":"2253c82f03b621c5144709b393fde2c9","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
-00870{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2615,"source":"firefox.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":255,"flow_first_seen":1620927999112,"flow_last_seen":1620927999490,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":207776,"flow_avg_l4_payload_len":814,"midstream":0,"ts_msec":1620927999490,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51601,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"www.iit.cnr.it","ja3":"ab78a7ef7106e8144808f22ab4a26dc8","ja3s":"2253c82f03b621c5144709b393fde2c9","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
-00870{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":3808,"source":"firefox.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":255,"flow_first_seen":1620927999111,"flow_last_seen":1620927999648,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":203554,"flow_avg_l4_payload_len":798,"midstream":0,"ts_msec":1620927999648,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51600,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"www.iit.cnr.it","ja3":"ab78a7ef7106e8144808f22ab4a26dc8","ja3s":"2253c82f03b621c5144709b393fde2c9","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
+00824{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":124,"source":"firefox.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":4,"flow_first_seen":1620927999111,"flow_last_seen":1620927999141,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":680,"flow_tot_l4_payload_len":680,"flow_avg_l4_payload_len":170,"midstream":0,"ts_msec":1620927999141,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51600,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.iit.cnr.it","ja3":"df208241e7f3897d4ca38cfe68eabb21","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
+00824{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":125,"source":"firefox.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":4,"flow_first_seen":1620927999109,"flow_last_seen":1620927999143,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":680,"flow_tot_l4_payload_len":680,"flow_avg_l4_payload_len":170,"midstream":0,"ts_msec":1620927999143,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51599,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.iit.cnr.it","ja3":"df208241e7f3897d4ca38cfe68eabb21","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
+00824{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":126,"source":"firefox.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":4,"flow_first_seen":1620927999112,"flow_last_seen":1620927999148,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":680,"flow_tot_l4_payload_len":680,"flow_avg_l4_payload_len":170,"midstream":0,"ts_msec":1620927999148,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51601,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.iit.cnr.it","ja3":"df208241e7f3897d4ca38cfe68eabb21","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
+00863{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":156,"source":"firefox.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":6,"flow_first_seen":1620927999111,"flow_last_seen":1620927999169,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":680,"flow_tot_l4_payload_len":940,"flow_avg_l4_payload_len":156,"midstream":0,"ts_msec":1620927999169,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51600,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"www.iit.cnr.it","ja3":"df208241e7f3897d4ca38cfe68eabb21","ja3s":"2253c82f03b621c5144709b393fde2c9","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
+00863{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":159,"source":"firefox.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":6,"flow_first_seen":1620927999109,"flow_last_seen":1620927999170,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":680,"flow_tot_l4_payload_len":940,"flow_avg_l4_payload_len":156,"midstream":0,"ts_msec":1620927999170,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51599,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"www.iit.cnr.it","ja3":"df208241e7f3897d4ca38cfe68eabb21","ja3s":"2253c82f03b621c5144709b393fde2c9","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
+00863{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":163,"source":"firefox.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":6,"flow_first_seen":1620927999112,"flow_last_seen":1620927999179,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":680,"flow_tot_l4_payload_len":940,"flow_avg_l4_payload_len":156,"midstream":0,"ts_msec":1620927999179,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51601,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"www.iit.cnr.it","ja3":"df208241e7f3897d4ca38cfe68eabb21","ja3s":"2253c82f03b621c5144709b393fde2c9","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
+00870{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1330,"source":"firefox.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":255,"flow_first_seen":1620927998806,"flow_last_seen":1620927999354,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":195425,"flow_avg_l4_payload_len":766,"midstream":0,"ts_msec":1620927999354,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51588,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"www.iit.cnr.it","ja3":"df208241e7f3897d4ca38cfe68eabb21","ja3s":"2253c82f03b621c5144709b393fde2c9","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
+00870{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1636,"source":"firefox.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":255,"flow_first_seen":1620927999109,"flow_last_seen":1620927999385,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":200954,"flow_avg_l4_payload_len":788,"midstream":0,"ts_msec":1620927999385,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51599,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"www.iit.cnr.it","ja3":"df208241e7f3897d4ca38cfe68eabb21","ja3s":"2253c82f03b621c5144709b393fde2c9","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
+00870{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2615,"source":"firefox.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":255,"flow_first_seen":1620927999112,"flow_last_seen":1620927999490,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":207776,"flow_avg_l4_payload_len":814,"midstream":0,"ts_msec":1620927999490,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51601,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"www.iit.cnr.it","ja3":"df208241e7f3897d4ca38cfe68eabb21","ja3s":"2253c82f03b621c5144709b393fde2c9","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
+00870{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":3808,"source":"firefox.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":255,"flow_first_seen":1620927999111,"flow_last_seen":1620927999648,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":203554,"flow_avg_l4_payload_len":798,"midstream":0,"ts_msec":1620927999648,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51600,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"www.iit.cnr.it","ja3":"df208241e7f3897d4ca38cfe68eabb21","ja3s":"2253c82f03b621c5144709b393fde2c9","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
00565{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":5441,"source":"firefox.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1065,"flow_first_seen":1620927997754,"flow_last_seen":1620927999853,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":891202,"flow_avg_l4_payload_len":836,"midstream":0,"ts_msec":1620927999948,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51577,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00565{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":5441,"source":"firefox.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":1031,"flow_first_seen":1620927998782,"flow_last_seen":1620927999948,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":869503,"flow_avg_l4_payload_len":843,"midstream":0,"ts_msec":1620927999948,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51583,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00566{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":5441,"source":"firefox.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":1387,"flow_first_seen":1620927998806,"flow_last_seen":1620927999915,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":1189641,"flow_avg_l4_payload_len":857,"midstream":0,"ts_msec":1620927999948,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51588,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -54,9 +54,9 @@
~~ total active/idle flows...: 6/6
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 2427763 bytes
-~~ total memory freed........: 2427763 bytes
-~~ total allocations/frees...: 40853/40853
+~~ total memory allocated....: 5087958 bytes
+~~ total memory freed........: 5087958 bytes
+~~ total allocations/frees...: 105049/105049
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 163 chars
~~ json string max len.......: 875 chars
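Review bot: The allocation totals in this hunk more than double for an unchanged capture (40853 to 105049 allocations, 2427763 to 5087958 bytes), and the commit record visible here does not explain why. The `fix.pcap.out` hunk below grows by exactly the same 64196 allocations and about 2.66 MB, despite having twice as many flows. That suggests a fixed per-run cost rather than per-flow growth, presumably from the libnDPI submodule bump or the nDPId.c change in this commit; please confirm. The commit message should say so, for example `libnDPI update adds ~2.6 MB / 64196 allocations of fixed init cost per run`, because the baseline matters when sizing memory limits for a daemon that parses untrusted traffic. Separately, pinning absolute allocation totals in every golden file means each library bump rewrites all of them, which can bury a real per-flow regression; checking only that allocated equals freed would keep the leak check without that churn.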
diff --git a/test/results/fix.pcap.out b/test/results/fix.pcap.out
index d176539b2..ca12f4743 100644
--- a/test/results/fix.pcap.out
+++ b/test/results/fix.pcap.out
@@ -80,9 +80,9 @@
~~ total active/idle flows...: 12/12
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 2007045 bytes
-~~ total memory freed........: 2007045 bytes
-~~ total allocations/frees...: 36644/36644
+~~ total memory allocated....: 4664696 bytes
+~~ total memory freed........: 4664696 bytes
+~~ total allocations/frees...: 100840/100840
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 159 chars
~~ json string max len.......: 586 chars
diff --git a/test/results/forticlient.pcap.out b/test/results/forticlient.pcap.out
index 8b75517fd..0e8d13d2d 100644
--- a/test/results/forticlient.pcap.out
+++ b/test/results/forticlient.pcap.out
@@ -5,35 +5,35 @@
00461{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_last_seen":1621067203633,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1621067203633,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAG+AvAqAGyUlEuDfFtKMutlmzPZBHKQoAQECzFugAAAQEICienPKAGP5Ck"}
00856{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":4,"flow_first_seen":1621067203571,"flow_last_seen":1621067203776,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":171,"flow_tot_l4_payload_len":171,"flow_avg_l4_payload_len":42,"midstream":0,"ts_msec":1621067203776,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"82.81.46.13","src_port":61805,"dst_port":10443,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","15":"TLS (probably) not carrying HTTPS"},"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"82.81.46.13","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
00913{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":6,"flow_first_seen":1621067203571,"flow_last_seen":1621067203852,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":1611,"flow_avg_l4_payload_len":268,"midstream":0,"ts_msec":1621067203852,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"82.81.46.13","src_port":61805,"dst_port":10443,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","15":"TLS (probably) not carrying HTTPS"},"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"82.81.46.13","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"0debd3853f330c574b05e0b6d882dc27","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"}}
-01190{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":7,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":7,"flow_first_seen":1621067203571,"flow_last_seen":1621067203854,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":2620,"flow_avg_l4_payload_len":374,"midstream":0,"ts_msec":1621067203854,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"82.81.46.13","src_port":61805,"dst_port":10443,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.FortiClient","breed":"Safe","category":"VPN"},"tls": {"version":"TLSv1.2","client_requested_server_name":"82.81.46.13","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"0debd3853f330c574b05e0b6d882dc27","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=California, L=Sunnyvale, O=Fortinet, OU=Certificate Authority, CN=support","issuerDN":"C=US, ST=California, L=Sunnyvale, O=Fortinet, OU=FortiGate, CN=FWF60E4Q16012050","fingerprint":"AA:8A:CE:95:99:2A:E0:A4:11:42:E4:C8:40:D7:DB:87:1F:4A:23:45"}}
+01191{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":7,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":7,"flow_first_seen":1621067203571,"flow_last_seen":1621067203854,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":2620,"flow_avg_l4_payload_len":374,"midstream":0,"ts_msec":1621067203854,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"82.81.46.13","src_port":61805,"dst_port":10443,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.FortiClient","breed":"Safe","category":"VPN"},"tls": {"version":"TLSv1.2","client_requested_server_name":"82.81.46.13","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"0debd3853f330c574b05e0b6d882dc27","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=California, L=Sunnyvale, O=Fortinet, OU=Certificate Authority, CN=support","subjectDN":"C=US, ST=California, L=Sunnyvale, O=Fortinet, OU=FortiGate, CN=FWF60E4Q16012050","fingerprint":"AA:8A:CE:95:99:2A:E0:A4:11:42:E4:C8:40:D7:DB:87:1F:4A:23:45"}}
00554{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":21,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":1,"flow_first_seen":1621067204622,"flow_last_seen":1621067204622,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1621067204622,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"82.81.46.13","src_port":61806,"dst_port":10443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00483{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":21,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_last_seen":1621067204622,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"ts_msec":1621067204622,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAG9\/\/AqAGyUlEuDfFuKMux1NwAAAAAALAC\/\/\/kHgAAAgQFtAEDAwUBAQgKJ6dAbwAAAAAEAgAA"}
00475{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":22,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_last_seen":1621067204682,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1621067204682,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8DZFAADQG9nJSUS4NwKgBsijL8W6yVLN5sdTcAaASOEC\/ugAAAgQFrAQCCAoGP5ENJ6dAbwEDAwo="}
00462{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":24,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_last_seen":1621067204682,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1621067204682,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAG+AvAqAGyUlEuDfFuKMux1NwBslSzeoAQECwWWwAAAQEICienQKoGP5EN"}
-00857{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":25,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":4,"flow_first_seen":1621067204622,"flow_last_seen":1621067204827,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":203,"flow_tot_l4_payload_len":203,"flow_avg_l4_payload_len":50,"midstream":0,"ts_msec":1621067204827,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"82.81.46.13","src_port":61806,"dst_port":10443,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","15":"TLS (probably) not carrying HTTPS"},"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"82.81.46.13","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
-00914{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":27,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":6,"flow_first_seen":1621067204622,"flow_last_seen":1621067204898,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":1643,"flow_avg_l4_payload_len":273,"midstream":0,"ts_msec":1621067204898,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"82.81.46.13","src_port":61806,"dst_port":10443,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","15":"TLS (probably) not carrying HTTPS"},"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"82.81.46.13","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"0debd3853f330c574b05e0b6d882dc27","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"}}
-01191{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":28,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":7,"flow_first_seen":1621067204622,"flow_last_seen":1621067204900,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":2652,"flow_avg_l4_payload_len":378,"midstream":0,"ts_msec":1621067204900,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"82.81.46.13","src_port":61806,"dst_port":10443,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.FortiClient","breed":"Safe","category":"VPN"},"tls": {"version":"TLSv1.2","client_requested_server_name":"82.81.46.13","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"0debd3853f330c574b05e0b6d882dc27","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=California, L=Sunnyvale, O=Fortinet, OU=Certificate Authority, CN=support","issuerDN":"C=US, ST=California, L=Sunnyvale, O=Fortinet, OU=FortiGate, CN=FWF60E4Q16012050","fingerprint":"AA:8A:CE:95:99:2A:E0:A4:11:42:E4:C8:40:D7:DB:87:1F:4A:23:45"}}
+00869{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":25,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":4,"flow_first_seen":1621067204622,"flow_last_seen":1621067204827,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":203,"flow_tot_l4_payload_len":203,"flow_avg_l4_payload_len":50,"midstream":0,"ts_msec":1621067204827,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"82.81.46.13","src_port":61806,"dst_port":10443,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.FortiClient","breed":"Safe","category":"VPN"},"tls": {"version":"TLSv1.2","client_requested_server_name":"82.81.46.13","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
+00926{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":27,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":6,"flow_first_seen":1621067204622,"flow_last_seen":1621067204898,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":1643,"flow_avg_l4_payload_len":273,"midstream":0,"ts_msec":1621067204898,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"82.81.46.13","src_port":61806,"dst_port":10443,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.FortiClient","breed":"Safe","category":"VPN"},"tls": {"version":"TLSv1.2","client_requested_server_name":"82.81.46.13","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"0debd3853f330c574b05e0b6d882dc27","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"}}
+01192{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":28,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":7,"flow_first_seen":1621067204622,"flow_last_seen":1621067204900,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":2652,"flow_avg_l4_payload_len":378,"midstream":0,"ts_msec":1621067204900,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"82.81.46.13","src_port":61806,"dst_port":10443,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.FortiClient","breed":"Safe","category":"VPN"},"tls": {"version":"TLSv1.2","client_requested_server_name":"82.81.46.13","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"0debd3853f330c574b05e0b6d882dc27","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=California, L=Sunnyvale, O=Fortinet, OU=Certificate Authority, CN=support","subjectDN":"C=US, ST=California, L=Sunnyvale, O=Fortinet, OU=FortiGate, CN=FWF60E4Q16012050","fingerprint":"AA:8A:CE:95:99:2A:E0:A4:11:42:E4:C8:40:D7:DB:87:1F:4A:23:45"}}
00554{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":46,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":1,"flow_first_seen":1621067205651,"flow_last_seen":1621067205651,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1621067205651,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"82.81.46.13","src_port":61811,"dst_port":10443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00482{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":46,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_last_seen":1621067205651,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"ts_msec":1621067205651,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAG9\/\/AqAGyUlEuDfFzKMsSeiBCAAAAALAC\/\/87PQAAAgQFtAEDAwUBAQgKJ6dEZQAAAAAEAgAA"}
00474{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":48,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_last_seen":1621067205710,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1621067205710,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8c5FAADQGkHJSUS4NwKgBsijL8XP7CfxqEnogQ6ASOECEzAAAAgQFrAQCCAoGP5FzJ6dEZQEDAwo="}
00462{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":49,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_last_seen":1621067205710,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1621067205710,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAG+AvAqAGyUlEuDfFzKMsSeiBD+wn8a4AQECzbbQAAAQEICienRJ8GP5Fz"}
-00857{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":50,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":4,"flow_first_seen":1621067205651,"flow_last_seen":1621067205856,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":203,"flow_tot_l4_payload_len":203,"flow_avg_l4_payload_len":50,"midstream":0,"ts_msec":1621067205856,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"82.81.46.13","src_port":61811,"dst_port":10443,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","15":"TLS (probably) not carrying HTTPS"},"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"82.81.46.13","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
-00914{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":52,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":6,"flow_first_seen":1621067205651,"flow_last_seen":1621067205926,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":1643,"flow_avg_l4_payload_len":273,"midstream":0,"ts_msec":1621067205926,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"82.81.46.13","src_port":61811,"dst_port":10443,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","15":"TLS (probably) not carrying HTTPS"},"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"82.81.46.13","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"0debd3853f330c574b05e0b6d882dc27","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"}}
-01191{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":53,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":7,"flow_first_seen":1621067205651,"flow_last_seen":1621067205928,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":2652,"flow_avg_l4_payload_len":378,"midstream":0,"ts_msec":1621067205928,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"82.81.46.13","src_port":61811,"dst_port":10443,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.FortiClient","breed":"Safe","category":"VPN"},"tls": {"version":"TLSv1.2","client_requested_server_name":"82.81.46.13","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"0debd3853f330c574b05e0b6d882dc27","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=California, L=Sunnyvale, O=Fortinet, OU=Certificate Authority, CN=support","issuerDN":"C=US, ST=California, L=Sunnyvale, O=Fortinet, OU=FortiGate, CN=FWF60E4Q16012050","fingerprint":"AA:8A:CE:95:99:2A:E0:A4:11:42:E4:C8:40:D7:DB:87:1F:4A:23:45"}}
+00869{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":50,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":4,"flow_first_seen":1621067205651,"flow_last_seen":1621067205856,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":203,"flow_tot_l4_payload_len":203,"flow_avg_l4_payload_len":50,"midstream":0,"ts_msec":1621067205856,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"82.81.46.13","src_port":61811,"dst_port":10443,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.FortiClient","breed":"Safe","category":"VPN"},"tls": {"version":"TLSv1.2","client_requested_server_name":"82.81.46.13","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
+00926{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":52,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":6,"flow_first_seen":1621067205651,"flow_last_seen":1621067205926,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":1643,"flow_avg_l4_payload_len":273,"midstream":0,"ts_msec":1621067205926,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"82.81.46.13","src_port":61811,"dst_port":10443,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.FortiClient","breed":"Safe","category":"VPN"},"tls": {"version":"TLSv1.2","client_requested_server_name":"82.81.46.13","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"0debd3853f330c574b05e0b6d882dc27","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"}}
+01192{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":53,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":7,"flow_first_seen":1621067205651,"flow_last_seen":1621067205928,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":2652,"flow_avg_l4_payload_len":378,"midstream":0,"ts_msec":1621067205928,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"82.81.46.13","src_port":61811,"dst_port":10443,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.FortiClient","breed":"Safe","category":"VPN"},"tls": {"version":"TLSv1.2","client_requested_server_name":"82.81.46.13","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"0debd3853f330c574b05e0b6d882dc27","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=California, L=Sunnyvale, O=Fortinet, OU=Certificate Authority, CN=support","subjectDN":"C=US, ST=California, L=Sunnyvale, O=Fortinet, OU=FortiGate, CN=FWF60E4Q16012050","fingerprint":"AA:8A:CE:95:99:2A:E0:A4:11:42:E4:C8:40:D7:DB:87:1F:4A:23:45"}}
00554{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":71,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":1,"flow_first_seen":1621067206773,"flow_last_seen":1621067206773,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1621067206773,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"82.81.46.13","src_port":61812,"dst_port":10443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00482{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":71,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":1,"flow_last_seen":1621067206773,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"ts_msec":1621067206773,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAG9\/\/AqAGyUlEuDfF0KMspKYnJAAAAALAC\/\/+2swAAAgQFtAEDAwUBAQgKJ6dItwAAAAAEAgAA"}
00474{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":72,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_last_seen":1621067206833,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1621067206833,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA85JFAADQGH3JSUS4NwKgBsijL8XTNezJoKSmJyqASOED3YgAAAgQFrAQCCAoGP5HkJ6dItwEDAwo="}
00462{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":73,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_last_seen":1621067206833,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1621067206833,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAG+AvAqAGyUlEuDfF0KMspKYnKzXsyaYAQECxOAgAAAQEICienSPMGP5Hk"}
-00857{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":74,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":4,"flow_first_seen":1621067206773,"flow_last_seen":1621067206977,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":203,"flow_tot_l4_payload_len":203,"flow_avg_l4_payload_len":50,"midstream":0,"ts_msec":1621067206977,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"82.81.46.13","src_port":61812,"dst_port":10443,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","15":"TLS (probably) not carrying HTTPS"},"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"82.81.46.13","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
-00914{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":76,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":6,"flow_first_seen":1621067206773,"flow_last_seen":1621067207049,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":1643,"flow_avg_l4_payload_len":273,"midstream":0,"ts_msec":1621067207049,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"82.81.46.13","src_port":61812,"dst_port":10443,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","15":"TLS (probably) not carrying HTTPS"},"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"82.81.46.13","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"0debd3853f330c574b05e0b6d882dc27","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"}}
-01191{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":77,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":7,"flow_first_seen":1621067206773,"flow_last_seen":1621067207050,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":2652,"flow_avg_l4_payload_len":378,"midstream":0,"ts_msec":1621067207050,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"82.81.46.13","src_port":61812,"dst_port":10443,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.FortiClient","breed":"Safe","category":"VPN"},"tls": {"version":"TLSv1.2","client_requested_server_name":"82.81.46.13","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"0debd3853f330c574b05e0b6d882dc27","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=California, L=Sunnyvale, O=Fortinet, OU=Certificate Authority, CN=support","issuerDN":"C=US, ST=California, L=Sunnyvale, O=Fortinet, OU=FortiGate, CN=FWF60E4Q16012050","fingerprint":"AA:8A:CE:95:99:2A:E0:A4:11:42:E4:C8:40:D7:DB:87:1F:4A:23:45"}}
+00869{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":74,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":4,"flow_first_seen":1621067206773,"flow_last_seen":1621067206977,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":203,"flow_tot_l4_payload_len":203,"flow_avg_l4_payload_len":50,"midstream":0,"ts_msec":1621067206977,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"82.81.46.13","src_port":61812,"dst_port":10443,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.FortiClient","breed":"Safe","category":"VPN"},"tls": {"version":"TLSv1.2","client_requested_server_name":"82.81.46.13","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
+00926{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":76,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":6,"flow_first_seen":1621067206773,"flow_last_seen":1621067207049,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":1643,"flow_avg_l4_payload_len":273,"midstream":0,"ts_msec":1621067207049,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"82.81.46.13","src_port":61812,"dst_port":10443,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.FortiClient","breed":"Safe","category":"VPN"},"tls": {"version":"TLSv1.2","client_requested_server_name":"82.81.46.13","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"0debd3853f330c574b05e0b6d882dc27","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"}}
+01192{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":77,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":7,"flow_first_seen":1621067206773,"flow_last_seen":1621067207050,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":2652,"flow_avg_l4_payload_len":378,"midstream":0,"ts_msec":1621067207050,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"82.81.46.13","src_port":61812,"dst_port":10443,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.FortiClient","breed":"Safe","category":"VPN"},"tls": {"version":"TLSv1.2","client_requested_server_name":"82.81.46.13","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"0debd3853f330c574b05e0b6d882dc27","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=California, L=Sunnyvale, O=Fortinet, OU=Certificate Authority, CN=support","subjectDN":"C=US, ST=California, L=Sunnyvale, O=Fortinet, OU=FortiGate, CN=FWF60E4Q16012050","fingerprint":"AA:8A:CE:95:99:2A:E0:A4:11:42:E4:C8:40:D7:DB:87:1F:4A:23:45"}}
00555{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":100,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":1,"flow_first_seen":1621067209199,"flow_last_seen":1621067209199,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1621067209199,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"82.81.46.13","src_port":61820,"dst_port":10443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00483{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":100,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_last_seen":1621067209199,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"ts_msec":1621067209199,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAG9\/\/AqAGyUlEuDfF8KMsekCMzAAAAALAC\/\/8eiQAAAgQFtAEDAwUBAQgKJ6dSCQAAAAAEAgAA"}
00475{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":101,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":2,"flow_last_seen":1621067209262,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1621067209262,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA81pJAADQGLXFSUS4NwKgBsijL8XxcuXqIHpAjNKASOECG6AAAAgQFrAQCCAoGP5LWJ6dSCQEDAwo="}
00463{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":102,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":3,"flow_last_seen":1621067209262,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1621067209262,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAG+AvAqAGyUlEuDfF8KMsekCM0XLl6iYAQECzdhQAAAQEICienUkcGP5LW"}
-00915{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":103,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":4,"flow_first_seen":1621067209199,"flow_last_seen":1621067209264,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":313,"flow_tot_l4_payload_len":313,"flow_avg_l4_payload_len":78,"midstream":0,"ts_msec":1621067209264,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"82.81.46.13","src_port":61820,"dst_port":10443,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","15":"TLS (probably) not carrying HTTPS"},"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"82.81.46.13","ja3":"40adfd923eb82b89d8836ba37a19bca1","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-00972{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":105,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":6,"flow_first_seen":1621067209199,"flow_last_seen":1621067209346,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":1753,"flow_avg_l4_payload_len":292,"midstream":0,"ts_msec":1621067209346,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"82.81.46.13","src_port":61820,"dst_port":10443,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","15":"TLS (probably) not carrying HTTPS"},"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"82.81.46.13","ja3":"40adfd923eb82b89d8836ba37a19bca1","ja3s":"e35df3e00ca4ef31d42b34bebaa2f86e","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-01249{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":106,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":7,"flow_first_seen":1621067209199,"flow_last_seen":1621067209348,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":2734,"flow_avg_l4_payload_len":390,"midstream":0,"ts_msec":1621067209348,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"82.81.46.13","src_port":61820,"dst_port":10443,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.FortiClient","breed":"Safe","category":"VPN"},"tls": {"version":"TLSv1.2","client_requested_server_name":"82.81.46.13","ja3":"40adfd923eb82b89d8836ba37a19bca1","ja3s":"e35df3e00ca4ef31d42b34bebaa2f86e","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=California, L=Sunnyvale, O=Fortinet, OU=Certificate Authority, CN=support","issuerDN":"C=US, ST=California, L=Sunnyvale, O=Fortinet, OU=FortiGate, CN=FWF60E4Q16012050","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"AA:8A:CE:95:99:2A:E0:A4:11:42:E4:C8:40:D7:DB:87:1F:4A:23:45"}}
+00927{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":103,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":4,"flow_first_seen":1621067209199,"flow_last_seen":1621067209264,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":313,"flow_tot_l4_payload_len":313,"flow_avg_l4_payload_len":78,"midstream":0,"ts_msec":1621067209264,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"82.81.46.13","src_port":61820,"dst_port":10443,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.FortiClient","breed":"Safe","category":"VPN"},"tls": {"version":"TLSv1.2","client_requested_server_name":"82.81.46.13","ja3":"40adfd923eb82b89d8836ba37a19bca1","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+00984{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":105,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":6,"flow_first_seen":1621067209199,"flow_last_seen":1621067209346,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":1753,"flow_avg_l4_payload_len":292,"midstream":0,"ts_msec":1621067209346,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"82.81.46.13","src_port":61820,"dst_port":10443,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.FortiClient","breed":"Safe","category":"VPN"},"tls": {"version":"TLSv1.2","client_requested_server_name":"82.81.46.13","ja3":"40adfd923eb82b89d8836ba37a19bca1","ja3s":"e35df3e00ca4ef31d42b34bebaa2f86e","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+01250{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":106,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":7,"flow_first_seen":1621067209199,"flow_last_seen":1621067209348,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":2734,"flow_avg_l4_payload_len":390,"midstream":0,"ts_msec":1621067209348,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"82.81.46.13","src_port":61820,"dst_port":10443,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.FortiClient","breed":"Safe","category":"VPN"},"tls": {"version":"TLSv1.2","client_requested_server_name":"82.81.46.13","ja3":"40adfd923eb82b89d8836ba37a19bca1","ja3s":"e35df3e00ca4ef31d42b34bebaa2f86e","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=California, L=Sunnyvale, O=Fortinet, OU=Certificate Authority, CN=support","subjectDN":"C=US, ST=California, L=Sunnyvale, O=Fortinet, OU=FortiGate, CN=FWF60E4Q16012050","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"AA:8A:CE:95:99:2A:E0:A4:11:42:E4:C8:40:D7:DB:87:1F:4A:23:45"}}
00565{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":2000,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":21,"flow_first_seen":1621067203571,"flow_last_seen":1621067204682,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":3422,"flow_avg_l4_payload_len":162,"midstream":0,"ts_msec":1621067222261,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"82.81.46.13","src_port":61805,"dst_port":10443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00565{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":2000,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":25,"flow_first_seen":1621067204622,"flow_last_seen":1621067205708,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":6751,"flow_avg_l4_payload_len":270,"midstream":0,"ts_msec":1621067222261,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"82.81.46.13","src_port":61806,"dst_port":10443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00565{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":2000,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":24,"flow_first_seen":1621067205651,"flow_last_seen":1621067206738,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":3853,"flow_avg_l4_payload_len":160,"midstream":0,"ts_msec":1621067222261,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"82.81.46.13","src_port":61811,"dst_port":10443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -48,10 +48,10 @@
~~ total active/idle flows...: 5/5
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 2037175 bytes
-~~ total memory freed........: 2037175 bytes
-~~ total allocations/frees...: 37377/37377
+~~ total memory allocated....: 4697794 bytes
+~~ total memory freed........: 4697794 bytes
+~~ total allocations/frees...: 101573/101573
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 167 chars
-~~ json string max len.......: 1254 chars
-~~ json string avg len.......: 780 chars
+~~ json string max len.......: 1255 chars
+~~ json string avg len.......: 781 chars
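Review bot: The summary counters in this hunk show the baseline footprint more than doubling (2037175 to 4697794 bytes, 37377 to 101573 allocations), and nothing visible in the diff explains it. The same jump of exactly 64196 allocations and roughly 2.66 MB appears in the summary hunks for ftp-start-tls, ftp, ftp_failed, genshin-impact, git and google_ssl, so it looks like a fixed start-up cost rather than something tied to a capture. It presumably comes from the libnDPI submodule bump listed in the diffstat. For memory-constrained sensors, the commit description should record that, for example `libnDPI update: +64196 allocations / ~2.6 MB per test run at init`, and confirm the growth is expected.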
diff --git a/test/results/ftp-start-tls.pcap.out b/test/results/ftp-start-tls.pcap.out
index ea92dd659..a725755ab 100644
--- a/test/results/ftp-start-tls.pcap.out
+++ b/test/results/ftp-start-tls.pcap.out
@@ -14,9 +14,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1931651 bytes
-~~ total memory freed........: 1931651 bytes
-~~ total allocations/frees...: 35390/35390
+~~ total memory allocated....: 4593966 bytes
+~~ total memory freed........: 4593966 bytes
+~~ total allocations/frees...: 99586/99586
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 166 chars
~~ json string max len.......: 687 chars
diff --git a/test/results/ftp.pcap.out b/test/results/ftp.pcap.out
index 543b7bee9..01e1fd17c 100644
--- a/test/results/ftp.pcap.out
+++ b/test/results/ftp.pcap.out
@@ -3,7 +3,7 @@
00471{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"ftp.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_last_seen":1552590234892,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"ts_msec":1552590234892,"pkt":"EBMx8Tl2xCwDBkn+CABFAABAAABAAEAGAADAqAHUWoJGScYGABWjI5ftAAAAALAC\/\/9jegAAAgQFtAEDAwUBAQgKO1eYmQAAAAAEAgAA"}
00466{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"ftp.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_last_seen":1552590234919,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1552590234919,"pkt":"xCwDBkn+EBMx8Tl2CABFAAA8AABAADYG4XRagkZJwKgB1AAVxgZYKsHSoyOX7qASqbA+KAAAAgQFrAQCCAoSZ\/tNO1eYmQEDAw4="}
00454{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"ftp.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_last_seen":1552590234919,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1552590234919,"pkt":"EBMx8Tl2xCwDBkn+CABFAAA0AABAAEAGAADAqAHUWoJGScYGABWjI5fuWCrB04AQECxjbgAAAQEICjtXmLQSZ\/tN"}
-00717{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":12,"source":"ftp.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":12,"flow_first_seen":1552590234892,"flow_last_seen":1552590235066,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":34,"flow_tot_l4_payload_len":106,"flow_avg_l4_payload_len":8,"midstream":0,"ts_msec":1552590235066,"l3_proto":"ip4","src_ip":"192.168.1.212","dst_ip":"90.130.70.73","src_port":50694,"dst_port":21,"l4_proto":"tcp","ndpi": {"flow_risk": {"22":"Unsafe Protocol","36":"Clear-text credentials"},"proto":"FTP_CONTROL","breed":"Unsafe","category":"Download"},"ftp": {"user":"anonymous","password":"NcFTP@","auth_failed":0}}
+00687{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":12,"source":"ftp.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":12,"flow_first_seen":1552590234892,"flow_last_seen":1552590235066,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":34,"flow_tot_l4_payload_len":106,"flow_avg_l4_payload_len":8,"midstream":0,"ts_msec":1552590235066,"l3_proto":"ip4","src_ip":"192.168.1.212","dst_ip":"90.130.70.73","src_port":50694,"dst_port":21,"l4_proto":"tcp","ndpi": {"flow_risk": {"22":"Unsafe Protocol"},"proto":"FTP_CONTROL","breed":"Unsafe","category":"Download"},"ftp": {"user":"anonymous","password":"NcFTP@","auth_failed":0}}
00547{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":37,"source":"ftp.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":1,"flow_first_seen":1552590236580,"flow_last_seen":1552590236580,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1552590236580,"l3_proto":"ip4","src_ip":"192.168.1.212","dst_ip":"90.130.70.73","src_port":50695,"dst_port":25685,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00472{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":37,"source":"ftp.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_last_seen":1552590236580,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"ts_msec":1552590236580,"pkt":"EBMx8Tl2xCwDBkn+CABFAABAAABAAEAGAADAqAHUWoJGScYHZFXuwKKMAAAAALAC\/\/9jegAAAgQFtAEDAwUBAQgKO1efIQAAAAAEAgAA"}
00467{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":38,"source":"ftp.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_last_seen":1552590236608,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1552590236608,"pkt":"xCwDBkn+EBMx8Tl2CABFAAA8AABAADYG4XRagkZJwKgB1GRVxgdmK2Nw7sCijaASqbDL3QAAAgQFrAQCCAoSZ\/zzO1efIQEDAw4="}
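Review bot: The new `detected` event for flow 1 no longer reports flow risk `36` ("Clear-text credentials"), yet the same record still serialises `"ftp": {"user":"anonymous","password":"NcFTP@","auth_failed":0}`. The `guessed` event in ftp_failed.pcap.out changes the same way, with risk `36` replaced by `22` ("Unsafe Protocol"). Any consumer that alerts on risk id 36 would silently stop firing for FTP logins after this update. If the change comes from the libnDPI bump and is intended, say so in the commit description. Otherwise the expected output should keep `"flow_risk": {"22":"Unsafe Protocol","36":"Clear-text credentials"}`, and the regression should be fixed before the baselines are regenerated.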
@@ -26,10 +26,10 @@
~~ total active/idle flows...: 3/3
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1972068 bytes
-~~ total memory freed........: 1972068 bytes
-~~ total allocations/frees...: 36539/36539
+~~ total memory allocated....: 4633535 bytes
+~~ total memory freed........: 4633535 bytes
+~~ total allocations/frees...: 100735/100735
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 159 chars
-~~ json string max len.......: 722 chars
-~~ json string avg len.......: 510 chars
+~~ json string max len.......: 692 chars
+~~ json string avg len.......: 495 chars
diff --git a/test/results/ftp_failed.pcap.out b/test/results/ftp_failed.pcap.out
index 90a8e0a72..0c133930b 100644
--- a/test/results/ftp_failed.pcap.out
+++ b/test/results/ftp_failed.pcap.out
@@ -3,7 +3,7 @@
00503{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"ftp_failed.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_last_seen":1574361625864,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1574361625864,"pkt":"9LUv\/K\/wZABqYzXMht1gC5eXACgGQCoADUAAAQADAZIAEgGTABEqAAgAEBAAAAAAAAAAAAABrrQAFZk3QbUAAAAAoAJwgHzLAAACBAWgBAIICpYFXqIAAAAAAQMDBw=="}
00505{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"ftp_failed.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_last_seen":1574361625878,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1574361625878,"pkt":"ZABqYzXM9LUv\/K\/wht1gC1mOACgGOioACAAQEAAAAAAAAAAAAAEqAA1AAAEAAwGSABIBkwARABWutHAVBmyZN0G2oBL\/\/zbpAAACBAWgBAIIClbTSMOWBV6iAQMDDg=="}
00491{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"ftp_failed.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_last_seen":1574361625878,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"ts_msec":1574361625878,"pkt":"9LUv\/K\/wZABqYzXMht1gC5eXACAGQCoADUAAAQADAZIAEgGTABEqAAgAEBAAAAAAAAAAAAABrrQAFZk3QbZwFQZtgBAA4XzDAAABAQgKlgVesFbTSMM="}
-00707{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":18,"source":"ftp_failed.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":18,"flow_first_seen":1574361625864,"flow_last_seen":1574361633102,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":40,"flow_tot_l4_payload_len":136,"flow_avg_l4_payload_len":7,"midstream":0,"ts_msec":1574361633102,"l3_proto":"ip6","src_ip":"2a00:d40:1:3:192:12:193:11","dst_ip":"2a00:800:1010::1","src_port":44724,"dst_port":21,"l4_proto":"tcp","ndpi": {"flow_risk": {"36":"Clear-text credentials"},"proto":"FTP_CONTROL","breed":"Unsafe","category":"Download"},"ftp": {"user":"hello","password":"","auth_failed":1}}
+00700{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":18,"source":"ftp_failed.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":18,"flow_first_seen":1574361625864,"flow_last_seen":1574361633102,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":40,"flow_tot_l4_payload_len":136,"flow_avg_l4_payload_len":7,"midstream":0,"ts_msec":1574361633102,"l3_proto":"ip6","src_ip":"2a00:d40:1:3:192:12:193:11","dst_ip":"2a00:800:1010::1","src_port":44724,"dst_port":21,"l4_proto":"tcp","ndpi": {"flow_risk": {"22":"Unsafe Protocol"},"proto":"FTP_CONTROL","breed":"Unsafe","category":"Download"},"ftp": {"user":"hello","password":"","auth_failed":1}}
00572{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":18,"source":"ftp_failed.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":18,"flow_first_seen":1574361625864,"flow_last_seen":1574361633102,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":40,"flow_tot_l4_payload_len":136,"flow_avg_l4_payload_len":7,"midstream":0,"ts_msec":1574361633102,"l3_proto":"ip6","src_ip":"2a00:d40:1:3:192:12:193:11","dst_ip":"2a00:800:1010::1","src_port":44724,"dst_port":21,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00158{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":18,"source":"ftp_failed.pcap","alias":"nDPId-test","total-events-serialized":8}
~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
@@ -14,10 +14,10 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1930694 bytes
-~~ total memory freed........: 1930694 bytes
-~~ total allocations/frees...: 35357/35357
+~~ total memory allocated....: 4593009 bytes
+~~ total memory freed........: 4593009 bytes
+~~ total allocations/frees...: 99553/99553
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 163 chars
-~~ json string max len.......: 712 chars
-~~ json string avg len.......: 497 chars
+~~ json string max len.......: 705 chars
+~~ json string avg len.......: 494 chars
diff --git a/test/results/genshin-impact.pcap.out b/test/results/genshin-impact.pcap.out
index bde09bc56..372245753 100644
--- a/test/results/genshin-impact.pcap.out
+++ b/test/results/genshin-impact.pcap.out
@@ -26,9 +26,9 @@
~~ total active/idle flows...: 3/3
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1932661 bytes
-~~ total memory freed........: 1932661 bytes
-~~ total allocations/frees...: 35389/35389
+~~ total memory allocated....: 4594128 bytes
+~~ total memory freed........: 4594128 bytes
+~~ total allocations/frees...: 99585/99585
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 168 chars
~~ json string max len.......: 671 chars
diff --git a/test/results/git.pcap.out b/test/results/git.pcap.out
index ac87e5ab2..ca98b2255 100644
--- a/test/results/git.pcap.out
+++ b/test/results/git.pcap.out
@@ -14,9 +14,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1930734 bytes
-~~ total memory freed........: 1930734 bytes
-~~ total allocations/frees...: 35428/35428
+~~ total memory allocated....: 4593049 bytes
+~~ total memory freed........: 4593049 bytes
+~~ total allocations/frees...: 99624/99624
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 156 chars
~~ json string max len.......: 584 chars
diff --git a/test/results/google_ssl.pcap.out b/test/results/google_ssl.pcap.out
index 902882da3..cb379a1ae 100644
--- a/test/results/google_ssl.pcap.out
+++ b/test/results/google_ssl.pcap.out
@@ -3,7 +3,7 @@
00452{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"google_ssl.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_last_seen":1434443394683,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":58,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":58,"pkt_l4_len":24,"ts_msec":1434443394683,"pkt":"AA6OTbSogMbKAJ6fCABFAAAsBqJAAEAG14usHwPg2DrUZKdTAbt6Z3LqAAAAAGACFtCOVwAAAgQFtA=="}
00452{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"google_ssl.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_last_seen":1434443394717,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":24,"ts_msec":1434443394717,"pkt":"gMbKAJ6fAA6OTbSoCABFAAAseLYAADMGsnfYOtRkrB8D4AG7p1PuIxETemdy62ASp5T+aAAAAgQFlgAA"}
00444{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"google_ssl.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_last_seen":1434443394851,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1434443394851,"pkt":"AA6OTbSogMbKAJ6fCABFAAAoBqNAAEAG146sHwPg2DrUZKdTAbt6Z3Lr7iMRFFAQFtCmzAAA"}
-00598{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":28,"source":"google_ssl.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":28,"flow_first_seen":1434443394683,"flow_last_seen":1434443401353,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1430,"flow_tot_l4_payload_len":7568,"flow_avg_l4_payload_len":270,"midstream":0,"ts_msec":1434443401353,"l3_proto":"ip4","src_ip":"172.31.3.224","dst_ip":"216.58.212.100","src_port":42835,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"}}
+00596{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":28,"source":"google_ssl.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":28,"flow_first_seen":1434443394683,"flow_last_seen":1434443401353,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1430,"flow_tot_l4_payload_len":7568,"flow_avg_l4_payload_len":270,"midstream":0,"ts_msec":1434443401353,"l3_proto":"ip4","src_ip":"172.31.3.224","dst_ip":"216.58.212.100","src_port":42835,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Web"}}
00562{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":28,"source":"google_ssl.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":28,"flow_first_seen":1434443394683,"flow_last_seen":1434443401353,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1430,"flow_tot_l4_payload_len":7568,"flow_avg_l4_payload_len":270,"midstream":0,"ts_msec":1434443401353,"l3_proto":"ip4","src_ip":"172.31.3.224","dst_ip":"216.58.212.100","src_port":42835,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00158{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":28,"source":"google_ssl.pcap","alias":"nDPId-test","total-events-serialized":8}
~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
@@ -14,10 +14,10 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1930984 bytes
-~~ total memory freed........: 1930984 bytes
-~~ total allocations/frees...: 35367/35367
+~~ total memory allocated....: 4593299 bytes
+~~ total memory freed........: 4593299 bytes
+~~ total allocations/frees...: 99563/99563
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 163 chars
-~~ json string max len.......: 603 chars
-~~ json string avg len.......: 449 chars
+~~ json string max len.......: 601 chars
+~~ json string avg len.......: 448 chars
diff --git a/test/results/googledns_android10.pcap.out b/test/results/googledns_android10.pcap.out
index 0a55bc6ec..6db249253 100644
--- a/test/results/googledns_android10.pcap.out
+++ b/test/results/googledns_android10.pcap.out
@@ -14,19 +14,19 @@
00474{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":11,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_last_seen":1592552825929,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1592552825929,"pkt":"EBMx8Tl2ag\/ahpuQCABFAAA0yAJAAEAGoGrAqAGfCAgICNrYA1WXsATBw\/3toIAQAVd7uAAAAQEICv\/\/zMVkDcpF"}
00827{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":12,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":4,"flow_first_seen":1592552825913,"flow_last_seen":1592552825929,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":154,"flow_tot_l4_payload_len":154,"flow_avg_l4_payload_len":38,"midstream":0,"ts_msec":1592552825929,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.8.8","src_port":56024,"dst_port":853,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.DoH_DoT","breed":"Fun","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"dns.google","ja3":"2c776785ee603cc85d37df996bb90cc8","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
00884{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":15,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":6,"flow_first_seen":1592552825913,"flow_last_seen":1592552825957,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":1572,"flow_avg_l4_payload_len":262,"midstream":0,"ts_msec":1592552825957,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.4.4","src_port":48044,"dst_port":853,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.DoH_DoT","breed":"Fun","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"dns.google","ja3":"2c776785ee603cc85d37df996bb90cc8","ja3s":"b44baa8a20901c5663b3a9664ba8a767","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}
-01186{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":16,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":7,"flow_first_seen":1592552825913,"flow_last_seen":1592552825957,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":2990,"flow_avg_l4_payload_len":427,"midstream":0,"ts_msec":1592552825957,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.4.4","src_port":48044,"dst_port":853,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.DoH_DoT","breed":"Fun","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"dns.google","server_names":"dns.google,*.dns.google.com,8888.google,dns.google.com,dns64.dns.google","ja3":"2c776785ee603cc85d37df996bb90cc8","ja3s":"b44baa8a20901c5663b3a9664ba8a767","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Google Trust Services, CN=GTS CA 1O1","issuerDN":"C=US, ST=California, L=Mountain View, O=Google LLC, CN=dns.google","fingerprint":"5B:59:09:FC:7D:50:E6:F7:D1:08:8E:57:42:A2:D8:AE:1F:03:FF:EC"}}
+01285{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":16,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":7,"flow_first_seen":1592552825913,"flow_last_seen":1592552825957,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":2990,"flow_avg_l4_payload_len":427,"midstream":0,"ts_msec":1592552825957,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.4.4","src_port":48044,"dst_port":853,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.DoH_DoT","breed":"Fun","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"dns.google","server_names":"dns.google,*.dns.google.com,8888.google,dns.google.com,dns64.dns.google,2001:4860:4860::64,2001:4860:4860::6464,2001:4860:4860::8844,2001:4860:4860::8888,8.8.4.4,8.8.8.8","ja3":"2c776785ee603cc85d37df996bb90cc8","ja3s":"b44baa8a20901c5663b3a9664ba8a767","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Google Trust Services, CN=GTS CA 1O1","subjectDN":"C=US, ST=California, L=Mountain View, O=Google LLC, CN=dns.google","fingerprint":"5B:59:09:FC:7D:50:E6:F7:D1:08:8E:57:42:A2:D8:AE:1F:03:FF:EC"}}
00884{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":18,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":6,"flow_first_seen":1592552825913,"flow_last_seen":1592552825959,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":1572,"flow_avg_l4_payload_len":262,"midstream":0,"ts_msec":1592552825959,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.8.8","src_port":56024,"dst_port":853,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.DoH_DoT","breed":"Fun","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"dns.google","ja3":"2c776785ee603cc85d37df996bb90cc8","ja3s":"b44baa8a20901c5663b3a9664ba8a767","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}
-01186{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":19,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":7,"flow_first_seen":1592552825913,"flow_last_seen":1592552825960,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":2990,"flow_avg_l4_payload_len":427,"midstream":0,"ts_msec":1592552825960,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.8.8","src_port":56024,"dst_port":853,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.DoH_DoT","breed":"Fun","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"dns.google","server_names":"dns.google,*.dns.google.com,8888.google,dns.google.com,dns64.dns.google","ja3":"2c776785ee603cc85d37df996bb90cc8","ja3s":"b44baa8a20901c5663b3a9664ba8a767","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Google Trust Services, CN=GTS CA 1O1","issuerDN":"C=US, ST=California, L=Mountain View, O=Google LLC, CN=dns.google","fingerprint":"5B:59:09:FC:7D:50:E6:F7:D1:08:8E:57:42:A2:D8:AE:1F:03:FF:EC"}}
+01285{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":19,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":7,"flow_first_seen":1592552825913,"flow_last_seen":1592552825960,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":2990,"flow_avg_l4_payload_len":427,"midstream":0,"ts_msec":1592552825960,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.8.8","src_port":56024,"dst_port":853,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.DoH_DoT","breed":"Fun","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"dns.google","server_names":"dns.google,*.dns.google.com,8888.google,dns.google.com,dns64.dns.google,2001:4860:4860::64,2001:4860:4860::6464,2001:4860:4860::8844,2001:4860:4860::8888,8.8.4.4,8.8.8.8","ja3":"2c776785ee603cc85d37df996bb90cc8","ja3s":"b44baa8a20901c5663b3a9664ba8a767","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Google Trust Services, CN=GTS CA 1O1","subjectDN":"C=US, ST=California, L=Mountain View, O=Google LLC, CN=dns.google","fingerprint":"5B:59:09:FC:7D:50:E6:F7:D1:08:8E:57:42:A2:D8:AE:1F:03:FF:EC"}}
00556{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":42,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":1,"flow_first_seen":1592552826036,"flow_last_seen":1592552826036,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1592552826036,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.4.4","src_port":48048,"dst_port":853,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00487{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":42,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":1,"flow_last_seen":1592552826036,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1592552826036,"pkt":"EBMx8Tl2ag\/ahpuQCABFAAA80uBAAEAGmYjAqAGfCAgEBLuwA1WtLB4AAAAAAKAC\/\/8imQAAAgQFtAQCCAr\/\/8zgAAAAAAEDAwg="}
00486{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":45,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_last_seen":1592552826049,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1592552826049,"pkt":"ag\/ahpuQEBMx8Tl2CABFAAA8wHkAAHcGtO8ICAQEwKgBnwNVu7B94BEWrSweAaAS6yCziAAAAgQFZAQCCAq0eUC+\/\/\/M4AEDAwg="}
00474{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":46,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_last_seen":1592552826051,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1592552826051,"pkt":"EBMx8Tl2ag\/ahpuQCABFAAA00uFAAEAGmY\/AqAGfCAgEBLuwA1WtLB4BfeARF4AQAVfLywAAAQEICv\/\/zOS0eUC+"}
00827{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":47,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":4,"flow_first_seen":1592552826036,"flow_last_seen":1592552826051,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":154,"flow_tot_l4_payload_len":154,"flow_avg_l4_payload_len":38,"midstream":0,"ts_msec":1592552826051,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.4.4","src_port":48048,"dst_port":853,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.DoH_DoT","breed":"Fun","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"dns.google","ja3":"2c776785ee603cc85d37df996bb90cc8","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
00884{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":52,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":6,"flow_first_seen":1592552826036,"flow_last_seen":1592552826080,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":1572,"flow_avg_l4_payload_len":262,"midstream":0,"ts_msec":1592552826080,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.4.4","src_port":48048,"dst_port":853,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.DoH_DoT","breed":"Fun","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"dns.google","ja3":"2c776785ee603cc85d37df996bb90cc8","ja3s":"b44baa8a20901c5663b3a9664ba8a767","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}
-01186{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":53,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":7,"flow_first_seen":1592552826036,"flow_last_seen":1592552826081,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":2990,"flow_avg_l4_payload_len":427,"midstream":0,"ts_msec":1592552826081,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.4.4","src_port":48048,"dst_port":853,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.DoH_DoT","breed":"Fun","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"dns.google","server_names":"dns.google,*.dns.google.com,8888.google,dns.google.com,dns64.dns.google","ja3":"2c776785ee603cc85d37df996bb90cc8","ja3s":"b44baa8a20901c5663b3a9664ba8a767","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Google Trust Services, CN=GTS CA 1O1","issuerDN":"C=US, ST=California, L=Mountain View, O=Google LLC, CN=dns.google","fingerprint":"5B:59:09:FC:7D:50:E6:F7:D1:08:8E:57:42:A2:D8:AE:1F:03:FF:EC"}}
+01285{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":53,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":7,"flow_first_seen":1592552826036,"flow_last_seen":1592552826081,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":2990,"flow_avg_l4_payload_len":427,"midstream":0,"ts_msec":1592552826081,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.4.4","src_port":48048,"dst_port":853,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.DoH_DoT","breed":"Fun","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"dns.google","server_names":"dns.google,*.dns.google.com,8888.google,dns.google.com,dns64.dns.google,2001:4860:4860::64,2001:4860:4860::6464,2001:4860:4860::8844,2001:4860:4860::8888,8.8.4.4,8.8.8.8","ja3":"2c776785ee603cc85d37df996bb90cc8","ja3s":"b44baa8a20901c5663b3a9664ba8a767","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Google Trust Services, CN=GTS CA 1O1","subjectDN":"C=US, ST=California, L=Mountain View, O=Google LLC, CN=dns.google","fingerprint":"5B:59:09:FC:7D:50:E6:F7:D1:08:8E:57:42:A2:D8:AE:1F:03:FF:EC"}}
00528{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":81,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":1,"flow_first_seen":1592552827426,"flow_last_seen":1592552827426,"flow_idle_time":120000,"flow_min_l4_payload_len":64,"flow_max_l4_payload_len":64,"flow_tot_l4_payload_len":64,"flow_avg_l4_payload_len":64,"midstream":0,"ts_msec":1592552827426,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.8.8","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3}
00514{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":81,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_last_seen":1592552827426,"flow_idle_time":120000,"pkt_oversize":false,"pkt_caplen":98,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":98,"pkt_l4_len":64,"ts_msec":1592552827426,"pkt":"EBMx8Tl2ag\/ahpuQCABFAABUl9BAAEAB0IHAqAGfCAgICAgA4JUAAgABem3sXgAAAADqxwcAAAAAABAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4vMDEyMzQ1Njc="}
-00589{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":81,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":1,"flow_first_seen":1592552827426,"flow_last_seen":1592552827426,"flow_idle_time":120000,"flow_min_l4_payload_len":64,"flow_max_l4_payload_len":64,"flow_tot_l4_payload_len":64,"flow_avg_l4_payload_len":64,"midstream":0,"ts_msec":1592552827426,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.8.8","l4_proto":"icmp","ndpi": {"entropy":5.297900,"proto":"ICMP.Google","breed":"Tracker\/Ads","category":"Network"}}
+00587{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":81,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":1,"flow_first_seen":1592552827426,"flow_last_seen":1592552827426,"flow_idle_time":120000,"flow_min_l4_payload_len":64,"flow_max_l4_payload_len":64,"flow_tot_l4_payload_len":64,"flow_avg_l4_payload_len":64,"midstream":0,"ts_msec":1592552827426,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.8.8","l4_proto":"icmp","ndpi": {"proto":"ICMP.Google","breed":"Acceptable","category":"Network"},"entropy":5.297900}
00514{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":83,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":2,"flow_last_seen":1592552827440,"flow_idle_time":120000,"pkt_oversize":false,"pkt_caplen":98,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":98,"pkt_l4_len":64,"ts_msec":1592552827440,"pkt":"ag\/ahpuQEBMx8Tl2CABFoABUAAAAAHEBdrIICAgIwKgBnwAA6JUAAgABem3sXgAAAADqxwcAAAAAABAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4vMDEyMzQ1Njc="}
00515{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":87,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":3,"flow_last_seen":1592552828402,"flow_idle_time":120000,"pkt_oversize":false,"pkt_caplen":98,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":98,"pkt_l4_len":64,"ts_msec":1592552828402,"pkt":"EBMx8Tl2ag\/ahpuQCABFAABUl\/5AAEAB0FPAqAGfCAgICAgAgPEAAwABe23sXgAAAABJawcAAAAAABAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4vMDEyMzQ1Njc="}
00557{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":157,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":1,"flow_first_seen":1592552871852,"flow_last_seen":1592552871852,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1592552871852,"l3_proto":"ip4","src_ip":"8.8.4.4","dst_ip":"192.168.1.159","src_port":853,"dst_port":47968,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
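Review bot: In the regenerated `detected` event for flow 5, `"entropy":5.297900` is now a top-level key rather than a member of the `ndpi` object, so a consumer that reads `ndpi.entropy` will silently stop seeing the value. The diffstat lists a change to `schema/flow_event_schema.json`, which is not visible in this part of the diff; it is worth confirming that the schema declares `entropy` at the top level and that the commit description mentions the move. In the same hunk, the `server_names` string in the `detection-update` events now also carries IPv4 and IPv6 literals (apparently the certificate's IP-address SANs), so downstream parsers or detection rules that treat every comma-separated entry as a hostname should be checked. This file is a regenerated test baseline, so any adjustment belongs in the emitter and the schema, not in these lines.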
@@ -40,11 +40,11 @@
00883{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":164,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":6,"flow_first_seen":1592552878549,"flow_last_seen":1592552878577,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":664,"flow_avg_l4_payload_len":110,"midstream":0,"ts_msec":1592552878577,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.4.4","src_port":48098,"dst_port":853,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.DoH_DoT","breed":"Fun","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"dns.google","ja3":"b734f75d22aaff9866fbd5d27eef9106","ja3s":"1249fb68f48c0444718e4d3b48b27188","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}
00533{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":208,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":4,"flow_first_seen":1592552827426,"flow_last_seen":1592552828415,"flow_idle_time":120000,"flow_min_l4_payload_len":64,"flow_max_l4_payload_len":64,"flow_tot_l4_payload_len":256,"flow_avg_l4_payload_len":64,"midstream":0,"ts_msec":1592552889402,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.8.8","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3}
00531{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":265,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":4,"flow_first_seen":1592552827426,"flow_last_seen":1592552828415,"flow_idle_time":120000,"flow_min_l4_payload_len":64,"flow_max_l4_payload_len":64,"flow_tot_l4_payload_len":256,"flow_avg_l4_payload_len":64,"midstream":0,"ts_msec":1592552946554,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.8.8","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3}
-00597{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":265,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":6,"flow_first_seen":1592552824409,"flow_last_seen":1592552826208,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1592552946554,"l3_proto":"ip4","src_ip":"8.8.8.8","dst_ip":"192.168.1.159","src_port":853,"dst_port":55856,"l4_proto":"tcp","ndpi": {"proto":"DoH_DoT.Google","breed":"Tracker\/Ads","category":"Web"}}
+00595{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":265,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":6,"flow_first_seen":1592552824409,"flow_last_seen":1592552826208,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1592552946554,"l3_proto":"ip4","src_ip":"8.8.8.8","dst_ip":"192.168.1.159","src_port":853,"dst_port":55856,"l4_proto":"tcp","ndpi": {"proto":"DoH_DoT.Google","breed":"Acceptable","category":"Web"}}
00557{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":265,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":6,"flow_first_seen":1592552824409,"flow_last_seen":1592552826208,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1592552946554,"l3_proto":"ip4","src_ip":"8.8.8.8","dst_ip":"192.168.1.159","src_port":853,"dst_port":55856,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00566{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":265,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":21,"flow_first_seen":1592552825913,"flow_last_seen":1592552826054,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":3843,"flow_avg_l4_payload_len":183,"midstream":0,"ts_msec":1592552946554,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.8.8","src_port":56024,"dst_port":853,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00566{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":265,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":21,"flow_first_seen":1592552825913,"flow_last_seen":1592552826030,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":3843,"flow_avg_l4_payload_len":183,"midstream":0,"ts_msec":1592552946554,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.4.4","src_port":48044,"dst_port":853,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
-00597{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":285,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":2,"flow_first_seen":1592552871852,"flow_last_seen":1592552871941,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1592552991281,"l3_proto":"ip4","src_ip":"8.8.4.4","dst_ip":"192.168.1.159","src_port":853,"dst_port":47968,"l4_proto":"tcp","ndpi": {"proto":"DoH_DoT.Google","breed":"Tracker\/Ads","category":"Web"}}
+00595{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":285,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":2,"flow_first_seen":1592552871852,"flow_last_seen":1592552871941,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1592552991281,"l3_proto":"ip4","src_ip":"8.8.4.4","dst_ip":"192.168.1.159","src_port":853,"dst_port":47968,"l4_proto":"tcp","ndpi": {"proto":"DoH_DoT.Google","breed":"Acceptable","category":"Web"}}
00557{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":285,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":2,"flow_first_seen":1592552871852,"flow_last_seen":1592552871941,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1592552991281,"l3_proto":"ip4","src_ip":"8.8.4.4","dst_ip":"192.168.1.159","src_port":853,"dst_port":47968,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00568{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":285,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":104,"flow_first_seen":1592552826036,"flow_last_seen":1592552867048,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":21215,"flow_avg_l4_payload_len":203,"midstream":0,"ts_msec":1592552991281,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.4.4","src_port":48048,"dst_port":853,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00557{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":292,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":1,"flow_first_seen":1592553007037,"flow_last_seen":1592553007037,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1592553007037,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.4.4","src_port":48210,"dst_port":853,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -53,7 +53,7 @@
00473{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":294,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":3,"flow_last_seen":1592553007078,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1592553007078,"pkt":"EBMx8Tl2ag\/ahpuQCABFAAA0FgtAAEAGVmbAqAGfCAgEBLxSA1VGZWusr3aVwIAQAVeQUgAAAQEICgAAfa1\/c2Kv"}
00828{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":295,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":4,"flow_first_seen":1592553007037,"flow_last_seen":1592553007088,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":154,"flow_tot_l4_payload_len":154,"flow_avg_l4_payload_len":38,"midstream":0,"ts_msec":1592553007088,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.4.4","src_port":48210,"dst_port":853,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.DoH_DoT","breed":"Fun","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"dns.google","ja3":"2c776785ee603cc85d37df996bb90cc8","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
00885{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":297,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":6,"flow_first_seen":1592553007037,"flow_last_seen":1592553007118,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":1572,"flow_avg_l4_payload_len":262,"midstream":0,"ts_msec":1592553007118,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.4.4","src_port":48210,"dst_port":853,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.DoH_DoT","breed":"Fun","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"dns.google","ja3":"2c776785ee603cc85d37df996bb90cc8","ja3s":"b44baa8a20901c5663b3a9664ba8a767","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}
-01187{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":298,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":7,"flow_first_seen":1592553007037,"flow_last_seen":1592553007118,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":2990,"flow_avg_l4_payload_len":427,"midstream":0,"ts_msec":1592553007118,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.4.4","src_port":48210,"dst_port":853,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.DoH_DoT","breed":"Fun","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"dns.google","server_names":"dns.google,*.dns.google.com,8888.google,dns.google.com,dns64.dns.google","ja3":"2c776785ee603cc85d37df996bb90cc8","ja3s":"b44baa8a20901c5663b3a9664ba8a767","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Google Trust Services, CN=GTS CA 1O1","issuerDN":"C=US, ST=California, L=Mountain View, O=Google LLC, CN=dns.google","fingerprint":"5B:59:09:FC:7D:50:E6:F7:D1:08:8E:57:42:A2:D8:AE:1F:03:FF:EC"}}
+01286{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":298,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":7,"flow_first_seen":1592553007037,"flow_last_seen":1592553007118,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":2990,"flow_avg_l4_payload_len":427,"midstream":0,"ts_msec":1592553007118,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.4.4","src_port":48210,"dst_port":853,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.DoH_DoT","breed":"Fun","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"dns.google","server_names":"dns.google,*.dns.google.com,8888.google,dns.google.com,dns64.dns.google,2001:4860:4860::64,2001:4860:4860::6464,2001:4860:4860::8844,2001:4860:4860::8888,8.8.4.4,8.8.8.8","ja3":"2c776785ee603cc85d37df996bb90cc8","ja3s":"b44baa8a20901c5663b3a9664ba8a767","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Google Trust Services, CN=GTS CA 1O1","subjectDN":"C=US, ST=California, L=Mountain View, O=Google LLC, CN=dns.google","fingerprint":"5B:59:09:FC:7D:50:E6:F7:D1:08:8E:57:42:A2:D8:AE:1F:03:FF:EC"}}
00567{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":532,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":133,"flow_first_seen":1592552878549,"flow_last_seen":1592552996502,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":19828,"flow_avg_l4_payload_len":149,"midstream":0,"ts_msec":1592553079303,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.4.4","src_port":48098,"dst_port":853,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00569{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":532,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":241,"flow_first_seen":1592553007037,"flow_last_seen":1592553079303,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":48857,"flow_avg_l4_payload_len":202,"midstream":0,"ts_msec":1592553079303,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.4.4","src_port":48210,"dst_port":853,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00169{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":532,"source":"googledns_android10.pcap","alias":"nDPId-test","total-events-serialized":59}
@@ -65,10 +65,10 @@
~~ total active/idle flows...: 8/8
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1977448 bytes
-~~ total memory freed........: 1977448 bytes
-~~ total allocations/frees...: 35928/35928
+~~ total memory allocated....: 4640083 bytes
+~~ total memory freed........: 4640083 bytes
+~~ total allocations/frees...: 100148/100148
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 174 chars
-~~ json string max len.......: 1192 chars
-~~ json string avg len.......: 753 chars
+~~ json string max len.......: 1291 chars
+~~ json string avg len.......: 802 chars
diff --git a/test/results/gquic.pcap.out b/test/results/gquic.pcap.out
index 16d137fa6..ec322ec28 100644
--- a/test/results/gquic.pcap.out
+++ b/test/results/gquic.pcap.out
@@ -1,7 +1,7 @@
00439{"daemon_event_id":1,"daemon_event_name":"init","thread_id":0,"packet_id":0,"source":"gquic.pcap","alias":"nDPId-test","max-flows-per-thread":2048,"max-idle-flows-per-thread":256,"tick-resolution":1000,"reader-thread-count":1,"flow-scan-interval":10000,"generic-max-idle-time":600000,"icmp-max-idle-time":120000,"udp-max-idle-time":180000,"tcp-max-idle-time":7560000,"max-packets-per-flow-to-send":3,"max-packets-per-flow-to-process":255}
00556{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1,"source":"gquic.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1591876186378,"flow_last_seen":1591876186378,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1591876186378,"l3_proto":"ip4","src_ip":"10.44.5.25","dst_ip":"216.58.213.163","src_port":61097,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
02260{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"gquic.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_last_seen":1591876186378,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1591876186378,"pkt":"6PckTkFdoMWJ9P+XCABFAAVieo1AAIARvdoKLAUZ2DrVo+6pAbsFTko2w1EwNTAIAXaX8XoV5u8AAEU0NFnBgsF5hkBVQ9QcdhAQB7AX4STVuX+cZkTXcyq7Q06MKI3IMV7nn3XwVsYd8lSM2UQ2Mh\/Lz0P54TH133\/BjF8sKcZx48\/VepMyZjozNf6hUhocgBAvamo29IXHVqILxpkl4wjCzjbjeV119chifFcXxaTjllFkxsh3XmLG5348E\/qK2TLLnMy43JAHw6S2e1v2BO4WXkya\/bcrsjPnQYikRvTxH8li9ZflQ5PttsYcSUtQigVmzX+3zu6YljUMgwCKrGbUc4ym0tN37M5ly\/uhm21+A6fvtyySGNQfP7wJOsR1iWGsA6NR+V\/fmgbvfd72gKd0sTHFADbRPSKYDc0XDK\/X8vG8GXGEknHbOT7DGSzLKpHYvLrwIaFjsweHE6gkta44k2oP3lJ5y\/ohylLleMWOzrznvbvHmPDTo6fznFlCwcMwiT5bU7kKdr22dfJC4HZKXgrfdx\/kyr9W7YgF8ndv1gEMp60hGoa3HeIkNrwcimMUj8lo1MQMLSdfIURLgLYuYXeqNU9nrCpCTOHF8rljnTLtemFl5GKnW4QO+Vn8YQU0wC2WniPFD0JOSE\/9\/8uhjdFWVDMbiGWhYk1SCdcSCnwwatMyU\/DcpZqDI25eb58WZqvNqtnsCmojU\/8N4SjVKXFe6sqZF9Vu2GvgHDvSqxDzjeY9qlts4TuIbe+gH+w1MKU7JxNtGZ08YyKdDEVfiklQ\/xyvSgH5AGRqlnD6igJ7NF54pjKD67q+V\/b7AzUVhGIbpajDS4rvn+fDdhXSGqLFbtHNBw9zOlfyLlg3QCkztn+awCGkuUrUQJWRuzHeXcQ9Pm+GTWr4ztxdNe8GOdcH0fw\/02FqwqbZa0xgXb6ogDH\/Z7u3OTt5CsB\/hPp4imvHezect7LAbuRcIJ+tmXKeqwNdUGoyV614kYKA0aTDm4QbBmp4nIg9dspzjXHExZ33U9zxLwZ8DYwQJDoYhywocb4+jKp5OhFT0Egt5ANj4PPsKNBEjNDxnpAKCiI11YkYMyYj1BSFJ2mKW5kFXZ2\/Uk7W0jKMRykBFSaIJ+fwu1W4yhNjDR69KpOGwGw5d47DA9U+Gj7qbRCpjgb1v145AzbIQNTU\/mwU8gqij0o+rVb\/pUEtWMRho\/Yukqvj0PDpk20u\/iMNduvSEQAQLt7IA31zZMJsdzUDXqeH4lvAJTdAXDM+BfHOutfryXO0ilZKrrhbJmj03RyAieSkoI7y9TYI7udqZUukM2QcgXS180FYjb94yLuFlXG0La9U7oT6UzgYEOrDdq4bcoWorhw9j4EjTTcsFMkNO8f65TlicSD0KdGh7ggCR8NtD2qMSi4KIMxq9IHmGPWBJODrdc1+LXcmA3ApoiY81zbK2QPTdK0LHWSdeauC3LCzY9zJ5bEtZvA4hiamdfZl4E5cxC\/raRilWW9+sNuXDrAH9rw48q66KiLSEC63yDpS1q549REO+OCEIx8SKQQoN1W6tspnVZ3EKLwuCby00TS84gP7\/ke1UZsRSUTrMeCE
TmkIya9DRfJn3gxYto584jg1Sk6Axi4aJ8MlnhdHfC\/0XWQrVM1UOD3\/J3K5XZUZKJ5vUWJzfBTgAe8J4\/heUMD2WmkBuQIER6hh9JGvwyZ2I6vJO7KXsorNCeXZA6iFfdtk90sqEl67LnWUAJmZ\/6NzgV\/JXrGoQRR0uqoWVC\/xj1u+c66MRH8y3Tf8DUoZ1L57SrRzGrkWBB6B2RSkfxWVzZUSCgEgPU4Lp+fnv6pDzh8zifmLUphU5Jycotx7"}
-00723{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"gquic.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1591876186378,"flow_last_seen":1591876186378,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1591876186378,"l3_proto":"ip4","src_ip":"10.44.5.25","dst_ip":"216.58.213.163","src_port":61097,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC.Google","breed":"Tracker\/Ads","category":"Web"},"quic": {"client_requested_server_name":"www.gstatic.com","user_agent":"canary Chrome\/85.0.4169.0 Windows NT 10.0; Win64; x64"}}
+00721{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"gquic.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1591876186378,"flow_last_seen":1591876186378,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1591876186378,"l3_proto":"ip4","src_ip":"10.44.5.25","dst_ip":"216.58.213.163","src_port":61097,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC.Google","breed":"Acceptable","category":"Web"},"quic": {"client_requested_server_name":"www.gstatic.com","user_agent":"canary Chrome\/85.0.4169.0 Windows NT 10.0; Win64; x64"}}
00557{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1,"source":"gquic.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1591876186378,"flow_last_seen":1591876186378,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1591876186378,"l3_proto":"ip4","src_ip":"10.44.5.25","dst_ip":"216.58.213.163","src_port":61097,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00152{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":1,"source":"gquic.pcap","alias":"nDPId-test","total-events-serialized":6}
~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
@@ -12,9 +12,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1933713 bytes
-~~ total memory freed........: 1933713 bytes
-~~ total allocations/frees...: 35350/35350
+~~ total memory allocated....: 4596028 bytes
+~~ total memory freed........: 4596028 bytes
+~~ total allocations/frees...: 99546/99546
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 157 chars
~~ json string max len.......: 2265 chars
diff --git a/test/results/gtp_false_positive.pcapng.out b/test/results/gtp_false_positive.pcapng.out
new file mode 100644
index 000000000..e47fe2dfa
--- /dev/null
+++ b/test/results/gtp_false_positive.pcapng.out
@@ -0,0 +1,31 @@
+00454{"daemon_event_id":1,"daemon_event_name":"init","thread_id":0,"packet_id":0,"source":"gtp_false_positive.pcapng","alias":"nDPId-test","max-flows-per-thread":2048,"max-idle-flows-per-thread":256,"tick-resolution":1000,"reader-thread-count":1,"flow-scan-interval":10000,"generic-max-idle-time":600000,"icmp-max-idle-time":120000,"udp-max-idle-time":180000,"tcp-max-idle-time":7560000,"max-packets-per-flow-to-send":3,"max-packets-per-flow-to-process":255}
+00563{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1,"source":"gtp_false_positive.pcapng","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1638856441836,"flow_last_seen":1638856441836,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1638856441836,"l3_proto":"ip4","src_ip":"24.1.33.66","dst_ip":"62.56.122.232","src_port":29255,"dst_port":3386,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00489{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"gtp_false_positive.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_last_seen":1638856441836,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":81,"pkt_l4_len":47,"ts_msec":1638856441836,"pkt":"AAAAAAAAAAEAm1OyCABFAABDuMQAAD8R0IIYASFCPjh66HJHDToAL3+GJwAAAAJZAADIADJepW8BAAAAHa0lUAAAAAAAAAAAAAAAAAEAAAAA"}
+00489{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"gtp_false_positive.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_last_seen":1638856442050,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":81,"pkt_l4_len":47,"ts_msec":1638856442050,"pkt":"AAAAAAAAAAEAm1OyCABFAABDLq0AAD8RWpoYASFCPjh66HJHDToAL3+GJwAAAAJZAADIADJepW8BAAAAHa0lUAAAAAAAAAAAAAAAAAEAAAAA"}
+00501{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"gtp_false_positive.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_last_seen":1638856501910,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":89,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":89,"pkt_l4_len":55,"ts_msec":1638856501910,"pkt":"AAAAAAAAAAEAm1OyCABFAABLxYgAAD8Rw7YYASFCPjh66HJHDToANyFgLwAAAALBDwDIAAEAAADTFLeVMl6lbwABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="}
+00580{"flow_event_id":8,"flow_event_name":"not-detected","thread_id":0,"packet_id":6,"source":"gtp_false_positive.pcapng","alias":"nDPId-test","flow_id":1,"flow_packets_processed":5,"flow_first_seen":1638856441836,"flow_last_seen":1638856511476,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":47,"flow_tot_l4_payload_len":218,"flow_avg_l4_payload_len":43,"midstream":0,"ts_msec":1639664897536,"l3_proto":"ip4","src_ip":"24.1.33.66","dst_ip":"62.56.122.232","src_port":29255,"dst_port":3386,"l4_proto":"udp","ndpi": {"proto":"Unknown","breed":"Unrated"}}
+00565{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":6,"source":"gtp_false_positive.pcapng","alias":"nDPId-test","flow_id":1,"flow_packets_processed":5,"flow_first_seen":1638856441836,"flow_last_seen":1638856511476,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":47,"flow_tot_l4_payload_len":218,"flow_avg_l4_payload_len":43,"midstream":0,"ts_msec":1639664897536,"l3_proto":"ip4","src_ip":"24.1.33.66","dst_ip":"62.56.122.232","src_port":29255,"dst_port":3386,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00563{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":6,"source":"gtp_false_positive.pcapng","alias":"nDPId-test","flow_id":2,"flow_packets_processed":1,"flow_first_seen":1639664897536,"flow_last_seen":1639664897536,"flow_idle_time":180000,"flow_min_l4_payload_len":8,"flow_max_l4_payload_len":8,"flow_tot_l4_payload_len":8,"flow_avg_l4_payload_len":8,"midstream":0,"ts_msec":1639664897536,"l3_proto":"ip4","src_ip":"50.7.111.134","dst_ip":"103.225.103.159","src_port":17000,"dst_port":2123,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00457{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6,"source":"gtp_false_positive.pcapng","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_last_seen":1639664897536,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":56,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":56,"pkt_l4_len":16,"ts_msec":1639664897536,"pkt":"AAAAAAAAAAgAcgnYCABFaAAk3R5AADMR+TQyB2+GZ+Fnn0JoCEsAEMsJNwMAAEIAAAAAAAAAAAA="}
+00594{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":7,"source":"gtp_false_positive.pcapng","alias":"nDPId-test","flow_id":2,"flow_packets_processed":1,"flow_first_seen":1639664897536,"flow_last_seen":1639664897536,"flow_idle_time":180000,"flow_min_l4_payload_len":8,"flow_max_l4_payload_len":8,"flow_tot_l4_payload_len":8,"flow_avg_l4_payload_len":8,"midstream":0,"ts_msec":1640630605457,"l3_proto":"ip4","src_ip":"50.7.111.134","dst_ip":"103.225.103.159","src_port":17000,"dst_port":2123,"l4_proto":"udp","ndpi": {"proto":"GTP","breed":"Acceptable","category":"Network"}}
+00564{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":7,"source":"gtp_false_positive.pcapng","alias":"nDPId-test","flow_id":2,"flow_packets_processed":1,"flow_first_seen":1639664897536,"flow_last_seen":1639664897536,"flow_idle_time":180000,"flow_min_l4_payload_len":8,"flow_max_l4_payload_len":8,"flow_tot_l4_payload_len":8,"flow_avg_l4_payload_len":8,"midstream":0,"ts_msec":1640630605457,"l3_proto":"ip4","src_ip":"50.7.111.134","dst_ip":"103.225.103.159","src_port":17000,"dst_port":2123,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00571{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":7,"source":"gtp_false_positive.pcapng","alias":"nDPId-test","flow_id":3,"flow_packets_processed":1,"flow_first_seen":1640630605457,"flow_last_seen":1640630605457,"flow_idle_time":180000,"flow_min_l4_payload_len":326,"flow_max_l4_payload_len":326,"flow_tot_l4_payload_len":326,"flow_avg_l4_payload_len":326,"midstream":0,"ts_msec":1640630605457,"l3_proto":"ip4","src_ip":"119.185.190.173","dst_ip":"66.86.98.114","src_port":2123,"dst_port":50140,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00879{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":7,"source":"gtp_false_positive.pcapng","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_last_seen":1640630605457,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":368,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":368,"pkt_l4_len":334,"ts_msec":1640630605457,"pkt":"AAAAAAAAAAgAF2izCABFAAFiEjRAAD0RTyh3ub6tQlZicghLw9wBTnl2RgEAAAJ5AwDIAMWLvaZzN8g7AAAAAHAALV6UJ\/cTHdx+UcbekdlVsrIQyORBtJYGjhwit4VPN8cgIpZwuzYVz0TO+kH8rnowgXXPb2P\/JTt2WeT4FCyPlfScgvudUxqPf1kwZMd0KmXiXleYPXTNqftx0xJj\/Kb2FN1yrSOQIVUjnqcH8TbL6jgJymGUAAAAfj1DGkvghwUAAAAAAQAAAAABAAAAAAAAAAAAAgBvbQcAAAAAAAAASgABBwAAAAgAYXV0b0FsZ28BADEQAGF1dG9Jbml0TGltaXRSZXMBADAMAGF1dG9MaW1pdFJlcwEAMAcAYndlQWxnbwEAMQwAZG91Ymxlaml0dGVyAQAwCQBwcm9iZVN0cmEBADAGAHNka2JiciAAYWNrVGltZU91dDoyMDB8YWNrVGltZUxlbmd0aDo2MDA="}
+00602{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":7,"source":"gtp_false_positive.pcapng","alias":"nDPId-test","flow_id":3,"flow_packets_processed":1,"flow_first_seen":1640630605457,"flow_last_seen":1640630605457,"flow_idle_time":180000,"flow_min_l4_payload_len":326,"flow_max_l4_payload_len":326,"flow_tot_l4_payload_len":326,"flow_avg_l4_payload_len":326,"midstream":0,"ts_msec":1640630605457,"l3_proto":"ip4","src_ip":"119.185.190.173","dst_ip":"66.86.98.114","src_port":2123,"dst_port":50140,"l4_proto":"udp","ndpi": {"proto":"GTP","breed":"Acceptable","category":"Network"}}
+00572{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":7,"source":"gtp_false_positive.pcapng","alias":"nDPId-test","flow_id":3,"flow_packets_processed":1,"flow_first_seen":1640630605457,"flow_last_seen":1640630605457,"flow_idle_time":180000,"flow_min_l4_payload_len":326,"flow_max_l4_payload_len":326,"flow_tot_l4_payload_len":326,"flow_avg_l4_payload_len":326,"midstream":0,"ts_msec":1640630605457,"l3_proto":"ip4","src_ip":"119.185.190.173","dst_ip":"66.86.98.114","src_port":2123,"dst_port":50140,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00168{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":7,"source":"gtp_false_positive.pcapng","alias":"nDPId-test","total-events-serialized":16}
+~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
+~~ packets captured/processed: 7/7
+~~ skipped flows.............: 0
+~~ total layer4 data length..: 552 bytes
+~~ total detected protocols..: 0
+~~ total active/idle flows...: 3/3
+~~ total timeout flows.......: 2
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~ total memory allocated....: 4593026 bytes
+~~ total memory freed........: 4593026 bytes
+~~ total allocations/frees...: 99547/99547
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~ json string min len.......: 173 chars
+~~ json string max len.......: 884 chars
+~~ json string avg len.......: 590 chars
diff --git a/test/results/h323-overflow.pcap.out b/test/results/h323-overflow.pcap.out
index 1128fd5b9..431f03294 100644
--- a/test/results/h323-overflow.pcap.out
+++ b/test/results/h323-overflow.pcap.out
@@ -12,9 +12,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1930201 bytes
-~~ total memory freed........: 1930201 bytes
-~~ total allocations/frees...: 35340/35340
+~~ total memory allocated....: 4592516 bytes
+~~ total memory freed........: 4592516 bytes
+~~ total allocations/frees...: 99536/99536
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 165 chars
~~ json string max len.......: 591 chars
diff --git a/test/results/hangout.pcap.out b/test/results/hangout.pcap.out
index 0628cd1f9..596f0dea2 100644
--- a/test/results/hangout.pcap.out
+++ b/test/results/hangout.pcap.out
@@ -14,9 +14,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1936883 bytes
-~~ total memory freed........: 1936883 bytes
-~~ total allocations/frees...: 35359/35359
+~~ total memory allocated....: 4599198 bytes
+~~ total memory freed........: 4599198 bytes
+~~ total allocations/frees...: 99555/99555
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 160 chars
~~ json string max len.......: 666 chars
diff --git a/test/results/hpvirtgrp.pcap.out b/test/results/hpvirtgrp.pcap.out
index 274597961..cc0edf07c 100644
--- a/test/results/hpvirtgrp.pcap.out
+++ b/test/results/hpvirtgrp.pcap.out
@@ -3,35 +3,35 @@
00474{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"hpvirtgrp.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_last_seen":1614852331255,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1614852331255,"pkt":"eJS0JASgYDjgxTWgCABFAAA85EJAAD8GMf7AqAJkoCzCQrXqFGfdahKJAAAAAKAC\/\/\/rnAAAAgQFtAQCCAoReGspAAAAAAEDAwg="}
00451{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"hpvirtgrp.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_last_seen":1614852331284,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":24,"ts_msec":1614852331284,"pkt":"YDjgxTWgeJS0JASgCABFAAAsAABAADQGIVGgLMJCwKgCZBRnteoCmmbE3WoSimASchDc7QAAAgQFrAAA"}
00445{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"hpvirtgrp.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_last_seen":1614852331288,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1614852331288,"pkt":"eJS0JASgYDjgxTWgCABFAAAo5ENAAD8GMhHAqAJkoCzCQrXqFGfdahKKAppmxVAQ\/\/9mswAA"}
-00621{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"hpvirtgrp.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":4,"flow_first_seen":1614852331255,"flow_last_seen":1614852331296,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":132,"flow_tot_l4_payload_len":132,"flow_avg_l4_payload_len":33,"midstream":0,"ts_msec":1614852331296,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"160.44.194.66","src_port":46570,"dst_port":5223,"l4_proto":"tcp","ndpi": {"proto":"HP Virtual Machine Group Management","breed":"Acceptable","category":"Network"}}
+00596{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"hpvirtgrp.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":4,"flow_first_seen":1614852331255,"flow_last_seen":1614852331296,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":132,"flow_tot_l4_payload_len":132,"flow_avg_l4_payload_len":33,"midstream":0,"ts_msec":1614852331296,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"160.44.194.66","src_port":46570,"dst_port":5223,"l4_proto":"tcp","ndpi": {"proto":"HP_VIRTGRP","breed":"Acceptable","category":"Network"}}
00560{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":16,"source":"hpvirtgrp.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":15,"flow_first_seen":1614852331255,"flow_last_seen":1614852568996,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":163,"flow_tot_l4_payload_len":522,"flow_avg_l4_payload_len":34,"midstream":0,"ts_msec":1614861892925,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"160.44.194.66","src_port":46570,"dst_port":5223,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00553{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":16,"source":"hpvirtgrp.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":1,"flow_first_seen":1614861892925,"flow_last_seen":1614861892925,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1614861892925,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"160.44.194.66","src_port":59200,"dst_port":5223,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00474{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":16,"source":"hpvirtgrp.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_last_seen":1614861892925,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1614861892925,"pkt":"eJS0JASgYDjgxTWgCABFAAA85WdAAD8GMNnAqAJkoCzCQudAFGcyIeJoAAAAAKAC\/\/9iNQAAAgQFtAQCCAoAALAcAAAAAAEDAwg="}
00452{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":17,"source":"hpvirtgrp.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_last_seen":1614861892952,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":24,"ts_msec":1614861892952,"pkt":"YDjgxTWgeJS0JASgCABFAAAsAABAADQGIVGgLMJCwKgCZBRn50AGwaaHMiHiaWASchBDFwAAAgQFrAAA"}
00447{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":18,"source":"hpvirtgrp.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_last_seen":1614861892955,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1614861892955,"pkt":"eJS0JASgYDjgxTWgCABFAAAo5WhAAD8GMOzAqAJkoCzCQudAFGcyIeJpBsGmiFAQ\/\/\/M3AAA"}
-00622{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":19,"source":"hpvirtgrp.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":4,"flow_first_seen":1614861892925,"flow_last_seen":1614861893049,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":132,"flow_tot_l4_payload_len":132,"flow_avg_l4_payload_len":33,"midstream":0,"ts_msec":1614861893049,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"160.44.194.66","src_port":59200,"dst_port":5223,"l4_proto":"tcp","ndpi": {"proto":"HP Virtual Machine Group Management","breed":"Acceptable","category":"Network"}}
+00597{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":19,"source":"hpvirtgrp.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":4,"flow_first_seen":1614861892925,"flow_last_seen":1614861893049,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":132,"flow_tot_l4_payload_len":132,"flow_avg_l4_payload_len":33,"midstream":0,"ts_msec":1614861893049,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"160.44.194.66","src_port":59200,"dst_port":5223,"l4_proto":"tcp","ndpi": {"proto":"HP_VIRTGRP","breed":"Acceptable","category":"Network"}}
00553{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":31,"source":"hpvirtgrp.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":1,"flow_first_seen":1614861998723,"flow_last_seen":1614861998723,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1614861998723,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"160.44.194.66","src_port":59324,"dst_port":5223,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00474{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":31,"source":"hpvirtgrp.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_last_seen":1614861998723,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1614861998723,"pkt":"eJS0JASgYDjgxTWgCABFAAA8bUJAAD8GqP7AqAJkoCzCQue8FGe3KQNZAAAAAKAC\/\/8fjgAAAgQFtAQCCAoAAkxNAAAAAAEDAwg="}
00452{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":32,"source":"hpvirtgrp.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_last_seen":1614861998752,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":24,"ts_msec":1614861998752,"pkt":"YDjgxTWgeJS0JASgCABFAAAsAABAADQGIVGgLMJCwKgCZBRn57x0ZsiytykDWmASchAM0gAAAgQFrAAA"}
00446{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":33,"source":"hpvirtgrp.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_last_seen":1614861998755,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1614861998755,"pkt":"eJS0JASgYDjgxTWgCABFAAAobUNAAD8GqRHAqAJkoCzCQue8FGe3KQNadGbIs1AQ\/\/+WlwAA"}
-00622{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":34,"source":"hpvirtgrp.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":4,"flow_first_seen":1614861998723,"flow_last_seen":1614861998769,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":132,"flow_tot_l4_payload_len":132,"flow_avg_l4_payload_len":33,"midstream":0,"ts_msec":1614861998769,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"160.44.194.66","src_port":59324,"dst_port":5223,"l4_proto":"tcp","ndpi": {"proto":"HP Virtual Machine Group Management","breed":"Acceptable","category":"Network"}}
+00597{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":34,"source":"hpvirtgrp.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":4,"flow_first_seen":1614861998723,"flow_last_seen":1614861998769,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":132,"flow_tot_l4_payload_len":132,"flow_avg_l4_payload_len":33,"midstream":0,"ts_msec":1614861998769,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"160.44.194.66","src_port":59324,"dst_port":5223,"l4_proto":"tcp","ndpi": {"proto":"HP_VIRTGRP","breed":"Acceptable","category":"Network"}}
00560{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":46,"source":"hpvirtgrp.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":15,"flow_first_seen":1614861892925,"flow_last_seen":1614861898114,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":163,"flow_tot_l4_payload_len":522,"flow_avg_l4_payload_len":34,"midstream":0,"ts_msec":1614876808445,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"160.44.194.66","src_port":59200,"dst_port":5223,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00560{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":46,"source":"hpvirtgrp.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":15,"flow_first_seen":1614861998723,"flow_last_seen":1614862060713,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":163,"flow_tot_l4_payload_len":522,"flow_avg_l4_payload_len":34,"midstream":0,"ts_msec":1614876808445,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"160.44.194.66","src_port":59324,"dst_port":5223,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00553{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":46,"source":"hpvirtgrp.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":1,"flow_first_seen":1614876808445,"flow_last_seen":1614876808445,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1614876808445,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"160.44.194.66","src_port":59920,"dst_port":5223,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00475{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":46,"source":"hpvirtgrp.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":1,"flow_last_seen":1614876808445,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1614876808445,"pkt":"eJS0JASgYDjgxTWgCABFAAA8MDtAAD8G5gXAqAJkoCzCQuoQFGeH4ylZAAAAAKAC\/\/91KwAAAgQFtAQCCAoAZP0\/AAAAAAEDAwg="}
00452{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":47,"source":"hpvirtgrp.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_last_seen":1614876808474,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":24,"ts_msec":1614876808474,"pkt":"YDjgxTWgeJS0JASgCABFAAAsAABAADQGIVGgLMJCwKgCZBRn6hA0hHo5h+MpWmASchCiHwAAAgQFrAAA"}
00446{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":48,"source":"hpvirtgrp.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_last_seen":1614876808478,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1614876808478,"pkt":"eJS0JASgYDjgxTWgCABFAAAoMDxAAD8G5hjAqAJkoCzCQuoQFGeH4ylaNIR6OlAQ\/\/8r5QAA"}
-00622{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":49,"source":"hpvirtgrp.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":4,"flow_first_seen":1614876808445,"flow_last_seen":1614876811615,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":132,"flow_tot_l4_payload_len":132,"flow_avg_l4_payload_len":33,"midstream":0,"ts_msec":1614876811615,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"160.44.194.66","src_port":59920,"dst_port":5223,"l4_proto":"tcp","ndpi": {"proto":"HP Virtual Machine Group Management","breed":"Acceptable","category":"Network"}}
+00597{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":49,"source":"hpvirtgrp.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":4,"flow_first_seen":1614876808445,"flow_last_seen":1614876811615,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":132,"flow_tot_l4_payload_len":132,"flow_avg_l4_payload_len":33,"midstream":0,"ts_msec":1614876811615,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"160.44.194.66","src_port":59920,"dst_port":5223,"l4_proto":"tcp","ndpi": {"proto":"HP_VIRTGRP","breed":"Acceptable","category":"Network"}}
00553{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":61,"source":"hpvirtgrp.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":1,"flow_first_seen":1614877863379,"flow_last_seen":1614877863379,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1614877863379,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"160.44.194.66","src_port":40152,"dst_port":5223,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00474{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":61,"source":"hpvirtgrp.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_last_seen":1614877863379,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1614877863379,"pkt":"eJS0JASgYDjgxTWgCABFAAA8nQJAAD8GeT7AqAJkoCzCQpzYFGd4ZLUSAAAAAKAC\/\/8PXgAAAgQFtAQCCAoAcTP+AAAAAAEDAwg="}
00452{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":62,"source":"hpvirtgrp.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":2,"flow_last_seen":1614877863406,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":24,"ts_msec":1614877863406,"pkt":"YDjgxTWgeJS0JASgCABFAAAsAABAADQGIVGgLMJCwKgCZBRnnNj+cl67eGS1E2ASchDErAAAAgQFrAAA"}
00447{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":63,"source":"hpvirtgrp.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":3,"flow_last_seen":1614877863410,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1614877863410,"pkt":"eJS0JASgYDjgxTWgCABFAAAonQNAAD8GeVHAqAJkoCzCQpzYFGd4ZLUT\/nJevFAQ\/\/9OcgAA"}
-00622{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":64,"source":"hpvirtgrp.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":4,"flow_first_seen":1614877863379,"flow_last_seen":1614877863430,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":132,"flow_tot_l4_payload_len":132,"flow_avg_l4_payload_len":33,"midstream":0,"ts_msec":1614877863430,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"160.44.194.66","src_port":40152,"dst_port":5223,"l4_proto":"tcp","ndpi": {"proto":"HP Virtual Machine Group Management","breed":"Acceptable","category":"Network"}}
+00597{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":64,"source":"hpvirtgrp.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":4,"flow_first_seen":1614877863379,"flow_last_seen":1614877863430,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":132,"flow_tot_l4_payload_len":132,"flow_avg_l4_payload_len":33,"midstream":0,"ts_msec":1614877863430,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"160.44.194.66","src_port":40152,"dst_port":5223,"l4_proto":"tcp","ndpi": {"proto":"HP_VIRTGRP","breed":"Acceptable","category":"Network"}}
00553{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":76,"source":"hpvirtgrp.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":1,"flow_first_seen":1614880256676,"flow_last_seen":1614880256676,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1614880256676,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"160.44.194.66","src_port":35634,"dst_port":5223,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00474{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":76,"source":"hpvirtgrp.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":1,"flow_last_seen":1614880256676,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1614880256676,"pkt":"eJS0JASgYDjgxTWgCABFAAA87gNAAD8GKD3AqAJkoCzCQosyFGf2oDFeAAAAAKAC\/\/9JKQAAAgQFtAQCCAoAlBEuAAAAAAEDAwg="}
00452{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":77,"source":"hpvirtgrp.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":2,"flow_last_seen":1614880256703,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":24,"ts_msec":1614880256703,"pkt":"YDjgxTWgeJS0JASgCABFAAAsAABAADQGIVGgLMJCwKgCZBRnizKJqg+b9qAxX2ASchCfswAAAgQFrAAA"}
00446{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":78,"source":"hpvirtgrp.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":3,"flow_last_seen":1614880256708,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1614880256708,"pkt":"eJS0JASgYDjgxTWgCABFAAAo7gRAAD8GKFDAqAJkoCzCQosyFGf2oDFfiaoPnFAQ\/\/8peQAA"}
-00622{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":79,"source":"hpvirtgrp.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":4,"flow_first_seen":1614880256676,"flow_last_seen":1614880256732,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":132,"flow_tot_l4_payload_len":132,"flow_avg_l4_payload_len":33,"midstream":0,"ts_msec":1614880256732,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"160.44.194.66","src_port":35634,"dst_port":5223,"l4_proto":"tcp","ndpi": {"proto":"HP Virtual Machine Group Management","breed":"Acceptable","category":"Network"}}
+00597{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":79,"source":"hpvirtgrp.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":4,"flow_first_seen":1614880256676,"flow_last_seen":1614880256732,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":132,"flow_tot_l4_payload_len":132,"flow_avg_l4_payload_len":33,"midstream":0,"ts_msec":1614880256732,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"160.44.194.66","src_port":35634,"dst_port":5223,"l4_proto":"tcp","ndpi": {"proto":"HP_VIRTGRP","breed":"Acceptable","category":"Network"}}
00560{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":91,"source":"hpvirtgrp.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":15,"flow_first_seen":1614876808445,"flow_last_seen":1614876926772,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":163,"flow_tot_l4_payload_len":522,"flow_avg_l4_payload_len":34,"midstream":0,"ts_msec":1614892184461,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"160.44.194.66","src_port":59920,"dst_port":5223,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00560{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":91,"source":"hpvirtgrp.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":15,"flow_first_seen":1614880256676,"flow_last_seen":1614880490568,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":163,"flow_tot_l4_payload_len":615,"flow_avg_l4_payload_len":41,"midstream":0,"ts_msec":1614892184461,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"160.44.194.66","src_port":35634,"dst_port":5223,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00560{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":91,"source":"hpvirtgrp.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":15,"flow_first_seen":1614877863379,"flow_last_seen":1614877864559,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":163,"flow_tot_l4_payload_len":778,"flow_avg_l4_payload_len":51,"midstream":0,"ts_msec":1614892184461,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"160.44.194.66","src_port":40152,"dst_port":5223,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -39,18 +39,18 @@
00475{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":91,"source":"hpvirtgrp.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":1,"flow_last_seen":1614892184461,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1614892184461,"pkt":"eJS0JASgYDjgxTWgCABFAAA8o7JAAD8Gco7AqAJkoCzCQsKuFGf4RqT8AAAAAKAC\/\/\/8FAAAAgQFtAQCCAoBLLDpAAAAAAEDAwg="}
00475{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":92,"source":"hpvirtgrp.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":2,"flow_last_seen":1614892184487,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1614892184487,"pkt":"eJS0JASgYDjgxTWgCABFAAA8o7NAAD8Gco3AqAJkoCzCQsKuFGf4RqT8AAAAAKAC\/\/\/4LwAAAgQFtAQCCAoBLLTOAAAAAAEDAwg="}
00453{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":93,"source":"hpvirtgrp.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":3,"flow_last_seen":1614892184489,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":24,"ts_msec":1614892184489,"pkt":"YDjgxTWgeJS0JASgCABFAAAsAABAADQGIVGgLMJCwKgCZBRnwq4QVsoE+Eak\/WASchCx3QAAAgQFrAAA"}
-00622{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":95,"source":"hpvirtgrp.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":5,"flow_first_seen":1614892184461,"flow_last_seen":1614892184500,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":132,"flow_tot_l4_payload_len":132,"flow_avg_l4_payload_len":26,"midstream":0,"ts_msec":1614892184500,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"160.44.194.66","src_port":49838,"dst_port":5223,"l4_proto":"tcp","ndpi": {"proto":"HP Virtual Machine Group Management","breed":"Acceptable","category":"Network"}}
+00597{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":95,"source":"hpvirtgrp.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":5,"flow_first_seen":1614892184461,"flow_last_seen":1614892184500,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":132,"flow_tot_l4_payload_len":132,"flow_avg_l4_payload_len":26,"midstream":0,"ts_msec":1614892184500,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"160.44.194.66","src_port":49838,"dst_port":5223,"l4_proto":"tcp","ndpi": {"proto":"HP_VIRTGRP","breed":"Acceptable","category":"Network"}}
00554{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":106,"source":"hpvirtgrp.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":1,"flow_first_seen":1614894888601,"flow_last_seen":1614894888601,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1614894888601,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"160.44.194.66","src_port":42552,"dst_port":5223,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00475{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":106,"source":"hpvirtgrp.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":1,"flow_last_seen":1614894888601,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1614894888601,"pkt":"eJS0JASgYDjgxTWgCABFAAA8czZAAD8GowrAqAJkoCzCQqY4FGfLLz4YAAAAAKAC\/\/+U4AAAAgQFtAQCCAoBVchmAAAAAAEDAwg="}
00453{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":107,"source":"hpvirtgrp.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":2,"flow_last_seen":1614894888628,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":24,"ts_msec":1614894888628,"pkt":"YDjgxTWgeJS0JASgCABFAAAsAABAADQGIVGgLMJCwKgCZBRnpjjVSzZFyy8+GWASchAxGQAAAgQFrAAA"}
00447{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":108,"source":"hpvirtgrp.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":3,"flow_last_seen":1614894888632,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1614894888632,"pkt":"eJS0JASgYDjgxTWgCABFAAAoczdAAD8Gox3AqAJkoCzCQqY4FGfLLz4Z1Us2RlAQ\/\/+63gAA"}
-00623{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":109,"source":"hpvirtgrp.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":4,"flow_first_seen":1614894888601,"flow_last_seen":1614894888640,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":132,"flow_tot_l4_payload_len":132,"flow_avg_l4_payload_len":33,"midstream":0,"ts_msec":1614894888640,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"160.44.194.66","src_port":42552,"dst_port":5223,"l4_proto":"tcp","ndpi": {"proto":"HP Virtual Machine Group Management","breed":"Acceptable","category":"Network"}}
+00598{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":109,"source":"hpvirtgrp.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":4,"flow_first_seen":1614894888601,"flow_last_seen":1614894888640,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":132,"flow_tot_l4_payload_len":132,"flow_avg_l4_payload_len":33,"midstream":0,"ts_msec":1614894888640,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"160.44.194.66","src_port":42552,"dst_port":5223,"l4_proto":"tcp","ndpi": {"proto":"HP_VIRTGRP","breed":"Acceptable","category":"Network"}}
00563{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":121,"source":"hpvirtgrp.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":15,"flow_first_seen":1614892184461,"flow_last_seen":1614892314046,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":163,"flow_tot_l4_payload_len":580,"flow_avg_l4_payload_len":38,"midstream":0,"ts_msec":1614898090218,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"160.44.194.66","src_port":49838,"dst_port":5223,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00554{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":121,"source":"hpvirtgrp.pcap","alias":"nDPId-test","flow_id":9,"flow_packets_processed":1,"flow_first_seen":1614898090218,"flow_last_seen":1614898090218,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1614898090218,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"160.44.194.66","src_port":42764,"dst_port":5223,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00476{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":121,"source":"hpvirtgrp.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":1,"flow_last_seen":1614898090218,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1614898090218,"pkt":"eJS0JASgYDjgxTWgCABFAAA8EFJAAD8GBe\/AqAJkoCzCQqcMFGeOCpYjAAAAAKAC\/\/+UDgAAAgQFtAQCCAoBYq1xAAAAAAEDAwg="}
00453{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":122,"source":"hpvirtgrp.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":2,"flow_last_seen":1614898090245,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":24,"ts_msec":1614898090245,"pkt":"YDjgxTWgeJS0JASgCABFAAAsAABAADQGIVGgLMJCwKgCZBRnpwwosEHQjgqWJGASchC2bwAAAgQFrAAA"}
00447{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":123,"source":"hpvirtgrp.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":3,"flow_last_seen":1614898090249,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1614898090249,"pkt":"eJS0JASgYDjgxTWgCABFAAAoEFNAAD8GBgLAqAJkoCzCQqcMFGeOCpYkKLBB0VAQ\/\/9ANQAA"}
-00623{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":124,"source":"hpvirtgrp.pcap","alias":"nDPId-test","flow_id":9,"flow_packets_processed":4,"flow_first_seen":1614898090218,"flow_last_seen":1614898090270,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":132,"flow_tot_l4_payload_len":132,"flow_avg_l4_payload_len":33,"midstream":0,"ts_msec":1614898090270,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"160.44.194.66","src_port":42764,"dst_port":5223,"l4_proto":"tcp","ndpi": {"proto":"HP Virtual Machine Group Management","breed":"Acceptable","category":"Network"}}
+00598{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":124,"source":"hpvirtgrp.pcap","alias":"nDPId-test","flow_id":9,"flow_packets_processed":4,"flow_first_seen":1614898090218,"flow_last_seen":1614898090270,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":132,"flow_tot_l4_payload_len":132,"flow_avg_l4_payload_len":33,"midstream":0,"ts_msec":1614898090270,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"160.44.194.66","src_port":42764,"dst_port":5223,"l4_proto":"tcp","ndpi": {"proto":"HP_VIRTGRP","breed":"Acceptable","category":"Network"}}
00561{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":135,"source":"hpvirtgrp.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":15,"flow_first_seen":1614894888601,"flow_last_seen":1614895277767,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":163,"flow_tot_l4_payload_len":522,"flow_avg_l4_payload_len":34,"midstream":0,"ts_msec":1614898324173,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"160.44.194.66","src_port":42552,"dst_port":5223,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00561{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":135,"source":"hpvirtgrp.pcap","alias":"nDPId-test","flow_id":9,"flow_packets_processed":15,"flow_first_seen":1614898090218,"flow_last_seen":1614898324173,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":163,"flow_tot_l4_payload_len":522,"flow_avg_l4_payload_len":34,"midstream":0,"ts_msec":1614898324173,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"160.44.194.66","src_port":42764,"dst_port":5223,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00561{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":135,"source":"hpvirtgrp.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":15,"flow_first_seen":1614892184461,"flow_last_seen":1614892314046,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":163,"flow_tot_l4_payload_len":580,"flow_avg_l4_payload_len":38,"midstream":0,"ts_msec":1614898324173,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"160.44.194.66","src_port":49838,"dst_port":5223,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -63,10 +63,10 @@
~~ total active/idle flows...: 9/9
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1963399 bytes
-~~ total memory freed........: 1963399 bytes
-~~ total allocations/frees...: 35506/35506
+~~ total memory allocated....: 4622322 bytes
+~~ total memory freed........: 4622322 bytes
+~~ total allocations/frees...: 99702/99702
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 164 chars
-~~ json string max len.......: 628 chars
-~~ json string avg len.......: 466 chars
+~~ json string max len.......: 603 chars
+~~ json string avg len.......: 454 chars
diff --git a/test/results/http-crash-content-disposition.pcap.out b/test/results/http-crash-content-disposition.pcap.out
index 8ab9287ce..d2cd88f4f 100644
--- a/test/results/http-crash-content-disposition.pcap.out
+++ b/test/results/http-crash-content-disposition.pcap.out
@@ -26,9 +26,9 @@
~~ total active/idle flows...: 0/0
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1926508 bytes
-~~ total memory freed........: 1926508 bytes
-~~ total allocations/frees...: 35335/35335
+~~ total memory allocated....: 4589247 bytes
+~~ total memory freed........: 4589247 bytes
+~~ total allocations/frees...: 99531/99531
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 173 chars
~~ json string max len.......: 2295 chars
diff --git a/test/results/http-lines-split.pcap.out b/test/results/http-lines-split.pcap.out
index e604ec15a..c8a5742f7 100644
--- a/test/results/http-lines-split.pcap.out
+++ b/test/results/http-lines-split.pcap.out
@@ -14,9 +14,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1928560 bytes
-~~ total memory freed........: 1928560 bytes
-~~ total allocations/frees...: 35354/35354
+~~ total memory allocated....: 4590875 bytes
+~~ total memory freed........: 4590875 bytes
+~~ total allocations/frees...: 99550/99550
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 169 chars
~~ json string max len.......: 750 chars
diff --git a/test/results/http-manipulated.pcap.out b/test/results/http-manipulated.pcap.out
index 46daeee79..88d773de2 100644
--- a/test/results/http-manipulated.pcap.out
+++ b/test/results/http-manipulated.pcap.out
@@ -20,9 +20,9 @@
~~ total active/idle flows...: 2/2
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1939420 bytes
-~~ total memory freed........: 1939420 bytes
-~~ total allocations/frees...: 35675/35675
+~~ total memory allocated....: 4601324 bytes
+~~ total memory freed........: 4601324 bytes
+~~ total allocations/frees...: 99872/99872
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 171 chars
~~ json string max len.......: 856 chars
diff --git a/test/results/http_auth.pcap.out b/test/results/http_auth.pcap.out
index 2ff6269cf..804088f9a 100644
--- a/test/results/http_auth.pcap.out
+++ b/test/results/http_auth.pcap.out
@@ -3,7 +3,7 @@
00478{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"http_auth.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_last_seen":1381844050222,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"ts_msec":1381844050222,"pkt":"TBfruiThKM\/pITwrCABFAABARSdAAEAGtjzAqAAEwP69qdRBAFCa4jGyAAAAALAC\/\/8jTAAAAgQFtAEDAwQBAQgKH38TuAAAAAAEAgAA"}
00474{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"http_auth.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_last_seen":1381844050402,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1381844050402,"pkt":"KM\/pITwrTBfruiThCABFAAA8AABAADgGA2jA\/r2pwKgABABQ1EEDZtH9muIxs6ASOJA\/hAAAAgQFtAQCCAowzbX3H38TuAEDAwc="}
00462{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"http_auth.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_last_seen":1381844050402,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1381844050402,"pkt":"TBfruiThKM\/pITwrCABFAAA0XSJAAEAGnk3AqAAEwP69qdRBAFCa4jGzA2bR\/oAQICuGBAAAAQEICh9\/FGkwzbX3"}
-00872{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"http_auth.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":4,"flow_first_seen":1381844050222,"flow_last_seen":1381844050402,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":739,"flow_tot_l4_payload_len":739,"flow_avg_l4_payload_len":184,"midstream":0,"ts_msec":1381844050402,"l3_proto":"ip4","src_ip":"192.168.0.4","dst_ip":"192.254.189.169","src_port":54337,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"36":"Clear-text credentials"},"proto":"HTTP","breed":"Acceptable","category":"Web"},"http": {"hostname":"browserspy.dk","url":"browserspy.dk\/password-ok.php","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/30.0.1599.69 Safari\/537.36"}}
+00827{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"http_auth.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":4,"flow_first_seen":1381844050222,"flow_last_seen":1381844050402,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":739,"flow_tot_l4_payload_len":739,"flow_avg_l4_payload_len":184,"midstream":0,"ts_msec":1381844050402,"l3_proto":"ip4","src_ip":"192.168.0.4","dst_ip":"192.254.189.169","src_port":54337,"dst_port":80,"l4_proto":"tcp","ndpi": {"proto":"HTTP","breed":"Acceptable","category":"Web"},"http": {"hostname":"browserspy.dk","url":"browserspy.dk\/password-ok.php","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/30.0.1599.69 Safari\/537.36"}}
00561{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":33,"source":"http_auth.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":33,"flow_first_seen":1381844050222,"flow_last_seen":1381844057320,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":18376,"flow_avg_l4_payload_len":556,"midstream":0,"ts_msec":1381844057320,"l3_proto":"ip4","src_ip":"192.168.0.4","dst_ip":"192.254.189.169","src_port":54337,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00157{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":33,"source":"http_auth.pcap","alias":"nDPId-test","total-events-serialized":8}
~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
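Review bot: The new expected `detected` event for http_auth.pcap no longer carries `"flow_risk": {"36":"Clear-text credentials"},` in its `ndpi` object, although the flow is still plain HTTP on port 80 to `browserspy.dk/password-ok.php`. Accepting this golden output means the test now passes with that risk absent, so a consumer that alerts on it would silently stop flagging clear-text credential flows. The hunk does not show whether the risk was dropped on purpose (for example renumbered or reported in a later event) or lost during serialisation; the commit message should state which. If the risk is still expected, the `flow_risk` entry should stay in the expected line. The 45-character drop in the `@@ -14,10 +14,10 @@` summary hunk below (json string max len 877 → 832) matches the length of this removed field.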
@@ -14,10 +14,10 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1929241 bytes
-~~ total memory freed........: 1929241 bytes
-~~ total allocations/frees...: 35374/35374
+~~ total memory allocated....: 4591578 bytes
+~~ total memory freed........: 4591578 bytes
+~~ total allocations/frees...: 99571/99571
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 162 chars
-~~ json string max len.......: 877 chars
-~~ json string avg len.......: 568 chars
+~~ json string max len.......: 832 chars
+~~ json string avg len.......: 548 chars
diff --git a/test/results/http_ipv6.pcap.out b/test/results/http_ipv6.pcap.out
index 8df04a9b2..6c877078d 100644
--- a/test/results/http_ipv6.pcap.out
+++ b/test/results/http_ipv6.pcap.out
@@ -7,7 +7,7 @@
00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_last_seen":1448269127395,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":124,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":124,"pkt_l4_len":70,"ts_msec":1448269127395,"pkt":"UMWNrEEBeKzApw1Mht1gAAAAAEYGQCoADUAAAQADeqzA\/\/6nDUwqABRQQAEIAwAAAAAAABAXozABuw3EcyYKcmsggBgBYRWcAAABAQgKEg1sPOPdU5wXAwMAISEEhc9+XaFrGjMSta2tz\/npJ9wouC3HutuqGdJZFlD+8g=="}
00591{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":5,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":1,"flow_first_seen":1448269127400,"flow_last_seen":1448269127400,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1448269127400,"l3_proto":"ip6","src_ip":"2a00:d40:1:3:7aac:c0ff:fea7:d4c","dst_ip":"2a00:1450:4001:803::1017","src_port":45931,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
02268{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":5,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_last_seen":1448269127400,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1412,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":1412,"pkt_l4_len":1358,"ts_msec":1448269127400,"pkt":"UMWNrEEBeKzApw1Mht1gAAAABU4RQCoADUAAAQADeqzA\/\/6nDUwqABRQQAEIAwAAAAAAABAXs2sBuwVOGq8NSb7i0\/DtzNZRMDI1AdhpfiGrZQ0z8Xo88wCgAQAEQ0hMTxcAAABQQUQAlQEAAFNOSQCiAQAAU1RLANwBAABWRVIA4AEAAENDUwDoAQAATk9OQwgCAABNU1BDDAIAAEFFQUQQAgAAVUFJRDACAABTQ0lEQAIAAFRDSUREAgAAUERNREgCAABTUkJGTAIAAElDU0xQAgAAUFVCU3ACAABTQ0xTdAIAAEtFWFN4AgAAQ09QVHgCAABDQ1JUkAIAAElSVFSUAgAAQ0VUVjgDAABDRkNXPAMAAFNGQ1dAAwAALS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0td3d3Lmdvb2dsZS5pdP6VATCysYcS+6UyHFs91qYSgNdeDzmk0IEyIe5t2+bJKAI2qamMt0i7KMYplR0K0jnCGwmAm\/d3HOJRMDI1eybp5+Rccf9WUtVHu\/cGtxBbc83x\/ixhHuZYGb85GDRSl0WTDzqXHGQAAABDQzEyQ2hyb21lLzQ2LjAuMjQ5MC44MCBMaW51eCB4ODZfNjRJY0N+fBRzPpi9ZOX2cffRAAAAAFg1MDkAABAAHgAAAKnIKfkyK+SzUnB6164ARpx8JYjcWyR0opR8VfpSZa5LAQAAAEMyNTWqEkFTJwbowuJjGoJ9cYVfQAt7kKmueesKxAMAMPg3G85FTSE++LOaAtQpI1KVeq729JfhjhoCsaupNHH2PFh7nIyQFBUHu\/yG69qYF+ZOXnLeZQlagMSAtKsuormBERnE1N5BArSjLGqyjEsI7xMsjf+GWiD9zqRxEMc6cBgFvzaEvMvxi2SGPZg7npVciNOVP9ZU7k0lklFQEmkIVXhAz857PhdAM9F8uaoJzSnjSvvppgNKNbAOmmtmPDeC+pIAAPAAAABgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="}
-00735{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":5,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":1,"flow_first_seen":1448269127400,"flow_last_seen":1448269127400,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1448269127400,"l3_proto":"ip6","src_ip":"2a00:d40:1:3:7aac:c0ff:fea7:d4c","dst_ip":"2a00:1450:4001:803::1017","src_port":45931,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC.Google","breed":"Tracker\/Ads","category":"Web"},"quic": {"client_requested_server_name":"www.google.it","user_agent":"Chrome\/46.0.2490.80 Linux x86_64"}}
+00733{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":5,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":1,"flow_first_seen":1448269127400,"flow_last_seen":1448269127400,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1448269127400,"l3_proto":"ip6","src_ip":"2a00:d40:1:3:7aac:c0ff:fea7:d4c","dst_ip":"2a00:1450:4001:803::1017","src_port":45931,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC.Google","breed":"Acceptable","category":"Web"},"quic": {"client_requested_server_name":"www.google.it","user_agent":"Chrome\/46.0.2490.80 Linux x86_64"}}
00491{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_last_seen":1448269127419,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"ts_msec":1448269127419,"pkt":"eKzApw1M9LUv\/K\/Cht1gAAAAACAGOSoAFFBAAQgDAAAAAAAAEBcqAA1AAAEAA3qswP\/+pw1MAbujMApyayANxHMmgBABMJ3AAAABAQgK493E7RINbDw="}
02298{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":10,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_last_seen":1448269127425,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1412,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":1412,"pkt_l4_len":1358,"ts_msec":1448269127425,"pkt":"eKzApw1M9LUv\/K\/Cht1gAAAABU4ROCoAFFBAAQgDAAAAAAAAEBcqAA1AAAEAA3qswP\/+pw1MAbuzawVOyY8AAb8WJ6Bcd8sMmCgT1ZAbf9HJtJU65m4+bYpFMYi142VYaY8+t63\/dljK20Pk6Hvm9ZGbc4Et8i29+QvT1kI6MUSu9s3cUHjnw2xTVTxhsAZQm3P8lhXGD3mDtRkg1sEr5Q7cUyyDCLFUAAa6oJdZ2+wjH2gcLInCstN8U\/9bx6mOB4zttEHtP4c5+\/9wVsqFhWr8fRfl3NhWM5wR+Zg8+H9Dwriy2djsTqMxZ15btYw8HWKV3SpS+cchPqkycwN+jDrgd3LuUYlETydIegf69eD\/JtLcKLFbEN5\/5QkOg9oAmwqqCClTPJLTkbez9M4pFkrM2VJDxnT19PvnGpVdwH0wIvKNgr8RVKNTlGILXC+9jJMPkA9tVfHgEWzHqgG+WxljhwAd4QSufx6LSzCoBsf86nBeKfgcGq9lFFZLToMS1VjjSASPtZOvlSLyuxjHryC2XTxpVHUN\/PBKPgXBScR4DFFlJHRdFSNH3eaciyVInAjiCfV6HJYS+DuTQgUqjcyAG5tuDXYslL4LNyVesK76J8Q9FVPv6Ab4vTklEVJejFK80Cn8IouJ9WHz8uTM24UHbOmpAA\/c+EPPNLCB9F8iGG66BwJvUEBHZ3Ygj9rnWqSJgSU55vdrYi5luNP1KoXM4YmziEg8e+xJprdp11YpNV+0lAxdI0zR9s3KRF+wKmv6XtU8gBoCwTHodAHf32dQGfVior2u\/KHctDxD8nHTXU0AZV0DGAOL04YVg9K9w3y4THfVYJpIoP+uyoruQl0rsX9ENsZ5qS+dOXnu5LcoS2EGP16jbi7uY9ogtSWghhTOmmCzmJAGprVn6JTMBLO193Vra3mqDuGuMUOZM\/l8mB81H2MusGIWIde9dns9dj2AG\/cfGaDWSays\/fK3VtGGTBv7FaSH\/aw\/Q2zkhNIJX\/WFH6YUEleLUh25ypFwius1sBxwKIcgK2ijlBJ8pqokusSGJDg\/c4+DqzUrA93\/HrO5AiXdFCeRaHb7qWTzL0p26M50TOgV5ZhM261i0CZOTvKrCn9iZeIH3z5r82ZP101c8INU8PByLFZYWSBQLEx1DNpqjwLojRfhTpMW5JdNN\/sTmhr77P3fBJRr6WfjS8BevHVq9cSi8laxJh0JQkiYq6WSdgUPITf15zal35ZU99gHjN8lHKLEe4ulo25UZrSeatzSMZUm5A91iw1tGWfGpH4DfLZt8Ntly9VWHd\/87hCB87\/piwS6u4+4ryQp4GDxllbW\/SkuP\/IAA9Zuq742fzBVuJkS4BpNCthxU0Qle\/rg\/gQjlJJVbj2FDnbMgmtbocxxIFkNS+NNJJEtuvLnbQCDuw8uZDIIX7G8SvS+F8HVI+jLOPdR15E6Pnf84ervCPA5o0JfpJr+Ni3PIRv3FKi+p5DZaL1kmCkPEBtHdwkl3y2psiuigxSpcsFcwghyrpx9hiMFpPOeQbZd1kDbqrcKz3DwJXNrOM5TljZcc+q\/sTNd3axpOt7TtQGaRTUzdKfgFeiq5
EoRUpye4hhSuSwq98WPbz5OcLGEG00xOPY3pwtztgP3Hft4qU9pxAWCD6O+UUk1tCU0r2xCd25EV4iBdLikeLpIHEfcmHIJd72ETZjpLfti3i9QaSkD\/AsqiENwvRS6H7x34vPid3KkvLGz\/SjeWjBz44e2RAwUEkK\/6QdG765SHEZEytfd\/\/s1VN9Lrlmg\/JhogP6qMLZp6e145R0qbs7qAEZeb\/fZQhZM2cMG0S3vs2+Qg8KLzxAegZ7RC0gS+QzKcRpj6NRz\/TYo6NL+7\/Uv2rcnFhb6N0M="}
00508{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":11,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_last_seen":1448269127426,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":99,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":99,"pkt_l4_len":45,"ts_msec":1448269127426,"pkt":"UMWNrEEBeKzApw1Mht1gAAAAAC0RQCoADUAAAQADeqzA\/\/6nDUwqABRQQAEIAwAAAAAAABAXs2sBuwAtFY4MSb7i0\/DtzNYC4PYSufRYk3sdRNPxvPTHCMs5+9cyKuKyC\/5g"}
@@ -30,15 +30,15 @@
00833{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":91,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":4,"flow_first_seen":1448269138575,"flow_last_seen":1448269138600,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":212,"flow_tot_l4_payload_len":212,"flow_avg_l4_payload_len":53,"midstream":0,"ts_msec":1448269138600,"l3_proto":"ip6","src_ip":"2a00:d40:1:3:7aac:c0ff:fea7:d4c","dst_ip":"2a03:b0c0:3:d0::70:1001","src_port":37488,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.ntop","breed":"Safe","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.ntop.org","ja3":"d3e627f423a33ea41841c19b8af79293","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"http\/1.1,spdy\/3.1,h2-14,h2"}}
00890{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":94,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":6,"flow_first_seen":1448269138575,"flow_last_seen":1448269138627,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1428,"flow_tot_l4_payload_len":1640,"flow_avg_l4_payload_len":273,"midstream":0,"ts_msec":1448269138627,"l3_proto":"ip6","src_ip":"2a00:d40:1:3:7aac:c0ff:fea7:d4c","dst_ip":"2a03:b0c0:3:d0::70:1001","src_port":37488,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.ntop","breed":"Safe","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.ntop.org","ja3":"d3e627f423a33ea41841c19b8af79293","ja3s":"389ed42c02ebecc32e73aa31def07e14","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"http\/1.1,spdy\/3.1,h2-14,h2"}}
00890{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":98,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":6,"flow_first_seen":1448269138575,"flow_last_seen":1448269138628,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1428,"flow_tot_l4_payload_len":1640,"flow_avg_l4_payload_len":273,"midstream":0,"ts_msec":1448269138628,"l3_proto":"ip6","src_ip":"2a00:d40:1:3:7aac:c0ff:fea7:d4c","dst_ip":"2a03:b0c0:3:d0::70:1001","src_port":37486,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.ntop","breed":"Safe","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.ntop.org","ja3":"d3e627f423a33ea41841c19b8af79293","ja3s":"389ed42c02ebecc32e73aa31def07e14","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"http\/1.1,spdy\/3.1,h2-14,h2"}}
-01262{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":104,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":12,"flow_first_seen":1448269138575,"flow_last_seen":1448269138635,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1428,"flow_tot_l4_payload_len":4964,"flow_avg_l4_payload_len":413,"midstream":0,"ts_msec":1448269138635,"l3_proto":"ip6","src_ip":"2a00:d40:1:3:7aac:c0ff:fea7:d4c","dst_ip":"2a03:b0c0:3:d0::70:1001","src_port":37486,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"10":"TLS Certificate Mismatch"},"proto":"TLS.ntop","breed":"Safe","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.ntop.org","server_names":"shop.ntop.org,www.shop.ntop.org","ja3":"d3e627f423a33ea41841c19b8af79293","ja3s":"389ed42c02ebecc32e73aa31def07e14","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA","issuerDN":"OU=Domain Control Validated, OU=PositiveSSL, CN=shop.ntop.org","alpn":"http\/1.1,spdy\/3.1,h2-14,h2","fingerprint":"FB:A6:FF:A7:58:F3:9D:54:24:45:E5:A0:C4:04:18:D5:58:91:E0:34"}}
-01262{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":106,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":10,"flow_first_seen":1448269138575,"flow_last_seen":1448269138636,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":2668,"flow_tot_l4_payload_len":4964,"flow_avg_l4_payload_len":496,"midstream":0,"ts_msec":1448269138636,"l3_proto":"ip6","src_ip":"2a00:d40:1:3:7aac:c0ff:fea7:d4c","dst_ip":"2a03:b0c0:3:d0::70:1001","src_port":37488,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"10":"TLS Certificate Mismatch"},"proto":"TLS.ntop","breed":"Safe","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.ntop.org","server_names":"shop.ntop.org,www.shop.ntop.org","ja3":"d3e627f423a33ea41841c19b8af79293","ja3s":"389ed42c02ebecc32e73aa31def07e14","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA","issuerDN":"OU=Domain Control Validated, OU=PositiveSSL, CN=shop.ntop.org","alpn":"http\/1.1,spdy\/3.1,h2-14,h2","fingerprint":"FB:A6:FF:A7:58:F3:9D:54:24:45:E5:A0:C4:04:18:D5:58:91:E0:34"}}
+01263{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":104,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":12,"flow_first_seen":1448269138575,"flow_last_seen":1448269138635,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1428,"flow_tot_l4_payload_len":4964,"flow_avg_l4_payload_len":413,"midstream":0,"ts_msec":1448269138635,"l3_proto":"ip6","src_ip":"2a00:d40:1:3:7aac:c0ff:fea7:d4c","dst_ip":"2a03:b0c0:3:d0::70:1001","src_port":37486,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"10":"TLS Certificate Mismatch"},"proto":"TLS.ntop","breed":"Safe","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.ntop.org","server_names":"shop.ntop.org,www.shop.ntop.org","ja3":"d3e627f423a33ea41841c19b8af79293","ja3s":"389ed42c02ebecc32e73aa31def07e14","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA","subjectDN":"OU=Domain Control Validated, OU=PositiveSSL, CN=shop.ntop.org","alpn":"http\/1.1,spdy\/3.1,h2-14,h2","fingerprint":"FB:A6:FF:A7:58:F3:9D:54:24:45:E5:A0:C4:04:18:D5:58:91:E0:34"}}
+01263{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":106,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":10,"flow_first_seen":1448269138575,"flow_last_seen":1448269138636,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":2668,"flow_tot_l4_payload_len":4964,"flow_avg_l4_payload_len":496,"midstream":0,"ts_msec":1448269138636,"l3_proto":"ip6","src_ip":"2a00:d40:1:3:7aac:c0ff:fea7:d4c","dst_ip":"2a03:b0c0:3:d0::70:1001","src_port":37488,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"10":"TLS Certificate Mismatch"},"proto":"TLS.ntop","breed":"Safe","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.ntop.org","server_names":"shop.ntop.org,www.shop.ntop.org","ja3":"d3e627f423a33ea41841c19b8af79293","ja3s":"389ed42c02ebecc32e73aa31def07e14","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA","subjectDN":"OU=Domain Control Validated, OU=PositiveSSL, CN=shop.ntop.org","alpn":"http\/1.1,spdy\/3.1,h2-14,h2","fingerprint":"FB:A6:FF:A7:58:F3:9D:54:24:45:E5:A0:C4:04:18:D5:58:91:E0:34"}}
00581{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":120,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":1,"flow_first_seen":1448269139219,"flow_last_seen":1448269139219,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1448269139219,"l3_proto":"ip6","src_ip":"2a00:d40:1:3:7aac:c0ff:fea7:d4c","dst_ip":"2a03:b0c0:3:d0::70:1001","src_port":37494,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00504{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":120,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":1,"flow_last_seen":1448269139219,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1448269139219,"pkt":"UMWNrEEBeKzApw1Mht1gAAAAACgGQCoADUAAAQADeqzA\/\/6nDUwqA7DAAAMA0AAAAAAAcBABknYBuw4c9NoAAAAAoAJwgGsaAAACBAWgBAIIChINd8gAAAAAAQMDBw=="}
00505{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":121,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":2,"flow_last_seen":1448269139239,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1448269139239,"pkt":"eKzApw1M9LUv\/K\/Cht1gAAAAACgGNyoDsMAAAwDQAAAAAABwEAEqAA1AAAEAA3qswP\/+pw1MAbuSdnTlL8YOHPTboBJvkPn2AAACBAWgBAIICgBerYcSDXfIAQMDCA=="}
00493{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":122,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":3,"flow_last_seen":1448269139239,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"ts_msec":1448269139239,"pkt":"UMWNrEEBeKzApw1Mht1gAAAAACAGQCoADUAAAQADeqzA\/\/6nDUwqA7DAAAMA0AAAAAAAcBABknYBuw4c9Nt05S\/HgBAA4WsSAAABAQgKEg13zQBerYc="}
00834{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":123,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":4,"flow_first_seen":1448269139219,"flow_last_seen":1448269139239,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":212,"flow_tot_l4_payload_len":212,"flow_avg_l4_payload_len":53,"midstream":0,"ts_msec":1448269139239,"l3_proto":"ip6","src_ip":"2a00:d40:1:3:7aac:c0ff:fea7:d4c","dst_ip":"2a03:b0c0:3:d0::70:1001","src_port":37494,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.ntop","breed":"Safe","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.ntop.org","ja3":"d3e627f423a33ea41841c19b8af79293","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"http\/1.1,spdy\/3.1,h2-14,h2"}}
00891{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":125,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":6,"flow_first_seen":1448269139219,"flow_last_seen":1448269139263,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1428,"flow_tot_l4_payload_len":1640,"flow_avg_l4_payload_len":273,"midstream":0,"ts_msec":1448269139263,"l3_proto":"ip6","src_ip":"2a00:d40:1:3:7aac:c0ff:fea7:d4c","dst_ip":"2a03:b0c0:3:d0::70:1001","src_port":37494,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.ntop","breed":"Safe","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.ntop.org","ja3":"d3e627f423a33ea41841c19b8af79293","ja3s":"389ed42c02ebecc32e73aa31def07e14","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"http\/1.1,spdy\/3.1,h2-14,h2"}}
-01262{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":131,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":12,"flow_first_seen":1448269139219,"flow_last_seen":1448269139267,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1428,"flow_tot_l4_payload_len":4964,"flow_avg_l4_payload_len":413,"midstream":0,"ts_msec":1448269139267,"l3_proto":"ip6","src_ip":"2a00:d40:1:3:7aac:c0ff:fea7:d4c","dst_ip":"2a03:b0c0:3:d0::70:1001","src_port":37494,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"10":"TLS Certificate Mismatch"},"proto":"TLS.ntop","breed":"Safe","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.ntop.org","server_names":"shop.ntop.org,www.shop.ntop.org","ja3":"d3e627f423a33ea41841c19b8af79293","ja3s":"389ed42c02ebecc32e73aa31def07e14","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA","issuerDN":"OU=Domain Control Validated, OU=PositiveSSL, CN=shop.ntop.org","alpn":"http\/1.1,spdy\/3.1,h2-14,h2","fingerprint":"FB:A6:FF:A7:58:F3:9D:54:24:45:E5:A0:C4:04:18:D5:58:91:E0:34"}}
+01263{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":131,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":12,"flow_first_seen":1448269139219,"flow_last_seen":1448269139267,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1428,"flow_tot_l4_payload_len":4964,"flow_avg_l4_payload_len":413,"midstream":0,"ts_msec":1448269139267,"l3_proto":"ip6","src_ip":"2a00:d40:1:3:7aac:c0ff:fea7:d4c","dst_ip":"2a03:b0c0:3:d0::70:1001","src_port":37494,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"10":"TLS Certificate Mismatch"},"proto":"TLS.ntop","breed":"Safe","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.ntop.org","server_names":"shop.ntop.org,www.shop.ntop.org","ja3":"d3e627f423a33ea41841c19b8af79293","ja3s":"389ed42c02ebecc32e73aa31def07e14","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA","subjectDN":"OU=Domain Control Validated, OU=PositiveSSL, CN=shop.ntop.org","alpn":"http\/1.1,spdy\/3.1,h2-14,h2","fingerprint":"FB:A6:FF:A7:58:F3:9D:54:24:45:E5:A0:C4:04:18:D5:58:91:E0:34"}}
00579{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":135,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":9,"flow_packets_processed":1,"flow_first_seen":1448269139314,"flow_last_seen":1448269139314,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1448269139314,"l3_proto":"ip6","src_ip":"2a00:d40:1:3:7aac:c0ff:fea7:d4c","dst_ip":"2a02:26f0:ad:1a1::eed","src_port":60124,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00492{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":135,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":1,"flow_last_seen":1448269139314,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"ts_msec":1448269139314,"pkt":"UMWNrEEBeKzApw1Mht1gAAAAACAGQCoADUAAAQADeqzA\/\/6nDUwqAibwAK0BoQAAAAAAAA7t6twBuwxnksLpg7gmgBABC+E3AAABAQgKEg134BvnLVo="}
00494{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":137,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":2,"flow_last_seen":1448269139321,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"ts_msec":1448269139321,"pkt":"eKzApw1M9LUv\/K\/Cht1gAAAAACAGOyoCJvAArQGhAAAAAAAADu0qAA1AAAEAA3qswP\/+pw1MAbvq3OmDuCYMZ5LDgBAD0zk\/AAABAQgKG+fdWhINH94="}
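Review bot: The renamed member on the added `detection-update` lines (flow_id 6, 7 and 8 in this hunk, and the same change in the two later hunks of this file) silently changes what existing consumers read from `tls.issuerDN`. The removed lines carried two `issuerDN` members, so a parser that keeps the last duplicate would have returned the subject string (`... CN=shop.ntop.org`) under that name; it now returns the CA's DN. Any detection rule or allow-list written against the old output could stop matching without raising an error. I would state this in the changelog, for example `tls.issuerDN was emitted twice; the second occurrence is now tls.subjectDN`. If the test harness does not already do so (not visible from this hunk), it should also reject duplicate member names when validating events, since these expected-output files accepted the duplicate until now.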
@@ -54,7 +54,7 @@
00493{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":146,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":12,"flow_packet_id":3,"flow_last_seen":1448269144475,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"ts_msec":1448269144475,"pkt":"UMWNrEEBeKzApw1Mht1gAAAAACAGQCoADUAAAQADeqzA\/\/6nDUwqA7DAAAMA0AAAAAAAcBABkoIBuwefNhZ4xPkwgBAA4WsSAAABAQgKEg186gBesqQ="}
00835{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":147,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":12,"flow_packets_processed":4,"flow_first_seen":1448269144450,"flow_last_seen":1448269144475,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":212,"flow_tot_l4_payload_len":212,"flow_avg_l4_payload_len":53,"midstream":0,"ts_msec":1448269144475,"l3_proto":"ip6","src_ip":"2a00:d40:1:3:7aac:c0ff:fea7:d4c","dst_ip":"2a03:b0c0:3:d0::70:1001","src_port":37506,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.ntop","breed":"Safe","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.ntop.org","ja3":"d3e627f423a33ea41841c19b8af79293","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"http\/1.1,spdy\/3.1,h2-14,h2"}}
00892{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":149,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":12,"flow_packets_processed":6,"flow_first_seen":1448269144450,"flow_last_seen":1448269144502,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1428,"flow_tot_l4_payload_len":1640,"flow_avg_l4_payload_len":273,"midstream":0,"ts_msec":1448269144502,"l3_proto":"ip6","src_ip":"2a00:d40:1:3:7aac:c0ff:fea7:d4c","dst_ip":"2a03:b0c0:3:d0::70:1001","src_port":37506,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.ntop","breed":"Safe","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.ntop.org","ja3":"d3e627f423a33ea41841c19b8af79293","ja3s":"389ed42c02ebecc32e73aa31def07e14","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"http\/1.1,spdy\/3.1,h2-14,h2"}}
-01263{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":155,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":12,"flow_packets_processed":12,"flow_first_seen":1448269144450,"flow_last_seen":1448269144508,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1428,"flow_tot_l4_payload_len":4964,"flow_avg_l4_payload_len":413,"midstream":0,"ts_msec":1448269144508,"l3_proto":"ip6","src_ip":"2a00:d40:1:3:7aac:c0ff:fea7:d4c","dst_ip":"2a03:b0c0:3:d0::70:1001","src_port":37506,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"10":"TLS Certificate Mismatch"},"proto":"TLS.ntop","breed":"Safe","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.ntop.org","server_names":"shop.ntop.org,www.shop.ntop.org","ja3":"d3e627f423a33ea41841c19b8af79293","ja3s":"389ed42c02ebecc32e73aa31def07e14","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA","issuerDN":"OU=Domain Control Validated, OU=PositiveSSL, CN=shop.ntop.org","alpn":"http\/1.1,spdy\/3.1,h2-14,h2","fingerprint":"FB:A6:FF:A7:58:F3:9D:54:24:45:E5:A0:C4:04:18:D5:58:91:E0:34"}}
+01264{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":155,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":12,"flow_packets_processed":12,"flow_first_seen":1448269144450,"flow_last_seen":1448269144508,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1428,"flow_tot_l4_payload_len":4964,"flow_avg_l4_payload_len":413,"midstream":0,"ts_msec":1448269144508,"l3_proto":"ip6","src_ip":"2a00:d40:1:3:7aac:c0ff:fea7:d4c","dst_ip":"2a03:b0c0:3:d0::70:1001","src_port":37506,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"10":"TLS Certificate Mismatch"},"proto":"TLS.ntop","breed":"Safe","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.ntop.org","server_names":"shop.ntop.org,www.shop.ntop.org","ja3":"d3e627f423a33ea41841c19b8af79293","ja3s":"389ed42c02ebecc32e73aa31def07e14","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA","subjectDN":"OU=Domain Control Validated, OU=PositiveSSL, CN=shop.ntop.org","alpn":"http\/1.1,spdy\/3.1,h2-14,h2","fingerprint":"FB:A6:FF:A7:58:F3:9D:54:24:45:E5:A0:C4:04:18:D5:58:91:E0:34"}}
00583{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":170,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":13,"flow_packets_processed":1,"flow_first_seen":1448269145458,"flow_last_seen":1448269145458,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1448269145458,"l3_proto":"ip6","src_ip":"2a00:d40:1:3:7aac:c0ff:fea7:d4c","dst_ip":"2a00:1450:4001:803::1012","src_port":59690,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00493{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":170,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":13,"flow_packet_id":1,"flow_last_seen":1448269145458,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"ts_msec":1448269145458,"pkt":"UMWNrEEBeKzApw1Mht1gAAAAACAGQCoADUAAAQADeqzA\/\/6nDUwqABRQQAEIAwAAAAAAABAS6SoBu3aemNPcvXclgBAA6hVxAAABAQgKEg194OPdWG4="}
00494{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":171,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":13,"flow_packet_id":2,"flow_last_seen":1448269145478,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"ts_msec":1448269145478,"pkt":"eKzApw1M9LUv\/K\/Cht1gAAAAACAGOSoAFFBAAQgDAAAAAAAAEBIqAA1AAAEAA3qswP\/+pw1MAbvpKty9dyV2npjUgBAA8BoIAAABAQgK494IbhIM+eU="}
@@ -68,9 +68,9 @@
00494{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":177,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":14,"flow_packet_id":3,"flow_last_seen":1448269146912,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"ts_msec":1448269146912,"pkt":"UMWNrEEBeKzApw1Mht1gAAAAACAGQCoADUAAAQADeqzA\/\/6nDUwqAibwAK0BlwAAAAAAAAI2z4wBuwtKuyrowZlAgBAA4dR2AAABAQgKEg1\/Sxvn+wE="}
00854{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":178,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":15,"flow_packets_processed":4,"flow_first_seen":1448269146905,"flow_last_seen":1448269146912,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":224,"flow_tot_l4_payload_len":224,"flow_avg_l4_payload_len":56,"midstream":0,"ts_msec":1448269146912,"l3_proto":"ip6","src_ip":"2a00:d40:1:3:7aac:c0ff:fea7:d4c","dst_ip":"2a02:26f0:ad:197::236","src_port":53134,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Facebook","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"s-static.ak.facebook.com","ja3":"d3e627f423a33ea41841c19b8af79293","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"http\/1.1,spdy\/3.1,h2-14,h2"}}
00854{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":179,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":4,"flow_first_seen":1448269146905,"flow_last_seen":1448269146912,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":224,"flow_tot_l4_payload_len":224,"flow_avg_l4_payload_len":56,"midstream":0,"ts_msec":1448269146912,"l3_proto":"ip6","src_ip":"2a00:d40:1:3:7aac:c0ff:fea7:d4c","dst_ip":"2a02:26f0:ad:197::236","src_port":53132,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Facebook","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"s-static.ak.facebook.com","ja3":"d3e627f423a33ea41841c19b8af79293","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"http\/1.1,spdy\/3.1,h2-14,h2"}}
-01338{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":182,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":15,"flow_packets_processed":6,"flow_first_seen":1448269146905,"flow_last_seen":1448269146921,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":3547,"flow_tot_l4_payload_len":3771,"flow_avg_l4_payload_len":628,"midstream":0,"ts_msec":1448269146921,"l3_proto":"ip6","src_ip":"2a00:d40:1:3:7aac:c0ff:fea7:d4c","dst_ip":"2a02:26f0:ad:197::236","src_port":53134,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Facebook","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"s-static.ak.facebook.com","server_names":"*.ak.fbcdn.net,s-static.ak.fbcdn.net,igsonar.com,*.igsonar.com,ak.facebook.com,*.ak.facebook.com,*.s-static.ak.facebook.com,connect.facebook.net,s-static.ak.facebook.com","ja3":"d3e627f423a33ea41841c19b8af79293","ja3s":"b898351eb5e266aefd3723d466935494","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance CA-3","issuerDN":"C=US, ST=CA, L=Menlo Park, O=Facebook, Inc., CN=*.ak.fbcdn.net","alpn":"http\/1.1,spdy\/3.1,h2-14,h2","fingerprint":"E7:62:76:74:8D:09:F7:E9:69:05:B8:1A:37:A1:30:2D:FF:3B:BC:0A"}}
+01339{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":182,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":15,"flow_packets_processed":6,"flow_first_seen":1448269146905,"flow_last_seen":1448269146921,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":3547,"flow_tot_l4_payload_len":3771,"flow_avg_l4_payload_len":628,"midstream":0,"ts_msec":1448269146921,"l3_proto":"ip6","src_ip":"2a00:d40:1:3:7aac:c0ff:fea7:d4c","dst_ip":"2a02:26f0:ad:197::236","src_port":53134,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Facebook","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"s-static.ak.facebook.com","server_names":"*.ak.fbcdn.net,s-static.ak.fbcdn.net,igsonar.com,*.igsonar.com,ak.facebook.com,*.ak.facebook.com,*.s-static.ak.facebook.com,connect.facebook.net,s-static.ak.facebook.com","ja3":"d3e627f423a33ea41841c19b8af79293","ja3s":"b898351eb5e266aefd3723d466935494","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance CA-3","subjectDN":"C=US, ST=CA, L=Menlo Park, O=Facebook, Inc., CN=*.ak.fbcdn.net","alpn":"http\/1.1,spdy\/3.1,h2-14,h2","fingerprint":"E7:62:76:74:8D:09:F7:E9:69:05:B8:1A:37:A1:30:2D:FF:3B:BC:0A"}}
00911{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":184,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":6,"flow_first_seen":1448269146905,"flow_last_seen":1448269146921,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":2856,"flow_tot_l4_payload_len":3080,"flow_avg_l4_payload_len":513,"midstream":0,"ts_msec":1448269146921,"l3_proto":"ip6","src_ip":"2a00:d40:1:3:7aac:c0ff:fea7:d4c","dst_ip":"2a02:26f0:ad:197::236","src_port":53132,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Facebook","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"s-static.ak.facebook.com","ja3":"d3e627f423a33ea41841c19b8af79293","ja3s":"b898351eb5e266aefd3723d466935494","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"http\/1.1,spdy\/3.1,h2-14,h2"}}
-01338{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":186,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":8,"flow_first_seen":1448269146905,"flow_last_seen":1448269146921,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":2856,"flow_tot_l4_payload_len":3771,"flow_avg_l4_payload_len":471,"midstream":0,"ts_msec":1448269146921,"l3_proto":"ip6","src_ip":"2a00:d40:1:3:7aac:c0ff:fea7:d4c","dst_ip":"2a02:26f0:ad:197::236","src_port":53132,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Facebook","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"s-static.ak.facebook.com","server_names":"*.ak.fbcdn.net,s-static.ak.fbcdn.net,igsonar.com,*.igsonar.com,ak.facebook.com,*.ak.facebook.com,*.s-static.ak.facebook.com,connect.facebook.net,s-static.ak.facebook.com","ja3":"d3e627f423a33ea41841c19b8af79293","ja3s":"b898351eb5e266aefd3723d466935494","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance CA-3","issuerDN":"C=US, ST=CA, L=Menlo Park, O=Facebook, Inc., CN=*.ak.fbcdn.net","alpn":"http\/1.1,spdy\/3.1,h2-14,h2","fingerprint":"E7:62:76:74:8D:09:F7:E9:69:05:B8:1A:37:A1:30:2D:FF:3B:BC:0A"}}
+01339{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":186,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":8,"flow_first_seen":1448269146905,"flow_last_seen":1448269146921,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":2856,"flow_tot_l4_payload_len":3771,"flow_avg_l4_payload_len":471,"midstream":0,"ts_msec":1448269146921,"l3_proto":"ip6","src_ip":"2a00:d40:1:3:7aac:c0ff:fea7:d4c","dst_ip":"2a02:26f0:ad:197::236","src_port":53132,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Facebook","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"s-static.ak.facebook.com","server_names":"*.ak.fbcdn.net,s-static.ak.fbcdn.net,igsonar.com,*.igsonar.com,ak.facebook.com,*.ak.facebook.com,*.s-static.ak.facebook.com,connect.facebook.net,s-static.ak.facebook.com","ja3":"d3e627f423a33ea41841c19b8af79293","ja3s":"b898351eb5e266aefd3723d466935494","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance CA-3","subjectDN":"C=US, ST=CA, L=Menlo Park, O=Facebook, Inc., CN=*.ak.fbcdn.net","alpn":"http\/1.1,spdy\/3.1,h2-14,h2","fingerprint":"E7:62:76:74:8D:09:F7:E9:69:05:B8:1A:37:A1:30:2D:FF:3B:BC:0A"}}
00590{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":193,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":12,"flow_first_seen":1448269146905,"flow_last_seen":1448269146970,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":2856,"flow_tot_l4_payload_len":4139,"flow_avg_l4_payload_len":344,"midstream":0,"ts_msec":1448269146970,"l3_proto":"ip6","src_ip":"2a00:d40:1:3:7aac:c0ff:fea7:d4c","dst_ip":"2a02:26f0:ad:197::236","src_port":53132,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00590{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":193,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":15,"flow_packets_processed":10,"flow_first_seen":1448269146905,"flow_last_seen":1448269146966,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":3547,"flow_tot_l4_payload_len":4139,"flow_avg_l4_payload_len":413,"midstream":0,"ts_msec":1448269146970,"l3_proto":"ip6","src_ip":"2a00:d40:1:3:7aac:c0ff:fea7:d4c","dst_ip":"2a02:26f0:ad:197::236","src_port":53134,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00610{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":193,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":14,"flow_first_seen":1448269127395,"flow_last_seen":1448269127510,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":506,"flow_tot_l4_payload_len":1009,"flow_avg_l4_payload_len":72,"midstream":1,"ts_msec":1448269146970,"l3_proto":"ip6","src_ip":"2a00:d40:1:3:7aac:c0ff:fea7:d4c","dst_ip":"2a00:1450:4001:803::1017","src_port":41776,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"}}
@@ -103,9 +103,9 @@
~~ total active/idle flows...: 15/15
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 2026574 bytes
-~~ total memory freed........: 2026574 bytes
-~~ total allocations/frees...: 35639/35639
+~~ total memory allocated....: 4682953 bytes
+~~ total memory freed........: 4682953 bytes
+~~ total allocations/frees...: 99835/99835
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 164 chars
~~ json string max len.......: 2303 chars
diff --git a/test/results/iec60780-5-104.pcap.out b/test/results/iec60780-5-104.pcap.out
index 2bb93d39a..135d41ac1 100644
--- a/test/results/iec60780-5-104.pcap.out
+++ b/test/results/iec60780-5-104.pcap.out
@@ -44,9 +44,9 @@
~~ total active/idle flows...: 6/6
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1940467 bytes
-~~ total memory freed........: 1940467 bytes
-~~ total allocations/frees...: 35500/35500
+~~ total memory allocated....: 4600662 bytes
+~~ total memory freed........: 4600662 bytes
+~~ total allocations/frees...: 99696/99696
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 169 chars
~~ json string max len.......: 603 chars
diff --git a/test/results/imap-starttls.pcap.out b/test/results/imap-starttls.pcap.out
new file mode 100644
index 000000000..709e723b6
--- /dev/null
+++ b/test/results/imap-starttls.pcap.out
@@ -0,0 +1,23 @@
+00447{"daemon_event_id":1,"daemon_event_name":"init","thread_id":0,"packet_id":0,"source":"imap-starttls.pcap","alias":"nDPId-test","max-flows-per-thread":2048,"max-idle-flows-per-thread":256,"tick-resolution":1000,"reader-thread-count":1,"flow-scan-interval":10000,"generic-max-idle-time":600000,"icmp-max-idle-time":120000,"udp-max-idle-time":180000,"tcp-max-idle-time":7560000,"max-packets-per-flow-to-send":3,"max-packets-per-flow-to-process":255}
+00556{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1,"source":"imap-starttls.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1437584567812,"flow_last_seen":1437584567812,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1437584567812,"l3_proto":"ip4","src_ip":"192.168.17.53","dst_ip":"212.227.17.186","src_port":49640,"dst_port":143,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
+00482{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"imap-starttls.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_last_seen":1437584567812,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"ts_msec":1437584567812,"pkt":"kFmvW2bUaKhtGGkOCABFAABAc8pAAEAGDnPAqBE11OMRusHoAI+CJObQAAAAALAC\/\/\/XTwAAAgQFtAEDAwQBAQgKKoxROgAAAAAEAgAA"}
+00463{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"imap-starttls.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_last_seen":1437584568002,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1437584568002,"pkt":"aKhtGGkOkFmvW2bUCABFIAA0AABAADAGkinU4xG6wKgRNQCPwehPqEW7giTm0YASPryvAAAAAgQFtAQCAwMKAAAA"}
+00447{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"imap-starttls.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_last_seen":1437584568002,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1437584568002,"pkt":"kFmvW2bUaKhtGGkOCABFAAAohpRAAEAG+8DAqBE11OMRusHoAI+CJObRT6hFvFAQQAD2hgAA"}
+00646{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":10,"source":"imap-starttls.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":10,"flow_first_seen":1437584567812,"flow_last_seen":1437584568383,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":271,"flow_tot_l4_payload_len":524,"flow_avg_l4_payload_len":52,"midstream":0,"ts_msec":1437584568383,"l3_proto":"ip4","src_ip":"192.168.17.53","dst_ip":"212.227.17.186","src_port":49640,"dst_port":143,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"IMAPS","breed":"Safe","category":"Email"}}
+00566{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":32,"source":"imap-starttls.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":32,"flow_first_seen":1437584567812,"flow_last_seen":1437584570828,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":6193,"flow_avg_l4_payload_len":193,"midstream":0,"ts_msec":1437584570828,"l3_proto":"ip4","src_ip":"192.168.17.53","dst_ip":"212.227.17.186","src_port":49640,"dst_port":143,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
+00161{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":32,"source":"imap-starttls.pcap","alias":"nDPId-test","total-events-serialized":8}
+~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
+~~ packets captured/processed: 32/32
+~~ skipped flows.............: 0
+~~ total layer4 data length..: 6193 bytes
+~~ total detected protocols..: 1
+~~ total active/idle flows...: 1/1
+~~ total timeout flows.......: 0
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~ total memory allocated....: 4593415 bytes
+~~ total memory freed........: 4593415 bytes
+~~ total allocations/frees...: 99567/99567
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~ json string min len.......: 166 chars
+~~ json string max len.......: 651 chars
+~~ json string avg len.......: 471 chars
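Review bot: The expected `detected` event for flow 1 pins `"flow_risk": {"5":"Known protocol on non standard port"}` together with `"proto":"IMAPS"` for a connection to `dst_port` 143. Judging by the capture name, this is an IMAP session upgraded with STARTTLS on the standard IMAP port. If so, the risk is a false positive that this golden file now asserts as correct, and every STARTTLS mail flow would raise the same alert downstream. The classification comes from the libnDPI submodule, which is outside this hunk. I would record it as a known misclassification where the test results are described, for example `imap-starttls: risk 5 is expected until STARTTLS on 143 is handled upstream`, so a later fix is not mistaken for a regression.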
diff --git a/test/results/imap.pcap.out b/test/results/imap.pcap.out
new file mode 100644
index 000000000..1afc6ae08
--- /dev/null
+++ b/test/results/imap.pcap.out
@@ -0,0 +1,23 @@
+00438{"daemon_event_id":1,"daemon_event_name":"init","thread_id":0,"packet_id":0,"source":"imap.pcap","alias":"nDPId-test","max-flows-per-thread":2048,"max-idle-flows-per-thread":256,"tick-resolution":1000,"reader-thread-count":1,"flow-scan-interval":10000,"generic-max-idle-time":600000,"icmp-max-idle-time":120000,"udp-max-idle-time":180000,"tcp-max-idle-time":7560000,"max-packets-per-flow-to-send":3,"max-packets-per-flow-to-process":255}
+00538{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1,"source":"imap.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1213095262213,"flow_last_seen":1213095262213,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1213095262213,"l3_proto":"ip4","src_ip":"10.40.4.2","dst_ip":"10.40.3.2","src_port":46045,"dst_port":143,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
+00466{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"imap.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_last_seen":1213095262213,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1213095262213,"pkt":"AASWJ8g6ABUXJM1lCABFAAA8nkhAAEAGgSAKKAQCCigDArPdAI+IaqplAAAAAKACFtDwZgAAAgQFtAQCCAoKDDQtAAAAAAEDAwc="}
+00466{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"imap.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_last_seen":1213095262213,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1213095262213,"pkt":"ABUXJM1lAASWJ8g6CABFAAA8VURAAH8GiyQKKAMCCigEAgCPs903+0YNiGqqZqASIAAxdQAAAgQFtAEDAwgEAggKAoc1IAoMNC0="}
+00455{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"imap.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_last_seen":1213095262213,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1213095262213,"pkt":"AASWJ8g6ABUXJM1lCABFAAA0nklAAEAGgScKKAQCCigDArPdAI+IaqpmN\/tGDoAQAC6AFAAAAQEICgoMNC0ChzUg"}
+00653{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":11,"source":"imap.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":11,"flow_first_seen":1213095262213,"flow_last_seen":1213095266594,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":65,"flow_tot_l4_payload_len":184,"flow_avg_l4_payload_len":16,"midstream":0,"ts_msec":1213095266594,"l3_proto":"ip4","src_ip":"10.40.4.2","dst_ip":"10.40.3.2","src_port":46045,"dst_port":143,"l4_proto":"tcp","ndpi": {"flow_risk": {"22":"Unsafe Protocol"},"proto":"IMAP","breed":"Unsafe","category":"Email"},"imap": {"user":"samir","password":"pfres"}}
+00547{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":33,"source":"imap.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":33,"flow_first_seen":1213095262213,"flow_last_seen":1213095266780,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":696,"flow_tot_l4_payload_len":1580,"flow_avg_l4_payload_len":47,"midstream":0,"ts_msec":1213095266780,"l3_proto":"ip4","src_ip":"10.40.4.2","dst_ip":"10.40.3.2","src_port":46045,"dst_port":143,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
+00152{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":33,"source":"imap.pcap","alias":"nDPId-test","total-events-serialized":8}
+~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
+~~ packets captured/processed: 33/33
+~~ skipped flows.............: 0
+~~ total layer4 data length..: 1580 bytes
+~~ total detected protocols..: 1
+~~ total active/idle flows...: 1/1
+~~ total timeout flows.......: 0
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~ total memory allocated....: 4593444 bytes
+~~ total memory freed........: 4593444 bytes
+~~ total allocations/frees...: 99568/99568
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~ json string min len.......: 157 chars
+~~ json string max len.......: 658 chars
+~~ json string avg len.......: 469 chars
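Review bot: The expected `detected` event for flow 1 carries the captured IMAP login verbatim in an `"imap": {"user":…,"password":…}` object. Every consumer of the JSON stream (collectors, log files, and this checked-in result file) therefore ends up storing cleartext credentials. The serialiser is in nDPId.c, outside this hunk, so it cannot be seen here whether the field is opt-in. If it is unconditional, I would put credential fields behind an explicit option that is off by default and emit a placeholder such as `"password":"<redacted>"` or a presence flag instead. The `"22":"Unsafe Protocol"` flow risk in the same event already tells a detection pipeline that a cleartext login occurred, without carrying the secret.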
diff --git a/test/results/imaps.pcap.out b/test/results/imaps.pcap.out
index 1b0d9a668..3b2706387 100644
--- a/test/results/imaps.pcap.out
+++ b/test/results/imaps.pcap.out
@@ -5,7 +5,7 @@
00456{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"imaps.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_last_seen":1590857744706,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1590857744706,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAG+gvAqAEIp2PXpMVKA+HRNM\/OzIui24AQECwI4wAAAQEIChRNnWGpw+fs"}
00818{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"imaps.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":4,"flow_first_seen":1590857744659,"flow_last_seen":1590857744710,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":227,"flow_tot_l4_payload_len":227,"flow_avg_l4_payload_len":56,"midstream":0,"ts_msec":1590857744710,"l3_proto":"ip4","src_ip":"192.168.1.8","dst_ip":"167.99.215.164","src_port":50506,"dst_port":993,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.ntop","breed":"Safe","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mail.ntop.org","ja3":"4923a265be4d81c68ecda45bb89cdf6a","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
00875{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"imaps.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":6,"flow_first_seen":1590857744659,"flow_last_seen":1590857744765,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":1667,"flow_avg_l4_payload_len":277,"midstream":0,"ts_msec":1590857744765,"l3_proto":"ip4","src_ip":"192.168.1.8","dst_ip":"167.99.215.164","src_port":50506,"dst_port":993,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.ntop","breed":"Safe","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mail.ntop.org","ja3":"4923a265be4d81c68ecda45bb89cdf6a","ja3s":"b653c251b0ee54c3088fe7bb997cf59d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"}}
-01078{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":7,"source":"imaps.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":7,"flow_first_seen":1590857744659,"flow_last_seen":1590857744765,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":3107,"flow_avg_l4_payload_len":443,"midstream":0,"ts_msec":1590857744765,"l3_proto":"ip4","src_ip":"192.168.1.8","dst_ip":"167.99.215.164","src_port":50506,"dst_port":993,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.ntop","breed":"Safe","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mail.ntop.org","server_names":"mail.ntop.org","ja3":"4923a265be4d81c68ecda45bb89cdf6a","ja3s":"b653c251b0ee54c3088fe7bb997cf59d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3","issuerDN":"CN=mail.ntop.org","fingerprint":"F1:9A:35:30:96:57:5E:56:81:28:2C:D9:45:A5:83:21:9E:E8:C5:DF"}}
+01079{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":7,"source":"imaps.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":7,"flow_first_seen":1590857744659,"flow_last_seen":1590857744765,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":3107,"flow_avg_l4_payload_len":443,"midstream":0,"ts_msec":1590857744765,"l3_proto":"ip4","src_ip":"192.168.1.8","dst_ip":"167.99.215.164","src_port":50506,"dst_port":993,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.ntop","breed":"Safe","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mail.ntop.org","server_names":"mail.ntop.org","ja3":"4923a265be4d81c68ecda45bb89cdf6a","ja3s":"b653c251b0ee54c3088fe7bb997cf59d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3","subjectDN":"CN=mail.ntop.org","fingerprint":"F1:9A:35:30:96:57:5E:56:81:28:2C:D9:45:A5:83:21:9E:E8:C5:DF"}}
00557{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":20,"source":"imaps.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":20,"flow_first_seen":1590857744659,"flow_last_seen":1590857744987,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":3856,"flow_avg_l4_payload_len":192,"midstream":0,"ts_msec":1590857744987,"l3_proto":"ip4","src_ip":"192.168.1.8","dst_ip":"167.99.215.164","src_port":50506,"dst_port":993,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00154{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":20,"source":"imaps.pcap","alias":"nDPId-test","total-events-serialized":10}
~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
@@ -16,10 +16,10 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1933615 bytes
-~~ total memory freed........: 1933615 bytes
-~~ total allocations/frees...: 35363/35363
+~~ total memory allocated....: 4595930 bytes
+~~ total memory freed........: 4595930 bytes
+~~ total allocations/frees...: 99559/99559
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 159 chars
-~~ json string max len.......: 1083 chars
-~~ json string avg len.......: 672 chars
+~~ json string max len.......: 1084 chars
+~~ json string avg len.......: 673 chars
diff --git a/test/results/instagram.pcap.out b/test/results/instagram.pcap.out
index ad2444476..034fb4766 100644
--- a/test/results/instagram.pcap.out
+++ b/test/results/instagram.pcap.out
@@ -56,7 +56,7 @@
02359{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":325,"source":"instagram.pcap","alias":"nDPId-test","flow_id":13,"flow_packet_id":3,"flow_last_seen":1436720908432,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":1464,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1464,"pkt_l4_len":1430,"ts_msec":1436720908432,"pkt":"QPMIw47hABsv8H60CABFAAWqu1ZAAFUGJ6cfDV00wKgAZwG7hI+o7MT1gUCDQoAQAFzmhwAAAQEIClsYbL0AA+5iFwMBBgCkPdU4R6wGSIS3keHeixTLTI9zV+il0PpZ8q91YamIsd4IZ1iA9S2D6W\/nJ4T6403w2+fJe+hdEKNsk0963CdXOEXDNkQKpXOBBE+0Y\/4Fle8ueshRyGFFEoc6PtZpKpwayy+TKxEJ4pFJyX2oGMWjaZzaOyD59AskeV\/YOll+Xm0S27uMjZKkLBkCxDNPTNhB8fh\/syM9nxdE4huEu1SgtsgSRap7+5OfSJa0vJji4Lac5HIGGpVuCAdsaWkkirxUeGhBT5KqUaH3z34YK2q9OCFDjG6zQx+K5wB6\/1tRpCV4T0Wdq9iazWqTK9fhu3Q8m7M+n+OlMsKGxDIEQhTmUFv6EsILdWY4XaXzsNt68ilI12u8FIErHj5xADP5BSss+D\/PqbyyYfj1siM7kMLTpiPXuCUljd29w+P7wtJOUzlqcHwFv60jtkmE5R7DR9LN47rlhx2ZgEX8b9nsvGl\/Z1KSCJ1m3XV6f0806axX94l9imfNEVAHweCX3kOlfFNWODbpNzNbLbpVtPn7xKRA5Y140DajcNQvyREJ7DrHWIxbEPKUq+SIMaNEJqDkl0rYnPqvJYuixcmcTK6joyocw7sF+MmuWuJzAwYoGvQacoqaNqOp0iEPlyz8x6cTF7HbzVKHlLYHsfsKMGz98miVsnjvci5f7S+qZN8wJt+ycMpErrmm5SYVwnyDiARUnY01FjBiu7oXosmSU8r8tl1Y7oQcefwWQmUMJwEVoICnXk5o\/1P1fTAJawMxQor10OxDf\/BV8+4BnkZNbktKhC4u6rpy4t9mTFTFoJnekuOgtsyuYF1D1pTovQynkNog8sbNDLg6lOVy2sSjtN38M5BrjfWP6NvWf5rAbsDm9Qvw2VUkrLm+vXfuLJeKqhTOHspJB2ZVScw6fgqCCRgXV4hbT47jXkZHPFeUj3xtv5oznldP1XEp\/Y0YyZnWCMaWATZlGVUiSYeiFbrcd70L0WujcTQSesgJzHbOqeptYMiDDVIYXi5utFDZis9FPZA2ul\/lArmvEL\/urLFDKdnXMnNjyIIqJtwWZlcpDAHOfD2KyMM51NtnpD3NXBz6ngCZNoi3DrWeJbaK2NX4FFrr9nkmfuHb0MCV8zapTpFVeDqmiCnEMr1A22q06nZsJij0BS+jpAlud6+DjOPKWljFzy06Xn15YGW3Dm07Vi1rGNQXnlLIYZbH\/Lf9VbK8rn+tf2U4X+kmR\/seSiHTIiCrfQRY82NcG+s2JE\/3RNuUUsdP3+A8UZATxsKmMNb9p9jduLcV5NSz3qcz\/E+TORnhzC5qM5iDlSbThKZAPEgvS54QGz00rdEYWdvIwL1jLd2l2yP9aEoOWrH+sNsRBCU97PG1IRhRS5jctVYyDntPEBlAbqGj6sdT5C6POfN9JdpaIsZmGaMmnU0z4bjokazZ5F6F501SFGcsFKmgoCdZLCQyyA\/CkkbqEF1LeEPM1KkE88DAsVjRhjRCz9D6VKRt8PZdtywXXp7E7yF8+
4SN\/2h5CqHv4N+v+ejLyvCd2t1L4BFuJ7BTwaB6NicxBq3cWSEeADsWxC4xODPl+fmk90gThIrGh3\/E3G\/K8LjJkXPwBqDPoSCAh\/lyvY4cI9USKSjdTboTHfChgT73IzMJk4MESnvGhexHkwWw4ndKaJ88XZfXiGJCI\/GHCwJX7Zu\/IG7bV7st4TnImk\/Ds\/xEG7y3JgmTAc9wIRPfDmTaMW0XI0vpt5j1BnCLq+es4TBuh9vggrd8U5G3S+2hj2u1HQPo3wjRAM4dNo6in8nnmD4n\/\/G9yrHWQwizkMQMUhZbY0jDslavyFSGnWc0JVIhfEzkCZm+lGdYxoDPUYKjjFRFeJ8o"}
00526{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":341,"source":"instagram.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":1,"flow_first_seen":1436720908464,"flow_last_seen":1436720908464,"flow_idle_time":120000,"flow_min_l4_payload_len":68,"flow_max_l4_payload_len":68,"flow_tot_l4_payload_len":68,"flow_avg_l4_payload_len":68,"midstream":0,"ts_msec":1436720908464,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"192.168.0.103","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3}
00512{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":341,"source":"instagram.pcap","alias":"nDPId-test","flow_id":14,"flow_packet_id":1,"flow_last_seen":1436720908464,"flow_idle_time":120000,"pkt_oversize":false,"pkt_caplen":102,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":102,"pkt_l4_len":68,"ts_msec":1436720908464,"pkt":"AAAAAAAAAAAAAAAACABFwABYvRcAAEABOq\/AqABnwKgAZwMDE08AAAAARQAAPFm5QABABkodwKgAZ63CKBTA+AG7+Mu3wgAAAACgAjkIlxQAAAIEBbQEAggKAAPuewAAAAABAwMG"}
-00559{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":341,"source":"instagram.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":1,"flow_first_seen":1436720908464,"flow_last_seen":1436720908464,"flow_idle_time":120000,"flow_min_l4_payload_len":68,"flow_max_l4_payload_len":68,"flow_tot_l4_payload_len":68,"flow_avg_l4_payload_len":68,"midstream":0,"ts_msec":1436720908464,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"192.168.0.103","l4_proto":"icmp","ndpi": {"proto":"ICMP","breed":"Acceptable","category":"Network"}}
+00578{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":341,"source":"instagram.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":1,"flow_first_seen":1436720908464,"flow_last_seen":1436720908464,"flow_idle_time":120000,"flow_min_l4_payload_len":68,"flow_max_l4_payload_len":68,"flow_tot_l4_payload_len":68,"flow_avg_l4_payload_len":68,"midstream":0,"ts_msec":1436720908464,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"192.168.0.103","l4_proto":"icmp","ndpi": {"proto":"ICMP","breed":"Acceptable","category":"Network"},"entropy":4.471674}
00512{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":342,"source":"instagram.pcap","alias":"nDPId-test","flow_id":14,"flow_packet_id":2,"flow_last_seen":1436720908464,"flow_idle_time":120000,"pkt_oversize":false,"pkt_caplen":102,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":102,"pkt_l4_len":68,"ts_msec":1436720908464,"pkt":"AAAAAAAAAAAAAAAACABFwABYvRcAAEABOq\/AqABnwKgAZwMDE08AAAAARQAAPFm5QABABkodwKgAZ63CKBTA+AG7+Mu3wgAAAACgAjkIlxQAAAIEBbQEAggKAAPuewAAAAABAwMG"}
00560{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":343,"source":"instagram.pcap","alias":"nDPId-test","flow_id":15,"flow_packets_processed":1,"flow_first_seen":1436720908466,"flow_last_seen":1436720908466,"flow_idle_time":7440000,"flow_min_l4_payload_len":949,"flow_max_l4_payload_len":949,"flow_tot_l4_payload_len":949,"flow_avg_l4_payload_len":949,"midstream":1,"ts_msec":1436720908466,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"31.13.93.52","src_port":33763,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
01748{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":343,"source":"instagram.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":1,"flow_last_seen":1436720908466,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":1015,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1015,"pkt_l4_len":981,"ts_msec":1436720908466,"pkt":"ABsv8H60QPMIw47hCABFAAPpXL5AAEAGnQDAqABnHw1dNIPjAbuhtt+gEOOOT4AYCqMt2AAAAQEICgAD7nvwIEj8FwMBA7DXpbZuuL+a3+A25sPf3KC8vtrovZX7fcip20iH4gbDYKHRurDuUNBuKdxbaf8w5NnTQml9NHFuaiFV9xaPTEtRbbFB9QgL8vlHsxgX1jfO9ZT6YB1lbKI1n65g8AZltFoEnCsmCE1IOxVyjBVZQT7po2puEnrF+kDYe4098KgZgFIZStFzMtmo9XOmOfNP+iRYctfjIeGJz8jQ1lFBvHEsbbQIygOCYn9oDm7CXWwj2LvemnGFKWnWYwKY2HgH6zrHi9xUd7CDCihcewk3nTPbbyiC\/Oifk2F1KjvO+B1lmqoGqUOYx21p5F3Yy7giHbLKSW+ti05sAV0fAKz7Z8+aVWuucvLaUbW+dSKFEZubeujNKIbXr7vCkpaZCatjRYZUgGNtsk2NBSXDlVMA\/v3I+TpoH8L5Ft2TQGs+aL8gJ2KVF6O2+ZYxZ96KcyiQmukk5fWpPjyBq7B0lhl8\/l+87aNWAB+03OvN8FhYV+S\/gv75JF3N388CBkyP4ME8FRt4W55y8LCj1tqiL9fodHUaE6F0ridmX8h0+Dsd82vVVQdbomtwYWVDLtEOA4gG2jJjDPllVf5J8xmFGHsA6M\/TDTHEfu8LTRQc1d6jnJGUH9Eeq7GjZHoFXfcfkpY9BGbqJWKidAdwRrWxc1XI2wcOmTiqvy3W0kHXHGHBqtUOPHt80fdZz3Php0HqhVjapNrBUUzl1zXCtqo+\/D90yVXLpIbqbzqp1UOs3uY9nrVZKeWZAphdT0b38N153F9QCQaE1j\/B3yRInHVxnxDr8\/wXaBQutJGt+fT8YapiNjDh2B5Fe\/VzJjaUK9\/s\/F4+YAkFfcLJJgpkyZ1FyjpKFDmEKLJS\/hWon3VkTkSPBJyUnbR06ETQWOqnwWcQKPcsS14LaHbhuVhKdt2tBBxQtcd0OoPW2aLOEDh9uAs1wndQ8cDwLHeWOSYDiwyq7hmF978JHTDY5T9UPy1BfhkIGr1397oeYW8tQLiHwwHKS6l11zZwAq8rb2bsBNkrNvLFUBdxAJWO7YtLy1slqNoFAyDdp7eKwmaP317WVsHGvyiwNdASVNzu1pbccCR6AgqCnTrbOntDjyNK4u2jrQuFCeBAMKVe19ptimavwWdWcfiYh6zgKaavEskV4nXhC01pvDJfX\/uuk2wAy46ocrpdos3RqXm7EpLF72d506O+IxXSSlwIplmFgawKqTtoIASL2SkYHX0Y3wKxf+vCHqdiD1nEkmvwUYQ8dkrjuTHBA1bDvg=="}
@@ -105,13 +105,13 @@
00852{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":377,"source":"instagram.pcap","alias":"nDPId-test","flow_id":22,"flow_packets_processed":4,"flow_first_seen":1436720908576,"flow_last_seen":1436720908617,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":226,"flow_tot_l4_payload_len":226,"flow_avg_l4_payload_len":56,"midstream":0,"ts_msec":1436720908617,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"82.85.26.154","src_port":41181,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Instagram","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1","client_requested_server_name":"igcdn-photos-a-a.akamaihd.net","ja3":"54ae5fcb0159e2ddf6a50e149221c7c7","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
00852{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":378,"source":"instagram.pcap","alias":"nDPId-test","flow_id":23,"flow_packets_processed":4,"flow_first_seen":1436720908577,"flow_last_seen":1436720908619,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":226,"flow_tot_l4_payload_len":226,"flow_avg_l4_payload_len":56,"midstream":0,"ts_msec":1436720908619,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"82.85.26.154","src_port":41182,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Instagram","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1","client_requested_server_name":"igcdn-photos-a-a.akamaihd.net","ja3":"54ae5fcb0159e2ddf6a50e149221c7c7","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
00906{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":381,"source":"instagram.pcap","alias":"nDPId-test","flow_id":24,"flow_packets_processed":6,"flow_first_seen":1436720908581,"flow_last_seen":1436720908633,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":1676,"flow_avg_l4_payload_len":279,"midstream":0,"ts_msec":1436720908633,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"46.33.70.136","src_port":60908,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Instagram","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1","client_requested_server_name":"igcdn-photos-g-a.akamaihd.net","ja3":"54ae5fcb0159e2ddf6a50e149221c7c7","ja3s":"34d6f0ad0a79e4cfdf145e640cc93f78","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"}}
-01304{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":385,"source":"instagram.pcap","alias":"nDPId-test","flow_id":24,"flow_packets_processed":10,"flow_first_seen":1436720908581,"flow_last_seen":1436720908634,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":4354,"flow_avg_l4_payload_len":435,"midstream":0,"ts_msec":1436720908634,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"46.33.70.136","src_port":60908,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Instagram","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1","client_requested_server_name":"igcdn-photos-g-a.akamaihd.net","server_names":"a248.e.akamai.net,*.akamaihd.net,*.akamaihd-staging.net,*.akamaized.net,*.akamaized-staging.net","ja3":"54ae5fcb0159e2ddf6a50e149221c7c7","ja3s":"34d6f0ad0a79e4cfdf145e640cc93f78","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=NL, L=Amsterdam, O=Verizon Enterprise Solutions, OU=Cybertrust, CN=Verizon Akamai SureServer CA G14-SHA1","issuerDN":"C=US, ST=MA, L=Cambridge, O=Akamai Technologies Inc., CN=a248.e.akamai.net","fingerprint":"EA:5A:20:95:78:D7:09:60:5C:A1:E4:CA:A5:2B:BD:C1:78:FB:23:23"}}
+01305{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":385,"source":"instagram.pcap","alias":"nDPId-test","flow_id":24,"flow_packets_processed":10,"flow_first_seen":1436720908581,"flow_last_seen":1436720908634,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":4354,"flow_avg_l4_payload_len":435,"midstream":0,"ts_msec":1436720908634,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"46.33.70.136","src_port":60908,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Instagram","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1","client_requested_server_name":"igcdn-photos-g-a.akamaihd.net","server_names":"a248.e.akamai.net,*.akamaihd.net,*.akamaihd-staging.net,*.akamaized.net,*.akamaized-staging.net","ja3":"54ae5fcb0159e2ddf6a50e149221c7c7","ja3s":"34d6f0ad0a79e4cfdf145e640cc93f78","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=NL, L=Amsterdam, O=Verizon Enterprise Solutions, OU=Cybertrust, CN=Verizon Akamai SureServer CA G14-SHA1","subjectDN":"C=US, ST=MA, L=Cambridge, O=Akamai Technologies Inc., CN=a248.e.akamai.net","fingerprint":"EA:5A:20:95:78:D7:09:60:5C:A1:E4:CA:A5:2B:BD:C1:78:FB:23:23"}}
00906{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":389,"source":"instagram.pcap","alias":"nDPId-test","flow_id":21,"flow_packets_processed":6,"flow_first_seen":1436720908572,"flow_last_seen":1436720908636,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":1868,"flow_avg_l4_payload_len":311,"midstream":0,"ts_msec":1436720908636,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"46.33.70.174","src_port":44558,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Instagram","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1","client_requested_server_name":"igcdn-photos-h-a.akamaihd.net","ja3":"54ae5fcb0159e2ddf6a50e149221c7c7","ja3s":"7df57c06f869fc3ce509521cae2f75ce","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"}}
-01304{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":393,"source":"instagram.pcap","alias":"nDPId-test","flow_id":21,"flow_packets_processed":10,"flow_first_seen":1436720908572,"flow_last_seen":1436720908638,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":4546,"flow_avg_l4_payload_len":454,"midstream":0,"ts_msec":1436720908638,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"46.33.70.174","src_port":44558,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Instagram","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1","client_requested_server_name":"igcdn-photos-h-a.akamaihd.net","server_names":"a248.e.akamai.net,*.akamaihd.net,*.akamaihd-staging.net,*.akamaized.net,*.akamaized-staging.net","ja3":"54ae5fcb0159e2ddf6a50e149221c7c7","ja3s":"7df57c06f869fc3ce509521cae2f75ce","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=NL, L=Amsterdam, O=Verizon Enterprise Solutions, OU=Cybertrust, CN=Verizon Akamai SureServer CA G14-SHA1","issuerDN":"C=US, ST=MA, L=Cambridge, O=Akamai Technologies Inc., CN=a248.e.akamai.net","fingerprint":"EA:5A:20:95:78:D7:09:60:5C:A1:E4:CA:A5:2B:BD:C1:78:FB:23:23"}}
+01305{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":393,"source":"instagram.pcap","alias":"nDPId-test","flow_id":21,"flow_packets_processed":10,"flow_first_seen":1436720908572,"flow_last_seen":1436720908638,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":4546,"flow_avg_l4_payload_len":454,"midstream":0,"ts_msec":1436720908638,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"46.33.70.174","src_port":44558,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Instagram","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1","client_requested_server_name":"igcdn-photos-h-a.akamaihd.net","server_names":"a248.e.akamai.net,*.akamaihd.net,*.akamaihd-staging.net,*.akamaized.net,*.akamaized-staging.net","ja3":"54ae5fcb0159e2ddf6a50e149221c7c7","ja3s":"7df57c06f869fc3ce509521cae2f75ce","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=NL, L=Amsterdam, O=Verizon Enterprise Solutions, OU=Cybertrust, CN=Verizon Akamai SureServer CA G14-SHA1","subjectDN":"C=US, ST=MA, L=Cambridge, O=Akamai Technologies Inc., CN=a248.e.akamai.net","fingerprint":"EA:5A:20:95:78:D7:09:60:5C:A1:E4:CA:A5:2B:BD:C1:78:FB:23:23"}}
00906{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":398,"source":"instagram.pcap","alias":"nDPId-test","flow_id":22,"flow_packets_processed":6,"flow_first_seen":1436720908576,"flow_last_seen":1436720908660,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":1644,"flow_avg_l4_payload_len":274,"midstream":0,"ts_msec":1436720908660,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"82.85.26.154","src_port":41181,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Instagram","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1","client_requested_server_name":"igcdn-photos-a-a.akamaihd.net","ja3":"54ae5fcb0159e2ddf6a50e149221c7c7","ja3s":"34d6f0ad0a79e4cfdf145e640cc93f78","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"}}
-01304{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":402,"source":"instagram.pcap","alias":"nDPId-test","flow_id":22,"flow_packets_processed":10,"flow_first_seen":1436720908576,"flow_last_seen":1436720908661,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":4322,"flow_avg_l4_payload_len":432,"midstream":0,"ts_msec":1436720908661,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"82.85.26.154","src_port":41181,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Instagram","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1","client_requested_server_name":"igcdn-photos-a-a.akamaihd.net","server_names":"a248.e.akamai.net,*.akamaihd.net,*.akamaihd-staging.net,*.akamaized.net,*.akamaized-staging.net","ja3":"54ae5fcb0159e2ddf6a50e149221c7c7","ja3s":"34d6f0ad0a79e4cfdf145e640cc93f78","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=NL, L=Amsterdam, O=Verizon Enterprise Solutions, OU=Cybertrust, CN=Verizon Akamai SureServer CA G14-SHA1","issuerDN":"C=US, ST=MA, L=Cambridge, O=Akamai Technologies Inc., CN=a248.e.akamai.net","fingerprint":"EA:5A:20:95:78:D7:09:60:5C:A1:E4:CA:A5:2B:BD:C1:78:FB:23:23"}}
+01305{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":402,"source":"instagram.pcap","alias":"nDPId-test","flow_id":22,"flow_packets_processed":10,"flow_first_seen":1436720908576,"flow_last_seen":1436720908661,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":4322,"flow_avg_l4_payload_len":432,"midstream":0,"ts_msec":1436720908661,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"82.85.26.154","src_port":41181,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Instagram","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1","client_requested_server_name":"igcdn-photos-a-a.akamaihd.net","server_names":"a248.e.akamai.net,*.akamaihd.net,*.akamaihd-staging.net,*.akamaized.net,*.akamaized-staging.net","ja3":"54ae5fcb0159e2ddf6a50e149221c7c7","ja3s":"34d6f0ad0a79e4cfdf145e640cc93f78","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=NL, L=Amsterdam, O=Verizon Enterprise Solutions, OU=Cybertrust, CN=Verizon Akamai SureServer CA G14-SHA1","subjectDN":"C=US, ST=MA, L=Cambridge, O=Akamai Technologies Inc., CN=a248.e.akamai.net","fingerprint":"EA:5A:20:95:78:D7:09:60:5C:A1:E4:CA:A5:2B:BD:C1:78:FB:23:23"}}
00906{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":407,"source":"instagram.pcap","alias":"nDPId-test","flow_id":23,"flow_packets_processed":6,"flow_first_seen":1436720908577,"flow_last_seen":1436720908663,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":1644,"flow_avg_l4_payload_len":274,"midstream":0,"ts_msec":1436720908663,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"82.85.26.154","src_port":41182,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Instagram","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1","client_requested_server_name":"igcdn-photos-a-a.akamaihd.net","ja3":"54ae5fcb0159e2ddf6a50e149221c7c7","ja3s":"34d6f0ad0a79e4cfdf145e640cc93f78","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"}}
-01304{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":411,"source":"instagram.pcap","alias":"nDPId-test","flow_id":23,"flow_packets_processed":10,"flow_first_seen":1436720908577,"flow_last_seen":1436720908665,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":4322,"flow_avg_l4_payload_len":432,"midstream":0,"ts_msec":1436720908665,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"82.85.26.154","src_port":41182,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Instagram","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1","client_requested_server_name":"igcdn-photos-a-a.akamaihd.net","server_names":"a248.e.akamai.net,*.akamaihd.net,*.akamaihd-staging.net,*.akamaized.net,*.akamaized-staging.net","ja3":"54ae5fcb0159e2ddf6a50e149221c7c7","ja3s":"34d6f0ad0a79e4cfdf145e640cc93f78","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=NL, L=Amsterdam, O=Verizon Enterprise Solutions, OU=Cybertrust, CN=Verizon Akamai SureServer CA G14-SHA1","issuerDN":"C=US, ST=MA, L=Cambridge, O=Akamai Technologies Inc., CN=a248.e.akamai.net","fingerprint":"EA:5A:20:95:78:D7:09:60:5C:A1:E4:CA:A5:2B:BD:C1:78:FB:23:23"}}
+01305{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":411,"source":"instagram.pcap","alias":"nDPId-test","flow_id":23,"flow_packets_processed":10,"flow_first_seen":1436720908577,"flow_last_seen":1436720908665,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":4322,"flow_avg_l4_payload_len":432,"midstream":0,"ts_msec":1436720908665,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"82.85.26.154","src_port":41182,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Instagram","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1","client_requested_server_name":"igcdn-photos-a-a.akamaihd.net","server_names":"a248.e.akamai.net,*.akamaihd.net,*.akamaihd-staging.net,*.akamaized.net,*.akamaized-staging.net","ja3":"54ae5fcb0159e2ddf6a50e149221c7c7","ja3s":"34d6f0ad0a79e4cfdf145e640cc93f78","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=NL, L=Amsterdam, O=Verizon Enterprise Solutions, OU=Cybertrust, CN=Verizon Akamai SureServer CA G14-SHA1","subjectDN":"C=US, ST=MA, L=Cambridge, O=Akamai Technologies Inc., CN=a248.e.akamai.net","fingerprint":"EA:5A:20:95:78:D7:09:60:5C:A1:E4:CA:A5:2B:BD:C1:78:FB:23:23"}}
00512{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":417,"source":"instagram.pcap","alias":"nDPId-test","flow_id":14,"flow_packet_id":3,"flow_last_seen":1436720908719,"flow_idle_time":120000,"pkt_oversize":false,"pkt_caplen":102,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":102,"pkt_l4_len":68,"ts_msec":1436720908719,"pkt":"AAAAAAAAAAAAAAAACABFwABYvRgAAEABOq7AqABnwKgAZwMDAwcAAAAARQAAPLKEQABABvFRwKgAZ63CKBTA\/QG7ZKZcEQAAAACgAjkIlxQAAAIEBbQEAggKAAPulQAAAAABAwMG"}
02359{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":419,"source":"instagram.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":3,"flow_last_seen":1436720908720,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":1464,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1464,"pkt_l4_len":1430,"ts_msec":1436720908720,"pkt":"QPMIw47hABsv8H60CABFAAWqkOBAAFUGUh0fDV00wKgAZwG7g+MQ445PobbjVYAQANmoZAAAAQEICvAgso0AA+57FwMBBgAJWuxAFmWJOuMXXLFPa+ihsePS3XMy0YIQztBBVmLMKv7bKksLnHy6Qejj3IofgvBbzBtV3GqDkMg6uh0P6N7FwcSe3tUjgcGiijvn6K818Zp8xqjp0tEb5pWvqXYqObddd2Hnzu6vQfWb9eTm5eWBjMWaH+46WOkF+yLDu28OnCnI6DRA4hVUhPFmv3Y3Jc5EGy9h1liFAXpPz8RauF02nsY9w0LD3TtF0JwByoPONdeUPZq\/WKka9SPqVUAIaUqD+iiuPiB4iY\/P40454jR2ubUAx1KxalPDxCZcJOVc\/mRFMjjylf886\/qgnF5\/zNdIB+osc8LQ7+njijbpW6+nsd1r20QxY5h4iboPc5bOwlwaY54bOkKhUi3rW\/yK+SdRmOIbvY6QnNs\/NHnLztmSVepcsVQj4\/LAs3sQee2yV5Zb\/OKdnbNcoVz0fzHzanGF+shxmnBL7MHCUWI6dyfgrtdeHJw7AeiUY3i\/mTZNsE8HDXYtj4PZmBRSpw9Tn6yrOi8oCWZlu5KzIRGzRJtFphUHZ6meh5JLg+hn5njKZANgsGVL5D4VIgoF1kaCOaYkGXgkZUN4f977LcfvI6GMq+I5puCewiP+Uuk1kPF9pzskRav04M10TqsDM7GhlmoPVQK4OBUJ9tHagFf6IatPi0\/17iyM\/LjiFML0PoAxBFfvl5DWDm64B7S6wNuZznilyLl+dRCTX+DG4IWEZ9iWMuJz0q4h3NgjCjbVoEhcXrIzm79zTgYF1K\/Fc1eVQ5pDkZIk+MSfw+JmzqDNkO7KlRRDcuvw+93T8NghPFPmCMaGi36H+eJ8qZHgJQD6VyTq0u+kS7b7xcTR0rfQCJsFB5GAwMG7Gp3gleQk40HnR7gOPSTpCQbfSRM+5donNBgSWHGZa9A+e6lLq4NFCERiwzj3U\/o3rAI1FPY3nDbj4wb3EgILuovLCxScYhTNarC2IzSTHU8Qk8N2SV+q0qGc9KDK7Jyj+IHlvAecHsLgYXphxLiTsup\/3eR29a5fD0B54hNbSHf+QHisCGvO8syBPnMdbwGhHIhnTTwNn1eEHqk6X5WP24wp\/q9HBPEopbXKhKpIJHSzjJGb6QwaZFDvJ0eS8PBbauWDkSrvIOpQ+81F3KtLkj4QiFmXv6kUM6e\/ijm1X4ctGQCDMzfE6CL9kNIZ0KT10hk0pBqwVPBgsjzabFgBWuwkhXkJMqXx8tC1EU+7y29gsrs\/ybrD8eTd4mRW4AQWWxsx8SCg4RuBagiQndKzKvD7t\/D1UNx\/cjM+FPNHc3Vo6COyR4bKIxJFsFcqKxflWpQPrWlcHnstMeCf6fe7rHShYcn66kSCS9GJMM\/PUNJmbrAgWC5m7qX18BfYRtqglq81Hxihw61ZCMOoAsDBgvxxxkjs4uHIg0bxq+QIHC4jEm62Kc2GqcJIEifAbDIMGTrfg+zGbXs6fbA2wHWV\/6sG736+zvLX7Jbtdr+R3sSX9sMXEufLQEprDfFP7rjD
tjD6q3s32bdz6TPKsaKweTpBUQdUPpxrBp58LHYIfh7kBM6ZZ7B\/leOdLQ4iB0qa4hkq1hvJbOmBVgxwN8J6lLAiR2zfKtjyjIgh1PIEwm0tWG3PrpvEGPUu+zdVEzsubp+CEZmpQpom3JAd8mN1yHxpyrcTLFJkY\/8guFvDtth\/joA1HCjPx5dnKVrWK+v+DF0itobPJ17srGXjTUdxq+PcFTOSkogqyTZpAghuLdzESZm4BYIuVxTMgSSAIWua\/B9nB7ubZGXJW35Hmjvh2589ysVkb287bswERaCrOs6tPVp2NtqRIS7vXD6J\/TWsp5LCRdFcfNfT70AwbYVcnpBdE0+y3eeVEDxU"}
00565{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":440,"source":"instagram.pcap","alias":"nDPId-test","flow_id":25,"flow_packets_processed":1,"flow_first_seen":1436720942507,"flow_last_seen":1436720942507,"flow_idle_time":7440000,"flow_min_l4_payload_len":1418,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":1418,"flow_avg_l4_payload_len":1418,"midstream":1,"ts_msec":1436720942507,"l3_proto":"ip4","src_ip":"92.122.48.138","dst_ip":"192.168.0.103","src_port":80,"dst_port":41562,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -239,9 +239,9 @@
~~ total active/idle flows...: 38/38
~~ total timeout flows.......: 13
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 2709740 bytes
-~~ total memory freed........: 2709740 bytes
-~~ total allocations/frees...: 39042/39042
+~~ total memory allocated....: 5356367 bytes
+~~ total memory freed........: 5356367 bytes
+~~ total allocations/frees...: 103238/103238
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 166 chars
~~ json string max len.......: 2410 chars
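Review bot: The expected allocator totals for this capture jump from 39042 to 103238 allocations/frees (2709740 to 5356367 bytes), and nothing in the regenerated output explains why. The count rises by exactly 64196 both here and in the `ip_fragmented_garbage.pcap.out` hunk that follows (35451 to 99647), which points to a fixed start-up cost rather than per-flow growth, presumably from the libnDPI submodule update. Allocated and freed still match, so no leak is indicated. Because these numbers are the only memory-footprint check for a daemon that parses untrusted traffic, I would state the cause in the commit description, e.g. `test results: +64196 allocations per run after libnDPI update`, so a later per-flow memory regression is not lost in a bulk regeneration of the result files.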
diff --git a/test/results/ip_fragmented_garbage.pcap.out b/test/results/ip_fragmented_garbage.pcap.out
index 8934d37c2..b29152b63 100644
--- a/test/results/ip_fragmented_garbage.pcap.out
+++ b/test/results/ip_fragmented_garbage.pcap.out
@@ -18220,9 +18220,9 @@
~~ total active/idle flows...: 29/29
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1974213 bytes
-~~ total memory freed........: 1974213 bytes
-~~ total allocations/frees...: 35451/35451
+~~ total memory allocated....: 4624656 bytes
+~~ total memory freed........: 4624656 bytes
+~~ total allocations/frees...: 99647/99647
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 180 chars
~~ json string max len.......: 582 chars
diff --git a/test/results/iphone.pcap.out b/test/results/iphone.pcap.out
index 4ef8ab215..8cbff0a4f 100644
--- a/test/results/iphone.pcap.out
+++ b/test/results/iphone.pcap.out
@@ -4,16 +4,16 @@
00589{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"iphone.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1582454552576,"flow_last_seen":1582454552576,"flow_idle_time":180000,"flow_min_l4_payload_len":510,"flow_max_l4_payload_len":510,"flow_tot_l4_payload_len":510,"flow_avg_l4_payload_len":510,"midstream":0,"ts_msec":1582454552576,"l3_proto":"ip4","src_ip":"192.168.2.1","dst_ip":"192.168.2.255","src_port":17500,"dst_port":17500,"l4_proto":"udp","ndpi": {"proto":"Dropbox","breed":"Acceptable","category":"Cloud"}}
00547{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2,"source":"iphone.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":1,"flow_first_seen":1582454553219,"flow_last_seen":1582454553219,"flow_idle_time":180000,"flow_min_l4_payload_len":300,"flow_max_l4_payload_len":300,"flow_tot_l4_payload_len":300,"flow_avg_l4_payload_len":300,"midstream":0,"ts_msec":1582454553219,"l3_proto":"ip4","src_ip":"0.0.0.0","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00840{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"iphone.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_last_seen":1582454553219,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":342,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":342,"pkt_l4_len":308,"ts_msec":1582454553219,"pkt":"\/\/\/\/\/\/\/\/2DBiVgAcCABFAAFIeCUAAP8RQoAAAAAA\/\/\/\/\/wBEAEMBNI0tAQEGAHhURwkAGwAAAAAAAAAAAAAAAAAAAAAAANgwYlYAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABjglNjNQEBNwoBeQMGD3f8XywuOQIF3D0HAdgwYlYAHDMEAHanAAwKTHVjYXMtaU1hY\/8AAAAAAAAAAAAAAAAA"}
-00636{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":2,"source":"iphone.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":1,"flow_first_seen":1582454553219,"flow_last_seen":1582454553219,"flow_idle_time":180000,"flow_min_l4_payload_len":300,"flow_max_l4_payload_len":300,"flow_tot_l4_payload_len":300,"flow_avg_l4_payload_len":300,"midstream":0,"ts_msec":1582454553219,"l3_proto":"ip4","src_ip":"0.0.0.0","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","ndpi": {"proto":"DHCP","breed":"Acceptable","category":"Network"},"dhcp": {"fingerprint":"1,121,3,6,15,119,252,95,44,46"}}
+00677{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":2,"source":"iphone.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":1,"flow_first_seen":1582454553219,"flow_last_seen":1582454553219,"flow_idle_time":180000,"flow_min_l4_payload_len":300,"flow_max_l4_payload_len":300,"flow_tot_l4_payload_len":300,"flow_avg_l4_payload_len":300,"midstream":0,"ts_msec":1582454553219,"l3_proto":"ip4","src_ip":"0.0.0.0","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","ndpi": {"proto":"DHCP","breed":"Acceptable","category":"Network"},"dhcp": {"hostname":"lucas-imac","fingerprint":"1,121,3,6,15,119,252,95,44,46","class_ident":""}}
00555{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":3,"source":"iphone.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":1,"flow_first_seen":1582454553606,"flow_last_seen":1582454553606,"flow_idle_time":180000,"flow_min_l4_payload_len":1157,"flow_max_l4_payload_len":1157,"flow_tot_l4_payload_len":1157,"flow_avg_l4_payload_len":1157,"midstream":0,"ts_msec":1582454553606,"l3_proto":"ip4","src_ip":"192.168.2.1","dst_ip":"224.0.0.251","src_port":5353,"dst_port":5353,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
01978{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"iphone.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_last_seen":1582454553606,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1199,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1199,"pkt_l4_len":1165,"ts_msec":1582454553606,"pkt":"AQBeAAD7xiwDYGpkCABFAASh9MAAAP8RHubAqAIB4AAA+xTpFOkEjReaAACEAAAAAB4AAAALDUx1Y2HigJlzIGlNYWMGX29kaXNrBF90Y3AFbG9jYWwAABCAAQAAEZQANDNzeXM9d2FNQT1DNDoyQzowMzowNjo0OTpGRSxhZFZGPTB4NCxhZERUPTB4MyxhZENDPTAJX3NlcnZpY2VzB19kbnMtc2QEX3VkcMAmAAwAAQAAEZQAAsAawBoADAABAAARlAACwAwNTHVjYeKAmXMgaU1hYwxfZGV2aWNlLWluZm\/AIQAQAAEAABGUABoObW9kZWw9aU1hYzExLDMKb3N4dmVycz0xNwlfa2VyYmVyb3MKTHVjYXMtaU1hY8AmABAAAQAAEZQAMzJMS0RDOlNIQTEuNDkyNDgwQzNFQTgyODI3NzFBMEQyODhGMTExRUY5RTc1MUY5NUE2Mw1MdWNh4oCZcyBpTWFjBF9zbWLAIQAQgAEAABGUAAEAwGsADAABAAARlAACwUHBQQAMAAEAABGUAALBMw1MdWNh4oCZcyBpTWFjC19hZnBvdmVydGNwwCEAEIABAAARlAABAMBrAAwAAQAAEZQAAsF9wX0ADAABAAARlAACwW8NTHVjYeKAmXMgaU1hYwRfc3NowCEAEIABAAARlAABAMBrAAwAAQAAEZQAAsHAwcAADAABAAARlAACwbINTHVjYeKAmXMgaU1hYwlfc2Z0cC1zc2jAIQAQgAEAABGUAAEAwGsADAABAAARlAACwfzB\/AAMAAEAABGUAALB7sAMACGAAQAAAHgACAAAAADAAMDpwTMAIYABAAAAeAAIAAAAAAG9wOnBbwAhgAEAAAB4AAgAAAAAAiTA6cGyACGAAQAAAHgACAAAAAAAFsDpwe4AIYABAAAAeAAIAAAAAAAWwOkNTHVjYeKAmXMgaU1hYwRfbmZzwCEAEIABAAARlAABAMBrAAwAAQAAEZQAAsKhwqEADAABAAARlAACwpPCkwAhgAEAAAB4AAgAAAAACAHA6Q1MdWNh4oCZcyBpTWFjD19jb21wYW5pb24tbGlua8AhABCAAQAAEZQAWBZycEJBPTU5OjUxOjAyOjJGOkE0OkZGCnJwVnI9MTUyLjERcnBIST0wNzE2ZDA1OTQ0YWYRcnBITj04YjUzMjQzNTlkN2QRcnBIQT0yOGQ0YmVkNTE3ODDAawAMAAEAABGUAALC8cLxAAwAAQAAEZQAAsLjwuMAIYABAAAAeAAIAAAAAMADwOnA6QABgAEAAAB4AATAqAIBwOkAHIABAAAAeAAQ\/oAAAAAAAADELAP\/\/mBqZMAMAC+AAQAAEZQACcAMAAUAAIAAQMEzAC+AAQAAEZQACcEzAAUAAIAAQMFvAC+AAQAAEZQACcFvAAUAAIAAQMGyAC+AAQAAEZQACcGyAAUAAIAAQMHuAC+AAQAAEZQACcHuAAUAAIAAQMKTAC+AAQAAEZQACcKTAAUAAIAAQMLjAC+AAQAAEZQACcLjAAUAAIAAQMDpAC+AAQAAAHgACMDpAARAAAAIAAApBaAAABGUABIABAAOAADELAMGSf7GLANgamQ="}
-00641{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":3,"source":"iphone.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":1,"flow_first_seen":1582454553606,"flow_last_seen":1582454553606,"flow_idle_time":180000,"flow_min_l4_payload_len":1157,"flow_max_l4_payload_len":1157,"flow_tot_l4_payload_len":1157,"flow_avg_l4_payload_len":1157,"midstream":0,"ts_msec":1582454553606,"l3_proto":"ip4","src_ip":"192.168.2.1","dst_ip":"224.0.0.251","src_port":5353,"dst_port":5353,"l4_proto":"udp","ndpi": {"proto":"MDNS","breed":"Acceptable","category":"Network"},"mdns": {"answer":"luca___s_imac._odisk._tcp.local"}}
+00641{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":3,"source":"iphone.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":1,"flow_first_seen":1582454553606,"flow_last_seen":1582454553606,"flow_idle_time":180000,"flow_min_l4_payload_len":1157,"flow_max_l4_payload_len":1157,"flow_tot_l4_payload_len":1157,"flow_avg_l4_payload_len":1157,"midstream":0,"ts_msec":1582454553606,"l3_proto":"ip4","src_ip":"192.168.2.1","dst_ip":"224.0.0.251","src_port":5353,"dst_port":5353,"l4_proto":"udp","ndpi": {"proto":"MDNS","breed":"Acceptable","category":"Network"},"mdns": {"answer":"luca???s_imac._odisk._tcp.local"}}
00565{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":4,"source":"iphone.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":1,"flow_first_seen":1582454553607,"flow_last_seen":1582454553607,"flow_idle_time":180000,"flow_min_l4_payload_len":1157,"flow_max_l4_payload_len":1157,"flow_tot_l4_payload_len":1157,"flow_avg_l4_payload_len":1157,"midstream":0,"ts_msec":1582454553607,"l3_proto":"ip6","src_ip":"fe80::c42c:3ff:fe60:6a64","dst_ip":"ff02::fb","src_port":5353,"dst_port":5353,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
02011{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4,"source":"iphone.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":1,"flow_last_seen":1582454553607,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1219,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":1219,"pkt_l4_len":1165,"ts_msec":1582454553607,"pkt":"MzMAAAD7xiwDYGpkht1gBTIBBI0R\/\/6AAAAAAAAAxCwD\/\/5gamT\/AgAAAAAAAAAAAAAAAAD7FOkU6QSNi88AAIQAAAAAHgAAAAsNTHVjYeKAmXMgaU1hYwZfb2Rpc2sEX3RjcAVsb2NhbAAAEIABAAARlAA0M3N5cz13YU1BPUM0OjJDOjAzOjA2OjQ5OkZFLGFkVkY9MHg0LGFkRFQ9MHgzLGFkQ0M9MAlfc2VydmljZXMHX2Rucy1zZARfdWRwwCYADAABAAARlAACwBrAGgAMAAEAABGUAALADA1MdWNh4oCZcyBpTWFjDF9kZXZpY2UtaW5mb8AhABAAAQAAEZQAGg5tb2RlbD1pTWFjMTEsMwpvc3h2ZXJzPTE3CV9rZXJiZXJvcwpMdWNhcy1pTWFjwCYAEAABAAARlAAzMkxLREM6U0hBMS40OTI0ODBDM0VBODI4Mjc3MUEwRDI4OEYxMTFFRjlFNzUxRjk1QTYzDUx1Y2HigJlzIGlNYWMEX3NtYsAhABCAAQAAEZQAAQDAawAMAAEAABGUAALBQcFBAAwAAQAAEZQAAsEzDUx1Y2HigJlzIGlNYWMLX2FmcG92ZXJ0Y3DAIQAQgAEAABGUAAEAwGsADAABAAARlAACwX3BfQAMAAEAABGUAALBbw1MdWNh4oCZcyBpTWFjBF9zc2jAIQAQgAEAABGUAAEAwGsADAABAAARlAACwcDBwAAMAAEAABGUAALBsg1MdWNh4oCZcyBpTWFjCV9zZnRwLXNzaMAhABCAAQAAEZQAAQDAawAMAAEAABGUAALB\/MH8AAwAAQAAEZQAAsHuwAwAIYABAAAAeAAIAAAAAMAAwOnBMwAhgAEAAAB4AAgAAAAAAb3A6cFvACGAAQAAAHgACAAAAAACJMDpwbIAIYABAAAAeAAIAAAAAAAWwOnB7gAhgAEAAAB4AAgAAAAAABbA6Q1MdWNh4oCZcyBpTWFjBF9uZnPAIQAQgAEAABGUAAEAwGsADAABAAARlAACwqHCoQAMAAEAABGUAALCk8KTACGAAQAAAHgACAAAAAAIAcDpDUx1Y2HigJlzIGlNYWMPX2NvbXBhbmlvbi1saW5rwCEAEIABAAARlABYFnJwQkE9NTk6NTE6MDI6MkY6QTQ6RkYKcnBWcj0xNTIuMRFycEhJPTA3MTZkMDU5NDRhZhFycEhOPThiNTMyNDM1OWQ3ZBFycEhBPTI4ZDRiZWQ1MTc4MMBrAAwAAQAAEZQAAsLxwvEADAABAAARlAACwuPC4wAhgAEAAAB4AAgAAAAAwAPA6cDpAAGAAQAAAHgABMCoAgHA6QAcgAEAAAB4ABD+gAAAAAAAAMQsA\/\/+YGpkwAwAL4ABAAARlAAJwAwABQAAgABAwTMAL4ABAAARlAAJwTMABQAAgABAwW8AL4ABAAARlAAJwW8ABQAAgABAwbIAL4ABAAARlAAJwbIABQAAgABAwe4AL4ABAAARlAAJwe4ABQAAgABAwpMAL4ABAAARlAAJwpMABQAAgABAwuMAL4ABAAARlAAJwuMABQAAgABAwOkAL4ABAAAAeAAIwOkABEAAAAgAACkFoAAAEZQAEgAEAA4AAMQsAwZJ
\/sYsA2BqZA=="}
-00651{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"iphone.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":1,"flow_first_seen":1582454553607,"flow_last_seen":1582454553607,"flow_idle_time":180000,"flow_min_l4_payload_len":1157,"flow_max_l4_payload_len":1157,"flow_tot_l4_payload_len":1157,"flow_avg_l4_payload_len":1157,"midstream":0,"ts_msec":1582454553607,"l3_proto":"ip6","src_ip":"fe80::c42c:3ff:fe60:6a64","dst_ip":"ff02::fb","src_port":5353,"dst_port":5353,"l4_proto":"udp","ndpi": {"proto":"MDNS","breed":"Acceptable","category":"Network"},"mdns": {"answer":"luca___s_imac._odisk._tcp.local"}}
+00651{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"iphone.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":1,"flow_first_seen":1582454553607,"flow_last_seen":1582454553607,"flow_idle_time":180000,"flow_min_l4_payload_len":1157,"flow_max_l4_payload_len":1157,"flow_tot_l4_payload_len":1157,"flow_avg_l4_payload_len":1157,"midstream":0,"ts_msec":1582454553607,"l3_proto":"ip6","src_ip":"fe80::c42c:3ff:fe60:6a64","dst_ip":"ff02::fb","src_port":5353,"dst_port":5353,"l4_proto":"udp","ndpi": {"proto":"MDNS","breed":"Acceptable","category":"Network"},"mdns": {"answer":"luca???s_imac._odisk._tcp.local"}}
00559{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":5,"source":"iphone.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":1,"flow_first_seen":1582454553607,"flow_last_seen":1582454553607,"flow_idle_time":180000,"flow_min_l4_payload_len":1186,"flow_max_l4_payload_len":1186,"flow_tot_l4_payload_len":1186,"flow_avg_l4_payload_len":1186,"midstream":0,"ts_msec":1582454553607,"l3_proto":"ip4","src_ip":"169.254.225.216","dst_ip":"224.0.0.251","src_port":5353,"dst_port":5353,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
02018{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":5,"source":"iphone.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_last_seen":1582454553607,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1228,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1228,"pkt_l4_len":1194,"ts_msec":1582454553607,"pkt":"AQBeAAD72DBiVgAcCABFAAS+xrMAAP8Rg6ip\/uHY4AAA+xTpFOkEqgnaAACEAAAAACAAAAAKDUx1Y2HigJlzIGlNYWMGX29kaXNrBF90Y3AFbG9jYWwAABCAAQAAEZQANDNzeXM9d2FNQT1DNDoyQzowMzowNjo0OTpGRSxhZFZGPTB4NCxhZERUPTB4MyxhZENDPTAJX3NlcnZpY2VzB19kbnMtc2QEX3VkcMAmAAwAAQAAEZQAAsAawBoADAABAAARlAACwAwNTHVjYeKAmXMgaU1hYwxfZGV2aWNlLWluZm\/AIQAQAAEAABGUABoObW9kZWw9aU1hYzExLDMKb3N4dmVycz0xNwlfa2VyYmVyb3MKTHVjYXMtaU1hY8AmABAAAQAAEZQAMzJMS0RDOlNIQTEuNDkyNDgwQzNFQTgyODI3NzFBMEQyODhGMTExRUY5RTc1MUY5NUE2Mw1MdWNh4oCZcyBpTWFjBF9zbWLAIQAQgAEAABGUAAEAwGsADAABAAARlAACwUHBQQAMAAEAABGUAALBMw1MdWNh4oCZcyBpTWFjC19hZnBvdmVydGNwwCEAEIABAAARlAABAMBrAAwAAQAAEZQAAsF9wX0ADAABAAARlAACwW8NTHVjYeKAmXMgaU1hYwRfc3NowCEAEIABAAARlAABAMBrAAwAAQAAEZQAAsHAwcAADAABAAARlAACwbINTHVjYeKAmXMgaU1hYwlfc2Z0cC1zc2jAIQAQgAEAABGUAAEAwGsADAABAAARlAACwfzB\/AAMAAEAABGUAALB7sAMACGAAQAAAHgACAAAAADAAMDpwTMAIYABAAAAeAAIAAAAAAG9wOnBbwAhgAEAAAB4AAgAAAAAAiTA6cGyACGAAQAAAHgACAAAAAAAFsDpwe4AIYABAAAAeAAIAAAAAAAWwOkNTHVjYeKAmXMgaU1hYwRfbmZzwCEAEIABAAARlAABAMBrAAwAAQAAEZQAAsKhwqEADAABAAARlAACwpPCkwAhgAEAAAB4AAgAAAAACAHA6Q1MdWNh4oCZcyBpTWFjD19jb21wYW5pb24tbGlua8AhABCAAQAAEZQAWBZycEJBPTU5OjUxOjAyOjJGOkE0OkZGCnJwVnI9MTUyLjERcnBIST0wNzE2ZDA1OTQ0YWYRcnBITj04YjUzMjQzNTlkN2QRcnBIQT0yOGQ0YmVkNTE3ODDAawAMAAEAABGUAALC8cLxAAwAAQAAEZQAAsLjwuMAIYABAAAAeAAIAAAAAMADwOkDMjE2AzIyNQMyNTQDMTY5B2luLWFkZHIEYXJwYQAADIABAAAAeAACwOnA6QABgAEAAAB4AASp\/uHYwAwAL4ABAAARlAAJwAwABQAAgABAwTMAL4ABAAARlAAJwTMABQAAgABAwW8AL4ABAAARlAAJwW8ABQAAgABAwbIAL4ABAAARlAAJwbIABQAAgABAwe4AL4ABAAARlAAJwe4ABQAAgABAwpMAL4ABAAARlAAJwpMABQAAgABAwuMAL4ABAAARlAAJwuMABQAAgABAw5UAL4ABAAAAeAAGw5UAAgAIwOkAL4ABAAAAeAAFwOkAAUAAACkFoAAAEZQAEgAEAA4AA
MQsAwZJ\/tgwYlYAHA=="}
-00645{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":5,"source":"iphone.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":1,"flow_first_seen":1582454553607,"flow_last_seen":1582454553607,"flow_idle_time":180000,"flow_min_l4_payload_len":1186,"flow_max_l4_payload_len":1186,"flow_tot_l4_payload_len":1186,"flow_avg_l4_payload_len":1186,"midstream":0,"ts_msec":1582454553607,"l3_proto":"ip4","src_ip":"169.254.225.216","dst_ip":"224.0.0.251","src_port":5353,"dst_port":5353,"l4_proto":"udp","ndpi": {"proto":"MDNS","breed":"Acceptable","category":"Network"},"mdns": {"answer":"luca___s_imac._odisk._tcp.local"}}
+00645{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":5,"source":"iphone.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":1,"flow_first_seen":1582454553607,"flow_last_seen":1582454553607,"flow_idle_time":180000,"flow_min_l4_payload_len":1186,"flow_max_l4_payload_len":1186,"flow_tot_l4_payload_len":1186,"flow_avg_l4_payload_len":1186,"midstream":0,"ts_msec":1582454553607,"l3_proto":"ip4","src_ip":"169.254.225.216","dst_ip":"224.0.0.251","src_port":5353,"dst_port":5353,"l4_proto":"udp","ndpi": {"proto":"MDNS","breed":"Acceptable","category":"Network"},"mdns": {"answer":"luca???s_imac._odisk._tcp.local"}}
00551{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":6,"source":"iphone.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":1,"flow_first_seen":1582454556158,"flow_last_seen":1582454556158,"flow_idle_time":180000,"flow_min_l4_payload_len":44,"flow_max_l4_payload_len":44,"flow_tot_l4_payload_len":44,"flow_avg_l4_payload_len":44,"midstream":0,"ts_msec":1582454556158,"l3_proto":"ip4","src_ip":"192.168.2.1","dst_ip":"192.168.2.255","src_port":57621,"dst_port":57621,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00492{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6,"source":"iphone.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":1,"flow_last_seen":1582454556158,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"ts_msec":1582454556158,"pkt":"\/\/\/\/\/\/\/\/xiwDYGpkCABFAABITwkAAEARpUvAqAIBwKgC\/+EV4RUANNgcU3BvdFVkcDDcFXQoLlJiTAABAARIlcIDokHeIIm5eNggVkvVDJHA6KPmCng="}
00585{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":6,"source":"iphone.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":1,"flow_first_seen":1582454556158,"flow_last_seen":1582454556158,"flow_idle_time":180000,"flow_min_l4_payload_len":44,"flow_max_l4_payload_len":44,"flow_tot_l4_payload_len":44,"flow_avg_l4_payload_len":44,"midstream":0,"ts_msec":1582454556158,"l3_proto":"ip4","src_ip":"192.168.2.1","dst_ip":"192.168.2.255","src_port":57621,"dst_port":57621,"l4_proto":"udp","ndpi": {"proto":"Spotify","breed":"Acceptable","category":"Music"}}
@@ -46,7 +46,7 @@
00148{"basic_event_id":5,"basic_event_name":"Unknown packet type","thread_id":0,"packet_id":28,"source":"iphone.pcap","alias":"nDPId-test","type":34958}
00550{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":30,"source":"iphone.pcap","alias":"nDPId-test","flow_id":10,"flow_packets_processed":1,"flow_first_seen":1582454595352,"flow_last_seen":1582454595352,"flow_idle_time":180000,"flow_min_l4_payload_len":300,"flow_max_l4_payload_len":300,"flow_tot_l4_payload_len":300,"flow_avg_l4_payload_len":300,"midstream":0,"ts_msec":1582454595352,"l3_proto":"ip4","src_ip":"192.168.2.1","dst_ip":"192.168.2.17","src_port":67,"dst_port":68,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00832{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":30,"source":"iphone.pcap","alias":"nDPId-test","flow_id":10,"flow_packet_id":1,"flow_last_seen":1582454595352,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":342,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":342,"pkt_l4_len":308,"ts_msec":1582454595352,"pkt":"xGGLNYKpxiwDYGpkCABFAAFILXQAAP8RB87AqAIBwKgCEQBDAEQBNJWvAgEGALeWutEAAAAAAAAAAMCoAhHAqAIBAAAAAMRhizWCqQAAAAAAAAAAAABMdWNhcy1pTWFjLmxvY2FsAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABjglNjNQECNgTAqAIBMwQAAU4gAQT\/\/\/8AAwTAqAIBBgTAqAIB\/wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}
-00610{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":30,"source":"iphone.pcap","alias":"nDPId-test","flow_id":10,"flow_packets_processed":1,"flow_first_seen":1582454595352,"flow_last_seen":1582454595352,"flow_idle_time":180000,"flow_min_l4_payload_len":300,"flow_max_l4_payload_len":300,"flow_tot_l4_payload_len":300,"flow_avg_l4_payload_len":300,"midstream":0,"ts_msec":1582454595352,"l3_proto":"ip4","src_ip":"192.168.2.1","dst_ip":"192.168.2.17","src_port":67,"dst_port":68,"l4_proto":"udp","ndpi": {"proto":"DHCP","breed":"Acceptable","category":"Network"},"dhcp": {"fingerprint":""}}
+00641{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":30,"source":"iphone.pcap","alias":"nDPId-test","flow_id":10,"flow_packets_processed":1,"flow_first_seen":1582454595352,"flow_last_seen":1582454595352,"flow_idle_time":180000,"flow_min_l4_payload_len":300,"flow_max_l4_payload_len":300,"flow_tot_l4_payload_len":300,"flow_avg_l4_payload_len":300,"midstream":0,"ts_msec":1582454595352,"l3_proto":"ip4","src_ip":"192.168.2.1","dst_ip":"192.168.2.17","src_port":67,"dst_port":68,"l4_proto":"udp","ndpi": {"proto":"DHCP","breed":"Acceptable","category":"Network"},"dhcp": {"hostname":"","fingerprint":"","class_ident":""}}
00516{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":31,"source":"iphone.pcap","alias":"nDPId-test","flow_id":11,"flow_packets_processed":1,"flow_first_seen":1582454595354,"flow_last_seen":1582454595354,"flow_idle_time":120000,"flow_min_l4_payload_len":32,"flow_max_l4_payload_len":32,"flow_tot_l4_payload_len":32,"flow_avg_l4_payload_len":32,"midstream":0,"ts_msec":1582454595354,"l3_proto":"ip6","src_ip":"::","dst_ip":"ff02::1:ff98:a29c","l4_proto":"icmp6","flow_datalink":1,"flow_max_packets":3}
00490{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":31,"source":"iphone.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":1,"flow_last_seen":1582454595354,"flow_idle_time":120000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"ts_msec":1582454595354,"pkt":"MzP\/mKKcxGGLNYKpht1gAAAAACA6\/wAAAAAAAAAAAAAAAAAAAAD\/AgAAAAAAAAAAAAH\/mKKchwBApQAAAAD+gAAAAAAAAAgjPxeCmKKcDgEq29a5HEA="}
00551{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":31,"source":"iphone.pcap","alias":"nDPId-test","flow_id":11,"flow_packets_processed":1,"flow_first_seen":1582454595354,"flow_last_seen":1582454595354,"flow_idle_time":120000,"flow_min_l4_payload_len":32,"flow_max_l4_payload_len":32,"flow_tot_l4_payload_len":32,"flow_avg_l4_payload_len":32,"midstream":0,"ts_msec":1582454595354,"l3_proto":"ip6","src_ip":"::","dst_ip":"ff02::1:ff98:a29c","l4_proto":"icmp6","ndpi": {"proto":"ICMPV6","breed":"Acceptable","category":"Network"}}
@@ -131,7 +131,7 @@
00462{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":97,"source":"iphone.pcap","alias":"nDPId-test","flow_id":26,"flow_packet_id":3,"flow_last_seen":1582454598546,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1582454598546,"pkt":"xiwDYGpkxGGLNYKpCABFAAA0AABAAEAG\/EPAqAIREf1pysWSAbt\/OqmN8vqp6oAQBAt5ywAAAQEIChHf5\/eK\/qiV"}
00844{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":98,"source":"iphone.pcap","alias":"nDPId-test","flow_id":26,"flow_packets_processed":4,"flow_first_seen":1582454598416,"flow_last_seen":1582454598546,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1582454598546,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"17.253.105.202","src_port":50578,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Apple","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mesu.apple.com","ja3":"6fa3244afc6bb6f9fad207b6b52af26b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00925{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":102,"source":"iphone.pcap","alias":"nDPId-test","flow_id":20,"flow_packets_processed":6,"flow_first_seen":1582454598252,"flow_last_seen":1582454598558,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":1957,"flow_avg_l4_payload_len":326,"midstream":0,"ts_msec":1582454598558,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"17.248.185.140","src_port":50575,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AppleiCloud","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"p26-fmfmobile.icloud.com","ja3":"6fa3244afc6bb6f9fad207b6b52af26b","ja3s":"1e60202b4001a190621caa963fb76697","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-03098{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":106,"source":"iphone.pcap","alias":"nDPId-test","flow_id":20,"flow_packets_processed":10,"flow_first_seen":1582454598252,"flow_last_seen":1582454598568,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":6277,"flow_avg_l4_payload_len":627,"midstream":0,"ts_msec":1582454598568,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"17.248.185.140","src_port":50575,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AppleiCloud","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"p26-fmfmobile.icloud.com","server_names":"p67-fmfmobile.icloud.com,p48-fmfmobile.icloud.com,p53-fmfmobile.icloud.com,p34-fmfmobile.icloud.com,p72-fmfmobile.icloud.com,fmfmobile.icloud.com,p08-fmfmobile.icloud.com,p12-fmfmobile.icloud.com,p02-fmfmobile.icloud.com,p29-fmfmobile.icloud.com,p52-fmfmobile.icloud.com,p26-fmfmobile.icloud.com,p06-fmfmobile.icloud.com,p97-fmfmobile.icloud.com,p41-fmfmobile.icloud.com,p40-fmfmobile.icloud.com,p18-fmfmobile.icloud.com,p55-fmfmobile.icloud.com,p70-fmfmobile.icloud.com,p32-fmfmobile.icloud.com,p69-fmfmobile.icloud.com,p17-fmfmobile.icloud.com,p13-fmfmobile.icloud.com,p38-fmfmobile.icloud.com,p11-fmfmobile.icloud.com,p21-fmfmobile.icloud.com,p27-fmfmobile.icloud.com,p42-fmfmobile.icloud.com,p37-fmfmobile.icloud.com,p56-fmfmobile.icloud.com,p50-fmfmobile.icloud.com,p58-fmfmobile.icloud.com,p39-fmfmobile.icloud.com,p45-fmfmobile.icloud.com,p49-fmfmobile.icloud.com,p68-fmfmobile.icloud.com,p10-fmfmobile.icloud.com,p22-fmfmobile.icloud.com,p07-fmfmobile.icloud.com,p25-fmfmobile.icloud.com,p20-fmfmobile.icloud.com,p71-fmfmobile.icloud.com,p05-fmfmobile.icloud.com,p98-fmfmobile.icloud.com,p66-fmfmobile.icloud.com,p15-fmfmobile.icloud.com,p16-fmfmobile.icloud.com,p44-fmfmobile.icloud.com,p04-fmfmobile.icloud.com,p09-fmfmobile.icloud.com,p23-fmfmobile.icloud.com,p61-fmfmobile.
icloud.com,p30-fmfmobile.icloud.com,p46-fmfmobile.icloud.com,p60-fmfmobile.icloud.com,p43-fmfmobile.icloud.com,p57-fmfmobile.icloud.com,p14-fmfmobile.icloud.com,p03-fmfmobile.icloud.com,p36-fmfmobile.icloud.com,p64-fmfmobile.icloud.com,p28-fmfmobile.icloud.com,p24-fmfmobile.icloud.com,p202-fmfmobile.icloud.com,p01-fmfmobile.icloud.com,p62-fmfmobile.icloud.com,p47-fmfmobile.icloud.com,p35-fmfmobile.icloud.com,p65-fmfmobile.icloud.com,p31-fmfmobile.icloud.com,p63-fmfmobile.icloud.com,p19-fmfmobile.icloud.com,p33-fmfmobile.icloud.com,p51-fmfmobile.icloud.com,p54-fmfmobile.icloud.com,p59-fmfmobile.icloud.com,p201-fmfmobile.icloud.com","ja3":"6fa3244afc6bb6f9fad207b6b52af26b","ja3s":"1e60202b4001a190621caa963fb76697","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","issuerDN":"CN=Apple IST CA 2 - G1, OU=Certification Authority, O=Apple Inc., C=US","issuerDN":"CN=fmfmobile.icloud.com, O=Apple Inc., ST=California, C=US","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"FF:C3:9F:1A:A1:3C:D2:3C:06:96:EC:49:B4:97:A9:D3:DA:05:A3:E2"}}
+03099{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":106,"source":"iphone.pcap","alias":"nDPId-test","flow_id":20,"flow_packets_processed":10,"flow_first_seen":1582454598252,"flow_last_seen":1582454598568,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":6277,"flow_avg_l4_payload_len":627,"midstream":0,"ts_msec":1582454598568,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"17.248.185.140","src_port":50575,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AppleiCloud","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"p26-fmfmobile.icloud.com","server_names":"p67-fmfmobile.icloud.com,p48-fmfmobile.icloud.com,p53-fmfmobile.icloud.com,p34-fmfmobile.icloud.com,p72-fmfmobile.icloud.com,fmfmobile.icloud.com,p08-fmfmobile.icloud.com,p12-fmfmobile.icloud.com,p02-fmfmobile.icloud.com,p29-fmfmobile.icloud.com,p52-fmfmobile.icloud.com,p26-fmfmobile.icloud.com,p06-fmfmobile.icloud.com,p97-fmfmobile.icloud.com,p41-fmfmobile.icloud.com,p40-fmfmobile.icloud.com,p18-fmfmobile.icloud.com,p55-fmfmobile.icloud.com,p70-fmfmobile.icloud.com,p32-fmfmobile.icloud.com,p69-fmfmobile.icloud.com,p17-fmfmobile.icloud.com,p13-fmfmobile.icloud.com,p38-fmfmobile.icloud.com,p11-fmfmobile.icloud.com,p21-fmfmobile.icloud.com,p27-fmfmobile.icloud.com,p42-fmfmobile.icloud.com,p37-fmfmobile.icloud.com,p56-fmfmobile.icloud.com,p50-fmfmobile.icloud.com,p58-fmfmobile.icloud.com,p39-fmfmobile.icloud.com,p45-fmfmobile.icloud.com,p49-fmfmobile.icloud.com,p68-fmfmobile.icloud.com,p10-fmfmobile.icloud.com,p22-fmfmobile.icloud.com,p07-fmfmobile.icloud.com,p25-fmfmobile.icloud.com,p20-fmfmobile.icloud.com,p71-fmfmobile.icloud.com,p05-fmfmobile.icloud.com,p98-fmfmobile.icloud.com,p66-fmfmobile.icloud.com,p15-fmfmobile.icloud.com,p16-fmfmobile.icloud.com,p44-fmfmobile.icloud.com,p04-fmfmobile.icloud.com,p09-fmfmobile.icloud.com,p23-fmfmobile.icloud.com,p61-fmfmobile.
icloud.com,p30-fmfmobile.icloud.com,p46-fmfmobile.icloud.com,p60-fmfmobile.icloud.com,p43-fmfmobile.icloud.com,p57-fmfmobile.icloud.com,p14-fmfmobile.icloud.com,p03-fmfmobile.icloud.com,p36-fmfmobile.icloud.com,p64-fmfmobile.icloud.com,p28-fmfmobile.icloud.com,p24-fmfmobile.icloud.com,p202-fmfmobile.icloud.com,p01-fmfmobile.icloud.com,p62-fmfmobile.icloud.com,p47-fmfmobile.icloud.com,p35-fmfmobile.icloud.com,p65-fmfmobile.icloud.com,p31-fmfmobile.icloud.com,p63-fmfmobile.icloud.com,p19-fmfmobile.icloud.com,p33-fmfmobile.icloud.com,p51-fmfmobile.icloud.com,p54-fmfmobile.icloud.com,p59-fmfmobile.icloud.com,p201-fmfmobile.icloud.com","ja3":"6fa3244afc6bb6f9fad207b6b52af26b","ja3s":"1e60202b4001a190621caa963fb76697","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","issuerDN":"CN=Apple IST CA 2 - G1, OU=Certification Authority, O=Apple Inc., C=US","subjectDN":"CN=fmfmobile.icloud.com, O=Apple Inc., ST=California, C=US","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"FF:C3:9F:1A:A1:3C:D2:3C:06:96:EC:49:B4:97:A9:D3:DA:05:A3:E2"}}
00701{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":110,"source":"iphone.pcap","alias":"nDPId-test","flow_id":28,"flow_packet_id":2,"flow_last_seen":1582454598582,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":244,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":244,"pkt_l4_len":210,"ts_msec":1582454598582,"pkt":"xGGLNYKpxiwDYGpkCABFAADmpdwAAEARTsjAqAIBwKgCEQA1znQA0sdAsQ+BgAABAAkAAAAAB2dhdGV3YXkGaWNsb3VkA2NvbQAAAQABwAwABQABAAARlgAaB2dhdGV3YXkCZmUJYXBwbGUtZG5zA25ldADAMAABAAEAAAAiAAQR+LBLwDAAAQABAAAAIgAEEfixhcAwAAEAAQAAACIABBH4sCjAMAABAAEAAAAiAAQR+LCNwDAAAQABAAAAIgAEEfiwTcAwAAEAAQAAACIABBH4sWXAMAABAAEAAAAiAAQR+LGqwDAAAQABAAAAIgAEEfiwiQ=="}
00741{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":110,"source":"iphone.pcap","alias":"nDPId-test","flow_id":28,"flow_packets_processed":2,"flow_first_seen":1582454598542,"flow_last_seen":1582454598582,"flow_idle_time":180000,"flow_min_l4_payload_len":36,"flow_max_l4_payload_len":202,"flow_tot_l4_payload_len":238,"flow_avg_l4_payload_len":119,"midstream":0,"ts_msec":1582454598582,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"192.168.2.1","src_port":52852,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.AppleiCloud","breed":"Acceptable","category":"Web"},"dns": {"query":"gateway.icloud.com","num_queries":1,"num_answers":9,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"17.248.176.75"}}
00886{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":112,"source":"iphone.pcap","alias":"nDPId-test","flow_id":27,"flow_packets_processed":6,"flow_first_seen":1582454598418,"flow_last_seen":1582454598584,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":1957,"flow_avg_l4_payload_len":326,"midstream":0,"ts_msec":1582454598584,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"17.253.105.202","src_port":50579,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Apple","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"mesu.apple.com","ja3":"6fa3244afc6bb6f9fad207b6b52af26b","ja3s":"f4febc55ea12b31ae17cfb7e614afda8","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
@@ -139,7 +139,7 @@
00479{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":118,"source":"iphone.pcap","alias":"nDPId-test","flow_id":29,"flow_packet_id":1,"flow_last_seen":1582454598587,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"ts_msec":1582454598587,"pkt":"xiwDYGpkxGGLNYKpCABFAABAAABAAEAGtbvAqAIREfiwS8WUAbuGKOrDAAAAALDC\/\/9\/HgAAAgQFtAEDAwcBAQgKEd\/oBAAAAAAEAgAA"}
00886{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":124,"source":"iphone.pcap","alias":"nDPId-test","flow_id":26,"flow_packets_processed":6,"flow_first_seen":1582454598416,"flow_last_seen":1582454598590,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":1957,"flow_avg_l4_payload_len":326,"midstream":0,"ts_msec":1582454598590,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"17.253.105.202","src_port":50578,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Apple","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"mesu.apple.com","ja3":"6fa3244afc6bb6f9fad207b6b52af26b","ja3s":"f4febc55ea12b31ae17cfb7e614afda8","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00906{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":128,"source":"iphone.pcap","alias":"nDPId-test","flow_id":24,"flow_packets_processed":6,"flow_first_seen":1582454598385,"flow_last_seen":1582454598592,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":1957,"flow_avg_l4_payload_len":326,"midstream":0,"ts_msec":1582454598592,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"17.130.2.46","src_port":50577,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Apple","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"gsp85-ssl.ls.apple.com","ja3":"55271a105172d5f225e4704755b9b250","ja3s":"4ef1b297bb817d8212165a86308bac5f","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-01197{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":130,"source":"iphone.pcap","alias":"nDPId-test","flow_id":24,"flow_packets_processed":8,"flow_first_seen":1582454598385,"flow_last_seen":1582454598592,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":4123,"flow_avg_l4_payload_len":515,"midstream":0,"ts_msec":1582454598592,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"17.130.2.46","src_port":50577,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Apple","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"gsp85-ssl.ls.apple.com","server_names":"*.ls.apple.com","ja3":"55271a105172d5f225e4704755b9b250","ja3s":"4ef1b297bb817d8212165a86308bac5f","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"CN=Apple IST CA 2 - G1, OU=Certification Authority, O=Apple Inc., C=US","issuerDN":"CN=*.ls.apple.com, OU=management:idms.group.576486, O=Apple Inc., ST=California, C=US","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"E4:85:25:4C:99:F8:FB:66:49:4B:80:64:5E:63:2A:75:9B:8F:C3:51"}}
+01198{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":130,"source":"iphone.pcap","alias":"nDPId-test","flow_id":24,"flow_packets_processed":8,"flow_first_seen":1582454598385,"flow_last_seen":1582454598592,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":4123,"flow_avg_l4_payload_len":515,"midstream":0,"ts_msec":1582454598592,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"17.130.2.46","src_port":50577,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Apple","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"gsp85-ssl.ls.apple.com","server_names":"*.ls.apple.com","ja3":"55271a105172d5f225e4704755b9b250","ja3s":"4ef1b297bb817d8212165a86308bac5f","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"CN=Apple IST CA 2 - G1, OU=Certification Authority, O=Apple Inc., C=US","subjectDN":"CN=*.ls.apple.com, OU=management:idms.group.576486, O=Apple Inc., ST=California, C=US","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"E4:85:25:4C:99:F8:FB:66:49:4B:80:64:5E:63:2A:75:9B:8F:C3:51"}}
00472{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":133,"source":"iphone.pcap","alias":"nDPId-test","flow_id":29,"flow_packet_id":2,"flow_last_seen":1582454598621,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1582454598621,"pkt":"xGGLNYKpxiwDYGpkCABFAAA8AAAAAC4GB8AR+LBLwKgCEQG7xZQAd9VghijqxKBScSDqGQAAAgQFrAEBCApbEwd4Ed\/oBAEDAwU="}
00550{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":135,"source":"iphone.pcap","alias":"nDPId-test","flow_id":30,"flow_packets_processed":1,"flow_first_seen":1582454598713,"flow_last_seen":1582454598713,"flow_idle_time":180000,"flow_min_l4_payload_len":32,"flow_max_l4_payload_len":32,"flow_tot_l4_payload_len":32,"flow_avg_l4_payload_len":32,"midstream":0,"ts_msec":1582454598713,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"192.168.2.1","src_port":52682,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00470{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":135,"source":"iphone.pcap","alias":"nDPId-test","flow_id":30,"flow_packet_id":1,"flow_last_seen":1582454598713,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1582454598713,"pkt":"xiwDYGpkxGGLNYKpCABFAAA8BIgAAP8RMcbAqAIRwKgCAc3KADUAKGCiwekBAAABAAAAAAAAA3d3dwZpY2xvdWQDY29tAAABAAE="}
@@ -188,12 +188,12 @@
00723{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":183,"source":"iphone.pcap","alias":"nDPId-test","flow_id":33,"flow_packets_processed":2,"flow_first_seen":1582454598713,"flow_last_seen":1582454598760,"flow_idle_time":180000,"flow_min_l4_payload_len":31,"flow_max_l4_payload_len":170,"flow_tot_l4_payload_len":201,"flow_avg_l4_payload_len":100,"midstream":0,"ts_msec":1582454598760,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"192.168.2.1","src_port":62526,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Apple","breed":"Safe","category":"Web"},"dns": {"query":"cl4.apple.com","num_queries":1,"num_answers":4,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"104.73.61.30"}}
00550{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":184,"source":"iphone.pcap","alias":"nDPId-test","flow_id":39,"flow_packets_processed":1,"flow_first_seen":1582454598766,"flow_last_seen":1582454598766,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1582454598766,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"92.122.252.82","src_port":50582,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00479{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":184,"source":"iphone.pcap","alias":"nDPId-test","flow_id":39,"flow_packet_id":1,"flow_last_seen":1582454598766,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"ts_msec":1582454598766,"pkt":"xiwDYGpkxGGLNYKpCABFAABAAABAAEAGHzLAqAIRXHr8UsWWAbuHn+lSAAAAALDC\/\/\/nwQAAAgQFtAEDAwcBAQgKEd\/ozwAAAAAEAgAA"}
-01290{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":185,"source":"iphone.pcap","alias":"nDPId-test","flow_id":29,"flow_packets_processed":8,"flow_first_seen":1582454598587,"flow_last_seen":1582454598768,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":4837,"flow_avg_l4_payload_len":604,"midstream":0,"ts_msec":1582454598768,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"17.248.176.75","src_port":50580,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AppleiCloud","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"gateway.icloud.com","server_names":"gateway-india.icloud.com,gateway-carry.icloud.com,gateway.icloud.com,gateway-australia.icloud.com,gateway-sandbox.icloud.com","ja3":"6fa3244afc6bb6f9fad207b6b52af26b","ja3s":"1e60202b4001a190621caa963fb76697","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","issuerDN":"CN=Apple IST CA 2 - G1, OU=Certification Authority, O=Apple Inc., C=US","issuerDN":"CN=gateway.icloud.com, O=Apple Inc., ST=California, C=US","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"D2:DA:1C:68:0C:91:A7:DB:BA:B2:2D:29:06:DB:57:42:10:3D:3A:FE"}}
+01291{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":185,"source":"iphone.pcap","alias":"nDPId-test","flow_id":29,"flow_packets_processed":8,"flow_first_seen":1582454598587,"flow_last_seen":1582454598768,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":4837,"flow_avg_l4_payload_len":604,"midstream":0,"ts_msec":1582454598768,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"17.248.176.75","src_port":50580,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AppleiCloud","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"gateway.icloud.com","server_names":"gateway-india.icloud.com,gateway-carry.icloud.com,gateway.icloud.com,gateway-australia.icloud.com,gateway-sandbox.icloud.com","ja3":"6fa3244afc6bb6f9fad207b6b52af26b","ja3s":"1e60202b4001a190621caa963fb76697","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","issuerDN":"CN=Apple IST CA 2 - G1, OU=Certification Authority, O=Apple Inc., C=US","subjectDN":"CN=gateway.icloud.com, O=Apple Inc., ST=California, C=US","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"D2:DA:1C:68:0C:91:A7:DB:BA:B2:2D:29:06:DB:57:42:10:3D:3A:FE"}}
00474{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":191,"source":"iphone.pcap","alias":"nDPId-test","flow_id":39,"flow_packet_id":2,"flow_last_seen":1582454598801,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1582454598801,"pkt":"xGGLNYKpxiwDYGpkCABFAAA8AAAAADUGajZcevxSwKgCEQG7xZaFiMYch5\/pU6BScSAUDwAAAgQFrAQCCAr\/dyjxEd\/ozwEDAwc="}
00472{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":192,"source":"iphone.pcap","alias":"nDPId-test","flow_id":38,"flow_packet_id":2,"flow_last_seen":1582454598867,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1582454598867,"pkt":"xGGLNYKpxiwDYGpkCABFAAA8AAAAADEG+7MR+LlXwKgCEQG7xZWfE+IlqBre6aBScSBsSgAAAgQFrAEBCArpLCwFEd\/opwEDAwU="}
00520{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":193,"source":"iphone.pcap","alias":"nDPId-test","flow_id":40,"flow_packets_processed":1,"flow_first_seen":1582454598885,"flow_last_seen":1582454598885,"flow_idle_time":120000,"flow_min_l4_payload_len":36,"flow_max_l4_payload_len":36,"flow_tot_l4_payload_len":36,"flow_avg_l4_payload_len":36,"midstream":0,"ts_msec":1582454598885,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"192.168.2.1","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3}
00466{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":193,"source":"iphone.pcap","alias":"nDPId-test","flow_id":40,"flow_packet_id":1,"flow_last_seen":1582454598885,"flow_idle_time":120000,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":70,"pkt_l4_len":36,"ts_msec":1582454598885,"pkt":"xiwDYGpkxGGLNYKpCABFAAA4434AAEABEeTAqAIRwKgCAQMDBHsAAAAARQAAz8hDAABAESx4wKgCAcCoAhEANfeRALsAAA=="}
-00553{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":193,"source":"iphone.pcap","alias":"nDPId-test","flow_id":40,"flow_packets_processed":1,"flow_first_seen":1582454598885,"flow_last_seen":1582454598885,"flow_idle_time":120000,"flow_min_l4_payload_len":36,"flow_max_l4_payload_len":36,"flow_tot_l4_payload_len":36,"flow_avg_l4_payload_len":36,"midstream":0,"ts_msec":1582454598885,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"192.168.2.1","l4_proto":"icmp","ndpi": {"proto":"ICMP","breed":"Acceptable","category":"Network"}}
+00572{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":193,"source":"iphone.pcap","alias":"nDPId-test","flow_id":40,"flow_packets_processed":1,"flow_first_seen":1582454598885,"flow_last_seen":1582454598885,"flow_idle_time":120000,"flow_min_l4_payload_len":36,"flow_max_l4_payload_len":36,"flow_tot_l4_payload_len":36,"flow_avg_l4_payload_len":36,"midstream":0,"ts_msec":1582454598885,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"192.168.2.1","l4_proto":"icmp","ndpi": {"proto":"ICMP","breed":"Acceptable","category":"Network"},"entropy":3.664498}
00466{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":194,"source":"iphone.pcap","alias":"nDPId-test","flow_id":40,"flow_packet_id":2,"flow_last_seen":1582454598886,"flow_idle_time":120000,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":70,"pkt_l4_len":36,"ts_msec":1582454598886,"pkt":"xiwDYGpkxGGLNYKpCABFAAA4zMkAAEABKJnAqAIRwKgCAQMDKS0AAAAARQAAz3UJAABAEX+ywKgCAcCoAhEANdLfALsAAA=="}
00466{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":196,"source":"iphone.pcap","alias":"nDPId-test","flow_id":40,"flow_packet_id":3,"flow_last_seen":1582454598886,"flow_idle_time":120000,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":70,"pkt_l4_len":36,"ts_msec":1582454598886,"pkt":"xiwDYGpkxGGLNYKpCABFAAA4CTAAAEAB7DLAqAIRwKgCAQMDOTMAAAAARQAA0GrYAABAEYniwKgCAcCoAhEANcLYALwAAA=="}
00549{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":200,"source":"iphone.pcap","alias":"nDPId-test","flow_id":41,"flow_packets_processed":1,"flow_first_seen":1582454598888,"flow_last_seen":1582454598888,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1582454598888,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"104.73.61.30","src_port":50583,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -208,7 +208,7 @@
00842{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":222,"source":"iphone.pcap","alias":"nDPId-test","flow_id":41,"flow_packets_processed":4,"flow_first_seen":1582454598888,"flow_last_seen":1582454598934,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1582454598934,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"104.73.61.30","src_port":50583,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Apple","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"cl4.apple.com","ja3":"6fa3244afc6bb6f9fad207b6b52af26b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00883{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":225,"source":"iphone.pcap","alias":"nDPId-test","flow_id":41,"flow_packets_processed":6,"flow_first_seen":1582454598888,"flow_last_seen":1582454598974,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":1957,"flow_avg_l4_payload_len":326,"midstream":0,"ts_msec":1582454598974,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"104.73.61.30","src_port":50583,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Apple","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"cl4.apple.com","ja3":"6fa3244afc6bb6f9fad207b6b52af26b","ja3s":"15af977ce25de452b96affa2addb1036","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00930{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":233,"source":"iphone.pcap","alias":"nDPId-test","flow_id":38,"flow_packets_processed":6,"flow_first_seen":1582454598721,"flow_last_seen":1582454599041,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":1957,"flow_avg_l4_payload_len":326,"midstream":0,"ts_msec":1582454599041,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"17.248.185.87","src_port":50581,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AppleiCloud","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"p26-keyvalueservice.icloud.com","ja3":"6fa3244afc6bb6f9fad207b6b52af26b","ja3s":"1e60202b4001a190621caa963fb76697","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-03570{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":237,"source":"iphone.pcap","alias":"nDPId-test","flow_id":38,"flow_packets_processed":9,"flow_first_seen":1582454598721,"flow_last_seen":1582454599054,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":6277,"flow_avg_l4_payload_len":697,"midstream":0,"ts_msec":1582454599054,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"17.248.185.87","src_port":50581,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AppleiCloud","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"p26-keyvalueservice.icloud.com","server_names":"p62-keyvalueservice.icloud.com,p41-keyvalueservice.icloud.com,p97-keyvalueservice.icloud.com,p28-keyvalueservice.icloud.com,p32-keyvalueservice.icloud.com,p56-keyvalueservice.icloud.com,p33-keyvalueservice.icloud.com,p37-keyvalueservice.icloud.com,p67-keyvalueservice.icloud.com,p70-keyvalueservice.icloud.com,p63-keyvalueservice.icloud.com,p07-keyvalueservice.icloud.com,p52-keyvalueservice.icloud.com,p18-keyvalueservice.icloud.com,p21-keyvalueservice.icloud.com,p17-keyvalueservice.icloud.com,p36-keyvalueservice.icloud.com,p19-keyvalueservice.icloud.com,p26-keyvalueservice.icloud.com,p55-keyvalueservice.icloud.com,p06-keyvalueservice.icloud.com,p23-keyvalueservice.icloud.com,p65-keyvalueservice.icloud.com,p58-keyvalueservice.icloud.com,p35-keyvalueservice.icloud.com,p42-keyvalueservice.icloud.com,p12-keyvalueservice.icloud.com,p15-keyvalueservice.icloud.com,p16-keyvalueservice.icloud.com,p29-keyvalueservice.icloud.com,p39-keyvalueservice.icloud.com,p71-keyvalueservice.icloud.com,p22-keyvalueservice.icloud.com,p40-keyvalueservice.icloud.com,p11-keyvalueservice.icloud.com,p66-keyvalueservice.icloud.com,p68-keyvalueservice.icloud.com,p201-keyvalueservice.icloud.com,p10-keyvalueservice.icloud.com,p61-keyvalueservice.icloud.com,p30-keyvalueservice.icloud.com,p01-keyva
lueservice.icloud.com,p14-keyvalueservice.icloud.com,p50-keyvalueservice.icloud.com,p31-keyvalueservice.icloud.com,p47-keyvalueservice.icloud.com,p48-keyvalueservice.icloud.com,p20-keyvalueservice.icloud.com,p51-keyvalueservice.icloud.com,p27-keyvalueservice.icloud.com,p49-keyvalueservice.icloud.com,p03-keyvalueservice.icloud.com,p24-keyvalueservice.icloud.com,p25-keyvalueservice.icloud.com,p08-keyvalueservice.icloud.com,p13-keyvalueservice.icloud.com,p04-keyvalueservice.icloud.com,p05-keyvalueservice.icloud.com,p02-keyvalueservice.icloud.com,p09-keyvalueservice.icloud.com,p57-keyvalueservice.icloud.com,p59-keyvalueservice.icloud.com,p64-keyvalueservice.icloud.com,p38-keyvalueservice.icloud.com,p54-keyvalueservice.icloud.com,p72-keyvalueservice.icloud.com,keyvalueservice.icloud.com,p69-keyvalueservice.icloud.com,p43-keyvalueservice.icloud.com,p45-keyvalueservice.icloud.com,p202-keyvalueservice.icloud.com,p98-keyvalueservice.icloud.com,p34-keyvalueservice.icloud.com,p44-keyvalueservice.icloud.com,p46-keyvalueservice.icloud.com,p53-keyvalueservice.icloud.com,p60-keyvalueservice.icloud.com","ja3":"6fa3244afc6bb6f9fad207b6b52af26b","ja3s":"1e60202b4001a190621caa963fb76697","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","issuerDN":"CN=Apple IST CA 2 - G1, OU=Certification Authority, O=Apple Inc., C=US","issuerDN":"CN=keyvalueservice.icloud.com, O=Apple Inc., ST=California, C=US","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"D8:84:3B:15:06:49:1C:72:C4:05:C0:F0:82:3B:43:4A:D1:8F:D5:9F"}}
+03571{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":237,"source":"iphone.pcap","alias":"nDPId-test","flow_id":38,"flow_packets_processed":9,"flow_first_seen":1582454598721,"flow_last_seen":1582454599054,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":6277,"flow_avg_l4_payload_len":697,"midstream":0,"ts_msec":1582454599054,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"17.248.185.87","src_port":50581,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AppleiCloud","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"p26-keyvalueservice.icloud.com","server_names":"p62-keyvalueservice.icloud.com,p41-keyvalueservice.icloud.com,p97-keyvalueservice.icloud.com,p28-keyvalueservice.icloud.com,p32-keyvalueservice.icloud.com,p56-keyvalueservice.icloud.com,p33-keyvalueservice.icloud.com,p37-keyvalueservice.icloud.com,p67-keyvalueservice.icloud.com,p70-keyvalueservice.icloud.com,p63-keyvalueservice.icloud.com,p07-keyvalueservice.icloud.com,p52-keyvalueservice.icloud.com,p18-keyvalueservice.icloud.com,p21-keyvalueservice.icloud.com,p17-keyvalueservice.icloud.com,p36-keyvalueservice.icloud.com,p19-keyvalueservice.icloud.com,p26-keyvalueservice.icloud.com,p55-keyvalueservice.icloud.com,p06-keyvalueservice.icloud.com,p23-keyvalueservice.icloud.com,p65-keyvalueservice.icloud.com,p58-keyvalueservice.icloud.com,p35-keyvalueservice.icloud.com,p42-keyvalueservice.icloud.com,p12-keyvalueservice.icloud.com,p15-keyvalueservice.icloud.com,p16-keyvalueservice.icloud.com,p29-keyvalueservice.icloud.com,p39-keyvalueservice.icloud.com,p71-keyvalueservice.icloud.com,p22-keyvalueservice.icloud.com,p40-keyvalueservice.icloud.com,p11-keyvalueservice.icloud.com,p66-keyvalueservice.icloud.com,p68-keyvalueservice.icloud.com,p201-keyvalueservice.icloud.com,p10-keyvalueservice.icloud.com,p61-keyvalueservice.icloud.com,p30-keyvalueservice.icloud.com,p01-keyva
lueservice.icloud.com,p14-keyvalueservice.icloud.com,p50-keyvalueservice.icloud.com,p31-keyvalueservice.icloud.com,p47-keyvalueservice.icloud.com,p48-keyvalueservice.icloud.com,p20-keyvalueservice.icloud.com,p51-keyvalueservice.icloud.com,p27-keyvalueservice.icloud.com,p49-keyvalueservice.icloud.com,p03-keyvalueservice.icloud.com,p24-keyvalueservice.icloud.com,p25-keyvalueservice.icloud.com,p08-keyvalueservice.icloud.com,p13-keyvalueservice.icloud.com,p04-keyvalueservice.icloud.com,p05-keyvalueservice.icloud.com,p02-keyvalueservice.icloud.com,p09-keyvalueservice.icloud.com,p57-keyvalueservice.icloud.com,p59-keyvalueservice.icloud.com,p64-keyvalueservice.icloud.com,p38-keyvalueservice.icloud.com,p54-keyvalueservice.icloud.com,p72-keyvalueservice.icloud.com,keyvalueservice.icloud.com,p69-keyvalueservice.icloud.com,p43-keyvalueservice.icloud.com,p45-keyvalueservice.icloud.com,p202-keyvalueservice.icloud.com,p98-keyvalueservice.icloud.com,p34-keyvalueservice.icloud.com,p44-keyvalueservice.icloud.com,p46-keyvalueservice.icloud.com,p53-keyvalueservice.icloud.com,p60-keyvalueservice.icloud.com","ja3":"6fa3244afc6bb6f9fad207b6b52af26b","ja3s":"1e60202b4001a190621caa963fb76697","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","issuerDN":"CN=Apple IST CA 2 - G1, OU=Certification Authority, O=Apple Inc., C=US","subjectDN":"CN=keyvalueservice.icloud.com, O=Apple Inc., ST=California, C=US","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"D8:84:3B:15:06:49:1C:72:C4:05:C0:F0:82:3B:43:4A:D1:8F:D5:9F"}}
00514{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":238,"source":"iphone.pcap","alias":"nDPId-test","flow_id":42,"flow_packets_processed":1,"flow_first_seen":1582454599054,"flow_last_seen":1582454599054,"flow_idle_time":600000,"flow_min_l4_payload_len":16,"flow_max_l4_payload_len":16,"flow_tot_l4_payload_len":16,"flow_avg_l4_payload_len":16,"midstream":0,"ts_msec":1582454599054,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"224.0.0.22","l4_proto":2,"flow_datalink":1,"flow_max_packets":3}
00442{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":238,"source":"iphone.pcap","alias":"nDPId-test","flow_id":42,"flow_packet_id":1,"flow_last_seen":1582454599054,"flow_idle_time":600000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":38,"pkt_len":54,"pkt_l4_len":16,"ts_msec":1582454599054,"pkt":"AQBeAAAWxGGLNYKpCABGAAAoAABAAAECQgDAqAIR4AAAFpQEAAAiAPkCAAAAAQQAAADgAAD7"}
00547{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":238,"source":"iphone.pcap","alias":"nDPId-test","flow_id":42,"flow_packets_processed":1,"flow_first_seen":1582454599054,"flow_last_seen":1582454599054,"flow_idle_time":600000,"flow_min_l4_payload_len":16,"flow_max_l4_payload_len":16,"flow_tot_l4_payload_len":16,"flow_avg_l4_payload_len":16,"midstream":0,"ts_msec":1582454599054,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"224.0.0.22","l4_proto":2,"ndpi": {"proto":"IGMP","breed":"Acceptable","category":"Network"}}
@@ -228,7 +228,7 @@
00459{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":267,"source":"iphone.pcap","alias":"nDPId-test","flow_id":45,"flow_packet_id":3,"flow_last_seen":1582454599261,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1582454599261,"pkt":"xiwDYGpkxGGLNYKpCABFAAA0AABAAEAGtcfAqAIREfiwS8WYAbuypew79Fp1GIAQBAu8hwAAAQEIChHf6p1bEwn1"}
00860{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":268,"source":"iphone.pcap","alias":"nDPId-test","flow_id":45,"flow_packets_processed":4,"flow_first_seen":1582454599225,"flow_last_seen":1582454599261,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1582454599261,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"17.248.176.75","src_port":50584,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AppleiCloud","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"gateway.icloud.com","ja3":"6fa3244afc6bb6f9fad207b6b52af26b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00918{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":270,"source":"iphone.pcap","alias":"nDPId-test","flow_id":45,"flow_packets_processed":6,"flow_first_seen":1582454599225,"flow_last_seen":1582454599295,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":1957,"flow_avg_l4_payload_len":326,"midstream":0,"ts_msec":1582454599295,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"17.248.176.75","src_port":50584,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AppleiCloud","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"gateway.icloud.com","ja3":"6fa3244afc6bb6f9fad207b6b52af26b","ja3s":"1e60202b4001a190621caa963fb76697","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-01290{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":272,"source":"iphone.pcap","alias":"nDPId-test","flow_id":45,"flow_packets_processed":8,"flow_first_seen":1582454599225,"flow_last_seen":1582454599297,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":4837,"flow_avg_l4_payload_len":604,"midstream":0,"ts_msec":1582454599297,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"17.248.176.75","src_port":50584,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AppleiCloud","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"gateway.icloud.com","server_names":"gateway-india.icloud.com,gateway-carry.icloud.com,gateway.icloud.com,gateway-australia.icloud.com,gateway-sandbox.icloud.com","ja3":"6fa3244afc6bb6f9fad207b6b52af26b","ja3s":"1e60202b4001a190621caa963fb76697","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","issuerDN":"CN=Apple IST CA 2 - G1, OU=Certification Authority, O=Apple Inc., C=US","issuerDN":"CN=gateway.icloud.com, O=Apple Inc., ST=California, C=US","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"D2:DA:1C:68:0C:91:A7:DB:BA:B2:2D:29:06:DB:57:42:10:3D:3A:FE"}}
+01291{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":272,"source":"iphone.pcap","alias":"nDPId-test","flow_id":45,"flow_packets_processed":8,"flow_first_seen":1582454599225,"flow_last_seen":1582454599297,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":4837,"flow_avg_l4_payload_len":604,"midstream":0,"ts_msec":1582454599297,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"17.248.176.75","src_port":50584,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AppleiCloud","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"gateway.icloud.com","server_names":"gateway-india.icloud.com,gateway-carry.icloud.com,gateway.icloud.com,gateway-australia.icloud.com,gateway-sandbox.icloud.com","ja3":"6fa3244afc6bb6f9fad207b6b52af26b","ja3s":"1e60202b4001a190621caa963fb76697","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","issuerDN":"CN=Apple IST CA 2 - G1, OU=Certification Authority, O=Apple Inc., C=US","subjectDN":"CN=gateway.icloud.com, O=Apple Inc., ST=California, C=US","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"D2:DA:1C:68:0C:91:A7:DB:BA:B2:2D:29:06:DB:57:42:10:3D:3A:FE"}}
00550{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":274,"source":"iphone.pcap","alias":"nDPId-test","flow_id":46,"flow_packets_processed":1,"flow_first_seen":1582454599396,"flow_last_seen":1582454599396,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1582454599396,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"17.137.166.35","src_port":50585,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00478{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":274,"source":"iphone.pcap","alias":"nDPId-test","flow_id":46,"flow_packet_id":1,"flow_last_seen":1582454599396,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"ts_msec":1582454599396,"pkt":"xiwDYGpkxGGLNYKpCABFAABAAABAAEAGwFLAqAIREYmmI8WZAbu9h96xAAAAALDC\/\/9bXgAAAgQFtAEDAwcBAQgKEd\/rCQAAAAAEAgAA"}
00516{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":275,"source":"iphone.pcap","alias":"nDPId-test","flow_id":22,"flow_packet_id":2,"flow_last_seen":1582454599396,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":108,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":108,"pkt_l4_len":74,"ts_msec":1582454599396,"pkt":"AQBeAAD7xGGLNYKpCABFAABeopUAAP8RdUTAqAIR4AAA+xTpFOkASvALAAAAAAABAAAAAAABCF9ob21la2l0BF90Y3AFbG9jYWwAAAwAAQAAKQWgAAARlAASAAQADgAA5mGLNYKpxGGLNYKp"}
@@ -242,9 +242,9 @@
00459{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":322,"source":"iphone.pcap","alias":"nDPId-test","flow_id":47,"flow_packet_id":3,"flow_last_seen":1582454599776,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1582454599776,"pkt":"xiwDYGpkxGGLNYKpCABFAAA0AABAAEAGtcfAqAIREfiwS8WaAbsCzUbEtxQHi4AQBAu4qgAAAQEIChHf7JdbEwv6"}
00860{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":323,"source":"iphone.pcap","alias":"nDPId-test","flow_id":47,"flow_packets_processed":4,"flow_first_seen":1582454599740,"flow_last_seen":1582454599776,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1582454599776,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"17.248.176.75","src_port":50586,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AppleiCloud","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"gateway.icloud.com","ja3":"6fa3244afc6bb6f9fad207b6b52af26b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00896{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":325,"source":"iphone.pcap","alias":"nDPId-test","flow_id":46,"flow_packets_processed":6,"flow_first_seen":1582454599396,"flow_last_seen":1582454599793,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":1957,"flow_avg_l4_payload_len":326,"midstream":0,"ts_msec":1582454599793,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"17.137.166.35","src_port":50585,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Apple","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"gsa.apple.com","ja3":"6fa3244afc6bb6f9fad207b6b52af26b","ja3s":"c4b2785a87896e19d37eee932070cb22","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-01178{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":327,"source":"iphone.pcap","alias":"nDPId-test","flow_id":46,"flow_packets_processed":8,"flow_first_seen":1582454599396,"flow_last_seen":1582454599794,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":4308,"flow_avg_l4_payload_len":538,"midstream":0,"ts_msec":1582454599794,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"17.137.166.35","src_port":50585,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Apple","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"gsa.apple.com","server_names":"gsas.apple.com,gsa.apple.com","ja3":"6fa3244afc6bb6f9fad207b6b52af26b","ja3s":"c4b2785a87896e19d37eee932070cb22","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"CN=Apple Server Authentication CA, OU=Certification Authority, O=Apple Inc., C=US","issuerDN":"CN=gsa.apple.com, O=Apple Inc., ST=California, C=US","alpn":"http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"D4:EF:5E:AD:7F:D5:13:5B:9F:B2:B9:84:19:75:BB:ED:53:FB:18:D6"}}
+01179{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":327,"source":"iphone.pcap","alias":"nDPId-test","flow_id":46,"flow_packets_processed":8,"flow_first_seen":1582454599396,"flow_last_seen":1582454599794,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":4308,"flow_avg_l4_payload_len":538,"midstream":0,"ts_msec":1582454599794,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"17.137.166.35","src_port":50585,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Apple","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"gsa.apple.com","server_names":"gsas.apple.com,gsa.apple.com","ja3":"6fa3244afc6bb6f9fad207b6b52af26b","ja3s":"c4b2785a87896e19d37eee932070cb22","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"CN=Apple Server Authentication CA, OU=Certification Authority, O=Apple Inc., C=US","subjectDN":"CN=gsa.apple.com, O=Apple Inc., ST=California, C=US","alpn":"http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"D4:EF:5E:AD:7F:D5:13:5B:9F:B2:B9:84:19:75:BB:ED:53:FB:18:D6"}}
00918{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":330,"source":"iphone.pcap","alias":"nDPId-test","flow_id":47,"flow_packets_processed":6,"flow_first_seen":1582454599740,"flow_last_seen":1582454599811,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":1957,"flow_avg_l4_payload_len":326,"midstream":0,"ts_msec":1582454599811,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"17.248.176.75","src_port":50586,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AppleiCloud","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"gateway.icloud.com","ja3":"6fa3244afc6bb6f9fad207b6b52af26b","ja3s":"1e60202b4001a190621caa963fb76697","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-01290{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":332,"source":"iphone.pcap","alias":"nDPId-test","flow_id":47,"flow_packets_processed":8,"flow_first_seen":1582454599740,"flow_last_seen":1582454599814,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":4837,"flow_avg_l4_payload_len":604,"midstream":0,"ts_msec":1582454599814,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"17.248.176.75","src_port":50586,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AppleiCloud","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"gateway.icloud.com","server_names":"gateway-india.icloud.com,gateway-carry.icloud.com,gateway.icloud.com,gateway-australia.icloud.com,gateway-sandbox.icloud.com","ja3":"6fa3244afc6bb6f9fad207b6b52af26b","ja3s":"1e60202b4001a190621caa963fb76697","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","issuerDN":"CN=Apple IST CA 2 - G1, OU=Certification Authority, O=Apple Inc., C=US","issuerDN":"CN=gateway.icloud.com, O=Apple Inc., ST=California, C=US","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"D2:DA:1C:68:0C:91:A7:DB:BA:B2:2D:29:06:DB:57:42:10:3D:3A:FE"}}
+01291{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":332,"source":"iphone.pcap","alias":"nDPId-test","flow_id":47,"flow_packets_processed":8,"flow_first_seen":1582454599740,"flow_last_seen":1582454599814,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":4837,"flow_avg_l4_payload_len":604,"midstream":0,"ts_msec":1582454599814,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"17.248.176.75","src_port":50586,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AppleiCloud","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"gateway.icloud.com","server_names":"gateway-india.icloud.com,gateway-carry.icloud.com,gateway.icloud.com,gateway-australia.icloud.com,gateway-sandbox.icloud.com","ja3":"6fa3244afc6bb6f9fad207b6b52af26b","ja3s":"1e60202b4001a190621caa963fb76697","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","issuerDN":"CN=Apple IST CA 2 - G1, OU=Certification Authority, O=Apple Inc., C=US","subjectDN":"CN=gateway.icloud.com, O=Apple Inc., ST=California, C=US","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"D2:DA:1C:68:0C:91:A7:DB:BA:B2:2D:29:06:DB:57:42:10:3D:3A:FE"}}
00550{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":338,"source":"iphone.pcap","alias":"nDPId-test","flow_id":48,"flow_packets_processed":1,"flow_first_seen":1582454599929,"flow_last_seen":1582454599929,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1582454599929,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"192.168.2.1","src_port":65079,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00478{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":338,"source":"iphone.pcap","alias":"nDPId-test","flow_id":48,"flow_packet_id":1,"flow_last_seen":1582454599929,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":81,"pkt_l4_len":47,"ts_msec":1582454599929,"pkt":"xiwDYGpkxGGLNYKpCABFAABDumIAAP8Re+TAqAIRwKgCAf43ADUALyJV0zQBAAABAAAAAAAABHBsYXkGaXR1bmVzBWFwcGxlA2NvbQAAAQAB"}
00726{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":338,"source":"iphone.pcap","alias":"nDPId-test","flow_id":48,"flow_packets_processed":1,"flow_first_seen":1582454599929,"flow_last_seen":1582454599929,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":39,"flow_tot_l4_payload_len":39,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1582454599929,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"192.168.2.1","src_port":65079,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.AppleiTunes","breed":"Fun","category":"Streaming"},"dns": {"query":"play.itunes.apple.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
@@ -328,10 +328,10 @@
~~ total active/idle flows...: 51/51
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 2390114 bytes
-~~ total memory freed........: 2390114 bytes
-~~ total allocations/frees...: 36245/36245
+~~ total memory allocated....: 5031229 bytes
+~~ total memory freed........: 5031229 bytes
+~~ total allocations/frees...: 100441/100441
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 153 chars
-~~ json string max len.......: 3575 chars
+~~ json string max len.......: 3576 chars
~~ json string avg len.......: 1864 chars
diff --git a/test/results/ipv6_in_gtp.pcap.out b/test/results/ipv6_in_gtp.pcap.out
index a48777717..101dc58c9 100644
--- a/test/results/ipv6_in_gtp.pcap.out
+++ b/test/results/ipv6_in_gtp.pcap.out
@@ -12,9 +12,9 @@
~~ total active/idle flows...: 0/0
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1926508 bytes
-~~ total memory freed........: 1926508 bytes
-~~ total allocations/frees...: 35335/35335
+~~ total memory allocated....: 4589247 bytes
+~~ total memory freed........: 4589247 bytes
+~~ total allocations/frees...: 99531/99531
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 157 chars
~~ json string max len.......: 515 chars
diff --git a/test/results/irc.pcap.out b/test/results/irc.pcap.out
index b7baff277..7653045a9 100644
--- a/test/results/irc.pcap.out
+++ b/test/results/irc.pcap.out
@@ -3,7 +3,7 @@
00467{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"irc.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_last_seen":1387554241634,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1387554241634,"pkt":"AAAMB6wBABNyxPHhCABFAAA8\/+BAAEAGJjUKtJz5JuVGFLNhH0BpMfDFAAAAAKACOQj\/0AAAAgQFtAQCCAq+wg8lAAAAAAEDAwc="}
00465{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"irc.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_last_seen":1387554241665,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1387554241665,"pkt":"ABNyxPHhANAr0XYACABFAAA8AABAADIGNBYm5UYUCrSc+R9As2GRFS01aTHwxqASFqAOiAAAAgQFtAQCCAowSCUOvsIPJQEDAwY="}
00454{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"irc.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_last_seen":1387554241665,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1387554241665,"pkt":"AAAMB6wBABNyxPHhCABFAAA0\/+FAAEAGJjwKtJz5JuVGFLNhH0BpMfDGkRUtNoAQAHNTYQAAAQEICr7CD0QwSCUO"}
-00685{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":7,"source":"irc.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":7,"flow_first_seen":1387554241634,"flow_last_seen":1387554241695,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":62,"flow_tot_l4_payload_len":114,"flow_avg_l4_payload_len":16,"midstream":0,"ts_msec":1387554241695,"l3_proto":"ip4","src_ip":"10.180.156.249","dst_ip":"38.229.70.20","src_port":45921,"dst_port":8000,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","22":"Unsafe Protocol","36":"Clear-text credentials"},"proto":"IRC","breed":"Unsafe","category":"Chat"}}
+00655{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":7,"source":"irc.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":7,"flow_first_seen":1387554241634,"flow_last_seen":1387554241695,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":62,"flow_tot_l4_payload_len":114,"flow_avg_l4_payload_len":16,"midstream":0,"ts_msec":1387554241695,"l3_proto":"ip4","src_ip":"10.180.156.249","dst_ip":"38.229.70.20","src_port":45921,"dst_port":8000,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","22":"Unsafe Protocol"},"proto":"IRC","breed":"Unsafe","category":"Chat"}}
00557{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":29,"source":"irc.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":29,"flow_first_seen":1387554241634,"flow_last_seen":1387554256201,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":7015,"flow_avg_l4_payload_len":241,"midstream":0,"ts_msec":1387554256201,"l3_proto":"ip4","src_ip":"10.180.156.249","dst_ip":"38.229.70.20","src_port":45921,"dst_port":8000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00151{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":29,"source":"irc.pcap","alias":"nDPId-test","total-events-serialized":8}
~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
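Review bot: The new expected `detected` line for flow 1 in irc.pcap.out no longer carries flow risk `"36":"Clear-text credentials"`, while `"5"` and `"22"` remain, so this baseline now accepts an IRC session on port 8000 without the credential-exposure risk. Nothing in the hunk says whether that is an intended upstream change (the commit also moves the libnDPI submodule, so presumably it comes from there) or a lost detection. The risk is not reported later in the flow either, as the only flow event that follows in this hunk is `idle`. Please confirm against the capture and record the reason in the commit message, since any consumer that alerts on risk id 36 would stop firing for this traffic without notice.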
@@ -14,10 +14,10 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1931013 bytes
-~~ total memory freed........: 1931013 bytes
-~~ total allocations/frees...: 35368/35368
+~~ total memory allocated....: 4593328 bytes
+~~ total memory freed........: 4593328 bytes
+~~ total allocations/frees...: 99564/99564
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 156 chars
-~~ json string max len.......: 690 chars
-~~ json string avg len.......: 483 chars
+~~ json string max len.......: 660 chars
+~~ json string avg len.......: 470 chars
diff --git a/test/results/ja3_lots_of_cipher_suites.pcap.out b/test/results/ja3_lots_of_cipher_suites.pcap.out
index 337a060ed..d646fa425 100644
--- a/test/results/ja3_lots_of_cipher_suites.pcap.out
+++ b/test/results/ja3_lots_of_cipher_suites.pcap.out
@@ -30,9 +30,9 @@
~~ total active/idle flows...: 0/0
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1926508 bytes
-~~ total memory freed........: 1926508 bytes
-~~ total allocations/frees...: 35335/35335
+~~ total memory allocated....: 4589247 bytes
+~~ total memory freed........: 4589247 bytes
+~~ total allocations/frees...: 99531/99531
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 171 chars
~~ json string max len.......: 2347 chars
diff --git a/test/results/ja3_lots_of_cipher_suites_2_anon.pcap.out b/test/results/ja3_lots_of_cipher_suites_2_anon.pcap.out
index d1ce899a5..63f7e1f41 100644
--- a/test/results/ja3_lots_of_cipher_suites_2_anon.pcap.out
+++ b/test/results/ja3_lots_of_cipher_suites_2_anon.pcap.out
@@ -3,7 +3,7 @@
00213{"basic_event_id":15,"basic_event_name":"Captured packet size is smaller than packet size","thread_id":0,"packet_id":1,"source":"ja3_lots_of_cipher_suites_2_anon.pcap","alias":"nDPId-test","caplen":114,"len":118}
00579{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1,"source":"ja3_lots_of_cipher_suites_2_anon.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1505724520744,"flow_last_seen":1505724520744,"flow_idle_time":180000,"flow_min_l4_payload_len":72,"flow_max_l4_payload_len":72,"flow_tot_l4_payload_len":72,"flow_avg_l4_payload_len":72,"midstream":0,"ts_msec":1505724520744,"l3_proto":"ip4","src_ip":"132.190.244.12","dst_ip":"151.121.185.44","src_port":2152,"dst_port":2152,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00549{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"ja3_lots_of_cipher_suites_2_anon.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_last_seen":1505724520744,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":114,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":118,"pkt_l4_len":80,"ts_msec":1505724520744,"pkt":"\/Ejvopo\/MNF+D2w+CABFuABkI90AAEARjIOEvvQMl3m5LAhoCGgAUAAAMv8AQAE8W3RuUAAARQAAPGNKQABABin+wKiTsZd5waDkgAG7Qsba5QAAAACgAjkIo+MAAAIEBbQEAggKAAu5rwAAAAABAwMF"}
-00611{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"ja3_lots_of_cipher_suites_2_anon.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1505724520744,"flow_last_seen":1505724520744,"flow_idle_time":180000,"flow_min_l4_payload_len":72,"flow_max_l4_payload_len":72,"flow_tot_l4_payload_len":72,"flow_avg_l4_payload_len":72,"midstream":0,"ts_msec":1505724520744,"l3_proto":"ip4","src_ip":"132.190.244.12","dst_ip":"151.121.185.44","src_port":2152,"dst_port":2152,"l4_proto":"udp","ndpi": {"proto":"GTP","breed":"Acceptable","category":"Network"}}
+00617{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"ja3_lots_of_cipher_suites_2_anon.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1505724520744,"flow_last_seen":1505724520744,"flow_idle_time":180000,"flow_min_l4_payload_len":72,"flow_max_l4_payload_len":72,"flow_tot_l4_payload_len":72,"flow_avg_l4_payload_len":72,"midstream":0,"ts_msec":1505724520744,"l3_proto":"ip4","src_ip":"132.190.244.12","dst_ip":"151.121.185.44","src_port":2152,"dst_port":2152,"l4_proto":"udp","ndpi": {"proto":"GTP.GTP_U","breed":"Acceptable","category":"Network"}}
00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"ja3_lots_of_cipher_suites_2_anon.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_last_seen":1505724520947,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":110,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":110,"pkt_l4_len":76,"ts_msec":1505724520947,"pkt":"MNF+EIYg\/Ejv6KgaCABFAABgHZ4AAD0Rln6XebkshL70DAhoCGgATAAAMP8APEGxP1xFAAA8AABAADIGm0iXecGgwKiTsQG75IBV2gFiQsba5qAScSDmyQAAAgQFeAQCCAoxbvx\/AAu5rwEDAwc="}
00448{"packet_event_id":1,"packet_event_name":"packet","thread_id":0,"packet_id":3,"source":"ja3_lots_of_cipher_suites_2_anon.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":106,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":110,"pkt_l4_len":0,"ts_msec":1505724521281,"pkt":"\/Ejvopo\/MNF+D2w+CABFuABcNCoAAEARfD6EvvQMl3m5LAhoCGgASAAAMv8AOAE8W3RxUAAARQAANGNLQABABioFwKiTsZd5waDkgAG7Qsba5lXaAWOAEAHJhFMAAAEBCAoAC7oNMW78fw=="}
00213{"basic_event_id":15,"basic_event_name":"Captured packet size is smaller than packet size","thread_id":0,"packet_id":3,"source":"ja3_lots_of_cipher_suites_2_anon.pcap","alias":"nDPId-test","caplen":106,"len":110}
@@ -40,9 +40,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1928907 bytes
-~~ total memory freed........: 1928907 bytes
-~~ total allocations/frees...: 35365/35365
+~~ total memory allocated....: 4591222 bytes
+~~ total memory freed........: 4591222 bytes
+~~ total allocations/frees...: 99561/99561
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 186 chars
~~ json string max len.......: 1935 chars
diff --git a/test/results/kerberos.pcap.out b/test/results/kerberos.pcap.out
index 92019706a..fb6dbe60f 100644
--- a/test/results/kerberos.pcap.out
+++ b/test/results/kerberos.pcap.out
@@ -1,17 +1,20 @@
00442{"daemon_event_id":1,"daemon_event_name":"init","thread_id":0,"packet_id":0,"source":"kerberos.pcap","alias":"nDPId-test","max-flows-per-thread":2048,"max-idle-flows-per-thread":256,"tick-resolution":1000,"reader-thread-count":1,"flow-scan-interval":10000,"generic-max-idle-time":600000,"icmp-max-idle-time":120000,"udp-max-idle-time":180000,"tcp-max-idle-time":7560000,"max-packets-per-flow-to-send":3,"max-packets-per-flow-to-process":255}
00553{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1549337929790,"flow_last_seen":1549337929790,"flow_idle_time":7440000,"flow_min_l4_payload_len":239,"flow_max_l4_payload_len":239,"flow_tot_l4_payload_len":239,"flow_avg_l4_payload_len":239,"midstream":1,"ts_msec":1549337929790,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49157,"dst_port":88,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00767{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_last_seen":1549337929790,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":293,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":293,"pkt_l4_len":259,"ts_msec":1549337929790,"pkt":"pB9ywglqAAgCHEeuCABFAAEXABdAAIAGkNisEAjJrBAICMAFAFiynbRHbznTnlAYAQAf5QAAAAAA62qB6DCB5aEDAgEFogMCAQqjFTATMBGhBAICAICiCQQHMAWgAwEB\/6SBwTCBvqAHAwUAQIEAEKEYMBagAwIBAaEPMA0bC2pvaG5zb24tcGMkohAbDmhhcHB5Y3JhZnQub3JnoyMwIaADAgECoRowGBsGa3JidGd0Gw5oYXBweWNyYWZ0Lm9yZ6URGA8yMDM3MDkxMzAyNDgwNVqmERgPMjAzNzA5MTMwMjQ4MDVapwYCBE7AFheoFTATAgESAgERAgEXAgEYAgL\/eQIBA6kdMBswGaADAgEUoRIEEEpPSE5TT04tUEMgICAgICA="}
+00668{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1549337929790,"flow_last_seen":1549337929790,"flow_idle_time":7440000,"flow_min_l4_payload_len":239,"flow_max_l4_payload_len":239,"flow_tot_l4_payload_len":239,"flow_avg_l4_payload_len":239,"midstream":1,"ts_msec":1549337929790,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49157,"dst_port":88,"l4_proto":"tcp","ndpi": {"proto":"Kerberos","breed":"Acceptable","category":"Network"},"kerberos": {"hostname":"johnson-pc","domain":"happycraft.org","username":""}}
00817{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_last_seen":1549337929790,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":332,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":332,"pkt_l4_len":298,"ts_msec":1549337929790,"pkt":"AAgCHEeupB9ywglqCABFAAE+ExRAAIAGfbSsEAgIrBAIyQBYwAVvOdOesp21NlAYAQCkkQAAAAABEn6CAQ4wggEKoAMCAQWhAwIBHqQRGA8yMDE5MDIwNTAzMzg0OFqlBQIDBjUgpgMCARmpEBsOaGFwcHljcmFmdC5vcmeqIzAhoAMCAQKhGjAYGwZrcmJ0Z3QbDmhhcHB5Y3JhZnQub3JnrIGnBIGkMIGhMH6hAwIBE6J3BHUwczA0oAMCARKhLRsrSEFQUFlDUkFGVC5PUkdob3N0am9obnNvbi1wYy5oYXBweWNyYWZ0Lm9yZzAFoAMCARcwNKADAgEDoS0bK0hBUFBZQ1JBRlQuT1JHaG9zdGpvaG5zb24tcGMuaGFwcHljcmFmdC5vcmcwCaEDAgECogIEADAJoQMCARCiAgQAMAmhAwIBD6ICBAA="}
00553{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":3,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":1,"flow_first_seen":1549337929811,"flow_last_seen":1549337929811,"flow_idle_time":7440000,"flow_min_l4_payload_len":319,"flow_max_l4_payload_len":319,"flow_tot_l4_payload_len":319,"flow_avg_l4_payload_len":319,"midstream":1,"ts_msec":1549337929811,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49158,"dst_port":88,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00875{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_last_seen":1549337929811,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":373,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":373,"pkt_l4_len":339,"ts_msec":1549337929811,"pkt":"pB9ywglqAAgCHEeuCABFAAFnABtAAIAGkISsEAjJrBAICMAGAFganBtaQ2U1slAYAQDaGgAAAAABO2qCATcwggEzoQMCAQWiAwIBCqNjMGEwTKEDAgECokUEQzBBoAMCARKiOgQ4YERcga5zFfjuo7+oqo0hJ6Udj7efOwOKKYJj6PKpxuETgzDcdt27IvGW9sEQ18QPUV\/drVuLVBwwEaEEAgIAgKIJBAcwBaADAQH\/pIHBMIG+oAcDBQBAgQAQoRgwFqADAgEBoQ8wDRsLam9obnNvbi1wYySiEBsOaGFwcHljcmFmdC5vcmejIzAhoAMCAQKhGjAYGwZrcmJ0Z3QbDmhhcHB5Y3JhZnQub3JnpREYDzIwMzcwOTEzMDI0ODA1WqYRGA8yMDM3MDkxMzAyNDgwNVqnBgIETsAWF6gVMBMCARICARECARcCARgCAv95AgEDqR0wGzAZoAMCARShEgQQSk9ITlNPTi1QQyAgICAgIA=="}
+00668{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":3,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":1,"flow_first_seen":1549337929811,"flow_last_seen":1549337929811,"flow_idle_time":7440000,"flow_min_l4_payload_len":319,"flow_max_l4_payload_len":319,"flow_tot_l4_payload_len":319,"flow_avg_l4_payload_len":319,"midstream":1,"ts_msec":1549337929811,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49158,"dst_port":88,"l4_proto":"tcp","ndpi": {"proto":"Kerberos","breed":"Acceptable","category":"Network"},"kerberos": {"hostname":"johnson-pc","domain":"happycraft.org","username":""}}
00603{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_last_seen":1549337929812,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":166,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":166,"pkt_l4_len":132,"ts_msec":1549337929812,"pkt":"AAgCHEeupB9ywglqCABFAACYExlAAIAGflWsEAgIrBAIyQBYwAZDZTtmGpwcmVAYAQDnsgAAX5hri3Z\/opje40K53kwDKo2\/CTegm0pJkWpLVNFlnn\/MakUFXqKHv4CDtH2CbQqvJq\/ecJgxH2EwrzVmUcQk2zqXXjIwbkyszZ9\/Xc6IEgQ4qiI64lPzINS7ueVTbdUXk\/8v52QxoGdMilBjjWTAcQ=="}
00553{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":5,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":1,"flow_first_seen":1549337929815,"flow_last_seen":1549337929815,"flow_idle_time":7440000,"flow_min_l4_payload_len":137,"flow_max_l4_payload_len":137,"flow_tot_l4_payload_len":137,"flow_avg_l4_payload_len":137,"midstream":1,"ts_msec":1549337929815,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49159,"dst_port":88,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00629{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":5,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_last_seen":1549337929815,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":191,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":191,"pkt_l4_len":157,"ts_msec":1549337929815,"pkt":"pB9ywglqAAgCHEeuCABFAACxACFAAIAGkTSsEAjJrBAICMAHAFgBsoC8gS4auFAYAQDUqQAAiNeE+tCJIo9Cz1KFHGicigIlxkFIEVkb70vifDKvvi6NwB24GlkehWdocuUvESpeAqtSofWtuKDm2yskVOheE+r4DxaQxRLncJy9zYBP+p7ofQvBukmarkg+oY3ctA8jgj5BSy2yi42NlxJjhcjuX3ByLG+GD20zq41Le0TbPh0TFS5qkRb0Q24="}
00604{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_last_seen":1549337929815,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":169,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":169,"pkt_l4_len":135,"ts_msec":1549337929815,"pkt":"AAgCHEeupB9ywglqCABFAACbEx9AAIAGfkysEAgIrBAIyQBYwAeBLiBsAbKBRVAYAQBP\/wAA1H56bb56rLTzhI\/so6pGl6jILu03bHY2ZWl4A41JY07Kavo1sQRKhlNPx3vE\/LdSF6BX6NLW1Fm3Tdmvr7ZEbPWOq8FZs9c0RBY7wJbwPUW44FlC0vhqJn1yGB3K1Fxl0gPqAAMzMrhupJQMQzjV4fgdag=="}
00557{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":7,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":1,"flow_first_seen":1549337929816,"flow_last_seen":1549337929816,"flow_idle_time":7440000,"flow_min_l4_payload_len":1431,"flow_max_l4_payload_len":1431,"flow_tot_l4_payload_len":1431,"flow_avg_l4_payload_len":1431,"midstream":1,"ts_msec":1549337929816,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49160,"dst_port":88,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
02380{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":7,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":1,"flow_last_seen":1549337929816,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":1485,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1485,"pkt_l4_len":1451,"ts_msec":1549337929816,"pkt":"pB9ywglqAAgCHEeuCABFAAW\/ACZAAIAGjCGsEAjJrBAICMAIAFgkzleN\/pyBM1AYAQCd1QAAAAAFk2yCBY8wggWLoQMCAQWiAwIBDKOCBRcwggUTMIIE\/6EDAgEBooIE9gSCBPJuggTuMIIE6qADAgEFoQMCAQ6iBwMFAAAAAACjggQ0YYIEMDCCBCygAwIBBaEQGw5IQVBQWUNSQUZULk9SR6IjMCGgAwIBAqEaMBgbBmtyYnRndBsOSEFQUFlDUkFGVC5PUkejggPsMIID6KADAgESoQMCAQKiggPaBIID1l4LwpNuTjPo\/WSca61wgawIInNQ2vTGqwCxtV1QigPfApKXxUIq16oPsvd5TUFFBoZ3psSaal0IeVBLFx\/BX1XOMXvlpVRB9MsTpZwTQ9ax1GLB6I2i5bbUZpknsnBAKrSXL695P06nXI2pxBPckcoFwJAlSBEmG2XByE8IS7rO1EarXMbJ6Y6aTY3qAJfaaRab4vHhRG2Vuf+5JWuR5w1NLPXeeoD\/rArSk0gCVLkR21SKfZcS\/vqPldqO0np7TLmMBVoYjsl6PiI0+4z2cMBft\/qbxRIxb8y1vWhjoJ64ue7lCoT2cvFOdVWD\/WH\/fANzw0ML9F0vLIXCgI1qi1sWcerxATeYpOyo7DWpsJioH9jxAPx+B6RM+9U5zQIKM9BdT3C3olrkQMfOua6FPtyqIt9kVcakdowBTS4+NidzK5sGlYIRntlAxGR8YU5brzwGdboEMfsAHK11qtTE6t\/tDmgr1+cFgW34p7q9yjtfw3IlMfNtNF6cVYmOh6G5Wnxcfjqbsrpj7Kw6mjBwfKtaYNJG6XthlVKo9I4FpdysFIteChs2N+mQtafp0AWZxKjjDKO8sohbJklYhyoJOto52hds26FAU4LmrIc5fMmADp1PG\/tBDi0BnZ3SimtoeWyM2fnwWhBrH67Gc6TeKPHSeyVFwR1fSnMxZTlzS7KXwLa62U6BZ0WNCBZzIdUTje6\/aUFTq4XeeR0Z7Vh6Z9DZ9om\/9wiQsBPMMalPRPnqfmOZT7HV5yr74UqmbVg1OWh8En3RVYoEzl+U9UxwXXFIR5zUwJrSv4BRCrfouK2f87lMtCFEg\/zEl+Ya6jB+A9XZfPbLOpJ+x1ZsBKiE7MFw9X4cPsiIvoIaHcwmirVOaa9JrhuL72qg0GrV2LWFm+xJt5NjWGhgRHFok1jp2URmHs7J3zvdeb+nbPHLvYUdtkqwb3aoYEr1Xmflw8UpDr6MDbT2en\/\/11z39903bvFGohUv62WN4swCRiY9JjXJUs610D4Xxus5+CL0zgzTQQAxEvC4LL9CQELhrXgdhbQmsotNytXnsgYuKhF4RMS5q5UH8sx1AGsmSntAJ\/W4iO+\/MbV3oU5HdPpcERFm3hfRy\/GBSS75vadxxOcRHZA6iF9\/pQ9BlFHhHcWkaQuZyUL6qH1sbSQyui0sXjtHojjpnPlsTpEM9hpMt6LhooASI6ATNe\/Xw7kB+HTJthDR\/bJnXbftcEdtnk7dLQYL5MfhSH8BDyuI9MMLmdpozP+V7mPT5HhUnsqRSQWCVyfiuDhL0shZpk83f0xNTTm
K8fhSYF8Q1BGkgZwwgZmgAwIBEqKBkQSBjpT6WKZ4R5UUi5WTtSgEkEd7jMLa6AoUPu4TwrcLKGcmB9vngXIzOhZvqCgHdzOkHetRjgLUyTIXem1PFxz6mY8TxQcIZDyb19SN3Nd3sKaxs2IYEv7YHwXG6E8LM8hJLH2m\/TyiwnWxB70uZ574gAkF4FD1Zq+qMVWQ8VxsOQkGL92ElZ2TaAS4GGYCEnUwDqEEAgIApaIGBAQfAAAApGQwYqAHAwUAYIEAEKIQGw5IQVBQWUNSQUZULk9SR6MjMCGgAwIBAqEaMBgbBmtyYnRndBsOSEFQUFlDUkFGVC5PUkelERgPMjAzNzA5MTMwMjQ4MDVapwYCBE7NBe6oBTADAgES"}
+00662{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":7,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":1,"flow_first_seen":1549337929816,"flow_last_seen":1549337929816,"flow_idle_time":7440000,"flow_min_l4_payload_len":1431,"flow_max_l4_payload_len":1431,"flow_tot_l4_payload_len":1431,"flow_avg_l4_payload_len":1431,"midstream":1,"ts_msec":1549337929816,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49160,"dst_port":88,"l4_proto":"tcp","ndpi": {"proto":"Kerberos","breed":"Acceptable","category":"Network"},"kerberos": {"hostname":"","domain":"happycraft.org","username":""}}
02405{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":8,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_last_seen":1549337929816,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":1498,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1498,"pkt_l4_len":1464,"ts_msec":1549337929816,"pkt":"AAgCHEeupB9ywglqCABFAAXMEyNAAIAGeResEAgIrBAIyQBYwAj+nIEzJM5dJFAYAQC28wAAAAAFoG2CBZwwggWYoAMCAQWhAwIBDaMQGw5IQVBQWUNSQUZULk9SR6QYMBagAwIBAaEPMA0bC0pPSE5TT04tUEMkpYIENGGCBDAwggQsoAMCAQWhEBsOSEFQUFlDUkFGVC5PUkeiIzAhoAMCAQKhGjAYGwZrcmJ0Z3QbDkhBUFBZQ1JBRlQuT1JHo4ID7DCCA+igAwIBEqEDAgECooID2gSCA9ZmgNa1dr3wGd87q5o3XWLsTIWysbTgkwJr+Tn54CyV4AH6vlEgusASRdJcyvN0onPWOO9TStPkihUEobLQ8WG5\/BAe\/pJm76NJeRjK9kGGi8G\/0XbFCYSPepa5PQwmUgAjsgxX98uOoIoeMgpxrDD2I4YnqT0o9T7E4u8XbTiIf+v3cdcN4dCZ+EoTKAM9GSdtpSP62\/Xb+2PxUXMWzXRKdBV4GPRc7M\/f3KRdK529+2pM4yLgF6mfdzw1YttOYiTQBSOIseZU5L5pWWwIAYUeadQLWeGW7MCmuOiezPfzHOKXT\/hMqEB\/2Egds2KA7Hm\/oP01r9IU6p42tCtn+I4EWSm5ZkiMAIXP6SCiOdO2PbdtR\/4GK9kZARZpgtLJG+aGmFpRzNAdcgcLMHN2OlX0J6+piruBM7Ww3kqLpZgruCuGx8K+d\/8FApmAeWnLmXbD3fu1T00fGd6fdKrkgCl98Sy4I0iKgJr019SubVPh\/tLfXvOPHFTskrZiab\/lkJMa\/lcaCHUWtHfBuxSsNJt7gody42oqvvYHikEn7VlQJDi\/u8KzU07HljjjoqhCYV678B3YcCsVdGefRzEoUzSdH\/BYJGW+CkosfzR7MiRBWyvn77tCF67oxZ3T5EhVst6OUOt05ejCBeF0j2P8Sa6RL1vPg6TCt7KX5yXzGdJtuRQYFzwHms4Ux+JYQXrmLh2ixoc55gWooUap7xcPOrj9EtgR7efu2PqGQVuytvq6rdV+3QUFA8AufxbPXK507+RBmLMcLcxZAxOp7SQc\/Ay3c\/ORhr+fWLV6VFfX75zufwBySCOGvrbuFXK0SnMVFwylor3lGY2Czl7Y5QKDcK4+FS+SJKTqaxj0EFxa2D+DbGLwbVt3zt9+tPhI+pr7vL0LtIL0O055Y3MLTTiVoB4FnEuGzQivRnPbXzFFcdCIUDcAh26XtB4LCpmd+fBTcLafa5ZKQ2nsR\/2LH7kpZxim50Hcvtyd5PzGPwKSVk2Q+psnZ0IehfsbwhALTs\/RQSOb7Rq41AGgy7OAH5YvpBKSd7qUDfb1gtLh6EIYhMprEuGvAg42lOnEYktaA8Y0X4PyM72xSTA9ZN+CxfcvwiIlvHf11TL5C5ZRBUy3du\/RJjPcfxsjqIdqVfXMDys4DGOvXOODvANQyMdpD2WSRWTBduQ+1useq7xNugt3rmAScfUohAT\/giN4TexFk96WUfGs376rRqExitzbuece0s6lptdaN+3sKDC1NFILlW4MQPBHpc3ComgefM9jAmeqLxMUur1iJW82d2i1F5BNiRpTZEFf7MD9p
oIBJjCCASKgAwIBEqKCARkEggEVQDvO7+WVQbXswJT\/WKenjoLOTOUb7xtnQSDSvTALA7cFBjKmG7py2Ll3YHsUrZQaKL2ZgS2bNcKYx\/3+lfvv+kAlvcN39ExBH9j9AGm8H1cRnFwNhRWCETnioXg\/P1Y2p+e3F0h6bOneEdLiePwHJv9FonrRV61HKyJDpzH6E0h5BR7t2eo\/60DJORIRuiguwoofBgNuIj9IIWatzAufVetcbqrWIpOgXa8Tl5itQ\/bI2zF6hwUS3TRThkmm+Lz7J7LBceoySEetzaEsRZtQYN6tENYmlD5+VEJvmJ\/Gk593lHeRAE07ZMXwY1fmEib\/vL\/sBgCUMH7CIYMAL4GjstMrJCbIeZhyoYmoahgOuedSq46aMw=="}
-00672{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":8,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":2,"flow_first_seen":1549337929816,"flow_last_seen":1549337929816,"flow_idle_time":7440000,"flow_min_l4_payload_len":1431,"flow_max_l4_payload_len":1444,"flow_tot_l4_payload_len":2875,"flow_avg_l4_payload_len":1437,"midstream":1,"ts_msec":1549337929816,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49160,"dst_port":88,"l4_proto":"tcp","ndpi": {"proto":"Kerberos","breed":"Acceptable","category":"Network"},"kerberos": {"hostname":"johnson-pc","domain":"happycraft.org","username":""}}
+00680{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":8,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":2,"flow_first_seen":1549337929816,"flow_last_seen":1549337929816,"flow_idle_time":7440000,"flow_min_l4_payload_len":1431,"flow_max_l4_payload_len":1444,"flow_tot_l4_payload_len":2875,"flow_avg_l4_payload_len":1437,"midstream":1,"ts_msec":1549337929816,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49160,"dst_port":88,"l4_proto":"tcp","ndpi": {"proto":"Kerberos","breed":"Acceptable","category":"Network"},"kerberos": {"hostname":"johnson-pc","domain":"happycraft.org","username":""}}
00554{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":9,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":1,"flow_first_seen":1549337929817,"flow_last_seen":1549337929817,"flow_idle_time":7440000,"flow_min_l4_payload_len":227,"flow_max_l4_payload_len":227,"flow_tot_l4_payload_len":227,"flow_avg_l4_payload_len":227,"midstream":1,"ts_msec":1549337929817,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49156,"dst_port":445,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00753{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_last_seen":1549337929817,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":281,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":281,"pkt_l4_len":247,"ts_msec":1549337929817,"pkt":"pB9ywglqAAgCHEeuCABFAAELACpAAIAGkNGsEAjJrBAICMAEAb1XsKRSOc8tT1AYAP5XOQAAtEaCpoUNMQEcRu8rXL+flRkpXPhHudnte7juaoAeTLu\/yTOr\/klMHDKYHSz0JIIsigIVsBaMl3PyJLoeb\/thjoYGSwkEC2m4nRdpRXAof0BuI3WnXPinh7MhPVCaTGyJNfqfVu\/1dc4+HXKYy76MWWV4zUtzQAeAZlVdIbuoLUlvFXjFSw5Ryb7lDA5ay5XLMnQY1U2bYUt6MYxBsLvHXZpUwBGPjxstpVTddlgnyYV1MOsJQv5Du0utIGTzTo6LpQrGUrUbi+j64I7Cmr+KeRuwdhEzhGbc+mJlwRYjD6cvIxA="}
00801{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":10,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":2,"flow_last_seen":1549337929818,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":314,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":314,"pkt_l4_len":280,"ts_msec":1549337929818,"pkt":"AAgCHEeupB9ywglqCABFAAEsEydAAIAGfbOsEAgIrBAIyQG9wAQ5zy1PV7ClNVAYAQBD3AAAAAABAP5TTUJAAAEAAAAAAAEAHwAJAAAAAAAAAAIAAAAAAAAA\/\/4AAAAAAABZAAAAAAQAAM9KX1xrFqd60K9wkt\/rc1cJAAAASAC4AKGBtTCBsqADCgEAoQsGCSqGSIL3EgECAqKBnQSBmmCBlwYJKoZIhvcSAQICAgBvgYcwgYSgAwIBBaEDAgEPongwdqADAgESom8EbaDd4i7\/ItyR1a9jC52avEiTOhersM4IXB2s8eeK3O+ftonNzS3toSakh8sE2tBVm3gbqMBKq1zSZzBBR6cu+Hrjxp\/3xoJEFPVC\/4y\/BWmosce7zt2RHazTIcgt7F0qD+5oY0gWkTgMB+VU0Ro="}
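Review bot: For flow 4 the expected output now has a `detected` event at packet 7 whose `kerberos` object carries `"hostname":""`, and the hostname `johnson-pc` only arrives in the `detection-update` at packet 8; before this change the single `detected` event at packet 8 carried it. A consumer that records Kerberos metadata from `detected` alone (a log forwarder or an alerting rule keyed on that event) would now store an empty hostname for this flow, and nothing in the visible hunks documents that. I would state it next to the event description, wherever the project keeps it, for example `kerberos.hostname/username may be empty in "detected"; merge later "detection-update" events for the same flow_id`. `username` is empty in every Kerberos event of this hunk, so it may also be worth checking whether empty strings should be serialized at all; that depends on the serializer in nDPId.c, which is not visible here.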
@@ -23,9 +26,11 @@
00729{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":14,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":2,"flow_last_seen":1549337929983,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":264,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":264,"pkt_l4_len":230,"ts_msec":1549337929983,"pkt":"AAgCHEeupB9ywglqCABFAAD6EzZAAIAGfdasEAgIrBAIyQGFwAlIl8v7DkIzcVAYAQBePQAAMIQAAADMAgEDYYQAAADDCgEABAAEAIeCALihgbUwgbKgAwoBAKELBgkqhkiC9xIBAgKigZ0EgZpggZcGCSqGSIb3EgECAgIAb4GHMIGEoAMCAQWhAwIBD6J4MHagAwIBEqJvBG1fPlG7bKWdrh2HD6cpz+MijBmfhDcDSHRgxosMnwcbCi1ZRnrViGBtMC2nQv6mVUDSJapX\/mZgtc4l9ALb+\/jokxskSCIt0GZfBXlBh6SOp7g9nc\/2WT4mG5e+fctttNW4KixsBWTLsk4U0TsD"}
00554{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":15,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":1,"flow_first_seen":1549337930192,"flow_last_seen":1549337930192,"flow_idle_time":7440000,"flow_min_l4_payload_len":239,"flow_max_l4_payload_len":239,"flow_tot_l4_payload_len":239,"flow_avg_l4_payload_len":239,"midstream":1,"ts_msec":1549337930192,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49166,"dst_port":88,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00768{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":15,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":1,"flow_last_seen":1549337930192,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":293,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":293,"pkt_l4_len":259,"ts_msec":1549337930192,"pkt":"pB9ywglqAAgCHEeuCABFAAEXAE9AAIAGkKCsEAjJrBAICMAOAFh1zEKiBQpS4FAYAQB22wAAAAAA62qB6DCB5aEDAgEFogMCAQqjFTATMBGhBAICAICiCQQHMAWgAwEB\/6SBwTCBvqAHAwUAQIEAEKEYMBagAwIBAaEPMA0bC2pvaG5zb24tcGMkohAbDkhBUFBZQ1JBRlQuT1JHoyMwIaADAgECoRowGBsGa3JidGd0Gw5IQVBQWUNSQUZULk9SR6URGA8yMDM3MDkxMzAyNDgwNVqmERgPMjAzNzA5MTMwMjQ4MDVapwYCBE6HHTSoFTATAgESAgERAgEXAgEYAgL\/eQIBA6kdMBswGaADAgEUoRIEEEpPSE5TT04tUEMgICAgICA="}
+00669{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":15,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":1,"flow_first_seen":1549337930192,"flow_last_seen":1549337930192,"flow_idle_time":7440000,"flow_min_l4_payload_len":239,"flow_max_l4_payload_len":239,"flow_tot_l4_payload_len":239,"flow_avg_l4_payload_len":239,"midstream":1,"ts_msec":1549337930192,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49166,"dst_port":88,"l4_proto":"tcp","ndpi": {"proto":"Kerberos","breed":"Acceptable","category":"Network"},"kerberos": {"hostname":"johnson-pc","domain":"happycraft.org","username":""}}
00818{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":16,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":2,"flow_last_seen":1549337930193,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":332,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":332,"pkt_l4_len":298,"ts_msec":1549337930193,"pkt":"AAgCHEeupB9ywglqCABFAAE+E0ZAAIAGfYKsEAgIrBAIyQBYwA4FClLgdcxDkVAYAQCvKAAAAAABEn6CAQ4wggEKoAMCAQWhAwIBHqQRGA8yMDE5MDIwNTAzMzg0OFqlBQIDDGWApgMCARmpEBsOSEFQUFlDUkFGVC5PUkeqIzAhoAMCAQKhGjAYGwZrcmJ0Z3QbDkhBUFBZQ1JBRlQuT1JHrIGnBIGkMIGhMH6hAwIBE6J3BHUwczA0oAMCARKhLRsrSEFQUFlDUkFGVC5PUkdob3N0am9obnNvbi1wYy5oYXBweWNyYWZ0Lm9yZzAFoAMCARcwNKADAgEDoS0bK0hBUFBZQ1JBRlQuT1JHaG9zdGpvaG5zb24tcGMuaGFwcHljcmFmdC5vcmcwCaEDAgECogIEADAJoQMCARCiAgQAMAmhAwIBD6ICBAA="}
00554{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":17,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":9,"flow_packets_processed":1,"flow_first_seen":1549337930214,"flow_last_seen":1549337930214,"flow_idle_time":7440000,"flow_min_l4_payload_len":319,"flow_max_l4_payload_len":319,"flow_tot_l4_payload_len":319,"flow_avg_l4_payload_len":319,"midstream":1,"ts_msec":1549337930214,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49167,"dst_port":88,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00875{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":17,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":1,"flow_last_seen":1549337930214,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":373,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":373,"pkt_l4_len":339,"ts_msec":1549337930214,"pkt":"pB9ywglqAAgCHEeuCABFAAFnAFNAAIAGkEysEAjJrBAICMAPAFhOqMfQDl0Bb1AYAQBFdgAAAAABO2qCATcwggEzoQMCAQWiAwIBCqNjMGEwTKEDAgECokUEQzBBoAMCARKiOgQ4T+8E3pUi7h1ZsZOoIXjjwvAQAgQGpJXHn0jgIAIbXQei+GxBZQViNO7UVdhzj5KUys1PXrvG2C8wEaEEAgIAgKIJBAcwBaADAQH\/pIHBMIG+oAcDBQBAgQAQoRgwFqADAgEBoQ8wDRsLam9obnNvbi1wYySiEBsOSEFQUFlDUkFGVC5PUkejIzAhoAMCAQKhGjAYGwZrcmJ0Z3QbDkhBUFBZQ1JBRlQuT1JHpREYDzIwMzcwOTEzMDI0ODA1WqYRGA8yMDM3MDkxMzAyNDgwNVqnBgIETocdNKgVMBMCARICARECARcCARgCAv95AgEDqR0wGzAZoAMCARShEgQQSk9ITlNPTi1QQyAgICAgIA=="}
+00669{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":17,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":9,"flow_packets_processed":1,"flow_first_seen":1549337930214,"flow_last_seen":1549337930214,"flow_idle_time":7440000,"flow_min_l4_payload_len":319,"flow_max_l4_payload_len":319,"flow_tot_l4_payload_len":319,"flow_avg_l4_payload_len":319,"midstream":1,"ts_msec":1549337930214,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49167,"dst_port":88,"l4_proto":"tcp","ndpi": {"proto":"Kerberos","breed":"Acceptable","category":"Network"},"kerberos": {"hostname":"johnson-pc","domain":"happycraft.org","username":""}}
00598{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":18,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":2,"flow_last_seen":1549337930214,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":166,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":166,"pkt_l4_len":132,"ts_msec":1549337930214,"pkt":"AAgCHEeupB9ywglqCABFAACYE0tAAIAGfiOsEAgIrBAIyQBYwA8OXQcjTqjJD1AYAQBZNwAAQBgDyB6VZPxID+fu9kcivDlP7463Dy1IfrYrHVzuJLB3P27gpkccW43Mtu3NrktwKAyme0Z0QNo0JvH3ppwCLvPborHS7i5Jp9I5pxLf5LZX6AlmVea2udQa4ufUWkijqzhrShLiqrevOUKPGzj2OQ=="}
00555{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":19,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":10,"flow_packets_processed":1,"flow_first_seen":1549337930217,"flow_last_seen":1549337930217,"flow_idle_time":7440000,"flow_min_l4_payload_len":153,"flow_max_l4_payload_len":153,"flow_tot_l4_payload_len":153,"flow_avg_l4_payload_len":153,"midstream":1,"ts_msec":1549337930217,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49168,"dst_port":88,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00655{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":19,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":10,"flow_packet_id":1,"flow_last_seen":1549337930217,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":207,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":207,"pkt_l4_len":173,"ts_msec":1549337930217,"pkt":"pB9ywglqAAgCHEeuCABFAADBAFlAAIAGkOysEAjJrBAICMAQAFhuA\/SQrSTVxVAYAQACWAAAqoGWMIGToAMCARKigYsEgYhFQhzXcnmj64Ly0uBtjkMUoTuM+x\/rpAOTUWDkUHAspBDcB8geScaOnqOyTgnIEt9ORSbyaLGh7aDpqWoX8LkoU9AsGNn4U6LRjikWi59PfjQn46P9BY0tn6JOEZn\/IKW+bzyhJYK72MU5dfE\/Y9v1QP4pOcMGsyTXEkOUPDq6y5KpwHUNPs1e"}
@@ -42,8 +47,9 @@
00538{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":27,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":13,"flow_packet_id":2,"flow_last_seen":1549337931199,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":122,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":122,"pkt_l4_len":88,"ts_msec":1549337931199,"pkt":"AAgCHEeupB9ywglqCABFAABsE2VAAIAGfjWsEAgIrBAIyQBYwBJewuYoJDXRkVAYAQBPlQAA7mWAsz4LwR11oOSQ27Ex06YGG2bAP8ttVVXtAwxS755lCHRg4mUkpOjXnBJJ8KdHDkkp7LWBSVTLf+j0wkJ4hFVjx0c="}
00559{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":28,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":1,"flow_first_seen":1549337931210,"flow_last_seen":1549337931210,"flow_idle_time":7440000,"flow_min_l4_payload_len":1432,"flow_max_l4_payload_len":1432,"flow_tot_l4_payload_len":1432,"flow_avg_l4_payload_len":1432,"midstream":1,"ts_msec":1549337931210,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49171,"dst_port":88,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
02390{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":28,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":14,"flow_packet_id":1,"flow_last_seen":1549337931210,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":1486,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1486,"pkt_l4_len":1452,"ts_msec":1549337931210,"pkt":"pB9ywglqAAgCHEeuCABFAAXAAHpAAIAGi8ysEAjJrBAICMATAFio5J72SB155lAYAQAvgAAAAAAFlGyCBZAwggWMoQMCAQWiAwIBDKOCBQcwggUDMIIE\/6EDAgEBooIE9gSCBPJuggTuMIIE6qADAgEFoQMCAQ6iBwMFAAAAAACjggQ0YYIEMDCCBCygAwIBBaEQGw5IQVBQWUNSQUZULk9SR6IjMCGgAwIBAqEaMBgbBmtyYnRndBsOSEFQUFlDUkFGVC5PUkejggPsMIID6KADAgESoQMCAQKiggPaBIID1hKWdXqL0IxSnZlxRjhHmIFUVS3rvb7i9fEBKrEJ5PVjDXxsAQeDmTL9wweNNg1pCQDRmZ6AE\/m2Y7TGJV\/FdJF\/GLAs\/UE5nC+H+eLE4iuLtnFkH3govXIWXOdlEsqQhROyd4qj2WtH7bxyzZwdtdBzD8HNk\/Zyhfmgmp+oA1+8nXeYYFDFKmqTt9a00HvvmTpJfi0pguIgxY8KmJbF4d1RUkWNuXZ5g7FA43R8i0OyHjh+mwSGoE1gJ\/X8DroluAfskaOHhGVguFx+famY4o8UsY6g4BojHiLERbIlzMsUYRq\/EQf2FuSw8Wc3swODADnnHqoAdpFJG5\/GMQbUUUhsHy5eDXa3\/EPT1ZKqI0bJsr7jOF5G9ytS8thT6E7bOOCcOFN4JNFsCA3bCyRL6jYH2ZedtZMr5yCI40ePAHAaIBbEPTKYDMpCUKxXExG41vrN6dY4CEFLw2Tb4BDinhxjESAIpIw6LOtdRzBrkjiFKjPEj4UBorlhX90DmWgF5dFJbZXz5eOVcZ\/qmOnm8JcuVim8byzO3C2W5go47U+8GNRvk\/iuaoCs18MAuzn4DOtJmgk1eSuxxL9sUZmjkqejNSB6Ny8aYGysoT\/tUR2mS\/10DyxEUb\/M23KvW\/d0nkBg7qCjWXvlLjMDmACl3rd8MXcyqYWqmZcwKWLk5yL3YiZbL90SxemnQHTIY+DWavybHj9SrM5+aINDzqHcDq0aHAhhwNPUOQQH+m0ab759iCYVNaTyITpTWuG6hneFvKoU9d3uSafxpBU5TJfC9PTmhW+\/db+6ouEM0JlNTrwSmfDpaJJPc+gkzn45Pl5k\/7+Abb+s6rWMNfHT+Em3MBbZJYdM0UlQ1xrel8YuJnwOOGyF4x2puehNGP\/\/\/ouwl65KT\/CBdxNVmhdbElBMgwiINySCK0GaA0G8iJuo2p3q21Z3q6PwC\/TBFuSNBvRRaLYdHeXUMMCTZUjjLBHDUqLGGPYiG40kPfZcBzP2U1v\/9gWBK4kWlSfWhwHwDob09dR24nAmYkaTEvrRnFvLOPKhepgPz5FiL+TNVO0x7Q9MEcpXED6nxJ9fgUpL+5AL+5zKjvBqGhTBSFztV5n2jwS9BN5nwKGyQXNwz7M3IugClC01JUeDu8ccEtCesL+sdsbL1EP7jcFCC1EniPRKxntY82esVy8lyQlrXBxmBdMcKVUa21imq65LZV0MJEQvFPcKWd3cpqWETjO2y3rGD5HXk8dwPDck3LvUU56PaEiLP3SNlqGRnDfEXoiRxz6YMXMhdwJMRbqAQJYa
71fsqMLgQ4u3s5WkgZwwgZmgAwIBEqKBkQSBjkBvFbBksZRBZsgqvT9rWZWIMz104YLf86+Cksa0ZMsEGJ\/RDcCZOr8kPQRKlwzkm2uQjqkaOemu4sYhWXYr71KrOEs2JUveeWW4HHkLaYXd0a2yOtTAVV1zR76rPVw3Om2DZiy3OdOJiQuRn3tY6sCbzkX\/gKz0r0nI8miItgy4uzP0Z9rEEUiiCUR\/XkOkdTBzoAcDBQBAgQAAohAbDkhBUFBZQ1JBRlQuT1JHoycwJaADAgEKoR4wHBsaam9obnNvbi1wYyRASEFQUFlDUkFGVC5PUkelERgPMjAzNzA5MTMwMjQ4MDVapwYCBE44sbqoEjAQAgESAgERAgEXAgEYAgL\/eQ=="}
+00664{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":28,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":1,"flow_first_seen":1549337931210,"flow_last_seen":1549337931210,"flow_idle_time":7440000,"flow_min_l4_payload_len":1432,"flow_max_l4_payload_len":1432,"flow_tot_l4_payload_len":1432,"flow_avg_l4_payload_len":1432,"midstream":1,"ts_msec":1549337931210,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49171,"dst_port":88,"l4_proto":"tcp","ndpi": {"proto":"Kerberos","breed":"Acceptable","category":"Network"},"kerberos": {"hostname":"","domain":"happycraft.org","username":""}}
02411{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":29,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":14,"flow_packet_id":2,"flow_last_seen":1549337931211,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":1506,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1506,"pkt_l4_len":1472,"ts_msec":1549337931211,"pkt":"AAgCHEeupB9ywglqCABFAAXUE2tAAIAGeMesEAgIrBAIyQBYwBNIHXnmqOSkjlAYAQDmlQAAAAAFqG2CBaQwggWgoAMCAQWhAwIBDaMQGw5IQVBQWUNSQUZULk9SR6QYMBagAwIBAaEPMA0bC0pPSE5TT04tUEMkpYIEOGGCBDQwggQwoAMCAQWhEBsOSEFQUFlDUkFGVC5PUkeiJzAloAMCAQqhHjAcGxpqb2huc29uLXBjJEBIQVBQWUNSQUZULk9SR6OCA+wwggPooAMCARKhAwIBAaKCA9oEggPWM37115K3Hp8wZkASHyq+pZzCB52w4ZkoKvxkfuUu0LiaHFeH\/YmBkYuC+Y2vHUb50xj2RvlJ0VUIhZ76+RSlQ21W8ccYNaNUXAdabNdF58x1VLmlxuTxbWyuhApe3nart0yE2ggJlqq+SXunnCj4pybyo3D5UqYJsd2CPwW\/UrYMlNJN1gTQgtBaL+rVhNBO6KW9AYxQ1t3V4\/aN5W98Rm9mtqvqy8JlwwSbsqtA+fkgyuLhaFI64sFXeg2okoVY+WpiV8y69YH3VrH9iOYXgjNBApUv8XW3Inwsdd+FJTBLBvDWG4tGHW9DGxqpa+jzaFQyiDi46S1MFPNG5ax\/fXZRFVyIKm5Uvcg+IVoFoTv79M+o2izKZu3xW5GT3jmX5joC1Jz2cBBvfj31IPUawr97kChTt3baVrRO5jtj4Qe\/Yf9D1ea6AnOL3m9lXfbWlkiRMtogdbiLBmz40fY6y7s2fBoNzUM7PPtzjMCZD+mzFnuxbn6SKFsq1jRXr1gfhz99U\/sj4rpgf0fGzuAji6\/CldJydoJ3ZF35EbOHxlT67B0T5Wdz2DSGMxMFnFTU2y41IZZAFsQkozjJDlJyV\/H3UNEgpsuzFWCdn70SJWivzXQmU387\/5qoLQgDt1DzqhRxVq84eAlKWowli8llAVqtdeTmpgPePJrGuN8afpBvekjwt\/1CNWyg0EdZHQFfl1jlAEsgIyCski92E8xu8mvOhuDWTPYemtkOSb2FcxtoxHDyT\/GouX7ARs1ZykSB8j3R9t9ImA7xedyZ34sFfJFGRcLyx6qpTKqFmVZRuxhX4QxBOD\/ubH8xUJ\/p2KhM0jR1yUcK5cyCfymWcxTybrHYNySjaI0gUlhRAiWvZM8bRaCC8Fvoak+VMcqFAYw\/ve5dkR7KuJ\/TxqmhnlpwuoDkayoCpyiqZLALWWLzMuA+erM0osdjgnLPkazewgaOuGK+L14eoN40NcSEI4LVjIf3MizcDep1bu4x++f34uKnDRQCxEnEkfmry2Kt7UmB9dRWUyMnIhre\/LcHyWzVYKmQzK4jbAZGQz3E7SgAtaF8YpuFzK+wN7Al3\/bnw+mNGEv8UnWesnu6eYSeTafPkSExr0eHjyMGHylq1SYGRDikN47BEUJ9DRohxwo4GIbZJ4SlXZm2o1CyYrdjxESgLw7oBxv5ojM77+mqWLxxRYcXrNOO62jI7OC10ISrQjw9VRI73l6ie75xGP23mwgzTkWksp2AmXFXEibjsoWoxN\/dqkJ1paHMQ4D49jni4b2qEd7LE7wiCkMzEEz1wgpM028xFW
hhGKaCASowggEmoAMCARKiggEdBIIBGXjHjK5feQ4HY+O2QW1CcrS7y98xjbx4G5\/F1UdYW0nRFrJ1ea7DBhGVKjGhvpNRa\/suoiAGgMaTxIusGGUQaAV3QBkZHI2P7w3S90dRv87TwzBiyLZFov6Iyju+rGIOEBeNij1u4+ieA37sl1WxkkeY5PDSqYQ0xi5dzSQDh1ZKJZF1swmboJUdCNAO5zs9II914vVd0a+gpHqPPfi\/aa\/2ENYesIfYc445XBAksieN4OCiUuXDZetEyUARPhuFnigdmrFcLiKa7lrUb+XOxw\/TpGzrNeFBj3QXNS06SOOdTL3pwlP77\/SR+78shwDam4sOlgv2UEV2H31TfNEKJs\/OC4Ks1WD8+3srLETa3NVngdje5im6AaSi"}
-00674{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":29,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":2,"flow_first_seen":1549337931210,"flow_last_seen":1549337931211,"flow_idle_time":7440000,"flow_min_l4_payload_len":1432,"flow_max_l4_payload_len":1452,"flow_tot_l4_payload_len":2884,"flow_avg_l4_payload_len":1442,"midstream":1,"ts_msec":1549337931211,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49171,"dst_port":88,"l4_proto":"tcp","ndpi": {"proto":"Kerberos","breed":"Acceptable","category":"Network"},"kerberos": {"hostname":"johnson-pc","domain":"happycraft.org","username":""}}
+00682{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":29,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":2,"flow_first_seen":1549337931210,"flow_last_seen":1549337931211,"flow_idle_time":7440000,"flow_min_l4_payload_len":1432,"flow_max_l4_payload_len":1452,"flow_tot_l4_payload_len":2884,"flow_avg_l4_payload_len":1442,"midstream":1,"ts_msec":1549337931211,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49171,"dst_port":88,"l4_proto":"tcp","ndpi": {"proto":"Kerberos","breed":"Acceptable","category":"Network"},"kerberos": {"hostname":"johnson-pc","domain":"happycraft.org","username":""}}
00559{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":30,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":15,"flow_packets_processed":1,"flow_first_seen":1549337931211,"flow_last_seen":1549337931211,"flow_idle_time":7440000,"flow_min_l4_payload_len":1064,"flow_max_l4_payload_len":1064,"flow_tot_l4_payload_len":1064,"flow_avg_l4_payload_len":1064,"midstream":1,"ts_msec":1549337931211,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49173,"dst_port":88,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
01888{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":30,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":1,"flow_last_seen":1549337931211,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":1118,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1118,"pkt_l4_len":1084,"ts_msec":1549337931211,"pkt":"pB9ywglqAAgCHEeuCABFAARQAIFAAIAGjTWsEAjJrBAICMAVAFjnnRKZiyMmn1AYAQD\/uwAADkhBUFBZQ1JBRlQuT1JHoicwJaADAgEKoR4wHBsaam9obnNvbi1wYyRASEFQUFlDUkFGVC5PUkejggPsMIID6KADAgESoQMCAQGiggPaBIID1jN+9deStx6fMGZAEh8qvqWcwgedsOGZKCr8ZH7lLtC4mhxXh\/2JgZGLgvmNrx1G+dMY9kb5SdFVCIWe+vkUpUNtVvHHGDWjVFwHWmzXRefMdVS5pcbk8W1sroQKXt52q7dMhNoICZaqvkl7p5wo+Kcm8qNw+VKmCbHdgj8Fv1K2DJTSTdYE0ILQWi\/q1YTQTuilvQGMUNbd1eP2jeVvfEZvZrar6svCZcMEm7KrQPn5IMri4WhSOuLBV3oNqJKFWPlqYlfMuvWB91ax\/YjmF4IzQQKVL\/F1tyJ8LHXfhSUwSwbw1huLRh1vQxsaqWvo82hUMog4uOktTBTzRuWsf312URVciCpuVL3IPiFaBaE7+\/TPqNosymbt8VuRk945l+Y6AtSc9nAQb3499SD1GsK\/e5AoU7d22la0TuY7Y+EHv2H\/Q9XmugJzi95vZV321pZIkTLaIHW4iwZs+NH2Osu7NnwaDc1DOzz7c4zAmQ\/psxZ7sW5+kihbKtY0V69YH4c\/fVP7I+K6YH9Hxs7gI4uvwpXScnaCd2Rd+RGzh8ZU+uwdE+Vnc9g0hjMTBZxU1NsuNSGWQBbEJKM4yQ5Sclfx91DRIKbLsxVgnZ+9EiVor810JlN\/O\/+aqC0IA7dQ86oUcVavOHgJSlqMJYvJZQFarXXk5qYD3jyaxrjfGn6Qb3pI8Lf9QjVsoNBHWR0BX5dY5QBLICMgrJIvdhPMbvJrzobg1kz2HprZDkm9hXMbaMRw8k\/xqLl+wEbNWcpEgfI90fbfSJgO8Xncmd+LBXyRRkXC8seqqUyqhZlWUbsYV+EMQTg\/7mx\/MVCf6dioTNI0dclHCuXMgn8plnMU8m6x2Dcko2iNIFJYUQIlr2TPG0WggvBb6GpPlTHKhQGMP73uXZEeyrif08apoZ5acLqA5GsqAqcoqmSwC1li8zLgPnqzNKLHY4Jyz5Gs3sIGjrhivi9eHqDeNDXEhCOC1YyH9zIs3A3qdW7uMfvn9+Lipw0UAsRJxJH5q8tire1JgfXUVlMjJyIa3vy3B8ls1WCpkMyuI2wGRkM9xO0oALWhfGKbhcyvsDewJd\/258PpjRhL\/FJ1nrJ7unmEnk2nz5EhMa9Hh48jBh8patUmBkQ4pDeOwRFCfQ0aIccKOBiG2SeEpV2ZtqNQsmK3Y8REoC8O6Acb+aIzO+\/pqli8cUWHF6zTjutoyOzgtdCEq0I8PVUSO95eonu+cRj9t5sIM05FpLKdgJlxVxIm47KFqMTf3apCdaWhzEOA+PY54uG9qhHeyxO8IgpDMxBM9cIKTNNvMRVoYRg="}
00556{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":31,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":16,"flow_packets_processed":1,"flow_first_seen":1549337931211,"flow_last_seen":1549337931211,"flow_idle_time":7440000,"flow_min_l4_payload_len":242,"flow_max_l4_payload_len":242,"flow_tot_l4_payload_len":242,"flow_avg_l4_payload_len":242,"midstream":1,"ts_msec":1549337931211,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49172,"dst_port":389,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -55,8 +61,9 @@
00605{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":35,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":17,"flow_packet_id":2,"flow_last_seen":1549337931219,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":169,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":169,"pkt_l4_len":135,"ts_msec":1549337931219,"pkt":"AAgCHEeupB9ywglqCABFAACbE31AAIAGfe6sEAgIrBAIyQBYwBcKhDl3bkbwtVAYAQD\/bQAAzmwvcX+5XppDtJZXr9PwDYLsp98Hk08TTktA1oPPxQHxyFPFFH6C9d30u8d8saioSDapQyKHHyGt004ct60erCJP9bUby12IBGHwYva7Ha2y2bxZxEn3nV+8BQON\/a2dluoxZFHPI4urPpSWS9H8dnzG6Q=="}
00559{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":36,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":18,"flow_packets_processed":1,"flow_first_seen":1549337931219,"flow_last_seen":1549337931219,"flow_idle_time":7440000,"flow_min_l4_payload_len":1431,"flow_max_l4_payload_len":1431,"flow_tot_l4_payload_len":1431,"flow_avg_l4_payload_len":1431,"midstream":1,"ts_msec":1549337931219,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49176,"dst_port":88,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
02389{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":36,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":18,"flow_packet_id":1,"flow_last_seen":1549337931219,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":1485,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1485,"pkt_l4_len":1451,"ts_msec":1549337931219,"pkt":"pB9ywglqAAgCHEeuCABFAAW\/AJNAAIAGi7SsEAjJrBAICMAYAFg1TYdzLuLg4VAYAQBQtwAAAAAFk2yCBY8wggWLoQMCAQWiAwIBDKOCBRcwggUTMIIE\/6EDAgEBooIE9gSCBPJuggTuMIIE6qADAgEFoQMCAQ6iBwMFAAAAAACjggQ0YYIEMDCCBCygAwIBBaEQGw5IQVBQWUNSQUZULk9SR6IjMCGgAwIBAqEaMBgbBmtyYnRndBsOSEFQUFlDUkFGVC5PUkejggPsMIID6KADAgESoQMCAQKiggPaBIID1hKWdXqL0IxSnZlxRjhHmIFUVS3rvb7i9fEBKrEJ5PVjDXxsAQeDmTL9wweNNg1pCQDRmZ6AE\/m2Y7TGJV\/FdJF\/GLAs\/UE5nC+H+eLE4iuLtnFkH3govXIWXOdlEsqQhROyd4qj2WtH7bxyzZwdtdBzD8HNk\/Zyhfmgmp+oA1+8nXeYYFDFKmqTt9a00HvvmTpJfi0pguIgxY8KmJbF4d1RUkWNuXZ5g7FA43R8i0OyHjh+mwSGoE1gJ\/X8DroluAfskaOHhGVguFx+famY4o8UsY6g4BojHiLERbIlzMsUYRq\/EQf2FuSw8Wc3swODADnnHqoAdpFJG5\/GMQbUUUhsHy5eDXa3\/EPT1ZKqI0bJsr7jOF5G9ytS8thT6E7bOOCcOFN4JNFsCA3bCyRL6jYH2ZedtZMr5yCI40ePAHAaIBbEPTKYDMpCUKxXExG41vrN6dY4CEFLw2Tb4BDinhxjESAIpIw6LOtdRzBrkjiFKjPEj4UBorlhX90DmWgF5dFJbZXz5eOVcZ\/qmOnm8JcuVim8byzO3C2W5go47U+8GNRvk\/iuaoCs18MAuzn4DOtJmgk1eSuxxL9sUZmjkqejNSB6Ny8aYGysoT\/tUR2mS\/10DyxEUb\/M23KvW\/d0nkBg7qCjWXvlLjMDmACl3rd8MXcyqYWqmZcwKWLk5yL3YiZbL90SxemnQHTIY+DWavybHj9SrM5+aINDzqHcDq0aHAhhwNPUOQQH+m0ab759iCYVNaTyITpTWuG6hneFvKoU9d3uSafxpBU5TJfC9PTmhW+\/db+6ouEM0JlNTrwSmfDpaJJPc+gkzn45Pl5k\/7+Abb+s6rWMNfHT+Em3MBbZJYdM0UlQ1xrel8YuJnwOOGyF4x2puehNGP\/\/\/ouwl65KT\/CBdxNVmhdbElBMgwiINySCK0GaA0G8iJuo2p3q21Z3q6PwC\/TBFuSNBvRRaLYdHeXUMMCTZUjjLBHDUqLGGPYiG40kPfZcBzP2U1v\/9gWBK4kWlSfWhwHwDob09dR24nAmYkaTEvrRnFvLOPKhepgPz5FiL+TNVO0x7Q9MEcpXED6nxJ9fgUpL+5AL+5zKjvBqGhTBSFztV5n2jwS9BN5nwKGyQXNwz7M3IugClC01JUeDu8ccEtCesL+sdsbL1EP7jcFCC1EniPRKxntY82esVy8lyQlrXBxmBdMcKVUa21imq65LZV0MJEQvFPcKWd3cpqWETjO2y3rGD5HXk8dwPDck3LvUU56PaEiLP3SNlqGRnDfEXoiRxz6YMXMhdwJMRbqAQJY
a71fsqMLgQ4u3s5WkgZwwgZmgAwIBEqKBkQSBjoWrS7jR3\/ZxrmkklAr5M\/UVPgZBz\/I0MBRDSrLAPTWRtuq1ZhbBTvDmh4JfIoeW\/NN+j\/BIs99fVl1IARv5kJzlvsrT0oz2PdU+R8Rl10wOzwJfT7yBOJecNjJCW1XhiL9p6LojffFaim+4jvn\/X89SbhRBqPbpCCF+yHmow+h4iZkD+HM6Jz3YsaIdiuQwDqEEAgIApaIGBAQfAAAApGQwYqAHAwUAYIEAEKIQGw5IQVBQWUNSQUZULk9SR6MjMCGgAwIBAqEaMBgbBmtyYnRndBsOSEFQUFlDUkFGVC5PUkelERgPMjAzNzA5MTMwMjQ4MDVapwYCBE44s3moBTADAgES"}
+00664{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":36,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":18,"flow_packets_processed":1,"flow_first_seen":1549337931219,"flow_last_seen":1549337931219,"flow_idle_time":7440000,"flow_min_l4_payload_len":1431,"flow_max_l4_payload_len":1431,"flow_tot_l4_payload_len":1431,"flow_avg_l4_payload_len":1431,"midstream":1,"ts_msec":1549337931219,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49176,"dst_port":88,"l4_proto":"tcp","ndpi": {"proto":"Kerberos","breed":"Acceptable","category":"Network"},"kerberos": {"hostname":"","domain":"happycraft.org","username":""}}
02405{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":37,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":18,"flow_packet_id":2,"flow_last_seen":1549337931220,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":1498,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1498,"pkt_l4_len":1464,"ts_msec":1549337931220,"pkt":"AAgCHEeupB9ywglqCABFAAXME4FAAIAGeLmsEAgIrBAIyQBYwBgu4uDhNU2NClAYAQBUPQAAAAAFoG2CBZwwggWYoAMCAQWhAwIBDaMQGw5IQVBQWUNSQUZULk9SR6QYMBagAwIBAaEPMA0bC0pPSE5TT04tUEMkpYIENGGCBDAwggQsoAMCAQWhEBsOSEFQUFlDUkFGVC5PUkeiIzAhoAMCAQKhGjAYGwZrcmJ0Z3QbDkhBUFBZQ1JBRlQuT1JHo4ID7DCCA+igAwIBEqEDAgECooID2gSCA9aIPBwtNxkshczHziSeGRCcSiSC82vdTNNxZoZEqctTILmi\/cPiWo2kj2ZowTM5BfoTzgngU5zy1dblxSYtNNDo790fqKeln68pSwduOA5ekfZ2omIpLyTKi1Uzi5unXScqqLz0hKSsn\/40+2FcuWZE3ZvPuCmZ8SKPEnuc921KBrNqOj\/0DryAdSyI8er0AkE463j84WxyAtyNQDKDrp2ez6929oR6Rx5hbvL8GdKQY9jCLD2rnICMW89Hj9rOupV1OeH78XxxB7MSKm499oGFFneF9SM8YJwXSSMV673PLXubFj6DMrikD2G0Sl6xic8MhWvEbY+QDRNnfGPZAJvMaahqCk8wVuJCt+fkFop+b4toNRK\/McSX15qS4Oue1FamxPlWb8yeZyA7zxXMdyv\/9YdFl51KW6DMdV\/gNQhWVbNsnpHVbk+dZ3hmZuA13vS+pCaVgYWcY8TsTrrqDHUdvkhYH5y6bQXhaba0hTe8Bpqjtkm6\/RTu4J\/\/NKiUQMb9AOVNXKtDTvIFCVxCzbgDhWofcnihAdfiq3GVUSfoJVIjvbiKN6rurAhxZ5G7eeGZ0k0F7hodA7NNCDg1db\/i3Z0nn0sEe0z7aNhzE0ribx16c5Vcg7SzYKcbmYr2SOlrqyDG2wBIue4c+yHf8w4ERFzFfLLBAoUF6TY9mRoNRbKB\/qSAwbDd52vGpnn87rIVg\/QNGVIwMeb1KKPfdaC4wum+6\/FhZgWd0DbrZEhIXl\/8HN6zG+3ywmGFdeC2DFCmO4dETOrfkL6fl3T\/7ku0etROu1j+k26SXEG6Gge01yPUKju51MrjdtHnDZ1Ss42MB0XlUT6U6S5TlEIP\/8k9d0krm1cn0oRERln+NBIaJS\/B2711LZddv4tje7ItSqfXLacjoI7g80JWdXjf4l7SPcZiNeEbp1dMmXrQFZcbRN17kosEr4Tm2W4friYde8+zbAKqoXvVJXbnxAUwEVAGcV\/iPptIl\/xW9mtB0WPhDmkKXm2SfL9rih8OBbowoKkOmIJqQw8CRJRncVK0szyJok+ajlBHDiJgpcZUT8EmfmEr0qJ0qoMeuCqxs8Kf3IstAtgMR7lMBZda98WMq0J06Prxf9X\/7Sw5XHFF0Ihx2VyWiVN3DmzgADoDdivNlyaD8+Octjfvk+ZwiZGCsRMD1d7AL6HjQzrju4nysDHJIjeaKR52nWtCWAZ87qog1mDH+qjQPdMGkDr1FGrVbBXAZcR0K17tOKTw9bgQg9LvLMWeDMDNCEwvA8GHdr\/fAsBPK3PDKVyht8oNdhjar8xKOZRvwzC
OpoIBJjCCASKgAwIBEqKCARkEggEVYp6jTcDi\/gYVd9SDuEsi2VccBape1lXgcuGoeWG1ePxV5NidfJvDEi3F2VmdD04JFUaFb\/GRqNe9F8xWyy86xiJ3eKyJgAfyG7DDQnnFCeKC++4ORaBUkKnIeWwsFqQxh0aL1BrdknGP8u06G6P95r9esj7jUPDXQ1D0+jbs1WpWssKqZMQfUgV0eg9FoEGdVPsUmgNbZN2YPPrxhZ6CEgNOIC\/5aj8NqGMkPPX6xfYF4tbD74dZ3EfC4ry5KcIxNVYXU179as2C\/cihpEMrX8yiZtM91awDzQYUMPKt3\/3WSS96ycQo00pex7Pc1Jh3j49Cr5ckyWXD9SUXbCcOpUpip4\/Jz5Hvsliozjm5inKwUIBTJQ=="}
-00674{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":37,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":18,"flow_packets_processed":2,"flow_first_seen":1549337931219,"flow_last_seen":1549337931220,"flow_idle_time":7440000,"flow_min_l4_payload_len":1431,"flow_max_l4_payload_len":1444,"flow_tot_l4_payload_len":2875,"flow_avg_l4_payload_len":1437,"midstream":1,"ts_msec":1549337931220,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49176,"dst_port":88,"l4_proto":"tcp","ndpi": {"proto":"Kerberos","breed":"Acceptable","category":"Network"},"kerberos": {"hostname":"johnson-pc","domain":"happycraft.org","username":""}}
+00682{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":37,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":18,"flow_packets_processed":2,"flow_first_seen":1549337931219,"flow_last_seen":1549337931220,"flow_idle_time":7440000,"flow_min_l4_payload_len":1431,"flow_max_l4_payload_len":1444,"flow_tot_l4_payload_len":2875,"flow_avg_l4_payload_len":1437,"midstream":1,"ts_msec":1549337931220,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49176,"dst_port":88,"l4_proto":"tcp","ndpi": {"proto":"Kerberos","breed":"Acceptable","category":"Network"},"kerberos": {"hostname":"johnson-pc","domain":"happycraft.org","username":""}}
00556{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":38,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":19,"flow_packets_processed":1,"flow_first_seen":1549337931220,"flow_last_seen":1549337931220,"flow_idle_time":7440000,"flow_min_l4_payload_len":227,"flow_max_l4_payload_len":227,"flow_tot_l4_payload_len":227,"flow_avg_l4_payload_len":227,"midstream":1,"ts_msec":1549337931220,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49174,"dst_port":445,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00760{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":38,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":19,"flow_packet_id":1,"flow_last_seen":1549337931220,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":281,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":281,"pkt_l4_len":247,"ts_msec":1549337931220,"pkt":"pB9ywglqAAgCHEeuCABFAAELAJhAAIAGkGOsEAjJrBAICMAWAb2ZMOb++YgxIFAYAP+McAAAQFskZ7b1ZYO5\/CuVOTe3ZqHs3nhqe1KXhnlBtJ\/qDgyo+sduQpC\/WLkmAdUvTJdV+CtGiwLoGf3Uio50ZE6gilnFEbzLLhzMIw4gwhRvlYwapNctw4G2EkpKfWO1MgMQ0yTGVxtfwAuP0ouYkDi\/6FI97AzDGvp\/R2LK19PAI403fVWk1Cbb2O\/YPOGH5a8hHowuR6tT8UugHDdGGl\/fWl8Wk4rCdi\/3gOYAhRVI6o2ZOHpv4GeBlLgJ6L2WL35O3jhh2e2dr0Fkd\/WG3ET2QLw9x3WRfncFn29f8nOqAUQDRH0="}
00802{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":39,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":19,"flow_packet_id":2,"flow_last_seen":1549337931221,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":314,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":314,"pkt_l4_len":280,"ts_msec":1549337931221,"pkt":"AAgCHEeupB9ywglqCABFAAEsE4VAAIAGfVWsEAgIrBAIyQG9wBb5iDEgmTDn4VAYAP9zWgAAAAABAP5TTUJAAAEAAAAAAAEAHwAJAAAAAAAAAAEAAAAAAAAA\/\/4AAAAAAABdAAAAAAQAAPvWvNgjH\/I48OPxOa5H7a4JAAAASAC4AKGBtTCBsqADCgEAoQsGCSqGSIL3EgECAqKBnQSBmmCBlwYJKoZIhvcSAQICAgBvgYcwgYSgAwIBBaEDAgEPongwdqADAgESom8EbUswX\/mwh6g2ztwHi8\/dTRtvFzo0LVENq7tttT0JwVpKoIxijjsysss5HuCbI3DQGU7C0ILmrl+8phtVtu+2vBMSA9FKWe75R\/a+ST6oEaoDrDjzWfPqdU4xUCgD\/zK6J0O4Dsk+rO8nhy4LUmk="}
@@ -68,9 +75,11 @@
00729{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":43,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":21,"flow_packet_id":2,"flow_last_seen":1549337937701,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":264,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":264,"pkt_l4_len":230,"ts_msec":1549337937701,"pkt":"AAgCHEeupB9ywglqCABFAAD6E6JAAIAGfWqsEAgIrBAIyQGFwBxI3pNwglNt+lAYAQCvQgAAMIQAAADMAgEKYYQAAADDCgEABAAEAIeCALihgbUwgbKgAwoBAKELBgkqhkiC9xIBAgKigZ0EgZpggZcGCSqGSIb3EgECAgIAb4GHMIGEoAMCAQWhAwIBD6J4MHagAwIBEqJvBG2EupGhqTVA+Kxm5vIdkbfFjlPoe8DmjpF\/p2I3j7EwFjqQzavz5jy+cGzZKn09a9y0dyj\/mpeHcqpjjORB3KYfxKGHrDmiKKSYiCwqx86ee7rLKiQPX2z3RSwNa4fWz8uAjgw+I5CkXYbP6rNu"}
00555{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":44,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":22,"flow_packets_processed":1,"flow_first_seen":1549337937703,"flow_last_seen":1549337937703,"flow_idle_time":7440000,"flow_min_l4_payload_len":239,"flow_max_l4_payload_len":239,"flow_tot_l4_payload_len":239,"flow_avg_l4_payload_len":239,"midstream":1,"ts_msec":1549337937703,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49181,"dst_port":88,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00769{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":44,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":22,"flow_packet_id":1,"flow_last_seen":1549337937703,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":293,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":293,"pkt_l4_len":259,"ts_msec":1549337937703,"pkt":"pB9ywglqAAgCHEeuCABFAAEXANlAAIAGkBasEAjJrBAICMAdAFjHhcaiuhdcXlAYAQCv5QAAAAAA62qB6DCB5aEDAgEFogMCAQqjFTATMBGhBAICAICiCQQHMAWgAwEB\/6SBwTCBvqAHAwUAQIEAEKEYMBagAwIBAaEPMA0bC0pPSE5TT04tUEMkohAbDkhBUFBZQ1JBRlQuT1JHoyMwIaADAgECoRowGBsGa3JidGd0Gw5IQVBQWUNSQUZULk9SR6URGA8yMDM3MDkxMzAyNDgwNVqmERgPMjAzNzA5MTMwMjQ4MDVapwYCBFIcW1KoFTATAgESAgERAgEXAgEYAgL\/eQIBA6kdMBswGaADAgEUoRIEEEpPSE5TT04tUEMgICAgICA="}
+00670{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":44,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":22,"flow_packets_processed":1,"flow_first_seen":1549337937703,"flow_last_seen":1549337937703,"flow_idle_time":7440000,"flow_min_l4_payload_len":239,"flow_max_l4_payload_len":239,"flow_tot_l4_payload_len":239,"flow_avg_l4_payload_len":239,"midstream":1,"ts_msec":1549337937703,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49181,"dst_port":88,"l4_proto":"tcp","ndpi": {"proto":"Kerberos","breed":"Acceptable","category":"Network"},"kerberos": {"hostname":"johnson-pc","domain":"happycraft.org","username":""}}
00819{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":45,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":22,"flow_packet_id":2,"flow_last_seen":1549337937703,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":332,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":332,"pkt_l4_len":298,"ts_msec":1549337937703,"pkt":"AAgCHEeupB9ywglqCABFAAE+E6VAAIAGfSOsEAgIrBAIyQBYwB26F1xex4XHkVAYAQDp0AAAAAABEn6CAQ4wggEKoAMCAQWhAwIBHqQRGA8yMDE5MDIwNTAzMzg1NlqlBQIDBJWNpgMCARmpEBsOSEFQUFlDUkFGVC5PUkeqIzAhoAMCAQKhGjAYGwZrcmJ0Z3QbDkhBUFBZQ1JBRlQuT1JHrIGnBIGkMIGhMH6hAwIBE6J3BHUwczA0oAMCARKhLRsrSEFQUFlDUkFGVC5PUkdob3N0am9obnNvbi1wYy5oYXBweWNyYWZ0Lm9yZzAFoAMCARcwNKADAgEDoS0bK0hBUFBZQ1JBRlQuT1JHaG9zdGpvaG5zb24tcGMuaGFwcHljcmFmdC5vcmcwCaEDAgECogIEADAJoQMCARCiAgQAMAmhAwIBD6ICBAA="}
00555{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":46,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":23,"flow_packets_processed":1,"flow_first_seen":1549337937724,"flow_last_seen":1549337937724,"flow_idle_time":7440000,"flow_min_l4_payload_len":319,"flow_max_l4_payload_len":319,"flow_tot_l4_payload_len":319,"flow_avg_l4_payload_len":319,"midstream":1,"ts_msec":1549337937724,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49182,"dst_port":88,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00880{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":46,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":23,"flow_packet_id":1,"flow_last_seen":1549337937724,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":373,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":373,"pkt_l4_len":339,"ts_msec":1549337937724,"pkt":"pB9ywglqAAgCHEeuCABFAAFnAN1AAIAGj8KsEAjJrBAICMAeAFgo\/29go\/Vk0VAYAQAVQgAAAAABO2qCATcwggEzoQMCAQWiAwIBCqNjMGEwTKEDAgECokUEQzBBoAMCARKiOgQ4EwWkoanvLUiVA5eu8uG72\/EPy4+eHAiK9HbftleuqZ7DwBR\/wY3Sc5USTXPr6SJXdlLH8zfIE5MwEaEEAgIAgKIJBAcwBaADAQH\/pIHBMIG+oAcDBQBAgQAQoRgwFqADAgEBoQ8wDRsLSk9ITlNPTi1QQySiEBsOSEFQUFlDUkFGVC5PUkejIzAhoAMCAQKhGjAYGwZrcmJ0Z3QbDkhBUFBZQ1JBRlQuT1JHpREYDzIwMzcwOTEzMDI0ODA1WqYRGA8yMDM3MDkxMzAyNDgwNVqnBgIEUhxbUqgVMBMCARICARECARcCARgCAv95AgEDqR0wGzAZoAMCARShEgQQSk9ITlNPTi1QQyAgICAgIA=="}
+00670{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":46,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":23,"flow_packets_processed":1,"flow_first_seen":1549337937724,"flow_last_seen":1549337937724,"flow_idle_time":7440000,"flow_min_l4_payload_len":319,"flow_max_l4_payload_len":319,"flow_tot_l4_payload_len":319,"flow_avg_l4_payload_len":319,"midstream":1,"ts_msec":1549337937724,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49182,"dst_port":88,"l4_proto":"tcp","ndpi": {"proto":"Kerberos","breed":"Acceptable","category":"Network"},"kerberos": {"hostname":"johnson-pc","domain":"happycraft.org","username":""}}
00600{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":47,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":23,"flow_packet_id":2,"flow_last_seen":1549337937724,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":166,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":166,"pkt_l4_len":132,"ts_msec":1549337937724,"pkt":"AAgCHEeupB9ywglqCABFAACYE6pAAIAGfcSsEAgIrBAIyQBYwB6j9WqFKP9wn1AYAQCbeQAAeBxjGZR555TmhlGtfWdB3hqYo6lYswe6vKpNUcrN1M7KGcxMIdPLYhZ04dECjGI6ypolTWuvt884Bi2lq0pIFbZFVKD3x\/BnUesSWAB9L0qg+5NPzwAEggckaZSGKHdd5sXD0ux4MNvoyw986qY1Nw=="}
00551{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":48,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":24,"flow_packets_processed":1,"flow_first_seen":1549337937725,"flow_last_seen":1549337937725,"flow_idle_time":7440000,"flow_min_l4_payload_len":80,"flow_max_l4_payload_len":80,"flow_tot_l4_payload_len":80,"flow_avg_l4_payload_len":80,"midstream":1,"ts_msec":1549337937725,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49183,"dst_port":88,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00560{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":48,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":24,"flow_packet_id":1,"flow_last_seen":1549337937725,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":134,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":134,"pkt_l4_len":100,"ts_msec":1549337937725,"pkt":"pB9ywglqAAgCHEeuCABFAAB4AONAAIAGkKusEAjJrBAICMAfAFi1TK\/3YmHJT1AYAQDj2wAAbj2wbk+derrxO0c0pxRSdruhR6\/j4Ui\/xNsBa8OfbfRkbAwdywbQynHUORFcFH8maukxsoLa+OhvD2a5+zDPKPlneJ\/sg2b\/GuIvr5ZD3Bg="}
@@ -84,9 +93,11 @@
00751{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":54,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":26,"flow_packet_id":3,"flow_last_seen":1549337940433,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":274,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":274,"pkt_l4_len":240,"ts_msec":1549337940433,"pkt":"pB9ywglqAAgCHEeuCABFAAEEAP9AAIAGkAOsEAjJrBAICMAhwAMZWx3nQJkKeFAYAP\/gGgAABQAOAxAAAADcAIwAAgAAANAW0BYAAAAAAQAAAAEAAQA1QlHjBkvREasEAMBPwtzSBAAAADMFcXG6vjdJgxm12++czDYBAAAACQYAAAAAAAChgYkwgYagAwoBAaJfBF1vWzBZoAMCAQWhAwIBD6JNMEugAwIBEqJEBELB6nut18jCMG03H8TJyLvCf8wWF6F7BqJ4bg85nSMTOiCmzGy+a5tNrq0VYdAt2TCIZ2p1Ys\/DpnWvcPxOp0LCSoajHgQcBAQE\/\/\/\/\/\/8AAAAAVL504MDCo+3fnXZuQhY33A=="}
00555{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":55,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":27,"flow_packets_processed":1,"flow_first_seen":1549337951630,"flow_last_seen":1549337951630,"flow_idle_time":7440000,"flow_min_l4_payload_len":235,"flow_max_l4_payload_len":235,"flow_tot_l4_payload_len":235,"flow_avg_l4_payload_len":235,"midstream":1,"ts_msec":1549337951630,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49187,"dst_port":88,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00764{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":55,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":27,"flow_packet_id":1,"flow_last_seen":1549337951630,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":289,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":289,"pkt_l4_len":255,"ts_msec":1549337951630,"pkt":"pB9ywglqAAgCHEeuCABFAAETAQ1AAIAGj+asEAjJrBAICMAjAFj9jJo6lSyMo1AYAQB4vAAAAAAA52qB5DCB4aEDAgEFogMCAQqjFTATMBGhBAICAICiCQQHMAWgAwEB\/6SBvTCBuqAHAwUAQIEAEKEcMBqgAwIBAaETMBEbD3RoZXJlc2Euam9obnNvbqIMGwpIQVBQWUNSQUZUox8wHaADAgECoRYwFBsGa3JidGd0GwpIQVBQWUNSQUZUpREYDzIwMzcwOTEzMDI0ODA1WqYRGA8yMDM3MDkxMzAyNDgwNVqnBgIEXdv8Z6gVMBMCARICARECARcCARgCAv95AgEDqR0wGzAZoAMCARShEgQQSk9ITlNPTi1QQyAgICAgIA=="}
+00671{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":55,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":27,"flow_packets_processed":1,"flow_first_seen":1549337951630,"flow_last_seen":1549337951630,"flow_idle_time":7440000,"flow_min_l4_payload_len":235,"flow_max_l4_payload_len":235,"flow_tot_l4_payload_len":235,"flow_avg_l4_payload_len":235,"midstream":1,"ts_msec":1549337951630,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49187,"dst_port":88,"l4_proto":"tcp","ndpi": {"proto":"Kerberos","breed":"Acceptable","category":"Network"},"kerberos": {"hostname":"","domain":"happycraft","username":"theresa.johnson"}}
00768{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":56,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":27,"flow_packet_id":2,"flow_last_seen":1549337951631,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":294,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":294,"pkt_l4_len":260,"ts_msec":1549337951631,"pkt":"AAgCHEeupB9ywglqCABFAAEYE9dAAIAGfResEAgIrBAIyQBYwCOVLIyj\/YybJVAYAQAREAAAAAAA7H6B6TCB5qADAgEFoQMCAR6kERgPMjAxOTAyMDUwMzM5MTBapQUCAwNKZqYDAgEZqQwbCkhBUFBZQ1JBRlSqHzAdoAMCAQKhFjAUGwZrcmJ0Z3QbCkhBUFBZQ1JBRlSsgYsEgYgwgYUwYqEDAgETolsEWTBXMCagAwIBEqEfGx1IQVBQWUNSQUZULk9SR3RoZXJlc2Euam9obnNvbjAFoAMCARcwJqADAgEDoR8bHUhBUFBZQ1JBRlQuT1JHdGhlcmVzYS5qb2huc29uMAmhAwIBAqICBAAwCaEDAgEQogIEADAJoQMCAQ+iAgQA"}
00555{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":57,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":28,"flow_packets_processed":1,"flow_first_seen":1549337951638,"flow_last_seen":1549337951638,"flow_idle_time":7440000,"flow_min_l4_payload_len":315,"flow_max_l4_payload_len":315,"flow_tot_l4_payload_len":315,"flow_avg_l4_payload_len":315,"midstream":1,"ts_msec":1549337951638,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49188,"dst_port":88,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00872{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":57,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":28,"flow_packet_id":1,"flow_last_seen":1549337951638,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":369,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":369,"pkt_l4_len":335,"ts_msec":1549337951638,"pkt":"pB9ywglqAAgCHEeuCABFAAFjARFAAIAGj5KsEAjJrBAICMAkAFi0GLZOsNNMHlAYAQAvMAAAAAABN2qCATMwggEvoQMCAQWiAwIBCqNjMGEwTKEDAgECokUEQzBBoAMCARKiOgQ4Wndh9xw8qUUtso0vc8TuP9R5peLYlUKrIi93QkMXsrfVII\/B8UhLSOwTSHwq5LSHP2vURJP\/YpgwEaEEAgIAgKIJBAcwBaADAQH\/pIG9MIG6oAcDBQBAgQAQoRwwGqADAgEBoRMwERsPdGhlcmVzYS5qb2huc29uogwbCkhBUFBZQ1JBRlSjHzAdoAMCAQKhFjAUGwZrcmJ0Z3QbCkhBUFBZQ1JBRlSlERgPMjAzNzA5MTMwMjQ4MDVaphEYDzIwMzcwOTEzMDI0ODA1WqcGAgRd2\/xnqBUwEwIBEgIBEQIBFwIBGAIC\/3kCAQOpHTAbMBmgAwIBFKESBBBKT0hOU09OLVBDICAgICAg"}
+00671{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":57,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":28,"flow_packets_processed":1,"flow_first_seen":1549337951638,"flow_last_seen":1549337951638,"flow_idle_time":7440000,"flow_min_l4_payload_len":315,"flow_max_l4_payload_len":315,"flow_tot_l4_payload_len":315,"flow_avg_l4_payload_len":315,"midstream":1,"ts_msec":1549337951638,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49188,"dst_port":88,"l4_proto":"tcp","ndpi": {"proto":"Kerberos","breed":"Acceptable","category":"Network"},"kerberos": {"hostname":"","domain":"happycraft","username":"theresa.johnson"}}
00667{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":58,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":28,"flow_packet_id":2,"flow_last_seen":1549337951638,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":216,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":216,"pkt_l4_len":182,"ts_msec":1549337951638,"pkt":"AAgCHEeupB9ywglqCABFAADKE9xAAIAGfWCsEAgIrBAIyQBYwCSw01HStBi3iVAYAQA+gAAAtgxIRqdE2xpJueUsyACfoBkRIO2d0vdWoZTH7\/Uq\/IekfUoxUBvBS550+iWChkmhJucRdY1OlQL1WMQC8uhxGdFWaESvp\/JzESFsbwdEK2JaAYNNrn2MyR4+4w4oYIB6xP3aoFYA9y5s01X0oEa\/3ePvjWb66V7pwZZYO9bc89yozmxDtVb4zCT8SyPCYGj7ljiOz9w+sICchbsKK+VkdLL4"}
00551{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":59,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":29,"flow_packets_processed":1,"flow_first_seen":1549337951639,"flow_last_seen":1549337951639,"flow_idle_time":7440000,"flow_min_l4_payload_len":41,"flow_max_l4_payload_len":41,"flow_tot_l4_payload_len":41,"flow_avg_l4_payload_len":41,"midstream":1,"ts_msec":1549337951639,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49189,"dst_port":88,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00502{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":59,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":29,"flow_packet_id":1,"flow_last_seen":1549337951639,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":95,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":95,"pkt_l4_len":61,"ts_msec":1549337951639,"pkt":"pB9ywglqAAgCHEeuCABFAABRARdAAIAGkJ6sEAjJrBAICMAlAFiRlp2kV2CH+1AYAQDPTQAAMzcwOTEzMDI0ODA1WqcGAgRd2\/xvqBIwEAIBEgIBEQIBFwIBGAIC\/3k="}
@@ -116,18 +127,14 @@
00560{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":77,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":11,"flow_packets_processed":6,"flow_first_seen":1549337930219,"flow_last_seen":1549337951711,"flow_idle_time":7440000,"flow_min_l4_payload_len":220,"flow_max_l4_payload_len":375,"flow_tot_l4_payload_len":1682,"flow_avg_l4_payload_len":280,"midstream":1,"ts_msec":1549337952283,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49165,"dst_port":49155,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00574{"flow_event_id":8,"flow_event_name":"not-detected","thread_id":0,"packet_id":77,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":26,"flow_packets_processed":3,"flow_first_seen":1549337940432,"flow_last_seen":1549337940433,"flow_idle_time":7440000,"flow_min_l4_payload_len":220,"flow_max_l4_payload_len":359,"flow_tot_l4_payload_len":863,"flow_avg_l4_payload_len":287,"midstream":1,"ts_msec":1549337952283,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49185,"dst_port":49155,"l4_proto":"tcp","ndpi": {"proto":"Unknown","breed":"Unrated"}}
00559{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":77,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":26,"flow_packets_processed":3,"flow_first_seen":1549337940432,"flow_last_seen":1549337940433,"flow_idle_time":7440000,"flow_min_l4_payload_len":220,"flow_max_l4_payload_len":359,"flow_tot_l4_payload_len":863,"flow_avg_l4_payload_len":287,"midstream":1,"ts_msec":1549337952283,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49185,"dst_port":49155,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
-00668{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":77,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":2,"flow_first_seen":1549337929790,"flow_last_seen":1549337929790,"flow_idle_time":7440000,"flow_min_l4_payload_len":239,"flow_max_l4_payload_len":278,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":258,"midstream":1,"ts_msec":1549337952283,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49157,"dst_port":88,"l4_proto":"tcp","ndpi": {"proto":"Kerberos","breed":"Acceptable","category":"Network"},"kerberos": {"hostname":"johnson-pc","domain":"happycraft.org","username":""}}
00555{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":77,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":2,"flow_first_seen":1549337929790,"flow_last_seen":1549337929790,"flow_idle_time":7440000,"flow_min_l4_payload_len":239,"flow_max_l4_payload_len":278,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":258,"midstream":1,"ts_msec":1549337952283,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49157,"dst_port":88,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
-00668{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":77,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":2,"flow_first_seen":1549337929811,"flow_last_seen":1549337929812,"flow_idle_time":7440000,"flow_min_l4_payload_len":112,"flow_max_l4_payload_len":319,"flow_tot_l4_payload_len":431,"flow_avg_l4_payload_len":215,"midstream":1,"ts_msec":1549337952283,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49158,"dst_port":88,"l4_proto":"tcp","ndpi": {"proto":"Kerberos","breed":"Acceptable","category":"Network"},"kerberos": {"hostname":"johnson-pc","domain":"happycraft.org","username":""}}
00555{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":77,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":2,"flow_first_seen":1549337929811,"flow_last_seen":1549337929812,"flow_idle_time":7440000,"flow_min_l4_payload_len":112,"flow_max_l4_payload_len":319,"flow_tot_l4_payload_len":431,"flow_avg_l4_payload_len":215,"midstream":1,"ts_msec":1549337952283,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49158,"dst_port":88,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00644{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":77,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":2,"flow_first_seen":1549337929815,"flow_last_seen":1549337929815,"flow_idle_time":7440000,"flow_min_l4_payload_len":115,"flow_max_l4_payload_len":137,"flow_tot_l4_payload_len":252,"flow_avg_l4_payload_len":126,"midstream":1,"ts_msec":1549337952283,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49159,"dst_port":88,"l4_proto":"tcp","ndpi": {"proto":"Kerberos","breed":"Acceptable","category":"Network"},"kerberos": {"hostname":"","domain":"","username":""}}
00555{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":77,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":2,"flow_first_seen":1549337929815,"flow_last_seen":1549337929815,"flow_idle_time":7440000,"flow_min_l4_payload_len":115,"flow_max_l4_payload_len":137,"flow_tot_l4_payload_len":252,"flow_avg_l4_payload_len":126,"midstream":1,"ts_msec":1549337952283,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49159,"dst_port":88,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00559{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":77,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":2,"flow_first_seen":1549337929816,"flow_last_seen":1549337929816,"flow_idle_time":7440000,"flow_min_l4_payload_len":1431,"flow_max_l4_payload_len":1444,"flow_tot_l4_payload_len":2875,"flow_avg_l4_payload_len":1437,"midstream":1,"ts_msec":1549337952283,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49160,"dst_port":88,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00644{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":77,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":2,"flow_first_seen":1549337929981,"flow_last_seen":1549337929983,"flow_idle_time":7440000,"flow_min_l4_payload_len":126,"flow_max_l4_payload_len":153,"flow_tot_l4_payload_len":279,"flow_avg_l4_payload_len":139,"midstream":1,"ts_msec":1549337952283,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49162,"dst_port":88,"l4_proto":"tcp","ndpi": {"proto":"Kerberos","breed":"Acceptable","category":"Network"},"kerberos": {"hostname":"","domain":"","username":""}}
00555{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":77,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":2,"flow_first_seen":1549337929981,"flow_last_seen":1549337929983,"flow_idle_time":7440000,"flow_min_l4_payload_len":126,"flow_max_l4_payload_len":153,"flow_tot_l4_payload_len":279,"flow_avg_l4_payload_len":139,"midstream":1,"ts_msec":1549337952283,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49162,"dst_port":88,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
-00668{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":77,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":2,"flow_first_seen":1549337930192,"flow_last_seen":1549337930193,"flow_idle_time":7440000,"flow_min_l4_payload_len":239,"flow_max_l4_payload_len":278,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":258,"midstream":1,"ts_msec":1549337952283,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49166,"dst_port":88,"l4_proto":"tcp","ndpi": {"proto":"Kerberos","breed":"Acceptable","category":"Network"},"kerberos": {"hostname":"johnson-pc","domain":"happycraft.org","username":""}}
00555{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":77,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":2,"flow_first_seen":1549337930192,"flow_last_seen":1549337930193,"flow_idle_time":7440000,"flow_min_l4_payload_len":239,"flow_max_l4_payload_len":278,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":258,"midstream":1,"ts_msec":1549337952283,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49166,"dst_port":88,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
-00668{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":77,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":9,"flow_packets_processed":2,"flow_first_seen":1549337930214,"flow_last_seen":1549337930214,"flow_idle_time":7440000,"flow_min_l4_payload_len":112,"flow_max_l4_payload_len":319,"flow_tot_l4_payload_len":431,"flow_avg_l4_payload_len":215,"midstream":1,"ts_msec":1549337952283,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49167,"dst_port":88,"l4_proto":"tcp","ndpi": {"proto":"Kerberos","breed":"Acceptable","category":"Network"},"kerberos": {"hostname":"johnson-pc","domain":"happycraft.org","username":""}}
00555{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":77,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":9,"flow_packets_processed":2,"flow_first_seen":1549337930214,"flow_last_seen":1549337930214,"flow_idle_time":7440000,"flow_min_l4_payload_len":112,"flow_max_l4_payload_len":319,"flow_tot_l4_payload_len":431,"flow_avg_l4_payload_len":215,"midstream":1,"ts_msec":1549337952283,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49167,"dst_port":88,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00645{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":77,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":10,"flow_packets_processed":2,"flow_first_seen":1549337930217,"flow_last_seen":1549337930217,"flow_idle_time":7440000,"flow_min_l4_payload_len":126,"flow_max_l4_payload_len":153,"flow_tot_l4_payload_len":279,"flow_avg_l4_payload_len":139,"midstream":1,"ts_msec":1549337952283,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49168,"dst_port":88,"l4_proto":"tcp","ndpi": {"proto":"Kerberos","breed":"Acceptable","category":"Network"},"kerberos": {"hostname":"","domain":"","username":""}}
00556{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":77,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":10,"flow_packets_processed":2,"flow_first_seen":1549337930217,"flow_last_seen":1549337930217,"flow_idle_time":7440000,"flow_min_l4_payload_len":126,"flow_max_l4_payload_len":153,"flow_tot_l4_payload_len":279,"flow_avg_l4_payload_len":139,"midstream":1,"ts_msec":1549337952283,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49168,"dst_port":88,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -139,17 +146,13 @@
00645{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":77,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":17,"flow_packets_processed":2,"flow_first_seen":1549337931218,"flow_last_seen":1549337931219,"flow_idle_time":7440000,"flow_min_l4_payload_len":115,"flow_max_l4_payload_len":137,"flow_tot_l4_payload_len":252,"flow_avg_l4_payload_len":126,"midstream":1,"ts_msec":1549337952283,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49175,"dst_port":88,"l4_proto":"tcp","ndpi": {"proto":"Kerberos","breed":"Acceptable","category":"Network"},"kerberos": {"hostname":"","domain":"","username":""}}
00556{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":77,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":17,"flow_packets_processed":2,"flow_first_seen":1549337931218,"flow_last_seen":1549337931219,"flow_idle_time":7440000,"flow_min_l4_payload_len":115,"flow_max_l4_payload_len":137,"flow_tot_l4_payload_len":252,"flow_avg_l4_payload_len":126,"midstream":1,"ts_msec":1549337952283,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49175,"dst_port":88,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00560{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":77,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":18,"flow_packets_processed":2,"flow_first_seen":1549337931219,"flow_last_seen":1549337931220,"flow_idle_time":7440000,"flow_min_l4_payload_len":1431,"flow_max_l4_payload_len":1444,"flow_tot_l4_payload_len":2875,"flow_avg_l4_payload_len":1437,"midstream":1,"ts_msec":1549337952283,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49176,"dst_port":88,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
-00669{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":77,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":22,"flow_packets_processed":2,"flow_first_seen":1549337937703,"flow_last_seen":1549337937703,"flow_idle_time":7440000,"flow_min_l4_payload_len":239,"flow_max_l4_payload_len":278,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":258,"midstream":1,"ts_msec":1549337952283,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49181,"dst_port":88,"l4_proto":"tcp","ndpi": {"proto":"Kerberos","breed":"Acceptable","category":"Network"},"kerberos": {"hostname":"johnson-pc","domain":"happycraft.org","username":""}}
00556{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":77,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":22,"flow_packets_processed":2,"flow_first_seen":1549337937703,"flow_last_seen":1549337937703,"flow_idle_time":7440000,"flow_min_l4_payload_len":239,"flow_max_l4_payload_len":278,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":258,"midstream":1,"ts_msec":1549337952283,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49181,"dst_port":88,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
-00669{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":77,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":23,"flow_packets_processed":2,"flow_first_seen":1549337937724,"flow_last_seen":1549337937724,"flow_idle_time":7440000,"flow_min_l4_payload_len":112,"flow_max_l4_payload_len":319,"flow_tot_l4_payload_len":431,"flow_avg_l4_payload_len":215,"midstream":1,"ts_msec":1549337952283,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49182,"dst_port":88,"l4_proto":"tcp","ndpi": {"proto":"Kerberos","breed":"Acceptable","category":"Network"},"kerberos": {"hostname":"johnson-pc","domain":"happycraft.org","username":""}}
00556{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":77,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":23,"flow_packets_processed":2,"flow_first_seen":1549337937724,"flow_last_seen":1549337937724,"flow_idle_time":7440000,"flow_min_l4_payload_len":112,"flow_max_l4_payload_len":319,"flow_tot_l4_payload_len":431,"flow_avg_l4_payload_len":215,"midstream":1,"ts_msec":1549337952283,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49182,"dst_port":88,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00642{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":77,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":24,"flow_packets_processed":2,"flow_first_seen":1549337937725,"flow_last_seen":1549337937726,"flow_idle_time":7440000,"flow_min_l4_payload_len":40,"flow_max_l4_payload_len":80,"flow_tot_l4_payload_len":120,"flow_avg_l4_payload_len":60,"midstream":1,"ts_msec":1549337952283,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49183,"dst_port":88,"l4_proto":"tcp","ndpi": {"proto":"Kerberos","breed":"Acceptable","category":"Network"},"kerberos": {"hostname":"","domain":"","username":""}}
00553{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":77,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":24,"flow_packets_processed":2,"flow_first_seen":1549337937725,"flow_last_seen":1549337937726,"flow_idle_time":7440000,"flow_min_l4_payload_len":40,"flow_max_l4_payload_len":80,"flow_tot_l4_payload_len":120,"flow_avg_l4_payload_len":60,"midstream":1,"ts_msec":1549337952283,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49183,"dst_port":88,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00645{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":77,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":25,"flow_packets_processed":2,"flow_first_seen":1549337940431,"flow_last_seen":1549337940432,"flow_idle_time":7440000,"flow_min_l4_payload_len":115,"flow_max_l4_payload_len":137,"flow_tot_l4_payload_len":252,"flow_avg_l4_payload_len":126,"midstream":1,"ts_msec":1549337952283,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49186,"dst_port":88,"l4_proto":"tcp","ndpi": {"proto":"Kerberos","breed":"Acceptable","category":"Network"},"kerberos": {"hostname":"","domain":"","username":""}}
00556{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":77,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":25,"flow_packets_processed":2,"flow_first_seen":1549337940431,"flow_last_seen":1549337940432,"flow_idle_time":7440000,"flow_min_l4_payload_len":115,"flow_max_l4_payload_len":137,"flow_tot_l4_payload_len":252,"flow_avg_l4_payload_len":126,"midstream":1,"ts_msec":1549337952283,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49186,"dst_port":88,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
-00670{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":77,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":27,"flow_packets_processed":2,"flow_first_seen":1549337951630,"flow_last_seen":1549337951631,"flow_idle_time":7440000,"flow_min_l4_payload_len":235,"flow_max_l4_payload_len":240,"flow_tot_l4_payload_len":475,"flow_avg_l4_payload_len":237,"midstream":1,"ts_msec":1549337952283,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49187,"dst_port":88,"l4_proto":"tcp","ndpi": {"proto":"Kerberos","breed":"Acceptable","category":"Network"},"kerberos": {"hostname":"","domain":"happycraft","username":"theresa.johnson"}}
00556{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":77,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":27,"flow_packets_processed":2,"flow_first_seen":1549337951630,"flow_last_seen":1549337951631,"flow_idle_time":7440000,"flow_min_l4_payload_len":235,"flow_max_l4_payload_len":240,"flow_tot_l4_payload_len":475,"flow_avg_l4_payload_len":237,"midstream":1,"ts_msec":1549337952283,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49187,"dst_port":88,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
-00670{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":77,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":28,"flow_packets_processed":2,"flow_first_seen":1549337951638,"flow_last_seen":1549337951638,"flow_idle_time":7440000,"flow_min_l4_payload_len":162,"flow_max_l4_payload_len":315,"flow_tot_l4_payload_len":477,"flow_avg_l4_payload_len":238,"midstream":1,"ts_msec":1549337952283,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49188,"dst_port":88,"l4_proto":"tcp","ndpi": {"proto":"Kerberos","breed":"Acceptable","category":"Network"},"kerberos": {"hostname":"","domain":"happycraft","username":"theresa.johnson"}}
00556{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":77,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":28,"flow_packets_processed":2,"flow_first_seen":1549337951638,"flow_last_seen":1549337951638,"flow_idle_time":7440000,"flow_min_l4_payload_len":162,"flow_max_l4_payload_len":315,"flow_tot_l4_payload_len":477,"flow_avg_l4_payload_len":238,"midstream":1,"ts_msec":1549337952283,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49188,"dst_port":88,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00642{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":77,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":29,"flow_packets_processed":2,"flow_first_seen":1549337951639,"flow_last_seen":1549337951639,"flow_idle_time":7440000,"flow_min_l4_payload_len":41,"flow_max_l4_payload_len":66,"flow_tot_l4_payload_len":107,"flow_avg_l4_payload_len":53,"midstream":1,"ts_msec":1549337952283,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49189,"dst_port":88,"l4_proto":"tcp","ndpi": {"proto":"Kerberos","breed":"Acceptable","category":"Network"},"kerberos": {"hostname":"","domain":"","username":""}}
00553{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":77,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":29,"flow_packets_processed":2,"flow_first_seen":1549337951639,"flow_last_seen":1549337951639,"flow_idle_time":7440000,"flow_min_l4_payload_len":41,"flow_max_l4_payload_len":66,"flow_tot_l4_payload_len":107,"flow_avg_l4_payload_len":53,"midstream":1,"ts_msec":1549337952283,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49189,"dst_port":88,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -181,18 +184,18 @@
00557{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":77,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":19,"flow_packets_processed":2,"flow_first_seen":1549337931220,"flow_last_seen":1549337931221,"flow_idle_time":7440000,"flow_min_l4_payload_len":227,"flow_max_l4_payload_len":260,"flow_tot_l4_payload_len":487,"flow_avg_l4_payload_len":243,"midstream":1,"ts_msec":1549337952283,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49174,"dst_port":445,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00589{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":77,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":36,"flow_packets_processed":2,"flow_first_seen":1549337952282,"flow_last_seen":1549337952283,"flow_idle_time":7440000,"flow_min_l4_payload_len":260,"flow_max_l4_payload_len":356,"flow_tot_l4_payload_len":616,"flow_avg_l4_payload_len":308,"midstream":1,"ts_msec":1549337952283,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49194,"dst_port":445,"l4_proto":"tcp","ndpi": {"proto":"SMBv23","breed":"Acceptable","category":"System"}}
00557{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":77,"source":"kerberos.pcap","alias":"nDPId-test","flow_id":36,"flow_packets_processed":2,"flow_first_seen":1549337952282,"flow_last_seen":1549337952283,"flow_idle_time":7440000,"flow_min_l4_payload_len":260,"flow_max_l4_payload_len":356,"flow_tot_l4_payload_len":616,"flow_avg_l4_payload_len":308,"midstream":1,"ts_msec":1549337952283,"l3_proto":"ip4","src_ip":"172.16.8.201","dst_ip":"172.16.8.8","src_port":49194,"dst_port":445,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
-00158{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":77,"source":"kerberos.pcap","alias":"nDPId-test","total-events-serialized":184}
+00158{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":77,"source":"kerberos.pcap","alias":"nDPId-test","total-events-serialized":187}
~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
~~ packets captured/processed: 77/77
~~ skipped flows.............: 0
~~ total layer4 data length..: 24133 bytes
-~~ total detected protocols..: 3
+~~ total detected protocols..: 11
~~ total active/idle flows...: 36/36
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 2060645 bytes
-~~ total memory freed........: 2060645 bytes
-~~ total allocations/frees...: 35556/35556
+~~ total memory allocated....: 4685592 bytes
+~~ total memory freed........: 4685592 bytes
+~~ total allocations/frees...: 99741/99741
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 163 chars
~~ json string max len.......: 2416 chars
diff --git a/test/results/kerberos_fuzz.pcapng.out b/test/results/kerberos_fuzz.pcapng.out
new file mode 100644
index 000000000..c11fca8e7
--- /dev/null
+++ b/test/results/kerberos_fuzz.pcapng.out
@@ -0,0 +1,21 @@
+00449{"daemon_event_id":1,"daemon_event_name":"init","thread_id":0,"packet_id":0,"source":"kerberos_fuzz.pcapng","alias":"nDPId-test","max-flows-per-thread":2048,"max-idle-flows-per-thread":256,"tick-resolution":1000,"reader-thread-count":1,"flow-scan-interval":10000,"generic-max-idle-time":600000,"icmp-max-idle-time":120000,"udp-max-idle-time":180000,"tcp-max-idle-time":7560000,"max-packets-per-flow-to-send":3,"max-packets-per-flow-to-process":255}
+00557{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1,"source":"kerberos_fuzz.pcapng","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1633884084000,"flow_last_seen":1633884084000,"flow_idle_time":7440000,"flow_min_l4_payload_len":260,"flow_max_l4_payload_len":260,"flow_tot_l4_payload_len":260,"flow_avg_l4_payload_len":260,"midstream":1,"ts_msec":1633884084000,"l3_proto":"ip4","src_ip":"126.4.1.0","dst_ip":"19.0.0.0","src_port":88,"dst_port":53646,"l4_proto":"tcp","flow_datalink":228,"flow_max_packets":3}
+00801{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"kerberos_fuzz.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_last_seen":1633884084000,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":288,"pkt_type":2048,"pkt_l3_offset":0,"pkt_l4_offset":20,"pkt_len":288,"pkt_l4_len":268,"ts_msec":1633884084000,"pkt":"RSYBIAFKAAAABn0BfgQBABMAAAAAWNGOAAAAAAAAAQAgAQAAAAAAAGZfRk9VTgAGA0QNChsbGxsbGxsbGxsbJwYGBgYGBgYGBhsbG10bGwYGBgYGBgYGBg0K\/\/\/\/\/05NRWGMG2VyMUnz8\/NDQQEAAAAAAABdKgC3MFD\/AAAAAABfAAAAAAAAAEVhjGlkO\/\/\/\/\/\/\/b2VyWQAAAAAAAABNRQAAAAAAAAAAAAAAAAAAAAAATUxAU0m3MFCjL1MuMlQg80NBTk1FYYxpZDsNCv\/\/\/\/9OTUVhjBtlcjFJ8\/P\/\/\/\/\/AAAAAAAAXSoAtzBQoy9TLkFOTUVhjGlkOw0K\/\/\/\/\/zsNCv\/\/\/\/8vUy4yVEFUIPNDQU5NRWGMaWQ7DQr\/\/\/\/\/"}
+00651{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"kerberos_fuzz.pcapng","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1633884084000,"flow_last_seen":1633884084000,"flow_idle_time":7440000,"flow_min_l4_payload_len":260,"flow_max_l4_payload_len":260,"flow_tot_l4_payload_len":260,"flow_avg_l4_payload_len":260,"midstream":1,"ts_msec":1633884084000,"l3_proto":"ip4","src_ip":"126.4.1.0","dst_ip":"19.0.0.0","src_port":88,"dst_port":53646,"l4_proto":"tcp","ndpi": {"proto":"Kerberos","breed":"Acceptable","category":"Network"},"kerberos": {"hostname":"","domain":"r1ica","username":""}}
+00557{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":1,"source":"kerberos_fuzz.pcapng","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1633884084000,"flow_last_seen":1633884084000,"flow_idle_time":7440000,"flow_min_l4_payload_len":260,"flow_max_l4_payload_len":260,"flow_tot_l4_payload_len":260,"flow_avg_l4_payload_len":260,"midstream":1,"ts_msec":1633884084000,"l3_proto":"ip4","src_ip":"126.4.1.0","dst_ip":"19.0.0.0","src_port":88,"dst_port":53646,"l4_proto":"tcp","flow_datalink":228,"flow_max_packets":3}
+00162{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":1,"source":"kerberos_fuzz.pcapng","alias":"nDPId-test","total-events-serialized":6}
+~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
+~~ packets captured/processed: 1/1
+~~ skipped flows.............: 0
+~~ total layer4 data length..: 260 bytes
+~~ total detected protocols..: 1
+~~ total active/idle flows...: 1/1
+~~ total timeout flows.......: 0
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~ total memory allocated....: 4590468 bytes
+~~ total memory freed........: 4590468 bytes
+~~ total allocations/frees...: 99535/99535
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~ json string min len.......: 167 chars
+~~ json string max len.......: 806 chars
+~~ json string avg len.......: 541 chars
diff --git a/test/results/log4j-webapp-exploit.pcap.out b/test/results/log4j-webapp-exploit.pcap.out
new file mode 100644
index 000000000..e1f85f3b6
--- /dev/null
+++ b/test/results/log4j-webapp-exploit.pcap.out
@@ -0,0 +1,68 @@
+00454{"daemon_event_id":1,"daemon_event_name":"init","thread_id":0,"packet_id":0,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","max-flows-per-thread":2048,"max-idle-flows-per-thread":256,"tick-resolution":1000,"reader-thread-count":1,"flow-scan-interval":10000,"generic-max-idle-time":600000,"icmp-max-idle-time":120000,"udp-max-idle-time":180000,"tcp-max-idle-time":7560000,"max-packets-per-flow-to-send":3,"max-packets-per-flow-to-process":255}
+00563{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1639425815407,"flow_last_seen":1639425815407,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1639425815407,"l3_proto":"ip4","src_ip":"172.16.238.1","dst_ip":"172.16.238.10","src_port":1984,"dst_port":8080,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
+00486{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_last_seen":1639425815407,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":76,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":76,"pkt_l4_len":40,"ts_msec":1639425815407,"pkt":"AAAAAQAGAkJ2jzQWAAAIAEUAADxjYEAAPQamLqwQ7gGsEO4KB8AfkHmWgrEAAAAAoAL68JU2AAACBAW0BAIICq34shoAAAAAAQMDBw=="}
+00487{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_last_seen":1639425815407,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":76,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":76,"pkt_l4_len":40,"ts_msec":1639425815407,"pkt":"AAQAAQAGAkKsEO4KAAAIAEUAADwAAEAAQAYGj6wQ7gqsEO4BH5AHwIo9\/lB5loKyoBJxIDRcAAACBAW0BAIICmhBAYSt+LIaAQMDBw=="}
+00474{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_last_seen":1639425815408,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"ts_msec":1639425815408,"pkt":"AAAAAQAGAkJ2jzQWAAAIAEUAADRjYUAAPQamNawQ7gGsEO4KB8AfkHmWgrKKPf5RgBAB9sqWAAABAQgKrfiyHGhBAYQ="}
+00878{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":4,"flow_first_seen":1639425815407,"flow_last_seen":1639425815415,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":646,"flow_tot_l4_payload_len":646,"flow_avg_l4_payload_len":161,"midstream":0,"ts_msec":1639425815415,"l3_proto":"ip4","src_ip":"172.16.238.1","dst_ip":"172.16.238.10","src_port":1984,"dst_port":8080,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","11":"HTTP Suspicious User-Agent","12":"HTTP Numeric IP Address"},"proto":"HTTP","breed":"Acceptable","category":"Web"},"http": {"hostname":"192.168.13.31","url":"192.168.13.31:8080\/log4shell\/login","code":0,"content_type":"","user_agent":"jndi:ldap:\/\/172.16.238.11:1389\/a"}}
+00348{"packet_event_id":1,"packet_event_name":"packet","thread_id":0,"packet_id":6,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":44,"pkt_type":2054,"pkt_l3_offset":16,"pkt_l4_offset":0,"pkt_len":44,"pkt_l4_len":0,"ts_msec":1639425815682,"pkt":"AAQAAQAGAkKsEO4KAAAIBgABCAAGBAABAkKsEO4KrBDuCgAAAAAAAKwQ7gs="}
+00164{"basic_event_id":2,"basic_event_name":"Unknown L3 protocol","thread_id":0,"packet_id":6,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","protocol":2054}
+00348{"packet_event_id":1,"packet_event_name":"packet","thread_id":0,"packet_id":7,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":44,"pkt_type":2054,"pkt_l3_offset":16,"pkt_l4_offset":0,"pkt_len":44,"pkt_l4_len":0,"ts_msec":1639425815682,"pkt":"AAAAAQAGAkKsEO4LAAAIBgABCAAGBAACAkKsEO4LrBDuCwJCrBDuCqwQ7go="}
+00164{"basic_event_id":2,"basic_event_name":"Unknown L3 protocol","thread_id":0,"packet_id":7,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","protocol":2054}
+00565{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":8,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":1,"flow_first_seen":1639425815682,"flow_last_seen":1639425815682,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1639425815682,"l3_proto":"ip4","src_ip":"172.16.238.10","dst_ip":"172.16.238.11","src_port":57650,"dst_port":1389,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
+00486{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":8,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_last_seen":1639425815682,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":76,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":76,"pkt_l4_len":40,"ts_msec":1639425815682,"pkt":"AAQAAQAGAkKsEO4KAAAIAEUAADycRUAAQAZqP6wQ7gqsEO4L4TIFbQLNSvsAAAAAoAJyEDRmAAACBAW0BAIICvIpEmgAAAAAAQMDBw=="}
+00486{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_last_seen":1639425815683,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":76,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":76,"pkt_l4_len":40,"ts_msec":1639425815683,"pkt":"AAAAAQAGAkKsEO4LAAAIAEUAADwAAEAAQAYGhawQ7gusEO4KBW3hMnt33KkCzUr8oBJxIDRmAAACBAW0BAIICingw2TyKRJoAQMDBw=="}
+00475{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":10,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_last_seen":1639425815683,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"ts_msec":1639425815683,"pkt":"AAQAAQAGAkKsEO4KAAAIAEUAADScRkAAQAZqRqwQ7gqsEO4L4TIFbQLNSvx7d9yqgBAA5TReAAABAQgK8ikSaCngw2Q="}
+00655{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":11,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":4,"flow_first_seen":1639425815682,"flow_last_seen":1639425815692,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":14,"flow_tot_l4_payload_len":14,"flow_avg_l4_payload_len":3,"midstream":0,"ts_msec":1639425815692,"l3_proto":"ip4","src_ip":"172.16.238.10","dst_ip":"172.16.238.11","src_port":57650,"dst_port":1389,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"LDAP","breed":"Acceptable","category":"System"}}
+00564{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":20,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":1,"flow_first_seen":1639425815910,"flow_last_seen":1639425815910,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1639425815910,"l3_proto":"ip4","src_ip":"172.16.238.10","dst_ip":"172.16.238.11","src_port":48444,"dst_port":80,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
+00487{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":20,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_last_seen":1639425815910,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":76,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":76,"pkt_l4_len":40,"ts_msec":1639425815910,"pkt":"AAQAAQAGAkKsEO4KAAAIAEUAADzhTUAAQAYlN6wQ7gqsEO4LvTwAUKwpPLEAAAAAoAJyEDRmAAACBAW0BAIICvIpE0sAAAAAAQMDBw=="}
+00487{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":21,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_last_seen":1639425815910,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":76,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":76,"pkt_l4_len":40,"ts_msec":1639425815910,"pkt":"AAAAAQAGAkKsEO4LAAAIAEUAADwAAEAAQAYGhawQ7gusEO4KAFC9PH3sGAysKTyyoBJxIDRmAAACBAW0BAIICingxEfyKRNLAQMDBw=="}
+00475{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":22,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_last_seen":1639425815910,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"ts_msec":1639425815910,"pkt":"AAQAAQAGAkKsEO4KAAAIAEUAADThTkAAQAYlPqwQ7gqsEO4LvTwAUKwpPLJ97BgNgBAA5TReAAABAQgK8ikTSyngxEc="}
+00773{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":23,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":4,"flow_first_seen":1639425815910,"flow_last_seen":1639425815913,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":208,"flow_tot_l4_payload_len":208,"flow_avg_l4_payload_len":52,"midstream":0,"ts_msec":1639425815913,"l3_proto":"ip4","src_ip":"172.16.238.10","dst_ip":"172.16.238.11","src_port":48444,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"12":"HTTP Numeric IP Address"},"proto":"HTTP","breed":"Acceptable","category":"Web"},"http": {"hostname":"172.16.238.11","url":"172.16.238.11\/Exploit.class","code":0,"content_type":"","user_agent":"Java\/1.8.0_51"}}
+00842{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":25,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":6,"flow_first_seen":1639425815910,"flow_last_seen":1639425815916,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":208,"flow_tot_l4_payload_len":404,"flow_avg_l4_payload_len":67,"midstream":0,"ts_msec":1639425815916,"l3_proto":"ip4","src_ip":"172.16.238.10","dst_ip":"172.16.238.11","src_port":48444,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"4":"Binary application transfer","12":"HTTP Numeric IP Address"},"proto":"HTTP","breed":"Acceptable","category":"Download"},"http": {"hostname":"172.16.238.11","url":"172.16.238.11\/Exploit.class","code":200,"content_type":"application\/java-vm","user_agent":"Java\/1.8.0_51"}}
+00564{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":32,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":1,"flow_first_seen":1639425815944,"flow_last_seen":1639425815944,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1639425815944,"l3_proto":"ip4","src_ip":"172.16.238.10","dst_ip":"10.10.10.31","src_port":55408,"dst_port":9001,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
+00487{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":32,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":1,"flow_last_seen":1639425815944,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":76,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":76,"pkt_l4_len":40,"ts_msec":1639425815944,"pkt":"AAQAAQAGAkKsEO4KAAAIAEUAADw8h0AAQAZP8awQ7goKCgof2HAjKVh5kSAAAAAAoAJyEK5yAAACBAW0BAIICq5YAo8AAAAAAQMDBw=="}
+00487{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":33,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_last_seen":1639425815944,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":76,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":76,"pkt_l4_len":40,"ts_msec":1639425815944,"pkt":"AAAAAQAGAkJ2jzQWAAAIAEUAADwAAEAAQAaMeAoKCh+sEO4KIynYcLp2lFRYeZEhoBJxIK5yAAACBAW0BAIICiCvi5+uWAKPAQMDBw=="}
+00475{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":34,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_last_seen":1639425815944,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"ts_msec":1639425815944,"pkt":"AAQAAQAGAkKsEO4KAAAIAEUAADQ8iEAAQAZP+KwQ7goKCgof2HAjKVh5kSG6dpRVgBAA5a5qAAABAQgKrlgCjyCvi58="}
+00349{"packet_event_id":1,"packet_event_name":"packet","thread_id":0,"packet_id":35,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":44,"pkt_type":2054,"pkt_l3_offset":16,"pkt_l4_offset":0,"pkt_len":44,"pkt_l4_len":0,"ts_msec":1639425820869,"pkt":"AAAAAQAGAkJ2jzQWAAAIBgABCAAGBAABAkJ2jzQWrBDuAQAAAAAAAKwQ7go="}
+00165{"basic_event_id":2,"basic_event_name":"Unknown L3 protocol","thread_id":0,"packet_id":35,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","protocol":2054}
+00349{"packet_event_id":1,"packet_event_name":"packet","thread_id":0,"packet_id":36,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":44,"pkt_type":2054,"pkt_l3_offset":16,"pkt_l4_offset":0,"pkt_len":44,"pkt_l4_len":0,"ts_msec":1639425820869,"pkt":"AAQAAQAGAkKsEO4KAAAIBgABCAAGBAACAkKsEO4KrBDuCgJCdo80FqwQ7gE="}
+00165{"basic_event_id":2,"basic_event_name":"Unknown L3 protocol","thread_id":0,"packet_id":36,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","protocol":2054}
+00584{"flow_event_id":8,"flow_event_name":"not-detected","thread_id":0,"packet_id":290,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":255,"flow_first_seen":1639425815944,"flow_last_seen":1639425831262,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":21,"flow_tot_l4_payload_len":553,"flow_avg_l4_payload_len":2,"midstream":0,"ts_msec":1639425831262,"l3_proto":"ip4","src_ip":"172.16.238.10","dst_ip":"10.10.10.31","src_port":55408,"dst_port":9001,"l4_proto":"tcp","ndpi": {"proto":"Unknown","breed":"Unrated"}}
+00567{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":395,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":1,"flow_first_seen":1639425834628,"flow_last_seen":1639425834628,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1639425834628,"l3_proto":"ip4","src_ip":"172.16.238.10","dst_ip":"172.16.238.11","src_port":57742,"dst_port":1389,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
+00488{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":395,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_last_seen":1639425834628,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":76,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":76,"pkt_l4_len":40,"ts_msec":1639425834628,"pkt":"AAQAAQAGAkKsEO4KAAAIAEUAADxNdkAAQAa5DqwQ7gqsEO4L4Y4FbXfaWIQAAAAAoAJyEDRmAAACBAW0BAIICvIpXGkAAAAAAQMDBw=="}
+00488{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":396,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":2,"flow_last_seen":1639425834628,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":76,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":76,"pkt_l4_len":40,"ts_msec":1639425834628,"pkt":"AAAAAQAGAkKsEO4LAAAIAEUAADwAAEAAQAYGhawQ7gusEO4KBW3hjinD15132liFoBJxIDRmAAACBAW0BAIICinhDWbyKVxpAQMDBw=="}
+00476{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":397,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":3,"flow_last_seen":1639425834628,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"ts_msec":1639425834628,"pkt":"AAQAAQAGAkKsEO4KAAAIAEUAADRNd0AAQAa5FawQ7gqsEO4L4Y4FbXfaWIUpw9eegBAA5TReAAABAQgK8ilcainhDWY="}
+00656{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":398,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":4,"flow_first_seen":1639425834628,"flow_last_seen":1639425834629,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":14,"flow_tot_l4_payload_len":14,"flow_avg_l4_payload_len":3,"midstream":0,"ts_msec":1639425834629,"l3_proto":"ip4","src_ip":"172.16.238.10","dst_ip":"172.16.238.11","src_port":57742,"dst_port":1389,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"LDAP","breed":"Acceptable","category":"System"}}
+00565{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":406,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":1,"flow_first_seen":1639425834639,"flow_last_seen":1639425834639,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1639425834639,"l3_proto":"ip4","src_ip":"172.16.238.10","dst_ip":"172.16.238.11","src_port":48534,"dst_port":80,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
+00488{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":406,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":1,"flow_last_seen":1639425834639,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":76,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":76,"pkt_l4_len":40,"ts_msec":1639425834639,"pkt":"AAQAAQAGAkKsEO4KAAAIAEUAADzOBEAAQAY4gKwQ7gqsEO4LvZYAUJNLn5gAAAAAoAJyEDRmAAACBAW0BAIICvIpXHQAAAAAAQMDBw=="}
+00489{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":407,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":2,"flow_last_seen":1639425834639,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":76,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":76,"pkt_l4_len":40,"ts_msec":1639425834639,"pkt":"AAAAAQAGAkKsEO4LAAAIAEUAADwAAEAAQAYGhawQ7gusEO4KAFC9lr\/2uzmTS5+ZoBJxIDRmAAACBAW0BAIICinhDXHyKVx0AQMDBw=="}
+00477{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":408,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":3,"flow_last_seen":1639425834639,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"ts_msec":1639425834639,"pkt":"AAQAAQAGAkKsEO4KAAAIAEUAADTOBUAAQAY4h6wQ7gqsEO4LvZYAUJNLn5m\/9rs6gBAA5TReAAABAQgK8ilcdSnhDXE="}
+00774{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":409,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":4,"flow_first_seen":1639425834639,"flow_last_seen":1639425834640,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":208,"flow_tot_l4_payload_len":208,"flow_avg_l4_payload_len":52,"midstream":0,"ts_msec":1639425834640,"l3_proto":"ip4","src_ip":"172.16.238.10","dst_ip":"172.16.238.11","src_port":48534,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"12":"HTTP Numeric IP Address"},"proto":"HTTP","breed":"Acceptable","category":"Web"},"http": {"hostname":"172.16.238.11","url":"172.16.238.11\/Exploit.class","code":0,"content_type":"","user_agent":"Java\/1.8.0_51"}}
+00843{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":411,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":6,"flow_first_seen":1639425834639,"flow_last_seen":1639425834641,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":208,"flow_tot_l4_payload_len":404,"flow_avg_l4_payload_len":67,"midstream":0,"ts_msec":1639425834641,"l3_proto":"ip4","src_ip":"172.16.238.10","dst_ip":"172.16.238.11","src_port":48534,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"4":"Binary application transfer","12":"HTTP Numeric IP Address"},"proto":"HTTP","breed":"Acceptable","category":"Download"},"http": {"hostname":"172.16.238.11","url":"172.16.238.11\/Exploit.class","code":200,"content_type":"application\/java-vm","user_agent":"Java\/1.8.0_51"}}
+00565{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":419,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":1,"flow_first_seen":1639425834645,"flow_last_seen":1639425834645,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1639425834645,"l3_proto":"ip4","src_ip":"172.16.238.10","dst_ip":"10.10.10.31","src_port":55498,"dst_port":9001,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
+00489{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":419,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":1,"flow_last_seen":1639425834645,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":76,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":76,"pkt_l4_len":40,"ts_msec":1639425834645,"pkt":"AAQAAQAGAkKsEO4KAAAIAEUAADxNUUAAQAY\/J6wQ7goKCgof2MojKQYXlfcAAAAAoAJyEK5yAAACBAW0BAIICq5YS5wAAAAAAQMDBw=="}
+00460{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":420,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":2,"flow_last_seen":1639425834646,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":56,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":56,"pkt_l4_len":20,"ts_msec":1639425834646,"pkt":"AAAAAQAGAkJ2jzQWAAAIAEUAACgAAEAAQAaMjAoKCh+sEO4KIynYygAAAAAGF5X4UBQAAGmJAAA="}
+00573{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":426,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":15,"flow_first_seen":1639425834628,"flow_last_seen":1639425834647,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":147,"flow_tot_l4_payload_len":294,"flow_avg_l4_payload_len":19,"midstream":0,"ts_msec":1639425834697,"l3_proto":"ip4","src_ip":"172.16.238.10","dst_ip":"172.16.238.11","src_port":57742,"dst_port":1389,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
+00571{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":426,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":9,"flow_first_seen":1639425815407,"flow_last_seen":1639425834697,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":646,"flow_tot_l4_payload_len":869,"flow_avg_l4_payload_len":96,"midstream":0,"ts_msec":1639425834697,"l3_proto":"ip4","src_ip":"172.16.238.1","dst_ip":"172.16.238.10","src_port":1984,"dst_port":8080,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
+00570{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":426,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":354,"flow_first_seen":1639425815944,"flow_last_seen":1639425833586,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":21,"flow_tot_l4_payload_len":861,"flow_avg_l4_payload_len":2,"midstream":0,"ts_msec":1639425834697,"l3_proto":"ip4","src_ip":"172.16.238.10","dst_ip":"10.10.10.31","src_port":55408,"dst_port":9001,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
+00579{"flow_event_id":8,"flow_event_name":"not-detected","thread_id":0,"packet_id":426,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":2,"flow_first_seen":1639425834645,"flow_last_seen":1639425834646,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1639425834697,"l3_proto":"ip4","src_ip":"172.16.238.10","dst_ip":"10.10.10.31","src_port":55498,"dst_port":9001,"l4_proto":"tcp","ndpi": {"proto":"Unknown","breed":"Unrated"}}
+00565{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":426,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":2,"flow_first_seen":1639425834645,"flow_last_seen":1639425834646,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1639425834697,"l3_proto":"ip4","src_ip":"172.16.238.10","dst_ip":"10.10.10.31","src_port":55498,"dst_port":9001,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
+00574{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":426,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":12,"flow_first_seen":1639425815910,"flow_last_seen":1639425815918,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1352,"flow_tot_l4_payload_len":1756,"flow_avg_l4_payload_len":146,"midstream":0,"ts_msec":1639425834697,"l3_proto":"ip4","src_ip":"172.16.238.10","dst_ip":"172.16.238.11","src_port":48444,"dst_port":80,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
+00574{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":426,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":13,"flow_first_seen":1639425834639,"flow_last_seen":1639425834642,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1352,"flow_tot_l4_payload_len":1756,"flow_avg_l4_payload_len":135,"midstream":0,"ts_msec":1639425834697,"l3_proto":"ip4","src_ip":"172.16.238.10","dst_ip":"172.16.238.11","src_port":48534,"dst_port":80,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
+00573{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":426,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":17,"flow_first_seen":1639425815682,"flow_last_seen":1639425833591,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":147,"flow_tot_l4_payload_len":294,"flow_avg_l4_payload_len":17,"midstream":0,"ts_msec":1639425834697,"l3_proto":"ip4","src_ip":"172.16.238.10","dst_ip":"172.16.238.11","src_port":57650,"dst_port":1389,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
+00170{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":426,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","total-events-serialized":53}
+~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
+~~ packets captured/processed: 426/422
+~~ skipped flows.............: 0
+~~ total layer4 data length..: 5830 bytes
+~~ total detected protocols..: 5
+~~ total active/idle flows...: 7/7
+~~ total timeout flows.......: 0
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~ total memory allocated....: 4616209 bytes
+~~ total memory freed........: 4616209 bytes
+~~ total allocations/frees...: 99987/99987
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~ json string min len.......: 169 chars
+~~ json string max len.......: 883 chars
+~~ json string avg len.......: 526 chars
diff --git a/test/results/long_tls_certificate.pcap.out b/test/results/long_tls_certificate.pcap.out
index 2ae22b558..0b571a1a6 100644
--- a/test/results/long_tls_certificate.pcap.out
+++ b/test/results/long_tls_certificate.pcap.out
@@ -3,9 +3,9 @@
00488{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"long_tls_certificate.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_last_seen":1609756181300,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"ts_msec":1609756181300,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGqknAqAE8ag9ke9glAbsIXeEZAAAAALAC\/\/9qjwAAAgQFtAEDAwUBAQgKDpRqEwAAAAAEAgAA"}
00486{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"long_tls_certificate.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_last_seen":1609756181671,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"ts_msec":1609756181671,"pkt":"KDc3AG3IEBMx8Tl2CABFAABAAABAACsGv0lqD2R7wKgBPAG72CWlbC1xCF3hGrASMqDiugAAAgQFrAEBAQEBAQEBAQEBAQEBAQEEAgAA"}
00456{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"long_tls_certificate.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_last_seen":1609756181671,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1609756181671,"pkt":"EBMx8Tl2KDc3AG3ICABFAAAoAABAAEAGqmHAqAE8ag9ke9glAbsIXeEapWwtclAQ\/\/+JLgAA"}
-00802{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"long_tls_certificate.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":4,"flow_first_seen":1609756181300,"flow_last_seen":1609756181681,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1609756181681,"l3_proto":"ip4","src_ip":"192.168.1.60","dst_ip":"106.15.100.123","src_port":55333,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"beacon-api.aliyuncs.com","ja3":"2a26b1a62e40d25d4de3babc9d532f30","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
-00860{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"long_tls_certificate.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":6,"flow_first_seen":1609756181300,"flow_last_seen":1609756182035,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1452,"flow_tot_l4_payload_len":1969,"flow_avg_l4_payload_len":328,"midstream":0,"ts_msec":1609756182035,"l3_proto":"ip4","src_ip":"192.168.1.60","dst_ip":"106.15.100.123","src_port":55333,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"beacon-api.aliyuncs.com","ja3":"2a26b1a62e40d25d4de3babc9d532f30","ja3s":"eee3d2bf5f17d17548ac36ba1872951f","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
-04997{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":12,"source":"long_tls_certificate.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":12,"flow_first_seen":1609756181300,"flow_last_seen":1609756182035,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1452,"flow_tot_l4_payload_len":7375,"flow_avg_l4_payload_len":614,"midstream":0,"ts_msec":1609756182035,"l3_proto":"ip4","src_ip":"192.168.1.60","dst_ip":"106.15.100.123","src_port":55333,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"beacon-api.aliyuncs.com","server_names":"*.aliyun.com,manager.channel.aliyun.com,*.ace.aliyun.com,*.acs-internal.aliyuncs.com,*.acs.aliyun.com,*.aicrowd.aliyun.com,*.alibabacloud.co.in,*.alibabacloud.com,*.alibabacloud.com.au,*.alibabacloud.com.hk,*.alibabacloud.com.my,*.alibabacloud.com.sg,*.alibabacloud.com.tw,*.alicdn.com,*.alicloud.com,*.aligroup.aliyun.com,*.alimei.com,*.alink.aliyun.com,*.alios.aliyuncs.com,*.aliplus.com,*.alitranx.aliyun.com,*.aliyun-iot-share.com,*.aliyuncs.com,*.alyms.cn,*.ap-northeast-1.aliyuncs.com,*.ap-south-1.aliyuncs.com,*.ap-southeast-1.aliyuncs.com,*.ap-southeast-2.aliyuncs.com,*.ap-southeast-3.aliyuncs.com,*.ap-southeast-5.aliyuncs.com,*.api.aliyun.com,*.apm.aliyun.com,*.app.aliyun.com,*.asmlink.cn,*.banma.aliyuncs.com,*.base.shuju.aliyun.com,*.bi.aliyun.com,*.biz.aliyun.com,*.bridge.aliyun.com,*.ccc.aliyuncs.com,*.center.aliyun.com,*.citybrain.aliyun.com,*.cloudapp.aliyun.com,*.cloudeagle.cn,*.cloudgame.aliyun.com,*.cn-beijing.aliyuncs.com,*.cn-chengdu.aliyuncs.com,*.cn-guizhou.aliyuncs.com,*.cn-haidian.aliyuncs.com,*.cn-hangzhou-finance.aliyuncs.com,*.cn-hangzhou.aliyuncs.com,*.cn-hongkong.aliyuncs.com,*.cn-huhehaote.aliyuncs.com,*.cn-ningxia.aliyuncs.com,*.cn-north-2-gov-1.aliyuncs.com,*.cn-qingdao-nebula.aliyuncs.com,*.cn-qingdao.aliyuncs.com,*.cn-shanghai-finance-1.aliyuncs
.com,*.cn-shanghai.aliyun.com,*.cn-shanghai.aliyuncs.com,*.cn-shenzhen-cloudstone.aliyuncs.com,*.cn-shenzhen-finance-1.aliyuncs.com,*.cn-shenzhen.aliyuncs.com,*.cn-sichuan.aliyuncs.com,*.cn-zhangjiakou.aliyuncs.com,*.connect.aliyun.com,*.console.alibabacloud.com,*.console.alicloud.com,*.console.aliyun.com,*.cs.aliyun.com,*.cschat-ccs.aliyun.com,*.data.aliyun.com,*.dataapi.aliyun.com,*.dataq.aliyuncs.com,*.datav.aliyun.com,*.datav.aliyuncs.com,*.devlops.aliyun.com,*.devops.aliyun.com,*.ditu.aliyun.com,*.domain.aliyun.com,*.dyiot.aliyun.com,*.ebs.aliyun.com,*.emas.aliyun.com,*.emr.aliyun.com,*.enterprise.aliyun.com,*.env.aliyun.com,*.et-industry.aliyun.com,*.eu-central-1.aliyuncs.com,*.eu-west-1.aliyuncs.com,*.fc.aliyun.com,*.feedback.console.aliyun.com,*.gts-x.aliyun.com,*.gts.aliyun.com,*.help-ccs.aliyun.com,*.ialicdn.com,*.in-mumbai.aliyuncs.com,*.iot.aliyun.com,*.jp-fudao.aliyuncs.com,*.linkedmall.aliyun.com,*.linkwan.aliyun.com,*.living.aliyun.com,*.luban.aliyun.com,*.m.aliyun.com,*.market.aliyun.com,*.maxcompute.aliyun.com,*.me-east-1.aliyuncs.com,*.media.aliyun.com,*.microdingtalk.aliyun.com,*.mit.aliyun.com,*.mobile.aliyun.com,*.msea.aliyun.com,*.mts.aliyun.com,*.mvp.aliyun.com,*.nebula.aliyun.com,*.nls.aliyuncs.com,*.odps.aliyun.com,*.ons.aliyun.com,*.ose.aliyun.com,*.pai.data.aliyun.com,*.pcs-gw-cn-beijing.aliyun.com,*.pcs-gw-cn-shanghai.aliyun.com,*.phpwind.com,*.phpwind.net,*.pre-sg-purchase.aliyun.com,*.prepub.aliyun.com,*.product.center.aliyun.com,*.pts.aliyun.com,*.r-app-cn-beijing-data.aliyun.com,*.r-app-cn-hangzhou-data.aliyun.com,*.r-app-cn-shenzhen-data.aliyun.com,*.r-app-data.aliyun.com,*.rdc.aliyun.com,*.rds.aliyun.com,*.reid.aliyun.com,*.sc-cmdb.aliyuncs.com,*.scsp.aliyun.com,*.sg.aliyuncs.com,*.shuju.aliyun.com,*.smart.aliyun.com,*.soc.aliyun.com,*.soc.aliyuncs.com,*.sparenode.com,*.supet.com,*.tburl.in,*.teambition.com,*.teambition.net,*.teambitionapis.com,*.tianchi.aliyun.com,*.toolkit.aliyun.com,*.tv.aliyun.com,*.tw-gaoxiong.aliyuncs.com,*.us
-east-1.aliyuncs.com,*.us-west-1.aliyuncs.com,*.webide.aliyun.com,*.yuntu.aliyun.com,account.www.net.cn,alibabacloud.co.in,alibabacloud.com,alibabacloud.com.au,alibabacloud.com.hk,alibabacloud.com.my,alibabacloud.com.sg,alibabacloud.com.tw,alicdn.com,alicloud.com,alimei.com,aliyun-iot-share.com,aliyuncs.com,dc.www.net.cn,dmp.www.net.cn,dns.www.net.cn,panda.www.net.cn,pandavip.www.net.cn,phpwind.com,phpwind.net,scdnphi6.com,sparenode.com,supet.com,tburl.in,teambition.com,teambition.net,teambitionapis.com,tianchi-global.com,whois.www.net.cn,aliyun.com","ja3":"2a26b1a62e40d25d4de3babc9d532f30","ja3s":"eee3d2bf5f17d17548ac36ba1872951f","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2","issuerDN":"C=CN, ST=ZheJiang, L=HangZhou, O=Alibaba (China) Technology Co., Ltd., CN=*.aliyun.com","alpn":"h2,http\/1.1","fingerprint":"2B:C6:82:22:E9:94:09:24:34:E1:5C:F1:24:76:98:75:45:78:53:DA"}}
+00816{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"long_tls_certificate.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":4,"flow_first_seen":1609756181300,"flow_last_seen":1609756181681,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1609756181681,"l3_proto":"ip4","src_ip":"192.168.1.60","dst_ip":"106.15.100.123","src_port":55333,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Alibaba","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"beacon-api.aliyuncs.com","ja3":"2a26b1a62e40d25d4de3babc9d532f30","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
+00874{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"long_tls_certificate.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":6,"flow_first_seen":1609756181300,"flow_last_seen":1609756182035,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1452,"flow_tot_l4_payload_len":1969,"flow_avg_l4_payload_len":328,"midstream":0,"ts_msec":1609756182035,"l3_proto":"ip4","src_ip":"192.168.1.60","dst_ip":"106.15.100.123","src_port":55333,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Alibaba","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"beacon-api.aliyuncs.com","ja3":"2a26b1a62e40d25d4de3babc9d532f30","ja3s":"eee3d2bf5f17d17548ac36ba1872951f","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
+05012{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":12,"source":"long_tls_certificate.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":12,"flow_first_seen":1609756181300,"flow_last_seen":1609756182035,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1452,"flow_tot_l4_payload_len":7375,"flow_avg_l4_payload_len":614,"midstream":0,"ts_msec":1609756182035,"l3_proto":"ip4","src_ip":"192.168.1.60","dst_ip":"106.15.100.123","src_port":55333,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Alibaba","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"beacon-api.aliyuncs.com","server_names":"*.aliyun.com,manager.channel.aliyun.com,*.ace.aliyun.com,*.acs-internal.aliyuncs.com,*.acs.aliyun.com,*.aicrowd.aliyun.com,*.alibabacloud.co.in,*.alibabacloud.com,*.alibabacloud.com.au,*.alibabacloud.com.hk,*.alibabacloud.com.my,*.alibabacloud.com.sg,*.alibabacloud.com.tw,*.alicdn.com,*.alicloud.com,*.aligroup.aliyun.com,*.alimei.com,*.alink.aliyun.com,*.alios.aliyuncs.com,*.aliplus.com,*.alitranx.aliyun.com,*.aliyun-iot-share.com,*.aliyuncs.com,*.alyms.cn,*.ap-northeast-1.aliyuncs.com,*.ap-south-1.aliyuncs.com,*.ap-southeast-1.aliyuncs.com,*.ap-southeast-2.aliyuncs.com,*.ap-southeast-3.aliyuncs.com,*.ap-southeast-5.aliyuncs.com,*.api.aliyun.com,*.apm.aliyun.com,*.app.aliyun.com,*.asmlink.cn,*.banma.aliyuncs.com,*.base.shuju.aliyun.com,*.bi.aliyun.com,*.biz.aliyun.com,*.bridge.aliyun.com,*.ccc.aliyuncs.com,*.center.aliyun.com,*.citybrain.aliyun.com,*.cloudapp.aliyun.com,*.cloudeagle.cn,*.cloudgame.aliyun.com,*.cn-beijing.aliyuncs.com,*.cn-chengdu.aliyuncs.com,*.cn-guizhou.aliyuncs.com,*.cn-haidian.aliyuncs.com,*.cn-hangzhou-finance.aliyuncs.com,*.cn-hangzhou.aliyuncs.com,*.cn-hongkong.aliyuncs.com,*.cn-huhehaote.aliyuncs.com,*.cn-ningxia.aliyuncs.com,*.cn-north-2-gov-1.aliyuncs.com,*.cn-qingdao-nebula.aliyuncs.com,*.cn-qingdao.aliyuncs.com,*.cn-shanghai-fina
nce-1.aliyuncs.com,*.cn-shanghai.aliyun.com,*.cn-shanghai.aliyuncs.com,*.cn-shenzhen-cloudstone.aliyuncs.com,*.cn-shenzhen-finance-1.aliyuncs.com,*.cn-shenzhen.aliyuncs.com,*.cn-sichuan.aliyuncs.com,*.cn-zhangjiakou.aliyuncs.com,*.connect.aliyun.com,*.console.alibabacloud.com,*.console.alicloud.com,*.console.aliyun.com,*.cs.aliyun.com,*.cschat-ccs.aliyun.com,*.data.aliyun.com,*.dataapi.aliyun.com,*.dataq.aliyuncs.com,*.datav.aliyun.com,*.datav.aliyuncs.com,*.devlops.aliyun.com,*.devops.aliyun.com,*.ditu.aliyun.com,*.domain.aliyun.com,*.dyiot.aliyun.com,*.ebs.aliyun.com,*.emas.aliyun.com,*.emr.aliyun.com,*.enterprise.aliyun.com,*.env.aliyun.com,*.et-industry.aliyun.com,*.eu-central-1.aliyuncs.com,*.eu-west-1.aliyuncs.com,*.fc.aliyun.com,*.feedback.console.aliyun.com,*.gts-x.aliyun.com,*.gts.aliyun.com,*.help-ccs.aliyun.com,*.ialicdn.com,*.in-mumbai.aliyuncs.com,*.iot.aliyun.com,*.jp-fudao.aliyuncs.com,*.linkedmall.aliyun.com,*.linkwan.aliyun.com,*.living.aliyun.com,*.luban.aliyun.com,*.m.aliyun.com,*.market.aliyun.com,*.maxcompute.aliyun.com,*.me-east-1.aliyuncs.com,*.media.aliyun.com,*.microdingtalk.aliyun.com,*.mit.aliyun.com,*.mobile.aliyun.com,*.msea.aliyun.com,*.mts.aliyun.com,*.mvp.aliyun.com,*.nebula.aliyun.com,*.nls.aliyuncs.com,*.odps.aliyun.com,*.ons.aliyun.com,*.ose.aliyun.com,*.pai.data.aliyun.com,*.pcs-gw-cn-beijing.aliyun.com,*.pcs-gw-cn-shanghai.aliyun.com,*.phpwind.com,*.phpwind.net,*.pre-sg-purchase.aliyun.com,*.prepub.aliyun.com,*.product.center.aliyun.com,*.pts.aliyun.com,*.r-app-cn-beijing-data.aliyun.com,*.r-app-cn-hangzhou-data.aliyun.com,*.r-app-cn-shenzhen-data.aliyun.com,*.r-app-data.aliyun.com,*.rdc.aliyun.com,*.rds.aliyun.com,*.reid.aliyun.com,*.sc-cmdb.aliyuncs.com,*.scsp.aliyun.com,*.sg.aliyuncs.com,*.shuju.aliyun.com,*.smart.aliyun.com,*.soc.aliyun.com,*.soc.aliyuncs.com,*.sparenode.com,*.supet.com,*.tburl.in,*.teambition.com,*.teambition.net,*.teambitionapis.com,*.tianchi.aliyun.com,*.toolkit.aliyun.com,*.tv.aliyun.com,*.tw-gaoxiong.ali
yuncs.com,*.us-east-1.aliyuncs.com,*.us-west-1.aliyuncs.com,*.webide.aliyun.com,*.yuntu.aliyun.com,account.www.net.cn,alibabacloud.co.in,alibabacloud.com,alibabacloud.com.au,alibabacloud.com.hk,alibabacloud.com.my,alibabacloud.com.sg,alibabacloud.com.tw,alicdn.com,alicloud.com,alimei.com,aliyun-iot-share.com,aliyuncs.com,dc.www.net.cn,dmp.www.net.cn,dns.www.net.cn,panda.www.net.cn,pandavip.www.net.cn,phpwind.com,phpwind.net,scdnphi6.com,sparenode.com,supet.com,tburl.in,teambition.com,teambition.net,teambitionapis.com,tianchi-global.com,whois.www.net.cn,aliyun.com","ja3":"2a26b1a62e40d25d4de3babc9d532f30","ja3s":"eee3d2bf5f17d17548ac36ba1872951f","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2","subjectDN":"C=CN, ST=ZheJiang, L=HangZhou, O=Alibaba (China) Technology Co., Ltd., CN=*.aliyun.com","alpn":"h2,http\/1.1","fingerprint":"2B:C6:82:22:E9:94:09:24:34:E1:5C:F1:24:76:98:75:45:78:53:DA"}}
00573{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":47,"source":"long_tls_certificate.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":47,"flow_first_seen":1609756181300,"flow_last_seen":1609756183162,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1452,"flow_tot_l4_payload_len":12100,"flow_avg_l4_payload_len":257,"midstream":0,"ts_msec":1609756183162,"l3_proto":"ip4","src_ip":"192.168.1.60","dst_ip":"106.15.100.123","src_port":55333,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00169{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":47,"source":"long_tls_certificate.pcap","alias":"nDPId-test","total-events-serialized":10}
~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
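Review bot: The regenerated `detected` event (packet_id 4) still records `"ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"`, which reads as a negotiated NULL cipher suite that is nevertheless marked not unsafe. The next `detection-update` carries the real suite (`TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`) and a populated `ja3s`, so the first value is presumably the unset placeholder emitted before the ServerHello was parsed. A consumer alerting on weak ciphers cannot tell that placeholder from a genuine NULL suite. I would have the serializer in nDPId.c omit `cipher`, `unsafe_cipher` and `ja3s` until the server side has been seen, then regenerate this file; that change lies outside this hunk.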
@@ -16,10 +16,10 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 2326755 bytes
-~~ total memory freed........: 2326755 bytes
-~~ total allocations/frees...: 35578/35578
+~~ total memory allocated....: 4989070 bytes
+~~ total memory freed........: 4989070 bytes
+~~ total allocations/frees...: 99774/99774
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 174 chars
-~~ json string max len.......: 5002 chars
-~~ json string avg len.......: 2394 chars
+~~ json string max len.......: 5017 chars
+~~ json string avg len.......: 2401 chars
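Review bot: The allocator totals in this expected output go from 2326755 to 4989070 bytes and from 35578 to 99774 allocations for a one-flow capture, and the same jump appears in the malformed_dns and malformed_icmp summaries further down. That is more than double the per-run memory, presumably from the libnDPI submodule update in this commit, and nothing visible here says whether it is expected. Because these counters move with every library bump, I would have the test assert only that allocated equals freed and keep the absolute totals out of the golden files, so that real detection changes stand out in review.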
diff --git a/test/results/malformed_dns.pcap.out b/test/results/malformed_dns.pcap.out
index 1e3095652..664f56226 100644
--- a/test/results/malformed_dns.pcap.out
+++ b/test/results/malformed_dns.pcap.out
@@ -3,10 +3,10 @@
00471{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"malformed_dns.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_last_seen":1591551760342,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":70,"pkt_l4_len":36,"ts_msec":1591551760342,"pkt":"AAAAAAAAAAAAAAAACABFAAA4nToAAEAR33h\/AAABfwAAAcUDADUAJP43hLQBAAABAAAAAAAAA3d3dwJ4dANjb20AAAEAAQ=="}
00707{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"malformed_dns.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1591551760342,"flow_last_seen":1591551760342,"flow_idle_time":180000,"flow_min_l4_payload_len":28,"flow_max_l4_payload_len":28,"flow_tot_l4_payload_len":28,"flow_avg_l4_payload_len":28,"midstream":0,"ts_msec":1591551760342,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":50435,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS","breed":"Acceptable","category":"Network"},"dns": {"query":"www.xt.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
02643{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"malformed_dns.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_last_seen":1591551760357,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1430,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1430,"pkt_l4_len":1396,"ts_msec":1591551760357,"pkt":"\/\/\/\/\/\/\/\/AAAAAAAACABFAAWIAAEAAEARd2J\/AAABfwAAAQA1xQMFdLSchLSBAAACAAIAAAAAA3d3dwJ4dANjb20AAAEAASJBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBPwAAAAA\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8+Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz\/AQD0+Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz
8\/Pz8\/Pz8\/Pz8\/Pz8\/wEHAQjs8PT4\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/P8BDwETARcBGNzg5Ojs8PT4\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz\/AR8BIwEnASsBLwEzATcBOLzAxMjM0NTY3ODk6Ozw9Pj8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/wE\/AUMBRwFLAU8BUwFXAVsBXwFjAWcBawFvAXMBdwF4fICEiIyQlJicoKSorLC0uLzAxMjM0NTY3ODk6Ozw9PsBfwGDAYcBiwGPAZMBlwGbAZ8BowGnAasBrwGzAbcBuwG\/AcMBxwHLAc8B0wHXAdsB3wHjAecB6wHvAfMB9wH4AAQABwAwAAQABAAAAAAAEQkJCQsAMAAUAAQAAAAAATANBQUE\/MDAwMDEwMDAyMDAxMTAwMTIwMDIxMDAyMjAxMDEwMjAxMTEwMTEyMDEyMTAxMjIwMjAyMTEwMjEyMDIyMTAyBQAAAAAAwP8="}
-00799{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2,"source":"malformed_dns.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":2,"flow_first_seen":1591551760342,"flow_last_seen":1591551760357,"flow_idle_time":180000,"flow_min_l4_payload_len":28,"flow_max_l4_payload_len":1388,"flow_tot_l4_payload_len":1416,"flow_avg_l4_payload_len":708,"midstream":0,"ts_msec":1591551760357,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":50435,"dst_port":53,"l4_proto":"udp","ndpi": {"flow_risk": {"17":"Malformed packet","37":"DNS packet larger than 512 bytes"},"proto":"DNS","breed":"Acceptable","category":"Network"},"dns": {"query":"www.xt.com","num_queries":2,"num_answers":2,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"0.0.0.0"}}
+00759{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2,"source":"malformed_dns.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":2,"flow_first_seen":1591551760342,"flow_last_seen":1591551760357,"flow_idle_time":180000,"flow_min_l4_payload_len":28,"flow_max_l4_payload_len":1388,"flow_tot_l4_payload_len":1416,"flow_avg_l4_payload_len":708,"midstream":0,"ts_msec":1591551760357,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":50435,"dst_port":53,"l4_proto":"udp","ndpi": {"flow_risk": {"17":"Malformed packet"},"proto":"DNS","breed":"Acceptable","category":"Network"},"dns": {"query":"www.xt.com","num_queries":2,"num_answers":2,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"0.0.0.0"}}
02643{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"malformed_dns.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_last_seen":1591551760372,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1430,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1430,"pkt_l4_len":1396,"ts_msec":1591551760372,"pkt":"\/\/\/\/\/\/\/\/AAAAAAAACABFAAWIAAEAAEARd2J\/AAABfwAAAQA1xQMFdLSchLSBAAACAAIAAAAAA3d3dwJ4dANjb20AAAEAASJBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBPwAAAAA\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8+Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz\/AQD0+Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz
8\/Pz8\/Pz8\/Pz8\/Pz8\/wEHAQjs8PT4\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/P8BDwETARcBGNzg5Ojs8PT4\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz\/AR8BIwEnASsBLwEzATcBOLzAxMjM0NTY3ODk6Ozw9Pj8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/Pz8\/wE\/AUMBRwFLAU8BUwFXAVsBXwFjAWcBawFvAXMBdwF4fICEiIyQlJicoKSorLC0uLzAxMjM0NTY3ODk6Ozw9PsBfwGDAYcBiwGPAZMBlwGbAZ8BowGnAasBrwGzAbcBuwG\/AcMBxwHLAc8B0wHXAdsB3wHjAecB6wHvAfMB9wH4AAQABwAwAAQABAAAAAAAEQkJCQsAMAAUAAQAAAAAATANBQUE\/MDAwMDEwMDAyMDAxMTAwMTIwMDIxMDAyMjAxMDEwMjAxMTEwMTEyMDEyMTAxMjIwMjAyMTEwMjEyMDIyMTAyBQAAAAAAwP8="}
-00799{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":4,"source":"malformed_dns.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":4,"flow_first_seen":1591551760342,"flow_last_seen":1591551765342,"flow_idle_time":180000,"flow_min_l4_payload_len":28,"flow_max_l4_payload_len":1388,"flow_tot_l4_payload_len":2832,"flow_avg_l4_payload_len":708,"midstream":0,"ts_msec":1591551765342,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":50435,"dst_port":53,"l4_proto":"udp","ndpi": {"flow_risk": {"17":"Malformed packet","37":"DNS packet larger than 512 bytes"},"proto":"DNS","breed":"Acceptable","category":"Network"},"dns": {"query":"www.xt.com","num_queries":2,"num_answers":2,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"0.0.0.0"}}
-00799{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":5,"source":"malformed_dns.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":5,"flow_first_seen":1591551760342,"flow_last_seen":1591551765355,"flow_idle_time":180000,"flow_min_l4_payload_len":28,"flow_max_l4_payload_len":1388,"flow_tot_l4_payload_len":4220,"flow_avg_l4_payload_len":844,"midstream":0,"ts_msec":1591551765355,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":50435,"dst_port":53,"l4_proto":"udp","ndpi": {"flow_risk": {"17":"Malformed packet","37":"DNS packet larger than 512 bytes"},"proto":"DNS","breed":"Acceptable","category":"Network"},"dns": {"query":"www.xt.com","num_queries":2,"num_answers":2,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"0.0.0.0"}}
+00759{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":4,"source":"malformed_dns.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":4,"flow_first_seen":1591551760342,"flow_last_seen":1591551765342,"flow_idle_time":180000,"flow_min_l4_payload_len":28,"flow_max_l4_payload_len":1388,"flow_tot_l4_payload_len":2832,"flow_avg_l4_payload_len":708,"midstream":0,"ts_msec":1591551765342,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":50435,"dst_port":53,"l4_proto":"udp","ndpi": {"flow_risk": {"17":"Malformed packet"},"proto":"DNS","breed":"Acceptable","category":"Network"},"dns": {"query":"www.xt.com","num_queries":2,"num_answers":2,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"0.0.0.0"}}
+00759{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":5,"source":"malformed_dns.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":5,"flow_first_seen":1591551760342,"flow_last_seen":1591551765355,"flow_idle_time":180000,"flow_min_l4_payload_len":28,"flow_max_l4_payload_len":1388,"flow_tot_l4_payload_len":4220,"flow_avg_l4_payload_len":844,"midstream":0,"ts_msec":1591551765355,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":50435,"dst_port":53,"l4_proto":"udp","ndpi": {"flow_risk": {"17":"Malformed packet"},"proto":"DNS","breed":"Acceptable","category":"Network"},"dns": {"query":"www.xt.com","num_queries":2,"num_answers":2,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"0.0.0.0"}}
00555{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":6,"source":"malformed_dns.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":6,"flow_first_seen":1591551760342,"flow_last_seen":1591551765368,"flow_idle_time":180000,"flow_min_l4_payload_len":28,"flow_max_l4_payload_len":1388,"flow_tot_l4_payload_len":5608,"flow_avg_l4_payload_len":934,"midstream":0,"ts_msec":1591551765368,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":50435,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00161{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":6,"source":"malformed_dns.pcap","alias":"nDPId-test","total-events-serialized":11}
~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
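Review bot: The three `detection-update` events for this capture lose `"37":"DNS packet larger than 512 bytes"` from `flow_risk`, although the UDP responses they describe still show `pkt_l4_len` 1396 and `flow_max_l4_payload_len` 1388. Only `"17":"Malformed packet"` remains, so the expected output no longer reports an oversized DNS reply as such. If this comes from the libnDPI submodule update (the risk may have been renumbered or gated on another condition), the commit message should say so; otherwise this golden file is recording a detection regression. I would check it against libnDPI's risk table before accepting the regenerated result.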
@@ -17,9 +17,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1928298 bytes
-~~ total memory freed........: 1928298 bytes
-~~ total allocations/frees...: 35344/35344
+~~ total memory allocated....: 4590613 bytes
+~~ total memory freed........: 4590613 bytes
+~~ total allocations/frees...: 99540/99540
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 166 chars
~~ json string max len.......: 2648 chars
diff --git a/test/results/malformed_icmp.pcap.out b/test/results/malformed_icmp.pcap.out
index f103423a1..732dbad3a 100644
--- a/test/results/malformed_icmp.pcap.out
+++ b/test/results/malformed_icmp.pcap.out
@@ -12,9 +12,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1928153 bytes
-~~ total memory freed........: 1928153 bytes
-~~ total allocations/frees...: 35339/35339
+~~ total memory allocated....: 4590468 bytes
+~~ total memory freed........: 4590468 bytes
+~~ total allocations/frees...: 99535/99535
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 166 chars
~~ json string max len.......: 604 chars
diff --git a/test/results/malware.pcap.out b/test/results/malware.pcap.out
index 7fead6e6a..a5e4cc839 100644
--- a/test/results/malware.pcap.out
+++ b/test/results/malware.pcap.out
@@ -6,7 +6,7 @@
00729{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2,"source":"malware.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":2,"flow_first_seen":1569571466977,"flow_last_seen":1569571467001,"flow_idle_time":180000,"flow_min_l4_payload_len":64,"flow_max_l4_payload_len":68,"flow_tot_l4_payload_len":132,"flow_avg_l4_payload_len":66,"midstream":0,"ts_msec":1569571467001,"l3_proto":"ip4","src_ip":"192.168.7.7","dst_ip":"1.1.1.1","src_port":42370,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS","breed":"Acceptable","category":"Network"},"dns": {"query":"www.internetbadguys.com","num_queries":1,"num_answers":2,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"67.215.92.210"}}
00521{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":3,"source":"malware.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":1,"flow_first_seen":1569571470672,"flow_last_seen":1569571470672,"flow_idle_time":120000,"flow_min_l4_payload_len":64,"flow_max_l4_payload_len":64,"flow_tot_l4_payload_len":64,"flow_avg_l4_payload_len":64,"midstream":0,"ts_msec":1569571470672,"l3_proto":"ip4","src_ip":"192.168.7.7","dst_ip":"144.139.247.220","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3}
00500{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"malware.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_last_seen":1569571470672,"flow_idle_time":120000,"pkt_oversize":false,"pkt_caplen":98,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":98,"pkt_l4_len":64,"ts_msec":1569571470672,"pkt":"CGoKOl4eMFLLbJwbCABFAABU4M1AAEABCcTAqAcHkIv33AgApMYAAQABjsKNXQAAAABuRAoAAAAAABAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4vMDEyMzQ1Njc="}
-00554{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":3,"source":"malware.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":1,"flow_first_seen":1569571470672,"flow_last_seen":1569571470672,"flow_idle_time":120000,"flow_min_l4_payload_len":64,"flow_max_l4_payload_len":64,"flow_tot_l4_payload_len":64,"flow_avg_l4_payload_len":64,"midstream":0,"ts_msec":1569571470672,"l3_proto":"ip4","src_ip":"192.168.7.7","dst_ip":"144.139.247.220","l4_proto":"icmp","ndpi": {"proto":"ICMP","breed":"Acceptable","category":"Network"}}
+00573{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":3,"source":"malware.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":1,"flow_first_seen":1569571470672,"flow_last_seen":1569571470672,"flow_idle_time":120000,"flow_min_l4_payload_len":64,"flow_max_l4_payload_len":64,"flow_tot_l4_payload_len":64,"flow_avg_l4_payload_len":64,"midstream":0,"ts_msec":1569571470672,"l3_proto":"ip4","src_ip":"192.168.7.7","dst_ip":"144.139.247.220","l4_proto":"icmp","ndpi": {"proto":"ICMP","breed":"Acceptable","category":"Network"},"entropy":5.297900}
00548{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":4,"source":"malware.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":1,"flow_first_seen":1569571476362,"flow_last_seen":1569571476362,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1569571476362,"l3_proto":"ip4","src_ip":"192.168.7.7","dst_ip":"144.139.247.220","src_port":33706,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00457{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4,"source":"malware.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_last_seen":1569571476362,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1569571476362,"pkt":"CGoKOl4eMFLLbJwbCABFAAA0sPtAAEAGObHAqAcHkIv33IOqAFCfbfb4AAAAAIAC+vBQPgAAAgQFtAEBBAIBAwMH"}
00587{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":5,"source":"malware.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":1,"flow_first_seen":1569571476362,"flow_last_seen":1569571476362,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1569579408876,"l3_proto":"ip4","src_ip":"192.168.7.7","dst_ip":"144.139.247.220","src_port":33706,"dst_port":80,"l4_proto":"tcp","ndpi": {"proto":"HTTP","breed":"Acceptable","category":"Web"},"http": {}}
@@ -21,9 +21,9 @@
00457{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":7,"source":"malware.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_last_seen":1569579416636,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1569579416636,"pkt":"CGoKOl4eMFLLbJwbCABFAAA0xe5AAEAGDH3AqAcHQ9dc0omkAbvdSlrrAAAAAIAC+vBofwAAAgQFtAEBBAIBAwMH"}
00457{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":8,"source":"malware.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":2,"flow_last_seen":1569579416828,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1569579416828,"pkt":"MFLLbJwbCGoKOl4eCABFAAA0AABAADgG2mtD11zSwKgHBwG7iaQdaco+3Upa7IASchDpWQAAAgQFtAEBBAIBAwMH"}
00441{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9,"source":"malware.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":3,"flow_last_seen":1569579416828,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1569579416828,"pkt":"CGoKOl4eMFLLbJwbCABFAAAoxe9AAEAGDIjAqAcHQ9dc0omkAbvdSlrsHWnKP1AQAfZocwAA"}
-00859{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":10,"source":"malware.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":4,"flow_first_seen":1569579416636,"flow_last_seen":1569579416830,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1569579416830,"l3_proto":"ip4","src_ip":"192.168.7.7","dst_ip":"67.215.92.210","src_port":35236,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.OpenDNS","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.internetbadguys.com","ja3":"f6ce47303dce394049af395fc6d0bc20","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-00915{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":12,"source":"malware.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":6,"flow_first_seen":1569579416636,"flow_last_seen":1569579417029,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":1977,"flow_avg_l4_payload_len":329,"midstream":0,"ts_msec":1569579417029,"l3_proto":"ip4","src_ip":"192.168.7.7","dst_ip":"67.215.92.210","src_port":35236,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.OpenDNS","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.internetbadguys.com","ja3":"f6ce47303dce394049af395fc6d0bc20","ja3s":"0c0aff9ccea5e7e1de5c3a0069d103f3","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-02334{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":16,"source":"malware.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":10,"flow_first_seen":1569579416636,"flow_last_seen":1569579417030,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":4897,"flow_avg_l4_payload_len":489,"midstream":0,"ts_msec":1569579417030,"l3_proto":"ip4","src_ip":"192.168.7.7","dst_ip":"67.215.92.210","src_port":35236,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"10":"TLS Certificate Mismatch"},"proto":"TLS.OpenDNS","breed":"Acceptable","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.internetbadguys.com","server_names":"api.opendns.com,branded-login.opendns.com,cachecheck.opendns.com,community.opendns.com,dashboard2.opendns.com,dashboard.opendns.com,dashboard-ipv4.opendns.com,msp-login.opendns.com,api-ipv4.opendns.com,api-ipv6.opendns.com,authz.api.opendns.com,domain.opendns.com,help.vpn.opendns.com,ideabank.opendns.com,login.opendns.com,netgear.opendns.com,reseller-login.opendns.com,images.opendns.com,images-using.opendns.com,store.opendns.com,signup.opendns.com,twilio.opendns.com,updates.opendns.com,shared.opendns.com,tools.opendns.com,cache.opendns.com,api.umbrella.com,branded-login.umbrella.com,cachecheck.umbrella.com,community.umbrella.com,dashboard2.umbrella.com,dashboard.umbrella.com,dashboard-ipv4.umbrella.com,msp-login.umbrella.com,api-ipv4.umbrella.com,api-ipv6.umbrella.com,authz.api.umbrella.com,domain.umbrella.com,help.vpn.umbrella.com,ideabank.umbrella.com,login.umbrella.com,netgear.umbrella.com,reseller-login.umbrella.com,images.umbrella.com,images-using.umbrella.com,store.umbrella.com,signup.umbrella.com,twilio.umbrella.com,updates.umbrella.com,shared.umbrella.com,tools.umbrella.com,cache.umbrella.com","ja3":"f6ce47303dce394049af395fc6d0bc20","ja3s":"0c0aff9ccea5e7e1de5c3a0069d103f3","unsafe_cipher":0,"cipher":"TLS_ECDHE_RS
A_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","issuerDN":"C=US, ST=California, L=San Francisco, O=OpenDNS, Inc., CN=api.opendns.com","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"21:B4:CF:84:13:3A:21:A4:B0:02:63:76:39:84:EA:ED:27:EE:51:7C"}}
+00859{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":10,"source":"malware.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":4,"flow_first_seen":1569579416636,"flow_last_seen":1569579416830,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1569579416830,"l3_proto":"ip4","src_ip":"192.168.7.7","dst_ip":"67.215.92.210","src_port":35236,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.OpenDNS","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.internetbadguys.com","ja3":"b20b44b18b853ef29ab773e921b03422","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+00915{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":12,"source":"malware.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":6,"flow_first_seen":1569579416636,"flow_last_seen":1569579417029,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":1977,"flow_avg_l4_payload_len":329,"midstream":0,"ts_msec":1569579417029,"l3_proto":"ip4","src_ip":"192.168.7.7","dst_ip":"67.215.92.210","src_port":35236,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.OpenDNS","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.internetbadguys.com","ja3":"b20b44b18b853ef29ab773e921b03422","ja3s":"0c0aff9ccea5e7e1de5c3a0069d103f3","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+02335{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":16,"source":"malware.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":10,"flow_first_seen":1569579416636,"flow_last_seen":1569579417030,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":4897,"flow_avg_l4_payload_len":489,"midstream":0,"ts_msec":1569579417030,"l3_proto":"ip4","src_ip":"192.168.7.7","dst_ip":"67.215.92.210","src_port":35236,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"10":"TLS Certificate Mismatch"},"proto":"TLS.OpenDNS","breed":"Acceptable","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.internetbadguys.com","server_names":"api.opendns.com,branded-login.opendns.com,cachecheck.opendns.com,community.opendns.com,dashboard2.opendns.com,dashboard.opendns.com,dashboard-ipv4.opendns.com,msp-login.opendns.com,api-ipv4.opendns.com,api-ipv6.opendns.com,authz.api.opendns.com,domain.opendns.com,help.vpn.opendns.com,ideabank.opendns.com,login.opendns.com,netgear.opendns.com,reseller-login.opendns.com,images.opendns.com,images-using.opendns.com,store.opendns.com,signup.opendns.com,twilio.opendns.com,updates.opendns.com,shared.opendns.com,tools.opendns.com,cache.opendns.com,api.umbrella.com,branded-login.umbrella.com,cachecheck.umbrella.com,community.umbrella.com,dashboard2.umbrella.com,dashboard.umbrella.com,dashboard-ipv4.umbrella.com,msp-login.umbrella.com,api-ipv4.umbrella.com,api-ipv6.umbrella.com,authz.api.umbrella.com,domain.umbrella.com,help.vpn.umbrella.com,ideabank.umbrella.com,login.umbrella.com,netgear.umbrella.com,reseller-login.umbrella.com,images.umbrella.com,images-using.umbrella.com,store.umbrella.com,signup.umbrella.com,twilio.umbrella.com,updates.umbrella.com,shared.umbrella.com,tools.umbrella.com,cache.umbrella.com","ja3":"b20b44b18b853ef29ab773e921b03422","ja3s":"0c0aff9ccea5e7e1de5c3a0069d103f3","unsafe_cipher":0,"cipher":"TLS_ECDHE_RS
A_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=OpenDNS, Inc., CN=api.opendns.com","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"21:B4:CF:84:13:3A:21:A4:B0:02:63:76:39:84:EA:ED:27:EE:51:7C"}}
00557{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":26,"source":"malware.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":20,"flow_first_seen":1569579416636,"flow_last_seen":1569579417280,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":6018,"flow_avg_l4_payload_len":300,"midstream":0,"ts_msec":1569579417280,"l3_proto":"ip4","src_ip":"192.168.7.7","dst_ip":"67.215.92.210","src_port":35236,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00555{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":26,"source":"malware.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":2,"flow_first_seen":1569579408876,"flow_last_seen":1569579409087,"flow_idle_time":7440000,"flow_min_l4_payload_len":44,"flow_max_l4_payload_len":329,"flow_tot_l4_payload_len":373,"flow_avg_l4_payload_len":186,"midstream":1,"ts_msec":1569579417280,"l3_proto":"ip4","src_ip":"192.168.7.7","dst_ip":"67.215.92.210","src_port":48394,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00156{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":26,"source":"malware.pcap","alias":"nDPId-test","total-events-serialized":29}
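Review bot: The expected `detected` event for flow 5 (packet_id 10) still carries `"cipher":"TLS_NULL_WITH_NULL_NULL"` with `"unsafe_cipher":0` while `"ja3s"` is empty, and the following `detection-update` reports `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`. The first value therefore looks like an unset field rather than a negotiated suite. A consumer that alerts on NULL cipher suites would read that first event as a real NULL-cipher session, so it would be safer to omit `cipher` until the server side has been parsed, or to document in the schema that the value is meaningless while `ja3s` is empty. In the same flow, `category` changes from `Web` to `Network` in the event that adds the `flow_risk` entry; this is presumably inherited from the library, but worth confirming before it is frozen into the baseline.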
@@ -35,10 +35,10 @@
~~ total active/idle flows...: 5/5
~~ total timeout flows.......: 1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1974547 bytes
-~~ total memory freed........: 1974547 bytes
-~~ total allocations/frees...: 35437/35437
+~~ total memory allocated....: 4635177 bytes
+~~ total memory freed........: 4635177 bytes
+~~ total allocations/frees...: 99634/99634
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 161 chars
-~~ json string max len.......: 2339 chars
+~~ json string max len.......: 2340 chars
~~ json string avg len.......: 1276 chars
diff --git a/test/results/memcached.cap.out b/test/results/memcached.cap.out
index 9ca394d0a..cd9203b3b 100644
--- a/test/results/memcached.cap.out
+++ b/test/results/memcached.cap.out
@@ -14,9 +14,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1930462 bytes
-~~ total memory freed........: 1930462 bytes
-~~ total allocations/frees...: 35349/35349
+~~ total memory allocated....: 4592777 bytes
+~~ total memory freed........: 4592777 bytes
+~~ total allocations/frees...: 99545/99545
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 161 chars
~~ json string max len.......: 595 chars
diff --git a/test/results/modbus.pcap.out b/test/results/modbus.pcap.out
index bb4a3ff85..cbcd51646 100644
--- a/test/results/modbus.pcap.out
+++ b/test/results/modbus.pcap.out
@@ -14,9 +14,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1931082 bytes
-~~ total memory freed........: 1931082 bytes
-~~ total allocations/frees...: 35440/35440
+~~ total memory allocated....: 4593397 bytes
+~~ total memory freed........: 4593397 bytes
+~~ total allocations/frees...: 99636/99636
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 160 chars
~~ json string max len.......: 597 chars
diff --git a/test/results/monero.pcap.out b/test/results/monero.pcap.out
index 909d1016f..056713f55 100644
--- a/test/results/monero.pcap.out
+++ b/test/results/monero.pcap.out
@@ -20,9 +20,9 @@
~~ total active/idle flows...: 2/2
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1951295 bytes
-~~ total memory freed........: 1951295 bytes
-~~ total allocations/frees...: 35664/35664
+~~ total memory allocated....: 4613186 bytes
+~~ total memory freed........: 4613186 bytes
+~~ total allocations/frees...: 99860/99860
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 161 chars
~~ json string max len.......: 670 chars
diff --git a/test/results/mongodb.pcap.out b/test/results/mongodb.pcap.out
index 65bafe091..42e541330 100644
--- a/test/results/mongodb.pcap.out
+++ b/test/results/mongodb.pcap.out
@@ -62,9 +62,9 @@
~~ total active/idle flows...: 0/0
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1926508 bytes
-~~ total memory freed........: 1926508 bytes
-~~ total allocations/frees...: 35335/35335
+~~ total memory allocated....: 4589247 bytes
+~~ total memory freed........: 4589247 bytes
+~~ total allocations/frees...: 99531/99531
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 153 chars
~~ json string max len.......: 737 chars
diff --git a/test/results/mpeg.pcap.out b/test/results/mpeg.pcap.out
index 4a1bcdf2c..541ca0e71 100644
--- a/test/results/mpeg.pcap.out
+++ b/test/results/mpeg.pcap.out
@@ -15,9 +15,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1928733 bytes
-~~ total memory freed........: 1928733 bytes
-~~ total allocations/frees...: 35360/35360
+~~ total memory allocated....: 4591048 bytes
+~~ total memory freed........: 4591048 bytes
+~~ total allocations/frees...: 99556/99556
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 157 chars
~~ json string max len.......: 747 chars
diff --git a/test/results/mpegts.pcap.out b/test/results/mpegts.pcap.out
index b3a1ef519..6243e0edb 100644
--- a/test/results/mpegts.pcap.out
+++ b/test/results/mpegts.pcap.out
@@ -10,9 +10,9 @@
~~ total active/idle flows...: 0/0
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1926508 bytes
-~~ total memory freed........: 1926508 bytes
-~~ total allocations/frees...: 35335/35335
+~~ total memory allocated....: 4589247 bytes
+~~ total memory freed........: 4589247 bytes
+~~ total allocations/frees...: 99531/99531
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 152 chars
~~ json string max len.......: 2621 chars
diff --git a/test/results/mssql_tds.pcap.out b/test/results/mssql_tds.pcap.out
index 67ea1e44a..1144abe7c 100644
--- a/test/results/mssql_tds.pcap.out
+++ b/test/results/mssql_tds.pcap.out
@@ -63,9 +63,9 @@
~~ total active/idle flows...: 12/12
~~ total timeout flows.......: 1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1985835 bytes
-~~ total memory freed........: 1985835 bytes
-~~ total allocations/frees...: 35416/35416
+~~ total memory allocated....: 4643486 bytes
+~~ total memory freed........: 4643486 bytes
+~~ total allocations/frees...: 99612/99612
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 163 chars
~~ json string max len.......: 2410 chars
diff --git a/test/results/mysql-8.pcap.out b/test/results/mysql-8.pcap.out
index ce813c7e0..c745fe354 100644
--- a/test/results/mysql-8.pcap.out
+++ b/test/results/mysql-8.pcap.out
@@ -14,9 +14,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1928240 bytes
-~~ total memory freed........: 1928240 bytes
-~~ total allocations/frees...: 35342/35342
+~~ total memory allocated....: 4590555 bytes
+~~ total memory freed........: 4590555 bytes
+~~ total allocations/frees...: 99538/99538
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 159 chars
~~ json string max len.......: 588 chars
diff --git a/test/results/nats.pcap.out b/test/results/nats.pcap.out
index 3964ceb92..ff686c81f 100644
--- a/test/results/nats.pcap.out
+++ b/test/results/nats.pcap.out
@@ -62,9 +62,9 @@
~~ total active/idle flows...: 0/0
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1926508 bytes
-~~ total memory freed........: 1926508 bytes
-~~ total allocations/frees...: 35335/35335
+~~ total memory allocated....: 4589247 bytes
+~~ total memory freed........: 4589247 bytes
+~~ total allocations/frees...: 99531/99531
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 158 chars
~~ json string max len.......: 766 chars
diff --git a/test/results/ndpi_match_string_subprotocol__error.pcapng.out b/test/results/ndpi_match_string_subprotocol__error.pcapng.out
index d6661f8dc..c6aa0e298 100644
--- a/test/results/ndpi_match_string_subprotocol__error.pcapng.out
+++ b/test/results/ndpi_match_string_subprotocol__error.pcapng.out
@@ -22,9 +22,9 @@
~~ total active/idle flows...: 2/2
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1932265 bytes
-~~ total memory freed........: 1932265 bytes
-~~ total allocations/frees...: 35359/35359
+~~ total memory allocated....: 4594156 bytes
+~~ total memory freed........: 4594156 bytes
+~~ total allocations/frees...: 99555/99555
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 192 chars
~~ json string max len.......: 1987 chars
diff --git a/test/results/nest_log_sink.pcap.out b/test/results/nest_log_sink.pcap.out
index 6a3b8af5a..85eb436f5 100644
--- a/test/results/nest_log_sink.pcap.out
+++ b/test/results/nest_log_sink.pcap.out
@@ -12,7 +12,7 @@
00457{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":135,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_last_seen":1536714602612,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":24,"ts_msec":1536714602612,"pkt":"AJD7JidrGLQwJjRACABFAAAsL4oAAP8GGxPAqPIPI7yauvduK1cIvyQjAAAAAGACEgDGgwAAAgQEgAAA"}
00457{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":136,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_last_seen":1536714602681,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":58,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":58,"pkt_l4_len":24,"ts_msec":1536714602681,"pkt":"GLQwJjRAAJD7JidrCABFAAAsAABAADcG0p0jvJq6wKjyDytX927RT8zNCL8kJGASbvDKWAAAAgQFjA=="}
00458{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":137,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_last_seen":1536714602684,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"ts_msec":1536714602684,"pkt":"AJD7JidrGLQwJjRACABFAAAoL4sAAP8GGxbAqPIPI7yauvduK1cIvyQk0U\/MzlAQEgA+3gAAAAAAAAAA"}
-00615{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":142,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":8,"flow_first_seen":1536714602612,"flow_last_seen":1536714604778,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":679,"flow_tot_l4_payload_len":1262,"flow_avg_l4_payload_len":157,"midstream":0,"ts_msec":1536714604778,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63342,"dst_port":11095,"l4_proto":"tcp","ndpi": {"proto":"NestLogSink.Google","breed":"Tracker\/Ads","category":"Cloud"}}
+00613{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":142,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":8,"flow_first_seen":1536714602612,"flow_last_seen":1536714604778,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":679,"flow_tot_l4_payload_len":1262,"flow_avg_l4_payload_len":157,"midstream":0,"ts_msec":1536714604778,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63342,"dst_port":11095,"l4_proto":"tcp","ndpi": {"proto":"NestLogSink.Google","breed":"Acceptable","category":"Cloud"}}
00514{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":211,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_last_seen":1536714607328,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":101,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":101,"pkt_l4_len":67,"ts_msec":1536714607328,"pkt":"AJD7JidrGLQwJjRACABFAABXL7IAAP8RJoHAqPIPwKjyAc5xADUAQyQGbMYBAAABAAAAAAAAB2N6ZmUxMDUHZnJvbnQwMQVpYWQwMQpwcm9kdWN0aW9uBG5lc3QDY29tAAABAAE="}
00765{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":211,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":3,"flow_first_seen":1536714602587,"flow_last_seen":1536714607328,"flow_idle_time":180000,"flow_min_l4_payload_len":40,"flow_max_l4_payload_len":59,"flow_tot_l4_payload_len":155,"flow_avg_l4_payload_len":51,"midstream":0,"ts_msec":1536714607328,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"192.168.242.1","src_port":52849,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS","breed":"Acceptable","category":"Network"},"dns": {"query":"czfe105.front01.iad01.production.nest.com","num_queries":1,"num_answers":1,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"35.188.154.186"}}
00765{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":213,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":4,"flow_first_seen":1536714602587,"flow_last_seen":1536714607527,"flow_idle_time":180000,"flow_min_l4_payload_len":40,"flow_max_l4_payload_len":127,"flow_tot_l4_payload_len":282,"flow_avg_l4_payload_len":70,"midstream":0,"ts_msec":1536714607527,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"192.168.242.1","src_port":52849,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS","breed":"Acceptable","category":"Network"},"dns": {"query":"czfe105.front01.iad01.production.nest.com","num_queries":1,"num_answers":2,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"35.174.82.237"}}
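Review bot: The baseline for `NestLogSink.Google` now expects `"breed":"Acceptable"` where it previously expected `"breed":"Tracker\/Ads"`, and the same reclassification recurs in the hunks at -25 and -41 of this file. Downstream filters or detection rules keyed on the `Tracker/Ads` breed will silently stop matching these flows. The change presumably comes from the libnDPI submodule bump rather than from nDPId itself. If the commit description does not already say so, it should name the reclassification, for example `libnDPI bump: NestLogSink.Google breed Tracker/Ads -> Acceptable`, so that consumers can adjust.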
@@ -25,7 +25,7 @@
00458{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":237,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_last_seen":1536714610253,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":24,"ts_msec":1536714610253,"pkt":"AJD7JidrGLQwJjRACABFAAAsL74AAP8GGt\/AqPIPI7yauvdwK1cI1a0HAAAAAGACEgA9hwAAAgQEgAAA"}
00457{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":238,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":2,"flow_last_seen":1536714610314,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":58,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":58,"pkt_l4_len":24,"ts_msec":1536714610314,"pkt":"GLQwJjRAAJD7JidrCABFAAAsAABAADcG0p0jvJq6wKjyDytX93Bcs3xVCNWtCGASbvAGcQAAAgQFjA=="}
00457{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":239,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":3,"flow_last_seen":1536714610318,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"ts_msec":1536714610318,"pkt":"AJD7JidrGLQwJjRACABFAAAoL78AAP8GGuLAqPIPI7yauvdwK1cI1a0IXLN8VlAQEgB69gAAAAAAAAAA"}
-00615{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":246,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":7,"flow_first_seen":1536714610253,"flow_last_seen":1536714613730,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":678,"flow_tot_l4_payload_len":1738,"flow_avg_l4_payload_len":248,"midstream":0,"ts_msec":1536714613730,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63344,"dst_port":11095,"l4_proto":"tcp","ndpi": {"proto":"NestLogSink.Google","breed":"Tracker\/Ads","category":"Cloud"}}
+00613{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":246,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":7,"flow_first_seen":1536714610253,"flow_last_seen":1536714613730,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":678,"flow_tot_l4_payload_len":1738,"flow_avg_l4_payload_len":248,"midstream":0,"ts_msec":1536714613730,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63344,"dst_port":11095,"l4_proto":"tcp","ndpi": {"proto":"NestLogSink.Google","breed":"Acceptable","category":"Cloud"}}
00600{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":268,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":83,"flow_first_seen":1536712992228,"flow_last_seen":1536714607385,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":62,"flow_tot_l4_payload_len":62,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1536714735302,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63340,"dst_port":11095,"l4_proto":"tcp","ndpi": {"proto":"NestLogSink","breed":"Acceptable","category":"Cloud"}}
00563{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":268,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":83,"flow_first_seen":1536712992228,"flow_last_seen":1536714607385,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":62,"flow_tot_l4_payload_len":62,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1536714735302,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63340,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00570{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":268,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":72,"flow_first_seen":1536714602612,"flow_last_seen":1536714607322,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":679,"flow_tot_l4_payload_len":14831,"flow_avg_l4_payload_len":205,"midstream":0,"ts_msec":1536714735302,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63342,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -41,7 +41,7 @@
00458{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":408,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":1,"flow_last_seen":1536716402828,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":24,"ts_msec":1536716402828,"pkt":"AJD7JidrGLQwJjRACABFAAAsL\/gAAP8GGqXAqPIPI7yauvdxK1cI4Q21AAAAAGACEgDczAAAAgQEgAAA"}
00457{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":409,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":2,"flow_last_seen":1536716402889,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":58,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":58,"pkt_l4_len":24,"ts_msec":1536716402889,"pkt":"GLQwJjRAAJD7JidrCABFAAAsAABAADcG0p0jvJq6wKjyDytX93El8kNOCOENtmASbvAVfwAAAgQFjA=="}
00458{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":410,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":3,"flow_last_seen":1536716402894,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"ts_msec":1536716402894,"pkt":"AJD7JidrGLQwJjRACABFAAAoL\/kAAP8GGqjAqPIPI7yauvdxK1cI4Q22JfJDT1AQEgCKBAAAAAAAAAAA"}
-00615{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":415,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":8,"flow_first_seen":1536716402828,"flow_last_seen":1536716404974,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":678,"flow_tot_l4_payload_len":1260,"flow_avg_l4_payload_len":157,"midstream":0,"ts_msec":1536716404974,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63345,"dst_port":11095,"l4_proto":"tcp","ndpi": {"proto":"NestLogSink.Google","breed":"Tracker\/Ads","category":"Cloud"}}
+00613{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":415,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":8,"flow_first_seen":1536716402828,"flow_last_seen":1536716404974,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":678,"flow_tot_l4_payload_len":1260,"flow_avg_l4_payload_len":157,"midstream":0,"ts_msec":1536716404974,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63345,"dst_port":11095,"l4_proto":"tcp","ndpi": {"proto":"NestLogSink.Google","breed":"Acceptable","category":"Cloud"}}
00514{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":483,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":3,"flow_last_seen":1536716407003,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":101,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":101,"pkt_l4_len":67,"ts_msec":1536716407003,"pkt":"AJD7JidrGLQwJjRACABFAABXMB8AAP8RJhTAqPIPwKjyAc5xADUAQ16pMiMBAAABAAAAAAAAB2N6ZmUxMDUHZnJvbnQwMQVpYWQwMQpwcm9kdWN0aW9uBG5lc3QDY29tAAABAAE="}
00765{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":483,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":3,"flow_first_seen":1536716402804,"flow_last_seen":1536716407003,"flow_idle_time":180000,"flow_min_l4_payload_len":40,"flow_max_l4_payload_len":59,"flow_tot_l4_payload_len":155,"flow_avg_l4_payload_len":51,"midstream":0,"ts_msec":1536716407003,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"192.168.242.1","src_port":52849,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS","breed":"Acceptable","category":"Network"},"dns": {"query":"czfe105.front01.iad01.production.nest.com","num_queries":1,"num_answers":1,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"35.188.154.186"}}
00765{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":485,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":4,"flow_first_seen":1536716402804,"flow_last_seen":1536716407116,"flow_idle_time":180000,"flow_min_l4_payload_len":40,"flow_max_l4_payload_len":127,"flow_tot_l4_payload_len":282,"flow_avg_l4_payload_len":70,"midstream":0,"ts_msec":1536716407116,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"192.168.242.1","src_port":52849,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS","breed":"Acceptable","category":"Network"},"dns": {"query":"czfe105.front01.iad01.production.nest.com","num_queries":1,"num_answers":2,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"35.174.82.237"}}
@@ -54,7 +54,7 @@
00457{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":510,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":1,"flow_last_seen":1536716409847,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":24,"ts_msec":1536716409847,"pkt":"AJD7JidrGLQwJjRACABFAAAsMCwAAP8GGnHAqPIPI7yauvdzK1cI9889AAAAAGACEgAbLAAAAgQEgAAA"}
00458{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":511,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":2,"flow_last_seen":1536716409908,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":58,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":58,"pkt_l4_len":24,"ts_msec":1536716409908,"pkt":"GLQwJjRAAJD7JidrCABFAAAsAABAADcG0p0jvJq6wKjyDytX93M4S\/jECPfPPmASbvCMDgAAAgQFjA=="}
00457{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":512,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":3,"flow_last_seen":1536716409910,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"ts_msec":1536716409910,"pkt":"AJD7JidrGLQwJjRACABFAAAoMC0AAP8GGnTAqPIPI7yauvdzK1cI988+OEv4xVAQEgAAlAAAAAAAAAAA"}
-00615{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":517,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":9,"flow_packets_processed":8,"flow_first_seen":1536716409847,"flow_last_seen":1536716411997,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":679,"flow_tot_l4_payload_len":1263,"flow_avg_l4_payload_len":157,"midstream":0,"ts_msec":1536716411997,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63347,"dst_port":11095,"l4_proto":"tcp","ndpi": {"proto":"NestLogSink.Google","breed":"Tracker\/Ads","category":"Cloud"}}
+00613{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":517,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":9,"flow_packets_processed":8,"flow_first_seen":1536716409847,"flow_last_seen":1536716411997,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":679,"flow_tot_l4_payload_len":1263,"flow_avg_l4_payload_len":157,"midstream":0,"ts_msec":1536716411997,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63347,"dst_port":11095,"l4_proto":"tcp","ndpi": {"proto":"NestLogSink.Google","breed":"Acceptable","category":"Cloud"}}
00568{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":537,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":116,"flow_first_seen":1536714607530,"flow_last_seen":1536716407068,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":677,"flow_tot_l4_payload_len":4069,"flow_avg_l4_payload_len":35,"midstream":0,"ts_msec":1536716532444,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63343,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00570{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":537,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":71,"flow_first_seen":1536716402828,"flow_last_seen":1536716406969,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":678,"flow_tot_l4_payload_len":14853,"flow_avg_l4_payload_len":209,"midstream":0,"ts_msec":1536716532444,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63345,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00569{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":537,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":9,"flow_packets_processed":20,"flow_first_seen":1536716409847,"flow_last_seen":1536716412657,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":679,"flow_tot_l4_payload_len":2259,"flow_avg_l4_payload_len":112,"midstream":0,"ts_msec":1536716532444,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63347,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -70,7 +70,7 @@
00458{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":614,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":1,"flow_last_seen":1536717428089,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":24,"ts_msec":1536717428089,"pkt":"AJD7JidrGLQwJjRACABFAAAsMFEAAP8GGkzAqPIPI7yauvd0K1cJA0ANAAAAAGACEgCqTwAAAgQEgAAA"}
00458{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":615,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":2,"flow_last_seen":1536717428146,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":58,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":58,"pkt_l4_len":24,"ts_msec":1536717428146,"pkt":"GLQwJjRAAJD7JidrCABFAAAsAABAADcG0p0jvJq6wKjyDytX93SD5IA7CQNADmASbvBIIgAAAgQFjA=="}
00459{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":616,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":3,"flow_last_seen":1536717428152,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"ts_msec":1536717428152,"pkt":"AJD7JidrGLQwJjRACABFAAAoMFIAAP8GGk\/AqPIPI7yauvd0K1cJA0AOg+SAPFAQEgC8pwAAAAAAAAAA"}
-00616{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":621,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":11,"flow_packets_processed":8,"flow_first_seen":1536717428089,"flow_last_seen":1536717430226,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":678,"flow_tot_l4_payload_len":1260,"flow_avg_l4_payload_len":157,"midstream":0,"ts_msec":1536717430226,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63348,"dst_port":11095,"l4_proto":"tcp","ndpi": {"proto":"NestLogSink.Google","breed":"Tracker\/Ads","category":"Cloud"}}
+00614{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":621,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":11,"flow_packets_processed":8,"flow_first_seen":1536717428089,"flow_last_seen":1536717430226,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":678,"flow_tot_l4_payload_len":1260,"flow_avg_l4_payload_len":157,"midstream":0,"ts_msec":1536717430226,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63348,"dst_port":11095,"l4_proto":"tcp","ndpi": {"proto":"NestLogSink.Google","breed":"Acceptable","category":"Cloud"}}
00766{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":671,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":10,"flow_packets_processed":4,"flow_first_seen":1536717427961,"flow_last_seen":1536717449934,"flow_idle_time":180000,"flow_min_l4_payload_len":40,"flow_max_l4_payload_len":59,"flow_tot_l4_payload_len":195,"flow_avg_l4_payload_len":48,"midstream":0,"ts_msec":1536717449934,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"192.168.242.1","src_port":52849,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS","breed":"Acceptable","category":"Network"},"dns": {"query":"czfe105.front01.iad01.production.nest.com","num_queries":1,"num_answers":1,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"35.188.154.186"}}
00766{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":673,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":10,"flow_packets_processed":5,"flow_first_seen":1536717427961,"flow_last_seen":1536717450088,"flow_idle_time":180000,"flow_min_l4_payload_len":40,"flow_max_l4_payload_len":127,"flow_tot_l4_payload_len":322,"flow_avg_l4_payload_len":64,"midstream":0,"ts_msec":1536717450088,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"192.168.242.1","src_port":52849,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS","breed":"Acceptable","category":"Network"},"dns": {"query":"czfe105.front01.iad01.production.nest.com","num_queries":1,"num_answers":2,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"35.174.82.237"}}
00561{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":674,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":12,"flow_packets_processed":1,"flow_first_seen":1536717450091,"flow_last_seen":1536717450091,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1536717450091,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63349,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -97,7 +97,7 @@
00458{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":781,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":1,"flow_last_seen":1536718202984,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":24,"ts_msec":1536718202984,"pkt":"AJD7JidrGLQwJjRACABFAAAsMJsAAP8GGgLAqPIPI7yauvd3K1cJJajVAAAAAGACEgBBYgAAAgQEgAAA"}
00458{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":782,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":2,"flow_last_seen":1536718203039,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":58,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":58,"pkt_l4_len":24,"ts_msec":1536718203039,"pkt":"GLQwJjRAAJD7JidrCABFAAAsAABAADcG0p0jvJq6wKjyDytX93fElurmCSWo1mASbvAz1wAAAgQFjA=="}
00458{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":783,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":3,"flow_last_seen":1536718203042,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"ts_msec":1536718203042,"pkt":"AJD7JidrGLQwJjRACABFAAAoMJwAAP8GGgXAqPIPI7yauvd3K1cJJajWxJbq51AQEgCoXAAAAAAAAAAA"}
-00616{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":788,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":15,"flow_packets_processed":8,"flow_first_seen":1536718202984,"flow_last_seen":1536718205132,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":679,"flow_tot_l4_payload_len":1261,"flow_avg_l4_payload_len":157,"midstream":0,"ts_msec":1536718205132,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63351,"dst_port":11095,"l4_proto":"tcp","ndpi": {"proto":"NestLogSink.Google","breed":"Tracker\/Ads","category":"Cloud"}}
+00614{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":788,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":15,"flow_packets_processed":8,"flow_first_seen":1536718202984,"flow_last_seen":1536718205132,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":679,"flow_tot_l4_payload_len":1261,"flow_avg_l4_payload_len":157,"midstream":0,"ts_msec":1536718205132,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63351,"dst_port":11095,"l4_proto":"tcp","ndpi": {"proto":"NestLogSink.Google","breed":"Acceptable","category":"Cloud"}}
00561{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":834,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":16,"flow_packets_processed":1,"flow_first_seen":1536718206572,"flow_last_seen":1536718206572,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1536718206572,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63352,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00458{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":834,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":1,"flow_last_seen":1536718206572,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":24,"ts_msec":1536718206572,"pkt":"AJD7JidrGLQwJjRACABFAAAsMLcAAP8GYcHAqPIPI65S7fd4K1cJMSXhAAAAAGACEgAMJQAAAgQEgAAA"}
00458{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":836,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":2,"flow_last_seen":1536718206638,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":58,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":58,"pkt_l4_len":24,"ts_msec":1536718206638,"pkt":"GLQwJjRAAJD7JidrCABFAAAsAABAAC0GJHkjrlLtwKjyDytX93jm8XvxCTEl4mASaQNQ+QAAAgQFtA=="}
@@ -107,7 +107,7 @@
00458{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":858,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":17,"flow_packet_id":1,"flow_last_seen":1536718209313,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":24,"ts_msec":1536718209313,"pkt":"AJD7JidrGLQwJjRACABFAAAsMMIAAP8GGdvAqPIPI7yauvd5K1cJPKL3AAAAAGACEgBHJwAAAgQEgAAA"}
00458{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":860,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":17,"flow_packet_id":2,"flow_last_seen":1536718209383,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":58,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":58,"pkt_l4_len":24,"ts_msec":1536718209383,"pkt":"GLQwJjRAAJD7JidrCABFAAAsAABAADcG0p0jvJq6wKjyDytX93le92HNCTyi+GASbvAoVQAAAgQFjA=="}
00458{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":861,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":17,"flow_packet_id":3,"flow_last_seen":1536718209385,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"ts_msec":1536718209385,"pkt":"AJD7JidrGLQwJjRACABFAAAoMMQAAP8GGd3AqPIPI7yauvd5K1cJPKL4XvdhzlAQEgCc2gAAAAAAAAAA"}
-00616{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":866,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":17,"flow_packets_processed":8,"flow_first_seen":1536718209313,"flow_last_seen":1536718211481,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":678,"flow_tot_l4_payload_len":1262,"flow_avg_l4_payload_len":157,"midstream":0,"ts_msec":1536718211481,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63353,"dst_port":11095,"l4_proto":"tcp","ndpi": {"proto":"NestLogSink.Google","breed":"Tracker\/Ads","category":"Cloud"}}
+00614{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":866,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":17,"flow_packets_processed":8,"flow_first_seen":1536718209313,"flow_last_seen":1536718211481,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":678,"flow_tot_l4_payload_len":1262,"flow_avg_l4_payload_len":157,"midstream":0,"ts_msec":1536718211481,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63353,"dst_port":11095,"l4_proto":"tcp","ndpi": {"proto":"NestLogSink.Google","breed":"Acceptable","category":"Cloud"}}
00569{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":886,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":13,"flow_packets_processed":32,"flow_first_seen":1536718052990,"flow_last_seen":1536718206634,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":677,"flow_tot_l4_payload_len":3362,"flow_avg_l4_payload_len":105,"midstream":0,"ts_msec":1536718332151,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63350,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00570{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":886,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":15,"flow_packets_processed":49,"flow_first_seen":1536718202984,"flow_last_seen":1536718206546,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":679,"flow_tot_l4_payload_len":9459,"flow_avg_l4_payload_len":193,"midstream":0,"ts_msec":1536718332151,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63351,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00570{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":886,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":17,"flow_packets_processed":20,"flow_first_seen":1536718209313,"flow_last_seen":1536718211968,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":678,"flow_tot_l4_payload_len":2258,"flow_avg_l4_payload_len":112,"midstream":0,"ts_msec":1536718332151,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63353,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -123,9 +123,9 @@
~~ total active/idle flows...: 17/17
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 2001002 bytes
-~~ total memory freed........: 2001002 bytes
-~~ total allocations/frees...: 36172/36172
+~~ total memory allocated....: 4656533 bytes
+~~ total memory freed........: 4656533 bytes
+~~ total allocations/frees...: 100368/100368
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 170 chars
~~ json string max len.......: 771 chars
diff --git a/test/results/netbios.pcap.out b/test/results/netbios.pcap.out
index a4320fd13..d76e238f2 100644
--- a/test/results/netbios.pcap.out
+++ b/test/results/netbios.pcap.out
@@ -78,9 +78,9 @@
~~ total active/idle flows...: 15/15
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1960336 bytes
-~~ total memory freed........: 1960336 bytes
-~~ total allocations/frees...: 35641/35641
+~~ total memory allocated....: 4616715 bytes
+~~ total memory freed........: 4616715 bytes
+~~ total allocations/frees...: 99837/99837
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 162 chars
~~ json string max len.......: 713 chars
diff --git a/test/results/netbios_wildcard_dns_query.pcap.out b/test/results/netbios_wildcard_dns_query.pcap.out
index ee93f8a40..9f9465340 100644
--- a/test/results/netbios_wildcard_dns_query.pcap.out
+++ b/test/results/netbios_wildcard_dns_query.pcap.out
@@ -12,9 +12,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1928153 bytes
-~~ total memory freed........: 1928153 bytes
-~~ total allocations/frees...: 35339/35339
+~~ total memory allocated....: 4590468 bytes
+~~ total memory freed........: 4590468 bytes
+~~ total allocations/frees...: 99535/99535
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 178 chars
~~ json string max len.......: 751 chars
diff --git a/test/results/netflix.pcap.out b/test/results/netflix.pcap.out
index a341a35ee..c66204d6d 100644
--- a/test/results/netflix.pcap.out
+++ b/test/results/netflix.pcap.out
@@ -29,9 +29,9 @@
00547{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":17,"source":"netflix.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":1,"flow_first_seen":1484319032986,"flow_last_seen":1484319032986,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1484319032986,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.32.196.36","src_port":53116,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00476{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":17,"source":"netflix.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":1,"flow_last_seen":1484319032986,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"ts_msec":1484319032986,"pkt":"gCqoTGHM5JjWH70UCABFAABAdf5AAEAGCsbAqAEHNCDEJM98AbvweU0rAAAAALAC\/\/+WPwAAAgQFtAEDAwUBAQgKH2S4iAAAAAAEAgAA"}
00864{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":19,"source":"netflix.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":6,"flow_first_seen":1484319032888,"flow_last_seen":1484319032990,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":1656,"flow_avg_l4_payload_len":276,"midstream":0,"ts_msec":1484319032990,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.69.204.241","src_port":53105,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.NetFlix","breed":"Fun","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"ichnaea.netflix.com","ja3":"c07cb55f88702033a8f52c046d23e0b2","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"spdy\/3.1,spdy\/3,http\/1.1"}}
-01293{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":20,"source":"netflix.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":7,"flow_first_seen":1484319032888,"flow_last_seen":1484319032991,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":3104,"flow_avg_l4_payload_len":443,"midstream":0,"ts_msec":1484319032991,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.69.204.241","src_port":53105,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.NetFlix","breed":"Fun","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"ichnaea.netflix.com","server_names":"ichnaea.netflix.com,beacon.netflix.com,presentationtracking.netflix.com,nmtracking.netflix.com,customerevents.netflix.com","ja3":"c07cb55f88702033a8f52c046d23e0b2","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","issuerDN":"C=US, ST=California, L=los gatos, O=Netflix, Inc., OU=Ops, CN=customerevents.netflix.com","alpn":"spdy\/3.1,spdy\/3,http\/1.1","fingerprint":"50:D6:DB:AF:1D:A3:83:52:E6:0E:15:8F:98:78:EE:2F:23:FD:E2:3F"}}
+01294{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":20,"source":"netflix.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":7,"flow_first_seen":1484319032888,"flow_last_seen":1484319032991,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":3104,"flow_avg_l4_payload_len":443,"midstream":0,"ts_msec":1484319032991,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.69.204.241","src_port":53105,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.NetFlix","breed":"Fun","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"ichnaea.netflix.com","server_names":"ichnaea.netflix.com,beacon.netflix.com,presentationtracking.netflix.com,nmtracking.netflix.com,customerevents.netflix.com","ja3":"c07cb55f88702033a8f52c046d23e0b2","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=California, L=los gatos, O=Netflix, Inc., OU=Ops, CN=customerevents.netflix.com","alpn":"spdy\/3.1,spdy\/3,http\/1.1","fingerprint":"50:D6:DB:AF:1D:A3:83:52:E6:0E:15:8F:98:78:EE:2F:23:FD:E2:3F"}}
00883{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":25,"source":"netflix.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":6,"flow_first_seen":1484319032896,"flow_last_seen":1484319033008,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":1965,"flow_avg_l4_payload_len":327,"midstream":0,"ts_msec":1484319033008,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.191.17.51","src_port":53114,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.NetFlix","breed":"Fun","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"ios.nccp.netflix.com","ja3":"dc67ac8aaf8d7f69ecd6598135448f24","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}
-01222{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":29,"source":"netflix.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":7,"flow_first_seen":1484319032896,"flow_last_seen":1484319033017,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":3045,"flow_avg_l4_payload_len":435,"midstream":0,"ts_msec":1484319033017,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.191.17.51","src_port":53114,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.NetFlix","breed":"Fun","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"ios.nccp.netflix.com","server_names":"*.nccp.netflix.com","ja3":"dc67ac8aaf8d7f69ecd6598135448f24","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"CN=Primary Certificate Authority (2009), ST=California, C=US, O=Netflix Inc, OU=Electronic Delivery, L=Los Gatos","issuerDN":"CN=*.nccp.netflix.com, O=Netflix, Inc., OU=Operations, C=US, ST=California, L=Los Gatos","fingerprint":"97:F6:63:95:8F:F2:5E:E0:80:12:5A:FD:BF:B2:EB:FE:A2:FE:72:33"}}
+01223{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":29,"source":"netflix.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":7,"flow_first_seen":1484319032896,"flow_last_seen":1484319033017,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":3045,"flow_avg_l4_payload_len":435,"midstream":0,"ts_msec":1484319033017,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.191.17.51","src_port":53114,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.NetFlix","breed":"Fun","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"ios.nccp.netflix.com","server_names":"*.nccp.netflix.com","ja3":"dc67ac8aaf8d7f69ecd6598135448f24","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"CN=Primary Certificate Authority (2009), ST=California, C=US, O=Netflix Inc, OU=Electronic Delivery, L=Los Gatos","subjectDN":"CN=*.nccp.netflix.com, O=Netflix, Inc., OU=Operations, C=US, ST=California, L=Los Gatos","fingerprint":"97:F6:63:95:8F:F2:5E:E0:80:12:5A:FD:BF:B2:EB:FE:A2:FE:72:33"}}
00470{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":31,"source":"netflix.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":2,"flow_last_seen":1484319033029,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1484319033029,"pkt":"5JjWH70UgCqoTGHMCABFIAA8AABAACkGl6g0IMQkwKgBBwG7z3ve3c1cx8tKb6ASRepkbwAAAgQFtAQCCAq2m8VuH2S4hgEDAwg="}
00470{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":33,"source":"netflix.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":2,"flow_last_seen":1484319033032,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1484319033032,"pkt":"5JjWH70UgCqoTGHMCABFIAA8AABAACoGlqg0IMQkwKgBBwG7z3xLWYWT8HlNLKASReoUTgAAAgQFtAQCCAq2m8VvH2S4iAEDAwg="}
00459{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":34,"source":"netflix.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":3,"flow_last_seen":1484319033032,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1484319033032,"pkt":"gCqoTGHM5JjWH70UCABFAAA0rMBAAEAG1A\/AqAEHNCDEJM97AbvHy0pv3t3NXYAQEBXI5wAAAQEICh9kuLC2m8Vu"}
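Review bot: Nothing visible in these fixtures would have caught the repeated `"issuerDN"` key that the two `detection-update` lines in this hunk (flow 4 and flow 5) now correct to `"subjectDN"`. The old expected output simply recorded the duplicate as the correct result. Most JSON parsers keep the last value for a repeated key, so a consumer of the old events would likely have read the certificate subject under `issuerDN`. That matters to any rule that matches on the issuer. I would have the test run that regenerates these results parse every emitted event and fail when an object repeats a key. The schema change in this commit is not visible here, so it is worth confirming separately that `schema/flow_event_schema.json` now describes `subjectDN`.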
@@ -39,9 +39,9 @@
00458{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":36,"source":"netflix.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":3,"flow_last_seen":1484319033038,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1484319033038,"pkt":"gCqoTGHM5JjWH70UCABFAAA0iIJAAEAG+E3AqAEHNCDEJM98AbvweU0sS1mFlIAQEBV4xgAAAQEICh9kuLK2m8Vv"}
00830{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":37,"source":"netflix.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":4,"flow_first_seen":1484319032986,"flow_last_seen":1484319033038,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":232,"flow_tot_l4_payload_len":232,"flow_avg_l4_payload_len":58,"midstream":0,"ts_msec":1484319033038,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.32.196.36","src_port":53116,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.NetFlix","breed":"Fun","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"api-global.netflix.com","ja3":"c07cb55f88702033a8f52c046d23e0b2","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1"}}
00887{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":48,"source":"netflix.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":6,"flow_first_seen":1484319032984,"flow_last_seen":1484319033086,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":1680,"flow_avg_l4_payload_len":280,"midstream":0,"ts_msec":1484319033086,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.32.196.36","src_port":53115,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.NetFlix","breed":"Fun","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"api-global.netflix.com","ja3":"c07cb55f88702033a8f52c046d23e0b2","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1"}}
-01343{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":49,"source":"netflix.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":7,"flow_first_seen":1484319032984,"flow_last_seen":1484319033087,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":3128,"flow_avg_l4_payload_len":446,"midstream":0,"ts_msec":1484319033087,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.32.196.36","src_port":53115,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.NetFlix","breed":"Fun","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"api-global.netflix.com","server_names":"api-latam.netflix.com,htmltvui.netflix.com,api-eu.netflix.com,uiboot.netflix.com,api-global.netflix.com,api-user.netflix.com,api-us.netflix.com,api.netflix.com","ja3":"c07cb55f88702033a8f52c046d23e0b2","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","issuerDN":"C=US, ST=California, L=los gatos, O=Netflix, Inc., OU=Ops, CN=api.netflix.com","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","fingerprint":"FC:5B:F6:86:AE:E5:22:0D:60:0C:C3:DF:8F:02:80:3F:A3:60:0E:3C"}}
+01344{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":49,"source":"netflix.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":7,"flow_first_seen":1484319032984,"flow_last_seen":1484319033087,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":3128,"flow_avg_l4_payload_len":446,"midstream":0,"ts_msec":1484319033087,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.32.196.36","src_port":53115,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.NetFlix","breed":"Fun","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"api-global.netflix.com","server_names":"api-latam.netflix.com,htmltvui.netflix.com,api-eu.netflix.com,uiboot.netflix.com,api-global.netflix.com,api-user.netflix.com,api-us.netflix.com,api.netflix.com","ja3":"c07cb55f88702033a8f52c046d23e0b2","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=California, L=los gatos, O=Netflix, Inc., OU=Ops, CN=api.netflix.com","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","fingerprint":"FC:5B:F6:86:AE:E5:22:0D:60:0C:C3:DF:8F:02:80:3F:A3:60:0E:3C"}}
00887{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":52,"source":"netflix.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":6,"flow_first_seen":1484319032986,"flow_last_seen":1484319033098,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":1680,"flow_avg_l4_payload_len":280,"midstream":0,"ts_msec":1484319033098,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.32.196.36","src_port":53116,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.NetFlix","breed":"Fun","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"api-global.netflix.com","ja3":"c07cb55f88702033a8f52c046d23e0b2","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1"}}
-01343{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":53,"source":"netflix.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":7,"flow_first_seen":1484319032986,"flow_last_seen":1484319033112,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":3128,"flow_avg_l4_payload_len":446,"midstream":0,"ts_msec":1484319033112,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.32.196.36","src_port":53116,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.NetFlix","breed":"Fun","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"api-global.netflix.com","server_names":"api-latam.netflix.com,htmltvui.netflix.com,api-eu.netflix.com,uiboot.netflix.com,api-global.netflix.com,api-user.netflix.com,api-us.netflix.com,api.netflix.com","ja3":"c07cb55f88702033a8f52c046d23e0b2","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","issuerDN":"C=US, ST=California, L=los gatos, O=Netflix, Inc., OU=Ops, CN=api.netflix.com","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","fingerprint":"FC:5B:F6:86:AE:E5:22:0D:60:0C:C3:DF:8F:02:80:3F:A3:60:0E:3C"}}
+01344{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":53,"source":"netflix.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":7,"flow_first_seen":1484319032986,"flow_last_seen":1484319033112,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":3128,"flow_avg_l4_payload_len":446,"midstream":0,"ts_msec":1484319033112,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.32.196.36","src_port":53116,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.NetFlix","breed":"Fun","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"api-global.netflix.com","server_names":"api-latam.netflix.com,htmltvui.netflix.com,api-eu.netflix.com,uiboot.netflix.com,api-global.netflix.com,api-user.netflix.com,api-us.netflix.com,api.netflix.com","ja3":"c07cb55f88702033a8f52c046d23e0b2","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=California, L=los gatos, O=Netflix, Inc., OU=Ops, CN=api.netflix.com","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","fingerprint":"FC:5B:F6:86:AE:E5:22:0D:60:0C:C3:DF:8F:02:80:3F:A3:60:0E:3C"}}
00547{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":87,"source":"netflix.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":1,"flow_first_seen":1484319033206,"flow_last_seen":1484319033206,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1484319033206,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.32.196.36","src_port":53117,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00476{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":87,"source":"netflix.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":1,"flow_last_seen":1484319033206,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"ts_msec":1484319033206,"pkt":"gCqoTGHM5JjWH70UCABFAABAagpAAEAGFrrAqAEHNCDEJM99AbszkZRgAAAAALAC\/\/8LKQAAAgQFtAEDAwUBAQgKH2S5UQAAAAAEAgAA"}
00470{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":99,"source":"netflix.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":2,"flow_last_seen":1484319033258,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1484319033258,"pkt":"5JjWH70UgCqoTGHMCABFIAA8AABAACoGlqg0IMQkwKgBBwG7z33SmoRGM5GUYaASReoDCgAAAgQFtAQCCAq2m8WoH2S5UQEDAwg="}
@@ -54,7 +54,7 @@
00460{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":145,"source":"netflix.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":3,"flow_last_seen":1484319033680,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1484319033680,"pkt":"gCqoTGHM5JjWH70UCABFAAA0\/p1AAEAGd0DAqAEHNkXM8c9+AbvPvqpBvxwx6IAQEBW0wwAAAQEICh9kux6Fp1CV"}
00829{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":146,"source":"netflix.pcap","alias":"nDPId-test","flow_id":9,"flow_packets_processed":4,"flow_first_seen":1484319033631,"flow_last_seen":1484319033681,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":229,"flow_tot_l4_payload_len":229,"flow_avg_l4_payload_len":57,"midstream":0,"ts_msec":1484319033681,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.69.204.241","src_port":53118,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.NetFlix","breed":"Fun","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"ichnaea.netflix.com","ja3":"c07cb55f88702033a8f52c046d23e0b2","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1"}}
00886{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":148,"source":"netflix.pcap","alias":"nDPId-test","flow_id":9,"flow_packets_processed":6,"flow_first_seen":1484319033631,"flow_last_seen":1484319033734,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":1677,"flow_avg_l4_payload_len":279,"midstream":0,"ts_msec":1484319033734,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.69.204.241","src_port":53118,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.NetFlix","breed":"Fun","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"ichnaea.netflix.com","ja3":"c07cb55f88702033a8f52c046d23e0b2","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1"}}
-01315{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":149,"source":"netflix.pcap","alias":"nDPId-test","flow_id":9,"flow_packets_processed":7,"flow_first_seen":1484319033631,"flow_last_seen":1484319033735,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":3125,"flow_avg_l4_payload_len":446,"midstream":0,"ts_msec":1484319033735,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.69.204.241","src_port":53118,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.NetFlix","breed":"Fun","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"ichnaea.netflix.com","server_names":"ichnaea.netflix.com,beacon.netflix.com,presentationtracking.netflix.com,nmtracking.netflix.com,customerevents.netflix.com","ja3":"c07cb55f88702033a8f52c046d23e0b2","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","issuerDN":"C=US, ST=California, L=los gatos, O=Netflix, Inc., OU=Ops, CN=customerevents.netflix.com","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","fingerprint":"50:D6:DB:AF:1D:A3:83:52:E6:0E:15:8F:98:78:EE:2F:23:FD:E2:3F"}}
+01316{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":149,"source":"netflix.pcap","alias":"nDPId-test","flow_id":9,"flow_packets_processed":7,"flow_first_seen":1484319033631,"flow_last_seen":1484319033735,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":3125,"flow_avg_l4_payload_len":446,"midstream":0,"ts_msec":1484319033735,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.69.204.241","src_port":53118,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.NetFlix","breed":"Fun","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"ichnaea.netflix.com","server_names":"ichnaea.netflix.com,beacon.netflix.com,presentationtracking.netflix.com,nmtracking.netflix.com,customerevents.netflix.com","ja3":"c07cb55f88702033a8f52c046d23e0b2","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=California, L=los gatos, O=Netflix, Inc., OU=Ops, CN=customerevents.netflix.com","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","fingerprint":"50:D6:DB:AF:1D:A3:83:52:E6:0E:15:8F:98:78:EE:2F:23:FD:E2:3F"}}
00560{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":165,"source":"netflix.pcap","alias":"nDPId-test","flow_id":10,"flow_packets_processed":1,"flow_first_seen":1484319033886,"flow_last_seen":1484319033886,"flow_idle_time":180000,"flow_min_l4_payload_len":122,"flow_max_l4_payload_len":122,"flow_tot_l4_payload_len":122,"flow_avg_l4_payload_len":122,"midstream":0,"ts_msec":1484319033886,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"239.255.255.250","src_port":53776,"dst_port":1900,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00599{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":165,"source":"netflix.pcap","alias":"nDPId-test","flow_id":10,"flow_packet_id":1,"flow_last_seen":1484319033886,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":164,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":164,"pkt_l4_len":130,"ts_msec":1484319033886,"pkt":"AQBef\/\/65JjWH70UCABFAACWfwIAAAERiKvAqAEH7\/\/\/+tIQB2wAggqVTS1TRUFSQ0ggKiBIVFRQLzEuMQ0KSE9TVDogMjM5LjI1NS4yNTUuMjUwOjE5MDANCk1BTjogInNzZHA6ZGlzY292ZXIiDQpNWDogMg0KU1Q6IHVybjptZHgtbmV0ZmxpeC1jb206c2VydmljZTp0YXJnZXQ6MA0KDQo="}
00592{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":165,"source":"netflix.pcap","alias":"nDPId-test","flow_id":10,"flow_packets_processed":1,"flow_first_seen":1484319033886,"flow_last_seen":1484319033886,"flow_idle_time":180000,"flow_min_l4_payload_len":122,"flow_max_l4_payload_len":122,"flow_tot_l4_payload_len":122,"flow_avg_l4_payload_len":122,"midstream":0,"ts_msec":1484319033886,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"239.255.255.250","src_port":53776,"dst_port":1900,"l4_proto":"udp","ndpi": {"proto":"SSDP","breed":"Acceptable","category":"System"}}
@@ -65,7 +65,7 @@
00603{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":176,"source":"netflix.pcap","alias":"nDPId-test","flow_id":10,"flow_packet_id":2,"flow_last_seen":1484319033993,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":167,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":167,"pkt_l4_len":133,"ts_msec":1484319033993,"pkt":"AQBef\/\/65JjWH70UCABFAACZ8KEAAAERFwnAqAEH7\/\/\/+tIQB2wAhUYzTS1TRUFSQ0ggKiBIVFRQLzEuMQ0KSE9TVDogMjM5LjI1NS4yNTUuMjUwOjE5MDANCk1BTjogInNzZHA6ZGlzY292ZXIiDQpNWDogMg0KU1Q6IHVybjpkaWFsLW11bHRpc2NyZWVuLW9yZzpzZXJ2aWNlOmRpYWw6MQ0KDQo="}
00830{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":177,"source":"netflix.pcap","alias":"nDPId-test","flow_id":11,"flow_packets_processed":4,"flow_first_seen":1484319033943,"flow_last_seen":1484319033997,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":229,"flow_tot_l4_payload_len":229,"flow_avg_l4_payload_len":57,"midstream":0,"ts_msec":1484319033997,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.69.204.241","src_port":53119,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.NetFlix","breed":"Fun","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"ichnaea.netflix.com","ja3":"c07cb55f88702033a8f52c046d23e0b2","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1"}}
00887{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":179,"source":"netflix.pcap","alias":"nDPId-test","flow_id":11,"flow_packets_processed":6,"flow_first_seen":1484319033943,"flow_last_seen":1484319034048,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":1677,"flow_avg_l4_payload_len":279,"midstream":0,"ts_msec":1484319034048,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.69.204.241","src_port":53119,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.NetFlix","breed":"Fun","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"ichnaea.netflix.com","ja3":"c07cb55f88702033a8f52c046d23e0b2","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1"}}
-01316{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":180,"source":"netflix.pcap","alias":"nDPId-test","flow_id":11,"flow_packets_processed":7,"flow_first_seen":1484319033943,"flow_last_seen":1484319034049,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":3125,"flow_avg_l4_payload_len":446,"midstream":0,"ts_msec":1484319034049,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.69.204.241","src_port":53119,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.NetFlix","breed":"Fun","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"ichnaea.netflix.com","server_names":"ichnaea.netflix.com,beacon.netflix.com,presentationtracking.netflix.com,nmtracking.netflix.com,customerevents.netflix.com","ja3":"c07cb55f88702033a8f52c046d23e0b2","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","issuerDN":"C=US, ST=California, L=los gatos, O=Netflix, Inc., OU=Ops, CN=customerevents.netflix.com","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","fingerprint":"50:D6:DB:AF:1D:A3:83:52:E6:0E:15:8F:98:78:EE:2F:23:FD:E2:3F"}}
+01317{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":180,"source":"netflix.pcap","alias":"nDPId-test","flow_id":11,"flow_packets_processed":7,"flow_first_seen":1484319033943,"flow_last_seen":1484319034049,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":3125,"flow_avg_l4_payload_len":446,"midstream":0,"ts_msec":1484319034049,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.69.204.241","src_port":53119,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.NetFlix","breed":"Fun","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"ichnaea.netflix.com","server_names":"ichnaea.netflix.com,beacon.netflix.com,presentationtracking.netflix.com,nmtracking.netflix.com,customerevents.netflix.com","ja3":"c07cb55f88702033a8f52c046d23e0b2","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=California, L=los gatos, O=Netflix, Inc., OU=Ops, CN=customerevents.netflix.com","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","fingerprint":"50:D6:DB:AF:1D:A3:83:52:E6:0E:15:8F:98:78:EE:2F:23:FD:E2:3F"}}
00515{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":205,"source":"netflix.pcap","alias":"nDPId-test","flow_id":12,"flow_packets_processed":1,"flow_first_seen":1484319034890,"flow_last_seen":1484319034890,"flow_idle_time":600000,"flow_min_l4_payload_len":8,"flow_max_l4_payload_len":8,"flow_tot_l4_payload_len":8,"flow_avg_l4_payload_len":8,"midstream":0,"ts_msec":1484319034890,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"239.255.255.250","l4_proto":2,"flow_datalink":1,"flow_max_packets":3}
00458{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":205,"source":"netflix.pcap","alias":"nDPId-test","flow_id":12,"flow_packet_id":1,"flow_last_seen":1484319034890,"flow_idle_time":600000,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":38,"pkt_len":60,"pkt_l4_len":8,"ts_msec":1484319034890,"pkt":"AQBef\/\/65JjWH70UCABGAAAgKLUAAAECSnnAqAEH7\/\/\/+pQEAAAWAPoE7\/\/\/+gAAAAAAAAAAAAAAAAAA"}
00548{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":205,"source":"netflix.pcap","alias":"nDPId-test","flow_id":12,"flow_packets_processed":1,"flow_first_seen":1484319034890,"flow_last_seen":1484319034890,"flow_idle_time":600000,"flow_min_l4_payload_len":8,"flow_max_l4_payload_len":8,"flow_tot_l4_payload_len":8,"flow_avg_l4_payload_len":8,"midstream":0,"ts_msec":1484319034890,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"239.255.255.250","l4_proto":2,"ndpi": {"proto":"IGMP","breed":"Acceptable","category":"Network"}}
@@ -85,9 +85,9 @@
00830{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":224,"source":"netflix.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":4,"flow_first_seen":1484319035079,"flow_last_seen":1484319035134,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":208,"flow_tot_l4_payload_len":208,"flow_avg_l4_payload_len":52,"midstream":0,"ts_msec":1484319035134,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.89.39.139","src_port":53132,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.NetFlix","breed":"Fun","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"api-global.netflix.com","ja3":"7e72698146290dd68239f788a452e7d8","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
00830{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":225,"source":"netflix.pcap","alias":"nDPId-test","flow_id":15,"flow_packets_processed":4,"flow_first_seen":1484319035080,"flow_last_seen":1484319035136,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":208,"flow_tot_l4_payload_len":208,"flow_avg_l4_payload_len":52,"midstream":0,"ts_msec":1484319035136,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.89.39.139","src_port":53133,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.NetFlix","breed":"Fun","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"api-global.netflix.com","ja3":"7e72698146290dd68239f788a452e7d8","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
00887{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":227,"source":"netflix.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":6,"flow_first_seen":1484319035079,"flow_last_seen":1484319035185,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":1656,"flow_avg_l4_payload_len":276,"midstream":0,"ts_msec":1484319035185,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.89.39.139","src_port":53132,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.NetFlix","breed":"Fun","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"api-global.netflix.com","ja3":"7e72698146290dd68239f788a452e7d8","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}
-01343{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":228,"source":"netflix.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":7,"flow_first_seen":1484319035079,"flow_last_seen":1484319035186,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":3104,"flow_avg_l4_payload_len":443,"midstream":0,"ts_msec":1484319035186,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.89.39.139","src_port":53132,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.NetFlix","breed":"Fun","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"api-global.netflix.com","server_names":"api-latam.netflix.com,htmltvui.netflix.com,api-eu.netflix.com,uiboot.netflix.com,api-global.netflix.com,api-user.netflix.com,api-us.netflix.com,api.netflix.com","ja3":"7e72698146290dd68239f788a452e7d8","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","issuerDN":"C=US, ST=California, L=los gatos, O=Netflix, Inc., OU=Ops, CN=api.netflix.com","fingerprint":"FC:5B:F6:86:AE:E5:22:0D:60:0C:C3:DF:8F:02:80:3F:A3:60:0E:3C"}}
+01344{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":228,"source":"netflix.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":7,"flow_first_seen":1484319035079,"flow_last_seen":1484319035186,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":3104,"flow_avg_l4_payload_len":443,"midstream":0,"ts_msec":1484319035186,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.89.39.139","src_port":53132,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.NetFlix","breed":"Fun","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"api-global.netflix.com","server_names":"api-latam.netflix.com,htmltvui.netflix.com,api-eu.netflix.com,uiboot.netflix.com,api-global.netflix.com,api-user.netflix.com,api-us.netflix.com,api.netflix.com","ja3":"7e72698146290dd68239f788a452e7d8","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=California, L=los gatos, O=Netflix, Inc., OU=Ops, CN=api.netflix.com","fingerprint":"FC:5B:F6:86:AE:E5:22:0D:60:0C:C3:DF:8F:02:80:3F:A3:60:0E:3C"}}
00887{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":231,"source":"netflix.pcap","alias":"nDPId-test","flow_id":15,"flow_packets_processed":6,"flow_first_seen":1484319035080,"flow_last_seen":1484319035200,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":1656,"flow_avg_l4_payload_len":276,"midstream":0,"ts_msec":1484319035200,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.89.39.139","src_port":53133,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.NetFlix","breed":"Fun","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"api-global.netflix.com","ja3":"7e72698146290dd68239f788a452e7d8","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}
-01343{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":232,"source":"netflix.pcap","alias":"nDPId-test","flow_id":15,"flow_packets_processed":7,"flow_first_seen":1484319035080,"flow_last_seen":1484319035215,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":3104,"flow_avg_l4_payload_len":443,"midstream":0,"ts_msec":1484319035215,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.89.39.139","src_port":53133,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.NetFlix","breed":"Fun","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"api-global.netflix.com","server_names":"api-latam.netflix.com,htmltvui.netflix.com,api-eu.netflix.com,uiboot.netflix.com,api-global.netflix.com,api-user.netflix.com,api-us.netflix.com,api.netflix.com","ja3":"7e72698146290dd68239f788a452e7d8","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","issuerDN":"C=US, ST=California, L=los gatos, O=Netflix, Inc., OU=Ops, CN=api.netflix.com","fingerprint":"FC:5B:F6:86:AE:E5:22:0D:60:0C:C3:DF:8F:02:80:3F:A3:60:0E:3C"}}
+01344{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":232,"source":"netflix.pcap","alias":"nDPId-test","flow_id":15,"flow_packets_processed":7,"flow_first_seen":1484319035080,"flow_last_seen":1484319035215,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":3104,"flow_avg_l4_payload_len":443,"midstream":0,"ts_msec":1484319035215,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.89.39.139","src_port":53133,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.NetFlix","breed":"Fun","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"api-global.netflix.com","server_names":"api-latam.netflix.com,htmltvui.netflix.com,api-eu.netflix.com,uiboot.netflix.com,api-global.netflix.com,api-user.netflix.com,api-us.netflix.com,api.netflix.com","ja3":"7e72698146290dd68239f788a452e7d8","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=California, L=los gatos, O=Netflix, Inc., OU=Ops, CN=api.netflix.com","fingerprint":"FC:5B:F6:86:AE:E5:22:0D:60:0C:C3:DF:8F:02:80:3F:A3:60:0E:3C"}}
00549{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":257,"source":"netflix.pcap","alias":"nDPId-test","flow_id":16,"flow_packets_processed":1,"flow_first_seen":1484319035342,"flow_last_seen":1484319035342,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1484319035342,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.89.39.139","src_port":53134,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00478{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":257,"source":"netflix.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":1,"flow_last_seen":1484319035342,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"ts_msec":1484319035342,"pkt":"gCqoTGHM5JjWH70UCABFAABA3CdAAEAGQP3AqAEHNFkni8+OAbvRf5R9AAAAALAC\/\/8BVgAAAgQFtAEDAwUBAQgKH2TBaAAAAAAEAgAA"}
00473{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":267,"source":"netflix.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":2,"flow_last_seen":1484319035397,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1484319035397,"pkt":"5JjWH70UgCqoTGHMCABFIAA8AABAACoGMwk0WSeLwKgBBwG7z47YAyXj0X+UfqASRepXrQAAAgQFtAQCCAqtiMk\/H2TBaAEDAwg="}
@@ -106,7 +106,7 @@
00460{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":327,"source":"netflix.pcap","alias":"nDPId-test","flow_id":18,"flow_packet_id":3,"flow_last_seen":1484319036868,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1484319036868,"pkt":"gCqoTGHM5JjWH70UCABFAAA0UCJAAEAGXunAqAEHaFZhs8+VAbsXO1WEkf8WmIAQEBWfqAAAAQEICh9kxzUCM2vS"}
00828{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":328,"source":"netflix.pcap","alias":"nDPId-test","flow_id":18,"flow_packets_processed":4,"flow_first_seen":1484319036854,"flow_last_seen":1484319036870,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":227,"flow_tot_l4_payload_len":227,"flow_avg_l4_payload_len":56,"midstream":0,"ts_msec":1484319036870,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"104.86.97.179","src_port":53141,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.NetFlix","breed":"Fun","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"art-s.nflximg.net","ja3":"c07cb55f88702033a8f52c046d23e0b2","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1"}}
00885{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":330,"source":"netflix.pcap","alias":"nDPId-test","flow_id":18,"flow_packets_processed":6,"flow_first_seen":1484319036854,"flow_last_seen":1484319036889,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":1675,"flow_avg_l4_payload_len":279,"midstream":0,"ts_msec":1484319036889,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"104.86.97.179","src_port":53141,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.NetFlix","breed":"Fun","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"art-s.nflximg.net","ja3":"c07cb55f88702033a8f52c046d23e0b2","ja3s":"ef6b224ce027c8e21e5a25d8a58255a3","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1"}}
-01314{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":333,"source":"netflix.pcap","alias":"nDPId-test","flow_id":18,"flow_packets_processed":9,"flow_first_seen":1484319036854,"flow_last_seen":1484319036900,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":3641,"flow_avg_l4_payload_len":404,"midstream":0,"ts_msec":1484319036900,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"104.86.97.179","src_port":53141,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.NetFlix","breed":"Fun","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"art-s.nflximg.net","server_names":"secure.cdn.nflximg.net,*.nflxext.com,*.nflxvideo.net,*.nflxsearch.net,*.nrd.nflximg.net,*.nflximg.net","ja3":"c07cb55f88702033a8f52c046d23e0b2","ja3s":"ef6b224ce027c8e21e5a25d8a58255a3","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","issuerDN":"C=US, ST=California, L=Los Gatos, O=Netflix, Inc., OU=Content Delivery Operations, CN=secure.cdn.nflximg.net","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","fingerprint":"0D:EF:D1:E6:29:11:1A:A5:88:B3:2F:04:65:D6:D7:AD:84:A2:52:26"}}
+01315{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":333,"source":"netflix.pcap","alias":"nDPId-test","flow_id":18,"flow_packets_processed":9,"flow_first_seen":1484319036854,"flow_last_seen":1484319036900,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":3641,"flow_avg_l4_payload_len":404,"midstream":0,"ts_msec":1484319036900,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"104.86.97.179","src_port":53141,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.NetFlix","breed":"Fun","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"art-s.nflximg.net","server_names":"secure.cdn.nflximg.net,*.nflxext.com,*.nflxvideo.net,*.nflxsearch.net,*.nrd.nflximg.net,*.nflximg.net","ja3":"c07cb55f88702033a8f52c046d23e0b2","ja3s":"ef6b224ce027c8e21e5a25d8a58255a3","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=California, L=Los Gatos, O=Netflix, Inc., OU=Content Delivery Operations, CN=secure.cdn.nflximg.net","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","fingerprint":"0D:EF:D1:E6:29:11:1A:A5:88:B3:2F:04:65:D6:D7:AD:84:A2:52:26"}}
00550{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":604,"source":"netflix.pcap","alias":"nDPId-test","flow_id":19,"flow_packets_processed":1,"flow_first_seen":1484319042988,"flow_last_seen":1484319042988,"flow_idle_time":180000,"flow_min_l4_payload_len":42,"flow_max_l4_payload_len":42,"flow_tot_l4_payload_len":42,"flow_avg_l4_payload_len":42,"midstream":0,"ts_msec":1484319042988,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"192.168.1.1","src_port":59180,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00484{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":604,"source":"netflix.pcap","alias":"nDPId-test","flow_id":19,"flow_packet_id":1,"flow_last_seen":1484319042988,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":84,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":84,"pkt_l4_len":50,"ts_msec":1484319042988,"pkt":"gCqoTGHM5JjWH70UCABFAABGkh4AAP8Rpi\/AqAEHwKgBAecsADUAMtLh8roBAAABAAAAAAAAB2FydHdvcmsEYWthbQduZmx4aW1nA25ldAAAAQAB"}
00721{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":604,"source":"netflix.pcap","alias":"nDPId-test","flow_id":19,"flow_packets_processed":1,"flow_first_seen":1484319042988,"flow_last_seen":1484319042988,"flow_idle_time":180000,"flow_min_l4_payload_len":42,"flow_max_l4_payload_len":42,"flow_tot_l4_payload_len":42,"flow_avg_l4_payload_len":42,"midstream":0,"ts_msec":1484319042988,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"192.168.1.1","src_port":59180,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.NetFlix","breed":"Fun","category":"Video"},"dns": {"query":"artwork.akam.nflximg.net","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
@@ -165,7 +165,7 @@
00829{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":912,"source":"netflix.pcap","alias":"nDPId-test","flow_id":29,"flow_packets_processed":4,"flow_first_seen":1484319049684,"flow_last_seen":1484319049748,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1484319049748,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.191.17.51","src_port":53162,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.NetFlix","breed":"Fun","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"ios.nccp.netflix.com","ja3":"dc67ac8aaf8d7f69ecd6598135448f24","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
00841{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":913,"source":"netflix.pcap","alias":"nDPId-test","flow_id":28,"flow_packets_processed":6,"flow_first_seen":1484319049672,"flow_last_seen":1484319049753,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":1664,"flow_avg_l4_payload_len":277,"midstream":0,"ts_msec":1484319049753,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"184.25.204.24","src_port":53153,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"25":"HTTP suspicious content"},"proto":"HTTP.NetFlix","breed":"Fun","category":"Video"},"http": {"hostname":"tp.akam.nflximg.com","url":"tp.akam.nflximg.com\/tpa3\/616\/2041779616.bif","code":200,"content_type":"text\/plain","user_agent":"Argo\/900 CFNetwork\/808.2.16 Darwin\/16.3.0"}}
00885{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":920,"source":"netflix.pcap","alias":"nDPId-test","flow_id":29,"flow_packets_processed":6,"flow_first_seen":1484319049684,"flow_last_seen":1484319049807,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":1965,"flow_avg_l4_payload_len":327,"midstream":0,"ts_msec":1484319049807,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.191.17.51","src_port":53162,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.NetFlix","breed":"Fun","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"ios.nccp.netflix.com","ja3":"dc67ac8aaf8d7f69ecd6598135448f24","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}
-01224{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":923,"source":"netflix.pcap","alias":"nDPId-test","flow_id":29,"flow_packets_processed":7,"flow_first_seen":1484319049684,"flow_last_seen":1484319049850,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":3045,"flow_avg_l4_payload_len":435,"midstream":0,"ts_msec":1484319049850,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.191.17.51","src_port":53162,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.NetFlix","breed":"Fun","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"ios.nccp.netflix.com","server_names":"*.nccp.netflix.com","ja3":"dc67ac8aaf8d7f69ecd6598135448f24","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"CN=Primary Certificate Authority (2009), ST=California, C=US, O=Netflix Inc, OU=Electronic Delivery, L=Los Gatos","issuerDN":"CN=*.nccp.netflix.com, O=Netflix, Inc., OU=Operations, C=US, ST=California, L=Los Gatos","fingerprint":"97:F6:63:95:8F:F2:5E:E0:80:12:5A:FD:BF:B2:EB:FE:A2:FE:72:33"}}
+01225{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":923,"source":"netflix.pcap","alias":"nDPId-test","flow_id":29,"flow_packets_processed":7,"flow_first_seen":1484319049684,"flow_last_seen":1484319049850,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":3045,"flow_avg_l4_payload_len":435,"midstream":0,"ts_msec":1484319049850,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.191.17.51","src_port":53162,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.NetFlix","breed":"Fun","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"ios.nccp.netflix.com","server_names":"*.nccp.netflix.com","ja3":"dc67ac8aaf8d7f69ecd6598135448f24","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"CN=Primary Certificate Authority (2009), ST=California, C=US, O=Netflix Inc, OU=Electronic Delivery, L=Los Gatos","subjectDN":"CN=*.nccp.netflix.com, O=Netflix, Inc., OU=Operations, C=US, ST=California, L=Los Gatos","fingerprint":"97:F6:63:95:8F:F2:5E:E0:80:12:5A:FD:BF:B2:EB:FE:A2:FE:72:33"}}
00549{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":968,"source":"netflix.pcap","alias":"nDPId-test","flow_id":30,"flow_packets_processed":1,"flow_first_seen":1484319050652,"flow_last_seen":1484319050652,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1484319050652,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.145","src_port":53163,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00479{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":968,"source":"netflix.pcap","alias":"nDPId-test","flow_id":30,"flow_packet_id":1,"flow_last_seen":1484319050652,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"ts_msec":1484319050652,"pkt":"gCqoTGHM5JjWH70UCABFAABA2xBAAEAGenHAqAEHF\/YLkc+rAFC8XkCtAAAAALAC\/\/9pzAAAAgQFtAEDAwUBAQgKH2T7jgAAAAAEAgAA"}
00475{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":970,"source":"netflix.pcap","alias":"nDPId-test","flow_id":30,"flow_packet_id":2,"flow_last_seen":1484319050677,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1484319050677,"pkt":"5JjWH70UgCqoTGHMCABFIAA8AABAADsGWmYX9guRwKgBBwBQz6susPTdvF5ArqAS\/\/\/2WQAAAgQFtAEDAwkEAggKRVwbeB9k+44="}
@@ -268,10 +268,10 @@
00830{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1957,"source":"netflix.pcap","alias":"nDPId-test","flow_id":49,"flow_packets_processed":4,"flow_first_seen":1484319064711,"flow_last_seen":1484319064785,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":229,"flow_tot_l4_payload_len":229,"flow_avg_l4_payload_len":57,"midstream":0,"ts_msec":1484319064785,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.37.36.252","src_port":53203,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.NetFlix","breed":"Fun","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"ichnaea.netflix.com","ja3":"c07cb55f88702033a8f52c046d23e0b2","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1"}}
00886{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1961,"source":"netflix.pcap","alias":"nDPId-test","flow_id":46,"flow_packets_processed":6,"flow_first_seen":1484319064669,"flow_last_seen":1484319064796,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":1965,"flow_avg_l4_payload_len":327,"midstream":0,"ts_msec":1484319064796,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.191.17.51","src_port":53193,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.NetFlix","breed":"Fun","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"ios.nccp.netflix.com","ja3":"dc67ac8aaf8d7f69ecd6598135448f24","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}
00886{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1962,"source":"netflix.pcap","alias":"nDPId-test","flow_id":47,"flow_packets_processed":6,"flow_first_seen":1484319064671,"flow_last_seen":1484319064823,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":1965,"flow_avg_l4_payload_len":327,"midstream":0,"ts_msec":1484319064823,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.191.17.51","src_port":53202,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.NetFlix","breed":"Fun","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"ios.nccp.netflix.com","ja3":"dc67ac8aaf8d7f69ecd6598135448f24","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}
-01225{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1964,"source":"netflix.pcap","alias":"nDPId-test","flow_id":46,"flow_packets_processed":7,"flow_first_seen":1484319064669,"flow_last_seen":1484319064850,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":3045,"flow_avg_l4_payload_len":435,"midstream":0,"ts_msec":1484319064850,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.191.17.51","src_port":53193,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.NetFlix","breed":"Fun","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"ios.nccp.netflix.com","server_names":"*.nccp.netflix.com","ja3":"dc67ac8aaf8d7f69ecd6598135448f24","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"CN=Primary Certificate Authority (2009), ST=California, C=US, O=Netflix Inc, OU=Electronic Delivery, L=Los Gatos","issuerDN":"CN=*.nccp.netflix.com, O=Netflix, Inc., OU=Operations, C=US, ST=California, L=Los Gatos","fingerprint":"97:F6:63:95:8F:F2:5E:E0:80:12:5A:FD:BF:B2:EB:FE:A2:FE:72:33"}}
+01226{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1964,"source":"netflix.pcap","alias":"nDPId-test","flow_id":46,"flow_packets_processed":7,"flow_first_seen":1484319064669,"flow_last_seen":1484319064850,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":3045,"flow_avg_l4_payload_len":435,"midstream":0,"ts_msec":1484319064850,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.191.17.51","src_port":53193,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.NetFlix","breed":"Fun","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"ios.nccp.netflix.com","server_names":"*.nccp.netflix.com","ja3":"dc67ac8aaf8d7f69ecd6598135448f24","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"CN=Primary Certificate Authority (2009), ST=California, C=US, O=Netflix Inc, OU=Electronic Delivery, L=Los Gatos","subjectDN":"CN=*.nccp.netflix.com, O=Netflix, Inc., OU=Operations, C=US, ST=California, L=Los Gatos","fingerprint":"97:F6:63:95:8F:F2:5E:E0:80:12:5A:FD:BF:B2:EB:FE:A2:FE:72:33"}}
00887{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1968,"source":"netflix.pcap","alias":"nDPId-test","flow_id":49,"flow_packets_processed":6,"flow_first_seen":1484319064711,"flow_last_seen":1484319064885,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":1677,"flow_avg_l4_payload_len":279,"midstream":0,"ts_msec":1484319064885,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.37.36.252","src_port":53203,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.NetFlix","breed":"Fun","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"ichnaea.netflix.com","ja3":"c07cb55f88702033a8f52c046d23e0b2","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1"}}
-01225{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1969,"source":"netflix.pcap","alias":"nDPId-test","flow_id":47,"flow_packets_processed":7,"flow_first_seen":1484319064671,"flow_last_seen":1484319064898,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":3045,"flow_avg_l4_payload_len":435,"midstream":0,"ts_msec":1484319064898,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.191.17.51","src_port":53202,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.NetFlix","breed":"Fun","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"ios.nccp.netflix.com","server_names":"*.nccp.netflix.com","ja3":"dc67ac8aaf8d7f69ecd6598135448f24","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"CN=Primary Certificate Authority (2009), ST=California, C=US, O=Netflix Inc, OU=Electronic Delivery, L=Los Gatos","issuerDN":"CN=*.nccp.netflix.com, O=Netflix, Inc., OU=Operations, C=US, ST=California, L=Los Gatos","fingerprint":"97:F6:63:95:8F:F2:5E:E0:80:12:5A:FD:BF:B2:EB:FE:A2:FE:72:33"}}
-01316{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1977,"source":"netflix.pcap","alias":"nDPId-test","flow_id":49,"flow_packets_processed":7,"flow_first_seen":1484319064711,"flow_last_seen":1484319064950,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":3125,"flow_avg_l4_payload_len":446,"midstream":0,"ts_msec":1484319064950,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.37.36.252","src_port":53203,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.NetFlix","breed":"Fun","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"ichnaea.netflix.com","server_names":"ichnaea.netflix.com,beacon.netflix.com,presentationtracking.netflix.com,nmtracking.netflix.com,customerevents.netflix.com","ja3":"c07cb55f88702033a8f52c046d23e0b2","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","issuerDN":"C=US, ST=California, L=los gatos, O=Netflix, Inc., OU=Ops, CN=customerevents.netflix.com","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","fingerprint":"50:D6:DB:AF:1D:A3:83:52:E6:0E:15:8F:98:78:EE:2F:23:FD:E2:3F"}}
+01226{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1969,"source":"netflix.pcap","alias":"nDPId-test","flow_id":47,"flow_packets_processed":7,"flow_first_seen":1484319064671,"flow_last_seen":1484319064898,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":3045,"flow_avg_l4_payload_len":435,"midstream":0,"ts_msec":1484319064898,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.191.17.51","src_port":53202,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.NetFlix","breed":"Fun","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"ios.nccp.netflix.com","server_names":"*.nccp.netflix.com","ja3":"dc67ac8aaf8d7f69ecd6598135448f24","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"CN=Primary Certificate Authority (2009), ST=California, C=US, O=Netflix Inc, OU=Electronic Delivery, L=Los Gatos","subjectDN":"CN=*.nccp.netflix.com, O=Netflix, Inc., OU=Operations, C=US, ST=California, L=Los Gatos","fingerprint":"97:F6:63:95:8F:F2:5E:E0:80:12:5A:FD:BF:B2:EB:FE:A2:FE:72:33"}}
+01317{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1977,"source":"netflix.pcap","alias":"nDPId-test","flow_id":49,"flow_packets_processed":7,"flow_first_seen":1484319064711,"flow_last_seen":1484319064950,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":3125,"flow_avg_l4_payload_len":446,"midstream":0,"ts_msec":1484319064950,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.37.36.252","src_port":53203,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.NetFlix","breed":"Fun","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"ichnaea.netflix.com","server_names":"ichnaea.netflix.com,beacon.netflix.com,presentationtracking.netflix.com,nmtracking.netflix.com,customerevents.netflix.com","ja3":"c07cb55f88702033a8f52c046d23e0b2","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=California, L=los gatos, O=Netflix, Inc., OU=Ops, CN=customerevents.netflix.com","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","fingerprint":"50:D6:DB:AF:1D:A3:83:52:E6:0E:15:8F:98:78:EE:2F:23:FD:E2:3F"}}
00550{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2494,"source":"netflix.pcap","alias":"nDPId-test","flow_id":50,"flow_packets_processed":1,"flow_first_seen":1484319070636,"flow_last_seen":1484319070636,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1484319070636,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.133","src_port":53210,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00482{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2494,"source":"netflix.pcap","alias":"nDPId-test","flow_id":50,"flow_packet_id":1,"flow_last_seen":1484319070636,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"ts_msec":1484319070636,"pkt":"gCqoTGHM5JjWH70UCABFAABAs25AAEAGoh\/AqAEHF\/YLhc\/aAFBx1HGxAAAAALAC\/\/84uwAAAgQFtAEDAwUBAQgKH2VGAgAAAAAEAgAA"}
00476{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2497,"source":"netflix.pcap","alias":"nDPId-test","flow_id":50,"flow_packet_id":2,"flow_last_seen":1484319070655,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1484319070655,"pkt":"5JjWH70UgCqoTGHMCABFIAA8AABAADsGWnIX9guFwKgBBwBQz9pdV1SucdRxsqAS\/\/+\/OwAAAgQFtAEDAwkEAggKgYtW3h9lRgI="}
@@ -296,7 +296,7 @@
00462{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6414,"source":"netflix.pcap","alias":"nDPId-test","flow_id":53,"flow_packet_id":3,"flow_last_seen":1484319114457,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1484319114457,"pkt":"gCqoTGHM5JjWH70UCABFAAA03p5AAEAGT4DAqAEHNCAW1s\/2Abt+TgYKSUprD4AQEBVsWgAAAQEICh9l6fy2sSMx"}
00830{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":6416,"source":"netflix.pcap","alias":"nDPId-test","flow_id":53,"flow_packets_processed":4,"flow_first_seen":1484319114406,"flow_last_seen":1484319114464,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1484319114464,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.32.22.214","src_port":53238,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.NetFlix","breed":"Fun","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"ios.nccp.netflix.com","ja3":"dc67ac8aaf8d7f69ecd6598135448f24","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
00886{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":6423,"source":"netflix.pcap","alias":"nDPId-test","flow_id":53,"flow_packets_processed":6,"flow_first_seen":1484319114406,"flow_last_seen":1484319114523,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":1965,"flow_avg_l4_payload_len":327,"midstream":0,"ts_msec":1484319114523,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.32.22.214","src_port":53238,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.NetFlix","breed":"Fun","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"ios.nccp.netflix.com","ja3":"dc67ac8aaf8d7f69ecd6598135448f24","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}
-01225{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":6425,"source":"netflix.pcap","alias":"nDPId-test","flow_id":53,"flow_packets_processed":7,"flow_first_seen":1484319114406,"flow_last_seen":1484319114556,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":3045,"flow_avg_l4_payload_len":435,"midstream":0,"ts_msec":1484319114556,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.32.22.214","src_port":53238,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.NetFlix","breed":"Fun","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"ios.nccp.netflix.com","server_names":"*.nccp.netflix.com","ja3":"dc67ac8aaf8d7f69ecd6598135448f24","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"CN=Primary Certificate Authority (2009), ST=California, C=US, O=Netflix Inc, OU=Electronic Delivery, L=Los Gatos","issuerDN":"CN=*.nccp.netflix.com, O=Netflix, Inc., OU=Operations, C=US, ST=California, L=Los Gatos","fingerprint":"97:F6:63:95:8F:F2:5E:E0:80:12:5A:FD:BF:B2:EB:FE:A2:FE:72:33"}}
+01226{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":6425,"source":"netflix.pcap","alias":"nDPId-test","flow_id":53,"flow_packets_processed":7,"flow_first_seen":1484319114406,"flow_last_seen":1484319114556,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":3045,"flow_avg_l4_payload_len":435,"midstream":0,"ts_msec":1484319114556,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.32.22.214","src_port":53238,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.NetFlix","breed":"Fun","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"ios.nccp.netflix.com","server_names":"*.nccp.netflix.com","ja3":"dc67ac8aaf8d7f69ecd6598135448f24","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"CN=Primary Certificate Authority (2009), ST=California, C=US, O=Netflix Inc, OU=Electronic Delivery, L=Los Gatos","subjectDN":"CN=*.nccp.netflix.com, O=Netflix, Inc., OU=Operations, C=US, ST=California, L=Los Gatos","fingerprint":"97:F6:63:95:8F:F2:5E:E0:80:12:5A:FD:BF:B2:EB:FE:A2:FE:72:33"}}
00551{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":6721,"source":"netflix.pcap","alias":"nDPId-test","flow_id":54,"flow_packets_processed":1,"flow_first_seen":1484319117511,"flow_last_seen":1484319117511,"flow_idle_time":180000,"flow_min_l4_payload_len":55,"flow_max_l4_payload_len":55,"flow_tot_l4_payload_len":55,"flow_avg_l4_payload_len":55,"midstream":0,"ts_msec":1484319117511,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"192.168.1.1","src_port":52095,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00506{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6721,"source":"netflix.pcap","alias":"nDPId-test","flow_id":54,"flow_packet_id":1,"flow_last_seen":1484319117511,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":97,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":97,"pkt_l4_len":63,"ts_msec":1484319117511,"pkt":"gCqoTGHM5JjWH70UCABFAABT2RsAAP8RXyXAqAEHwKgBAct\/ADUAP5\/hcXUBAAABAAAAAAAACmFwaS1nbG9iYWwHbGF0ZW5jeQZwcm9kYWEHbmV0ZmxpeANjb20AAAEAAQ=="}
00735{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":6721,"source":"netflix.pcap","alias":"nDPId-test","flow_id":54,"flow_packets_processed":1,"flow_first_seen":1484319117511,"flow_last_seen":1484319117511,"flow_idle_time":180000,"flow_min_l4_payload_len":55,"flow_max_l4_payload_len":55,"flow_tot_l4_payload_len":55,"flow_avg_l4_payload_len":55,"midstream":0,"ts_msec":1484319117511,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"192.168.1.1","src_port":52095,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.NetFlix","breed":"Fun","category":"Video"},"dns": {"query":"api-global.latency.prodaa.netflix.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
@@ -313,9 +313,9 @@
00461{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6773,"source":"netflix.pcap","alias":"nDPId-test","flow_id":56,"flow_packet_id":3,"flow_last_seen":1484319117704,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1484319117704,"pkt":"gCqoTGHM5JjWH70UCABFAAA0fsVAAEAGr1nAqAEHNCAW1tAAAbtmeMEhXwOe+oAQEBVwIwAAAQEICh9l9hi2sSZc"}
00830{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":6774,"source":"netflix.pcap","alias":"nDPId-test","flow_id":56,"flow_packets_processed":4,"flow_first_seen":1484319117651,"flow_last_seen":1484319117713,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1484319117713,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.32.22.214","src_port":53248,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.NetFlix","breed":"Fun","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"ios.nccp.netflix.com","ja3":"dc67ac8aaf8d7f69ecd6598135448f24","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
00888{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":6776,"source":"netflix.pcap","alias":"nDPId-test","flow_id":55,"flow_packets_processed":6,"flow_first_seen":1484319117605,"flow_last_seen":1484319117737,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":1965,"flow_avg_l4_payload_len":327,"midstream":0,"ts_msec":1484319117737,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.41.30.5","src_port":53239,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.NetFlix","breed":"Fun","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"api-global.netflix.com","ja3":"d8bfad189bd26664e04570c104ee8418","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1"}}
-01344{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":6777,"source":"netflix.pcap","alias":"nDPId-test","flow_id":55,"flow_packets_processed":7,"flow_first_seen":1484319117605,"flow_last_seen":1484319117738,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":3413,"flow_avg_l4_payload_len":487,"midstream":0,"ts_msec":1484319117738,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.41.30.5","src_port":53239,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.NetFlix","breed":"Fun","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"api-global.netflix.com","server_names":"api-latam.netflix.com,htmltvui.netflix.com,api-eu.netflix.com,uiboot.netflix.com,api-global.netflix.com,api-user.netflix.com,api-us.netflix.com,api.netflix.com","ja3":"d8bfad189bd26664e04570c104ee8418","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","issuerDN":"C=US, ST=California, L=los gatos, O=Netflix, Inc., OU=Ops, CN=api.netflix.com","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","fingerprint":"FC:5B:F6:86:AE:E5:22:0D:60:0C:C3:DF:8F:02:80:3F:A3:60:0E:3C"}}
+01345{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":6777,"source":"netflix.pcap","alias":"nDPId-test","flow_id":55,"flow_packets_processed":7,"flow_first_seen":1484319117605,"flow_last_seen":1484319117738,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":3413,"flow_avg_l4_payload_len":487,"midstream":0,"ts_msec":1484319117738,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.41.30.5","src_port":53239,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.NetFlix","breed":"Fun","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"api-global.netflix.com","server_names":"api-latam.netflix.com,htmltvui.netflix.com,api-eu.netflix.com,uiboot.netflix.com,api-global.netflix.com,api-user.netflix.com,api-us.netflix.com,api.netflix.com","ja3":"d8bfad189bd26664e04570c104ee8418","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=California, L=los gatos, O=Netflix, Inc., OU=Ops, CN=api.netflix.com","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","fingerprint":"FC:5B:F6:86:AE:E5:22:0D:60:0C:C3:DF:8F:02:80:3F:A3:60:0E:3C"}}
00886{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":6789,"source":"netflix.pcap","alias":"nDPId-test","flow_id":56,"flow_packets_processed":6,"flow_first_seen":1484319117651,"flow_last_seen":1484319117770,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":1965,"flow_avg_l4_payload_len":327,"midstream":0,"ts_msec":1484319117770,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.32.22.214","src_port":53248,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.NetFlix","breed":"Fun","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"ios.nccp.netflix.com","ja3":"dc67ac8aaf8d7f69ecd6598135448f24","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}
-01225{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":6790,"source":"netflix.pcap","alias":"nDPId-test","flow_id":56,"flow_packets_processed":7,"flow_first_seen":1484319117651,"flow_last_seen":1484319117771,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":3045,"flow_avg_l4_payload_len":435,"midstream":0,"ts_msec":1484319117771,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.32.22.214","src_port":53248,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.NetFlix","breed":"Fun","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"ios.nccp.netflix.com","server_names":"*.nccp.netflix.com","ja3":"dc67ac8aaf8d7f69ecd6598135448f24","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"CN=Primary Certificate Authority (2009), ST=California, C=US, O=Netflix Inc, OU=Electronic Delivery, L=Los Gatos","issuerDN":"CN=*.nccp.netflix.com, O=Netflix, Inc., OU=Operations, C=US, ST=California, L=Los Gatos","fingerprint":"97:F6:63:95:8F:F2:5E:E0:80:12:5A:FD:BF:B2:EB:FE:A2:FE:72:33"}}
+01226{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":6790,"source":"netflix.pcap","alias":"nDPId-test","flow_id":56,"flow_packets_processed":7,"flow_first_seen":1484319117651,"flow_last_seen":1484319117771,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":3045,"flow_avg_l4_payload_len":435,"midstream":0,"ts_msec":1484319117771,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.32.22.214","src_port":53248,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.NetFlix","breed":"Fun","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"ios.nccp.netflix.com","server_names":"*.nccp.netflix.com","ja3":"dc67ac8aaf8d7f69ecd6598135448f24","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"CN=Primary Certificate Authority (2009), ST=California, C=US, O=Netflix Inc, OU=Electronic Delivery, L=Los Gatos","subjectDN":"CN=*.nccp.netflix.com, O=Netflix, Inc., OU=Operations, C=US, ST=California, L=Los Gatos","fingerprint":"97:F6:63:95:8F:F2:5E:E0:80:12:5A:FD:BF:B2:EB:FE:A2:FE:72:33"}}
00548{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":6799,"source":"netflix.pcap","alias":"nDPId-test","flow_id":57,"flow_packets_processed":1,"flow_first_seen":1484319117826,"flow_last_seen":1484319117826,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1484319117826,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.41.30.5","src_port":53249,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00479{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6799,"source":"netflix.pcap","alias":"nDPId-test","flow_id":57,"flow_packet_id":1,"flow_last_seen":1484319117826,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"ts_msec":1484319117826,"pkt":"gCqoTGHM5JjWH70UCABFAABAF8hAAEAGDxPAqAEHNCkeBdABAbshc+whAAAAALAC\/\/8t3QAAAgQFtAEDAwUBAQgKH2X2iwAAAAAEAgAA"}
00548{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":6800,"source":"netflix.pcap","alias":"nDPId-test","flow_id":58,"flow_packets_processed":1,"flow_first_seen":1484319117827,"flow_last_seen":1484319117827,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1484319117827,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.41.30.5","src_port":53250,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -349,7 +349,7 @@
00554{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":6999,"source":"netflix.pcap","alias":"nDPId-test","flow_id":19,"flow_packets_processed":2,"flow_first_seen":1484319042988,"flow_last_seen":1484319043002,"flow_idle_time":180000,"flow_min_l4_payload_len":42,"flow_max_l4_payload_len":106,"flow_tot_l4_payload_len":148,"flow_avg_l4_payload_len":74,"midstream":0,"ts_msec":1484319120726,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"192.168.1.1","src_port":59180,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00558{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":6999,"source":"netflix.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":25,"flow_first_seen":1484319032896,"flow_last_seen":1484319033215,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":6570,"flow_avg_l4_payload_len":262,"midstream":0,"ts_msec":1484319120726,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.191.17.51","src_port":53114,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00560{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":6999,"source":"netflix.pcap","alias":"nDPId-test","flow_id":29,"flow_packets_processed":31,"flow_first_seen":1484319049684,"flow_last_seen":1484319050696,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":12666,"flow_avg_l4_payload_len":408,"midstream":0,"ts_msec":1484319120726,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.191.17.51","src_port":53162,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
-00581{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":6999,"source":"netflix.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":2,"flow_first_seen":1484319030789,"flow_last_seen":1484319044993,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1484319120726,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.24.87.6","src_port":52929,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"}}
+00586{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":6999,"source":"netflix.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":2,"flow_first_seen":1484319030789,"flow_last_seen":1484319044993,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1484319120726,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.24.87.6","src_port":52929,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"}}
00547{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":6999,"source":"netflix.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":2,"flow_first_seen":1484319030789,"flow_last_seen":1484319044993,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1484319120726,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.24.87.6","src_port":52929,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00561{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":6999,"source":"netflix.pcap","alias":"nDPId-test","flow_id":46,"flow_packets_processed":71,"flow_first_seen":1484319064669,"flow_last_seen":1484319117874,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":53403,"flow_avg_l4_payload_len":752,"midstream":0,"ts_msec":1484319120726,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.191.17.51","src_port":53193,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00560{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":6999,"source":"netflix.pcap","alias":"nDPId-test","flow_id":47,"flow_packets_processed":38,"flow_first_seen":1484319064671,"flow_last_seen":1484319065592,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":16026,"flow_avg_l4_payload_len":421,"midstream":0,"ts_msec":1484319120726,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.191.17.51","src_port":53202,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -414,10 +414,10 @@
~~ total active/idle flows...: 61/61
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 2641723 bytes
-~~ total memory freed........: 2641723 bytes
-~~ total allocations/frees...: 42768/42768
+~~ total memory allocated....: 5278666 bytes
+~~ total memory freed........: 5278666 bytes
+~~ total allocations/frees...: 106966/106966
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 164 chars
-~~ json string max len.......: 1349 chars
-~~ json string avg len.......: 826 chars
+~~ json string max len.......: 1350 chars
+~~ json string avg len.......: 827 chars
diff --git a/test/results/netflow-fritz.pcap.out b/test/results/netflow-fritz.pcap.out
index 8fdaaa980..a70d94e64 100644
--- a/test/results/netflow-fritz.pcap.out
+++ b/test/results/netflow-fritz.pcap.out
@@ -12,9 +12,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1928153 bytes
-~~ total memory freed........: 1928153 bytes
-~~ total allocations/frees...: 35339/35339
+~~ total memory allocated....: 4590468 bytes
+~~ total memory freed........: 4590468 bytes
+~~ total allocations/frees...: 99535/99535
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 165 chars
~~ json string max len.......: 686 chars
diff --git a/test/results/netflowv9.pcap.out b/test/results/netflowv9.pcap.out
index b42b7a220..49d5fa4ca 100644
--- a/test/results/netflowv9.pcap.out
+++ b/test/results/netflowv9.pcap.out
@@ -14,9 +14,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1928414 bytes
-~~ total memory freed........: 1928414 bytes
-~~ total allocations/frees...: 35348/35348
+~~ total memory allocated....: 4590729 bytes
+~~ total memory freed........: 4590729 bytes
+~~ total allocations/frees...: 99544/99544
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 162 chars
~~ json string max len.......: 2296 chars
diff --git a/test/results/nintendo.pcap.out b/test/results/nintendo.pcap.out
index 3296e39eb..92117eb40 100644
--- a/test/results/nintendo.pcap.out
+++ b/test/results/nintendo.pcap.out
@@ -20,7 +20,7 @@
00460{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":57,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_last_seen":1500731322761,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1500731322761,"pkt":"fLuKifuEAA6OGXEMCABFAAA0FZhAAOUGcZ02uwq5wKgMcgG7vMgz\/J69i298C4AQALmNxAAAAQEICgQM25wAGmE2"}
00556{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":60,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":1,"flow_first_seen":1500731323269,"flow_last_seen":1500731323269,"flow_idle_time":180000,"flow_min_l4_payload_len":76,"flow_max_l4_payload_len":76,"flow_tot_l4_payload_len":76,"flow_avg_l4_payload_len":76,"midstream":0,"ts_msec":1500731323269,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"35.158.74.61","src_port":52119,"dst_port":33335,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00536{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":60,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_last_seen":1500731323269,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":118,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":118,"pkt_l4_len":84,"ts_msec":1500731323269,"pkt":"AA6OGXEMfLuKifuECABFAABoEV8AAEARLjHAqAxyI55KPcuXgjcAVAoAMquYZAIAAACgRQAAPD+rAYcrvhgZcqXY4tF4R087lVXf\/uabOP7DTtPl\/Z68o2TwyTMiy\/1PT8Q0PYJjfL9\/FaWie4QujpeJZMzmHA=="}
-00597{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":60,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":1,"flow_first_seen":1500731323269,"flow_last_seen":1500731323269,"flow_idle_time":180000,"flow_min_l4_payload_len":76,"flow_max_l4_payload_len":76,"flow_tot_l4_payload_len":76,"flow_avg_l4_payload_len":76,"midstream":0,"ts_msec":1500731323269,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"35.158.74.61","src_port":52119,"dst_port":33335,"l4_proto":"udp","ndpi": {"proto":"Nintendo.Amazon","breed":"Acceptable","category":"Game"}}
+00600{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":60,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":1,"flow_first_seen":1500731323269,"flow_last_seen":1500731323269,"flow_idle_time":180000,"flow_min_l4_payload_len":76,"flow_max_l4_payload_len":76,"flow_tot_l4_payload_len":76,"flow_avg_l4_payload_len":76,"midstream":0,"ts_msec":1500731323269,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"35.158.74.61","src_port":52119,"dst_port":33335,"l4_proto":"udp","ndpi": {"proto":"Nintendo.AmazonAWS","breed":"Acceptable","category":"Game"}}
00536{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":61,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":2,"flow_last_seen":1500731323270,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":118,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":118,"pkt_l4_len":84,"ts_msec":1500731323270,"pkt":"AA6OGXEMfLuKifuECABFAABoEWAAAEARLjDAqAxyI55KPcuXgjcAVAoAMquYZAIAAACgRQAAPD+rAYcrvhgZcqXY4tF4R087lVXf\/uabOP7DTtPl\/Z68o2TwyTMiy\/1PT8Q0PYJjfL9\/FaWie4QujpeJZMzmHA=="}
00536{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":62,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":3,"flow_last_seen":1500731323270,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":118,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":118,"pkt_l4_len":84,"ts_msec":1500731323270,"pkt":"AA6OGXEMfLuKifuECABFAABoEWEAAEARLi\/AqAxyI55KPcuXgjcAVCUqMquYZAIAAACgRgAAPD+rAYcrvhgZcqXY4tF4R087lVXf\/uabOP7DTtPl\/Z68o2TwyTMiy\/1PT8Q0PYJjeofEEG4mAZPKsmIYZ3XQPw=="}
00561{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":83,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":1,"flow_first_seen":1500731326270,"flow_last_seen":1500731326270,"flow_idle_time":180000,"flow_min_l4_payload_len":688,"flow_max_l4_payload_len":688,"flow_tot_l4_payload_len":688,"flow_avg_l4_payload_len":688,"midstream":0,"ts_msec":1500731326270,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"52.10.205.177","src_port":52119,"dst_port":34343,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
@@ -36,7 +36,7 @@
00459{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":93,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":3,"flow_last_seen":1500731326680,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1500731326680,"pkt":"AA6OGXEMfLuKifuECABFAAA0EXRAAEAGCZ3AqAxyNsAb2aItAbvSLGpFwBwN1IAQAg4imAAAAQEICgAaca+n0Wp9"}
00861{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":94,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":4,"flow_first_seen":1500731326644,"flow_last_seen":1500731326686,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":212,"flow_tot_l4_payload_len":212,"flow_avg_l4_payload_len":53,"midstream":0,"ts_msec":1500731326686,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"54.192.27.217","src_port":41517,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Nintendo","breed":"Fun","category":"Game"},"tls": {"version":"TLSv1.2","client_requested_server_name":"e0d67c509fb203858ebcb2fe3f88c2aa.baas.nintendo.com","ja3":"200a99534ce50d35cf40cc3cce4c69b5","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
00918{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":96,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":6,"flow_first_seen":1500731326644,"flow_last_seen":1500731326729,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1348,"flow_tot_l4_payload_len":1560,"flow_avg_l4_payload_len":260,"midstream":0,"ts_msec":1500731326729,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"54.192.27.217","src_port":41517,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Nintendo","breed":"Fun","category":"Game"},"tls": {"version":"TLSv1.2","client_requested_server_name":"e0d67c509fb203858ebcb2fe3f88c2aa.baas.nintendo.com","ja3":"200a99534ce50d35cf40cc3cce4c69b5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}
-01234{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":97,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":7,"flow_first_seen":1500731326644,"flow_last_seen":1500731326731,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1348,"flow_tot_l4_payload_len":2908,"flow_avg_l4_payload_len":415,"midstream":0,"ts_msec":1500731326731,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"54.192.27.217","src_port":41517,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Nintendo","breed":"Fun","category":"Game"},"tls": {"version":"TLSv1.2","client_requested_server_name":"e0d67c509fb203858ebcb2fe3f88c2aa.baas.nintendo.com","server_names":"*.baas.nintendo.com,baas.nintendo.com","ja3":"200a99534ce50d35cf40cc3cce4c69b5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","issuerDN":"C=JP, ST=Kyoto, L=Minami-ku, O=Nintendo Co., Ltd., CN=*.baas.nintendo.com","fingerprint":"8A:0A:1D:D3:A8:96:7A:55:C5:75:B2:2B:3E:45:15:54:0A:B0:FC:94"}}
+01235{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":97,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":7,"flow_first_seen":1500731326644,"flow_last_seen":1500731326731,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1348,"flow_tot_l4_payload_len":2908,"flow_avg_l4_payload_len":415,"midstream":0,"ts_msec":1500731326731,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"54.192.27.217","src_port":41517,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Nintendo","breed":"Fun","category":"Game"},"tls": {"version":"TLSv1.2","client_requested_server_name":"e0d67c509fb203858ebcb2fe3f88c2aa.baas.nintendo.com","server_names":"*.baas.nintendo.com,baas.nintendo.com","ja3":"200a99534ce50d35cf40cc3cce4c69b5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","subjectDN":"C=JP, ST=Kyoto, L=Minami-ku, O=Nintendo Co., Ltd., CN=*.baas.nintendo.com","fingerprint":"8A:0A:1D:D3:A8:96:7A:55:C5:75:B2:2B:3E:45:15:54:0A:B0:FC:94"}}
00553{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":113,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":9,"flow_packets_processed":1,"flow_first_seen":1500731329336,"flow_last_seen":1500731329336,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1500731329336,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"54.146.242.74","src_port":11534,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00444{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":113,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":1,"flow_last_seen":1500731329336,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1500731329336,"pkt":"AA6OGXEMfLuKifuECABFAAAoEX5AAEAGM1vAqAxyNpLySi0OAbv6FA+Od8xLzVAQEsCrFwAA"}
00444{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":114,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":2,"flow_last_seen":1500731329520,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1500731329520,"pkt":"fLuKifuEAA6OGXEMCABFAAAo9shAACwGYhA2kvJKwKgMcgG7LQ53zEvN+hQPj1AQn2AedgAA"}
@@ -75,7 +75,7 @@
00461{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":155,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":3,"flow_last_seen":1500731341242,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1500731341242,"pkt":"AA6OGXEMfLuKifuECABFAAA0EZdAAEAGCkvAqAxyNsAbCHphAbtX9RryfZacgoAQAg4GiQAAAQEICgAaqpOoOPNA"}
00861{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":156,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":16,"flow_packets_processed":4,"flow_first_seen":1500731341201,"flow_last_seen":1500731341246,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":212,"flow_tot_l4_payload_len":212,"flow_avg_l4_payload_len":53,"midstream":0,"ts_msec":1500731341246,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"54.192.27.8","src_port":31329,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Nintendo","breed":"Fun","category":"Game"},"tls": {"version":"TLSv1.2","client_requested_server_name":"e0d67c509fb203858ebcb2fe3f88c2aa.baas.nintendo.com","ja3":"200a99534ce50d35cf40cc3cce4c69b5","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
00918{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":158,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":16,"flow_packets_processed":6,"flow_first_seen":1500731341201,"flow_last_seen":1500731341285,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1348,"flow_tot_l4_payload_len":1560,"flow_avg_l4_payload_len":260,"midstream":0,"ts_msec":1500731341285,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"54.192.27.8","src_port":31329,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Nintendo","breed":"Fun","category":"Game"},"tls": {"version":"TLSv1.2","client_requested_server_name":"e0d67c509fb203858ebcb2fe3f88c2aa.baas.nintendo.com","ja3":"200a99534ce50d35cf40cc3cce4c69b5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}
-01234{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":159,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":16,"flow_packets_processed":7,"flow_first_seen":1500731341201,"flow_last_seen":1500731341285,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1348,"flow_tot_l4_payload_len":2908,"flow_avg_l4_payload_len":415,"midstream":0,"ts_msec":1500731341285,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"54.192.27.8","src_port":31329,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Nintendo","breed":"Fun","category":"Game"},"tls": {"version":"TLSv1.2","client_requested_server_name":"e0d67c509fb203858ebcb2fe3f88c2aa.baas.nintendo.com","server_names":"*.baas.nintendo.com,baas.nintendo.com","ja3":"200a99534ce50d35cf40cc3cce4c69b5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","issuerDN":"C=JP, ST=Kyoto, L=Minami-ku, O=Nintendo Co., Ltd., CN=*.baas.nintendo.com","fingerprint":"8A:0A:1D:D3:A8:96:7A:55:C5:75:B2:2B:3E:45:15:54:0A:B0:FC:94"}}
+01235{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":159,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":16,"flow_packets_processed":7,"flow_first_seen":1500731341201,"flow_last_seen":1500731341285,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1348,"flow_tot_l4_payload_len":2908,"flow_avg_l4_payload_len":415,"midstream":0,"ts_msec":1500731341285,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"54.192.27.8","src_port":31329,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Nintendo","breed":"Fun","category":"Game"},"tls": {"version":"TLSv1.2","client_requested_server_name":"e0d67c509fb203858ebcb2fe3f88c2aa.baas.nintendo.com","server_names":"*.baas.nintendo.com,baas.nintendo.com","ja3":"200a99534ce50d35cf40cc3cce4c69b5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","subjectDN":"C=JP, ST=Kyoto, L=Minami-ku, O=Nintendo Co., Ltd., CN=*.baas.nintendo.com","fingerprint":"8A:0A:1D:D3:A8:96:7A:55:C5:75:B2:2B:3E:45:15:54:0A:B0:FC:94"}}
00560{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":187,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":17,"flow_packets_processed":1,"flow_first_seen":1500731342849,"flow_last_seen":1500731342849,"flow_idle_time":180000,"flow_min_l4_payload_len":76,"flow_max_l4_payload_len":76,"flow_tot_l4_payload_len":76,"flow_avg_l4_payload_len":76,"midstream":0,"ts_msec":1500731342849,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"185.118.169.65","src_port":55915,"dst_port":27520,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00535{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":187,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":17,"flow_packet_id":1,"flow_last_seen":1500731342849,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":118,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":118,"pkt_l4_len":84,"ts_msec":1500731342849,"pkt":"AA6OGXEMfLuKifuECABFAABoEaUAAAQRdQ7AqAxyuXapQdpra4AAVCIdMquYZAIAAADswAAAiVxWTHQXYLkMmEhv3TFhCo9D90XwqWXbgOlZDx\/Hd+4rX5hDUY6wfFQBAZE4XnJazusJzbVQnhevgQppjVzdvQ=="}
00587{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":187,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":17,"flow_packets_processed":1,"flow_first_seen":1500731342849,"flow_last_seen":1500731342849,"flow_idle_time":180000,"flow_min_l4_payload_len":76,"flow_max_l4_payload_len":76,"flow_tot_l4_payload_len":76,"flow_avg_l4_payload_len":76,"midstream":0,"ts_msec":1500731342849,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"185.118.169.65","src_port":55915,"dst_port":27520,"l4_proto":"udp","ndpi": {"proto":"Nintendo","breed":"Fun","category":"Game"}}
@@ -83,7 +83,7 @@
00537{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":189,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":17,"flow_packet_id":3,"flow_last_seen":1500731342850,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":118,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":118,"pkt_l4_len":84,"ts_msec":1500731342850,"pkt":"AA6OGXEMfLuKifuECABFAABoEacAAAQRdQzAqAxyuXapQdpra4AAVKPSMquYZAIAAADswQAAiVxWTHQXYLkMmEhv3TFhCo9D90XwqWXbgOlZDx\/Hd+6PDZdQtmr\/jnYvUCnbuXCGD7lHXmsq3069ZX\/zt70P0A=="}
00526{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":190,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":18,"flow_packets_processed":1,"flow_first_seen":1500731342860,"flow_last_seen":1500731342860,"flow_idle_time":120000,"flow_min_l4_payload_len":36,"flow_max_l4_payload_len":36,"flow_tot_l4_payload_len":36,"flow_avg_l4_payload_len":36,"midstream":0,"ts_msec":1500731342860,"l3_proto":"ip4","src_ip":"151.6.184.100","dst_ip":"192.168.12.114","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3}
00468{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":190,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":18,"flow_packet_id":1,"flow_last_seen":1500731342860,"flow_idle_time":120000,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":70,"pkt_l4_len":36,"ts_msec":1500731342860,"pkt":"fLuKifuEAA6OGXEMCABFAAA4AAAAAPwBoj+XBrhkwKgMcgsAWRkAAAAARQAAaBGlAAABEXgOwKgMcrl2qUHaa2uAAFRVpg=="}
-00559{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":190,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":18,"flow_packets_processed":1,"flow_first_seen":1500731342860,"flow_last_seen":1500731342860,"flow_idle_time":120000,"flow_min_l4_payload_len":36,"flow_max_l4_payload_len":36,"flow_tot_l4_payload_len":36,"flow_avg_l4_payload_len":36,"midstream":0,"ts_msec":1500731342860,"l3_proto":"ip4","src_ip":"151.6.184.100","dst_ip":"192.168.12.114","l4_proto":"icmp","ndpi": {"proto":"ICMP","breed":"Acceptable","category":"Network"}}
+00578{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":190,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":18,"flow_packets_processed":1,"flow_first_seen":1500731342860,"flow_last_seen":1500731342860,"flow_idle_time":120000,"flow_min_l4_payload_len":36,"flow_max_l4_payload_len":36,"flow_tot_l4_payload_len":36,"flow_avg_l4_payload_len":36,"midstream":0,"ts_msec":1500731342860,"l3_proto":"ip4","src_ip":"151.6.184.100","dst_ip":"192.168.12.114","l4_proto":"icmp","ndpi": {"proto":"ICMP","breed":"Acceptable","category":"Network"},"entropy":4.249867}
00468{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":191,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":18,"flow_packet_id":2,"flow_last_seen":1500731342860,"flow_idle_time":120000,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":70,"pkt_l4_len":36,"ts_msec":1500731342860,"pkt":"fLuKifuEAA6OGXEMCABFAAA4AAAAAPwBoj+XBrhkwKgMcgsAeQIAAAAARQAAaBGmAAABEXgNwKgMcrl2qUHaa2uAAFQ1vQ=="}
00468{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":192,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":18,"flow_packet_id":3,"flow_last_seen":1500731342860,"flow_idle_time":120000,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":70,"pkt_l4_len":36,"ts_msec":1500731342860,"pkt":"fLuKifuEAA6OGXEMCABFAAA4AAAAAPwBoj+XBrhkwKgMcgsA12MAAAAARQAAaBGnAAABEXgMwKgMcrl2qUHaa2uAAFTXWw=="}
00560{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":199,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":19,"flow_packets_processed":1,"flow_first_seen":1500731343061,"flow_last_seen":1500731343061,"flow_idle_time":180000,"flow_min_l4_payload_len":76,"flow_max_l4_payload_len":76,"flow_tot_l4_payload_len":76,"flow_avg_l4_payload_len":76,"midstream":0,"ts_msec":1500731343061,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"93.237.131.235","src_port":55915,"dst_port":56066,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
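Review bot: The new `"entropy":4.249867` on the ICMP `detected` event for flow 18 puts a six-decimal floating-point value into a golden file, and the next hunk does the same with `"entropy":4.321296` for flow 21. If these results are compared byte-for-byte, the expected output now depends on the entropy calculation and its formatting producing identical digits on every platform and libc the tests run on, which may not hold in the last decimal place. I would either emit the value with a fixed, coarser precision or normalise the `entropy` field before comparing. Since entropy on ICMP payloads is something a consumer is likely to threshold on, it would also help to state in the schema description what range and input bytes the number covers.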
@@ -98,28 +98,28 @@
00535{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":217,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":20,"flow_packet_id":3,"flow_last_seen":1500731343267,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":118,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":118,"pkt_l4_len":84,"ts_msec":1500731343267,"pkt":"AA6OGXEMfLuKifuECABFAABoEbcAAAQR5+zAqAxyUT2eitpryjkAVC1TMquYZAIAAADuYwAAiVxWTHQXYLkMmEhv3TFhCo9D90XwqWXbgOlZDx\/Hd+5Run8isLISlhuFklysgYAwVdq0TTDfSVfOsDm2ryNz2g=="}
00525{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":226,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":21,"flow_packets_processed":1,"flow_first_seen":1500731343274,"flow_last_seen":1500731343274,"flow_idle_time":120000,"flow_min_l4_payload_len":36,"flow_max_l4_payload_len":36,"flow_tot_l4_payload_len":36,"flow_avg_l4_payload_len":36,"midstream":0,"ts_msec":1500731343274,"l3_proto":"ip4","src_ip":"151.6.184.98","dst_ip":"192.168.12.114","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3}
00468{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":226,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":21,"flow_packet_id":1,"flow_last_seen":1500731343274,"flow_idle_time":120000,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":70,"pkt_l4_len":36,"ts_msec":1500731343274,"pkt":"fLuKifuEAA6OGXEMCABFAAA4AAAAAPwBokGXBrhiwKgMcgsAwIMAAAAARQAAaBG1AAABEeruwKgMclE9noraa8o5AFSPgg=="}
-00558{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":226,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":21,"flow_packets_processed":1,"flow_first_seen":1500731343274,"flow_last_seen":1500731343274,"flow_idle_time":120000,"flow_min_l4_payload_len":36,"flow_max_l4_payload_len":36,"flow_tot_l4_payload_len":36,"flow_avg_l4_payload_len":36,"midstream":0,"ts_msec":1500731343274,"l3_proto":"ip4","src_ip":"151.6.184.98","dst_ip":"192.168.12.114","l4_proto":"icmp","ndpi": {"proto":"ICMP","breed":"Acceptable","category":"Network"}}
+00577{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":226,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":21,"flow_packets_processed":1,"flow_first_seen":1500731343274,"flow_last_seen":1500731343274,"flow_idle_time":120000,"flow_min_l4_payload_len":36,"flow_max_l4_payload_len":36,"flow_tot_l4_payload_len":36,"flow_avg_l4_payload_len":36,"midstream":0,"ts_msec":1500731343274,"l3_proto":"ip4","src_ip":"151.6.184.98","dst_ip":"192.168.12.114","l4_proto":"icmp","ndpi": {"proto":"ICMP","breed":"Acceptable","category":"Network"},"entropy":4.321296}
00468{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":227,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":21,"flow_packet_id":2,"flow_last_seen":1500731343274,"flow_idle_time":120000,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":70,"pkt_l4_len":36,"ts_msec":1500731343274,"pkt":"fLuKifuEAA6OGXEMCABFAAA4AAAAAPwBokGXBrhiwKgMcgsAs38AAAAARQAAaBG2AAABEertwKgMclE9noraa8o5AFSchg=="}
00468{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":228,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":21,"flow_packet_id":3,"flow_last_seen":1500731343274,"flow_idle_time":120000,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":70,"pkt_l4_len":36,"ts_msec":1500731343274,"pkt":"fLuKifuEAA6OGXEMCABFAAA4AAAAAPwBokGXBrhiwKgMcgsA7ykAAAAARQAAaBG3AAABEerswKgMclE9noraa8o5AFRg3A=="}
-00591{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":1000,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":11,"flow_packets_processed":10,"flow_first_seen":1500731340831,"flow_last_seen":1500731340889,"flow_idle_time":180000,"flow_min_l4_payload_len":16,"flow_max_l4_payload_len":16,"flow_tot_l4_payload_len":160,"flow_avg_l4_payload_len":16,"midstream":0,"ts_msec":1500731348756,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"35.158.74.61","src_port":55915,"dst_port":10025,"l4_proto":"udp","ndpi": {"proto":"Amazon","breed":"Acceptable","category":"Web"}}
+00596{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":1000,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":11,"flow_packets_processed":10,"flow_first_seen":1500731340831,"flow_last_seen":1500731340889,"flow_idle_time":180000,"flow_min_l4_payload_len":16,"flow_max_l4_payload_len":16,"flow_tot_l4_payload_len":160,"flow_avg_l4_payload_len":16,"midstream":0,"ts_msec":1500731348756,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"35.158.74.61","src_port":55915,"dst_port":10025,"l4_proto":"udp","ndpi": {"proto":"AmazonAWS","breed":"Acceptable","category":"Cloud"}}
00562{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1000,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":11,"flow_packets_processed":10,"flow_first_seen":1500731340831,"flow_last_seen":1500731340889,"flow_idle_time":180000,"flow_min_l4_payload_len":16,"flow_max_l4_payload_len":16,"flow_tot_l4_payload_len":160,"flow_avg_l4_payload_len":16,"midstream":0,"ts_msec":1500731348756,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"35.158.74.61","src_port":55915,"dst_port":10025,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00560{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1000,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":15,"flow_packets_processed":2,"flow_first_seen":1500731341194,"flow_last_seen":1500731341194,"flow_idle_time":180000,"flow_min_l4_payload_len":68,"flow_max_l4_payload_len":239,"flow_tot_l4_payload_len":307,"flow_avg_l4_payload_len":153,"midstream":0,"ts_msec":1500731348756,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"192.168.12.1","src_port":51035,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00558{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1000,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":13,"flow_packets_processed":8,"flow_first_seen":1500731340951,"flow_last_seen":1500731340966,"flow_idle_time":180000,"flow_min_l4_payload_len":50,"flow_max_l4_payload_len":66,"flow_tot_l4_payload_len":432,"flow_avg_l4_payload_len":54,"midstream":0,"ts_msec":1500731348756,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"192.168.12.1","src_port":10184,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
-00588{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":1000,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":9,"flow_packets_processed":2,"flow_first_seen":1500731329336,"flow_last_seen":1500731329520,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1500731348756,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"54.146.242.74","src_port":11534,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"}}
+00593{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":1000,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":9,"flow_packets_processed":2,"flow_first_seen":1500731329336,"flow_last_seen":1500731329520,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1500731348756,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"54.146.242.74","src_port":11534,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"}}
00555{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1000,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":9,"flow_packets_processed":2,"flow_first_seen":1500731329336,"flow_last_seen":1500731329520,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1500731348756,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"54.146.242.74","src_port":11534,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
-00595{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":1000,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":54,"flow_first_seen":1500731322454,"flow_last_seen":1500731343995,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":917,"flow_tot_l4_payload_len":4923,"flow_avg_l4_payload_len":91,"midstream":1,"ts_msec":1500731348756,"l3_proto":"ip4","src_ip":"54.187.10.185","dst_ip":"192.168.12.114","src_port":443,"dst_port":48328,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"}}
+00600{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":1000,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":54,"flow_first_seen":1500731322454,"flow_last_seen":1500731343995,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":917,"flow_tot_l4_payload_len":4923,"flow_avg_l4_payload_len":91,"midstream":1,"ts_msec":1500731348756,"l3_proto":"ip4","src_ip":"54.187.10.185","dst_ip":"192.168.12.114","src_port":443,"dst_port":48328,"l4_proto":"tcp","ndpi": {"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"}}
00562{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1000,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":54,"flow_first_seen":1500731322454,"flow_last_seen":1500731343995,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":917,"flow_tot_l4_payload_len":4923,"flow_avg_l4_payload_len":91,"midstream":1,"ts_msec":1500731348756,"l3_proto":"ip4","src_ip":"54.187.10.185","dst_ip":"192.168.12.114","src_port":443,"dst_port":48328,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00568{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1000,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":20,"flow_packets_processed":160,"flow_first_seen":1500731343266,"flow_last_seen":1500731348756,"flow_idle_time":180000,"flow_min_l4_payload_len":60,"flow_max_l4_payload_len":844,"flow_tot_l4_payload_len":45024,"flow_avg_l4_payload_len":281,"midstream":0,"ts_msec":1500731348756,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"81.61.158.138","src_port":55915,"dst_port":51769,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00559{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1000,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":2,"flow_first_seen":1500731326599,"flow_last_seen":1500731326628,"flow_idle_time":180000,"flow_min_l4_payload_len":68,"flow_max_l4_payload_len":239,"flow_tot_l4_payload_len":307,"flow_avg_l4_payload_len":153,"midstream":0,"ts_msec":1500731348756,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"192.168.12.1","src_port":18874,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
-00589{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":1000,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":10,"flow_packets_processed":5,"flow_first_seen":1500731340826,"flow_last_seen":1500731340827,"flow_idle_time":180000,"flow_min_l4_payload_len":16,"flow_max_l4_payload_len":16,"flow_tot_l4_payload_len":80,"flow_avg_l4_payload_len":16,"midstream":0,"ts_msec":1500731348756,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"35.158.74.61","src_port":55915,"dst_port":33334,"l4_proto":"udp","ndpi": {"proto":"Amazon","breed":"Acceptable","category":"Web"}}
+00594{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":1000,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":10,"flow_packets_processed":5,"flow_first_seen":1500731340826,"flow_last_seen":1500731340827,"flow_idle_time":180000,"flow_min_l4_payload_len":16,"flow_max_l4_payload_len":16,"flow_tot_l4_payload_len":80,"flow_avg_l4_payload_len":16,"midstream":0,"ts_msec":1500731348756,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"35.158.74.61","src_port":55915,"dst_port":33334,"l4_proto":"udp","ndpi": {"proto":"AmazonAWS","breed":"Acceptable","category":"Cloud"}}
00560{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1000,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":10,"flow_packets_processed":5,"flow_first_seen":1500731340826,"flow_last_seen":1500731340827,"flow_idle_time":180000,"flow_min_l4_payload_len":16,"flow_max_l4_payload_len":16,"flow_tot_l4_payload_len":80,"flow_avg_l4_payload_len":16,"midstream":0,"ts_msec":1500731348756,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"35.158.74.61","src_port":55915,"dst_port":33334,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
-00590{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":1000,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":12,"flow_packets_processed":3,"flow_first_seen":1500731340941,"flow_last_seen":1500731340946,"flow_idle_time":180000,"flow_min_l4_payload_len":64,"flow_max_l4_payload_len":64,"flow_tot_l4_payload_len":192,"flow_avg_l4_payload_len":64,"midstream":0,"ts_msec":1500731348756,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"35.158.74.61","src_port":55915,"dst_port":33335,"l4_proto":"udp","ndpi": {"proto":"Amazon","breed":"Acceptable","category":"Web"}}
+00595{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":1000,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":12,"flow_packets_processed":3,"flow_first_seen":1500731340941,"flow_last_seen":1500731340946,"flow_idle_time":180000,"flow_min_l4_payload_len":64,"flow_max_l4_payload_len":64,"flow_tot_l4_payload_len":192,"flow_avg_l4_payload_len":64,"midstream":0,"ts_msec":1500731348756,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"35.158.74.61","src_port":55915,"dst_port":33335,"l4_proto":"udp","ndpi": {"proto":"AmazonAWS","breed":"Acceptable","category":"Cloud"}}
00561{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1000,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":12,"flow_packets_processed":3,"flow_first_seen":1500731340941,"flow_last_seen":1500731340946,"flow_idle_time":180000,"flow_min_l4_payload_len":64,"flow_max_l4_payload_len":64,"flow_tot_l4_payload_len":192,"flow_avg_l4_payload_len":64,"midstream":0,"ts_msec":1500731348756,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"35.158.74.61","src_port":55915,"dst_port":33335,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
-00594{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":1000,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":1,"flow_first_seen":1500731340981,"flow_last_seen":1500731340981,"flow_idle_time":180000,"flow_min_l4_payload_len":256,"flow_max_l4_payload_len":256,"flow_tot_l4_payload_len":256,"flow_avg_l4_payload_len":256,"midstream":0,"ts_msec":1500731348756,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"52.10.205.177","src_port":55915,"dst_port":34343,"l4_proto":"udp","ndpi": {"proto":"Amazon","breed":"Acceptable","category":"Web"}}
+00599{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":1000,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":1,"flow_first_seen":1500731340981,"flow_last_seen":1500731340981,"flow_idle_time":180000,"flow_min_l4_payload_len":256,"flow_max_l4_payload_len":256,"flow_tot_l4_payload_len":256,"flow_avg_l4_payload_len":256,"midstream":0,"ts_msec":1500731348756,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"52.10.205.177","src_port":55915,"dst_port":34343,"l4_proto":"udp","ndpi": {"proto":"AmazonAWS","breed":"Acceptable","category":"Cloud"}}
00565{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1000,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":1,"flow_first_seen":1500731340981,"flow_last_seen":1500731340981,"flow_idle_time":180000,"flow_min_l4_payload_len":256,"flow_max_l4_payload_len":256,"flow_tot_l4_payload_len":256,"flow_avg_l4_payload_len":256,"midstream":0,"ts_msec":1500731348756,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"52.10.205.177","src_port":55915,"dst_port":34343,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00570{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1000,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":19,"flow_packets_processed":157,"flow_first_seen":1500731343061,"flow_last_seen":1500731348745,"flow_idle_time":180000,"flow_min_l4_payload_len":60,"flow_max_l4_payload_len":1212,"flow_tot_l4_payload_len":46764,"flow_avg_l4_payload_len":297,"midstream":0,"ts_msec":1500731348756,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"93.237.131.235","src_port":55915,"dst_port":56066,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00560{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1000,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":3,"flow_first_seen":1500731323269,"flow_last_seen":1500731323270,"flow_idle_time":180000,"flow_min_l4_payload_len":76,"flow_max_l4_payload_len":76,"flow_tot_l4_payload_len":228,"flow_avg_l4_payload_len":76,"midstream":0,"ts_msec":1500731348756,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"35.158.74.61","src_port":52119,"dst_port":33335,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
-00593{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":1000,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":1,"flow_first_seen":1500731326270,"flow_last_seen":1500731326270,"flow_idle_time":180000,"flow_min_l4_payload_len":688,"flow_max_l4_payload_len":688,"flow_tot_l4_payload_len":688,"flow_avg_l4_payload_len":688,"midstream":0,"ts_msec":1500731348756,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"52.10.205.177","src_port":52119,"dst_port":34343,"l4_proto":"udp","ndpi": {"proto":"Amazon","breed":"Acceptable","category":"Web"}}
+00598{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":1000,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":1,"flow_first_seen":1500731326270,"flow_last_seen":1500731326270,"flow_idle_time":180000,"flow_min_l4_payload_len":688,"flow_max_l4_payload_len":688,"flow_tot_l4_payload_len":688,"flow_avg_l4_payload_len":688,"midstream":0,"ts_msec":1500731348756,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"52.10.205.177","src_port":52119,"dst_port":34343,"l4_proto":"udp","ndpi": {"proto":"AmazonAWS","breed":"Acceptable","category":"Cloud"}}
00564{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1000,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":1,"flow_first_seen":1500731326270,"flow_last_seen":1500731326270,"flow_idle_time":180000,"flow_min_l4_payload_len":688,"flow_max_l4_payload_len":688,"flow_tot_l4_payload_len":688,"flow_avg_l4_payload_len":688,"midstream":0,"ts_msec":1500731348756,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"52.10.205.177","src_port":52119,"dst_port":34343,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00563{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":1000,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":21,"flow_first_seen":1500731326644,"flow_last_seen":1500731327201,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1348,"flow_tot_l4_payload_len":6361,"flow_avg_l4_payload_len":302,"midstream":0,"ts_msec":1500731348756,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"54.192.27.217","src_port":41517,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00562{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":1000,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":16,"flow_packets_processed":20,"flow_first_seen":1500731341201,"flow_last_seen":1500731341710,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1348,"flow_tot_l4_payload_len":6363,"flow_avg_l4_payload_len":318,"midstream":0,"ts_msec":1500731348756,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"54.192.27.8","src_port":31329,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -138,9 +138,9 @@
~~ total active/idle flows...: 21/21
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 2001168 bytes
-~~ total memory freed........: 2001168 bytes
-~~ total allocations/frees...: 36407/36407
+~~ total memory allocated....: 4655003 bytes
+~~ total memory freed........: 4655003 bytes
+~~ total allocations/frees...: 100603/100603
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 165 chars
~~ json string max len.......: 1392 chars
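Review bot: For the same capture and the same 21 flows, `total memory allocated` rises from 2001168 to 4655003 bytes and `total allocations/frees` from 36407 to 100603, and nothing visible in this hunk explains the increase. Allocated and freed still match, so these lines do not point to a leak, but the allocation count is almost three times higher for identical input. This daemon parses untrusted traffic, so higher memory and allocator cost for the same input lowers the flow rate at which memory pressure becomes a problem. Please confirm the increase is an expected effect of the libnDPI update and record the cause in the commit description, for example `memory/allocation totals grow because <reason>`.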
diff --git a/test/results/no_sni.pcap.out b/test/results/no_sni.pcap.out
index 0c8edf4eb..807b6494a 100644
--- a/test/results/no_sni.pcap.out
+++ b/test/results/no_sni.pcap.out
@@ -7,14 +7,14 @@
00476{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_last_seen":1604822444486,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"ts_msec":1604822444486,"pkt":"EBMxuRBeeDHBvV4kCABFAABAAABAAEAGFo\/AqAF3aBD5+cmWAbsdU0ZpAAAAALAC\/\/\/IBQAAAgQFtAEDAwYBAQgKKlLxbAAAAAAEAgAA"}
00458{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_last_seen":1604822444624,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1604822444624,"pkt":"eDHBvV4kEBMxuRBeCABFAAA0AABAADkGHZtoEPn5wKgBdwG7yZbnV+zfHVNGaoAS\/\/9HygAAAgQFeAEBBAIBAwMK"}
00441{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":10,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_last_seen":1604822444624,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1604822444624,"pkt":"EBMxuRBeeDHBvV4kCABFAAAoAABAAEAGFqfAqAF3aBD5+cmWAbsdU0Zq51fs4FAQEAB4YwAA"}
-00847{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":11,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":4,"flow_first_seen":1604822444486,"flow_last_seen":1604822444629,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":616,"flow_tot_l4_payload_len":616,"flow_avg_l4_payload_len":154,"midstream":0,"ts_msec":1604822444629,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.16.249.249","src_port":51606,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.DoH_DoT","breed":"Fun","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mozilla.cloudflare-dns.com","ja3":"5dd472f5a4060141b8cfd05eecf10d11","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
-00887{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":15,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":8,"flow_first_seen":1604822444486,"flow_last_seen":1604822444807,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":682,"flow_tot_l4_payload_len":1474,"flow_avg_l4_payload_len":184,"midstream":0,"ts_msec":1604822444807,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.16.249.249","src_port":51606,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.DoH_DoT","breed":"Fun","category":"Network"},"tls": {"version":"TLSv1.3","client_requested_server_name":"mozilla.cloudflare-dns.com","ja3":"5dd472f5a4060141b8cfd05eecf10d11","ja3s":"2b0648ab686ee45e0e7c35fcfb0eea7e","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
+00847{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":11,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":4,"flow_first_seen":1604822444486,"flow_last_seen":1604822444629,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":616,"flow_tot_l4_payload_len":616,"flow_avg_l4_payload_len":154,"midstream":0,"ts_msec":1604822444629,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.16.249.249","src_port":51606,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.DoH_DoT","breed":"Fun","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mozilla.cloudflare-dns.com","ja3":"f14ec85ee5580a29f6523e24e5d3d527","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
+00887{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":15,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":8,"flow_first_seen":1604822444486,"flow_last_seen":1604822444807,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":682,"flow_tot_l4_payload_len":1474,"flow_avg_l4_payload_len":184,"midstream":0,"ts_msec":1604822444807,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.16.249.249","src_port":51606,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.DoH_DoT","breed":"Fun","category":"Network"},"tls": {"version":"TLSv1.3","client_requested_server_name":"mozilla.cloudflare-dns.com","ja3":"f14ec85ee5580a29f6523e24e5d3d527","ja3s":"2b0648ab686ee45e0e7c35fcfb0eea7e","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
00549{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":36,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":1,"flow_first_seen":1604822444913,"flow_last_seen":1604822444913,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1604822444913,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.16.124.96","src_port":51612,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00476{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":36,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_last_seen":1604822444913,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"ts_msec":1604822444913,"pkt":"EBMxuRBeeDHBvV4kCABFAABAAABAAEAGlCjAqAF3aBB8YMmcAbs\/DuN6AAAAALAC\/\/+FPgAAAgQFtAEDAwYBAQgKKlLy+gAAAAAEAgAA"}
00460{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":43,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_last_seen":1604822445034,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1604822445034,"pkt":"eDHBvV4kEBMxuRBeCABFAAA0AABAADkGmzRoEHxgwKgBdwG7yZyEa\/jPPw7je4AS\/\/9djQAAAgQFeAEBBAIBAwMK"}
00442{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":44,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_last_seen":1604822445034,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1604822445034,"pkt":"EBMxuRBeeDHBvV4kCABFAAAoAABAAEAGlEDAqAF3aBB8YMmcAbs\/DuN7hGv40FAQEACOJgAA"}
-00826{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":45,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":4,"flow_first_seen":1604822444913,"flow_last_seen":1604822445039,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":947,"flow_tot_l4_payload_len":947,"flow_avg_l4_payload_len":236,"midstream":0,"ts_msec":1604822445039,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.16.124.96","src_port":51612,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Cloudflare","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","ja3":"398991c398d60bfa0e3f00f8782dafc9","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
-00866{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":47,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":6,"flow_first_seen":1604822444913,"flow_last_seen":1604822445135,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":947,"flow_tot_l4_payload_len":1179,"flow_avg_l4_payload_len":196,"midstream":0,"ts_msec":1604822445135,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.16.124.96","src_port":51612,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Cloudflare","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"","ja3":"398991c398d60bfa0e3f00f8782dafc9","ja3s":"2b0648ab686ee45e0e7c35fcfb0eea7e","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
+00826{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":45,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":4,"flow_first_seen":1604822444913,"flow_last_seen":1604822445039,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":947,"flow_tot_l4_payload_len":947,"flow_avg_l4_payload_len":236,"midstream":0,"ts_msec":1604822445039,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.16.124.96","src_port":51612,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Cloudflare","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","ja3":"76ec527d45e3a2a9093484446d7d3264","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
+00866{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":47,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":6,"flow_first_seen":1604822444913,"flow_last_seen":1604822445135,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":947,"flow_tot_l4_payload_len":1179,"flow_avg_l4_payload_len":196,"midstream":0,"ts_msec":1604822445135,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.16.124.96","src_port":51612,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Cloudflare","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"","ja3":"76ec527d45e3a2a9093484446d7d3264","ja3s":"2b0648ab686ee45e0e7c35fcfb0eea7e","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
00550{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":778,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":1,"flow_first_seen":1604822447227,"flow_last_seen":1604822447227,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1604822447227,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.17.198.37","src_port":51635,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00476{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":778,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":1,"flow_last_seen":1604822447227,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"ts_msec":1604822447227,"pkt":"EBMxuRBeeDHBvV4kCABFAABAAABAAEAGSmLAqAF3aBHGJcmzAbtjbUROAAAAALAC\/\/+t4gAAAgQFtAEDAwYBAQgKKlL7RgAAAAAEAgAA"}
00550{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":789,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":1,"flow_first_seen":1604822447249,"flow_last_seen":1604822447249,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1604822447249,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.17.198.37","src_port":51636,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -27,24 +27,24 @@
00476{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":807,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":1,"flow_last_seen":1604822447287,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"ts_msec":1604822447287,"pkt":"EBMxuRBeeDHBvV4kCABFAABAAABAAEAGx9jAqAF3aBZIqsm3AbsAL2HpAAAAALAC\/\/9wxQAAAgQFtAEDAwYBAQgKKlL7eQAAAAAEAgAA"}
00461{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":809,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_last_seen":1604822447311,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1604822447311,"pkt":"eDHBvV4kEBMxuRBeCABFAAA0AABAADcGU25oEcYlwKgBdwG7ybNKGfaqY21ET4AS\/\/\/K9AAAAgQFeAEBBAIBAwMK"}
00442{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":810,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_last_seen":1604822447311,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1604822447311,"pkt":"EBMxuRBeeDHBvV4kCABFAAAoAABAAEAGSnrAqAF3aBHGJcmzAbtjbURPShn2q1AQEAD7jQAA"}
-00888{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":819,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":4,"flow_first_seen":1604822447227,"flow_last_seen":1604822447321,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1604822447321,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.17.198.37","src_port":51635,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Cloudflare","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"951c558a-5e07-47ca-a0c0-225da1b33163.is-cf.help.every1dns.net","ja3":"1fd36067223570569bbf156fece40978","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
+00888{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":819,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":4,"flow_first_seen":1604822447227,"flow_last_seen":1604822447321,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1604822447321,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.17.198.37","src_port":51635,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Cloudflare","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"951c558a-5e07-47ca-a0c0-225da1b33163.is-cf.help.every1dns.net","ja3":"aa7744226c695c0b2e440419848cf700","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
00460{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":820,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":2,"flow_last_seen":1604822447325,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1604822447325,"pkt":"eDHBvV4kEBMxuRBeCABFAAA0AABAADcGU25oEcYlwKgBdwG7ybQgqbhsGMRIBoAS\/\/95lAAAAgQFeAEBBAIBAwMK"}
00442{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":821,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":3,"flow_last_seen":1604822447325,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1604822447325,"pkt":"EBMxuRBeeDHBvV4kCABFAAAoAABAAEAGSnrAqAF3aBHGJcm0AbsYxEgGIKm4bVAQEACqLQAA"}
-00889{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":822,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":4,"flow_first_seen":1604822447249,"flow_last_seen":1604822447330,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1604822447330,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.17.198.37","src_port":51636,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Cloudflare","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"951c558a-5e07-47ca-a0c0-225da1b33163.is-doh.help.every1dns.net","ja3":"1fd36067223570569bbf156fece40978","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
+00889{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":822,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":4,"flow_first_seen":1604822447249,"flow_last_seen":1604822447330,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1604822447330,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.17.198.37","src_port":51636,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Cloudflare","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"951c558a-5e07-47ca-a0c0-225da1b33163.is-doh.help.every1dns.net","ja3":"aa7744226c695c0b2e440419848cf700","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
00460{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":823,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":2,"flow_last_seen":1604822447368,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1604822447368,"pkt":"eDHBvV4kEBMxuRBeCABFAAA0AABAADQG0+RoFkiqwKgBdwG7ybVDiAdt8KRa8oAS\/\/+aXQAAAgQFeAEBBAIBAwMK"}
00443{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":824,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":3,"flow_last_seen":1604822447369,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1604822447369,"pkt":"EBMxuRBeeDHBvV4kCABFAAAoAABAAEAGx\/DAqAF3aBZIqsm1AbvwpFryQ4gHblAQEADK9gAA"}
00460{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":825,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":2,"flow_last_seen":1604822447370,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1604822447370,"pkt":"eDHBvV4kEBMxuRBeCABFAAA0AABAADQG0+RoFkiqwKgBdwG7ybbraGnySz6LGIAS\/\/8FNwAAAgQFeAEBBAIBAwMK"}
00443{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":826,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":3,"flow_last_seen":1604822447370,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1604822447370,"pkt":"EBMxuRBeeDHBvV4kCABFAAAoAABAAEAGx\/DAqAF3aBZIqsm2AbtLPosY62hp81AQEAA10AAA"}
00461{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":827,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":2,"flow_last_seen":1604822447373,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1604822447373,"pkt":"eDHBvV4kEBMxuRBeCABFAAA0AABAADQG0+RoFkiqwKgBdwG7ybcBQwC0AC9h6oAS\/\/\/M1wAAAgQFeAEBBAIBAwMK"}
00443{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":828,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":3,"flow_last_seen":1604822447373,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1604822447373,"pkt":"EBMxuRBeeDHBvV4kCABFAAAoAABAAEAGx\/DAqAF3aBZIqsm3AbsAL2HqAUMAtVAQEAD9cAAA"}
-00827{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":829,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":4,"flow_first_seen":1604822447287,"flow_last_seen":1604822447374,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":712,"flow_tot_l4_payload_len":712,"flow_avg_l4_payload_len":178,"midstream":0,"ts_msec":1604822447374,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.22.72.170","src_port":51637,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Cloudflare","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","ja3":"16fcce72c01e54fab4ddabce048c0f5b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
-00827{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":840,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":4,"flow_first_seen":1604822447287,"flow_last_seen":1604822447380,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":712,"flow_tot_l4_payload_len":712,"flow_avg_l4_payload_len":178,"midstream":0,"ts_msec":1604822447380,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.22.72.170","src_port":51639,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Cloudflare","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","ja3":"16fcce72c01e54fab4ddabce048c0f5b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
-00827{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":841,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":4,"flow_first_seen":1604822447287,"flow_last_seen":1604822447386,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":712,"flow_tot_l4_payload_len":712,"flow_avg_l4_payload_len":178,"midstream":0,"ts_msec":1604822447386,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.22.72.170","src_port":51638,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Cloudflare","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","ja3":"16fcce72c01e54fab4ddabce048c0f5b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
-00929{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":843,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":6,"flow_first_seen":1604822447227,"flow_last_seen":1604822447412,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":1977,"flow_avg_l4_payload_len":329,"midstream":0,"ts_msec":1604822447412,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.17.198.37","src_port":51635,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Cloudflare","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"951c558a-5e07-47ca-a0c0-225da1b33163.is-cf.help.every1dns.net","ja3":"1fd36067223570569bbf156fece40978","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
-00930{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":882,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":6,"flow_first_seen":1604822447249,"flow_last_seen":1604822447447,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":1977,"flow_avg_l4_payload_len":329,"midstream":0,"ts_msec":1604822447447,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.17.198.37","src_port":51636,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Cloudflare","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"951c558a-5e07-47ca-a0c0-225da1b33163.is-doh.help.every1dns.net","ja3":"1fd36067223570569bbf156fece40978","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
-00868{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":944,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":6,"flow_first_seen":1604822447287,"flow_last_seen":1604822447500,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":2172,"flow_avg_l4_payload_len":362,"midstream":0,"ts_msec":1604822447500,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.22.72.170","src_port":51637,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Cloudflare","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"","ja3":"16fcce72c01e54fab4ddabce048c0f5b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
-00868{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":948,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":6,"flow_first_seen":1604822447287,"flow_last_seen":1604822447506,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":2172,"flow_avg_l4_payload_len":362,"midstream":0,"ts_msec":1604822447506,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.22.72.170","src_port":51639,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Cloudflare","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"","ja3":"16fcce72c01e54fab4ddabce048c0f5b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
-00868{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":952,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":6,"flow_first_seen":1604822447287,"flow_last_seen":1604822447515,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":2172,"flow_avg_l4_payload_len":362,"midstream":0,"ts_msec":1604822447515,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.22.72.170","src_port":51638,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Cloudflare","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"","ja3":"16fcce72c01e54fab4ddabce048c0f5b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
+00827{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":829,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":4,"flow_first_seen":1604822447287,"flow_last_seen":1604822447374,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":712,"flow_tot_l4_payload_len":712,"flow_avg_l4_payload_len":178,"midstream":0,"ts_msec":1604822447374,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.22.72.170","src_port":51637,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Cloudflare","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","ja3":"62a4a00de930bd0a5bee0309cc8362ed","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
+00827{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":840,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":4,"flow_first_seen":1604822447287,"flow_last_seen":1604822447380,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":712,"flow_tot_l4_payload_len":712,"flow_avg_l4_payload_len":178,"midstream":0,"ts_msec":1604822447380,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.22.72.170","src_port":51639,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Cloudflare","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","ja3":"62a4a00de930bd0a5bee0309cc8362ed","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
+00827{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":841,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":4,"flow_first_seen":1604822447287,"flow_last_seen":1604822447386,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":712,"flow_tot_l4_payload_len":712,"flow_avg_l4_payload_len":178,"midstream":0,"ts_msec":1604822447386,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.22.72.170","src_port":51638,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Cloudflare","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","ja3":"62a4a00de930bd0a5bee0309cc8362ed","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
+00929{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":843,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":6,"flow_first_seen":1604822447227,"flow_last_seen":1604822447412,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":1977,"flow_avg_l4_payload_len":329,"midstream":0,"ts_msec":1604822447412,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.17.198.37","src_port":51635,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Cloudflare","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"951c558a-5e07-47ca-a0c0-225da1b33163.is-cf.help.every1dns.net","ja3":"aa7744226c695c0b2e440419848cf700","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
+00930{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":882,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":6,"flow_first_seen":1604822447249,"flow_last_seen":1604822447447,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":1977,"flow_avg_l4_payload_len":329,"midstream":0,"ts_msec":1604822447447,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.17.198.37","src_port":51636,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Cloudflare","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"951c558a-5e07-47ca-a0c0-225da1b33163.is-doh.help.every1dns.net","ja3":"aa7744226c695c0b2e440419848cf700","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
+00868{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":944,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":6,"flow_first_seen":1604822447287,"flow_last_seen":1604822447500,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":2172,"flow_avg_l4_payload_len":362,"midstream":0,"ts_msec":1604822447500,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.22.72.170","src_port":51637,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Cloudflare","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"","ja3":"62a4a00de930bd0a5bee0309cc8362ed","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
+00868{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":948,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":6,"flow_first_seen":1604822447287,"flow_last_seen":1604822447506,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":2172,"flow_avg_l4_payload_len":362,"midstream":0,"ts_msec":1604822447506,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.22.72.170","src_port":51639,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Cloudflare","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"","ja3":"62a4a00de930bd0a5bee0309cc8362ed","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
+00868{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":952,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":6,"flow_first_seen":1604822447287,"flow_last_seen":1604822447515,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":2172,"flow_avg_l4_payload_len":362,"midstream":0,"ts_msec":1604822447515,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.22.72.170","src_port":51638,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Cloudflare","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"","ja3":"62a4a00de930bd0a5bee0309cc8362ed","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
00561{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1185,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":35,"flow_first_seen":1604822447287,"flow_last_seen":1604822447869,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":7366,"flow_avg_l4_payload_len":210,"midstream":0,"ts_msec":1604822448604,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.22.72.170","src_port":51637,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00560{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":1185,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":22,"flow_first_seen":1604822447287,"flow_last_seen":1604822447844,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":4320,"flow_avg_l4_payload_len":196,"midstream":0,"ts_msec":1604822448604,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.22.72.170","src_port":51638,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00560{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":1185,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":22,"flow_first_seen":1604822447287,"flow_last_seen":1604822447839,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":4320,"flow_avg_l4_payload_len":196,"midstream":0,"ts_msec":1604822448604,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.22.72.170","src_port":51639,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -63,9 +63,9 @@
~~ total active/idle flows...: 8/8
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 2005769 bytes
-~~ total memory freed........: 2005769 bytes
-~~ total allocations/frees...: 36575/36575
+~~ total memory allocated....: 4665116 bytes
+~~ total memory freed........: 4665116 bytes
+~~ total allocations/frees...: 100771/100771
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 162 chars
~~ json string max len.......: 935 chars
diff --git a/test/results/ocs.pcap.out b/test/results/ocs.pcap.out
index 88559a210..f7d05b228 100644
--- a/test/results/ocs.pcap.out
+++ b/test/results/ocs.pcap.out
@@ -1900,9 +1900,9 @@
~~ total active/idle flows...: 0/0
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1926508 bytes
-~~ total memory freed........: 1926508 bytes
-~~ total allocations/frees...: 35335/35335
+~~ total memory allocated....: 4589247 bytes
+~~ total memory freed........: 4589247 bytes
+~~ total allocations/frees...: 99531/99531
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 146 chars
~~ json string max len.......: 2227 chars
diff --git a/test/results/ocsp.pcapng.out b/test/results/ocsp.pcapng.out
new file mode 100644
index 000000000..767c1e2eb
--- /dev/null
+++ b/test/results/ocsp.pcapng.out
@@ -0,0 +1,77 @@
+00440{"daemon_event_id":1,"daemon_event_name":"init","thread_id":0,"packet_id":0,"source":"ocsp.pcapng","alias":"nDPId-test","max-flows-per-thread":2048,"max-idle-flows-per-thread":256,"tick-resolution":1000,"reader-thread-count":1,"flow-scan-interval":10000,"generic-max-idle-time":600000,"icmp-max-idle-time":120000,"udp-max-idle-time":180000,"tcp-max-idle-time":7560000,"max-packets-per-flow-to-send":3,"max-packets-per-flow-to-process":255}
+00548{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1623221248283,"flow_last_seen":1623221248283,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1623221248283,"l3_proto":"ip4","src_ip":"192.168.1.227","dst_ip":"109.70.240.130","src_port":49813,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
+00530{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_last_seen":1623221248283,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":118,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":118,"pkt_l4_len":32,"ts_msec":1623221248283,"pkt":"pJGxgjQ56CrqthSFCABFAAA07YhAAIAG7ObAqAHjbUbwgsKVAFBAnkIeAAAAAIAC+vAOKQAAAgQFtAEDAwgBAQQCGYERCQAgACABAAABAAAACAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARhcrEQ=="}
+00522{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_last_seen":1623221248292,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":114,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":114,"pkt_l4_len":28,"ts_msec":1623221248292,"pkt":"6CrqthSFpJGxgjQ5CABFAAAwAABAADUGJXRtRvCCwKgB4wBQwpWhnw3QQJ5CH3ASOQg1lwAAAgQFtAEDAwkZgREJACAAIAEAAAEAAAAIAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAx3fu3"}
+00522{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_last_seen":1623221248311,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":112,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":112,"pkt_l4_len":20,"ts_msec":1623221248311,"pkt":"pJGxgjQ56CrqthSFCABFAAAo7YlAAIAG7PHAqAHjbUbwgsKVAFBAnkIfoZ8N0VAQAgGYawAAAAAAAAAAGYERCQAgACABAAABAAAACAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAjLK1pA=="}
+00850{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":1,"flow_packets_processed":4,"flow_first_seen":1623221248283,"flow_last_seen":1623221248318,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":385,"flow_tot_l4_payload_len":385,"flow_avg_l4_payload_len":96,"midstream":0,"ts_msec":1623221248318,"l3_proto":"ip4","src_ip":"192.168.1.227","dst_ip":"109.70.240.130","src_port":49813,"dst_port":80,"l4_proto":"tcp","ndpi": {"proto":"HTTP","breed":"Acceptable","category":"Web"},"http": {"hostname":"ocsp07.actalis.it","url":"ocsp07.actalis.it\/VA\/AUTH-ROOT\/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSw4x5v4bTlizjNRmTdkYSy7q0R9gQUUtiIOsifeGbtifN7OHCUyQICNtACEEWXMtjzGMt1k6L0aA%2BQ6tk%3D","code":0,"content_type":"","user_agent":"Microsoft-CryptoAPI\/10.0"}}
+00558{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":24,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":1,"flow_packets_processed":23,"flow_first_seen":1623221248283,"flow_last_seen":1623221313421,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":8359,"flow_avg_l4_payload_len":363,"midstream":0,"ts_msec":1623222699655,"l3_proto":"ip4","src_ip":"192.168.1.227","dst_ip":"109.70.240.130","src_port":49813,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
+00549{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":24,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":2,"flow_packets_processed":1,"flow_first_seen":1623222699655,"flow_last_seen":1623222699655,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1623222699655,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"142.250.184.99","src_port":54154,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
+00540{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":24,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_last_seen":1623222699655,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":126,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":126,"pkt_l4_len":40,"ts_msec":1623222699655,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAA8N6FAAEAG+ZTAqAGAjvq4Y9OKAFA7VkTpAAAAAKAC+vDDlAAAAgQFtAQCCAqSLZmsAAAAAAEDAwcZgREJACAAIAEAAAEAAAAIAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAADx0lW5"}
+00542{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":25,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_last_seen":1623222699659,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":126,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":126,"pkt_l4_len":40,"ts_msec":1623222699659,"pkt":"PKn0qB\/spJGxgjQ5CABFgAA8l3UAADkG4ECO+rhjwKgBgABQ04qgD55GO1ZE6qAS\/\/9O2gAAAgQFlgQCCAovwgGfki2ZrAEDAwgZgREJACAAIAEAAAEAAAAIAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAACT46ug"}
+00532{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":26,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_last_seen":1623222699662,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":118,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":118,"pkt_l4_len":32,"ts_msec":1623222699662,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAA0N6JAAEAG+ZvAqAGAjvq4Y9OKAFA7VkTqoA+eR4AQAfZ7iwAAAQEICpItmbQvwgGfGYERCQAgACABAAABAAAACAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAqAZWVw=="}
+00779{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":27,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":2,"flow_packets_processed":4,"flow_first_seen":1623222699655,"flow_last_seen":1623222699662,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":394,"flow_tot_l4_payload_len":394,"flow_avg_l4_payload_len":98,"midstream":0,"ts_msec":1623222699662,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"142.250.184.99","src_port":54154,"dst_port":80,"l4_proto":"tcp","ndpi": {"proto":"HTTP.OCSP","breed":"Safe","category":"Network"},"http": {"hostname":"ocsp.pki.goog","url":"ocsp.pki.goog\/gts1o1core","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko\/20100101 Firefox\/89.0"}}
+00548{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":49,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":3,"flow_packets_processed":1,"flow_first_seen":1623222785863,"flow_last_seen":1623222785863,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1623222785863,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"92.122.95.235","src_port":43728,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
+00540{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":49,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_last_seen":1623222785863,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":126,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":126,"pkt_l4_len":40,"ts_msec":1623222785863,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAA8JGFAAEAGl83AqAGAXHpf66rQAFDHRQtaAAAAAKAC+vAjygAAAgQFtAQCCAq0VnigAAAAAAEDAwcZgREJACAAIAEAAAEAAAAIAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB2OTsI"}
+00541{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":50,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_last_seen":1623222785875,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":126,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":126,"pkt_l4_len":40,"ts_msec":1623222785875,"pkt":"PKn0qB\/spJGxgjQ5CABFAAA8AABAADgGxC5cel\/rwKgBgABQqtACFmIrx0ULW6AScSDxGwAAAgQFtAQCCAqrs6x4tFZ4oAEDAwcZgREJACAAIAEAAAEAAAAIAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB8kYB7"}
+00532{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":51,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_last_seen":1623222785879,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":118,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":118,"pkt_l4_len":32,"ts_msec":1623222785879,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAA0JGJAAEAGl9TAqAGAXHpf66rQAFDHRQtbAhZiLIAQAfaPAgAAAQEICrRWeLCrs6x4GYERCQAgACABAAABAAAACAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAcxJlyw=="}
+00770{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":52,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":3,"flow_packets_processed":4,"flow_first_seen":1623222785863,"flow_last_seen":1623222785879,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":386,"flow_tot_l4_payload_len":386,"flow_avg_l4_payload_len":96,"midstream":0,"ts_msec":1623222785879,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"92.122.95.235","src_port":43728,"dst_port":80,"l4_proto":"tcp","ndpi": {"proto":"HTTP.OCSP","breed":"Safe","category":"Network"},"http": {"hostname":"r3.o.lencr.org","url":"r3.o.lencr.org\/","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko\/20100101 Firefox\/89.0"}}
+00556{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":110,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":3,"flow_packets_processed":36,"flow_first_seen":1623222785863,"flow_last_seen":1623222909833,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":889,"flow_tot_l4_payload_len":2550,"flow_avg_l4_payload_len":70,"midstream":0,"ts_msec":1623223090984,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"92.122.95.235","src_port":43728,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
+00557{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":110,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":2,"flow_packets_processed":50,"flow_first_seen":1623222699655,"flow_last_seen":1623222892672,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":702,"flow_tot_l4_payload_len":2192,"flow_avg_l4_payload_len":43,"midstream":0,"ts_msec":1623223090984,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"142.250.184.99","src_port":54154,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
+00550{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":110,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":4,"flow_packets_processed":1,"flow_first_seen":1623223090984,"flow_last_seen":1623223090984,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1623223090984,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"151.139.128.14","src_port":34320,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
+00541{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":110,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":4,"flow_packet_id":1,"flow_last_seen":1623223090984,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":126,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":126,"pkt_l4_len":40,"ts_msec":1623223090984,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAA8WOFAAEAGCBnAqAGAl4uADoYQAFC9BO7MAAAAAKAC+vBq5AAAAgQFtAQCCArLCQstAAAAAAEDAwcZgREJACAAIAEAAAEAAAAIAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAABk1G4o"}
+00543{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":111,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_last_seen":1623223091009,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":126,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":126,"pkt_l4_len":40,"ts_msec":1623223091009,"pkt":"PKn0qB\/spJGxgjQ5CABFAAA8AABAADAGcPqXi4AOwKgBgABQhhCFN\/R2vQTuzaAS\/ohuswAAAgQFtAQCCAoBgn1XywkLLQEDAwcZgREJACAAIAEAAAEAAAAIAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAADKwfqN"}
+00533{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":112,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_last_seen":1623223091014,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":118,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":118,"pkt_l4_len":32,"ts_msec":1623223091014,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAA0WOJAAEAGCCDAqAGAl4uADoYQAFC9BO7NhTf0d4AQAfaZ9AAAAQEICssJC0sBgn1XGYERCQAgACABAAABAAAACAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAZwg24A=="}
+00788{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":113,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":4,"flow_packets_processed":4,"flow_first_seen":1623223090984,"flow_last_seen":1623223091014,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":393,"flow_tot_l4_payload_len":393,"flow_avg_l4_payload_len":98,"midstream":0,"ts_msec":1623223091014,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"151.139.128.14","src_port":34320,"dst_port":80,"l4_proto":"tcp","ndpi": {"proto":"HTTP.OCSP","breed":"Safe","category":"Network"},"http": {"hostname":"geant.ocsp.sectigo.com","url":"geant.ocsp.sectigo.com\/","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko\/20100101 Firefox\/89.0"}}
+00550{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":119,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":5,"flow_packets_processed":1,"flow_first_seen":1623223091709,"flow_last_seen":1623223091709,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1623223091709,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"151.139.128.14","src_port":34340,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
+00541{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":119,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_last_seen":1623223091709,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":126,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":126,"pkt_l4_len":40,"ts_msec":1623223091709,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAA8XL5AAEAGBDzAqAGAl4uADoYkAFDUes8oAAAAAKAC+vBwKQAAAgQFtAQCCArLCQ4CAAAAAAEDAwcZgREJACAAIAEAAAEAAAAIAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAACb3tkC"}
+00543{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":120,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":5,"flow_packet_id":2,"flow_last_seen":1623223091736,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":126,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":126,"pkt_l4_len":40,"ts_msec":1623223091736,"pkt":"PKn0qB\/spJGxgjQ5CABFAAA8AABAAC8GcfqXi4AOwKgBgABQhiREDjpk1HrPKaAS\/\/+ohwAAAgQFtAQCCAp7mshzywkOAgEDAwgZgREJACAAIAEAAAEAAAAIAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAvlhtb"}
+00533{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":121,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":5,"flow_packet_id":3,"flow_last_seen":1623223091739,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":118,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":118,"pkt_l4_len":32,"ts_msec":1623223091739,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAA0XL9AAEAGBEPAqAGAl4uADoYkAFDUes8pRA46ZYAQAfbVQAAAAQEICssJDiB7mshzGYERCQAgACABAAABAAAACAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAApa33FQ=="}
+00780{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":122,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":5,"flow_packets_processed":4,"flow_first_seen":1623223091709,"flow_last_seen":1623223091739,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":389,"flow_tot_l4_payload_len":389,"flow_avg_l4_payload_len":97,"midstream":0,"ts_msec":1623223091739,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"151.139.128.14","src_port":34340,"dst_port":80,"l4_proto":"tcp","ndpi": {"proto":"HTTP.OCSP","breed":"Safe","category":"Network"},"http": {"hostname":"ocsp.usertrust.com","url":"ocsp.usertrust.com\/","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko\/20100101 Firefox\/89.0"}}
+00557{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":158,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":4,"flow_packets_processed":24,"flow_first_seen":1623223090984,"flow_last_seen":1623223156084,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":728,"flow_tot_l4_payload_len":1592,"flow_avg_l4_payload_len":66,"midstream":0,"ts_msec":1623226796047,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"151.139.128.14","src_port":34320,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
+00557{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":158,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":5,"flow_packets_processed":24,"flow_first_seen":1623223091709,"flow_last_seen":1623223156800,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":472,"flow_tot_l4_payload_len":1306,"flow_avg_l4_payload_len":54,"midstream":0,"ts_msec":1623226796047,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"151.139.128.14","src_port":34340,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
+00549{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":158,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":6,"flow_packets_processed":1,"flow_first_seen":1623226796047,"flow_last_seen":1623226796047,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1623226796047,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"93.184.220.29","src_port":47904,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
+00541{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":158,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":6,"flow_packet_id":1,"flow_last_seen":1623226796047,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":126,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":126,"pkt_l4_len":40,"ts_msec":1623226796047,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAA8IiFAAEAGHJ3AqAGAXbjcHbsgAFDKwHZTAAAAAKAC+vANzwAAAgQFtAQCCArJnn0eAAAAAAEDAwcZgREJACAAIAEAAAEAAAAIAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC2uJMq"}
+00543{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":159,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":6,"flow_packet_id":2,"flow_last_seen":1623226796050,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":126,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":126,"pkt_l4_len":40,"ts_msec":1623226796050,"pkt":"PKn0qB\/spJGxgjQ5CABFAAA8OIIAADgGTjxduNwdwKgBgABQuyB0cdYZysB2VKAS\/\/931wAAAgQFtAQCCAqXTK79yZ59HgEDAwkZgREJACAAIAEAAAEAAAAIAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAApvHVR"}
+00533{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":160,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":6,"flow_packet_id":3,"flow_last_seen":1623226796054,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":118,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":118,"pkt_l4_len":32,"ts_msec":1623226796054,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAA0IiJAAEAGHKTAqAGAXbjcHbsgAFDKwHZUdHHWGoAQAfakpwAAAQEICsmefSaXTK79GYERCQAgACABAAABAAAACAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA5srZww=="}
+00777{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":161,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":6,"flow_packets_processed":4,"flow_first_seen":1623226796047,"flow_last_seen":1623226796057,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":387,"flow_tot_l4_payload_len":387,"flow_avg_l4_payload_len":96,"midstream":0,"ts_msec":1623226796057,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"93.184.220.29","src_port":47904,"dst_port":80,"l4_proto":"tcp","ndpi": {"proto":"HTTP.OCSP","breed":"Safe","category":"Network"},"http": {"hostname":"ocsp.digicert.com","url":"ocsp.digicert.com\/","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko\/20100101 Firefox\/89.0"}}
+00556{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":208,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":6,"flow_packets_processed":50,"flow_first_seen":1623226796047,"flow_last_seen":1623226963037,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":799,"flow_tot_l4_payload_len":3558,"flow_avg_l4_payload_len":71,"midstream":0,"ts_msec":1623227471703,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"93.184.220.29","src_port":47904,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
+00547{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":208,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":7,"flow_packets_processed":1,"flow_first_seen":1623227471703,"flow_last_seen":1623227471703,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1623227471703,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"52.85.15.92","src_port":49382,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
+00541{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":208,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":7,"flow_packet_id":1,"flow_last_seen":1623227471703,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":126,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":126,"pkt_l4_len":40,"ts_msec":1623227471703,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAA8CDlAAEAGLKrAqAGANFUPXMDmAFDpM3mLAAAAAKAC+vAljwAAAgQFtAQCCArD2jnWAAAAAAEDAwcZgREJACAAIAEAAAEAAAAIAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAU0JsT"}
+00544{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":209,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":7,"flow_packet_id":2,"flow_last_seen":1623227471715,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":126,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":126,"pkt_l4_len":40,"ts_msec":1623227471715,"pkt":"PKn0qB\/spJGxgjQ5CABFAAA8PJoAAPMGhUg0VQ9cwKgBgABQwOYt\/4+26TN5jKAS\/\/9VQwAAAgQFoAQCCAoCPQtLw9o51gEDAwkZgREJACAAIAEAAAEAAAAIAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAABrMGLg"}
+00533{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":210,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":7,"flow_packet_id":3,"flow_last_seen":1623227471719,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":118,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":118,"pkt_l4_len":32,"ts_msec":1623227471719,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAA0CDpAAEAGLLHAqAGANFUPXMDmAFDpM3mMLf+Pt4AQAfaB9gAAAQEICsPaOecCPQtLGYERCQAgACABAAABAAAACAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYY2fOA=="}
+00793{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":211,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":7,"flow_packets_processed":4,"flow_first_seen":1623227471703,"flow_last_seen":1623227471719,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":396,"flow_tot_l4_payload_len":396,"flow_avg_l4_payload_len":99,"midstream":0,"ts_msec":1623227471719,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"52.85.15.92","src_port":49382,"dst_port":80,"l4_proto":"tcp","ndpi": {"proto":"HTTP.OCSP","breed":"Safe","category":"Network"},"http": {"hostname":"ocsp.sca1b.amazontrust.com","url":"ocsp.sca1b.amazontrust.com\/","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko\/20100101 Firefox\/89.0"}}
+00549{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":215,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":8,"flow_packets_processed":1,"flow_first_seen":1623227472211,"flow_last_seen":1623227472211,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1623227472211,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"151.101.2.133","src_port":59922,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
+00541{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":215,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":8,"flow_packet_id":1,"flow_last_seen":1623227472211,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":126,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":126,"pkt_l4_len":40,"ts_msec":1623227472211,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAA8cDxAAEAGbm3AqAGAl2UCheoSAFClxR9VAAAAAKAC+vA6IAAAAgQFtAQCCApcSasVAAAAAAEDAwcZgREJACAAIAEAAAEAAAAIAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAbRut"}
+00543{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":216,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":8,"flow_packet_id":2,"flow_last_seen":1623227472214,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":126,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":126,"pkt_l4_len":40,"ts_msec":1623227472214,"pkt":"PKn0qB\/spJGxgjQ5CABFAAA8AABAADYG6KmXZQKFwKgBgABQ6hJzFOMDpcUfVqAS\/\/9zqQAAAgQFTAQCCAoCSmlaXEmrFQEDAwkZgREJACAAIAEAAAEAAAAIAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAkey68"}
+00533{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":217,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":8,"flow_packet_id":3,"flow_last_seen":1623227472218,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":118,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":118,"pkt_l4_len":32,"ts_msec":1623227472218,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAA0cD1AAEAGbnTAqAGAl2UCheoSAFClxR9WcxTjBIAQAfagEQAAAQEIClxJqx0CSmlaGYERCQAgACABAAABAAAACAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAyyO91A=="}
+00798{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":218,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":8,"flow_packets_processed":4,"flow_first_seen":1623227472211,"flow_last_seen":1623227472219,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":401,"flow_tot_l4_payload_len":401,"flow_avg_l4_payload_len":100,"midstream":0,"ts_msec":1623227472219,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"151.101.2.133","src_port":59922,"dst_port":80,"l4_proto":"tcp","ndpi": {"proto":"HTTP.OCSP","breed":"Safe","category":"Network"},"http": {"hostname":"ocsp.globalsign.com","url":"ocsp.globalsign.com\/gsrsaovsslca2018","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko\/20100101 Firefox\/89.0"}}
+00557{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":275,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":8,"flow_packets_processed":35,"flow_first_seen":1623227472211,"flow_last_seen":1623227587356,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1344,"flow_tot_l4_payload_len":2399,"flow_avg_l4_payload_len":68,"midstream":0,"ts_msec":1623229632695,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"151.101.2.133","src_port":59922,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
+00555{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":275,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":7,"flow_packets_processed":32,"flow_first_seen":1623227471703,"flow_last_seen":1623227587366,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1006,"flow_tot_l4_payload_len":1402,"flow_avg_l4_payload_len":43,"midstream":0,"ts_msec":1623229632695,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"52.85.15.92","src_port":49382,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
+00550{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":275,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":9,"flow_packets_processed":1,"flow_first_seen":1623229632695,"flow_last_seen":1623229632695,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1623229632695,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"109.70.240.114","src_port":45514,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
+00541{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":275,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":9,"flow_packet_id":1,"flow_last_seen":1623229632695,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":126,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":126,"pkt_l4_len":40,"ts_msec":1623229632695,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAA82G5AAEAGQmzAqAGAbUbwcrHKAFDtwUNWAAAAAKAC+vAcMQAAAgQFtAQCCAoRKRyhAAAAAAEDAwcZgREJACAAIAEAAAEAAAAIAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAADZRLNb"}
+00541{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":276,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":9,"flow_packet_id":2,"flow_last_seen":1623229632706,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":126,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":126,"pkt_l4_len":40,"ts_msec":1623229632706,"pkt":"PKn0qB\/spJGxgjQ5CABFAAA8AABAADUGJdttRvBywKgBgABQscrfcozQ7cFDV6AScSAwDQAAAgQFtAQCCAq9uUvmESkcoQEDAwcZgREJACAAIAEAAAEAAAAIAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAADSBFoQ"}
+00533{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":277,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":9,"flow_packet_id":3,"flow_last_seen":1623229632711,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":118,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":118,"pkt_l4_len":32,"ts_msec":1623229632711,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAA02G9AAEAGQnPAqAGAbUbwcrHKAFDtwUNX33KM0YAQAfbN9AAAAQEIChEpHLC9uUvmGYERCQAgACABAAABAAAACAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0EjACA=="}
+00791{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":278,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":9,"flow_packets_processed":4,"flow_first_seen":1623229632695,"flow_last_seen":1623229632711,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":399,"flow_tot_l4_payload_len":399,"flow_avg_l4_payload_len":99,"midstream":0,"ts_msec":1623229632711,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"109.70.240.114","src_port":45514,"dst_port":80,"l4_proto":"tcp","ndpi": {"proto":"HTTP.OCSP","breed":"Safe","category":"Network"},"http": {"hostname":"ocsp09.actalis.it","url":"ocsp09.actalis.it\/VA\/AUTHOV-G3","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko\/20100101 Firefox\/89.0"}}
+00559{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":299,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":9,"flow_packets_processed":24,"flow_first_seen":1623229632695,"flow_last_seen":1623229697742,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":2724,"flow_avg_l4_payload_len":113,"midstream":0,"ts_msec":1623229850956,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"109.70.240.114","src_port":45514,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
+00549{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":299,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":10,"flow_packets_processed":1,"flow_first_seen":1623229850956,"flow_last_seen":1623229850956,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1623229850956,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"23.12.96.145","src_port":49034,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
+00542{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":299,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":10,"flow_packet_id":1,"flow_last_seen":1623229850956,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":126,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":126,"pkt_l4_len":40,"ts_msec":1623229850956,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAA8+shAAEAGBi7AqAGAFwxgkb+KAFDAJRPhAAAAAKAC+vCvFgAAAgQFtAQCCAqOHkIzAAAAAAEDAwcZgREJACAAIAEAAAEAAAAIAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAACxCLhj"}
+00543{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":300,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":10,"flow_packet_id":2,"flow_last_seen":1623229850968,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":126,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":126,"pkt_l4_len":40,"ts_msec":1623229850968,"pkt":"PKn0qB\/spJGxgjQ5CABFAAA8AABAADgGCPcXDGCRwKgBgABQv4rZVTUewCUT4qAS\/ohT3AAAAgQFtAQCCAoG1UJIjh5CMwEDAwcZgREJACAAIAEAAAEAAAAIAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAABvS4I1"}
+00535{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":301,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":10,"flow_packet_id":3,"flow_last_seen":1623229850972,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":118,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":118,"pkt_l4_len":32,"ts_msec":1623229850972,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAA0+slAAEAGBjXAqAGAFwxgkb+KAFDAJRPi2VU1H4AQAfZ\/KgAAAQEICo4eQkQG1UJIGYERCQAgACABAAABAAAACAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAV7trsA=="}
+00775{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":302,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":10,"flow_packets_processed":4,"flow_first_seen":1623229850956,"flow_last_seen":1623229850973,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":386,"flow_tot_l4_payload_len":386,"flow_avg_l4_payload_len":96,"midstream":0,"ts_msec":1623229850973,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"23.12.96.145","src_port":49034,"dst_port":80,"l4_proto":"tcp","ndpi": {"proto":"HTTP.OCSP","breed":"Safe","category":"Network"},"http": {"hostname":"ocsp.entrust.net","url":"ocsp.entrust.net\/","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko\/20100101 Firefox\/89.0"}}
+00558{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":344,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":10,"flow_packets_processed":46,"flow_first_seen":1623229850956,"flow_last_seen":1623229968257,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":7031,"flow_avg_l4_payload_len":152,"midstream":0,"ts_msec":1623229968257,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"23.12.96.145","src_port":49034,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
+00156{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":344,"source":"ocsp.pcapng","alias":"nDPId-test","total-events-serialized":62}
+~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
+~~ packets captured/processed: 344/344
+~~ skipped flows.............: 0
+~~ total layer4 data length..: 33113 bytes
+~~ total detected protocols..: 10
+~~ total active/idle flows...: 10/10
+~~ total timeout flows.......: 0
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~ total memory allocated....: 4612775 bytes
+~~ total memory freed........: 4612775 bytes
+~~ total allocations/frees...: 99953/99953
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~ json string min len.......: 161 chars
+~~ json string max len.......: 855 chars
+~~ json string avg len.......: 579 chars
diff --git a/test/results/ookla.pcap.out b/test/results/ookla.pcap.out
index 1116ecf7a..b6ef17d44 100644
--- a/test/results/ookla.pcap.out
+++ b/test/results/ookla.pcap.out
@@ -20,9 +20,9 @@
~~ total active/idle flows...: 2/2
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 2087506 bytes
-~~ total memory freed........: 2087506 bytes
-~~ total allocations/frees...: 40431/40431
+~~ total memory allocated....: 4749397 bytes
+~~ total memory freed........: 4749397 bytes
+~~ total allocations/frees...: 104627/104627
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 161 chars
~~ json string max len.......: 637 chars
diff --git a/test/results/openvpn.pcap.out b/test/results/openvpn.pcap.out
index b949bfe27..e23063142 100644
--- a/test/results/openvpn.pcap.out
+++ b/test/results/openvpn.pcap.out
@@ -26,9 +26,9 @@
~~ total active/idle flows...: 3/3
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1942046 bytes
-~~ total memory freed........: 1942046 bytes
-~~ total allocations/frees...: 35643/35643
+~~ total memory allocated....: 4603513 bytes
+~~ total memory freed........: 4603513 bytes
+~~ total allocations/frees...: 99839/99839
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 162 chars
~~ json string max len.......: 652 chars
diff --git a/test/results/os_detected.pcapng.out b/test/results/os_detected.pcapng.out
index d2f9d7460..099c942e1 100644
--- a/test/results/os_detected.pcapng.out
+++ b/test/results/os_detected.pcapng.out
@@ -1,7 +1,7 @@
00447{"daemon_event_id":1,"daemon_event_name":"init","thread_id":0,"packet_id":0,"source":"os_detected.pcapng","alias":"nDPId-test","max-flows-per-thread":2048,"max-idle-flows-per-thread":256,"tick-resolution":1000,"reader-thread-count":1,"flow-scan-interval":10000,"generic-max-idle-time":600000,"icmp-max-idle-time":120000,"udp-max-idle-time":180000,"tcp-max-idle-time":7560000,"max-packets-per-flow-to-send":3,"max-packets-per-flow-to-process":255}
00560{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1,"source":"os_detected.pcapng","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1611427514609,"flow_last_seen":1611427514609,"flow_idle_time":180000,"flow_min_l4_payload_len":1252,"flow_max_l4_payload_len":1252,"flow_tot_l4_payload_len":1252,"flow_avg_l4_payload_len":1252,"midstream":0,"ts_msec":1611427514609,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"8.8.8.8","src_port":39821,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
02143{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"os_detected.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_last_seen":1611427514609,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1294,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1294,"pkt_l4_len":1260,"ts_msec":1611427514609,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAUAZdFAAEAR\/ePAqAGACAgICJuNAbsE7AYLxP8AAB0Inw\/JO07eNjIIgxX\/XKNBIUIARMqZ8UiDvq\/ZLsUdz0scSMu9YDA5XC\/EJ\/VWdcKmIJjpSLXMxg05sWM0HmWuizvek0EXnlQzmUN9ovr2\/hk4L4+drmSHxo9NOB+GUfgxVDY8jS5sYut7pzwyS1v0Tzd0E1TyJIWDsBfvZlI4bbIIRlefQgOB0WdUqMEfHzxzcbGs6dNO+9vDaznNJ4dGUWqyjTrP1xrbA5ARI5dTVb4R+7D0v8orWpuNvxjoiVb36LCsfL0SbVo2GhqQoHke+Z\/B2D+0+r7INWQc1iHzAG+HeNlA1LtOtYyHAJVB+P59vqKsfmDTE8RgVpXe1x30lS+4YR7jaekw9qCyZHC0kKXvmsPCqZ\/9qa5gMMsfGTjnOTdcid5WA6CyHhSK2HTQW4GkzXHYPreaFIFRc0y9+aMq1Mfl97S1vnvDvIbG91Np67AM6LV1xuilkclYvUim1l1JoFQCUfe6m3PyP+gIQTFerpfrZHjXHVmed8ZubnloXre0\/Z3B2Oh1fmjBjrSNQGdC4YK\/DVld8Ug+FRG0kxgDMCgRJ2S9dOYEMkKgzq\/BKvgwUYmMidXS+F+tMJvoHQSzv3bhpGgehHuZOqNIC3d6Rty6h0nPb+BYsf5E1IpIcwzMB2CvZbT77jViKMoAt5RtufWUmoQ2qymcAa7AXbvCL5L7qI\/1oplTPNm0Ysi0JSUXXf61rlCNL1vc+XNbLSeTg2Vz2fPTbPH7hg\/8qinCri68WhuYiT\/rvuXkVqGxWKJq5b1oM\/AIky7+yMfObOfk9kQ3thgac0pRO1LAAwjECH\/XdGHuEsxIejknnknLjBpjmS+2c+909N0TGc\/NPsDPdaLmN10HnCVLaT1WmruOxWZDa3gV1s3K4IKU6NwqVeHNSYO5xx5HEC7tZU+y4E74cmfLayIxxbdgkahHRv9ATyXrtMLRAHqK8ZsoIIw0D9NAPBA355APW3UhJ\/Z9ZHxppKcR2\/OPN1KQqoIrhRGT9bUzB7Xkn\/VMWRYSTXTiaAYMcb8dRkENbKtVWSIk9LJFrE8pIXivmB2tWlt1t6y+TR30oU1\/NUX3jGhxE7t44s+NhGXfBpl2YQbF4zUhYeZAUzU9QbWzyGdZYarMNxVUgYeW9stlVHB0y\/otPwbX9mpoJ+Dy1FXdgrsIv1LAkh1\/3bdSFFfKVJUwX6EGqQRQU02j\/r+E7RZ0bE01QtNNSuMRMdJX2zJtopXBwZLz8h67datSO+I1wfoRzj4VUG35Q8hcFywG\/xq04McVVySWGNnMos9RmQkhysf\/lc3FuHHnMMA\/XcGqeB2biYiiwAKDCGuBCGTLrEYhV1yIzE4vEhvJvg325fJl3DNeUSuAwqKe9SjUjQtv+EVpEiYxaR6X90zwFDBlHdBDDCfh3iS1o2jSGLUvocncy0jQz8qak7nPw6oMW\/gU8WvBhkEaY\/b26hw+tYWakl5yNVwxnF\/7PKfJyyyPpmjSH2ycL45nydbEY1t1GYpcV+P7AunIs6enuyUp9N
NdtbH\/d0RuYFGsVW1287YLi13LwF56RtlC\/tVGquwfxdqcbniCbYb8LvlGF6r32UjuoiuACdgmkrt6Wf7sAVkRHeYLY5bLkD+o6H+JIwDjoOA\/yI8iOw0QceAwvS35vC2IO56LiInTgA=="}
-00895{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"os_detected.pcapng","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1611427514609,"flow_last_seen":1611427514609,"flow_idle_time":180000,"flow_min_l4_payload_len":1252,"flow_max_l4_payload_len":1252,"flow_tot_l4_payload_len":1252,"flow_avg_l4_payload_len":1252,"midstream":0,"ts_msec":1611427514609,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"8.8.8.8","src_port":39821,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"24":"SNI TLS extension was missing"},"proto":"QUIC.Google","breed":"Tracker\/Ads","category":"Web"},"quic": {"user_agent":"Mozilla\/5.0 (Windows NT 5.2; U; CPU OS 3_2 like Mac OS X; en-us) AppleWebKit\/531.21.10 (KHTML, like Gecko)","version":"TLSv1.3","alpn":"h3-29","ja3":"9addef84847d700f759746b237c405c8","tls_supported_versions":"TLSv1.3"}}
+00893{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"os_detected.pcapng","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1611427514609,"flow_last_seen":1611427514609,"flow_idle_time":180000,"flow_min_l4_payload_len":1252,"flow_max_l4_payload_len":1252,"flow_tot_l4_payload_len":1252,"flow_avg_l4_payload_len":1252,"midstream":0,"ts_msec":1611427514609,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"8.8.8.8","src_port":39821,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"24":"SNI TLS extension was missing"},"proto":"QUIC.Google","breed":"Acceptable","category":"Web"},"quic": {"user_agent":"Mozilla\/5.0 (Windows NT 5.2; U; CPU OS 3_2 like Mac OS X; en-us) AppleWebKit\/531.21.10 (KHTML, like Gecko)","version":"TLSv1.3","alpn":"h3-29","ja3":"9addef84847d700f759746b237c405c8","tls_supported_versions":"TLSv1.3"}}
00561{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1,"source":"os_detected.pcapng","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1611427514609,"flow_last_seen":1611427514609,"flow_idle_time":180000,"flow_min_l4_payload_len":1252,"flow_max_l4_payload_len":1252,"flow_tot_l4_payload_len":1252,"flow_avg_l4_payload_len":1252,"midstream":0,"ts_msec":1611427514609,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"8.8.8.8","src_port":39821,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00160{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":1,"source":"os_detected.pcapng","alias":"nDPId-test","total-events-serialized":6}
~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
@@ -12,9 +12,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1933682 bytes
-~~ total memory freed........: 1933682 bytes
-~~ total allocations/frees...: 35352/35352
+~~ total memory allocated....: 4596017 bytes
+~~ total memory freed........: 4596017 bytes
+~~ total allocations/frees...: 99549/99549
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 165 chars
~~ json string max len.......: 2148 chars
diff --git a/test/results/pinterest.pcap.out b/test/results/pinterest.pcap.out
index c54759420..1b9a4f884 100644
--- a/test/results/pinterest.pcap.out
+++ b/test/results/pinterest.pcap.out
@@ -11,7 +11,7 @@
00490{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":7,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_last_seen":1605289713761,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"ts_msec":1605289713761,"pkt":"qtsDr8lk5EKm5WPyht1gD\/cFACAGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAACXZXhUge4Bu\/ur8QaawxnfgBAB+xfPAAABAQgKz6owf8K5IFc="}
00898{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":8,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":4,"flow_first_seen":1605289713743,"flow_last_seen":1605289713761,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1605289713761,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7854","src_port":33262,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Pinterest","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.pinterest.fr","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00955{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":10,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":6,"flow_first_seen":1605289713743,"flow_last_seen":1605289713802,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":1565,"flow_avg_l4_payload_len":260,"midstream":0,"ts_msec":1605289713802,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7854","src_port":33262,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Pinterest","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.pinterest.fr","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-02735{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":17,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":13,"flow_first_seen":1605289713743,"flow_last_seen":1605289713803,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":5757,"flow_avg_l4_payload_len":442,"midstream":0,"ts_msec":1605289713803,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7854","src_port":33262,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Pinterest","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.pinterest.fr","server_names":"*.pinterest.com,pinterest.in,*.pinterest.co,pinterest.co,*.pinterest.pe,pinterest.pe,*.pinterest.be,pinterest.be,*.pinterest.in,*.pinterest.ph,*.pinterest.ec,pinterest.ph,*.pinterest.cl,*.pinimg.com,*.pinterest.es,pinterest.es,*.pinterest.nz,pinterest.nz,pinterest.ec,pinterest.hu,pinterest.ca,pinterest.id,*.pinterest.nl,pinterest.nl,*.pinterest.tw,pinterest.tw,*.pinterest.th,pinterest.th,*.pinterest.id,*.pinterest.vn,*.pinterest.hu,pinterest.vn,*.pinterest.uk,pinterest.uk,*.pinterest.ru,pinterest.ru,*.pinterest.it,pinterest.it,pinterest.fr,pinterest.cl,*.pinterest.fr,*.pinterest.jp,*.pinterest.ca,pinterest.com,pin.it,*.pinterest.se,*.pinterest.pt,*.pinterest.mx,*.pinterest.kr,*.pinterest.ie,pinterest.engineering,*.pinterest.dk,*.pinterest.de,*.pinterest.ch,*.pinterest.at,*.pinterestmail.com,*.pinterest.engineering,*.pinterest.info,pinterest.info,pinimg.com,pinterestmail.com,pinterest.de,pinterest.dk,pinterest.ie,pinterest.jp,pinterest.kr,pinterest.mx,pinterest.pt,pinterest.se,pinterest.at,pinterest.ch,pinterest.co.at,*.pinterest.com.uy,pinterest.co.kr,pinterest.co.uk,*.pinterest.com.au,pinterest.com.au,pinterest.com.mx,*.pinterest.co.nz,pinterest.co.nz,pinterest.com.pe,pinterest.com.uy,*.pinterest.co.in,pinterest.com.py,*.pinterest.com.py,p
interest.com.bo,*.pinterest.com.bo,pinterest.com.ec,*.pinterest.com.ec,pinterest.co.in,*.pinterest.com.pe,*.pinterest.com.mx,pinterest.com.vn,*.pinterest.com.vn,*.pinterest.co.uk,*.pinterest.co.kr,*.pinterest.co.at,*.testing.pinterest.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","issuerDN":"C=US, ST=California, L=San Francisco, O=Pinterest, Inc., CN=*.pinterest.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"1E:D0:5D:9F:0D:82:46:B3:60:5F:11:FB:64:D5:28:35:37:40:7A:4E"}}
+02736{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":17,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":13,"flow_first_seen":1605289713743,"flow_last_seen":1605289713803,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":5757,"flow_avg_l4_payload_len":442,"midstream":0,"ts_msec":1605289713803,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7854","src_port":33262,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Pinterest","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.pinterest.fr","server_names":"*.pinterest.com,pinterest.in,*.pinterest.co,pinterest.co,*.pinterest.pe,pinterest.pe,*.pinterest.be,pinterest.be,*.pinterest.in,*.pinterest.ph,*.pinterest.ec,pinterest.ph,*.pinterest.cl,*.pinimg.com,*.pinterest.es,pinterest.es,*.pinterest.nz,pinterest.nz,pinterest.ec,pinterest.hu,pinterest.ca,pinterest.id,*.pinterest.nl,pinterest.nl,*.pinterest.tw,pinterest.tw,*.pinterest.th,pinterest.th,*.pinterest.id,*.pinterest.vn,*.pinterest.hu,pinterest.vn,*.pinterest.uk,pinterest.uk,*.pinterest.ru,pinterest.ru,*.pinterest.it,pinterest.it,pinterest.fr,pinterest.cl,*.pinterest.fr,*.pinterest.jp,*.pinterest.ca,pinterest.com,pin.it,*.pinterest.se,*.pinterest.pt,*.pinterest.mx,*.pinterest.kr,*.pinterest.ie,pinterest.engineering,*.pinterest.dk,*.pinterest.de,*.pinterest.ch,*.pinterest.at,*.pinterestmail.com,*.pinterest.engineering,*.pinterest.info,pinterest.info,pinimg.com,pinterestmail.com,pinterest.de,pinterest.dk,pinterest.ie,pinterest.jp,pinterest.kr,pinterest.mx,pinterest.pt,pinterest.se,pinterest.at,pinterest.ch,pinterest.co.at,*.pinterest.com.uy,pinterest.co.kr,pinterest.co.uk,*.pinterest.com.au,pinterest.com.au,pinterest.com.mx,*.pinterest.co.nz,pinterest.co.nz,pinterest.com.pe,pinterest.com.uy,*.pinterest.co.in,pinterest.com.py,*.pinterest.com.py,p
interest.com.bo,*.pinterest.com.bo,pinterest.com.ec,*.pinterest.com.ec,pinterest.co.in,*.pinterest.com.pe,*.pinterest.com.mx,pinterest.com.vn,*.pinterest.com.vn,*.pinterest.co.uk,*.pinterest.co.kr,*.pinterest.co.at,*.testing.pinterest.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Pinterest, Inc., CN=*.pinterest.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"1E:D0:5D:9F:0D:82:46:B3:60:5F:11:FB:64:D5:28:35:37:40:7A:4E"}}
00581{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":79,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":1,"flow_first_seen":1605289714142,"flow_last_seen":1605289714142,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1605289714142,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::84","src_port":38512,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00501{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":79,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":1,"flow_last_seen":1605289714142,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605289714142,"pkt":"qtsDr8lk5EKm5WPyht1gBvDPACgGQCoBywEgSYsHmR3shSjf9ikqBE5CAB0AAAAAAAAAAACElnABu5Qp1R0AAAAAoAL9IJUzAAACBAWgBAIICtZiIAMAAAAAAQMDBw=="}
00581{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":80,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":1,"flow_first_seen":1605289714142,"flow_last_seen":1605289714142,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1605289714142,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::84","src_port":38514,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -43,17 +43,17 @@
00894{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":101,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":9,"flow_packets_processed":4,"flow_first_seen":1605289714142,"flow_last_seen":1605289714182,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1605289714182,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::84","src_port":38522,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Pinterest","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"s.pinimg.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00894{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":102,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":4,"flow_first_seen":1605289714142,"flow_last_seen":1605289714182,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1605289714182,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::84","src_port":38520,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Pinterest","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"s.pinimg.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00950{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":104,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":6,"flow_first_seen":1605289714142,"flow_last_seen":1605289714204,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1388,"flow_tot_l4_payload_len":1905,"flow_avg_l4_payload_len":317,"midstream":0,"ts_msec":1605289714204,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::84","src_port":38512,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Pinterest","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"s.pinimg.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-02729{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":107,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":9,"flow_first_seen":1605289714142,"flow_last_seen":1605289714204,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1388,"flow_tot_l4_payload_len":5839,"flow_avg_l4_payload_len":648,"midstream":0,"ts_msec":1605289714204,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::84","src_port":38512,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Pinterest","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"s.pinimg.com","server_names":"*.pinterest.com,pinterest.in,*.pinterest.co,pinterest.co,*.pinterest.pe,pinterest.pe,*.pinterest.be,pinterest.be,*.pinterest.in,*.pinterest.ph,*.pinterest.ec,pinterest.ph,*.pinterest.cl,*.pinimg.com,*.pinterest.es,pinterest.es,*.pinterest.nz,pinterest.nz,pinterest.ec,pinterest.hu,pinterest.ca,pinterest.id,*.pinterest.nl,pinterest.nl,*.pinterest.tw,pinterest.tw,*.pinterest.th,pinterest.th,*.pinterest.id,*.pinterest.vn,*.pinterest.hu,pinterest.vn,*.pinterest.uk,pinterest.uk,*.pinterest.ru,pinterest.ru,*.pinterest.it,pinterest.it,pinterest.fr,pinterest.cl,*.pinterest.fr,*.pinterest.jp,*.pinterest.ca,pinterest.com,pin.it,*.pinterest.se,*.pinterest.pt,*.pinterest.mx,*.pinterest.kr,*.pinterest.ie,pinterest.engineering,*.pinterest.dk,*.pinterest.de,*.pinterest.ch,*.pinterest.at,*.pinterestmail.com,*.pinterest.engineering,*.pinterest.info,pinterest.info,pinimg.com,pinterestmail.com,pinterest.de,pinterest.dk,pinterest.ie,pinterest.jp,pinterest.kr,pinterest.mx,pinterest.pt,pinterest.se,pinterest.at,pinterest.ch,pinterest.co.at,*.pinterest.com.uy,pinterest.co.kr,pinterest.co.uk,*.pinterest.com.au,pinterest.com.au,pinterest.com.mx,*.pinterest.co.nz,pinterest.co.nz,pinterest.com.pe,pinterest.com.uy,*.pinterest.co.in,pinterest.com.py,*.pinterest.com.py,pintere
st.com.bo,*.pinterest.com.bo,pinterest.com.ec,*.pinterest.com.ec,pinterest.co.in,*.pinterest.com.pe,*.pinterest.com.mx,pinterest.com.vn,*.pinterest.com.vn,*.pinterest.co.uk,*.pinterest.co.kr,*.pinterest.co.at,*.testing.pinterest.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","issuerDN":"C=US, ST=California, L=San Francisco, O=Pinterest, Inc., CN=*.pinterest.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"1E:D0:5D:9F:0D:82:46:B3:60:5F:11:FB:64:D5:28:35:37:40:7A:4E"}}
+02730{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":107,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":9,"flow_first_seen":1605289714142,"flow_last_seen":1605289714204,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1388,"flow_tot_l4_payload_len":5839,"flow_avg_l4_payload_len":648,"midstream":0,"ts_msec":1605289714204,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::84","src_port":38512,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Pinterest","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"s.pinimg.com","server_names":"*.pinterest.com,pinterest.in,*.pinterest.co,pinterest.co,*.pinterest.pe,pinterest.pe,*.pinterest.be,pinterest.be,*.pinterest.in,*.pinterest.ph,*.pinterest.ec,pinterest.ph,*.pinterest.cl,*.pinimg.com,*.pinterest.es,pinterest.es,*.pinterest.nz,pinterest.nz,pinterest.ec,pinterest.hu,pinterest.ca,pinterest.id,*.pinterest.nl,pinterest.nl,*.pinterest.tw,pinterest.tw,*.pinterest.th,pinterest.th,*.pinterest.id,*.pinterest.vn,*.pinterest.hu,pinterest.vn,*.pinterest.uk,pinterest.uk,*.pinterest.ru,pinterest.ru,*.pinterest.it,pinterest.it,pinterest.fr,pinterest.cl,*.pinterest.fr,*.pinterest.jp,*.pinterest.ca,pinterest.com,pin.it,*.pinterest.se,*.pinterest.pt,*.pinterest.mx,*.pinterest.kr,*.pinterest.ie,pinterest.engineering,*.pinterest.dk,*.pinterest.de,*.pinterest.ch,*.pinterest.at,*.pinterestmail.com,*.pinterest.engineering,*.pinterest.info,pinterest.info,pinimg.com,pinterestmail.com,pinterest.de,pinterest.dk,pinterest.ie,pinterest.jp,pinterest.kr,pinterest.mx,pinterest.pt,pinterest.se,pinterest.at,pinterest.ch,pinterest.co.at,*.pinterest.com.uy,pinterest.co.kr,pinterest.co.uk,*.pinterest.com.au,pinterest.com.au,pinterest.com.mx,*.pinterest.co.nz,pinterest.co.nz,pinterest.com.pe,pinterest.com.uy,*.pinterest.co.in,pinterest.com.py,*.pinterest.com.py,pintere
st.com.bo,*.pinterest.com.bo,pinterest.com.ec,*.pinterest.com.ec,pinterest.co.in,*.pinterest.com.pe,*.pinterest.com.mx,pinterest.com.vn,*.pinterest.com.vn,*.pinterest.co.uk,*.pinterest.co.kr,*.pinterest.co.at,*.testing.pinterest.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Pinterest, Inc., CN=*.pinterest.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"1E:D0:5D:9F:0D:82:46:B3:60:5F:11:FB:64:D5:28:35:37:40:7A:4E"}}
00950{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":127,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":7,"flow_first_seen":1605289714142,"flow_last_seen":1605289714229,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1388,"flow_tot_l4_payload_len":1905,"flow_avg_l4_payload_len":272,"midstream":0,"ts_msec":1605289714229,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::84","src_port":38518,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Pinterest","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"s.pinimg.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-02730{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":131,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":10,"flow_first_seen":1605289714142,"flow_last_seen":1605289714229,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1388,"flow_tot_l4_payload_len":5839,"flow_avg_l4_payload_len":583,"midstream":0,"ts_msec":1605289714229,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::84","src_port":38518,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Pinterest","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"s.pinimg.com","server_names":"*.pinterest.com,pinterest.in,*.pinterest.co,pinterest.co,*.pinterest.pe,pinterest.pe,*.pinterest.be,pinterest.be,*.pinterest.in,*.pinterest.ph,*.pinterest.ec,pinterest.ph,*.pinterest.cl,*.pinimg.com,*.pinterest.es,pinterest.es,*.pinterest.nz,pinterest.nz,pinterest.ec,pinterest.hu,pinterest.ca,pinterest.id,*.pinterest.nl,pinterest.nl,*.pinterest.tw,pinterest.tw,*.pinterest.th,pinterest.th,*.pinterest.id,*.pinterest.vn,*.pinterest.hu,pinterest.vn,*.pinterest.uk,pinterest.uk,*.pinterest.ru,pinterest.ru,*.pinterest.it,pinterest.it,pinterest.fr,pinterest.cl,*.pinterest.fr,*.pinterest.jp,*.pinterest.ca,pinterest.com,pin.it,*.pinterest.se,*.pinterest.pt,*.pinterest.mx,*.pinterest.kr,*.pinterest.ie,pinterest.engineering,*.pinterest.dk,*.pinterest.de,*.pinterest.ch,*.pinterest.at,*.pinterestmail.com,*.pinterest.engineering,*.pinterest.info,pinterest.info,pinimg.com,pinterestmail.com,pinterest.de,pinterest.dk,pinterest.ie,pinterest.jp,pinterest.kr,pinterest.mx,pinterest.pt,pinterest.se,pinterest.at,pinterest.ch,pinterest.co.at,*.pinterest.com.uy,pinterest.co.kr,pinterest.co.uk,*.pinterest.com.au,pinterest.com.au,pinterest.com.mx,*.pinterest.co.nz,pinterest.co.nz,pinterest.com.pe,pinterest.com.uy,*.pinterest.co.in,pinterest.com.py,*.pinterest.com.py,pinter
est.com.bo,*.pinterest.com.bo,pinterest.com.ec,*.pinterest.com.ec,pinterest.co.in,*.pinterest.com.pe,*.pinterest.com.mx,pinterest.com.vn,*.pinterest.com.vn,*.pinterest.co.uk,*.pinterest.co.kr,*.pinterest.co.at,*.testing.pinterest.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","issuerDN":"C=US, ST=California, L=San Francisco, O=Pinterest, Inc., CN=*.pinterest.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"1E:D0:5D:9F:0D:82:46:B3:60:5F:11:FB:64:D5:28:35:37:40:7A:4E"}}
+02731{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":131,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":10,"flow_first_seen":1605289714142,"flow_last_seen":1605289714229,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1388,"flow_tot_l4_payload_len":5839,"flow_avg_l4_payload_len":583,"midstream":0,"ts_msec":1605289714229,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::84","src_port":38518,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Pinterest","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"s.pinimg.com","server_names":"*.pinterest.com,pinterest.in,*.pinterest.co,pinterest.co,*.pinterest.pe,pinterest.pe,*.pinterest.be,pinterest.be,*.pinterest.in,*.pinterest.ph,*.pinterest.ec,pinterest.ph,*.pinterest.cl,*.pinimg.com,*.pinterest.es,pinterest.es,*.pinterest.nz,pinterest.nz,pinterest.ec,pinterest.hu,pinterest.ca,pinterest.id,*.pinterest.nl,pinterest.nl,*.pinterest.tw,pinterest.tw,*.pinterest.th,pinterest.th,*.pinterest.id,*.pinterest.vn,*.pinterest.hu,pinterest.vn,*.pinterest.uk,pinterest.uk,*.pinterest.ru,pinterest.ru,*.pinterest.it,pinterest.it,pinterest.fr,pinterest.cl,*.pinterest.fr,*.pinterest.jp,*.pinterest.ca,pinterest.com,pin.it,*.pinterest.se,*.pinterest.pt,*.pinterest.mx,*.pinterest.kr,*.pinterest.ie,pinterest.engineering,*.pinterest.dk,*.pinterest.de,*.pinterest.ch,*.pinterest.at,*.pinterestmail.com,*.pinterest.engineering,*.pinterest.info,pinterest.info,pinimg.com,pinterestmail.com,pinterest.de,pinterest.dk,pinterest.ie,pinterest.jp,pinterest.kr,pinterest.mx,pinterest.pt,pinterest.se,pinterest.at,pinterest.ch,pinterest.co.at,*.pinterest.com.uy,pinterest.co.kr,pinterest.co.uk,*.pinterest.com.au,pinterest.com.au,pinterest.com.mx,*.pinterest.co.nz,pinterest.co.nz,pinterest.com.pe,pinterest.com.uy,*.pinterest.co.in,pinterest.com.py,*.pinterest.com.py,pinter
est.com.bo,*.pinterest.com.bo,pinterest.com.ec,*.pinterest.com.ec,pinterest.co.in,*.pinterest.com.pe,*.pinterest.com.mx,pinterest.com.vn,*.pinterest.com.vn,*.pinterest.co.uk,*.pinterest.co.kr,*.pinterest.co.at,*.testing.pinterest.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Pinterest, Inc., CN=*.pinterest.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"1E:D0:5D:9F:0D:82:46:B3:60:5F:11:FB:64:D5:28:35:37:40:7A:4E"}}
00950{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":134,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":7,"flow_first_seen":1605289714142,"flow_last_seen":1605289714229,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1388,"flow_tot_l4_payload_len":1905,"flow_avg_l4_payload_len":272,"midstream":0,"ts_msec":1605289714229,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::84","src_port":38516,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Pinterest","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"s.pinimg.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00950{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":135,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":9,"flow_packets_processed":7,"flow_first_seen":1605289714142,"flow_last_seen":1605289714229,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1388,"flow_tot_l4_payload_len":1905,"flow_avg_l4_payload_len":272,"midstream":0,"ts_msec":1605289714229,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::84","src_port":38522,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Pinterest","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"s.pinimg.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-02730{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":138,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":9,"flow_packets_processed":10,"flow_first_seen":1605289714142,"flow_last_seen":1605289714229,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1388,"flow_tot_l4_payload_len":5839,"flow_avg_l4_payload_len":583,"midstream":0,"ts_msec":1605289714229,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::84","src_port":38522,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Pinterest","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"s.pinimg.com","server_names":"*.pinterest.com,pinterest.in,*.pinterest.co,pinterest.co,*.pinterest.pe,pinterest.pe,*.pinterest.be,pinterest.be,*.pinterest.in,*.pinterest.ph,*.pinterest.ec,pinterest.ph,*.pinterest.cl,*.pinimg.com,*.pinterest.es,pinterest.es,*.pinterest.nz,pinterest.nz,pinterest.ec,pinterest.hu,pinterest.ca,pinterest.id,*.pinterest.nl,pinterest.nl,*.pinterest.tw,pinterest.tw,*.pinterest.th,pinterest.th,*.pinterest.id,*.pinterest.vn,*.pinterest.hu,pinterest.vn,*.pinterest.uk,pinterest.uk,*.pinterest.ru,pinterest.ru,*.pinterest.it,pinterest.it,pinterest.fr,pinterest.cl,*.pinterest.fr,*.pinterest.jp,*.pinterest.ca,pinterest.com,pin.it,*.pinterest.se,*.pinterest.pt,*.pinterest.mx,*.pinterest.kr,*.pinterest.ie,pinterest.engineering,*.pinterest.dk,*.pinterest.de,*.pinterest.ch,*.pinterest.at,*.pinterestmail.com,*.pinterest.engineering,*.pinterest.info,pinterest.info,pinimg.com,pinterestmail.com,pinterest.de,pinterest.dk,pinterest.ie,pinterest.jp,pinterest.kr,pinterest.mx,pinterest.pt,pinterest.se,pinterest.at,pinterest.ch,pinterest.co.at,*.pinterest.com.uy,pinterest.co.kr,pinterest.co.uk,*.pinterest.com.au,pinterest.com.au,pinterest.com.mx,*.pinterest.co.nz,pinterest.co.nz,pinterest.com.pe,pinterest.com.uy,*.pinterest.co.in,pinterest.com.py,*.pinterest.com.py,pinter
est.com.bo,*.pinterest.com.bo,pinterest.com.ec,*.pinterest.com.ec,pinterest.co.in,*.pinterest.com.pe,*.pinterest.com.mx,pinterest.com.vn,*.pinterest.com.vn,*.pinterest.co.uk,*.pinterest.co.kr,*.pinterest.co.at,*.testing.pinterest.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","issuerDN":"C=US, ST=California, L=San Francisco, O=Pinterest, Inc., CN=*.pinterest.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"1E:D0:5D:9F:0D:82:46:B3:60:5F:11:FB:64:D5:28:35:37:40:7A:4E"}}
+02731{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":138,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":9,"flow_packets_processed":10,"flow_first_seen":1605289714142,"flow_last_seen":1605289714229,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1388,"flow_tot_l4_payload_len":5839,"flow_avg_l4_payload_len":583,"midstream":0,"ts_msec":1605289714229,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::84","src_port":38522,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Pinterest","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"s.pinimg.com","server_names":"*.pinterest.com,pinterest.in,*.pinterest.co,pinterest.co,*.pinterest.pe,pinterest.pe,*.pinterest.be,pinterest.be,*.pinterest.in,*.pinterest.ph,*.pinterest.ec,pinterest.ph,*.pinterest.cl,*.pinimg.com,*.pinterest.es,pinterest.es,*.pinterest.nz,pinterest.nz,pinterest.ec,pinterest.hu,pinterest.ca,pinterest.id,*.pinterest.nl,pinterest.nl,*.pinterest.tw,pinterest.tw,*.pinterest.th,pinterest.th,*.pinterest.id,*.pinterest.vn,*.pinterest.hu,pinterest.vn,*.pinterest.uk,pinterest.uk,*.pinterest.ru,pinterest.ru,*.pinterest.it,pinterest.it,pinterest.fr,pinterest.cl,*.pinterest.fr,*.pinterest.jp,*.pinterest.ca,pinterest.com,pin.it,*.pinterest.se,*.pinterest.pt,*.pinterest.mx,*.pinterest.kr,*.pinterest.ie,pinterest.engineering,*.pinterest.dk,*.pinterest.de,*.pinterest.ch,*.pinterest.at,*.pinterestmail.com,*.pinterest.engineering,*.pinterest.info,pinterest.info,pinimg.com,pinterestmail.com,pinterest.de,pinterest.dk,pinterest.ie,pinterest.jp,pinterest.kr,pinterest.mx,pinterest.pt,pinterest.se,pinterest.at,pinterest.ch,pinterest.co.at,*.pinterest.com.uy,pinterest.co.kr,pinterest.co.uk,*.pinterest.com.au,pinterest.com.au,pinterest.com.mx,*.pinterest.co.nz,pinterest.co.nz,pinterest.com.pe,pinterest.com.uy,*.pinterest.co.in,pinterest.com.py,*.pinterest.com.py,pinter
est.com.bo,*.pinterest.com.bo,pinterest.com.ec,*.pinterest.com.ec,pinterest.co.in,*.pinterest.com.pe,*.pinterest.com.mx,pinterest.com.vn,*.pinterest.com.vn,*.pinterest.co.uk,*.pinterest.co.kr,*.pinterest.co.at,*.testing.pinterest.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Pinterest, Inc., CN=*.pinterest.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"1E:D0:5D:9F:0D:82:46:B3:60:5F:11:FB:64:D5:28:35:37:40:7A:4E"}}
00950{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":141,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":7,"flow_first_seen":1605289714142,"flow_last_seen":1605289714229,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1388,"flow_tot_l4_payload_len":1905,"flow_avg_l4_payload_len":272,"midstream":0,"ts_msec":1605289714229,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::84","src_port":38514,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Pinterest","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"s.pinimg.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-02730{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":149,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":13,"flow_first_seen":1605289714142,"flow_last_seen":1605289714230,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1388,"flow_tot_l4_payload_len":5839,"flow_avg_l4_payload_len":449,"midstream":0,"ts_msec":1605289714230,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::84","src_port":38516,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Pinterest","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"s.pinimg.com","server_names":"*.pinterest.com,pinterest.in,*.pinterest.co,pinterest.co,*.pinterest.pe,pinterest.pe,*.pinterest.be,pinterest.be,*.pinterest.in,*.pinterest.ph,*.pinterest.ec,pinterest.ph,*.pinterest.cl,*.pinimg.com,*.pinterest.es,pinterest.es,*.pinterest.nz,pinterest.nz,pinterest.ec,pinterest.hu,pinterest.ca,pinterest.id,*.pinterest.nl,pinterest.nl,*.pinterest.tw,pinterest.tw,*.pinterest.th,pinterest.th,*.pinterest.id,*.pinterest.vn,*.pinterest.hu,pinterest.vn,*.pinterest.uk,pinterest.uk,*.pinterest.ru,pinterest.ru,*.pinterest.it,pinterest.it,pinterest.fr,pinterest.cl,*.pinterest.fr,*.pinterest.jp,*.pinterest.ca,pinterest.com,pin.it,*.pinterest.se,*.pinterest.pt,*.pinterest.mx,*.pinterest.kr,*.pinterest.ie,pinterest.engineering,*.pinterest.dk,*.pinterest.de,*.pinterest.ch,*.pinterest.at,*.pinterestmail.com,*.pinterest.engineering,*.pinterest.info,pinterest.info,pinimg.com,pinterestmail.com,pinterest.de,pinterest.dk,pinterest.ie,pinterest.jp,pinterest.kr,pinterest.mx,pinterest.pt,pinterest.se,pinterest.at,pinterest.ch,pinterest.co.at,*.pinterest.com.uy,pinterest.co.kr,pinterest.co.uk,*.pinterest.com.au,pinterest.com.au,pinterest.com.mx,*.pinterest.co.nz,pinterest.co.nz,pinterest.com.pe,pinterest.com.uy,*.pinterest.co.in,pinterest.com.py,*.pinterest.com.py,pinter
est.com.bo,*.pinterest.com.bo,pinterest.com.ec,*.pinterest.com.ec,pinterest.co.in,*.pinterest.com.pe,*.pinterest.com.mx,pinterest.com.vn,*.pinterest.com.vn,*.pinterest.co.uk,*.pinterest.co.kr,*.pinterest.co.at,*.testing.pinterest.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","issuerDN":"C=US, ST=California, L=San Francisco, O=Pinterest, Inc., CN=*.pinterest.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"1E:D0:5D:9F:0D:82:46:B3:60:5F:11:FB:64:D5:28:35:37:40:7A:4E"}}
-02730{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":150,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":11,"flow_first_seen":1605289714142,"flow_last_seen":1605289714230,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1388,"flow_tot_l4_payload_len":5839,"flow_avg_l4_payload_len":530,"midstream":0,"ts_msec":1605289714230,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::84","src_port":38514,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Pinterest","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"s.pinimg.com","server_names":"*.pinterest.com,pinterest.in,*.pinterest.co,pinterest.co,*.pinterest.pe,pinterest.pe,*.pinterest.be,pinterest.be,*.pinterest.in,*.pinterest.ph,*.pinterest.ec,pinterest.ph,*.pinterest.cl,*.pinimg.com,*.pinterest.es,pinterest.es,*.pinterest.nz,pinterest.nz,pinterest.ec,pinterest.hu,pinterest.ca,pinterest.id,*.pinterest.nl,pinterest.nl,*.pinterest.tw,pinterest.tw,*.pinterest.th,pinterest.th,*.pinterest.id,*.pinterest.vn,*.pinterest.hu,pinterest.vn,*.pinterest.uk,pinterest.uk,*.pinterest.ru,pinterest.ru,*.pinterest.it,pinterest.it,pinterest.fr,pinterest.cl,*.pinterest.fr,*.pinterest.jp,*.pinterest.ca,pinterest.com,pin.it,*.pinterest.se,*.pinterest.pt,*.pinterest.mx,*.pinterest.kr,*.pinterest.ie,pinterest.engineering,*.pinterest.dk,*.pinterest.de,*.pinterest.ch,*.pinterest.at,*.pinterestmail.com,*.pinterest.engineering,*.pinterest.info,pinterest.info,pinimg.com,pinterestmail.com,pinterest.de,pinterest.dk,pinterest.ie,pinterest.jp,pinterest.kr,pinterest.mx,pinterest.pt,pinterest.se,pinterest.at,pinterest.ch,pinterest.co.at,*.pinterest.com.uy,pinterest.co.kr,pinterest.co.uk,*.pinterest.com.au,pinterest.com.au,pinterest.com.mx,*.pinterest.co.nz,pinterest.co.nz,pinterest.com.pe,pinterest.com.uy,*.pinterest.co.in,pinterest.com.py,*.pinterest.com.py,pinter
est.com.bo,*.pinterest.com.bo,pinterest.com.ec,*.pinterest.com.ec,pinterest.co.in,*.pinterest.com.pe,*.pinterest.com.mx,pinterest.com.vn,*.pinterest.com.vn,*.pinterest.co.uk,*.pinterest.co.kr,*.pinterest.co.at,*.testing.pinterest.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","issuerDN":"C=US, ST=California, L=San Francisco, O=Pinterest, Inc., CN=*.pinterest.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"1E:D0:5D:9F:0D:82:46:B3:60:5F:11:FB:64:D5:28:35:37:40:7A:4E"}}
+02731{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":149,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":13,"flow_first_seen":1605289714142,"flow_last_seen":1605289714230,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1388,"flow_tot_l4_payload_len":5839,"flow_avg_l4_payload_len":449,"midstream":0,"ts_msec":1605289714230,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::84","src_port":38516,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Pinterest","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"s.pinimg.com","server_names":"*.pinterest.com,pinterest.in,*.pinterest.co,pinterest.co,*.pinterest.pe,pinterest.pe,*.pinterest.be,pinterest.be,*.pinterest.in,*.pinterest.ph,*.pinterest.ec,pinterest.ph,*.pinterest.cl,*.pinimg.com,*.pinterest.es,pinterest.es,*.pinterest.nz,pinterest.nz,pinterest.ec,pinterest.hu,pinterest.ca,pinterest.id,*.pinterest.nl,pinterest.nl,*.pinterest.tw,pinterest.tw,*.pinterest.th,pinterest.th,*.pinterest.id,*.pinterest.vn,*.pinterest.hu,pinterest.vn,*.pinterest.uk,pinterest.uk,*.pinterest.ru,pinterest.ru,*.pinterest.it,pinterest.it,pinterest.fr,pinterest.cl,*.pinterest.fr,*.pinterest.jp,*.pinterest.ca,pinterest.com,pin.it,*.pinterest.se,*.pinterest.pt,*.pinterest.mx,*.pinterest.kr,*.pinterest.ie,pinterest.engineering,*.pinterest.dk,*.pinterest.de,*.pinterest.ch,*.pinterest.at,*.pinterestmail.com,*.pinterest.engineering,*.pinterest.info,pinterest.info,pinimg.com,pinterestmail.com,pinterest.de,pinterest.dk,pinterest.ie,pinterest.jp,pinterest.kr,pinterest.mx,pinterest.pt,pinterest.se,pinterest.at,pinterest.ch,pinterest.co.at,*.pinterest.com.uy,pinterest.co.kr,pinterest.co.uk,*.pinterest.com.au,pinterest.com.au,pinterest.com.mx,*.pinterest.co.nz,pinterest.co.nz,pinterest.com.pe,pinterest.com.uy,*.pinterest.co.in,pinterest.com.py,*.pinterest.com.py,pinter
est.com.bo,*.pinterest.com.bo,pinterest.com.ec,*.pinterest.com.ec,pinterest.co.in,*.pinterest.com.pe,*.pinterest.com.mx,pinterest.com.vn,*.pinterest.com.vn,*.pinterest.co.uk,*.pinterest.co.kr,*.pinterest.co.at,*.testing.pinterest.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Pinterest, Inc., CN=*.pinterest.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"1E:D0:5D:9F:0D:82:46:B3:60:5F:11:FB:64:D5:28:35:37:40:7A:4E"}}
+02731{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":150,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":11,"flow_first_seen":1605289714142,"flow_last_seen":1605289714230,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1388,"flow_tot_l4_payload_len":5839,"flow_avg_l4_payload_len":530,"midstream":0,"ts_msec":1605289714230,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::84","src_port":38514,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Pinterest","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"s.pinimg.com","server_names":"*.pinterest.com,pinterest.in,*.pinterest.co,pinterest.co,*.pinterest.pe,pinterest.pe,*.pinterest.be,pinterest.be,*.pinterest.in,*.pinterest.ph,*.pinterest.ec,pinterest.ph,*.pinterest.cl,*.pinimg.com,*.pinterest.es,pinterest.es,*.pinterest.nz,pinterest.nz,pinterest.ec,pinterest.hu,pinterest.ca,pinterest.id,*.pinterest.nl,pinterest.nl,*.pinterest.tw,pinterest.tw,*.pinterest.th,pinterest.th,*.pinterest.id,*.pinterest.vn,*.pinterest.hu,pinterest.vn,*.pinterest.uk,pinterest.uk,*.pinterest.ru,pinterest.ru,*.pinterest.it,pinterest.it,pinterest.fr,pinterest.cl,*.pinterest.fr,*.pinterest.jp,*.pinterest.ca,pinterest.com,pin.it,*.pinterest.se,*.pinterest.pt,*.pinterest.mx,*.pinterest.kr,*.pinterest.ie,pinterest.engineering,*.pinterest.dk,*.pinterest.de,*.pinterest.ch,*.pinterest.at,*.pinterestmail.com,*.pinterest.engineering,*.pinterest.info,pinterest.info,pinimg.com,pinterestmail.com,pinterest.de,pinterest.dk,pinterest.ie,pinterest.jp,pinterest.kr,pinterest.mx,pinterest.pt,pinterest.se,pinterest.at,pinterest.ch,pinterest.co.at,*.pinterest.com.uy,pinterest.co.kr,pinterest.co.uk,*.pinterest.com.au,pinterest.com.au,pinterest.com.mx,*.pinterest.co.nz,pinterest.co.nz,pinterest.com.pe,pinterest.com.uy,*.pinterest.co.in,pinterest.com.py,*.pinterest.com.py,pinter
est.com.bo,*.pinterest.com.bo,pinterest.com.ec,*.pinterest.com.ec,pinterest.co.in,*.pinterest.com.pe,*.pinterest.com.mx,pinterest.com.vn,*.pinterest.com.vn,*.pinterest.co.uk,*.pinterest.co.kr,*.pinterest.co.at,*.testing.pinterest.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Pinterest, Inc., CN=*.pinterest.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"1E:D0:5D:9F:0D:82:46:B3:60:5F:11:FB:64:D5:28:35:37:40:7A:4E"}}
00950{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":151,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":7,"flow_first_seen":1605289714142,"flow_last_seen":1605289714230,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1388,"flow_tot_l4_payload_len":1905,"flow_avg_l4_payload_len":272,"midstream":0,"ts_msec":1605289714230,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::84","src_port":38520,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Pinterest","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"s.pinimg.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-02730{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":154,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":10,"flow_first_seen":1605289714142,"flow_last_seen":1605289714230,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1388,"flow_tot_l4_payload_len":5839,"flow_avg_l4_payload_len":583,"midstream":0,"ts_msec":1605289714230,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::84","src_port":38520,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Pinterest","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"s.pinimg.com","server_names":"*.pinterest.com,pinterest.in,*.pinterest.co,pinterest.co,*.pinterest.pe,pinterest.pe,*.pinterest.be,pinterest.be,*.pinterest.in,*.pinterest.ph,*.pinterest.ec,pinterest.ph,*.pinterest.cl,*.pinimg.com,*.pinterest.es,pinterest.es,*.pinterest.nz,pinterest.nz,pinterest.ec,pinterest.hu,pinterest.ca,pinterest.id,*.pinterest.nl,pinterest.nl,*.pinterest.tw,pinterest.tw,*.pinterest.th,pinterest.th,*.pinterest.id,*.pinterest.vn,*.pinterest.hu,pinterest.vn,*.pinterest.uk,pinterest.uk,*.pinterest.ru,pinterest.ru,*.pinterest.it,pinterest.it,pinterest.fr,pinterest.cl,*.pinterest.fr,*.pinterest.jp,*.pinterest.ca,pinterest.com,pin.it,*.pinterest.se,*.pinterest.pt,*.pinterest.mx,*.pinterest.kr,*.pinterest.ie,pinterest.engineering,*.pinterest.dk,*.pinterest.de,*.pinterest.ch,*.pinterest.at,*.pinterestmail.com,*.pinterest.engineering,*.pinterest.info,pinterest.info,pinimg.com,pinterestmail.com,pinterest.de,pinterest.dk,pinterest.ie,pinterest.jp,pinterest.kr,pinterest.mx,pinterest.pt,pinterest.se,pinterest.at,pinterest.ch,pinterest.co.at,*.pinterest.com.uy,pinterest.co.kr,pinterest.co.uk,*.pinterest.com.au,pinterest.com.au,pinterest.com.mx,*.pinterest.co.nz,pinterest.co.nz,pinterest.com.pe,pinterest.com.uy,*.pinterest.co.in,pinterest.com.py,*.pinterest.com.py,pinter
est.com.bo,*.pinterest.com.bo,pinterest.com.ec,*.pinterest.com.ec,pinterest.co.in,*.pinterest.com.pe,*.pinterest.com.mx,pinterest.com.vn,*.pinterest.com.vn,*.pinterest.co.uk,*.pinterest.co.kr,*.pinterest.co.at,*.testing.pinterest.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","issuerDN":"C=US, ST=California, L=San Francisco, O=Pinterest, Inc., CN=*.pinterest.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"1E:D0:5D:9F:0D:82:46:B3:60:5F:11:FB:64:D5:28:35:37:40:7A:4E"}}
+02731{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":154,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":10,"flow_first_seen":1605289714142,"flow_last_seen":1605289714230,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1388,"flow_tot_l4_payload_len":5839,"flow_avg_l4_payload_len":583,"midstream":0,"ts_msec":1605289714230,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::84","src_port":38520,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Pinterest","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"s.pinimg.com","server_names":"*.pinterest.com,pinterest.in,*.pinterest.co,pinterest.co,*.pinterest.pe,pinterest.pe,*.pinterest.be,pinterest.be,*.pinterest.in,*.pinterest.ph,*.pinterest.ec,pinterest.ph,*.pinterest.cl,*.pinimg.com,*.pinterest.es,pinterest.es,*.pinterest.nz,pinterest.nz,pinterest.ec,pinterest.hu,pinterest.ca,pinterest.id,*.pinterest.nl,pinterest.nl,*.pinterest.tw,pinterest.tw,*.pinterest.th,pinterest.th,*.pinterest.id,*.pinterest.vn,*.pinterest.hu,pinterest.vn,*.pinterest.uk,pinterest.uk,*.pinterest.ru,pinterest.ru,*.pinterest.it,pinterest.it,pinterest.fr,pinterest.cl,*.pinterest.fr,*.pinterest.jp,*.pinterest.ca,pinterest.com,pin.it,*.pinterest.se,*.pinterest.pt,*.pinterest.mx,*.pinterest.kr,*.pinterest.ie,pinterest.engineering,*.pinterest.dk,*.pinterest.de,*.pinterest.ch,*.pinterest.at,*.pinterestmail.com,*.pinterest.engineering,*.pinterest.info,pinterest.info,pinimg.com,pinterestmail.com,pinterest.de,pinterest.dk,pinterest.ie,pinterest.jp,pinterest.kr,pinterest.mx,pinterest.pt,pinterest.se,pinterest.at,pinterest.ch,pinterest.co.at,*.pinterest.com.uy,pinterest.co.kr,pinterest.co.uk,*.pinterest.com.au,pinterest.com.au,pinterest.com.mx,*.pinterest.co.nz,pinterest.co.nz,pinterest.com.pe,pinterest.com.uy,*.pinterest.co.in,pinterest.com.py,*.pinterest.com.py,pinter
est.com.bo,*.pinterest.com.bo,pinterest.com.ec,*.pinterest.com.ec,pinterest.co.in,*.pinterest.com.pe,*.pinterest.com.mx,pinterest.com.vn,*.pinterest.com.vn,*.pinterest.co.uk,*.pinterest.co.kr,*.pinterest.co.at,*.testing.pinterest.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Pinterest, Inc., CN=*.pinterest.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"1E:D0:5D:9F:0D:82:46:B3:60:5F:11:FB:64:D5:28:35:37:40:7A:4E"}}
00585{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":159,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":10,"flow_packets_processed":1,"flow_first_seen":1605289714250,"flow_last_seen":1605289714250,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1605289714250,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7854","src_port":33156,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00491{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":159,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":10,"flow_packet_id":1,"flow_last_seen":1605289714250,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"ts_msec":1605289714250,"pkt":"qtsDr8lk5EKm5WPyht1gA+BkACAGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAACXZXhUgYQBu4mXWd7qkQRvgBAJlouHAAABAQgKz6oyaMK4cmQ="}
00591{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":160,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":11,"flow_packets_processed":1,"flow_first_seen":1605289714250,"flow_last_seen":1605289714250,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1605289714250,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80b::2002","src_port":58726,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -73,40 +73,40 @@
00926{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":505,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":13,"flow_packets_processed":6,"flow_first_seen":1605289714558,"flow_last_seen":1605289714615,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1208,"flow_tot_l4_payload_len":1725,"flow_avg_l4_payload_len":287,"midstream":0,"ts_msec":1605289714615,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2600:1901::7a0b::","src_port":47032,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"sessions.bugsnag.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00504{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":515,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":14,"flow_packet_id":2,"flow_last_seen":1605289714616,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605289714616,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPSoAFFBABwgWAAAAAAAAIAQqAcsBIEmLB5kd7IUo3\/YpAbue9py+eGX+6kRroBJXgA2NAAACBAV4AQMDAwQCCArCuSOwyRVPBg=="}
00492{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":516,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":14,"flow_packet_id":3,"flow_last_seen":1605289714616,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"ts_msec":1605289714616,"pkt":"qtsDr8lk5EKm5WPyht1gDTn6ACAGQCoBywEgSYsHmR3shSjf9ikqABRQQAcIFgAAAAAAACAEnvYBu\/7qRGucvnhmgBAB+5GEAAABAQgKyRVPIMK5I7A="}
-00901{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":517,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":4,"flow_first_seen":1605289714590,"flow_last_seen":1605289714617,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1605289714617,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::2004","src_port":40694,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.google.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+00899{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":517,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":4,"flow_first_seen":1605289714590,"flow_last_seen":1605289714617,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1605289714617,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::2004","src_port":40694,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.google.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00585{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":525,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":15,"flow_packets_processed":1,"flow_first_seen":1605289714658,"flow_last_seen":1605289714658,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1605289714658,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7854","src_port":33280,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00504{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":525,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":1,"flow_last_seen":1605289714658,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605289714658,"pkt":"qtsDr8lk5EKm5WPyht1gCBesACgGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAACXZXhUggABu2pDSXwAAAAAoAL9ILsUAAACBAWgBAIICs+qM\/8AAAAAAQMDBw=="}
-00942{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":528,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":6,"flow_first_seen":1605289714590,"flow_last_seen":1605289714660,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1208,"flow_tot_l4_payload_len":1725,"flow_avg_l4_payload_len":287,"midstream":0,"ts_msec":1605289714660,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::2004","src_port":40694,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"www.google.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+00940{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":528,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":6,"flow_first_seen":1605289714590,"flow_last_seen":1605289714660,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1208,"flow_tot_l4_payload_len":1725,"flow_avg_l4_payload_len":287,"midstream":0,"ts_msec":1605289714660,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::2004","src_port":40694,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"www.google.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00506{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":542,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":2,"flow_last_seen":1605289714697,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605289714697,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPQBk\/5sAAAAAAAAAAJdleFQqAcsBIEmLB5kd7IUo3\/YpAbuCAAsx4c9qQ0l9oBJXgI0UAAACBAV4AQMDAwQCCArCuSQBz6oz\/w=="}
00491{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":543,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":3,"flow_last_seen":1605289714697,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"ts_msec":1605289714697,"pkt":"qtsDr8lk5EKm5WPyht1gCBesACAGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAACXZXhUggABu2pDSX0LMeHQgBAB+xD+AAABAQgKz6o0J8K5JAE="}
00907{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":544,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":15,"flow_packets_processed":4,"flow_first_seen":1605289714658,"flow_last_seen":1605289714698,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1605289714698,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7854","src_port":33280,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Pinterest","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"accounts.pinterest.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00963{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":575,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":15,"flow_packets_processed":6,"flow_first_seen":1605289714658,"flow_last_seen":1605289714739,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":1565,"flow_avg_l4_payload_len":260,"midstream":0,"ts_msec":1605289714739,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7854","src_port":33280,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Pinterest","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"accounts.pinterest.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-02743{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":583,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":15,"flow_packets_processed":14,"flow_first_seen":1605289714658,"flow_last_seen":1605289714740,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":5757,"flow_avg_l4_payload_len":411,"midstream":0,"ts_msec":1605289714740,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7854","src_port":33280,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Pinterest","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"accounts.pinterest.com","server_names":"*.pinterest.com,pinterest.in,*.pinterest.co,pinterest.co,*.pinterest.pe,pinterest.pe,*.pinterest.be,pinterest.be,*.pinterest.in,*.pinterest.ph,*.pinterest.ec,pinterest.ph,*.pinterest.cl,*.pinimg.com,*.pinterest.es,pinterest.es,*.pinterest.nz,pinterest.nz,pinterest.ec,pinterest.hu,pinterest.ca,pinterest.id,*.pinterest.nl,pinterest.nl,*.pinterest.tw,pinterest.tw,*.pinterest.th,pinterest.th,*.pinterest.id,*.pinterest.vn,*.pinterest.hu,pinterest.vn,*.pinterest.uk,pinterest.uk,*.pinterest.ru,pinterest.ru,*.pinterest.it,pinterest.it,pinterest.fr,pinterest.cl,*.pinterest.fr,*.pinterest.jp,*.pinterest.ca,pinterest.com,pin.it,*.pinterest.se,*.pinterest.pt,*.pinterest.mx,*.pinterest.kr,*.pinterest.ie,pinterest.engineering,*.pinterest.dk,*.pinterest.de,*.pinterest.ch,*.pinterest.at,*.pinterestmail.com,*.pinterest.engineering,*.pinterest.info,pinterest.info,pinimg.com,pinterestmail.com,pinterest.de,pinterest.dk,pinterest.ie,pinterest.jp,pinterest.kr,pinterest.mx,pinterest.pt,pinterest.se,pinterest.at,pinterest.ch,pinterest.co.at,*.pinterest.com.uy,pinterest.co.kr,pinterest.co.uk,*.pinterest.com.au,pinterest.com.au,pinterest.com.mx,*.pinterest.co.nz,pinterest.co.nz,pinterest.com.pe,pinterest.com.uy,*.pinterest.co.in,pinterest.com.py,*.pinterest.
com.py,pinterest.com.bo,*.pinterest.com.bo,pinterest.com.ec,*.pinterest.com.ec,pinterest.co.in,*.pinterest.com.pe,*.pinterest.com.mx,pinterest.com.vn,*.pinterest.com.vn,*.pinterest.co.uk,*.pinterest.co.kr,*.pinterest.co.at,*.testing.pinterest.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","issuerDN":"C=US, ST=California, L=San Francisco, O=Pinterest, Inc., CN=*.pinterest.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"1E:D0:5D:9F:0D:82:46:B3:60:5F:11:FB:64:D5:28:35:37:40:7A:4E"}}
+02744{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":583,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":15,"flow_packets_processed":14,"flow_first_seen":1605289714658,"flow_last_seen":1605289714740,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":5757,"flow_avg_l4_payload_len":411,"midstream":0,"ts_msec":1605289714740,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7854","src_port":33280,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Pinterest","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"accounts.pinterest.com","server_names":"*.pinterest.com,pinterest.in,*.pinterest.co,pinterest.co,*.pinterest.pe,pinterest.pe,*.pinterest.be,pinterest.be,*.pinterest.in,*.pinterest.ph,*.pinterest.ec,pinterest.ph,*.pinterest.cl,*.pinimg.com,*.pinterest.es,pinterest.es,*.pinterest.nz,pinterest.nz,pinterest.ec,pinterest.hu,pinterest.ca,pinterest.id,*.pinterest.nl,pinterest.nl,*.pinterest.tw,pinterest.tw,*.pinterest.th,pinterest.th,*.pinterest.id,*.pinterest.vn,*.pinterest.hu,pinterest.vn,*.pinterest.uk,pinterest.uk,*.pinterest.ru,pinterest.ru,*.pinterest.it,pinterest.it,pinterest.fr,pinterest.cl,*.pinterest.fr,*.pinterest.jp,*.pinterest.ca,pinterest.com,pin.it,*.pinterest.se,*.pinterest.pt,*.pinterest.mx,*.pinterest.kr,*.pinterest.ie,pinterest.engineering,*.pinterest.dk,*.pinterest.de,*.pinterest.ch,*.pinterest.at,*.pinterestmail.com,*.pinterest.engineering,*.pinterest.info,pinterest.info,pinimg.com,pinterestmail.com,pinterest.de,pinterest.dk,pinterest.ie,pinterest.jp,pinterest.kr,pinterest.mx,pinterest.pt,pinterest.se,pinterest.at,pinterest.ch,pinterest.co.at,*.pinterest.com.uy,pinterest.co.kr,pinterest.co.uk,*.pinterest.com.au,pinterest.com.au,pinterest.com.mx,*.pinterest.co.nz,pinterest.co.nz,pinterest.com.pe,pinterest.com.uy,*.pinterest.co.in,pinterest.com.py,*.pinterest.
com.py,pinterest.com.bo,*.pinterest.com.bo,pinterest.com.ec,*.pinterest.com.ec,pinterest.co.in,*.pinterest.com.pe,*.pinterest.com.mx,pinterest.com.vn,*.pinterest.com.vn,*.pinterest.co.uk,*.pinterest.co.kr,*.pinterest.co.at,*.testing.pinterest.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Pinterest, Inc., CN=*.pinterest.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"1E:D0:5D:9F:0D:82:46:B3:60:5F:11:FB:64:D5:28:35:37:40:7A:4E"}}
00584{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":626,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":16,"flow_packets_processed":1,"flow_first_seen":1605289714782,"flow_last_seen":1605289714782,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1605289714782,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::720","src_port":57050,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00503{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":626,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":1,"flow_last_seen":1605289714782,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605289714782,"pkt":"qtsDr8lk5EKm5WPyht1gCp8uACgGQCoBywEgSYsHmR3shSjf9ikqBE5CAB0AAAAAAAAAAAcg3toBu85LuqIAAAAAoAL9IEOtAAACBAWgBAIICnRgZN4AAAAAAQMDBw=="}
00504{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":692,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":2,"flow_last_seen":1605289714832,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605289714832,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPSoETkIAHQAAAAAAAAAAByAqAcsBIEmLB5kd7IUo3\/YpAbve2qyyOFrOS7qjoBJXgB0bAAACBAV4AQMDAwQCCArCuSSHdGBk3g=="}
00491{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":693,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":3,"flow_last_seen":1605289714832,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"ts_msec":1605289714832,"pkt":"qtsDr8lk5EKm5WPyht1gCp8uACAGQCoBywEgSYsHmR3shSjf9ikqBE5CAB0AAAAAAAAAAAcg3toBu85LuqOssjhbgBAB+6D6AAABAQgKdGBlEMK5JIc="}
00884{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":694,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":16,"flow_packets_processed":4,"flow_first_seen":1605289714782,"flow_last_seen":1605289714833,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1605289714833,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::720","src_port":57050,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"images.unsplash.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00940{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":870,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":16,"flow_packets_processed":6,"flow_first_seen":1605289714782,"flow_last_seen":1605289714867,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1388,"flow_tot_l4_payload_len":1905,"flow_avg_l4_payload_len":317,"midstream":0,"ts_msec":1605289714867,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::720","src_port":57050,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"images.unsplash.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-03165{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":876,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":16,"flow_packets_processed":12,"flow_first_seen":1605289714782,"flow_last_seen":1605289714869,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1388,"flow_tot_l4_payload_len":6069,"flow_avg_l4_payload_len":505,"midstream":0,"ts_msec":1605289714869,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::720","src_port":57050,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Media"},"tls": {"version":"TLSv1.2","client_requested_server_name":"images.unsplash.com","server_names":"imgix2.map.fastly.net,*.camp-fire.jp,*.carwow.co.uk,*.carwow.de,*.carwow.es,*.catchandrelease.com,*.dorothee-schumacher.com,*.footway.com,*.img-ikyu.com,*.imgix.drizly.com,*.instamotor.com,*.microdinc.com,*.msastaging.com,*.peddle.com,*.remax.ca,*.ustudio.com,*.vaping360.com,*.weber.com,article-image-ix.nikkei.com,assets.eberhardt-travel.de,assets.verishop.com,assets.verishop.xyz,cdn.airstream.com,cdn.elementthree.com,cdn.hashnode.com,cdn.naturalhealthyconcepts.com,cdn.parent.eu,cdn.phonehouse.es,cdn.shiplus.co.il,i.drop-cdn.com,i.upworthy.com,image.volunteerworld.com,imageproxy.themaven.net,images-dev.takeshape.io,images.101cookbooks.com,images.beano.com,images.businessoffashion.com,images.congstar.de,images.diesdas.digital,images.fandor.com,images.greetingsisland.com,images.malaecuia.com.br,images.omaze.com,images.roulottesgagnon.com,images.takeshape.io,images.thewanderful.co,images.unsplash.com,images.victoriaplum.com,images.vraiandoro.com,img-1.homely.com.au,img-stack.imagereflow.com,img.badshop.se,img.bernieandphyls.com,img.bioopticsworld.com,img.broadbandtechreport.com,img.broadwaybox.com,img.bygghemma.se,img.bygghjemme.no,img.byggshop.se,img.cablinginstall.com,img.dentaleconomics.com,img.dentistryiq.com,img.evaluationengineering.com,img.golvshop.
se,img.grudado.com.br,img.industrial-lasers.com,img.induux.de,img.intelligent-aerospace.com,img.inturn.co,img.laserfocusworld.com,img.ledsmagazine.com,img.lightwaveonline.com,img.militaryaerospace.com,img.mychannels.video,img.officer.com,img.offshore-mag.com,img.ogj.com,img.perioimplantadvisory.com,img.plasticsmachinerymagazine.com,img.prevu.com,img.rdhmag.com,img.speedcurve.com,img.strategies-u.com,img.utilityproducts.com,img.vision-systems.com,img.waterworld.com,img.workbook.com,img.xlhemma.se,img1.nowpurchase.com,iw.induux.de,m.22slides.com,media.sailrace.com,media.useyourlocal.com,pictures.hideaways.dk,raven.contrado.com,resources.intuitive.com,static.doorsuperstore.co.uk","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=BE, O=GlobalSign nv-sa, CN=GlobalSign CloudSSL CA - SHA256 - G3","issuerDN":"C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=imgix2.map.fastly.net","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"1F:BC:A1:79:48:96:70:32:B8:08:C1:38:D4:20:12:BE:D9:6F:14:B6"}}
-03170{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2181,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":16,"flow_packets_processed":255,"flow_first_seen":1605289714782,"flow_last_seen":1605289715109,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":6940,"flow_tot_l4_payload_len":389860,"flow_avg_l4_payload_len":1528,"midstream":0,"ts_msec":1605289715109,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::720","src_port":57050,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Media"},"tls": {"version":"TLSv1.2","client_requested_server_name":"images.unsplash.com","server_names":"imgix2.map.fastly.net,*.camp-fire.jp,*.carwow.co.uk,*.carwow.de,*.carwow.es,*.catchandrelease.com,*.dorothee-schumacher.com,*.footway.com,*.img-ikyu.com,*.imgix.drizly.com,*.instamotor.com,*.microdinc.com,*.msastaging.com,*.peddle.com,*.remax.ca,*.ustudio.com,*.vaping360.com,*.weber.com,article-image-ix.nikkei.com,assets.eberhardt-travel.de,assets.verishop.com,assets.verishop.xyz,cdn.airstream.com,cdn.elementthree.com,cdn.hashnode.com,cdn.naturalhealthyconcepts.com,cdn.parent.eu,cdn.phonehouse.es,cdn.shiplus.co.il,i.drop-cdn.com,i.upworthy.com,image.volunteerworld.com,imageproxy.themaven.net,images-dev.takeshape.io,images.101cookbooks.com,images.beano.com,images.businessoffashion.com,images.congstar.de,images.diesdas.digital,images.fandor.com,images.greetingsisland.com,images.malaecuia.com.br,images.omaze.com,images.roulottesgagnon.com,images.takeshape.io,images.thewanderful.co,images.unsplash.com,images.victoriaplum.com,images.vraiandoro.com,img-1.homely.com.au,img-stack.imagereflow.com,img.badshop.se,img.bernieandphyls.com,img.bioopticsworld.com,img.broadbandtechreport.com,img.broadwaybox.com,img.bygghemma.se,img.bygghjemme.no,img.byggshop.se,img.cablinginstall.com,img.dentaleconomics.com,img.dentistryiq.com,img.evaluationengineering.com,img.golv
shop.se,img.grudado.com.br,img.industrial-lasers.com,img.induux.de,img.intelligent-aerospace.com,img.inturn.co,img.laserfocusworld.com,img.ledsmagazine.com,img.lightwaveonline.com,img.militaryaerospace.com,img.mychannels.video,img.officer.com,img.offshore-mag.com,img.ogj.com,img.perioimplantadvisory.com,img.plasticsmachinerymagazine.com,img.prevu.com,img.rdhmag.com,img.speedcurve.com,img.strategies-u.com,img.utilityproducts.com,img.vision-systems.com,img.waterworld.com,img.workbook.com,img.xlhemma.se,img1.nowpurchase.com,iw.induux.de,m.22slides.com,media.sailrace.com,media.useyourlocal.com,pictures.hideaways.dk,raven.contrado.com,resources.intuitive.com,static.doorsuperstore.co.uk","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=BE, O=GlobalSign nv-sa, CN=GlobalSign CloudSSL CA - SHA256 - G3","issuerDN":"C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=imgix2.map.fastly.net","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"1F:BC:A1:79:48:96:70:32:B8:08:C1:38:D4:20:12:BE:D9:6F:14:B6"}}
+03166{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":876,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":16,"flow_packets_processed":12,"flow_first_seen":1605289714782,"flow_last_seen":1605289714869,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1388,"flow_tot_l4_payload_len":6069,"flow_avg_l4_payload_len":505,"midstream":0,"ts_msec":1605289714869,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::720","src_port":57050,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Media"},"tls": {"version":"TLSv1.2","client_requested_server_name":"images.unsplash.com","server_names":"imgix2.map.fastly.net,*.camp-fire.jp,*.carwow.co.uk,*.carwow.de,*.carwow.es,*.catchandrelease.com,*.dorothee-schumacher.com,*.footway.com,*.img-ikyu.com,*.imgix.drizly.com,*.instamotor.com,*.microdinc.com,*.msastaging.com,*.peddle.com,*.remax.ca,*.ustudio.com,*.vaping360.com,*.weber.com,article-image-ix.nikkei.com,assets.eberhardt-travel.de,assets.verishop.com,assets.verishop.xyz,cdn.airstream.com,cdn.elementthree.com,cdn.hashnode.com,cdn.naturalhealthyconcepts.com,cdn.parent.eu,cdn.phonehouse.es,cdn.shiplus.co.il,i.drop-cdn.com,i.upworthy.com,image.volunteerworld.com,imageproxy.themaven.net,images-dev.takeshape.io,images.101cookbooks.com,images.beano.com,images.businessoffashion.com,images.congstar.de,images.diesdas.digital,images.fandor.com,images.greetingsisland.com,images.malaecuia.com.br,images.omaze.com,images.roulottesgagnon.com,images.takeshape.io,images.thewanderful.co,images.unsplash.com,images.victoriaplum.com,images.vraiandoro.com,img-1.homely.com.au,img-stack.imagereflow.com,img.badshop.se,img.bernieandphyls.com,img.bioopticsworld.com,img.broadbandtechreport.com,img.broadwaybox.com,img.bygghemma.se,img.bygghjemme.no,img.byggshop.se,img.cablinginstall.com,img.dentaleconomics.com,img.dentistryiq.com,img.evaluationengineering.com,img.golvshop.
se,img.grudado.com.br,img.industrial-lasers.com,img.induux.de,img.intelligent-aerospace.com,img.inturn.co,img.laserfocusworld.com,img.ledsmagazine.com,img.lightwaveonline.com,img.militaryaerospace.com,img.mychannels.video,img.officer.com,img.offshore-mag.com,img.ogj.com,img.perioimplantadvisory.com,img.plasticsmachinerymagazine.com,img.prevu.com,img.rdhmag.com,img.speedcurve.com,img.strategies-u.com,img.utilityproducts.com,img.vision-systems.com,img.waterworld.com,img.workbook.com,img.xlhemma.se,img1.nowpurchase.com,iw.induux.de,m.22slides.com,media.sailrace.com,media.useyourlocal.com,pictures.hideaways.dk,raven.contrado.com,resources.intuitive.com,static.doorsuperstore.co.uk","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=BE, O=GlobalSign nv-sa, CN=GlobalSign CloudSSL CA - SHA256 - G3","subjectDN":"C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=imgix2.map.fastly.net","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"1F:BC:A1:79:48:96:70:32:B8:08:C1:38:D4:20:12:BE:D9:6F:14:B6"}}
+03171{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2181,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":16,"flow_packets_processed":255,"flow_first_seen":1605289714782,"flow_last_seen":1605289715109,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":6940,"flow_tot_l4_payload_len":389860,"flow_avg_l4_payload_len":1528,"midstream":0,"ts_msec":1605289715109,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::720","src_port":57050,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Media"},"tls": {"version":"TLSv1.2","client_requested_server_name":"images.unsplash.com","server_names":"imgix2.map.fastly.net,*.camp-fire.jp,*.carwow.co.uk,*.carwow.de,*.carwow.es,*.catchandrelease.com,*.dorothee-schumacher.com,*.footway.com,*.img-ikyu.com,*.imgix.drizly.com,*.instamotor.com,*.microdinc.com,*.msastaging.com,*.peddle.com,*.remax.ca,*.ustudio.com,*.vaping360.com,*.weber.com,article-image-ix.nikkei.com,assets.eberhardt-travel.de,assets.verishop.com,assets.verishop.xyz,cdn.airstream.com,cdn.elementthree.com,cdn.hashnode.com,cdn.naturalhealthyconcepts.com,cdn.parent.eu,cdn.phonehouse.es,cdn.shiplus.co.il,i.drop-cdn.com,i.upworthy.com,image.volunteerworld.com,imageproxy.themaven.net,images-dev.takeshape.io,images.101cookbooks.com,images.beano.com,images.businessoffashion.com,images.congstar.de,images.diesdas.digital,images.fandor.com,images.greetingsisland.com,images.malaecuia.com.br,images.omaze.com,images.roulottesgagnon.com,images.takeshape.io,images.thewanderful.co,images.unsplash.com,images.victoriaplum.com,images.vraiandoro.com,img-1.homely.com.au,img-stack.imagereflow.com,img.badshop.se,img.bernieandphyls.com,img.bioopticsworld.com,img.broadbandtechreport.com,img.broadwaybox.com,img.bygghemma.se,img.bygghjemme.no,img.byggshop.se,img.cablinginstall.com,img.dentaleconomics.com,img.dentistryiq.com,img.evaluationengineering.com,img.golv
shop.se,img.grudado.com.br,img.industrial-lasers.com,img.induux.de,img.intelligent-aerospace.com,img.inturn.co,img.laserfocusworld.com,img.ledsmagazine.com,img.lightwaveonline.com,img.militaryaerospace.com,img.mychannels.video,img.officer.com,img.offshore-mag.com,img.ogj.com,img.perioimplantadvisory.com,img.plasticsmachinerymagazine.com,img.prevu.com,img.rdhmag.com,img.speedcurve.com,img.strategies-u.com,img.utilityproducts.com,img.vision-systems.com,img.waterworld.com,img.workbook.com,img.xlhemma.se,img1.nowpurchase.com,iw.induux.de,m.22slides.com,media.sailrace.com,media.useyourlocal.com,pictures.hideaways.dk,raven.contrado.com,resources.intuitive.com,static.doorsuperstore.co.uk","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=BE, O=GlobalSign nv-sa, CN=GlobalSign CloudSSL CA - SHA256 - G3","subjectDN":"C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=imgix2.map.fastly.net","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"1F:BC:A1:79:48:96:70:32:B8:08:C1:38:D4:20:12:BE:D9:6F:14:B6"}}
00592{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2206,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":17,"flow_packets_processed":1,"flow_first_seen":1605289715133,"flow_last_seen":1605289715133,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1605289715133,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::2003","src_port":51582,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00504{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2206,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":17,"flow_packet_id":1,"flow_last_seen":1605289715133,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605289715133,"pkt":"qtsDr8lk5EKm5WPyht1gAUyOACgGQCoBywEgSYsHmR3shSjf9ikqABRQQAcIFgAAAAAAACADyX4Bu+HPmfcAAAAAoAL9IJHxAAACBAWgBAIICjiITggAAAAAAQMDBw=="}
00505{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2778,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":17,"flow_packet_id":2,"flow_last_seen":1605289715210,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605289715210,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPSoAFFBABwgWAAAAAAAAIAMqAcsBIEmLB5kd7IUo3\/YpAbvJfoEpGV7hz5n4oBJXgLSTAAACBAV4AQMDAwQCCArCuSXYOIhOCA=="}
00492{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2781,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":17,"flow_packet_id":3,"flow_last_seen":1605289715210,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"ts_msec":1605289715210,"pkt":"qtsDr8lk5EKm5WPyht1gAUyOACAGQCoBywEgSYsHmR3shSjf9ikqABRQQAcIFgAAAAAAACADyX4Bu+HPmfiBKRlfgBAB+zhYAAABAQgKOIhOVcK5Jdg="}
-00903{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":2792,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":17,"flow_packets_processed":4,"flow_first_seen":1605289715133,"flow_last_seen":1605289715212,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1605289715212,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::2003","src_port":51582,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.gstatic.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+00901{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":2792,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":17,"flow_packets_processed":4,"flow_first_seen":1605289715133,"flow_last_seen":1605289715212,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1605289715212,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::2003","src_port":51582,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.gstatic.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00592{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2896,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":18,"flow_packets_processed":1,"flow_first_seen":1605289715221,"flow_last_seen":1605289715221,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1605289715221,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:806::200e","src_port":54416,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00504{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2896,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":18,"flow_packet_id":1,"flow_last_seen":1605289715221,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605289715221,"pkt":"qtsDr8lk5EKm5WPyht1gDRmqACgGQCoBywEgSYsHmR3shSjf9ikqABRQQAcIBgAAAAAAACAO1JABu7b0CzwAAAAAoAL9ILgWAAACBAWgBAIICnB0noAAAAAAAQMDBw=="}
00505{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3385,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":18,"flow_packet_id":2,"flow_last_seen":1605289715273,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605289715273,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPSoAFFBABwgGAAAAAAAAIA4qAcsBIEmLB5kd7IUo3\/YpAbvUkNYqBSe29As9oBJXgJmfAAACBAV4AQMDAwQCCArCuSYncHSegA=="}
00492{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3387,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":18,"flow_packet_id":3,"flow_last_seen":1605289715273,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"ts_msec":1605289715273,"pkt":"qtsDr8lk5EKm5WPyht1gDRmqACAGQCoBywEgSYsHmR3shSjf9ikqABRQQAcIBgAAAAAAACAO1JABu7b0Cz3WKgUogBAB+x19AAABAQgKcHSetMK5Jic="}
-00903{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":3394,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":18,"flow_packets_processed":4,"flow_first_seen":1605289715221,"flow_last_seen":1605289715274,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1605289715274,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:806::200e","src_port":54416,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"apis.google.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+00901{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":3394,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":18,"flow_packets_processed":4,"flow_first_seen":1605289715221,"flow_last_seen":1605289715274,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1605289715274,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:806::200e","src_port":54416,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"apis.google.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00598{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":3395,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":19,"flow_packets_processed":1,"flow_first_seen":1605289715274,"flow_last_seen":1605289715274,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1605289715274,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a03:2880:f030:13:face:b00c::3","src_port":51292,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00505{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3395,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":19,"flow_packet_id":1,"flow_last_seen":1605289715274,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605289715274,"pkt":"qtsDr8lk5EKm5WPyht1gCiKuACgGQCoBywEgSYsHmR3shSjf9ikqAyiA8DAAE\/rOsAwAAAADyFwBu3K5vIYAAAAAoAL9IIqeAAACBAWgBAIICrhM3AoAAAAAAQMDBw=="}
-00944{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":3513,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":17,"flow_packets_processed":6,"flow_first_seen":1605289715133,"flow_last_seen":1605289715287,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1208,"flow_tot_l4_payload_len":1725,"flow_avg_l4_payload_len":287,"midstream":0,"ts_msec":1605289715287,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::2003","src_port":51582,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"www.gstatic.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+00942{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":3513,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":17,"flow_packets_processed":6,"flow_first_seen":1605289715133,"flow_last_seen":1605289715287,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1208,"flow_tot_l4_payload_len":1725,"flow_avg_l4_payload_len":287,"midstream":0,"ts_msec":1605289715287,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::2003","src_port":51582,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"www.gstatic.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00505{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3659,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":19,"flow_packet_id":2,"flow_last_seen":1605289715301,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605289715301,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPSoDKIDwMAAT+s6wDAAAAAMqAcsBIEmLB5kd7IUo3\/YpAbvIXBJtCi5yubyHoBJXgCqsAAACBAV4AQMDAwQCCArCuSZZuEzcCg=="}
00493{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3662,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":19,"flow_packet_id":3,"flow_last_seen":1605289715301,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"ts_msec":1605289715301,"pkt":"qtsDr8lk5EKm5WPyht1gCiKuACAGQCoBywEgSYsHmR3shSjf9ikqAyiA8DAAE\/rOsAwAAAADyFwBu3K5vIcSbQovgBAB+66iAAABAQgKuEzcJcK5Jlk="}
00917{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":3667,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":19,"flow_packets_processed":4,"flow_first_seen":1605289715274,"flow_last_seen":1605289715301,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1605289715301,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a03:2880:f030:13:face:b00c::3","src_port":51292,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Facebook","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"connect.facebook.net","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-00944{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":3797,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":18,"flow_packets_processed":6,"flow_first_seen":1605289715221,"flow_last_seen":1605289715321,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1208,"flow_tot_l4_payload_len":1725,"flow_avg_l4_payload_len":287,"midstream":0,"ts_msec":1605289715321,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:806::200e","src_port":54416,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"apis.google.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+00942{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":3797,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":18,"flow_packets_processed":6,"flow_first_seen":1605289715221,"flow_last_seen":1605289715321,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1208,"flow_tot_l4_payload_len":1725,"flow_avg_l4_payload_len":287,"midstream":0,"ts_msec":1605289715321,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:806::200e","src_port":54416,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"apis.google.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00958{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":3820,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":19,"flow_packets_processed":6,"flow_first_seen":1605289715274,"flow_last_seen":1605289715333,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1380,"flow_tot_l4_payload_len":1897,"flow_avg_l4_payload_len":316,"midstream":0,"ts_msec":1605289715333,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a03:2880:f030:13:face:b00c::3","src_port":51292,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Facebook","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.3","client_requested_server_name":"connect.facebook.net","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"f4febc55ea12b31ae17cfb7e614afda8","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00601{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":6497,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":20,"flow_packets_processed":1,"flow_first_seen":1605289715782,"flow_last_seen":1605289715782,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1605289715782,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a03:2880:f11f:83:face:b00c::25de","src_port":60340,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00505{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6497,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":20,"flow_packet_id":1,"flow_last_seen":1605289715782,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605289715782,"pkt":"qtsDr8lk5EKm5WPyht1gAWIEACgGQCoBywEgSYsHmR3shSjf9ikqAyiA8R8Ag\/rOsAwAACXe67QBu2RbtWoAAAAAoAL9IBbyAAACBAWgBAIICmcfa8wAAAAAAQMDBw=="}
@@ -128,8 +128,8 @@
00505{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":14612,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":23,"flow_packet_id":1,"flow_last_seen":1605289717548,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605289717548,"pkt":"qtsDr8lk5EKm5WPyht1gD67DACgGQCoBywEgSYsHmR3shSjf9ikqABRQQAcIFgAAAAAAACANn74Bu+7PaD4AAAAAoAL9ID+FAAACBAWgBAIICjGG9eUAAAAAAQMDBw=="}
00507{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":14613,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":23,"flow_packet_id":2,"flow_last_seen":1605289717572,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605289717572,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPSoAFFBABwgWAAAAAAAAIA0qAcsBIEmLB5kd7IUo3\/YpAbufvovR75juz2g\/oBJXgHfiAAACBAV4AQMDAwQCCArCuS86MYb15Q=="}
00495{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":14614,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":23,"flow_packet_id":3,"flow_last_seen":1605289717572,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"ts_msec":1605289717572,"pkt":"qtsDr8lk5EKm5WPyht1gD67DACAGQCoBywEgSYsHmR3shSjf9ikqABRQQAcIFgAAAAAAACANn74Bu+7PaD+L0e+ZgBAB+\/vbAAABAQgKMYb1\/cK5Lzo="}
-00908{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":14615,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":23,"flow_packets_processed":4,"flow_first_seen":1605289717548,"flow_last_seen":1605289717572,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1605289717572,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::200d","src_port":40894,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"accounts.google.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-00949{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":14617,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":23,"flow_packets_processed":6,"flow_first_seen":1605289717548,"flow_last_seen":1605289717605,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1208,"flow_tot_l4_payload_len":1725,"flow_avg_l4_payload_len":287,"midstream":0,"ts_msec":1605289717605,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::200d","src_port":40894,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"accounts.google.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+00906{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":14615,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":23,"flow_packets_processed":4,"flow_first_seen":1605289717548,"flow_last_seen":1605289717572,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1605289717572,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::200d","src_port":40894,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"accounts.google.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+00947{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":14617,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":23,"flow_packets_processed":6,"flow_first_seen":1605289717548,"flow_last_seen":1605289717605,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1208,"flow_tot_l4_payload_len":1725,"flow_avg_l4_payload_len":287,"midstream":0,"ts_msec":1605289717605,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::200d","src_port":40894,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"accounts.google.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00586{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":14833,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":24,"flow_packets_processed":1,"flow_first_seen":1605289718346,"flow_last_seen":1605289718346,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1605289718346,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::720","src_port":56940,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00493{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":14833,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":24,"flow_packet_id":1,"flow_last_seen":1605289718346,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"ts_msec":1605289718346,"pkt":"qtsDr8lk5EKm5WPyht1gDn7LACAGQCoBywEgSYsHmR3shSjf9ikqBE5CAB0AAAAAAAAAAAcg3mwBu1MbKQQ2nwhTgBBf5ZGnAAABAQgKdGByysK4e5A="}
00593{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":14834,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":25,"flow_packets_processed":1,"flow_first_seen":1605289718347,"flow_last_seen":1605289718347,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1605289718347,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::2003","src_port":51472,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -142,7 +142,7 @@
00494{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":14838,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":27,"flow_packet_id":2,"flow_last_seen":1605289718378,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"ts_msec":1605289718378,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACAGPSoAFFBABwgMAAAAAAAAIAoqAcsBIEmLB5kd7IUo3\/YpAbvfKq3COfXNBVWYgBALvWWfAAABAQgKwrkyYVcQ4ow="}
00494{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":14839,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":25,"flow_packet_id":2,"flow_last_seen":1605289718378,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"ts_msec":1605289718378,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACAGPSoAFFBABwgWAAAAAAAAIAMqAcsBIEmLB5kd7IUo3\/YpAbvJEPGplpSXUIMEgBALh6bdAAABAQgKwrkyYTiGPeg="}
00494{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":14840,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":26,"flow_packet_id":2,"flow_last_seen":1605289718378,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"ts_msec":1605289718378,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACAGPSoAFFBABwgGAAAAAAAAIA4qAcsBIEmLB5kd7IUo3\/YpAbvUJMtvpLavZCWagBAL1W6tAAABAQgKwrkyYnBykDw="}
-02741{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":14860,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":255,"flow_first_seen":1605289713743,"flow_last_seen":1605289719719,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1388,"flow_tot_l4_payload_len":145253,"flow_avg_l4_payload_len":569,"midstream":0,"ts_msec":1605289719719,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7854","src_port":33262,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Pinterest","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.pinterest.fr","server_names":"*.pinterest.com,pinterest.in,*.pinterest.co,pinterest.co,*.pinterest.pe,pinterest.pe,*.pinterest.be,pinterest.be,*.pinterest.in,*.pinterest.ph,*.pinterest.ec,pinterest.ph,*.pinterest.cl,*.pinimg.com,*.pinterest.es,pinterest.es,*.pinterest.nz,pinterest.nz,pinterest.ec,pinterest.hu,pinterest.ca,pinterest.id,*.pinterest.nl,pinterest.nl,*.pinterest.tw,pinterest.tw,*.pinterest.th,pinterest.th,*.pinterest.id,*.pinterest.vn,*.pinterest.hu,pinterest.vn,*.pinterest.uk,pinterest.uk,*.pinterest.ru,pinterest.ru,*.pinterest.it,pinterest.it,pinterest.fr,pinterest.cl,*.pinterest.fr,*.pinterest.jp,*.pinterest.ca,pinterest.com,pin.it,*.pinterest.se,*.pinterest.pt,*.pinterest.mx,*.pinterest.kr,*.pinterest.ie,pinterest.engineering,*.pinterest.dk,*.pinterest.de,*.pinterest.ch,*.pinterest.at,*.pinterestmail.com,*.pinterest.engineering,*.pinterest.info,pinterest.info,pinimg.com,pinterestmail.com,pinterest.de,pinterest.dk,pinterest.ie,pinterest.jp,pinterest.kr,pinterest.mx,pinterest.pt,pinterest.se,pinterest.at,pinterest.ch,pinterest.co.at,*.pinterest.com.uy,pinterest.co.kr,pinterest.co.uk,*.pinterest.com.au,pinterest.com.au,pinterest.com.mx,*.pinterest.co.nz,pinterest.co.nz,pinterest.com.pe,pinterest.com.uy,*.pinterest.co.in,pinterest.com.py,*.pinterest.co
m.py,pinterest.com.bo,*.pinterest.com.bo,pinterest.com.ec,*.pinterest.com.ec,pinterest.co.in,*.pinterest.com.pe,*.pinterest.com.mx,pinterest.com.vn,*.pinterest.com.vn,*.pinterest.co.uk,*.pinterest.co.kr,*.pinterest.co.at,*.testing.pinterest.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","issuerDN":"C=US, ST=California, L=San Francisco, O=Pinterest, Inc., CN=*.pinterest.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"1E:D0:5D:9F:0D:82:46:B3:60:5F:11:FB:64:D5:28:35:37:40:7A:4E"}}
+02742{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":14860,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":255,"flow_first_seen":1605289713743,"flow_last_seen":1605289719719,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1388,"flow_tot_l4_payload_len":145253,"flow_avg_l4_payload_len":569,"midstream":0,"ts_msec":1605289719719,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7854","src_port":33262,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Pinterest","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.pinterest.fr","server_names":"*.pinterest.com,pinterest.in,*.pinterest.co,pinterest.co,*.pinterest.pe,pinterest.pe,*.pinterest.be,pinterest.be,*.pinterest.in,*.pinterest.ph,*.pinterest.ec,pinterest.ph,*.pinterest.cl,*.pinimg.com,*.pinterest.es,pinterest.es,*.pinterest.nz,pinterest.nz,pinterest.ec,pinterest.hu,pinterest.ca,pinterest.id,*.pinterest.nl,pinterest.nl,*.pinterest.tw,pinterest.tw,*.pinterest.th,pinterest.th,*.pinterest.id,*.pinterest.vn,*.pinterest.hu,pinterest.vn,*.pinterest.uk,pinterest.uk,*.pinterest.ru,pinterest.ru,*.pinterest.it,pinterest.it,pinterest.fr,pinterest.cl,*.pinterest.fr,*.pinterest.jp,*.pinterest.ca,pinterest.com,pin.it,*.pinterest.se,*.pinterest.pt,*.pinterest.mx,*.pinterest.kr,*.pinterest.ie,pinterest.engineering,*.pinterest.dk,*.pinterest.de,*.pinterest.ch,*.pinterest.at,*.pinterestmail.com,*.pinterest.engineering,*.pinterest.info,pinterest.info,pinimg.com,pinterestmail.com,pinterest.de,pinterest.dk,pinterest.ie,pinterest.jp,pinterest.kr,pinterest.mx,pinterest.pt,pinterest.se,pinterest.at,pinterest.ch,pinterest.co.at,*.pinterest.com.uy,pinterest.co.kr,pinterest.co.uk,*.pinterest.com.au,pinterest.com.au,pinterest.com.mx,*.pinterest.co.nz,pinterest.co.nz,pinterest.com.pe,pinterest.com.uy,*.pinterest.co.in,pinterest.com.py,*.pinterest.co
m.py,pinterest.com.bo,*.pinterest.com.bo,pinterest.com.ec,*.pinterest.com.ec,pinterest.co.in,*.pinterest.com.pe,*.pinterest.com.mx,pinterest.com.vn,*.pinterest.com.vn,*.pinterest.co.uk,*.pinterest.co.kr,*.pinterest.co.at,*.testing.pinterest.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Pinterest, Inc., CN=*.pinterest.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"1E:D0:5D:9F:0D:82:46:B3:60:5F:11:FB:64:D5:28:35:37:40:7A:4E"}}
00585{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":14887,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":28,"flow_packets_processed":1,"flow_first_seen":1605289720502,"flow_last_seen":1605289720502,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1605289720502,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::84","src_port":38402,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00493{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":14887,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":28,"flow_packet_id":1,"flow_last_seen":1605289720502,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"ts_msec":1605289720502,"pkt":"qtsDr8lk5EKm5WPyht1gDE+lACAGQCoBywEgSYsHmR3shSjf9ikqBE5CAB0AAAAAAAAAAACElgIBuwZ3AS1n9K5wgBAD7qJGAAABAQgK1mI428K4iuQ="}
00494{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":14888,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":28,"flow_packet_id":2,"flow_last_seen":1605289720592,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"ts_msec":1605289720592,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACAGPSoETkIAHQAAAAAAAAAAAIQqAcsBIEmLB5kd7IUo3\/YpAbuWAmf0rnAGdwEugBAMdPzqAAABAQgKwrk63tZgJbc="}
@@ -173,17 +173,17 @@
00905{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":15854,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":35,"flow_packets_processed":4,"flow_first_seen":1605289732959,"flow_last_seen":1605289733006,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1605289733006,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::84","src_port":38546,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Pinterest","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"assets.pinterest.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00507{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":15960,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":36,"flow_packet_id":2,"flow_last_seen":1605289733019,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605289733019,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPSoAFFBABwgKAAAAAAAAIA4qAcsBIEmLB5kd7IUo3\/YpAbuwRmgG99MLvByLoBJXgOQ\/AAACBAV4AQMDAwQCCArCuWuDWG5gMg=="}
00494{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":15964,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":36,"flow_packet_id":3,"flow_last_seen":1605289733019,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"ts_msec":1605289733019,"pkt":"qtsDr8lk5EKm5WPyht1gD7s\/ACAGQCoBywEgSYsHmR3shSjf9ikqABRQQAcICgAAAAAAACAOsEYBuwu8HItoBvfUgBAB+2giAAABAQgKWG5gYcK5a4M="}
-00913{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":15967,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":36,"flow_packets_processed":4,"flow_first_seen":1605289732972,"flow_last_seen":1605289733019,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1605289733019,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80a::200e","src_port":45126,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.google-analytics.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+00921{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":15967,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":36,"flow_packets_processed":4,"flow_first_seen":1605289732972,"flow_last_seen":1605289733019,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1605289733019,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80a::200e","src_port":45126,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Advertisement"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.google-analytics.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00961{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":16214,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":35,"flow_packets_processed":6,"flow_first_seen":1605289732959,"flow_last_seen":1605289733059,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1388,"flow_tot_l4_payload_len":1905,"flow_avg_l4_payload_len":317,"midstream":0,"ts_msec":1605289733059,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::84","src_port":38546,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Pinterest","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"assets.pinterest.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-02741{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":16230,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":35,"flow_packets_processed":11,"flow_first_seen":1605289732959,"flow_last_seen":1605289733060,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1388,"flow_tot_l4_payload_len":5839,"flow_avg_l4_payload_len":530,"midstream":0,"ts_msec":1605289733060,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::84","src_port":38546,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Pinterest","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"assets.pinterest.com","server_names":"*.pinterest.com,pinterest.in,*.pinterest.co,pinterest.co,*.pinterest.pe,pinterest.pe,*.pinterest.be,pinterest.be,*.pinterest.in,*.pinterest.ph,*.pinterest.ec,pinterest.ph,*.pinterest.cl,*.pinimg.com,*.pinterest.es,pinterest.es,*.pinterest.nz,pinterest.nz,pinterest.ec,pinterest.hu,pinterest.ca,pinterest.id,*.pinterest.nl,pinterest.nl,*.pinterest.tw,pinterest.tw,*.pinterest.th,pinterest.th,*.pinterest.id,*.pinterest.vn,*.pinterest.hu,pinterest.vn,*.pinterest.uk,pinterest.uk,*.pinterest.ru,pinterest.ru,*.pinterest.it,pinterest.it,pinterest.fr,pinterest.cl,*.pinterest.fr,*.pinterest.jp,*.pinterest.ca,pinterest.com,pin.it,*.pinterest.se,*.pinterest.pt,*.pinterest.mx,*.pinterest.kr,*.pinterest.ie,pinterest.engineering,*.pinterest.dk,*.pinterest.de,*.pinterest.ch,*.pinterest.at,*.pinterestmail.com,*.pinterest.engineering,*.pinterest.info,pinterest.info,pinimg.com,pinterestmail.com,pinterest.de,pinterest.dk,pinterest.ie,pinterest.jp,pinterest.kr,pinterest.mx,pinterest.pt,pinterest.se,pinterest.at,pinterest.ch,pinterest.co.at,*.pinterest.com.uy,pinterest.co.kr,pinterest.co.uk,*.pinterest.com.au,pinterest.com.au,pinterest.com.mx,*.pinterest.co.nz,pinterest.co.nz,pinterest.com.pe,pinterest.com.uy,*.pinterest.co.in,pinterest.com.py,*.pinterest.co
m.py,pinterest.com.bo,*.pinterest.com.bo,pinterest.com.ec,*.pinterest.com.ec,pinterest.co.in,*.pinterest.com.pe,*.pinterest.com.mx,pinterest.com.vn,*.pinterest.com.vn,*.pinterest.co.uk,*.pinterest.co.kr,*.pinterest.co.at,*.testing.pinterest.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","issuerDN":"C=US, ST=California, L=San Francisco, O=Pinterest, Inc., CN=*.pinterest.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"1E:D0:5D:9F:0D:82:46:B3:60:5F:11:FB:64:D5:28:35:37:40:7A:4E"}}
-00954{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":16506,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":36,"flow_packets_processed":6,"flow_first_seen":1605289732972,"flow_last_seen":1605289733177,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1208,"flow_tot_l4_payload_len":1725,"flow_avg_l4_payload_len":287,"midstream":0,"ts_msec":1605289733177,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80a::200e","src_port":45126,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"www.google-analytics.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+02742{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":16230,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":35,"flow_packets_processed":11,"flow_first_seen":1605289732959,"flow_last_seen":1605289733060,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1388,"flow_tot_l4_payload_len":5839,"flow_avg_l4_payload_len":530,"midstream":0,"ts_msec":1605289733060,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::84","src_port":38546,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Pinterest","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"assets.pinterest.com","server_names":"*.pinterest.com,pinterest.in,*.pinterest.co,pinterest.co,*.pinterest.pe,pinterest.pe,*.pinterest.be,pinterest.be,*.pinterest.in,*.pinterest.ph,*.pinterest.ec,pinterest.ph,*.pinterest.cl,*.pinimg.com,*.pinterest.es,pinterest.es,*.pinterest.nz,pinterest.nz,pinterest.ec,pinterest.hu,pinterest.ca,pinterest.id,*.pinterest.nl,pinterest.nl,*.pinterest.tw,pinterest.tw,*.pinterest.th,pinterest.th,*.pinterest.id,*.pinterest.vn,*.pinterest.hu,pinterest.vn,*.pinterest.uk,pinterest.uk,*.pinterest.ru,pinterest.ru,*.pinterest.it,pinterest.it,pinterest.fr,pinterest.cl,*.pinterest.fr,*.pinterest.jp,*.pinterest.ca,pinterest.com,pin.it,*.pinterest.se,*.pinterest.pt,*.pinterest.mx,*.pinterest.kr,*.pinterest.ie,pinterest.engineering,*.pinterest.dk,*.pinterest.de,*.pinterest.ch,*.pinterest.at,*.pinterestmail.com,*.pinterest.engineering,*.pinterest.info,pinterest.info,pinimg.com,pinterestmail.com,pinterest.de,pinterest.dk,pinterest.ie,pinterest.jp,pinterest.kr,pinterest.mx,pinterest.pt,pinterest.se,pinterest.at,pinterest.ch,pinterest.co.at,*.pinterest.com.uy,pinterest.co.kr,pinterest.co.uk,*.pinterest.com.au,pinterest.com.au,pinterest.com.mx,*.pinterest.co.nz,pinterest.co.nz,pinterest.com.pe,pinterest.com.uy,*.pinterest.co.in,pinterest.com.py,*.pinterest.co
m.py,pinterest.com.bo,*.pinterest.com.bo,pinterest.com.ec,*.pinterest.com.ec,pinterest.co.in,*.pinterest.com.pe,*.pinterest.com.mx,pinterest.com.vn,*.pinterest.com.vn,*.pinterest.co.uk,*.pinterest.co.kr,*.pinterest.co.at,*.testing.pinterest.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Pinterest, Inc., CN=*.pinterest.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"1E:D0:5D:9F:0D:82:46:B3:60:5F:11:FB:64:D5:28:35:37:40:7A:4E"}}
+00962{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":16506,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":36,"flow_packets_processed":6,"flow_first_seen":1605289732972,"flow_last_seen":1605289733177,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1208,"flow_tot_l4_payload_len":1725,"flow_avg_l4_payload_len":287,"midstream":0,"ts_msec":1605289733177,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80a::200e","src_port":45126,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Advertisement"},"tls": {"version":"TLSv1.3","client_requested_server_name":"www.google-analytics.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00587{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":17592,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":37,"flow_packets_processed":1,"flow_first_seen":1605289733399,"flow_last_seen":1605289733399,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1605289733399,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7a6e","src_port":40114,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00505{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":17592,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":37,"flow_packet_id":1,"flow_last_seen":1605289733399,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605289733399,"pkt":"qtsDr8lk5EKm5WPyht1gBe6sACgGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAACXZXpunLIBuwBxlgkAAAAAoAL9IKzvAAACBAWgBAIICsW6TI0AAAAAAQMDBw=="}
00507{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":17595,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":37,"flow_packet_id":2,"flow_last_seen":1605289733420,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605289733420,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPQBk\/5sAAAAAAAAAAJdlem4qAcsBIEmLB5kd7IUo3\/YpAbucsmOjoioAcZYKoBJXgB0AAAACBAV4AQMDAwQCCArCuW0jxbpMjQ=="}
00493{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":17596,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":37,"flow_packet_id":3,"flow_last_seen":1605289733420,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"ts_msec":1605289733420,"pkt":"qtsDr8lk5EKm5WPyht1gBe6sACAGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAACXZXpunLIBuwBxlgpjo6IrgBAB+6D8AAABAQgKxbpMosK5bSM="}
00889{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":17597,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":37,"flow_packets_processed":4,"flow_first_seen":1605289733399,"flow_last_seen":1605289733421,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1605289733421,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7a6e","src_port":40114,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"js-agent.newrelic.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00945{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":17600,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":37,"flow_packets_processed":6,"flow_first_seen":1605289733399,"flow_last_seen":1605289733466,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":1565,"flow_avg_l4_payload_len":260,"midstream":0,"ts_msec":1605289733466,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7a6e","src_port":40114,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"js-agent.newrelic.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-02809{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":17606,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":37,"flow_packets_processed":12,"flow_first_seen":1605289733399,"flow_last_seen":1605289733468,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":5757,"flow_avg_l4_payload_len":479,"midstream":0,"ts_msec":1605289733468,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7a6e","src_port":40114,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Media"},"tls": {"version":"TLSv1.2","client_requested_server_name":"js-agent.newrelic.com","server_names":"f4.shared.global.fastly.net,*.500px.com,*.500px.net,*.500px.org,*.acceptance.habitat.sh,*.api.swiftype.com,*.art19.com,*.brave.com,*.chef.co,*.chef.io,*.cookpad.com,*.evbstatic.com,*.eventbrite.com,*.experiencepoint.com,*.fs.pastbook.com,*.fs.quploads.com,*.ftcdn.net,*.fubo.tv,*.getchef.com,*.githash.fubo.tv,*.habitat.sh,*.inspec.io,*.issuu.com,*.isu.pub,*.jimdo-dev-staging.com,*.jimdo-stable-staging.com,*.lulus.com,*.mansion-market.com,*.marfeel.com,*.massrel.io,*.meetu.ps,*.meetup.com,*.meetupstatic.com,*.newrelic.com,*.opscode.com,*.perimeterx.net,*.production.cdn.art19.com,*.staging.art19.com,*.staging.cdn.art19.com,*.swiftype.com,*.tissuu.com,*.video.franklyinc.com,*.wikihow.com,*.worldnow.com,500px.com,500px.net,500px.org,a1.awin1.com,acceptance.habitat.sh,api.swiftype.com,app.birchbox.com,app.staging.birchbox.com,app.staging.birchbox.es,art19.com,brave.com,cdn-f.adsmoloco.com,cdn.evbuc.com,cdn.polyfills.io,chef.co,chef.io,content.gamefuel.info,evbuc.com,experiencepoint.com,fast.appcues.com,fast.wistia.com,fast.wistia.net,fast.wistia.st,fubo.tv,getchef.com,githash.fubo.tv,habitat.sh,hbbtv.6play.fr,houstontexans.com,insight.atpi.com,inspec.io,jimdo-dev-staging.com,jimdo-stable-staging.com,link.sg.booking.com,mansion-market.com,media.bunited.co
m,meetu.ps,meetup.com,meetupstatic.com,onairhls.malimarcdn.net,opscode.com,perimeterx.net,polyfill.webservices.ft.com,qa.polyfills.io,raiders.com,s.sg.booking.com,s.swiftypecdn.com,static.birchbox.com,swiftype.com,viverepiusani.it,wikihow.com,wistia.com,www.dwin2.com,www.houstontexans.com,www.raiders.com,www.wada-ama.org","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=BE, O=GlobalSign nv-sa, CN=GlobalSign CloudSSL CA - SHA256 - G3","issuerDN":"C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=f4.shared.global.fastly.net","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"BE:28:82:77:5B:06:41:1F:70:84:BD:A4:B9:FB:F0:BC:B1:B5:E3:A0"}}
+02810{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":17606,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":37,"flow_packets_processed":12,"flow_first_seen":1605289733399,"flow_last_seen":1605289733468,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":5757,"flow_avg_l4_payload_len":479,"midstream":0,"ts_msec":1605289733468,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7a6e","src_port":40114,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Media"},"tls": {"version":"TLSv1.2","client_requested_server_name":"js-agent.newrelic.com","server_names":"f4.shared.global.fastly.net,*.500px.com,*.500px.net,*.500px.org,*.acceptance.habitat.sh,*.api.swiftype.com,*.art19.com,*.brave.com,*.chef.co,*.chef.io,*.cookpad.com,*.evbstatic.com,*.eventbrite.com,*.experiencepoint.com,*.fs.pastbook.com,*.fs.quploads.com,*.ftcdn.net,*.fubo.tv,*.getchef.com,*.githash.fubo.tv,*.habitat.sh,*.inspec.io,*.issuu.com,*.isu.pub,*.jimdo-dev-staging.com,*.jimdo-stable-staging.com,*.lulus.com,*.mansion-market.com,*.marfeel.com,*.massrel.io,*.meetu.ps,*.meetup.com,*.meetupstatic.com,*.newrelic.com,*.opscode.com,*.perimeterx.net,*.production.cdn.art19.com,*.staging.art19.com,*.staging.cdn.art19.com,*.swiftype.com,*.tissuu.com,*.video.franklyinc.com,*.wikihow.com,*.worldnow.com,500px.com,500px.net,500px.org,a1.awin1.com,acceptance.habitat.sh,api.swiftype.com,app.birchbox.com,app.staging.birchbox.com,app.staging.birchbox.es,art19.com,brave.com,cdn-f.adsmoloco.com,cdn.evbuc.com,cdn.polyfills.io,chef.co,chef.io,content.gamefuel.info,evbuc.com,experiencepoint.com,fast.appcues.com,fast.wistia.com,fast.wistia.net,fast.wistia.st,fubo.tv,getchef.com,githash.fubo.tv,habitat.sh,hbbtv.6play.fr,houstontexans.com,insight.atpi.com,inspec.io,jimdo-dev-staging.com,jimdo-stable-staging.com,link.sg.booking.com,mansion-market.com,media.bunited.co
m,meetu.ps,meetup.com,meetupstatic.com,onairhls.malimarcdn.net,opscode.com,perimeterx.net,polyfill.webservices.ft.com,qa.polyfills.io,raiders.com,s.sg.booking.com,s.swiftypecdn.com,static.birchbox.com,swiftype.com,viverepiusani.it,wikihow.com,wistia.com,www.dwin2.com,www.houstontexans.com,www.raiders.com,www.wada-ama.org","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=BE, O=GlobalSign nv-sa, CN=GlobalSign CloudSSL CA - SHA256 - G3","subjectDN":"C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=f4.shared.global.fastly.net","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"BE:28:82:77:5B:06:41:1F:70:84:BD:A4:B9:FB:F0:BC:B1:B5:E3:A0"}}
00613{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":17657,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":2,"flow_first_seen":1605289712203,"flow_last_seen":1605289712420,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1605289734948,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:807::200a","src_port":40876,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"}}
00593{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":17657,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":2,"flow_first_seen":1605289712203,"flow_last_seen":1605289712420,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1605289734948,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:807::200a","src_port":40876,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00596{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":17657,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":13,"flow_packets_processed":41,"flow_first_seen":1605289714558,"flow_last_seen":1605289715083,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1208,"flow_tot_l4_payload_len":7864,"flow_avg_l4_payload_len":191,"midstream":0,"ts_msec":1605289734948,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2600:1901::7a0b::","src_port":47032,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
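Review bot: The two added records for flow 36 (`www.google-analytics.com`, packet ids 15967 and 16506) now expect `"breed":"Acceptable","category":"Advertisement"` where the old output had `"breed":"Tracker\/Ads","category":"Web"`, so a downstream filter or alert keyed on the breed value `Tracker/Ads` will silently stop matching this traffic. This file is regenerated test output, so the change presumably comes from the libnDPI update listed in the commit rather than from anything in this hunk. I would record it in the commit description, for example `analytics/ad flows: breed "Tracker/Ads" -> "Acceptable", category "Web" -> "Advertisement"`, which is confirmed here only for this one flow. It is also worth checking that the `schema/flow_event_schema.json` change in the same commit accepts the new category value.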
@@ -247,10 +247,10 @@
~~ total active/idle flows...: 37/37
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 3528181 bytes
-~~ total memory freed........: 3528181 bytes
-~~ total allocations/frees...: 54314/54314
+~~ total memory allocated....: 6175232 bytes
+~~ total memory freed........: 6175232 bytes
+~~ total allocations/frees...: 118510/118510
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 167 chars
-~~ json string max len.......: 3175 chars
+~~ json string max len.......: 3176 chars
~~ json string avg len.......: 1741 chars
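Review bot: Allocated bytes and the allocation count in this summary rise from 3528181/54314 to 6175232/118510 for the same capture, and the other summaries in this diff (pps, ps_vue, quic-23 through quic-29) grow by roughly the same ~2.6 MB and ~64k allocations. Allocated and freed totals still match, so this is not a leak. An increase this close to constant across captures suggests a larger fixed start-up cost, presumably from the updated libnDPI submodule. It is worth confirming that this is expected and recording it in the commit message, e.g. `per-run baseline: about +2.6 MB and +64k allocations after the libnDPI update`, because memory limits set for the daemon depend on it.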
diff --git a/test/results/pop3.pcap.out b/test/results/pop3.pcap.out
new file mode 100644
index 000000000..0cf026add
--- /dev/null
+++ b/test/results/pop3.pcap.out
@@ -0,0 +1,23 @@
+00438{"daemon_event_id":1,"daemon_event_name":"init","thread_id":0,"packet_id":0,"source":"pop3.pcap","alias":"nDPId-test","max-flows-per-thread":2048,"max-idle-flows-per-thread":256,"tick-resolution":1000,"reader-thread-count":1,"flow-scan-interval":10000,"generic-max-idle-time":600000,"icmp-max-idle-time":120000,"udp-max-idle-time":180000,"tcp-max-idle-time":7560000,"max-packets-per-flow-to-send":3,"max-packets-per-flow-to-process":255}
+00546{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1,"source":"pop3.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1349776771892,"flow_last_seen":1349776771892,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1349776771892,"l3_proto":"ip4","src_ip":"143.225.229.181","dst_ip":"74.208.5.28","src_port":35287,"dst_port":110,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
+00467{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"pop3.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_last_seen":1349776771892,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1349776771892,"pkt":"ABffs8QAAMCfw1sHCABFEAA8\/wtAAEAGdh2P4eW1StAFHInXAG5gksK3AAAAAKACFtDFsQAAAgQFtAQCCAoAYD28AAAAAAEDAwY="}
+00466{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"pop3.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_last_seen":1349776772030,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1349776772030,"pkt":"AMCfw1sHABffs8QACABFAAA8AABAADUGgDlK0AUcj+HltQBuidcdXnV7YJLCuKASFqDzqQAAAgQFtAQCCApTpKX2AGA9vAEDAwk="}
+00455{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"pop3.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_last_seen":1349776772030,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1349776772030,"pkt":"ABffs8QAAMCfw1sHCABFEAA0\/wxAAEAGdiSP4eW1StAFHInXAG5gksK4HV51fIAQAFzFqQAAAQEICgBgPkZTpKX2"}
+00683{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":10,"source":"pop3.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":10,"flow_first_seen":1349776771892,"flow_last_seen":1349776780730,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":60,"flow_tot_l4_payload_len":142,"flow_avg_l4_payload_len":14,"midstream":0,"ts_msec":1349776780730,"l3_proto":"ip4","src_ip":"143.225.229.181","dst_ip":"74.208.5.28","src_port":35287,"dst_port":110,"l4_proto":"tcp","ndpi": {"flow_risk": {"22":"Unsafe Protocol"},"proto":"POP3","breed":"Unsafe","category":"Email"},"pop": {"user":"cicciopernacchio@mail.com","password":"pippozzo"}}
+00555{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":31,"source":"pop3.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":31,"flow_first_seen":1349776771892,"flow_last_seen":1349776799209,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":1853,"flow_avg_l4_payload_len":59,"midstream":0,"ts_msec":1349776799209,"l3_proto":"ip4","src_ip":"143.225.229.181","dst_ip":"74.208.5.28","src_port":35287,"dst_port":110,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
+00152{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":31,"source":"pop3.pcap","alias":"nDPId-test","total-events-serialized":8}
+~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
+~~ packets captured/processed: 31/31
+~~ skipped flows.............: 0
+~~ total layer4 data length..: 1853 bytes
+~~ total detected protocols..: 1
+~~ total active/idle flows...: 1/1
+~~ total timeout flows.......: 0
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~ total memory allocated....: 4593386 bytes
+~~ total memory freed........: 4593386 bytes
+~~ total allocations/frees...: 99566/99566
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~ json string min len.......: 157 chars
+~~ json string max len.......: 688 chars
+~~ json string avg len.......: 482 chars
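Review bot: The `detected` event in this new expected output carries the POP3 login in clear text (`"pop": {"user":...,"password":...}`), so the golden file pins a behaviour where every consumer of the JSON stream, and any log or store behind it, receives captured credentials. If emitting the password is intended, it should be an explicit opt-in that is documented in schema/flow_event_schema.json. Otherwise the event could keep the user name and the `"22":"Unsafe Protocol"` flow risk and replace the secret with a presence flag such as `"password_seen":true` (field name is only a suggestion). The serializer itself lives in nDPId.c, outside this hunk, so this is inferred from the output alone.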
diff --git a/test/results/pps.pcap.out b/test/results/pps.pcap.out
index d2080409d..c8cf43413 100644
--- a/test/results/pps.pcap.out
+++ b/test/results/pps.pcap.out
@@ -128,7 +128,7 @@
01363{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":998,"source":"pps.pcap","alias":"nDPId-test","flow_id":38,"flow_packet_id":2,"flow_last_seen":1467353139050,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":744,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":744,"pkt_l4_len":710,"ts_msec":1467353139050,"pkt":"ABxCjnAxTF4M6gNlCABFAALaH2hAAC0GDFd7fXAxwKhzCABQxSD7GtiHFHbNKVAYADhuxwAASFRUUC8xLjEgMzAyIEZvdW5kDQpMb2NhdGlvbjogaHR0cHM6Ly95b3V0dS5iZS85b3ZjSndDN0FFYw0KU2V0LUNvb2tpZTogSF9NS1RfQ0xLSUQ9MDAwMDAwMDE1OWRhMTZiODU3NzYwODMyNWEwOGEzNzYwMDAwMDAyMDM1MzM2NTMyMzU2NTMzMzM2NTMwMzYzNDYzMzYzNTM3NjMzMDM2NjIzNTM1Mzg2NTM1NjMzMzYzMzMzMzY2NjQwMDAwMDAwODc5NmY3NTc0NzUyZTYyNjU7IFBhdGg9LzsgRG9tYWluPWhtLmJhaWR1LmNvbTsgRXhwaXJlcz1GcmksIDAxIEp1bCAyMDE2IDA2OjM1OjM4IEdNVA0KU2V0LUNvb2tpZTogSF9NS1RfQ0xLTE9HPTAwMDAwMDAxNTlkYTE2Yjg1Nzc2MDgzMjVhMDhhMzc2MDAwMDAwMjAzNTMzNjUzMjM1NjUzMzMzNjUzMDM2MzQ2MzM2MzUzNzYzMzAzNjYyMzUzNTM4NjUzNTYzMzM2MzMzMzM2NjY0MDAwMDAwMDg3OTZmNzU3NDc1MmU2MjY1OyBQYXRoPS87IERvbWFpbj1obS5iYWlkdS5jb207IEV4cGlyZXM9RnJpLCAwMSBKdWwgMjAxNiAwNjozNTozOCBHTVQNClAzUDogQ1A9IkNVUmEgQURNYSBERVZhIFBTQW8gUFNEbyBPVVIgQlVTIFVOSSBQVVIgSU5UIERFTSBTVEEgUFJFIENPTSBOQVYgT1RDIE5PSSBEU1AgQ09SIg0KQ29ubmVjdGlvbjogY2xvc2UNCkNvbnRlbnQtTGVuZ3RoOiAwDQpEYXRlOiBGcmksIDAxIEp1bCAyMDE2IDA2OjA1OjM4IEdNVA0KU2VydmVyOiBhcGFjaGUNCg0K"}
00555{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":999,"source":"pps.pcap","alias":"nDPId-test","flow_id":39,"flow_packets_processed":1,"flow_first_seen":1467353139305,"flow_last_seen":1467353139305,"flow_idle_time":7440000,"flow_min_l4_payload_len":226,"flow_max_l4_payload_len":226,"flow_tot_l4_payload_len":226,"flow_avg_l4_payload_len":226,"midstream":1,"ts_msec":1467353139305,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"203.66.182.24","src_port":50466,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00747{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":999,"source":"pps.pcap","alias":"nDPId-test","flow_id":39,"flow_packet_id":1,"flow_last_seen":1467353139305,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":280,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":280,"pkt_l4_len":246,"ts_msec":1467353139305,"pkt":"TF4M6gNlABxCjnAxCABFAAEKA4dAAIAGQVvAqHMIy0K2GMUiAFDWCs3i1IWCxVAYAQQdEwAAR0VUIC9vY3NwL01Fa3dSekJGTUVNd1FUQUpCZ1VyRGdNQ0dnVUFCQlR5NEdyNWhZb2RqWENiU1JramVxbTFHaWglMkJaQVFVU3QwR0ZodTg5bWkxZHZXQnRydGlHcnBhZ1M4Q0NFWXJGWGtxMnVneiBIVFRQLzEuMQ0KQ29ubmVjdGlvbjogS2VlcC1BbGl2ZQ0KQWNjZXB0OiAqLyoNClVzZXItQWdlbnQ6IE1pY3Jvc29mdC1DcnlwdG9BUEkvNi4xDQpIb3N0OiBjbGllbnRzMS5nb29nbGUuY29tDQoNCg=="}
-00841{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":999,"source":"pps.pcap","alias":"nDPId-test","flow_id":39,"flow_packets_processed":1,"flow_first_seen":1467353139305,"flow_last_seen":1467353139305,"flow_idle_time":7440000,"flow_min_l4_payload_len":226,"flow_max_l4_payload_len":226,"flow_tot_l4_payload_len":226,"flow_avg_l4_payload_len":226,"midstream":1,"ts_msec":1467353139305,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"203.66.182.24","src_port":50466,"dst_port":80,"l4_proto":"tcp","ndpi": {"proto":"HTTP.Google","breed":"Tracker\/Ads","category":"Web"},"http": {"hostname":"clients1.google.com","url":"clients1.google.com\/ocsp\/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih%2BZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCEYrFXkq2ugz","code":0,"content_type":"","user_agent":"Microsoft-CryptoAPI\/6.1"}}
+00839{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":999,"source":"pps.pcap","alias":"nDPId-test","flow_id":39,"flow_packets_processed":1,"flow_first_seen":1467353139305,"flow_last_seen":1467353139305,"flow_idle_time":7440000,"flow_min_l4_payload_len":226,"flow_max_l4_payload_len":226,"flow_tot_l4_payload_len":226,"flow_avg_l4_payload_len":226,"midstream":1,"ts_msec":1467353139305,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"203.66.182.24","src_port":50466,"dst_port":80,"l4_proto":"tcp","ndpi": {"proto":"HTTP.Google","breed":"Acceptable","category":"Web"},"http": {"hostname":"clients1.google.com","url":"clients1.google.com\/ocsp\/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih%2BZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCEYrFXkq2ugz","code":0,"content_type":"","user_agent":"Microsoft-CryptoAPI\/6.1"}}
01458{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1000,"source":"pps.pcap","alias":"nDPId-test","flow_id":39,"flow_packet_id":2,"flow_last_seen":1467353139309,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":813,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":813,"pkt_l4_len":779,"ts_msec":1467353139309,"pkt":"ABxCjnAxTF4M6gNlCABFAAMfaWMAAD0GXGrLQrYYwKhzCABQxSLUhYLF1grOxFAYAO2vKAAASFRUUC8xLjEgMjAwIE9LDQpDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jc3AtcmVzcG9uc2UNCkRhdGU6IFR1ZSwgMjggSnVuIDIwMTYgMTc6MzQ6NDkgR01UDQpFeHBpcmVzOiBTYXQsIDAyIEp1bCAyMDE2IDE3OjM0OjQ5IEdNVA0KU2VydmVyOiBvY3NwX3Jlc3BvbmRlcg0KQ29udGVudC1MZW5ndGg6IDQ2Mw0KWC1YU1MtUHJvdGVjdGlvbjogMTsgbW9kZT1ibG9jaw0KWC1GcmFtZS1PcHRpb25zOiBTQU1FT1JJR0lODQpBZ2U6IDIxNzg0OQ0KQ2FjaGUtQ29udHJvbDogcHVibGljLCBtYXgtYWdlPTM0NTYwMA0KDQowggHLCgEAoIIBxDCCAcAGCSsGAQUFBzABAQSCAbEwggGtMIGWohYEFErdBhYbvPZotXb1gba7Yhq6WoEvGA8yMDE2MDYyODA3MDAxN1owazBpMEEwCQYFKw4DAhoFAAQU8uBq+YWKHY1wm0kZI3qptRoofmQEFErdBhYbvPZotXb1gba7Yhq6WoEvAghGKxV5KtroM4AAGA8yMDE2MDYyODA3MDAxN1qgERgPMjAxNjA3MDUwNzAwMTdaMA0GCSqGSIb3DQEBCwUAA4IBAQBKs877cfA5B2KGhwFSvIyUBYVxkUFjApJpIKog7zezUT4uRPAvbjktL\/Ds15nk8Y2Znhsf4SdVmf8GlloCQ6IXimfBklwRGn8\/72t77ZQLcabmXBFNBqyfqmRrW1O7lFh1alLxLnbN6PNKIPNv7dkTJVq4NRpJC1H3sykeA3XbH5EEaxhdvWFd1bsvybTiEgn7Bn5bpdXlExvoxRYuc7MLXQAUHRWSGKZpv+UniRokZRHgZy2GbGkQE8sf0PVCXrNjm4qsIXnQvqrF2J2xxFQ5x1wzU7J9l9Av+bPvuQI2mdLqvQskYq3tOxhJ6prFG9fcqt4lJS5E11mkG9tPXiAq"}
00557{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1001,"source":"pps.pcap","alias":"nDPId-test","flow_id":40,"flow_packets_processed":1,"flow_first_seen":1467353139505,"flow_last_seen":1467353139505,"flow_idle_time":7440000,"flow_min_l4_payload_len":575,"flow_max_l4_payload_len":575,"flow_tot_l4_payload_len":575,"flow_avg_l4_payload_len":575,"midstream":1,"ts_msec":1467353139505,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"202.108.14.219","src_port":50467,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
01212{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1001,"source":"pps.pcap","alias":"nDPId-test","flow_id":40,"flow_packet_id":1,"flow_last_seen":1467353139505,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":629,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":629,"pkt_l4_len":595,"ts_msec":1467353139505,"pkt":"TF4M6gNlABxCjnAxCABFAAJnA5RAAIAG6ATAqHMIymwO28UjAFBUZatTb7o85VAYAQQGIwAAR0VUIC9jb3JlP3Q9MTEmY3Q9YWRzdGFydCZzdGFydHRtPTEwOTcmcmVzZXQ9MSZyYT0yJnBmPTIwMSZwPTExJnAxPTExNCZwMj0zMDAwJnNka3RwPTEmYzE9NiZyPTUwMDQ5NDYwMCZhaWQ9NTAyOTU5OTAwJnU9YWFvZWZkdHFnZmRlcHhjMnRudjNwaXVjZ2NiNGVvZm4mcHU9Jm9zPXdpbmRvd3Mmdj01JTJFMiUyRTE1JTJFMjI0MCZrcnY9MiUyRTAlMkUxMDImZHQ9Jmh1PS0xJnJuPTE0NjczNTMxMTkmaXNsb2NhbD0wJmFzPWQxOWY2NDA0N2I2NDFjZDZmZjA5NmIwNGZiMmEzMGI1JnZlPTNjYzBjOGZhMzcyNjI1ZTY0MTQzMTQ0ODE2ZjNlOTY4JnBlPWM5NWQ5OTJlMjk4NTZkYzg0ZjJlOTkwN2EyZTRiMjgyJnZmcm09JmNobD0maGNkbnY9MTAuMC4wLjI5MyZ0cGNkPTAmaXNkcm09MSZodD0wIEhUVFAvMS4xDQpVc2VyLUFnZW50OiBRWS1QbGF5ZXItV2luZG93cy8yLjAuMTAyDQpIb3N0OiBtc2cuNzEuYW0NCkFjY2VwdDogKi8qDQpBY2NlcHQtRW5jb2Rpbmc6IGd6aXAsIGRlZmxhdGUNCnF5aWQ6YWFvZWZkdHFnZmRlcHhjMnRudjNwaXVjZ2NiNGVvZm4NCnF5cGlkOl8yMDEyDQpxeXBsYXRmb3JtOjAtMg0KDQo="}
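Review bot: The expected `breed` for the `HTTP.Google` flow at packet 999 changes from `Tracker\/Ads` to `Acceptable`, and the same relabelling appears for `QUIC.Google` in quic-27.pcap.out; ps_vue.pcap.out additionally renames `TLS.Amazon` to `TLS.AmazonAWS` and moves it from category `Web` to `Cloud`. Downstream filters, dashboards or alert rules that match on these strings will stop matching without any error once this version is deployed. The commit message or changelog should list the changed labels, for example `ndpi.proto: TLS.Amazon -> TLS.AmazonAWS (category Web -> Cloud)` and `breed for Google flows: Tracker/Ads -> Acceptable`. The new values presumably come from the libnDPI submodule bump rather than from nDPId itself.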
@@ -570,9 +570,9 @@
~~ total active/idle flows...: 107/107
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 2209238 bytes
-~~ total memory freed........: 2209238 bytes
-~~ total allocations/frees...: 38337/38337
+~~ total memory allocated....: 4826779 bytes
+~~ total memory freed........: 4826779 bytes
+~~ total allocations/frees...: 102550/102550
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 160 chars
~~ json string max len.......: 2175 chars
diff --git a/test/results/ps_vue.pcap.out b/test/results/ps_vue.pcap.out
index 9b091bab9..2c37750ab 100644
--- a/test/results/ps_vue.pcap.out
+++ b/test/results/ps_vue.pcap.out
@@ -29,9 +29,9 @@
00443{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1369,"source":"ps_vue.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_last_seen":1568831068497,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1568831068497,"pkt":"QJkivOG5AKC8brI7CABFSAAow6oAAO4GOi8NIf9gwKgBhAG71yS9fOulSelfaVAQgjIznwAA"}
00574{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":1740,"source":"ps_vue.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":2,"flow_first_seen":1568831063948,"flow_last_seen":1568831063948,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":31,"flow_tot_l4_payload_len":31,"flow_avg_l4_payload_len":15,"midstream":1,"ts_msec":1568831070533,"l3_proto":"ip4","src_ip":"23.57.89.123","dst_ip":"192.168.1.132","src_port":443,"dst_port":62694,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"}}
00553{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":1740,"source":"ps_vue.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":2,"flow_first_seen":1568831063948,"flow_last_seen":1568831063948,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":31,"flow_tot_l4_payload_len":31,"flow_avg_l4_payload_len":15,"midstream":1,"ts_msec":1568831070533,"l3_proto":"ip4","src_ip":"23.57.89.123","dst_ip":"192.168.1.132","src_port":443,"dst_port":62694,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
-00591{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":1740,"source":"ps_vue.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":4,"flow_first_seen":1568831058486,"flow_last_seen":1568831068662,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":539,"flow_tot_l4_payload_len":1078,"flow_avg_l4_payload_len":269,"midstream":1,"ts_msec":1568831070533,"l3_proto":"ip4","src_ip":"13.33.255.96","dst_ip":"192.168.1.132","src_port":443,"dst_port":55076,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"}}
+00596{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":1740,"source":"ps_vue.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":4,"flow_first_seen":1568831058486,"flow_last_seen":1568831068662,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":539,"flow_tot_l4_payload_len":1078,"flow_avg_l4_payload_len":269,"midstream":1,"ts_msec":1568831070533,"l3_proto":"ip4","src_ip":"13.33.255.96","dst_ip":"192.168.1.132","src_port":443,"dst_port":55076,"l4_proto":"tcp","ndpi": {"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"}}
00558{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1740,"source":"ps_vue.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":4,"flow_first_seen":1568831058486,"flow_last_seen":1568831068662,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":539,"flow_tot_l4_payload_len":1078,"flow_avg_l4_payload_len":269,"midstream":1,"ts_msec":1568831070533,"l3_proto":"ip4","src_ip":"13.33.255.96","dst_ip":"192.168.1.132","src_port":443,"dst_port":55076,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
-00590{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":1740,"source":"ps_vue.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":1,"flow_first_seen":1568831062289,"flow_last_seen":1568831062289,"flow_idle_time":7440000,"flow_min_l4_payload_len":32,"flow_max_l4_payload_len":32,"flow_tot_l4_payload_len":32,"flow_avg_l4_payload_len":32,"midstream":1,"ts_msec":1568831070533,"l3_proto":"ip4","src_ip":"34.217.165.102","dst_ip":"192.168.1.132","src_port":443,"dst_port":63577,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"}}
+00595{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":1740,"source":"ps_vue.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":1,"flow_first_seen":1568831062289,"flow_last_seen":1568831062289,"flow_idle_time":7440000,"flow_min_l4_payload_len":32,"flow_max_l4_payload_len":32,"flow_tot_l4_payload_len":32,"flow_avg_l4_payload_len":32,"midstream":1,"ts_msec":1568831070533,"l3_proto":"ip4","src_ip":"34.217.165.102","dst_ip":"192.168.1.132","src_port":443,"dst_port":63577,"l4_proto":"tcp","ndpi": {"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"}}
00557{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1740,"source":"ps_vue.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":1,"flow_first_seen":1568831062289,"flow_last_seen":1568831062289,"flow_idle_time":7440000,"flow_min_l4_payload_len":32,"flow_max_l4_payload_len":32,"flow_tot_l4_payload_len":32,"flow_avg_l4_payload_len":32,"midstream":1,"ts_msec":1568831070533,"l3_proto":"ip4","src_ip":"34.217.165.102","dst_ip":"192.168.1.132","src_port":443,"dst_port":63577,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00564{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1740,"source":"ps_vue.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1724,"flow_first_seen":1568831054386,"flow_last_seen":1568831070533,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1318,"flow_tot_l4_payload_len":2105073,"flow_avg_l4_payload_len":1221,"midstream":1,"ts_msec":1568831070533,"l3_proto":"ip4","src_ip":"8.252.2.139","dst_ip":"192.168.1.132","src_port":80,"dst_port":59198,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00574{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":1740,"source":"ps_vue.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":2,"flow_first_seen":1568831063828,"flow_last_seen":1568831063828,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":31,"flow_tot_l4_payload_len":31,"flow_avg_l4_payload_len":15,"midstream":1,"ts_msec":1568831070533,"l3_proto":"ip4","src_ip":"23.57.89.123","dst_ip":"192.168.1.132","src_port":443,"dst_port":55648,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"}}
@@ -51,9 +51,9 @@
~~ total active/idle flows...: 8/8
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 2639455 bytes
-~~ total memory freed........: 2639455 bytes
-~~ total allocations/frees...: 37138/37138
+~~ total memory allocated....: 5298802 bytes
+~~ total memory freed........: 5298802 bytes
+~~ total allocations/frees...: 101334/101334
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 162 chars
~~ json string max len.......: 2251 chars
diff --git a/test/results/quic-23.pcap.out b/test/results/quic-23.pcap.out
index 8c4ed9003..aaba0f1b9 100644
--- a/test/results/quic-23.pcap.out
+++ b/test/results/quic-23.pcap.out
@@ -14,9 +14,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1934154 bytes
-~~ total memory freed........: 1934154 bytes
-~~ total allocations/frees...: 35370/35370
+~~ total memory allocated....: 4596469 bytes
+~~ total memory freed........: 4596469 bytes
+~~ total allocations/frees...: 99566/99566
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 160 chars
~~ json string max len.......: 2199 chars
diff --git a/test/results/quic-24.pcap.out b/test/results/quic-24.pcap.out
index a5b2606cd..4af39cfb5 100644
--- a/test/results/quic-24.pcap.out
+++ b/test/results/quic-24.pcap.out
@@ -14,9 +14,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1933981 bytes
-~~ total memory freed........: 1933981 bytes
-~~ total allocations/frees...: 35365/35365
+~~ total memory allocated....: 4596296 bytes
+~~ total memory freed........: 4596296 bytes
+~~ total allocations/frees...: 99561/99561
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 160 chars
~~ json string max len.......: 2132 chars
diff --git a/test/results/quic-27.pcap.out b/test/results/quic-27.pcap.out
index 6eb7d3b11..ad1aba044 100644
--- a/test/results/quic-27.pcap.out
+++ b/test/results/quic-27.pcap.out
@@ -1,7 +1,7 @@
00441{"daemon_event_id":1,"daemon_event_name":"init","thread_id":0,"packet_id":0,"source":"quic-27.pcap","alias":"nDPId-test","max-flows-per-thread":2048,"max-idle-flows-per-thread":256,"tick-resolution":1000,"reader-thread-count":1,"flow-scan-interval":10000,"generic-max-idle-time":600000,"icmp-max-idle-time":120000,"udp-max-idle-time":180000,"tcp-max-idle-time":7560000,"max-packets-per-flow-to-send":3,"max-packets-per-flow-to-process":255}
00595{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1,"source":"quic-27.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1592388075915,"flow_last_seen":1592388075915,"flow_idle_time":180000,"flow_min_l4_payload_len":1330,"flow_max_l4_payload_len":1330,"flow_tot_l4_payload_len":1330,"flow_avg_l4_payload_len":1330,"midstream":0,"ts_msec":1592388075915,"l3_proto":"ip6","src_ip":"3ef4:2194:f4a6:3503:40cd:714:57:c4e4","dst_ip":"2f3d:64d1:9d59:549b::200e","src_port":64229,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
02267{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"quic-27.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_last_seen":1592388075915,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":1392,"pkt_l4_len":1338,"ts_msec":1592388075915,"pkt":"AAAAAAAAAAgA1Oceht1gB9AaBToRPz70IZT0pjUDQM0HFABXxOQvPWTRnVlUmwAAAAAAACAO+uUBuwU6BFLF\/wAAGwh7p3UKjzv1VgAARSBBNb8rxExjuvv1Ye++hbc9om0DU4NnwSG\/3UebQzKe+\/ChMR6f65IjHiAPoLAAXROmLqaJFJBg9Sjii5GNpIY1s7jLmFqalAiGP2eQLOW5rgxDWycwtAoSDO71eI9T1Uq7EBmGHvnPmeSBFCTAwbphrP9uMLPyAc17USwCikZDlt2XGVMfiXze2ila5iBclIpM\/nqIjbZDUUYzdC34yYbr54VrUe33DQppusK5QzTfqS+3bRJeNmvfVjhputwGoNup+0y7rJDCwpxgcjG0dCKgMjLHOmSc3TOXpHySWsU8YrZhzLttd3CTZRM5WZ+WibgEID8\/Y94\/jmGwbweD3Pfo3Ppwfbm6t+wCItY8yBKRQ+H5v5jedjzP\/LjrRtljajhGcJZd6HJgjueiAiaEAdj7fx0T9yjCxPVImLtLHfXPo558xAwXVU83pzT9xavzftzVp99vYm\/GU\/kg1VYfnH4H1qpMlTlic\/Q6Q8iLnCNGJ9LIhtmYFfunAmiyObADRsU4B6j4HoJX3if+mucsKdp+8N3ugLjM4uwUvOF7XyACDpCZ\/G3\/5X5J\/zKZkqDPUYvuluMsSOj8B9WlMWtbGerp5EjqolIlNnjYomDTKeHIxZZRBaJp\/QOHxqWVWl+MlH9KWaLg+UuJ1tkD\/z7oSb+H1aPInCB0q4IOfY52jC5M0sAyNUCCRYRJtlGM\/qM0P8wM\/vcpX4GIrlML77jxP6dU5SrTUTaXASv8j9337neVie5dGU901jPeI0ibTEPO5jmp5JTAiUrtWT\/OPLGl6+AqDrvj2iLYI6MfHf54Ll0eSJwKxczdOyajjbkW+wF4mDNBcrHs+Iy+NLs84KPkQaEHysgP5fydEh4OpzytKTjbeDrjBTG9KcUWYmBar2q8HpPFclPVfMJzlgzmG1ymiPOmBJDgqQ3ZUM2g855ht6g7tzCMio0LrDHG0qDTQGyGwGnOACHMF4aRlNBHHPXjD0AWFg5ITC\/muG1btVnHCRMRKjcJbcwgB5knd4j3yLyF5jIDRSKNhE6Ac48oXpl\/X8QX7id\/RdTdMTE+I9ImLp3efowsLaCMtmIEe+7JeD8HXS\/DHY7CcQC7QJJxTExlt1pZ1J8VxZQ\/Rin8crO7sCUZAX\/MAmOTczrCmlYKxmfZCym\/VBLaEls1IO\/vlhGhIazJ4ec+unaATLsbpA8gpl3A6fA\/mtphj6B2kmQmdb4PDBkjLGlUB9TA\/hWCdu8okA42ElpefKLs7iaYvj9eGjbpH4CtZIsn81hYHam0KixsLnFD01WT2G3jWF4\/p32XASEAIX2fGqhIl42kT79V0gWU\/zHFYX4d1dqE0R0QvDLgaBR5adJ\/AQSCQX30uHxQBsrPiDAUle40F0f\/CKLbXDtfvQg3i0EyI3KXCW22kEkJyctCWU066Vqsp6MiM5DPCQw20QD2L38WJTrzFxYD7gmCe1AwoQFfD6gqTnrS3Tj0ht5GTD8vsEYZ0oe
zjMP8XuBMCjClE8hToMxgRyaUKQoJ4zuAen+tMutEa2m48+u5jHJEJljGjHC4LHZWMR3906vXde+zdCg1ShHY11L\/Bz5vKrplIBCiT9vl3ZYNjO6hBlbKS8VP\/yg6gsLQ9AigFTHxstN+VusbiYbo8JJgQWEcDGy2dI9GZZqPmAAFQeJAEQIBnrb965lc\/aHxPwoSZtBKWldoAMiE22ownQezP3boCQ596Xlhlq\/aTLkj8uddR096XdeUuOzAUI7eEPdA9iCr"}
-00872{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"quic-27.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1592388075915,"flow_last_seen":1592388075915,"flow_idle_time":180000,"flow_min_l4_payload_len":1330,"flow_max_l4_payload_len":1330,"flow_tot_l4_payload_len":1330,"flow_avg_l4_payload_len":1330,"midstream":0,"ts_msec":1592388075915,"l3_proto":"ip6","src_ip":"3ef4:2194:f4a6:3503:40cd:714:57:c4e4","dst_ip":"2f3d:64d1:9d59:549b::200e","src_port":64229,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC.Google","breed":"Tracker\/Ads","category":"Web"},"quic": {"client_requested_server_name":"play.google.com","user_agent":"beta Chrome\/84.0.4147.45 Windows NT 10.0; Win64; x64","version":"TLSv1.3","alpn":"h3-27","ja3":"1e022f87823477abd6a79c31d70062d7","tls_supported_versions":"TLSv1.3"}}
+00870{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"quic-27.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1592388075915,"flow_last_seen":1592388075915,"flow_idle_time":180000,"flow_min_l4_payload_len":1330,"flow_max_l4_payload_len":1330,"flow_tot_l4_payload_len":1330,"flow_avg_l4_payload_len":1330,"midstream":0,"ts_msec":1592388075915,"l3_proto":"ip6","src_ip":"3ef4:2194:f4a6:3503:40cd:714:57:c4e4","dst_ip":"2f3d:64d1:9d59:549b::200e","src_port":64229,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC.Google","breed":"Acceptable","category":"Web"},"quic": {"client_requested_server_name":"play.google.com","user_agent":"beta Chrome\/84.0.4147.45 Windows NT 10.0; Win64; x64","version":"TLSv1.3","alpn":"h3-27","ja3":"1e022f87823477abd6a79c31d70062d7","tls_supported_versions":"TLSv1.3"}}
02264{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"quic-27.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_last_seen":1592388075921,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":1392,"pkt_l4_len":1338,"ts_msec":1592388075921,"pkt":"AAAAAAAAAAIA6W2Tht1gAAAABToROC89ZNGdWVSbAAAAAAAAIA4+9CGU9KY1A0DNBxQAV8TkAbv65QU6\/nTM\/wAAGwAIe6d1Co879VYARSBTj79W6cwNvYIa4eRJRqYVEF\/FFQs4\/YFJNsPxXKvEgdRDTO3utbDdVpsr9xE5Fa\/TpG177HOYaSrCAz5Jo2+BV5oFjmMd9bTEkWInl1UOdHKW2niDF5nMaLe02aYd0mp25Hmgx4h+P4ZNUU2g7lMQwO8oh5pyFwebO4ynZaVfKfuvlderCYi9W3A+nCI5swIBOg\/\/GR\/eRpRy+l1xUDMEIkXKJ9xm\/36tgV9mPj+QnGLik9ENPu+ZN+Me0EJ5sHt5U9N9HC21bIxbx2522Px9RzM8EV5k0bNaVeSUX6Kx86PSOGKlOzKToSyBuVcP\/8Y\/pj31FFMn4jXKSKIZkR4jdHKqC8A0U8JWz+lo5qygK0a0s0j3vnz5UfxKqxBqYcCTRyIv0ihPq9lNS2XBnJHxjyGSIIPIjQ8xsASU2vSfjgEk5w8+ci+un+2IlNQ9pkFNXyipoW9wTbokYSnOTxLk6sFfH3dsyfqGWWE1tcdt7fy7oyiEsvZGRhn\/L+h2S5jSKsdHx7NdNgIdO39fvhXOA8HjSqb3VALAtyj6ehundx3BZcRNfsuUa5ZwC219uau0CpTuX2Tcg4sLjnvZG2Lvryln9pXYVKexJ7M82YgjmrH3wKorHuQt5fR9o7MWyn4djeqsrjK1KyRTCzgfjFDh3HyEU84LAmn6y\/vAo6GV5tlhx7mhZNMKhoPxPwLQjI9LlPc\/eMbJSDiPSdtQN0Aka6OS5JgFtfkS4GGEZrqH3Wmy218ogEMrR323mHZfknuU+di+qZFkdH\/EQiWObuHXwvxT+d8mUKnyAB02BTcx6ikllxkk+7Anulz\/alZEZCKgpjN62uDEL1zgUQWaEwOMai6Bq8aLpyIjWmfI3mXlEoQL9YGtvFU3NA0ZJr0FsSmnF79XixoAiidGmVLveJwbz2v70EltiOw6GW4XT1Nx8GJbOHEb4lw8Nf+y1YmbiOSl6N6MqAV+LTudvCC93HluIlhU0E3uX9LGDS+ScDF\/SXTW4zk9DPu\/I2vtwGCJX81Rv1WV8uy3YU63ClpeYXvX7h3rAbpodg\/tjIJpSxX8PbWv2L+X7I9n9ASbVRLPybgw1VXro90q6rMYVQ\/J4rPmhLpWzdEAazqGLHFi9KCGNiyg\/RvVoTwUKLYJ2wN2A7fA5TkKjD7w9oSn095bN7P+h75McGVrIyVqdEh4yuOB+Tvz9c62lXezMJJBw0zLwBGL\/8fc+U1+0HGaZ8c8r\/a9gzaAu\/1hL\/GX6BDxGvNlvCbNJSR7uYc+tLK+p8LJwdEE6O1NRlrVaqPbBG+gZN39wLrBIi\/4C1PvaV8uwXWpwJT4\/2iKYJmYuzWYHqOYb26qPVfaWtKa8zR+ytS6h93OrCLmPemuHc\/JEUEpO0dp8igHMSUL1C+oRr6S3mhQFj3DoLOC25YV2Nz23shcZvt4jUGqP33atbdN9fs6Z6FU668dqDsydPhc\/SLsWEHLNI2dYaUpYVsKq4rnVy
NmOwE\/6yXFioayjL1rahnUdwSUA+95p6JoySDTBjZ0UNSLSl7C2+U5OFwI7ckGRhoW0KKahovJhm17+fTYxdp+9HuvzWSSUY0fZvLQBV7yxLsR4PcQVPaqkZsrRSNzLBu5zsWgsJ7iTP5Pui\/izmglDfXm4vEH6laDbuG6URrQ7dv3yhcwEz\/QEq4E36vx+7mzPgws4U6N6vHcQkT\/3gkAaI1tEvZMgcRaUphUC3VFG3nl7XwQxFcW31F+TgbWi2aESvVU"}
02260{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"quic-27.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_last_seen":1592388075957,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":1392,"pkt_l4_len":1338,"ts_msec":1592388075957,"pkt":"AAAAAAAAAAgA1Oceht1gB9AaBToRPz70IZT0pjUDQM0HFABXxOQvPWTRnVlUmwAAAAAAACAO+uUBuwU6q+fA\/wAAGwh7p3UKjzv1VgAARSD7U2hL0O88k3UZXjUbrBBd+WZB0UG\/j7758xlBZzizfYUS+JxzLcKYGo8WQzFU7GyiuzvE8f9eov2KYsEVwanC7Vc9pLDljUq9fi2hrf+FzyyRcUlliaDQXxX7n1Ivm9KRXOqnnKdmfHVEvBFAffLmUIXWbO+YgkFjGfD8GnPXDCrAqvwlSSmWge5izab1xOS9Wo1XnWifp0lpGLQpE1MqqxNhBIDxbfaVbjuMEAWyrxRLEqh16GZ0\/jsodxxqlZew4w347xtEtqPzlLyHr4poFBV0Y0YYyCJ1yuoIhaXm+33Z+1T2cYWE7O6I9WEk+mBcGSHxZEZP4CaDr0T3d2jgKsNoKY7bkKT1W4j+vuMJDFuHBaV9SRkGAElCQfGPawy8Ys82dsHnmEEyzp8V6ce7FzsZZVA9JPutVgoejftdzH\/RLPkp8RBEvUi+HMOKcmfLfnWgmtZUoG2P5WRsd4keUAJzFzPu8JDFkn8Qz7I2ryzN2cOlRhia\/jz4PgIUt+4ZQKXncNfyTzS2OteWVaV9zMESXfyvD0pVAT08qEHRc6laTl0ufuUQBtHn5CKjoJYFHspiVeCiJegPMoj4HilpDrhpSZdELNW8O6lX\/+Ya\/E5+xP\/XiQg9mVqUhmMopCMRpiLIe2Y5jGt3vKxJGa5gox\/Ao+2MtfZQZSIoFcP8KluOAfCrb5sGinc+sTc+ZKeAOQmz2FRpTh4fxO1mAo2o9ZJLguqcLrOlyxUUSOHnuLgNLS7XObH1LUUip1vPpeYTmlqzrANNh9EYL2PlIErptyjoZYKQJ8rGcKFCKO11+88Wp\/LRi79APRPkY6RnAKucyRnsrN5ZraDdPgKee842vxIdbP4CvpQKByezNr0Y4u9e5janU208elx\/zNNPzGR9+gsEJIstRXxFey8H0re4AXkIgXjqAReUAEftPwSWT1yW9+jva9RQbrdrR5MlklIvCCr\/7U5+3OUw9\/43s\/O3pgzG2DXT5bg3D27JwIW8euuy95GFovl\/nwOfDJmNLw18bQ3hbUqIFcvmzSmF4CVgS8f8nD5zXQn0Y6t6H\/0dRw6m\/fNV\/hHkJp2gXqQ7165w9HG2aJNS+9mCFSeYNr4H2pXUCnIsj\/Pby8rM4BOGLZX6zg3e6S5gFfYBAXTKRGfLDh+HC8x9D89XnWP0cyQWheKUU2YWacOr4WVE0zJK4qj2v39Y03nQgSY7Oa54R2PRMjuzzTSkaITdQ1fo\/eapkrPXa1eGFgwwF6EMe47fkokLHjscKhQ9hUwVD1WZo132hEoWEgCk6GBm9kpFczYiEdZUPhpULGvCKI1iCSBgMjY4vkSPjkj\/CUDk9lkmQxFPWmRRIn5bNqB\/16pGMD5AZgW1l2kOJo5CYfNF1x84eGg+l3fSTIrHWDb7BvF8kmCbEpzK5xtWGHGjxOpk\/7a+pTOyHHSCngxZDzPdni8BcsxtcevFPBg2cOlxb2H\/0wK6HxkRNoGyDH5CwTV\/9X
VHoipCcVdCRMqh2JweXzA8wyDxryIMQur2tx3A0CW64wtn\/h7BSyKnDTRXR1V+Wa7DymTTmnRiQ6l5f3ecwcceih\/JZP\/GSUvQLB1MZBKOprH4Whg11Rc2g4AjShZ7+YxYeeQtOgNFCRS53FA6JbVYqDpNySia3zORBhbds4Rqs3FtKCEuzx1fAYtgyzWdf8adqeSwRKSlOPPdqsVh5zsBNqK4beqT9\/RPVDkfR2bjUTRJesgqyVO6iWDbnnnAdtd3"}
00596{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":20,"source":"quic-27.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":20,"flow_first_seen":1592388075915,"flow_last_seen":1592388084373,"flow_idle_time":180000,"flow_min_l4_payload_len":25,"flow_max_l4_payload_len":1330,"flow_tot_l4_payload_len":11647,"flow_avg_l4_payload_len":582,"midstream":0,"ts_msec":1592388084373,"l3_proto":"ip6","src_ip":"3ef4:2194:f4a6:3503:40cd:714:57:c4e4","dst_ip":"2f3d:64d1:9d59:549b::200e","src_port":64229,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
@@ -14,9 +14,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1934257 bytes
-~~ total memory freed........: 1934257 bytes
-~~ total allocations/frees...: 35371/35371
+~~ total memory allocated....: 4596572 bytes
+~~ total memory freed........: 4596572 bytes
+~~ total allocations/frees...: 99567/99567
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 160 chars
~~ json string max len.......: 2272 chars
diff --git a/test/results/quic-28.pcap.out b/test/results/quic-28.pcap.out
index 770993d39..39b0bad59 100644
--- a/test/results/quic-28.pcap.out
+++ b/test/results/quic-28.pcap.out
@@ -14,9 +14,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1940837 bytes
-~~ total memory freed........: 1940837 bytes
-~~ total allocations/frees...: 35603/35603
+~~ total memory allocated....: 4603152 bytes
+~~ total memory freed........: 4603152 bytes
+~~ total allocations/frees...: 99799/99799
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 161 chars
~~ json string max len.......: 2061 chars
diff --git a/test/results/quic-29.pcap.out b/test/results/quic-29.pcap.out
index 63aba5c9a..7de942f2d 100644
--- a/test/results/quic-29.pcap.out
+++ b/test/results/quic-29.pcap.out
@@ -14,9 +14,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1933981 bytes
-~~ total memory freed........: 1933981 bytes
-~~ total allocations/frees...: 35365/35365
+~~ total memory allocated....: 4596296 bytes
+~~ total memory freed........: 4596296 bytes
+~~ total allocations/frees...: 99561/99561
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 160 chars
~~ json string max len.......: 2133 chars
diff --git a/test/results/quic-33.pcapng.out b/test/results/quic-33.pcapng.out
index b46c3ad6a..b3be491c6 100644
--- a/test/results/quic-33.pcapng.out
+++ b/test/results/quic-33.pcapng.out
@@ -14,9 +14,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1962384 bytes
-~~ total memory freed........: 1962384 bytes
-~~ total allocations/frees...: 36342/36342
+~~ total memory allocated....: 4624699 bytes
+~~ total memory freed........: 4624699 bytes
+~~ total allocations/frees...: 100538/100538
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 163 chars
~~ json string max len.......: 2137 chars
diff --git a/test/results/quic-fuzz-overflow.pcapng.out b/test/results/quic-fuzz-overflow.pcapng.out
new file mode 100644
index 000000000..d8b033695
--- /dev/null
+++ b/test/results/quic-fuzz-overflow.pcapng.out
@@ -0,0 +1,21 @@
+00454{"daemon_event_id":1,"daemon_event_name":"init","thread_id":0,"packet_id":0,"source":"quic-fuzz-overflow.pcapng","alias":"nDPId-test","max-flows-per-thread":2048,"max-idle-flows-per-thread":256,"tick-resolution":1000,"reader-thread-count":1,"flow-scan-interval":10000,"generic-max-idle-time":600000,"icmp-max-idle-time":120000,"udp-max-idle-time":180000,"tcp-max-idle-time":7560000,"max-packets-per-flow-to-send":3,"max-packets-per-flow-to-process":255}
+00578{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1,"source":"quic-fuzz-overflow.pcapng","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1633957625000,"flow_last_seen":1633957625000,"flow_idle_time":180000,"flow_min_l4_payload_len":1252,"flow_max_l4_payload_len":1252,"flow_tot_l4_payload_len":1252,"flow_avg_l4_payload_len":1252,"midstream":0,"ts_msec":1633957625000,"l3_proto":"ip4","src_ip":"255.255.255.255","dst_ip":"255.255.255.32","src_port":8224,"dst_port":8224,"l4_proto":"udp","flow_datalink":228,"flow_max_packets":3}
+03004{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"quic-fuzz-overflow.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_last_seen":1633957625000,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1280,"pkt_type":2048,"pkt_l3_offset":0,"pkt_l4_offset":20,"pkt_len":1280,"pkt_l4_len":1260,"ts_msec":1633957625000,"pkt":"RSAFACAgIAAgESAg\/\/\/\/\/\/\/\/\/yAgICAgICAgIMhRMDI0ICAgICAgICAgICD\/\/yD\/\/\/\/\/\/yAgIAAAoAEgBENITE8gACAgVUFJRP\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/yAgICAgICAgICAgICAgIP\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIP\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/8gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICD\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIP\/\/\/\/\/\/\/\/\/\/\/yAgICAgICAg\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/8gICAgICAgICAgICAgIP\/\/\/\/\/\/\/\/\/\/\/yAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIP\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/8gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAg\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/yAgICAgICAgICAgIP\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/8gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICD\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/8gICAgICAgICAgICAgICAgIP\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/8gICAgICAgICAgICAgICAgIP\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/ICAgICAgICAgICAgICAgICD\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/ICAgICAgICAgICAgICAgICA="}
+00710{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"quic-fuzz-overflow.pcapng","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1633957625000,"flow_last_seen":1633957625000,"flow_idle_time":180000,"flow_min_l4_payload_len":1252,"flow_max_l4_payload_len":1252,"flow_tot_l4_payload_len":1252,"flow_avg_l4_payload_len":1252,"midstream":0,"ts_msec":1633957625000,"l3_proto":"ip4","src_ip":"255.255.255.255","dst_ip":"255.255.255.32","src_port":8224,"dst_port":8224,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","24":"SNI TLS extension was missing"},"proto":"QUIC","breed":"Acceptable","category":"Web"},"quic": {}}
+00579{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1,"source":"quic-fuzz-overflow.pcapng","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1633957625000,"flow_last_seen":1633957625000,"flow_idle_time":180000,"flow_min_l4_payload_len":1252,"flow_max_l4_payload_len":1252,"flow_tot_l4_payload_len":1252,"flow_avg_l4_payload_len":1252,"midstream":0,"ts_msec":1633957625000,"l3_proto":"ip4","src_ip":"255.255.255.255","dst_ip":"255.255.255.32","src_port":8224,"dst_port":8224,"l4_proto":"udp","flow_datalink":228,"flow_max_packets":3}
+00167{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":1,"source":"quic-fuzz-overflow.pcapng","alias":"nDPId-test","total-events-serialized":6}
+~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
+~~ packets captured/processed: 1/1
+~~ skipped flows.............: 0
+~~ total layer4 data length..: 1252 bytes
+~~ total detected protocols..: 1
+~~ total active/idle flows...: 1/1
+~~ total timeout flows.......: 0
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~ total memory allocated....: 4590468 bytes
+~~ total memory freed........: 4590468 bytes
+~~ total allocations/frees...: 99535/99535
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~ json string min len.......: 172 chars
+~~ json string max len.......: 3009 chars
+~~ json string avg len.......: 1577 chars
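Review bot: This expected-output file for `quic-fuzz-overflow.pcapng` pins only the serialized JSON and the allocation balance (`99535/99535`), so an out-of-bounds read in the QUIC dissector that does not alter the output would still pass the comparison. The sample appears to be a fuzzer-found overflow input, judging by its name and the padded payload, which makes it a useful regression case only if the results run is also executed on a sanitizer-instrumented build; the test runner is not visible here, so please confirm that. The `detected` event also emits an empty `"quic": {}` object alongside the `SNI TLS extension was missing` risk. It is worth checking that `schema/flow_event_schema.json` accepts an empty `quic` object, so that schema validation of this case does not fail for an unrelated reason.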
diff --git a/test/results/quic-mvfst-22.pcap.out b/test/results/quic-mvfst-22.pcap.out
index ce3e2b75f..b7bb252d4 100644
--- a/test/results/quic-mvfst-22.pcap.out
+++ b/test/results/quic-mvfst-22.pcap.out
@@ -15,9 +15,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1947762 bytes
-~~ total memory freed........: 1947762 bytes
-~~ total allocations/frees...: 35840/35840
+~~ total memory allocated....: 4610077 bytes
+~~ total memory freed........: 4610077 bytes
+~~ total allocations/frees...: 100036/100036
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 167 chars
~~ json string max len.......: 2127 chars
diff --git a/test/results/quic-mvfst-22_decryption_error.pcap.out b/test/results/quic-mvfst-22_decryption_error.pcap.out
index c596095f3..8b684a6ad 100644
--- a/test/results/quic-mvfst-22_decryption_error.pcap.out
+++ b/test/results/quic-mvfst-22_decryption_error.pcap.out
@@ -714,9 +714,9 @@
~~ total active/idle flows...: 0/0
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1926508 bytes
-~~ total memory freed........: 1926508 bytes
-~~ total allocations/frees...: 35335/35335
+~~ total memory allocated....: 4589247 bytes
+~~ total memory freed........: 4589247 bytes
+~~ total allocations/frees...: 99531/99531
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 173 chars
~~ json string max len.......: 2056 chars
diff --git a/test/results/quic-mvfst-27.pcapng.out b/test/results/quic-mvfst-27.pcapng.out
index b4cfd7026..ee2011631 100644
--- a/test/results/quic-mvfst-27.pcapng.out
+++ b/test/results/quic-mvfst-27.pcapng.out
@@ -14,9 +14,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1934125 bytes
-~~ total memory freed........: 1934125 bytes
-~~ total allocations/frees...: 35370/35370
+~~ total memory allocated....: 4596440 bytes
+~~ total memory freed........: 4596440 bytes
+~~ total allocations/frees...: 99566/99566
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 168 chars
~~ json string max len.......: 2196 chars
diff --git a/test/results/quic-mvfst-exp.pcap.out b/test/results/quic-mvfst-exp.pcap.out
index d022c8eb7..1c5e9bc2a 100644
--- a/test/results/quic-mvfst-exp.pcap.out
+++ b/test/results/quic-mvfst-exp.pcap.out
@@ -14,9 +14,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1934415 bytes
-~~ total memory freed........: 1934415 bytes
-~~ total allocations/frees...: 35380/35380
+~~ total memory allocated....: 4596730 bytes
+~~ total memory freed........: 4596730 bytes
+~~ total allocations/frees...: 99576/99576
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 167 chars
~~ json string max len.......: 2146 chars
diff --git a/test/results/quic-v2-00.pcapng.out b/test/results/quic-v2-00.pcapng.out
new file mode 100644
index 000000000..e0ce90ff3
--- /dev/null
+++ b/test/results/quic-v2-00.pcapng.out
@@ -0,0 +1,23 @@
+00446{"daemon_event_id":1,"daemon_event_name":"init","thread_id":0,"packet_id":0,"source":"quic-v2-00.pcapng","alias":"nDPId-test","max-flows-per-thread":2048,"max-idle-flows-per-thread":256,"tick-resolution":1000,"reader-thread-count":1,"flow-scan-interval":10000,"generic-max-idle-time":600000,"icmp-max-idle-time":120000,"udp-max-idle-time":180000,"tcp-max-idle-time":7560000,"max-packets-per-flow-to-send":3,"max-packets-per-flow-to-process":255}
+00566{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1,"source":"quic-v2-00.pcapng","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1637834659980,"flow_last_seen":1637834659980,"flow_idle_time":180000,"flow_min_l4_payload_len":1252,"flow_max_l4_payload_len":1252,"flow_tot_l4_payload_len":1252,"flow_avg_l4_payload_len":1252,"midstream":0,"ts_msec":1637834659980,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.198","src_port":50277,"dst_port":4443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+02130{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"quic-v2-00.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_last_seen":1637834659980,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1294,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1294,"pkt_l4_len":1260,"ts_msec":1637834659980,"pkt":"CAAnfrFjCgAnAAAACABFAgUApRBAAEARnsLAqDgBwKg4xsRlEVsE7OHRwv8CAAAIrj891mmhU7MITo0Xtz5eoNQARMoxqNSV7ADoFS7QxZ4\/HLjYUQBcyNcuN8bWG62+xF99Aye9DaJmsH6KCNcXJhjzha2fPdBZdc4Nidwy8pCVeYmH4yM6vXMdZ9UMG9ccEeFY0I8OcdmCSXa5odhdufBB8IiExzry\/kH3tbfUjXG04iCN+nOW3sUvM9jYBjMbDtvxmp3pNIhkRBYoqbdUsrgnC8gxSkuovl57ULo\/sHveA0VUZAGJSxTmVKe0r07WTY8Vme8cfKQuhCJyJQ0u6fy9TRgZZXMRXC0eJFf7TJ8th7p5hroNv6bLzmOuPgjvNTNJHwrDyFSySUxVtcYIdHVVK87NTKPpEsdU1rVG0M5a4NB7IceprsnY26+xxntF6CSj3awhr3bTkwpEEUY97+p1ajX+D8g1I4aOX6rhaGAvrlzvXuUaEGOgKPnQ+AUWgI4et+ESZ0jx95yNVOZMOIz03NHVCKK7sdoCvaV6DvfXrxC8VlZ\/voiimBSm4fxQtoq\/ehX+TDbJpuRVnW6tNqvoqo6b\/2mSeCze+AQTzCbQpJ9VxRP1OFSZb\/ZvwGL1xj+B+gsuWBOb2AKjTbcvrTFxQzjTz05z\/BTm\/8w6cUnlTZjNa6p5dHreDqezRbSD7lRQGWYzSIxQvxfAw3DmeDsgfIfLxIqlbjPAc7d1HLNRpPfAu9Xl2s0TOHTNNjxjvzFCmvhejA7r8fwovA9MGeABUWwJKX2lyb2KKRc6ZJ\/qwh1AmX1b27zLxiD3bmnWKipDS2J7nLbuit+X+x06cImd6I0jpxyszf9KlN8iShBGZLqWJuv4Sjm\/dbK5NAaFMyuxjutoHwHvt07Y0ybvrYM9q8eVqN2oXETUg3Q3JUPV6WrxRbJl02cOpYDWQmBbK32W+peQ6GgIPEGKh9xa53uYTOijgYPO7CzdBEq3yxlRm5mC45k9OnUXWP+pF\/\/3iqFzsEKAmw40YLrHgEhrRPwPwjA\/dEAdjlHQzLuPuJq\/lyh\/hngZe3iwYssgO+tjI9yT4GdtlNlxQxO2O3GnJGqReBKmRxUAIhvO4FGZvjzwaSnuQrlkrbMarvFnXBuA5xyokJGnx4Iuzxr8AuV8zTQH+3jPA\/IQu7te8iyjuipCCygjw5xX59DLE12WjOG6koGVDaTnK7EbaGXrceFbkurw9qrtaiM69Yc9LMJ8TlSB2bvsKUS5ROi5bB7Lkinodsq5TR+EIX9Vm4IdcjVjEMLk4PtAnY002vWcKoj7dqnG3PPxJ9jU5ZgalNcld216l74snMEx+DiVUziQSuix\/uhvgPCsbbNV7hTCbZgZrDyKiDQRY4+3\/aHIQ1egJTtTtCRN9\/hWBzta55pccPOZDmu4uFONofh4h8xzoTP70OytaDdl0wQ\/Ei3lAuHXsCv8+mDaCq5lkkdaZ4yec+Y7QXFDsftrwvwkHfmK1cVGIkQNhKGTJhXsAPIvMTJrvHKrKfkAkhkpujyQ9rOaLYnu9tKAqSFHSGbT4+tf9GwvC\/qe1icEqu7DGJuTrYJX
248FiL4Ch+mdl93W3xuioDiePz\/LIUFTufH2qrWjaZO246tacboPOhhUtoHXq9yDKn+WDGCcQai7+YX70MiOjB7M+ZA9r4rhA4BnGOCHFairuSvx7tyf1IdmjIxzRQkOzw=="}
+00962{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"quic-v2-00.pcapng","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1637834659980,"flow_last_seen":1637834659980,"flow_idle_time":180000,"flow_min_l4_payload_len":1252,"flow_max_l4_payload_len":1252,"flow_tot_l4_payload_len":1252,"flow_avg_l4_payload_len":1252,"midstream":0,"ts_msec":1637834659980,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.198","src_port":50277,"dst_port":4443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","24":"SNI TLS extension was missing"},"proto":"QUIC","breed":"Acceptable","category":"Web"},"quic": {"version":"TLSv1.3","alpn":"h3-34,hq-34,h3-33,hq-33,h3-32,hq-32,h3-31,hq-31,h3-29,hq-29,h3-30,hq-30,h3-28,hq-28,h3-27,hq-27,h3,hq-interop","ja3":"0299b052ace53a14c3a04aceb5efd247","tls_supported_versions":"TLSv1.3,TLSv1.3 (draft),TLSv1.3 (draft),TLSv1.3 (draft)"}}
+00553{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"quic-v2-00.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_last_seen":1637834659981,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":132,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":132,"pkt_l4_len":98,"ts_msec":1637834659981,"pkt":"CgAnAAAACAAnfrFjCABFAgB2689AAEARXI3AqDjGwKg4ARFbxGUAYl4L8P8CAAAITo0Xtz5eoNQIzn6Zws0tgzR89MPJKWOEcQosGt5JnvFEzbxq7ueyicjryx4GEYRiBPVuCO\/u++qyU+1Oe0oBZ5OgZN57Q6zBwe7HF\/MNE0OW9jWa"}
+02127{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"quic-v2-00.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_last_seen":1637834659981,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1294,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1294,"pkt_l4_len":1260,"ts_msec":1637834659981,"pkt":"CAAnfrFjCgAnAAAACABFAgUApRFAAEARnsHAqDgBwKg4xsRlEVsE7Ggoxf8CAAAIzn6Zws0tgzQITo0Xtz5eoNQzfPTDySljhHEKLBreSZ7xRM28au7nsonI68seBhGEYgT1bgjv7vvqslPtTntKAWeToGTeRJcWE0YjWjjVhc2Epc6uRtR8VN2t2fxi\/BKMmIkOV87hdjuuQq+sQZ0aP+qAWUZVPXYTQHrsn74n\/20No0K3IRfMpFAohmoCuHG\/oQ2kWLkh177bcXYP5JJlk8DkeqaOI5jJHhZopdC0EbAUvMxzupw+jzNBfqVtawmI7ck4oaVbSmv2Lh6DWiZpOV9olm9oIGBvX2BwaSJD1bqkBU4R9jqpVrYVbPT8wKh4QURdyUCFt\/pHVUDNOCdVrd5eUzcIKHKZaxSHePl\/yg\/dZfocdFhjXr+U733uYE1qFz548naI9j5KWFQR98\/CC0d0xoU88iMdiNfsuKpNx+0KTTooTNyU1vveYbCXzokTytLPjCvSa6G73TOvA8OuYqiUHp5xIaLnG3yNhVMDOSMhU4ie3r+DP28Mq2ZWhXb0gV907Zpx+KmY7qFE\/EyWPTw3ImggsMZOsPVzlV7KQ1G4JHZysWOpvVXcKqSK+UITOAxHamfF+pVJDkIieo\/+UVkfaWKxIvKYp+6AyW0mR91ijnCBWiv5ac8EelQBTEUMESmN3gff7jVmyD2UBGfExJI\/xp8zNyXaLaoqKwUf+CQdXZyTUzSEow4dw7sk0BLa4e20TxielSByZoWK6tkiltlUP4PBd1obZ\/M6oWg61j\/Daa8BtIg2NiKd6C8GmB4wD3HxshTAfK8yQQvtfE5oxhIYFSThvUihWT5Y6+DXgFo1pfhCLK9GiUczfLb4IIj1ohvX7+JFC3tCZNhvBg+W6VXr0O0KDoohneIAR1gneA0NH\/AqiCjy6uumlwR0QPW6m1\/qhFdEihzIt7lXZBU1C0s3xSiecNioN1nHQ1IZ18Gt5IO0O8fCyaWkwQJW2X4b7oYB71jM09PZ6yTEheWWX1Z9OGLrj2qcJloTu4Iu57B9axJ4rPb3iaYEijb13CtYJyBrdekXWhtaBsDUZ4K3VnApYE2uwbNJjLuophjh1jHU6UaDW7ICUdFlFfXOXD9zV29thx80\/DmDnUWBkCiYZ1b8WkeGSDocv3+HJQsgn59EUwVtn48xiKxF+ZxbEyvE+tNMsZmJsKYtblFc78KHscbC\/gXOqIss94XJoPcOEnYS4XkfqkmrgcV+OcOn4xwAQZnZuvWtmECInLRRqZSWSgrK5WL3PY0tP7MwsjMj84o6wBnMP4w3HV50+mH8pwYFK7mbzXOSQewpeHcDSLhnLJws7lK12ciTf9mDIIAvKBV\/tMkKkPxyJSEhm3jO7hS51vQnfnfkpRwdX7SiobX4njfsJlhehzLkqQw51jymiTpszSbAlctrbxZEyzfIc2WNWTUWx08ydtAwlnqeB3Do2MRGROWmPmTwZQao5kKTElIMYU3ySnnob2SxJIk9zX7GT64JhQ8ACYfYm+EIsGpdwABuXDGAru+RAc6pHR7G9TKS2nV6aLuss2\/KhvADWzMA
zwYWr8elV6VWYH9TDqVGswk9u\/66exfYVBSjIRj5MhRdx3Wo5x2vsIYtvcbxtp7Mbnc9AhThDmqqwywGPlZW7atDcUp1UHbpIe7lydp\/rxXfp2pJnL4sHu4B5+Vosg=="}
+00567{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":30,"source":"quic-v2-00.pcapng","alias":"nDPId-test","flow_id":1,"flow_packets_processed":30,"flow_first_seen":1637834659980,"flow_last_seen":1637834659987,"flow_idle_time":180000,"flow_min_l4_payload_len":55,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":26333,"flow_avg_l4_payload_len":877,"midstream":0,"ts_msec":1637834659987,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.198","src_port":50277,"dst_port":4443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00160{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":30,"source":"quic-v2-00.pcapng","alias":"nDPId-test","total-events-serialized":8}
+~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
+~~ packets captured/processed: 30/30
+~~ skipped flows.............: 0
+~~ total layer4 data length..: 26333 bytes
+~~ total detected protocols..: 1
+~~ total active/idle flows...: 1/1
+~~ total timeout flows.......: 0
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~ total memory allocated....: 4596883 bytes
+~~ total memory freed........: 4596883 bytes
+~~ total allocations/frees...: 99576/99576
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~ json string min len.......: 165 chars
+~~ json string max len.......: 2135 chars
+~~ json string avg len.......: 1207 chars
diff --git a/test/results/quic.pcap.out b/test/results/quic.pcap.out
index 3cf831098..7a8819d8a 100644
--- a/test/results/quic.pcap.out
+++ b/test/results/quic.pcap.out
@@ -13,7 +13,7 @@
00549{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":420,"source":"quic.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":6,"flow_first_seen":1461850699450,"flow_last_seen":1461850703450,"flow_idle_time":180000,"flow_min_l4_payload_len":70,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":6820,"flow_avg_l4_payload_len":1136,"midstream":0,"ts_msec":1463060980301,"l3_proto":"ip4","src_ip":"10.0.0.4","dst_ip":"10.0.0.3","src_port":40134,"dst_port":6121,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00558{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":420,"source":"quic.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":1,"flow_first_seen":1463060980301,"flow_last_seen":1463060980301,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1463060980301,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"172.217.16.4","src_port":45669,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
02240{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":420,"source":"quic.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_last_seen":1463060980301,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1463060980301,"pkt":"8IQvSpdgeJKcD6iOCABFAAViG\/5AAEARmp7AqAFprNkQBLJlAbsFTr+DDUPl1BjSnP0KUTAyNQFyZIfG66V5bj99kfIBoAEABENITE8XAAAAUEFEAIgBAABTTkkAlgEAAFNUSwDQAQAAVkVSANQBAABDQ1MA5AEAAE5PTkMEAgAATVNQQwgCAABBRUFEDAIAAFVBSUQsAgAAU0NJRDwCAABUQ0lEQAIAAFBETUREAgAAU1JCRkgCAABJQ1NMTAIAAFBVQlNsAgAAU0NMU3ACAABLRVhTdAIAAENPUFR4AgAAQ0NSVJACAABJUlRUlAIAAENFVFY4AwAAQ0ZDVzwDAABTRkNXQAMAAC0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0td3d3Lmdvb2dsZS5jb21PyGNIiSYlWYMNKJNAlwv39ix54lRFVA6paRsUl4FQy0hWHom6FQQ9JcZPH9joUxX+SDLF1j\/DSdX0UTAyNXsm6efkXHH\/AeiBYJKSGuhXNIn06ylDo5Ug9+nOea5qJJts1jMXRdJCxw2QvK85nmQAAABDQzIwQ2hyb21lLzQ5LjAuMjYyMy44NyBMaW51eCB4ODZfNjQarjm3cTKFpJVCrT7eADgKAAAAAFg1MDkAABAAHgAAAMpYWB84oseWX+q27ipmj\/RQLfsZQqQtGKexDF79uuJfAQAAAEMyNTVGSVhEVe9eTSHF9WXiYxqCfXGFX0ALe5Cprnnr7MUAAJJnZtEbkxP245vVr56GfjMCMAwif3n\/lWOThmdSnoedzP2jx+7ZPMWRBUv\/hZavd3FPUhQwHHwpvJJDzRcoSGYXtOQyhcYCVpGlxHD65Db8HFfgEKEx\/YlE\/aFaPqB1XqWWzf4zDCgIc\/Djzy4R\/py4JVjfq9V0ooIkHbH+8mAcpgdNt3gj0SeICAOM6wnOXFVXQaU2KKd\/llBTkdtTIS8p4UckAADwAAAAYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}
-00703{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":420,"source":"quic.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":1,"flow_first_seen":1463060980301,"flow_last_seen":1463060980301,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1463060980301,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"172.217.16.4","src_port":45669,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC.Google","breed":"Tracker\/Ads","category":"Web"},"quic": {"client_requested_server_name":"www.google.com","user_agent":"Chrome\/49.0.2623.87 Linux x86_64"}}
+00701{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":420,"source":"quic.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":1,"flow_first_seen":1463060980301,"flow_last_seen":1463060980301,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1463060980301,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"172.217.16.4","src_port":45669,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC.Google","breed":"Acceptable","category":"Web"},"quic": {"client_requested_server_name":"www.google.com","user_agent":"Chrome\/49.0.2623.87 Linux x86_64"}}
00554{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":421,"source":"quic.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":1,"flow_first_seen":1463060980313,"flow_last_seen":1463060980313,"flow_idle_time":180000,"flow_min_l4_payload_len":120,"flow_max_l4_payload_len":120,"flow_tot_l4_payload_len":120,"flow_avg_l4_payload_len":120,"midstream":0,"ts_msec":1463060980313,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"172.217.16.3","src_port":40461,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00589{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":421,"source":"quic.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":1,"flow_last_seen":1463060980313,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":162,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":162,"pkt_l4_len":128,"ts_msec":1463060980313,"pkt":"8IQvSpdgeJKcD6iOCABFAACUtgVAAEARBWbAqAFprNkQA54NAbsAgHEsDKM2rKXAEd7wIt3qCq5m3TavpAsTDbAsFGxmQjrMNGgPLp5\/67eBvHP3BJ3FiMAS4anKHt6qD2LZa9lkPD+xi9VHkCY0QuwL2qSbKNzU+YmHNEsRyVDptUSV5HeCE\/peVLnXWfr\/zBYlTVvhdUjE1rsevsCPj6RN"}
00560{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":422,"source":"quic.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":1,"flow_first_seen":1463060980336,"flow_last_seen":1463060980336,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1463060980336,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"216.58.210.238","src_port":34438,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
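Review bot: The `detected` event for flow 3 (`www.google.com`) now records `"breed":"Acceptable"` where it recorded `"breed":"Tracker\/Ads"`, and the next hunk makes the same change for flow 7 (`fonts.gstatic.com`); that hunk continues past the visible part of the page. This is a classification change rather than a formatting one, and it presumably comes from the libnDPI submodule update listed in the diffstat. Any consumer that filters or alerts on the `ndpi` `breed` value will treat these QUIC.Google flows differently after the update. If the commit description does not already say so, I would add a line such as `QUIC.Google flows now report breed Acceptable instead of Tracker/Ads`.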
@@ -24,7 +24,7 @@
00696{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":423,"source":"quic.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":1,"flow_first_seen":1463060980349,"flow_last_seen":1463060980349,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1463060980349,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"216.58.214.110","src_port":48445,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC.YouTube","breed":"Fun","category":"Media"},"quic": {"client_requested_server_name":"i.ytimg.com","user_agent":"Chrome\/49.0.2623.87 Linux x86_64"}}
00560{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":424,"source":"quic.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":1,"flow_first_seen":1463060980356,"flow_last_seen":1463060980356,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1463060980356,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"216.58.201.227","src_port":40030,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
02230{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":424,"source":"quic.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":1,"flow_last_seen":1463060980356,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1463060980356,"pkt":"8IQvSpdgeJKcD6iOCABFAAViY+ZAAEARbXXAqAFp2DrJ45xeAbsFTrsoDSo6NO9En0amUTAyNQHxQPc0oXq52GqfzEUBoAEUBUNITE8PAAAAUEFEACcEAABTTkkAOAQAAFZFUgA8BAAAQ0NTAEwEAABNU1BDUAQAAFVBSURwBAAAVENJRHQEAABQRE1EeAQAAFNSQkZ8BAAASUNTTIAEAABTQ0xThAQAAENPUFSIBAAASVJUVIwEAABDRkNXkAQAAFNGQ1eUBAAALS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tL
S0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLWZvbnRzLmdzdGF0aWMuY29tUTAyNXsm6efkXHH\/AeiBYJKSGuhkAAAAQ2hyb21lLzQ5LjAuMjYyMy44NyBMaW51eCB4ODZfNjQAAAAAWDUwOQAAEAAeAAAAAQAAAEZJWEQ2AwEAAADwAAAAYAAAAAAAAAAAAAAAAAAAAAAAAAAA"}
-00708{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":424,"source":"quic.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":1,"flow_first_seen":1463060980356,"flow_last_seen":1463060980356,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1463060980356,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"216.58.201.227","src_port":40030,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC.Google","breed":"Tracker\/Ads","category":"Web"},"quic": {"client_requested_server_name":"fonts.gstatic.com","user_agent":"Chrome\/49.0.2623.87 Linux x86_64"}}
+00706{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":424,"source":"quic.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":1,"flow_first_seen":1463060980356,"flow_last_seen":1463060980356,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1463060980356,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"216.58.201.227","src_port":40030,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC.Google","breed":"Acceptable","category":"Web"},"quic": {"client_requested_server_name":"fonts.gstatic.com","user_agent":"Chrome\/49.0.2623.87 Linux x86_64"}}
01475{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":425,"source":"quic.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":2,"flow_last_seen":1463060980358,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":816,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":816,"pkt_l4_len":782,"ts_msec":1463060980358,"pkt":"8IQvSpdgeJKcD6iOCABFAAMieqxAAEART+TAqAFp2DrS7oaGAbsDDnUSDaSWOQdzcSypUTAyNQKic+J8GjVsfJMsdsljddNYUoaFl0z7yC+b\/wr4VU+uLim9cSDoCfQ+BQHWf7axGI\/0otFRZnw6Kt8qBdaHMLIkdKcN8wdByZN\/oxJ5hHJiGBr5fiEEYQesGjd7ktKww8RLAeoDPzO5xHVx6UhHPdcfqLCO0OUirBVeLWv0B2O9yzbQVc1VH+bmliqhUEJvrnRG4cr78AW8g3wScWC4rwYpeJVk\/IAAQQ57Dki1DMwjrpTDHht\/5ZKfx0L6ARDMsMT4o5zF\/akZnbDa0ujEPexxAMZmDGeFTAQkCIMwA\/gA3J1r7aP1KpIssFW81KVjJ5iXRD5YwhMXjujhZlTD7FpkokyBosoiaYQ9OlBELgrsv\/9qDO2wxdYuRfMHHiN5v5dCIbRSeNjSHrD5k38mY1aUywqkMP+2CUbD2epWgY5pAU9yj7pwB44jlPLOPZlRDlPzYteeLN3w3AP\/lAuGaox0e\/nN6hJNNlHNcIQxZHPP2S1Nn2pwslhn\/VZ\/sLfiYbgNEJ7jii0Xgsq+CMf0fQRIuCSQdHqU2jrdN+ANDhT5dE3khD4eoPHs8vCv4BKfMl7gejkwwAW2mHRMOqa7T9bOfmL\/xQjsgJk39nF1RjCMAK12Xi+dtOGE9IgQxbz9zSmgmL2yfIbOnXdI+bTM22zfHQn6FUtzcayZDzqJ6V1SbCofsr53iOUBUvhiUNinYAVziLfoiiMvfHEE5p0lanDdKZb0YpgPqdNQd16jKwJjqhYbmKL4sSrdZfI7oqtHDzJwMafbASoNSGD3Uv4mKwYKsjq2Gt5i5gDh3DTXlk8HfNKd3wJG6rjWcXbXKzMhv54KIsq1aZ1I4i1ag8lQ0v10wAGcat1qElIOAsfiTGWepgC8HR8kDowOKSvfud74VVvyn31uOyJudA\/cCGuSQ\/d7qs9IBWEXiAAAuMK7hXoYMc\/2wJckDypsBIy3x5hskbJa1d0Ahy9jqEdMlnrF69g47VNiGR6icm7nProfol9M2gJRYOL9DgN\/"}
02256{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":426,"source":"quic.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_last_seen":1463060980361,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1463060980361,"pkt":"eJKcD6iO8IQvSpdgCABFAAViEvYAADMR8Kas2RAEwKgBaQG7smUFTookAAGQybRh4NjU1uL582WDWYRD2dtjLe0ntuD1Rv2\/b2fKGeJD6xTTVAUMsP2lDwoVXXJwitAjM1Ss3TeNIyNiPaVEHvBHWgnmTCyfAFo80jSe0xJw6Ybz6w3BHKed9Mf4LC34oG\/VIDlHTxzV6KkXcvqfJ+U14RSVhKW3KAUcxQl5Qnl+FE6bIGsShbMSV6P+UWlpqynVxRJTYzRSpGWAchBBRlF7EhFWsrYnblyXrD3VTjEqg879fRXYm2D6G+l3V3l4hCc8odvANTzc501Sej7x6oDCtVRndJ56LpiERNpHUkSjmM00+Wy1dbMT\/Vm99GrTmWmQ58Bhd7+x\/sycdH8p6kPEaBRymR3LuujKz\/Gp3cYG3YCBKEJqKQbhAu5X3FQ9PXBc+M62o93W9PU8b6NIWgn7PPkt\/looi8HdoxE9N0Q1KeX\/DgvtM+nwxVmrskJK6Thzut4c\/pKoeIdgzgc3\/jHyNkNEOaEuYipEhpS0\/Q+tOI16w+YZPxlDlM2uXgEDMcZKpZ3i643hutLioOhndNrgTa+7hlc5d+9fBUPIG4kEo\/3qe\/1sIW96DdumLgeq7hN8q9ipK\/OYJXgatYkOUytQ0BidBbi0s1rXKIV0\/20SDyn2cTxo7WHBdcfDH2uOAi\/TCrRfDAaRNQYOzMWy\/oZuiEP4GWby88PrtsqP7zlBhlOROw4HDIjA48YJ3izoMulzCHWEfBSraR6GRvLlvTobSdvt\/z+UVvoGEaNUxGfD3NV\/ys6k8iURbaIUpy8FqGPXqO5y1+eef+JbMhHxVscn06dBggRMWGOOEqj0iilT1RKBH9sFsvyyAlIRcyu73\/dSHY+X7jFjSREVA2KvZo6yurWHJdfQmRknszSHCEHvhyALYDYo7SRCnZFDn5E9W3gfJx9JMvRGkKHXuxSF3xLvoY5nZEGBaR+XmmVlyrTJABRhDpbAmZ5n4r9hBYxhQHxcHxiGFFAZf8z0g25Mt1TpS14HKgYd19UYag4E9v9SK0NipYTC9fTFM1QGWJgR0BKWBdAxjVtOeAxGYzbRhH6dsuYtciI4zHHsc2k8CUrpT7INwMysA9v0qD2r5uYmQ8cWNQI093fnUkc1ZiLc0jIwKw1r5S6aXpzTXj770vHeucOObKGH\/cu1fclnWip+hpVKiVNyqyTuHufVLPShgYbyGVCuWpZPLDtm2Jgl78SGXcMPJqMT\/eMThOsXIuSLcIkh41PVNQKxF5sBj\/BOj5ESvnmDK6QkupJ4WgD36Qg55pRhbyhTXn3wlt2Wr\/yvzjY+U2Y7nfQG6dNeCf\/ZR4o941mW0nR93XyOa+USW4ElVSAKkaXcwrIvcK8SdED4dYTXRprenIgGMn8eEVkFhh5c+SVUq+XERE8IzY1QaFHpJZP8fwhzTmsejKR4iNGy5hDCfipCmLS34n3Ti+BCtXRamD+5SfxUJJlOaGuDx1ZxsJ+DRIsQP+0kLMojxKXXv8fxv+kjUQYTnOJebQGi1vj1CqRIxf5a70YpuiubpyNGMG3LRDDgT1bz3u8MXCO6UUeWA
w7iQ0bpGgmPr47zuIVkRhe2cIWsbNBRCq+DfTxqyI5xdGH+ZdSvdGdcCnw7eeyZKURtoMVPU9ujTUcxOz5LcEN\/TxALvQe7jb0VWnhZrurBM\/tZX7uY\/NVzfAVeTgxdzrV78G5uYYEagOMAWzfqvOVOd0DJVYOhYStQVf878CnlBQP9yq8zVHiaudHd7jYBpAflemve6zr2sCq3IlfpR3vKBjLqbY7vKTWflGz9T6iOy4tB+9SN2sXj4A2cmfb4"}
00560{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":427,"source":"quic.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":1,"flow_first_seen":1463060980364,"flow_last_seen":1463060980364,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1463060980364,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"216.58.201.238","src_port":55934,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
@@ -45,7 +45,7 @@
02233{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":444,"source":"quic.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":3,"flow_last_seen":1463060980446,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1463060980446,"pkt":"eJKcD6iO8IQvSpdgCABFAAVi7JsAADERM7XYOsnuwKgBaQG72n4FTodMDNvEpLUMteNnAjCUFcdtv6XHZbkQxgCkAS0FXQCLsNsKswVSG3lP+qzvmF246uDhGtUyFwaTzRJRxS8XOFxmLluatV\/uy7O6p0+N2bQ\/+Zrt1fpZeW6648bpNyd9YDE3eJJ8v\/9lvMKhkrynd\/W+TFqduscYADp6WRYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}
02247{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":449,"source":"quic.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":2,"flow_last_seen":1463060980460,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1463060980460,"pkt":"eJKcD6iO8IQvSpdgCABFAAVifaoAADIRmLPYOtLhwKgBaQG70jkFThU9AAFbOkhXLI3U967KCL3cJUfMqLc5FSrY4cYs3xypa7qHkPMQkfyihNqC28UhBOL3e\/5TBI7YTG0J23OmdlC7GgmCbVWFBre3mnIHOH5gNl6B4pV+JLE9LheDJBWLfps\/P5l5aMhy6p4xkqOtVn+84yrn69vnIGngY2UUctisj\/\/7qbGHoU7KjFVZvLiLnesCjZPEQ9bmtTdxJ8NIoohV99NBrL3ZR\/mRKqFg6ck1jjGMancWDX9uCodwuw+nFeiwhdNiUXqpCyb8WsgjNJlQgx5Jzfa6dxFwnJS2EsJzy1jow479DEUJQyupcHux9LBb4IxdT8f537ef70Ew4CvWu3Iba3a+sRfT8oSLt0CF8xrbGmeBEnSqbecBn6F2MYjUF2gtYKqmlv2GpssQgCf+y1IgiyKvJBAFYATvIM5Yoz\/5ASrdVp19my0ed8fkjXD\/9hI6BqGDwauf0bTx1RLAMhLrvl6pXAmkTiy9XjRAKtxJq+C1D4UKHSSI2+YjymrUAqCH3KRAZmA0Bxs3bF5O\/PSuozCEiM1fA6uKcRzdnnQiYy07+fjPtlVxQByhag2n\/cAPz+kuIj8MMSN1yDveDuOdF8jXFe5s9mrKD8JMfRZctDC3tl6y0RDe95cUiGF72q+hrAL\/PnaEp3C0gWLN0HrD0R9JOOxmp7Auh7povQU79kvL0xqyh4jnZ\/Eauv5xfJJ9WERDrqx3CTTuciqZlam2PDCCuo1MW4zttYvjA3nx3zF4aGwysEzvVFN3YL6hVQjdDA4G9W2+Ef0aVvJ6dwImjNYp4R0XlWhoyOCtNc6n9KHJ2lGiAOWbtoy+eIkUgerfolxpj29D8pTuvRSA6xSdgniEhkWz2S88FBK7lsS9dfKhGidfIxn3mpcstFKBaupKzVmBUCAqw1Z9aWdecUTnIY67owXaqxfverdyb0S4+uAKmDm4p8KZN+VbJFG\/ylg0sBWP80mInpEbGS7MrNOzG+nWmwobpNpDfkH6k4MJahEdbTJwc8F0zwrc9OBje09p8uO+iXNyZJSmFPRBYsNZ4SG8aHlZEWwk1zN++dYeWoX+nUUYJD4SmFHSyUSfF3Ib+mhP8VYivL+Z49LFaGNAB7KGxHv6fvGdSutX9bFiP1ZkAEhpweNPt8+O3nQTWj927mHvqPFEoMfTdYknC6NXf1NUkjL0SCHGhtXTgom7sP8gds1oLZBN2H5EejX\/eUCiWr6Vz0O2ty3vLiEaKe45R6dpcVbZGDcZnogU1oKhCd5eIW5VCS9ZoxdQUXYVQ5OVZmD0+lXGLDhaxED1Sg0QBEID7Gyk3XlpIelSpdCcj7XZyy+fDz5peeAIHd7A\/NT1xszFkW3dJpaVelwRfVQ2Tajy6IY3aeRniays5OlSdDEGtZvz+UGoOACWTNtx+Bck5uH4c3U2F4B+CPTc7F0hvJL623HEU79LiEo5zzmsjK4jgrRtPE6Ujm4ZpuNfqh8tPnhC9+Bi2Aja+3eezVsTpRflcLiQs0+wiUrXwIMtQYHLDjHEkGkWCaZ1nNn1+gwpcra6WAb6OHVPMNz
rYJK0SrAHU0\/USbaXPZLFNMj2alWPs47VfDow3\/W3uXsLSYKoanH+Y+vNHJPIWjV0xMRUN6pTJE7IVb0BTnZ7b0D3Y4\/SxaKloeNxIuesxRvodNcMI\/1buC5kqkJStpYaf7KVkJyh1GHdI8GrmxoF2MSLqGY6lT0vPgbFD4MZreGOa5Sssczsczl+luw+iYguWV7SHDSmHfZxeBgkr589fC51KvvuWXNd3GZS5QlUqIxlrJRMHt8X"}
00558{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":450,"source":"quic.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":6,"flow_first_seen":1463060980356,"flow_last_seen":1463060980457,"flow_idle_time":180000,"flow_min_l4_payload_len":37,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":5477,"flow_avg_l4_payload_len":912,"midstream":0,"ts_msec":1463075953299,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"216.58.201.227","src_port":40030,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
-00584{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":450,"source":"quic.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":3,"flow_first_seen":1463060980313,"flow_last_seen":1463060980404,"flow_idle_time":180000,"flow_min_l4_payload_len":37,"flow_max_l4_payload_len":120,"flow_tot_l4_payload_len":238,"flow_avg_l4_payload_len":79,"midstream":0,"ts_msec":1463075953299,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"172.217.16.3","src_port":40461,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"Google","breed":"Tracker\/Ads","category":"Web"}}
+00582{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":450,"source":"quic.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":3,"flow_first_seen":1463060980313,"flow_last_seen":1463060980404,"flow_idle_time":180000,"flow_min_l4_payload_len":37,"flow_max_l4_payload_len":120,"flow_tot_l4_payload_len":238,"flow_avg_l4_payload_len":79,"midstream":0,"ts_msec":1463075953299,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"172.217.16.3","src_port":40461,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"Google","breed":"Acceptable","category":"Web"}}
00553{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":450,"source":"quic.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":3,"flow_first_seen":1463060980313,"flow_last_seen":1463060980404,"flow_idle_time":180000,"flow_min_l4_payload_len":37,"flow_max_l4_payload_len":120,"flow_tot_l4_payload_len":238,"flow_avg_l4_payload_len":79,"midstream":0,"ts_msec":1463075953299,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"172.217.16.3","src_port":40461,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00558{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":450,"source":"quic.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":3,"flow_first_seen":1463060980349,"flow_last_seen":1463060980446,"flow_idle_time":180000,"flow_min_l4_payload_len":37,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":2737,"flow_avg_l4_payload_len":912,"midstream":0,"ts_msec":1463075953299,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"216.58.214.110","src_port":48445,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00558{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":450,"source":"quic.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":7,"flow_first_seen":1463060980336,"flow_last_seen":1463060980436,"flow_idle_time":180000,"flow_min_l4_payload_len":37,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":6251,"flow_avg_l4_payload_len":893,"midstream":0,"ts_msec":1463075953299,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"216.58.210.238","src_port":34438,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
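Review bot: The expected `breed` for the guessed flow 4 (proto `Google`, dst 172.217.16.3) changes from `Tracker\/Ads` to `Acceptable`, and nothing visible on the page explains the reclassification. The same flip appears for the `QUIC.Google` flow to `fonts.gstatic.com` earlier in this file and for `sb-ssl.google.com` in `quic_frags_ch_out_of_order_same_packet_craziness.pcapng.out`. It presumably comes from the libnDPI submodule update listed in the diffstat. Consumers that filter or alert on `ndpi.breed` will stop matching these flows without any error, so the commit message should state it, for example `Google services are now reported with breed "Acceptable" instead of "Tracker/Ads"`.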
@@ -67,9 +67,9 @@
~~ total active/idle flows...: 10/10
~~ total timeout flows.......: 1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1957947 bytes
-~~ total memory freed........: 1957947 bytes
-~~ total allocations/frees...: 35891/35891
+~~ total memory allocated....: 4616446 bytes
+~~ total memory freed........: 4616446 bytes
+~~ total allocations/frees...: 100087/100087
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 159 chars
~~ json string max len.......: 2264 chars
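Review bot: The expected allocator totals for the same capture rise from 1957947 to 4616446 bytes and from 35891 to 100087 allocations, with no explanation in the visible change. The increase is exactly 64196 allocations and about 2.66 MB in `quic046.pcap.out`, `quic_0RTT.pcap.out` and `quic_frags_ch_in_multiple_packets.pcapng.out` as well. That points to a fixed start-up cost, probably from the updated libnDPI, rather than per-flow growth. Allocated and freed still match, so no leak is indicated. The larger baseline footprint matters for memory limits on deployed instances and is worth recording, for example `note: library initialisation now performs about 64k additional allocations (about 2.66 MB) per run`. Because these totals are part of every expected-output file, each library update rewrites the whole result set, so comparing them separately from the JSON event stream would keep behavioural changes such as breed flips easier to spot.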
diff --git a/test/results/quic046.pcap.out b/test/results/quic046.pcap.out
index 5af772cca..51e980880 100644
--- a/test/results/quic046.pcap.out
+++ b/test/results/quic046.pcap.out
@@ -14,9 +14,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1931072 bytes
-~~ total memory freed........: 1931072 bytes
-~~ total allocations/frees...: 35439/35439
+~~ total memory allocated....: 4593387 bytes
+~~ total memory freed........: 4593387 bytes
+~~ total allocations/frees...: 99635/99635
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 161 chars
~~ json string max len.......: 2241 chars
diff --git a/test/results/quic_0RTT.pcap.out b/test/results/quic_0RTT.pcap.out
index f0e9fe7e1..b90f257b5 100644
--- a/test/results/quic_0RTT.pcap.out
+++ b/test/results/quic_0RTT.pcap.out
@@ -13,9 +13,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1932928 bytes
-~~ total memory freed........: 1932928 bytes
-~~ total allocations/frees...: 35352/35352
+~~ total memory allocated....: 4595243 bytes
+~~ total memory freed........: 4595243 bytes
+~~ total allocations/frees...: 99548/99548
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 161 chars
~~ json string max len.......: 2132 chars
diff --git a/test/results/quic_frags_ch_in_multiple_packets.pcapng.out b/test/results/quic_frags_ch_in_multiple_packets.pcapng.out
index e7f1c6ba5..0c930f8a0 100644
--- a/test/results/quic_frags_ch_in_multiple_packets.pcapng.out
+++ b/test/results/quic_frags_ch_in_multiple_packets.pcapng.out
@@ -15,9 +15,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1943278 bytes
-~~ total memory freed........: 1943278 bytes
-~~ total allocations/frees...: 35365/35365
+~~ total memory allocated....: 4605593 bytes
+~~ total memory freed........: 4605593 bytes
+~~ total allocations/frees...: 99561/99561
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 187 chars
~~ json string max len.......: 2179 chars
diff --git a/test/results/quic_frags_ch_out_of_order_same_packet_craziness.pcapng.out b/test/results/quic_frags_ch_out_of_order_same_packet_craziness.pcapng.out
index 87eb05da6..755a44e58 100644
--- a/test/results/quic_frags_ch_out_of_order_same_packet_craziness.pcapng.out
+++ b/test/results/quic_frags_ch_out_of_order_same_packet_craziness.pcapng.out
@@ -10,7 +10,7 @@
00643{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":5,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":2,"flow_packets_processed":1,"flow_first_seen":1621417628801,"flow_last_seen":1621417628801,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1621417628801,"l3_proto":"ip4","src_ip":"147.196.90.42","dst_ip":"177.86.46.206","src_port":61647,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC","breed":"Acceptable","category":"Web"},"quic": {}}
02291{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_last_seen":1621417628930,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1621417628930,"pkt":"AAAAAAAAAAQApuCjCABFAAViWsRAAH4RzrOTxFoqsVYuzvDPAbsFTm8Jwf8AAB0I+raMAglwITcAAEU0pjC69lxL17I2Vm\/2Q1yiyTryhXfWfRIufhNP5rg4c+FEuOp6GqQUQFPIcqWk6U0BDlkVmnmwl9dIFWmX\/bKzitGvZ8mfDi9hktZWexq37TSuAH96QNRoeDy4tvPiSgKIr6FZgR4Q\/HVISWRrxFL0ZKD38sgIoVYjPEx\/9Ic4WOpPiBg1t9\/qrhQHH9cTVMgWsLt0TDJTL0KZv3cMnUOIyDfZegNZ4jvz12dVBYTIdmKO7+1d6Z2\/OF7H8egyUhxpPD8g63YnzjMgsOVESGTopFXkRNnrC5YYuCPBc4+8zyPzWbaRA7ZY7Dj7GHebUIt0h3Gw1DMiRq+wjLGQycx78BHNpTa91SU5Z8OasixP0ARhcYJ7QKV8jqRLQIZ4IpBhgMNdrO8Ggn4V1al1n25AZ\/Lyk1mcCfIi5OinaMRv84l92mkzRek7AiZLH1nKN7U8\/la6FOtm5DE6vEcr9GZeZ4g8aHUkwBMbmP+13DolPMOI6DGfrXzZ7dBsZ4wbQKaGjaOhZc874uKqQ4j0o8xXhMGNRmGzqEw0XLrhUHdOwIt3sXfKa0kWZzBhThe9vA5yuf2IJle4m+JLUJDIrj8NkmAliM5a1Ztu0S1CjbeZwlZNEfqXXuBJ3XmYBU6x4TRQAywkhzhzUXIItcWXIsLEo24LH25n3fHel8z8SAJtU1rYW4MJ3cHGCieRuLa9m5WyLoD8MhHU7jK16MqrtWsEA8LCVJ4hJcCGC0d0cGJ9TmpzgM8fitFGSMldwBt1v31w+KigRFbv3PGq15QaFu3Bc5ghmXY2tvuPrAPwDQ1dcf4BaQoD2VAGVaIncU5tvynrQteTCLDkNbf+kZJa2SKp54q2Z9Fns9c9jt0T8RlL2p3YHikPu7llSazlfLXFGeGzoDJGGsNxHPldt9to6lNcm7BdP4mkNcgatPDawW4pXv1ns4BEQlIqeGnHJbtHqijRNTuEtZwIuRhW\/Knz7OtExuPugeU8Zt\/GlPfZScOWlEiLrc05jYYCgWUXmqy179xmcMucA9Wtytp06aBHf+WfQ1fURy3jSmQ3NJ3gv81uQ5roWC\/f151I1SnpAuoNl\/wshFDWrHEG7wosMoA69VM5ioRjUH6Vw6vtLsEkJmdXHbiLelXmCeiv5o5cjuB7D+CLbcHnxi6S1s4ouqpxdZyMBB3jywu2tIYU4QKiN+fjaYMDYwpAzD5Jb2Fn5An8ebr2twQ9IO7dHcApVPzom1G8qYIs37w2OByHgFyhjSn3envhKGKlaF+DnxPnqjkcDSypaV6Xw6EsGbkUEBsPWaFNAQl0rYQv4OIQSLLLDbtnqJSJtFqJvApbEkL5FOujphAtNX4TvOYetM3s\/ZH5TkEvzT+bgZWz2mB1oMOoQPy213DWxLIhN9Sus3pIVPH9KUpLVArxCusIojjl4y\/CVvWA5XX0iWrENm1HaA6F521QuNa+s5DzOv42QgWOr+s5uNKSTFxAahQlQrNplOZ
sHircGL1XR+n2uD2gTgWAAY3b2i21J5cYoe0Z\/jVWlplRHgm1fBm8iBceAe+i8eGjb4bPc5PfJZ8n+JrHrN8SDylfFnIiRNE8ID8KN8lkbNu3\/oS3Kih\/K85WFq55fup233gxsGiJl3pqoHcF8IRFeJ07vNzBh1QaRlhGdke5sCCm3DG3xbt+UWW7rCkqr05j2zGYZdejMwOKkfbRf6NbqQKPeIcLIlv2bkyG3CDxjjE97A5SRMMjRaI2D9gkNO0\/wn3W0x5srM6qZB5BFLM7YG15trX9AF3w"}
02295{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":7,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_last_seen":1621417629532,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1621417629532,"pkt":"AAAAAAAAAAQApuCjCABFAAViWtRAAH4RzqOTxFoqsVYuzvDPAbsFTrDqwv8AAB0I+raMAglwITcAAEU097Xe2il2Zegu7U45BZ8gKfm75BdOnPJC97WfnE5KscE98sHvgzGhWttrfuN5Zw6V0RznV0lHr8X6WifmddIwLz9dgmQayfKTYym3Ekq7+FTfsVbmdLv7iDTySVEQT3U6aJZTVVfr48rzDdUlbuOabtPNfF9PK4wxRo28Hv8rNIeQLcDYX1ZhINEmN+sLvvHwjXJJn\/mGzxs37Wo7yOZbGkbY30QHlElqBOAjfC6VA27GzLEtJY\/bgqKUM6kS54RZZNzg5pKpLNlhxgP248e2xlGMNOmp4fMFXgmg3EfYbmnl2iWasHW8AkLql7Ucnm9wslVj\/YWb2c6IF2fyJjiByU3v\/tWqKcs4QGqfKnNSz7TAvliCZNV6Zo4gfpjCqzFPRaJI4yeyyqsAh\/yIYVP9ZV+w7uilAeMXgI+K0KIlxsOhizEgVDitG\/KAo9LOeN6fomCXq4209QrcrNd3XMwKvH9b188UgNv\/jRvXciyaJGIyMgJ7mamyBtbMq07La5hMyvo0mSqFOXeW1vGdKnMpuiGY5RTAHMnhNlkaZqmORAjp34HPN8n4vG44MH5AJ7tXiPcaAMzbgdmd6ox3fd0BfTrlccudwRllV1uZTxS3xRBBhwWhqTZE4FhxMXqd4endwazGj4NY2Vq7gD8YwyUO508LgWL2kYAd\/HfPDFLaaugd7M4tl4hSFuXNenTPDtb\/bRXBfDbvsb6xXiRig92+oFBV7pEoV5L\/yiJ4P2gax0Ac11TG31dQqdzo9z3YfYxfMa\/+8LYBIBydV8pcGIzVQDhSjN2LC5nUQOTcNfPU\/oVh0Ybk1aIMEU85MfYtwrsAgUEMpEGProetQB0mTzcYq+lEmbIIU8WPencLFFFL9uSVHveeIfGWVYNsJ7jljceMSgP5H6cv7CnQzsqS8dQ4uaXalyrjBXDSyJmCkDvaY220xAc3pj12kdE4BvFmAtStxWdtg66AiG7qv91s5V3en6J6UAronI\/KmR8EOk5BiV2TYsFERt4G27JNG5X\/AJaZ8VwtC2WsqvDKaMKYDTCCbRtilBnZ79PJ8INFhsaJtQDLjVGnL0+0lag21H2c0AgRlVIciNuUToDrQp+pYnpr3L\/mM63uQTkvv5eBIAP7i9VCEUjMABfjlzuA4QlRNUQ0vfIchW72uzMqFErT0XMVPnKFlDHN9TDNIkKHDeKZQaWZA\/OfMsV7evfLcQ+ddG\/xKNaoq8806UcjLdGTZEiKme6xLw53P6MT79sTHldTCpjPaldQ3tMH4EIg1InZbS5ktmIvlLQ2zHCeJ+cCrcDav1P0xMr+DLvH3rXDc1LTF\/hYsBxIYeS7vsQF07Zw9I0Aabf0GjuxOlwnW2Bt8iPysdcUeHkriGdeS3Czvq\/nkZEaGKcHJEnfklzqeTz2bYQ+SkshE9F12pfc0agQ0tbVdAnKaEKIsSgzPUMt7MgzYsL9AUkoIblqKn2hXfFXW3gr6XbSi5TQyg
flSMy28Bs+5OghyrSNcFcOe8e+DTn5mmzjD5O4rsNuXEgF7wS26+FyMgZbWHqX8HMifw3qMfcAQ1nT3l97zTbszeFs6\/goTc7uST7XEMKSKrS2lP7e\/ELG11fN8X22oM+TfVd0wylz3v0e6ThdB\/tMpVkNfw82FE39BRdoKw04E7yZ9lgCOyxJvMvSEQRhX0eoTiGgfBQDAhtTklq2Zr0UEwX8LiDkDQg8kHbX+ady095CUYxnxCvxjTB8g7HIHtQ37uzrFXIL6Nxg8bDtLpiJue2jB8lwh4plomig"}
-00888{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":8,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":2,"flow_packets_processed":4,"flow_first_seen":1621417628801,"flow_last_seen":1621417630732,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":5400,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1621417630732,"l3_proto":"ip4","src_ip":"147.196.90.42","dst_ip":"177.86.46.206","src_port":61647,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC.Google","breed":"Tracker\/Ads","category":"Web"},"quic": {"client_requested_server_name":"sb-ssl.google.com","user_agent":"dev Chrome\/92.0.4503.5 Windows NT 10.0; Win64; x64","version":"TLSv1.3","alpn":"h3-29","ja3":"8b979b020e67a82c4f1f7f3932805dbb","tls_supported_versions":"TLSv1.3"}}
+00886{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":8,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":2,"flow_packets_processed":4,"flow_first_seen":1621417628801,"flow_last_seen":1621417630732,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":5400,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1621417630732,"l3_proto":"ip4","src_ip":"147.196.90.42","dst_ip":"177.86.46.206","src_port":61647,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC.Google","breed":"Acceptable","category":"Web"},"quic": {"client_requested_server_name":"sb-ssl.google.com","user_agent":"dev Chrome\/92.0.4503.5 Windows NT 10.0; Win64; x64","version":"TLSv1.3","alpn":"h3-29","ja3":"8b979b020e67a82c4f1f7f3932805dbb","tls_supported_versions":"TLSv1.3"}}
00604{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":9,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":2,"flow_packets_processed":4,"flow_first_seen":1621417628801,"flow_last_seen":1621417630732,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":5400,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1621421253470,"l3_proto":"ip4","src_ip":"147.196.90.42","dst_ip":"177.86.46.206","src_port":61647,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00603{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":9,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":3,"flow_packets_processed":1,"flow_first_seen":1621421253470,"flow_last_seen":1621421253470,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1621421253470,"l3_proto":"ip4","src_ip":"168.144.64.5","dst_ip":"212.22.246.243","src_port":55376,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
02299{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_last_seen":1621421253470,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1621421253470,"pkt":"AAAAAAAAAAEAnT6cCABFAAViPLlAAH4RBzKokEAF1Bb289hQAbsFTvjXzP8AAB0IFOutyi98gDkAAEU0QEoUNnfb6spEl4sOhm7a3kYwPyh0twGQme8gnUbSWjlTM0eV\/33jZKgt8R3qtWDm2zSx\/rpQpEqQQvknW76YTyqy8lhhBH0HTupzxapnAU360wL\/+pHUQa9kkbfGs+rg0fJIwO92cTdSFU4vLU7xVz2fVMJaMQH8aHE\/1fVdWPC5x1T42ZLsnrxIMQ5wxIFrryrh15fMsCUmzvgSHxA\/i23NsVEQK0FaymSQ3vTxzLlBUWH4BZEKhwxODiawYJVn6KqbmqIqOPZjXiYZhiN\/Oc0\/LeCyQFaH1ri9xPnu4k\/db5yW\/Vm5M7J0u3m8iCZTpmZh9UW7Vz+Tt6ZtpNNUgyHlXEXFJ93VOxKXczX6MviwyGemHWSQL48Z\/padN7yuSlVEbH4WE\/x\/ebW7zTY276B4XQ+wlkch4ZzVURSVv2IJCLTAANRAmruSTCorJVR33qh+1laWpf0XjXQiid5xdrcBQeDZrONgOO69EM9SiLwEVtc0TpitDpJidyT0U1tQrFl70d\/XEPdy6sl8efWo7ZCqMlidLhPlq3NrVHxg4+Rm0hcmtJgElwEuqTGiLadNGhoT7Yo7j8pSYgNw7GRtSquhp7H3+FF2Y2bFNX19Z9+rRsJB4pUiilB5tu0adouOMnwmGTBRsatrnFOOtA0F2vX+LGN0MZFmEF5dpYuvWiLOa+K0fw5uMZaD1DwO81ez++YVlEQYMcGk8nRbrvkTr\/h1NjMg4AGD90jQKUb4FofQXWaVczScZMMs2v2AijtxxRDHmaMhESOLxFfFbAGY7GSyIn06ETBx10YXRTWxeT0eUKlaLwKeXgT1f9Nzee8owqgOKrkqV2dKYlj65fZbe64rFKZ1qmuSQpeN6luwI34bKSC\/P1YZm224OWk7dK8zYb6iVGqzON\/pvHnYbfT2ttIlhWIYxtY8Ju6yt1zHvLgcU9f83bCChlVephnGaWCxUwUlXnYZevAlJBygTGyZxTz2ZSb0ie32uT7qgPEA8\/VhOVmgfgz5uz1CkH7wK301uXB6Jd+vCV5C\/oxE\/jofm4fBRgusDmoz+6N3GpdbS6mlSoo0uqerAGszdbsmbuicOljSko4OAeqWoT+mGW7afPjx5a2FUCfO2SrBsu8hZPpnDhlhRCeKCJQcAHRB7xgiDd9eCcdbKD7Wu6I5NAMZ9c5cy\/ihBVX35Z+UgC3RyusmI0NtKYhjUDswCM0eyBoXLaZPl8INR9v1LW+yvOTZym8K9Aj0qNkha5Yzfvxik20hZiRqz1bdL8xXLCFYqYMYQEadOjp3L+P6FsQzEDaOxkrn2NuRIxBUQl17JREUFH0XnFwFnMT7z5vgxqMs+\/cTusvocWbp9TisAPxAunu5IgIhjJTjwzvXKQEqGGTx\/Uv95lseYEkyPjUxRZUqo6ayvxQzUbD7WzEPJfWp4V0dKCqk8jMcfr4gKrj2FSp8Pp2y\/+11ISOglp7xB6eIZFO0ZgRIY3
7WC1adnktqCSKXkgYJUGB+Oc8sMK4ta5iGShCsKCGNc84cXtiEBSa78agZzOMcgLZMHRXRJQcxDXBaC6GCHQXnLhoom2lIO8IpQOLCvA+fkPsBsI1oOJHnHV8O+hHfPFWWAiSD\/PB9nE4NwaIPKU4ZyWnacfkkFlYLZfqca8KZX4UtWN\/IEVTbG6\/oU7nJ0oyYFSxJfcA+XMb3hdr7h9ytVk4VGIeEwTkm3q4IbP0kGL00wYVhVU92VFVVNJemgeHNnaAUtTEkhmyuDDVqFnLFxbtyS6nB8YnwnujNnjXs"}
@@ -292,17 +292,17 @@
00605{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":74,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":61,"flow_packets_processed":1,"flow_first_seen":1621434304066,"flow_last_seen":1621434304066,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1621486316206,"l3_proto":"ip4","src_ip":"168.144.64.5","dst_ip":"137.238.249.2","src_port":57735,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00606{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":74,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":62,"flow_packets_processed":1,"flow_first_seen":1621486316206,"flow_last_seen":1621486316206,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1621486316206,"l3_proto":"ip4","src_ip":"52.187.20.175","dst_ip":"208.229.157.81","src_port":50588,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
02299{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":74,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":62,"flow_packet_id":1,"flow_last_seen":1621486316206,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1621486316206,"pkt":"AAAAAAAAAAQAJ0huCABFAAViZWtAAH4R2n40uxSv0OWdUcWcAbsFTrOSyf8AAB0I+xTa7lKQafkAAEU0jTWyhjWmo3c2c8tkYAeIRC00J2hfh\/j02rOWVtYboU9UivrOMDnb4DlblCS28uJrMkjjwdTtO22vVFwPaYxj2IIflFADqJCdVuHcXcnvIynZuH\/49aoZoAl2YJS8pUl6yCn3zcPhaVYM3BWJHJ12bT\/rBl+QUhFz+eNv1NjusSyo7XRmUXDT9LZCM\/KsdcUeJxbJMKMhLKDH81GMtpYCHwWUPWqqO9e9hvA+yFxWoDib4NbLv3\/NPWniDKh36sKuVx\/WIkOp5AaTQLzBliiDDxtF80Iy3ba1w3uKH81kscAY6jISZDkCGIpkH83a9jbwNNTu4dDGSDZa7\/6HH5W20Tq4MhhXWYZTT\/8h1Oy0puUFllXhqXmIg8+2Grn5B+DCtffivNTxawD23zhZYDMa5O4Knv1pxKsoCPI9uGjVARZ4WxoinnBJ4Lx\/eivjiy\/9wUiLC2t3yBsy7scxzTv7a9B56haRYFOHLBvLzNjV2ReQFucDRZ194sZlbUdGn8MFTzauGKyE8FjTABrbToSZZkd+s9mIdwH35yLr658ZiMm1iQSdaUX3AcvdyYuEGp8MnQAMvaoRfRnnmkSaFBBjiB2OIsBm5yjfjQzpYtX97hEeUwSv5yqk9ySGiUJXi\/5hLfad84l42JzVEw9YlxyakiWEDTCs6mdaMom7vY\/Iha1i3AZ8pf3WkhBJ3b2\/2DKVs0REkOZgjTqzdd\/K4AfSFcDL8A1CiF09bQ+eTVXaS+xpmL5GSTVDyTRM40KZfUhO\/T9EQZtNPiniyNqbtSZp2BYc+\/2l9wdhMEjiEKO6wYoSeRFPJBNsw+m7Su\/ssmDRlXGBnVI6tlHZWM7CBp7yEtJ+9b5lh\/h2b6o8NLXzXZmB94SFM5zpx3nqn4s+YimdYWtGhQxRDQoKolK3iglu1GOcgjHmAJkQjEjCoXuY5Z3wxhAtlHkChB4D4Sj+Mo0Pe8PuHQ3hvPSuLwFw0FqDm7Rspzd6alV6wevE9brqF0ttPmCgs8akAeLH3Hg2jOzJR7Zq8KSRDJyhC5wYRQJomZdHmhVl6k0hQlrOPsbeG33RJrOXASmtURkVNrkqMFtEbzD+nJJcxlWpn49Ehl9m2kKOIs1drmrTjCgOrpMNceU36z6U7NKS4u4a1hVFTMi1YV9BCf0SrTjGuouERb51jAiRXHvLt9eC3HlqplhkgSDMr8ATClK+9EeI5ZYJ+qwQ1oNpZdKQHsnK3rftNgPnZFIeVe2LSvMENi8FH6YjUWMcIEMIxUvHXWmhFLzwRkjM\/dETZG8LtSp9lIP+R6o2M+Z0pn4VC09fNocjGnGygpS8xtImvQ9Xi52Wji0Mxqp\/ox1cXlDhElkji1gScwsWqwExhfJEHyZrsxDoSgYL92Z1Pn4HBsnIkQM7VPxnWWnZFJ2LkCfQ6AL5v6LxfRd1eQDzaT8j2cXS+hAnjFgH8roiknWfHzSVGVNaIySwi6GzicPRwiT
XqCSzzyJiRjY7LO2cY4SJmX6FqWWTL2hOvjoCvsVA2cZN1um+uHaF8+jCaYrlDihaV62byo0sQX49iEOMQc4cm5w+ac672idPEvZbXjaLZaKlnjbEhQJQMWC\/nDrqdHevi8VXVL66zosdlIzNI74mdhJfTd8oc2ovgBinEH9PA2Lqf8or\/1dRozLWj6+nG686ciLUDqT0aDB8JAQ3nq+eUFn83ml\/py\/lqV4T0XXeWonhVytFKd1udnPL0depml6Dv31txugFaXuB9swFjUHsdQbAqQI4U08c1YRaBctk"}
-00646{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":74,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":62,"flow_packets_processed":1,"flow_first_seen":1621486316206,"flow_last_seen":1621486316206,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1621486316206,"l3_proto":"ip4","src_ip":"52.187.20.175","dst_ip":"208.229.157.81","src_port":50588,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC","breed":"Acceptable","category":"Web"},"quic": {}}
+00654{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":74,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":62,"flow_packets_processed":1,"flow_first_seen":1621486316206,"flow_last_seen":1621486316206,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1621486316206,"l3_proto":"ip4","src_ip":"52.187.20.175","dst_ip":"208.229.157.81","src_port":50588,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC.Azure","breed":"Acceptable","category":"Cloud"},"quic": {}}
02305{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":75,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":62,"flow_packet_id":2,"flow_last_seen":1621486316485,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1621486316485,"pkt":"AAAAAAAAAAQAJ0huCABFAAViZXhAAH4R2nE0uxSv0OWdUcWcAbsFTqeoxf8AAB0I+xTa7lKQafkAAEU02NqFlwI2X\/88ClDrDdUJKCRw\/slmHtAOwvb06+QlMjRjV0hs2aYrH3dl2vG36AHZbKvCCu+8tbZyidkId\/SwRLk\/aGUb9L+x4bKEhyji10luTyL48ncebSgio1Ylf2sP5y7qYToItoOHdM+sF4EspTkGPS58+WD5u+L5sXHLzRq6EFovw7tEFm4rXT1ncWUZsfHN3bUzi7UC\/xILKAQ258ulh3E12ZSv8bupoSOwAKHtGPJmU5UDctMjcbxM4bIIF8Y3B8utqsAN8n4iNen\/hK6bsT+7MeKDyJk8GvgeIX4qPhGkfCyzy2ZSx5In0Gj9mMFlrQlbRzQtMTQJLS9XHGrBJjKt7Kwt4iHS3C2\/ll+JnHv3jFSbkwPkaj4L9zsoUsRbA4HR60OvfubceMHwPcwpOKS\/YhEEpiSIRwK1XH4b0OZUCFWXt2vsvHXiJx7CWD5E6BOBg+ZYetFelTfuQxNgfXROtoGuJ+3wQxi2DRGnFXCHGYLoAO8i4AAIvpgGgoqzjNM1BmQvfSO\/X4dZ8fc7Fo7vdxAVJZrJXT4m2TBKFrsawVChuoJH67VOmFJS1xgFWukI7zRJtsXhN7Czc+i9T8YtKZjInSr9AVxgs0c5d\/WCQetSMLQd\/JT5oa0sx8n2J7Z2NcU99xovxV2uKz4qjrx\/Y2k6ZoB9x3f0Yg6sfXGEGo2MQD\/7z+LWRPw2gSm3FEw8jwVDd9S8o7TTxjGKX94D5vYTcchFQTfbn2HfhKqR8F1OQIlO\/wsmxlHMHBvFUjUhJiIPWRLZt9vP+JJ4qKw7nADsc3kkxPCiHPpOD07HQF+XsbdLrhdRPVrhK5WXHFkyBU\/dGYYuv1WiPzMaGJvkyCOgbXcAH3Gb5PcTDyew+MRzHK03TijcWQ+ZOoouVFzsL9ai7HJq8AhiXpNhyx1MICcuUOAIBkQWFqamjY7zI2GJ\/c8jdNXGDAcYVSSmicj+n+x1og23m\/OzzTHzOLv1hr3DJu3hQFGpKefyvQXTCQ\/t38x1oKMoJcBam+ydIiQL\/qBv8Cn9WIgDhZCWjY0H1Zu8jJgS\/pZVcJ7m1gqv0WsKI2s926YbdUCbQTSDQMHYPrbnBQU2zGsddtUkHA8smR00xItuhuXFpHntBzWrCuuKLbpV6LTA5KLTpwJmEru6UaR8hWJdlNusN0FzSumL2gnW0wHATZvtmTr71efZIP5glV9Q2+vjbPwcPmHOjEAqqO8a9LEnQ9t0G7b4NxL6vNhgV9vEOYuD\/QGqwrXjwJs\/ispzj8Z6ANFL8uKgoOlsRFn5hpE\/fEX3ckmgeLqbknqG+NWj2t9zKylkyKmSKmy\/cxU0t1SSA8TuG2Qovkwr8Q5atDfcwDzjbYNh4vnD4EwH9iR13QsPu2AvJQjfH4r8xwFeP4P+BosOwdv7qI095S245vAYmXdL+TcX5rXjtvIGCma5M3p3OuUhnY0Sw5uOMqNm7nKPE8gz+Qs
bb3VghujUa0NFn\/z6mc8MCrFJWDwY0gtXgCMv3nHx0GNtveZAICqjHZI7xwD\/RqR1lUZAfrPmAYo2kQrmshXTSHK1+8ZYJQvHmShCz6JQySscdlE647wVjnlBAZLUNr\/JBi7VMTdmpytCi6WzCx9AClMAzaYwBrTYGAmEVrVYJn1CaBDE26M0v0gm+S3JJIUIKMgBJtWD32fztac9Z5cAdjD4Hplc8RLAKlcnsRn\/BbxbFD\/d6tMg\/0CsxSInqyE8gbUz3lWbKWZ4OyOgUZwqm1QvYwlCMJMB6wEc+xPqoVbA"}
02306{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":76,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":62,"flow_packet_id":3,"flow_last_seen":1621486317090,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1621486317090,"pkt":"AAAAAAAAAAQAJ0huCABFAAViZXtAAH4R2m40uxSv0OWdUcWcAbsFTgb1xv8AAB0I+xTa7lKQafkAAEU0t4azdHP6WARXvgfhEqAKpp3NRuHRg86uDYx6EraWfkB\/keNDFP3812WLSUJscegRJDC6DlMfTKSYGWjNCpVN8MkKLUxcf64j8OSn7gJZrI\/Q\/gKqY6Z8WIW7yXuifcAcxkC+cmw4eAjlyzZBZvU8ggZVByRRED2WeesmX9AerV06QYER0EbcO9+qzWXQ6Y1556b95esXVXYKwgaT\/JKPANtVx8JfgN8Vh1WXykc2J\/44ZDFpxZFRkUgHxJ3usOwxmesQs2TSh30GqcsvOPy1uBZE3aVlHsrZmfwcenRdsFblzJPQcAyj4L\/6\/V7LtEzbpK98ZznFjKlQ\/CAc0XOreT7lRX11x9l8Nwo5wz1cQeBW03aSFui9mnb+3x1mHZOfYliDqBYAh9AjahgYUEMLGQiqpnnOD59nJV21MaJqJDM\/LJMSKyy9TxlVb0G\/G5WjXSDrmaBMSxIJiiiNThOK4NxEJznmEgpU9sC2Kzrji4qQ4sLSQ6G6Z0s\/K5gmRdAHVqFaA+OXNLXjAWZslcHRAYBCopAeso5rNrNCUMASsOo0cU4hy3GR22hGlLj3LBUy\/ywcQOfX7XYMmNZHdOfJKOwbfgqm7seEpATTHBOfsy1pkFj95HcOrlD13hBtaabu3RXQXmH3nvQQ0rAeKIQPng6Rz1ptjgs6q\/CsEIrQ831zGr9a68MXwQ51qstfBpiZJmHO5lQoTCcztT\/VSQm16LxdoNEA+tXVtDTHWzSIJ\/LsE7pROWa4ORaidOXgt5TuUpfp4UISCbasJi8sLhnJLPMM\/EMJ23P7ba+yNMO1yGyYgCP8y3iA4+Y0RCdbxKqNpblS1T9\/mwKgrVDaW0XfBdJ9ftVX8k4Asxj7aK\/grpVoo1x51mqqsIA\/eHwsOupYQnvyOKi6jHUZB2gug+9nv8P0lYzQYOI55nVygLmUPrt2mSQ2sxQZ3kNmobaJriv6tzeq4TnHl6oNqBTaUDSvgLoQFd9\/B93pzBto\/PWA85xxN7VZQOfd+DbFZ\/VBe73Qs+O+\/dsWYu8iQAMXiU4ipp9EIx\/uZoMUoWZj8rpSXDjEmLBbfMhJKI7th4AA0\/5pKTfK1Apef9X0Y5Kb2sWh24U\/M0c4i1SQdud1ypuHQGiudDhFPShSAhcPisWpjplWcdsEwxnBas4ojrBnnQjyHC2CNab1rcfTuqYLiJtZH+uFMNQqqo6\/rNfItXVpIQOkY7oH9NiquEBxGd5JMZV8xVdnW72qeBwOu707A4H9dx8aMxpNDFlsPT1CFtBo0+lBzmwd+U1J8RntLvUR++yoLGBfFoOFlBTxWd3EivQ+g4+hpsw6rhJx+o9KX12Wn+aCMzsyz2T+R275SnsosAVi6kZMH82nXvr3evy7oteFCprRiLgZZtTXZYQJnyvePz3+OCE1jJkDgtZz9lh5TRWEayVbmQ09oh0A2tO7l+b1MhJ9OOwh0tP+9C20L\/Rggyu
l58op2cZC7t0viwUloxNKFKHp6rLutsIgcRmAblAvmfE5evu8AKGMZAnbi\/qa50JLxEWg2ch014JrpjvQIgocJjdI4tVkdA1vAfzuTPMq6ZgpnlfebCtsmAjEOJvaC2jz2PpD3Da36F+9zqnKoYC4kArpMRPt1KxhhpnZuf4gUuyQNfw3N1IHRfKWJXJxGnUUH22LX3lkdvtG8ab43cqVRaBCEPVJUDvP1bY6E3TNNUkpsE2FLpbFaVjW8UTq4sTUXREoubs1+bmZBpV1b11ZgF\/sh+IuI5ZSadOQo47ZmlSoh\/ht"}
00605{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":78,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":63,"flow_packets_processed":1,"flow_first_seen":1621486369476,"flow_last_seen":1621486369476,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1621486369476,"l3_proto":"ip4","src_ip":"52.187.20.175","dst_ip":"99.42.133.245","src_port":61089,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
02297{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":78,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":63,"flow_packet_id":1,"flow_last_seen":1621486369476,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1621486369476,"pkt":"AAAAAAAAAAQAxdZsCABFAAViaPxAAH4RXAU0uxSvYyqF9e6hAbsFTrhSxP8AAB0I+0NvIwjQu6UAAEU0azRBvw0HhuIl9\/xBjvifKak7sXpTLlmi+dbAR0gnHQ8yLpljofwXe+5I8+bjI6htbC0wktYLe9u1IbRrfn281Ygo9P+77SbfKFoWgOiNBP7DCcTYRMpm60boF\/tXFlu4RcDwIKHkE98LfcboNnZO6vgCOMNp2Oc0FW71MgnEMdGflqZG7oF457RNBS84xcpV6nGLNOdNKSMQqzQlO4jgRLIFlWEVMuZfPjKeCbFvi+9u443qZzhpp1RjViXLJQLM4O3xNtmwsrIybLL167f7g6DkkCHpv7D4g7Aegn0CUSGnhsDPpzH6vl+y+ZphsvLUKg8Up8DKE6OcuDZ2hrkBODY3w78BA6TwCijjXzbEkjwfOo6WXZ7anzvjy2rKeTxPqEDLbbU2mUP9vwNYzNXJKG2DUAsDLDw6z7pW\/sws6BGrQtkI4MswvtPP3tTOUG\/fE\/ztGz6sn0isa49Skrr5sdjTBckHoBSXiarAL+UhWVH3IgXrw7LDIqxiqdq7nRgSKmIzhN9fAbY6UXqQ932CN1pNDdZ9w\/GGn2o7t3bhxb5QVcZtml2RlYzXpD38XPIVBBQ47INhpeNulXlv8GPqMtdWTZebqe4kY7kqcVj0cQPvIwucmOBjpmJQg7KJ7oAQf9\/GJCRUlYyPpb8UxzZhEIeu3XefRjDZNtuoutnX0dz+oXCLYmdZjfP36HFbNYRByGa5fmywec37zgU\/qlyWBC2YCwex2EfvKOy9LWsTwa0ZT8kdxRFmJEv3ynISWQk6m6ALqZbKftEzLU53Sbc5IUV0op9T4rpP0U+RHeEC5OrRZtLDz7Eoi9XXjobuI3Vg8eC4MHSuUO6V5Xv0Nf3+ekeBTC4ZPF9uBseY\/M\/dl0+yfCT+XFaXx3GicyqgVnrvdtodSYLOXs8ya9nmPO\/qYXeXC3eiFr+iktgKCZgHHx3a+niakZlOQIdnQs8m+3FjMcPGf5iRRc1au20WBWADTpVoSMiHx7In8vZZ951ksDsiVML5vgKF3uCPIZiGrbd7epc75W0H66E6MYCh6UtGfeXcH48l\/e5dYlz+GnvNtX24qdsZ8ZjyXvychZ2KIR22+ZYaEiM\/DEMB6luZTBsCO\/v2zsreln6ASIp00NFiopmG5ECaS\/wzhc7cyOYeoLY+l9laxEBYEqW7mGrKnqBUW8CdAonXxsjkGQxEgjetP14OMrGziNFo3Hmm4YUyWifAkDAA0y29APcv6DiME4DgmAODMt0L6F2HG8ByP+NbokUTWDBX+4z7Vu5mleZba895fNmU9ORQiZpsGKf5KdpS60rinWsd7H7F5AaKkK9V8ehTTA2KJN4FeRKEoVzjZNBXQIIp68V\/vTf6MjitUwkEVupaAbIqjiysCSlLtNhGoB5fG+h4bOdXHXY5aevu6eMcfIv\/VbjnB55QeiEX\/EGcg3yTCoROSaMNCGVQt7zybtKYLEAyJsZQdEzgoFSBm\/aVwsdOJLWi
aQNxXr18wB2gwcynUtmY2OVRwX9j017xp7wGxmkp6fMo89Q5EZUZHfrQPUTsdLVxwrCtX8+BW19j1yLDE1jHz\/+hGjjVhkwiSSrUAMm3RWzCmyQbEXOdJpYEBon5bDAOn9LIToMnCQE86GVIS0UXQomCSYbZ4epFa1Ztm0zGdSLCKIfptcYOK6+a0cWvPAl+LZLk6bVf4IQ3VrJ2Pyo8DyjbC59d75TDSUXKmy1\/\/IRu4PkQCaoDSf88oNbPYxcEpRCESbf7WtoG6B+DEymuEdUAjcUwmOAZpwYnrVev"}
-00645{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":78,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":63,"flow_packets_processed":1,"flow_first_seen":1621486369476,"flow_last_seen":1621486369476,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1621486369476,"l3_proto":"ip4","src_ip":"52.187.20.175","dst_ip":"99.42.133.245","src_port":61089,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC","breed":"Acceptable","category":"Web"},"quic": {}}
+00653{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":78,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":63,"flow_packets_processed":1,"flow_first_seen":1621486369476,"flow_last_seen":1621486369476,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1621486369476,"l3_proto":"ip4","src_ip":"52.187.20.175","dst_ip":"99.42.133.245","src_port":61089,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC.Azure","breed":"Acceptable","category":"Cloud"},"quic": {}}
02308{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":79,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":63,"flow_packet_id":2,"flow_last_seen":1621486369781,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1621486369781,"pkt":"AAAAAAAAAAQAxdZsCABFAAViaQVAAH4RW\/w0uxSvYyqF9e6hAbsFTrnVzP8AAB0I+0NvIwjQu6UAAEU03RUajo54f3xaeQcz5ShQCKZJx+hnzaoOL+d9TDb2UYj2DFEQFg8O+PU04LqxBWrWZC6Jw7FAOK24WCy0+Qq+3W2m1Yj3lW4LJIV888sWjcqqlWbULhyMA\/KD5b8qufe+TPSdlntyuZPV2pTPKi5B+SQiTyl5FD9POY3+v3rSnfowAVM2nytoVtVAXU7ajofA6WeK40X1jrJmHBb8E8rErNsDpXfZzug5wr1qdAlbwVJRdAAFYIZgoB2\/qSq5jmhYNWc\/gyOteYYnvauiknHb14gnDW9kJk2AXthTxKyTuNGMMxIe8\/+57XTEdXgzJjfVFWlgu2dHS8t\/0D3vzl8kg3nUD3Et77FL6IMLHaLSMukGOY1oBOkzjqX9K7VF4oQZRG9WjeL8sHkc22npUwO8iu8Bg0QKzz6y1u\/WTGBcWCD6mmt7brbnyRuuQgJ5OSl+aUzFnuzYJwIcGCDmEAvg+d8QzbJwb0\/ydw6dj0OMY83exGXykPAMPH7d7uEh5qtWi73l2znhazBL+P6xXiAwMP5388MuTY+jv7myTvH2QegjTUhQrSoffjxgsBE+ew2qlWyIZdlD9xSPSQjzdG892xvO+Daqm0xCPE1\/DcTBrgTsBx5zRHmldCADLkPEXpDHIwwb64NYIN\/OgJT2Txk9iwrogjaIoAbzHDjBsRD+zjRv6ke5JHSd+l5VjHM2dZF9PUtL0DvVyYUjBO9tnDbTkEoPXCgLrgUFMpYiHso39U9eNfLO5kGqcHN+eOpKAvyRZVxKbK9+4n4VOyQK+R8se+nV68oYONIx4HlUc503SyGOap\/\/LCYROiGY4eaPDh7vr94Iu30hTjCiyIlio3ENmo2Xtpgx0y4zki182URjhdi2lMGGt75JESZeZfkA34f7hLFevCumcj6ijOjzZ0u42eGs\/RX\/7\/yBrnMjY+2gfiJ4TxqZChQis\/GYKAbD2JIuzCsi6V2Ubm8Nw35KDS+sB53W6Do27E2GSA2DWv+MzAm6zveezQDVV+o4OsT5neD4AAwgLFy\/Qy2xi+GZjSkZy8RSo3iRdAs62eGy1gVfhyPrNudRwVNEuWk\/dY2itlVJ+HJ28fJnpvvX3tj8I7p1+1yZJSjalMpM5yQmgJkG9WVckV8DGAWXv3xO8cB5OugwG77mQoMStI3vQGUXlb1t4\/i+fDw\/GuS4IZc1qT+z2tWNFMto35TYb7NCelxMcXuuM+fYamAktrAw1KxhGvSXuYqr\/srgGiZhDyKLEbwtAm\/PUk8PsLr9uf3dxP9zKVSrZ3enmKDlUmAbwVi3hp78d\/5QtHvS4TMGUKLEXPCDhUSuwE7OOnJPgm+9br0i+fWDTX4tU91C\/jkplORo4Cj82ZnXtiWWPH0axQZfuh8nQGk2O3ZzNJTPqAtZI1gmIa6n7kNGEdgtaMX7Pg3vjDy68p5aVHfYpO\/dRKKWrMVDPCoBiAvp7eoWe9rRs4zHZdWniT
J3TJ\/1zSX8g\/p4+Y0B5FqL1OIXFwBjWTct4roreoqwYWuYvynwyepiVqQwZWkuHxiCkCJi1WnbBJ5iZfX\/8wWqdcHJRUcAJUNgCfoV7Ve\/zYSplpt9zSooIJyCI6uI9H8NvW80zzMgfGToxt4BHzDG95IPe8ajcFZ5KX0BoZRF14qIUNMRcwxWisnEuOIE\/Q+ayMiFBDXLhxu7NRovYXsWUIFNs5o2BFE\/MKTaf\/oZ0iEYees5KfoTm65JfoEaFJ9jS3QBRmZFIyZUE+OXP+Hcko2Pe\/+D7s3GVBk0cIMYErQi"}
02299{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":80,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":63,"flow_packet_id":3,"flow_last_seen":1621486370391,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1621486370391,"pkt":"AAAAAAAAAAQAxdZsCABFAAViaQZAAH4RW\/s0uxSvYyqF9e6hAbsFTimxxf8AAB0I+0NvIwjQu6UAAEU03bTMBGYCrS8cnv5vhFjbtc1bGvAvFQnZB6yJG8NkcrmiIIJPIXl2q4dOP10rWX5YFWQXsyHMoGvgrIcWDVzIX3NZ7o8SxUndmlIUJBVqXEfKC6th0dxYBXCRfJJYWNyYrXmuN+Y0PL58UHK7tpZpgBK7mIQyQqSMZcKAs7IPHVXv2Sv3DGgEdMifspeJLZrqAdK5aSG9OqL\/1HP9dlfRJZOn5z1AX6j5z63ULJV5lG7V5bETO20pw88dGKcT+ZGMwvA69Sd5k0J76yF4otVf+nWsZJtlYGjXtglJhDbIRllnDv+E+a46adZELPbL8K3oBj6\/CCVCE2naOyEf6mPlfsVkBDeGjKbsRBu21pYLux7J6CXacUP3TFJ44akagTX\/8xKYW3ZaCu4Q0+BcjGnTHcCQO7kjxo2v3xqEKiOBagnZztVu8xYJUV1uSp0p84BGJGssQKgY2BPdhtNjFgTRBcdgKWi1F7+kUVb\/YTbwJyuRTa+PDvQQMNFOZgaYCsfjqFJWHKG2zIwkFspCoaCF8XtQGkCq9jE6y4qf4zjPbZ7N1UwwnwdZxfWb1Fw4aktZsDsenXL8B8X0NngfTME6MDZxvWCxHmQc5ppnjDsJXBvxCfHQyc9M7d8D8CeVC+HWbU67PYxUuKsITW5a7mAaKH0WaTJ26olLUeQA3GDIUFw9xUdggvpZTPLePjQefZEEfRjRjT8iEYeb9CzGQi6t+9fTQ6pc+9Rp6a50KYQ1uCZSpODozp\/OQcBEbdR9GtmHpCDR0JSPJbtOYkVGGl9N0B1JEmNoUvWkQjGNjAZe3zsIkxaJ57mePus0qsRip0mYliPwjYjUPzsCHzNeDVwVXuWpUcUzM2mUJOgikCw6XKjTRqaWuAqeW1c9z4mZTbOSK\/TxHcCg\/WiNrzmz+WTnbB9BVLyyGE4vg7qJFN4PX2g3DqbfkifJRA9XPVuXHaYWBlDVz8FX3HNEQ6rLUkFa6eqyarqoeBLNt0e0nZn9mcxG4Qo9mD2OYNdYfux80GSAZIDpyIm8TDnnEmhS5z2HYyomgtO2Y4t\/N5FkVRx6yIfdqPtr7Ui3r9fpMCfazjmjrQ+LfRUxo6Q2p6YAAv1C6FuIqrLJVqHI\/kpJu7ZWHTe2PKlaiOnlj1A5JSK4vO\/0WUDs4dtC6LTCRT2cHR8t0Gej0FDzJ++VJbM\/YfPg8brEWZFYdpsvpeNzCryX37u4tW9MApgeHZ1fZQT7f+f0wNL3xb9nkBGv430\/o6aRXdV4rdsVK1Icwt6zKjtP4+M0EEPcPCQVgeyQEGAAiT3Uzle36U56GZffLsCMgG23H\/3Z1NKDWwffbKh1gfnfiwFVKdwun1Qt78gbk1vSqnomb\/J79AsHqjs4dj92ExlMBaeEeYS838CC1\/+GvM2TQqnNQGc0TBtsKDsLKmNN\/8BHFpN4K9oCP36JNjPgUtLnOiEpwlupSGWcDbtdi6ZFxy+Q7dsd+3esOK
\/k1qXwrnT1z9erk299qqN\/tK39BUGopYzBcI7ZqtvWVyUcAQv4rkOvMHmT93EH9eAV\/HM1whxSr7kyLBcJNnJ8VG6vC+5b8Eiwd4KEvhX4SUFtdpJK\/juljSeDOnjRTvrONC\/wed2ymfPWrpUK94fPBsgVhs3zwEWHcezodeiB7xOvk8HZvWHvIdUWX23Dy5xvn5LYUigujlWn4Of6EawcMVeXgViQ66NNCX\/RKsSqrI\/0g0LQPkUhNuc1Z6LvT+izQ7m4p2uahClxy2m7stvMB02QAeTxR40TF5yA"}
00606{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":82,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":64,"flow_packets_processed":1,"flow_first_seen":1621486385474,"flow_last_seen":1621486385474,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1621486385474,"l3_proto":"ip4","src_ip":"52.187.20.175","dst_ip":"208.229.157.81","src_port":49880,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
02302{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":82,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":64,"flow_packet_id":1,"flow_last_seen":1621486385474,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1621486385474,"pkt":"AAAAAAAAAAQAJ0huCABFAAViZZFAAH4R2lg0uxSv0OWdUcLYAbsFTiq5xP8AAB0I+aKrjQG3wPMAAEU0wuD+7fY6Iyc8tUyNR8o8NpWyUYFI2ltF3LBlXWefiS8pWcL74QB2DRW9zaYKiQLkhdAYa9TytEiykfGGocLbybyMzfU84hTMBvmtN9X8ZFMfEisph4kQ3rvmzIKxImtWYbPuenHPvncTyghAlfBjyTAs4SBTn7zgSiTlWDdrfi34xfTstE2uvPZkKaWey9pXrjtdmfzoUf\/pnc+joM+ZvbIOQcTsRmXe5mjiVNaJ6HbPiHfKS10CyjUY01LajnspTwPslYnWYHNLgwAGsyRZ3BxR6GzhK0yi77NGNugWOahmIQ6nR7Ydevwzssc8uD6\/61qD61eTpCJutHPvmpIMYyBaYt3YTvj7rWTy4+Jwluo7NCbmBS6erQnQ0BioBgOLfZKwMDge8tR1RT7fB2y73uabWZmh+z9EXiZif9vDBEIzL8O7i8XDK+n4f62Ye3t+bnf3T\/kEu06cpWij61xvDaapGt5KkkpyGLnr1+FLnojx+RRHnFHIYRBgk0R2kEDER0hHA1VeiOanzTBCFFmvwFA4TMEyQweEYvKw3Kr5NUAc2xOwhVaAL3S6xL\/Wk\/SHYOYp5f0PvIEoO7\/8io\/mEJnGHY\/3kgfXj71k\/T3+r2XctxV8PD3XFXtFnV1FZeROEc3BUlMypjGko0Tbxn8TLjIbiqBt40oHwVFVvr3zGWD1h4RU4S4gf9uyP8Ze+YtGqGo434thBMwnGvfjKdLhQJtIVyNEqyYwuvEvQSBGG+kgp7fWxhCxs3+fbhPQTRYk\/v3WUK2SO9YuJEstt\/h2vF9QgTemr9AIjZTwspLB5lVyViciTmGq8Sv0ccZicPe8AazPdv40uBUNsLwlJBWnFFcDvymaaOS6K09cWBdy0mbrwp8\/Qf2j\/wwjY+o0OYJsGRCGGQ6ET57ektTFjrSGOVwqV9ScfzX5znZD+H6kwkBf1O5IzmA+\/GA1wqzC5J9sUPvKCTirqPecQIYYVquKinZKzhsDVhUADXpFT0udOlKR0uhkOCRqJsNTXL\/mafXS3+PSGh99iH51SwtUUJntU0BR8enFfk1SrdSRAr8wyz4qsVel4jzWEdUfHV\/P86FFH+QEw1abjB2h3SRqAAOHmAfcG\/uY9ox6u2GzMWSaZnsaTqOVBeLeWcQzhkrU9Z0XOCXuT8oREqaNA5FtJW8KWw4W7AgsJOgQ6KKmOhxh\/Sa9xvwEc+UXuYo4+9\/295WwLPUiqlmI80sZ5MoN\/M3QtOiUpRW6uU50HQdEXpljpfNX1Ul8JoBTMhvcJ5NW+FyRXYKNMfEEmEJ\/bvF3\/j1YI05JniGjM6mnl++dN8BP+GVMRR9DzF5J5ULbCVwM0AAMJLiLlwhwq9U40MTPoWJnoX9YFggLWwj9lQC065dWBen4MPGk26TfmuuXGV+X8k4iX8RotxUbiRr+NVmhdaVnI0o8YdFg4IeDNDlpwLL0St6sT5ZrmettHNngu+I1PPObx1u4\
/0P0MqDPvazomUz93QZhJKVKT9C6LEyLYcSjxTGXp1+z4ZDBBfwlu0ys9uEElkGFm3wDpJMIW9I5cCW\/YYdHy79zUfD6w9hQ\/hirJGoMOzA0yz\/\/oESSV5DpdQtEEpQVf+pa4YsPzNg2XIlz8e+OjE7mj5zn0kQEz19jUtEba97CNXLU5+IwcQj89kSD6mwJqhhNAA9qbQHiUlU2rWwCsntFwUpKLMMcVCHYrVsOlaOMOyK7dkwME8jMVzZFIiv19xEqG38D3uh5T3lqXB4+cO87sUlV0VfbSVX2jiLZmUKp"}
-00646{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":82,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":64,"flow_packets_processed":1,"flow_first_seen":1621486385474,"flow_last_seen":1621486385474,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1621486385474,"l3_proto":"ip4","src_ip":"52.187.20.175","dst_ip":"208.229.157.81","src_port":49880,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC","breed":"Acceptable","category":"Web"},"quic": {}}
+00654{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":82,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":64,"flow_packets_processed":1,"flow_first_seen":1621486385474,"flow_last_seen":1621486385474,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1621486385474,"l3_proto":"ip4","src_ip":"52.187.20.175","dst_ip":"208.229.157.81","src_port":49880,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC.Azure","breed":"Acceptable","category":"Cloud"},"quic": {}}
02301{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":83,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":64,"flow_packet_id":2,"flow_last_seen":1621486385780,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1621486385780,"pkt":"AAAAAAAAAAQAJ0huCABFAAViZZlAAH4R2lA0uxSv0OWdUcLYAbsFTtWuzv8AAB0I+aKrjQG3wPMAAEU0pYnq3I+Pk4UybR9VBssX3rW2MX9MykXuwtEl37HZjZdvUwqOPILmOs1ug3ZVyVxysW\/GbunfQvoEKJNeJUHr7ARioYosUv\/iMtw3zJNnqitKNycrvEvR+KPtynwqcEskqC+a0DoLcVg8G+1ytgtC5bHkcrgb6c+yvfYPM6bQHRedo3fqBnUH\/vo++7E8FATzPknFujoxXAfIqx5\/yGoMqH+HqtaMj\/gBvnONUQgLifilr2pN2X5UZtCvWUHfwSy\/ewC4h8t+MC5HX5kjR\/I\/PEFr21ZhBOTbRAIvsPlTMMkPaVFoJeMhvSPXH3RCxFq+4eYuMrUD0OhNOcPxOIZDZCyl0o\/ggv2DFXNJg+gVLPXoZbPB4iu5Uhmke6bpE2jqTUZPjwXEkBe6xV6sp6bLYYcswATmdDqFUEdmWGMKBAsMqXikUGSk8uiqTt95fjHy8nJN41GX4xtHHAni0YyIelafqSbckoVL1qDANQr0CxF7G13sR9plFiWW7O5A7e7cS9pe6mRYIxMGaciOe9ievt36yTBJgl\/fiQ\/Mz7Rf\/0\/xEHpiGjimSZGMLJKt8tbPUkf1Doy0L2PCwY6LPbySmFk83DrXfORYqZzQC5aRkTc2HeUqrMm4bElbKJ5gKch3VNRryw25TpUnRtQFu9IMWDE5dX\/3mWizx7+qMJm47Fyoex2QVEdKtHErz\/i5jbltyKP+JlYh\/5iVhFxWpfjDpTOkH+CE\/A7gJzr87sNP+7VuTghxvarGALGRQvWB3CXNIrBOCA9jEhQerKbB8C97DJMm5tcWUZ65E7AYZouY8+zkDggzBLI+0JJ05RIaaHlApiwpsWJ2zl6F1m9w14xWaghs7jZgtgfJEpGiT74jl4pf2klaE21HmQ3jnkf6AGhbgdZBQmCO4EIpeWJZsQhwGl5VQuea9a84+ee5DEZk764Ux2ytifgViB44NxlhtfksBdQI6G+PUXELugH4wQ6SukmCIBACuFIfzQbiKGjpnRUkS7AmxTtYPrsIuSjFIrLSGd\/5Xekm02vVOPCc7EG+Woa7OletCxnuTQjLX8oheX0o2Op+1dBXeNai8Q63RlSaVEOBjEiXQnmJ5lR4kLHJAKgnnUly9\/g84JyqUljiN\/e8uABODq7kynlT0o2IN5CHpN2XfhoXZlxt2HiDrqvNzSKO3CpTZnnkJeJtK9cjSU1XxfkGr1TK+WrsxaOx2y4S6PIiErYJnObHfsCoROfZB5v6WjVW4TwLRypWRXulBOZly5TnbMAqCFsdN0gy6amJt3ngyiI1muUKlcYOXXmBVBPpum\/+c5TkiBPy0hZUTn3PK8vRrELBxFuvPrWR1GEbulof1jbR58Ncmb0rjGewwYSLgqvfw8fWuUbbODAYVLX15bmDoErj\/57wyWqkBS8kUoD3JZecSRs8Aps02NKyynCKHOlNpc8OBgCA4Ad6xJZK3IyyURTyz5JvyG0vAoHB8Htl9
cCeXJkHl+hbzHpVtzHZa9PuVxTwrw5ZpWXJ3D7gYDf3YjByo50t9uNuwO1TdW6VEIoQ2YFWco6RoRPd9mEfRhGyA\/HMeXm4nHmXXkUxD0lWGhQ1X301intynkww+5gju+t6izkuTyIR+es3wNgXF3uDXXchyNcpEgdq6KXfVdg\/FtdXzMb3o20tlnu0aGTS9Ke8r2K9x5Uy5E4IMaNx46xDz\/FHeQCHMCFloD7HC0iGeHQTjamzHYw9Q9cx0UPZlEZjKGZ\/W9mm9Rh0pSLgVkS1htsYD6Bvo2h8czyqOaZf"}
02299{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":84,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":64,"flow_packet_id":3,"flow_last_seen":1621486386389,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1621486386389,"pkt":"AAAAAAAAAAQAJ0huCABFAAViZZpAAH4R2k80uxSv0OWdUcLYAbsFTowYzv8AAB0I+aKrjQG3wPMAAEU063sPCo4ozMPxlUj\/bSPtY3+CzlLdcC7kUprewEjKm2OTMB65C2RpyTFK0qHd1UzUnN6U5dQGGKmwgsbIXIKSBC7aC9lk9\/7KSXCk70eFVpjOtIDpiKUi8vVDCcfV6kRbykQ1UG60rnGaessWOlmJYYUYrFTLfQgo1LVYDsFKsPtJ1s1kupvZUz7DtsLylFS2l34GkqtIScglkyae0GI8mViRVebeilzlJSvddjOZxdAXXrNZAwRXdoffLloV5HtcoTQxqkR0GAPQdvrWXk+SMlGx\/W7Ne49MxOoYqcb+ZEW\/cA0RMhYOyvvzwyDA6S9WR2IZmDOEetLTQcoqKQrcTga50K8d4JAO4kVEikYFtr5Bm1z+MiARlDwUJIa24qTqLJVIo5iKqG52c5DO3tsvK0vzd8pSllrOHA6f\/I4wQDPyPJtMgg5O1ZoG8De8l3r2ufSRHsnJkEpyqWGF1+ijD\/7lBI\/5nWTPn9fBbdQQQkTlCH2+hn3jyqGiasIwS76cDfQW7wvTATHGizCtUCL9RDngXJ4m60+cjB0gourDm90bfqwSQs1xt55IkE5JsBrjydZPyipe0uhIjm4KZxuvhAjYi7daB1ce\/\/+407cCf+sxxL7CWqTVDAtgj6KFZbP4hnyT9ga4vkmC3\/t2CtLgFM4\/LEuF4nmXrGayZvHNNVuso5WMvbM4gno9LWsv2kJV4dX1TThhLd\/wIxSNzjl0dXSOBZ7wgJEHEnznJuFVstXb3tQcV7X3RP\/hcXpU9XjjFPCV5oo1sQe64QtneNkxV2yjvvs4fEGTk+zfZAnlMw\/iFw5VrPsMS\/wDar7RyJvWTPrIcoFDMu0pl6zkP5Al5BXrxcNMZVEAv6FlHk7RldT5vteKHFUD2EG202+PzEtOTPlmqNG6eE17A10kl4\/4bK9PAjRlBlsdbWm59jtIwieLuyVkY3xNNoXmkXmw+HTfj8L6cgMab+8MVWKD6X2FNJX1Hh4plar7gQs1wBHs\/50jh9TX5uIoGdQRaAkCjse9rKdwxS\/mQ3AZwSCeTLDSDZ7HNKOkFvE4XF72wS8k1jEs8CQLMd5eF7YKEIwhKqSRCTAxxeIp83q7tXfO3G8oxX8DNBZyGPdzHTcD2B2+WzAACX+B3mJrQJ47ogTtd7hRxPzmVNoKxW1cJA2W8sth9y2x0M4tQfFNCg+y7Hjysh4guq6xCuiVT5xotwMwPSDBGNIuXj+rftzi7znrhrNAbCSXiAYGtGnmHBOghmDMitk72DkuK88UEA04IW2\/8fbI46r27QDrpS7pjckWTOaGJMfuh8JgHCaU9F5gWqtRhso3KChbMMFYhYXX8heyFp2QTjtSXCvmSvOb\/P4Saj9keRyVu6EwxUD\/Wvi1CQPZNexfLJTr4d0fY2EFznG9mLwUFqLk8x93VjpNxh9mUDOT+9FkN2OUAwfOdunZk+S7EQYfuz58Zq50dfTTQ4ytc1corJ8Znu
RFp7bcXIyr+r\/g0rxcm55mxTcduuOI43k6A\/u4kxcszhmg9OmUhSIdiyIqrI4cTDkvXweJOztAO+v1eNUC8H68zvSWSCyYfBS09v+biPzskrJYVcIdvRbgzNi1MALIo64umFnfoGW7g7tdRnTTtUaVJ7SjjCNftNOmI+oKGp0G6qA+uKDhFNzBEwpKt7nPh7uh8czyGQ5haYxO+MQIP6acb8ITWfq7ZBDLBK87VY24JBoDq6EX9\/nCN65uCe1Ka7quGr3dV6rIOhhe19uIvRjiUm2GbcXkIV4PPI8eo8VJ"}
00607{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":86,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":62,"flow_packets_processed":4,"flow_first_seen":1621486316206,"flow_last_seen":1621486318293,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":5400,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1621488172593,"l3_proto":"ip4","src_ip":"52.187.20.175","dst_ip":"208.229.157.81","src_port":50588,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
@@ -322,17 +322,17 @@
00607{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":94,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":66,"flow_packets_processed":4,"flow_first_seen":1621489064431,"flow_last_seen":1621489066532,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":5400,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1621490937698,"l3_proto":"ip4","src_ip":"159.117.176.124","dst_ip":"198.74.29.79","src_port":49867,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00605{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":94,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":67,"flow_packets_processed":1,"flow_first_seen":1621490937698,"flow_last_seen":1621490937698,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1621490937698,"l3_proto":"ip4","src_ip":"52.187.20.175","dst_ip":"118.89.218.46","src_port":58123,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
02298{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":94,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":67,"flow_packet_id":1,"flow_last_seen":1621490937698,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1621490937698,"pkt":"AAAAAAAAAAQAxdZsCABFAAViDl1AAH4RTzw0uxSvdlnaLuMLAbsFThsNyv8AAB0Is32f4l9Pl3YAAEU0hQvFkzqCFRJrzdm+P7CepRPizYj8V5fWvrVXzVuBf2NRkl3eGWbs2YtmOjlr1x\/pBPc\/7TLqG34Khp0PMlFKcz3fdNeoXKYeyR\/Hs72zcRs4hnEn+4P6mPqm5uCsv8fDjYHuJRIAjvSHTbEdxqgFHEd93118utoyjtMgpgcEbs4fXoPb8uDAHM5T4MCKj6qQNjX6I7nNo6EuPNWQg9gu3uCawN9k7BQzQN6E5YfL1AdHh4udF7sZw+dow9sF\/laxj49FS3UXGVaahEsCE3aD2597p7TwOCMsaP9cpJ6+mt4daKLcDJnJAMt+icMAtT9fzWBRO4vYi5NQjh2DPs+GRWiTKh8dxvVzhRom8\/iF8KHgTJy3pWtXKlPeLfZAL3oZX5hiz2PB+HTVur2l5vjVWa6EpaFOaRykdvEuLIieDh5u0ZCT5hWtho28j2TyUwsZurEURzu6rl34H7da+I6rfvvL\/zNBXRl0T5rIEnMLL\/j4r9tphU2zm73BBkXS2V8NqavgjXhm8kqC3c5AZmhcVx3aPVo+42Q3ezUT39SUVKQVNHXmiaFVKiSaFUFlpUHrBUR8nGg2CAYm5iRBq\/qCatZ+wKK6Jor9Aelj+kTAnp5y3Y17HPQCp3A9e7GN\/AQvzanaLBchENACUbp6PsLPG0WwONlg5LquPMp39gYOflC9I0cMA9lanerY2UKd2DIvHrNxINIhafo64dTHQ2kruV+pvFVizjiYGEPTHm5vnjJ+vNgtO8FZ6Eymo8qJM5A2+vwe1kvg4nJxdm2E2Wn9X7T70nm++uQBCATbDwLy4YWKSHsoUqqJOZluOGYa1wXb4e+XDlmQzD44JyGBZoUrd+\/dh+KC7bZ6++qLMza7R\/lgjP\/l01SyMjsktR9TKWRx8l\/pSrp2aBkNYKphapPAf6rVSB6qqzYptEM4+9RgL5fiahM9zZLohrgrmNstzopEBbSjJHKT2BtkCePCTq9BXTY9wpytpKjLROzmBJcxKjOlKnF1g\/rktfgoVBF1SKnq6hR2PLzX3pKRc\/RptOGJ8gayhpr53uiIJElSTx+gWcAQGtbS9w40dA7UdV0kQrKTsOlEZPv4Wf1DZo6smp3gIVuDDknJHBV+79Kgv5HRfK28giV9WHGfmEktaajImtic0wa4l7nZNKYEOG\/CyBNl4UHMG4iNm+Y40wSoxegD3OA3LFE2Tr3WxLZaukNoA74zUcX2aqS0oIhr43+nrWk7rEOCNY9O2hGcdnBoVGgvgYX\/gYhzcOFnVXvBYg+04X1\/Lu6Je6ysBSIVyex9isvdPzkU7pOxMaiH3uzhIu6T+pp2pHExh+9q+rK10SAGliPxRu5zXtXE3Oy94SyfUjETd0qOQfmkHBz\/e9FYgFyyAkQn3MHd3fMmxpKxNsGPMBp\/cSG\/LANkIApGSvPXTwNw1vUedAoCnyCDwQXlWFtAwyohCNg2btp5ZVrwJqBGM7vTCz+QiD
2xs1qEthiBEr8j6ftBwGUP9P0OZX\/LFSLwiLgDLEHK\/768YbCSvzW3RfUSDD4sBnSpdyK4zahGcrI93nPJV2g2l0hHyyPgJ7X+z4BRD+aEuHW6lUHeG3Oj5Qh+Vsi8uKdlG0jwjTzMAg3f97PU4FGrQ+RjmPIPZIj9zzw+nTMrJSpqyIKsK7h2bGHuUUNWEUnH05Zth20+XAUcAWRC4suUp9EI8SZymgXxcd3IQ5KrKIi3GAnhHbFpy9beC1dCN5olmWNLOL3oSxQHzr7fvKwFtpOssY7Sag281T8O6Eak"}
-00645{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":94,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":67,"flow_packets_processed":1,"flow_first_seen":1621490937698,"flow_last_seen":1621490937698,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1621490937698,"l3_proto":"ip4","src_ip":"52.187.20.175","dst_ip":"118.89.218.46","src_port":58123,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC","breed":"Acceptable","category":"Web"},"quic": {}}
+00653{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":94,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":67,"flow_packets_processed":1,"flow_first_seen":1621490937698,"flow_last_seen":1621490937698,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1621490937698,"l3_proto":"ip4","src_ip":"52.187.20.175","dst_ip":"118.89.218.46","src_port":58123,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC.Azure","breed":"Acceptable","category":"Cloud"},"quic": {}}
02298{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":95,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":67,"flow_packet_id":2,"flow_last_seen":1621490938810,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1621490938810,"pkt":"AAAAAAAAAAQAxdZsCABFAAViDnRAAH4RTyU0uxSvdlnaLuMLAbsFThUFyP8AAB0Is32f4l9Pl3YAAEU0YOqdYTCCZZmk+g3+J22oWfx0doVS585v5dZuMcju6ceFUGjlxObU5iFwgva6ib0ak1Tmez5R8snBJP694+WPYbwvpl7HFaYBb32L02hySVgOT1FTMmvBo2Fo\/d5ANfZGxJNDQBrucO2wU26mhDDIiJWiWYLyLw+2wH9XtUY9hKwoMo3iFTjxOO1dnynX63OlfxLKWOPNDL\/CJlgdgaNXHQV7leuc3Xd6jzLAetIP1cBEVuqCfGK1Z\/PwWhV\/ilCFb3DMmIz+HaenysHXzEImv5aEb6mec8YzM\/GvxDGp1tCbktIjpAUlEhPRXGKZ8L0YQpyXKVC37At+Ncsh7AGMJvk0puDbiFW8meTwbKSAn\/sAaruKCEiN7ZpDtZ6AQjgTjJIChfbGSU8bd6+hfwBxOU5JZ5xFfQWmRvrx7dy8X8kvYMhYuvkFi3w9Ni2RFiXvTVu8VuiANv809cCo09xvlNkdw1DO\/WJmXRsdf1Y0IqaxV5KrebivhDDNQHtyrnyfrxQ5Y4ift5qmodWeoxdiidD7RJxvcyaRuheSGzXqxC4lIAiMQlrcqXvPnq3wegxcfrIRDEWEavybtNijaDhbp2eu65kvOP5wXZMNleDGBSxQdgktQpxL6TcHQlqLOjfCNHdixljqRof7DPO+5RBSaRguaP\/xe1GoZxspva5ZE9Xk+Xf3SmMHKKlPy59QkuWoIaGOiB7N7I1DAInixS\/jVOIySTOq4xF2KnvU1cEtEoyV42Mhr2KORjN9TpQKBy7JF6wcPKs2Pl3baeiEyYmSdleQIgMxFgrcHJCi21HOjSroXF4HIUsE2apsLaSuZKIs6JTyYJ6qUdjIGm424\/UHHh7fS4g4qA\/yUxx\/xBalncHIA4CjURBqXagq47c2XNGvnlFEquS6V7HZy9x27CFukTSbeIjgcRxXOAJzUlJ1yQ5t5JkOgB8oPDo7vO1NPT7iXgezGOshBG3qxRqw4FUz7pY+auLAGyFbA\/lsmtbgOLGTcFptcsDFuxveiIqXNb3fggSAG9Jq3G4TYmnIqNqka7HhL+stsx9khyR4A9gCtftmEfOrTTxMftEStlT5QLserQlCNp0N1XklnoOsNOcDxQty6hF3nIOhScEBVKysqeVEbi4UdZcUA64KdSVhoAaFJgUYzqosBYVtSdq6oVjC3rbAJ92pfW7W5fHOO\/Gzz4rjoa6QO0jRV4cCPZLQqvL7Whl8UxlUFbNLzMyEaywNzMDAb8u4rh5j\/o9WJorChNDzH+7aC1pGc2DBqQhx+NA2UfbkgudimG0uOmYNVjS1IS1bDSwBdSH7GNbNFSEkwovorAkgGXCiJsNN1cNIzzCohUj5lfbIM4g5Mr+pCB40oATdPIus6Jzb2ASLd\/9Q3sKnYlXjoEthW4ZxmNASLbj3i11YfRdbW\/XSJmbOzbWEbGkTfP\/k6k8tNozfErQYaqQcQWy1XNJfDiRBXvvfoE3+y9U2kVEyp
3L6AC1g\/JNMxiXgENUxOjpl9VPREmrP\/Rjthtz9gSXutw7+EZR3faEchxgczJKIbKwYHcJXGoSYCA8W3Hk3Zf+L+BJmdrRVHbtPRFqDPup8RvGlcW5Xzoa4vRRZbXHIKNQitatbh6+9\/gMI9RgLPzmaVU\/Vp8RntOXhKOwTec+\/5p5Qci1058hGbPEcEz9RH7ho4Uxp4mI0kI9Cy+wNwmwipQYYPfi742YDYxomWF7pzIij4vCMpGVsjxYg5gSAF5wb8qbS5fVF7UlGZOWJLoEHBgMVPUjuR95n2f0L"}
-00892{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":95,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":67,"flow_packets_processed":2,"flow_first_seen":1621490937698,"flow_last_seen":1621490938810,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":2700,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1621490938810,"l3_proto":"ip4","src_ip":"52.187.20.175","dst_ip":"118.89.218.46","src_port":58123,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC.Google","breed":"Tracker\/Ads","category":"Web"},"quic": {"client_requested_server_name":"accounts.google.com","user_agent":"dev Chrome\/92.0.4503.5 Windows NT 10.0; Win64; x64","version":"TLSv1.3","alpn":"h3-29","ja3":"8b979b020e67a82c4f1f7f3932805dbb","tls_supported_versions":"TLSv1.3"}}
+00890{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":95,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":67,"flow_packets_processed":2,"flow_first_seen":1621490937698,"flow_last_seen":1621490938810,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":2700,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1621490938810,"l3_proto":"ip4","src_ip":"52.187.20.175","dst_ip":"118.89.218.46","src_port":58123,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC.Google","breed":"Acceptable","category":"Web"},"quic": {"client_requested_server_name":"accounts.google.com","user_agent":"dev Chrome\/92.0.4503.5 Windows NT 10.0; Win64; x64","version":"TLSv1.3","alpn":"h3-29","ja3":"8b979b020e67a82c4f1f7f3932805dbb","tls_supported_versions":"TLSv1.3"}}
00607{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":96,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":68,"flow_packets_processed":1,"flow_first_seen":1621490940042,"flow_last_seen":1621490940042,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1621490940042,"l3_proto":"ip4","src_ip":"52.187.20.175","dst_ip":"121.209.126.161","src_port":63507,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
02301{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":96,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":68,"flow_packet_id":1,"flow_last_seen":1621490940042,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1621490940042,"pkt":"AAAAAAAAAAQA\/nCGCABFAAViEwhAAH4RoqY0uxSvedF+ofgTAbsFTmycyf8AAB0IX1A3NmSMbKUAAEU0Pg8s+OhkXllUqtMD1WTcO9yjUOzCG24snxvIngH7iX6ehFgoF1UYrfDy88XdHomQKlyLms0u9jlYkrqEodLauJRGapy4Hle2I8WKWHQL1rTKZH+tzK8ow8MeqFRrpbk8\/iokxoMoLXgVKCOwqLL7oRfGteGHJcbAGqvj5rPWn8lTHy\/nr7UNzD5DIeg4hTPlFVFboFc96\/ePrxRP6\/CWV2PQluHrHP+UDiuvF+\/WgxAU4Zaq\/s2euO20g4VMq4g6z0hkNtHxIuQ6G6ZlVXeT6uBX6ZPVEg0pfUhEvbGjqyM68S7s\/LuqkjtoK8zch\/4QBOjnMBjjSQwLMYWrIngHxIgbqBSyCkOJ+S+nMOeH0cA+0cnqBY4O49ufQhXDRjEGH5t5soDhhzS8sBGOiS03hbrWi+tm95qnkQ4EY7uhdczTXrlpbhNUdpcyH4wC71tfxfvQVS5y8IC1e8zT5BsHNYmBSU3cCiepaiVmZYJcGPmbBd0EWBl43HnBPIQ8CwCcoTjwgg26Yu4ozcj0BKQFUR0GMUF83l1lF8ot6wXFAA+oVj8seMzHzv2II23OXhbg44qPmITHSEYOmk8bA8y9XUBg7ALjZ36C005quDVZGN0J+Q44oR4tlRYPB94GZr5laHx3xI4zV2UfRy01CNaSkDMoeOEOMaeAi4kFgFipvCE1jwRUNvw9Vqe2+hR\/wsE+qJ\/zc31inDfEFutt+QNKxDy+c5v2szwudCf+3lADM5GAPJCWo+Nv3ArVcoU95DnZ8Qni4gFNPIas7CUUE3oqubppTtj9Kw2C\/6AvXyw4q7FUZBaXB5X4zjUqQWxcc20sJRmNfK46tma+3YZBWJZSVhtM4pRqEfs362IPwcZpvzz9KMT1frJPvZSyqCg5WxsuShHYKbtQca6juA82VMIw7n0mkTmMIQQq9Mj1AYJMVxWSFfEi9dTleToj9MJ1kk9djU0M9qoCSBeOLKZOaO7ZMQoI+LQb5AKLobDEPmCM\/+7vqosV0xxNb5\/8d22vjMPjhhUJQCLCU0zSX2v8r8IeoTWvGuTd36jZKvjkA9tWHYu73L8Z1+CH8Cei7yWoKXUBW3fDckkX+B50D9QGMtC\/RL4c6YIkI006jUdtSCby+AjkkzqsejzwjNaUTji4RgY8P93\/urJ7QidOPx7hxI6\/TCZFHC3NSWXM8bWJhPqBFEUJXD3S1Xr4e\/XJX4lmJ\/Ol5PgUeFwl29wp8pAoUmC4cRILuSnQY4l9xAdZlPqyDmbVu\/SSWy2Akqi5xJqxDVEON1HIuVfAYg1i119Yr7dWU5QplKsuqzsu4hfLJ6M8Yw5ZRJVC7RSE3r\/N0XrnFY73pQjDIXk9UmcxBojTmmq+gMcamIBeoL0S0ukwFhIcT6HHQfqlw0OzdXB1KL44BXZ9G2XIbRiRgnhcLeXH05qnfpT5pUwkVHt9m7ibHbmqRFCjXSOFgriLQZGqyYKgC+7F70lj6M
klvy+ynXaGzESE6icJU\/STfU04WOE\/XjvOrRE8MvWUxGzhOBNeg4DukKHrJE7SlhswBlqxEdAUp1sFZsl\/6UVWCheylk3qxVcmo08I0V6U82TPQllNBHQQvLwa1Hz1qkNj0H98MIqjYsZiUPrT9PHl\/EubC5Mxf+rACdfBZZVOf7ZrGTAkVMqdQkNJ4KAoV4KyVWs727STfm\/XXQbuh+KdV53N3ZDf84eN9hHsz6Xg77mwy7PCShrWSrFEAyXWlin+he1NMoCnvMEs3ErNthA178U9LrQNGhrOQxjMONlj"}
-00647{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":96,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":68,"flow_packets_processed":1,"flow_first_seen":1621490940042,"flow_last_seen":1621490940042,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1621490940042,"l3_proto":"ip4","src_ip":"52.187.20.175","dst_ip":"121.209.126.161","src_port":63507,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC","breed":"Acceptable","category":"Web"},"quic": {}}
+00655{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":96,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":68,"flow_packets_processed":1,"flow_first_seen":1621490940042,"flow_last_seen":1621490940042,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1621490940042,"l3_proto":"ip4","src_ip":"52.187.20.175","dst_ip":"121.209.126.161","src_port":63507,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC.Azure","breed":"Acceptable","category":"Cloud"},"quic": {}}
02301{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":97,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":68,"flow_packet_id":2,"flow_last_seen":1621490940362,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1621490940362,"pkt":"AAAAAAAAAAQA\/nCGCABFAAViEyFAAH4Roo00uxSvedF+ofgTAbsFTnxFzf8AAB0IX1A3NmSMbKUAAEU0xxudDjtwfHlFBOkIITOn8rvZxFm\/C93HCINJPVtiKR6bg4Mw7wQEXtiGHvHKsHQBCttPbgS\/hcDSxPOzux0V4CNQepSq2ytOhstQPNFgKqDi1D66h\/pG7BpGzCKPVnSY0j4mZfGHvp\/\/90uSi9bw7p+VzILVU3jM1Bfy+bJs20rNuK7sUwNxouBiolA43ulRiKtOrcMFSJUwryaJPuIF2AKADyLpYU6k7IhYp5pMSN\/FZrzaNP++MuPxUL0Gl5Navc20GBsGENjWTKPgIBn9sYhebGFEzStHKW0oRdWu4ecBWDSRteLnjvyRNfq+mu5PY+bv2BFXCrGw35UfLh\/YXxBUAy4mIdjLfzCt9VY3jAczlR6NzkXFtYCr4R8X++5lLCWyho9eGTf\/ZCpvdhXIm3YwXRQvz+kfxqnQsXH0ATnpdvEsAGru0CyioUbYBPhrlPL198KH2whWhbXpqJHFAyYFbpGDtS75d+ky3I7XtWANXuJ7DarmS3NZjP4Jf66vvGqKiJgy0KfGW+e7woGpFYzAoh4imK1VH8lIlaAurjJK0bKeBg9p5lFL0\/l+10ncgvPXDUuHlo46gy\/05jQ7pY9sWVusH8IwAbUs7+8XHTFa2n0Sk2BBs7cZpvTnwshZ+DP3ur5kokHk4A+vp7WHa4BbCLu22NtXJTp\/gQCajhA7U5McVzIVwwCkYzni+CTklGJudESK0dNwGzMjjvyh74BS8FP9wJoxjQxNp+QpBlr56o5vBkDintusd350CRIWzdRHfSgPIvr94nWDpXZFHV\/kTCtKuqDDbRIFJXgtJbMsMFk99XMXvWAVlDdMLwUFBCiheR0jEKmnOUGFAhtpeRaDYUitm6kQwBSlx494dMG4z7plhkyjgTRLdgMjGfgIdWdBxvKHIIvG3w\/V0evuN7rNPmv9HuOEitJrzJxpVhNZOoxAwLj9Luz46NCnQhKxi8RkJzyxHrjJop3lPAM0Y0bEhkOzTIRWf+t2hC8aA4KzaeLaWoCMRho1h3u3XPu3\/l6coc7iHJv\/2jzHV2f+8iGD+OQNMR9Kk99olUGh3yP6NJUA\/\/JOUUSZU3oe\/+nZqHPjXlf6UZ981hgrw2hFoCczDQltVQw8FOKd26NbN1UtWgiNS2G8T40NYIim1zBCFfKP9QB7fmPzHJDrqF9B2z8JCy2E76upD5NGPW077sVIvba7Ipr6QIRTGvvbV1\/tkhYCjTPxCUUENkB4qeC3g47G4DoEvoxNPUmX4lTntBxzxCUTgRTwb\/lKdC+a0EYxdtM5lRPHqXOg2W4+zkbzAvD981aa8cd3CUfbaiE3dmvVl8kAJBTvA7OBTRbFUiyh4hawpJaNoqqurTOZisggyEq8HET4+QxdAtFezeONkxyuzFSApfMDq9flcgmEnkCr0TO0tqKJC1OKWpkWpLnBiM8yAGqKTKylOg54gnFHgxTuPO66xLEKA8U9uUArvEv53MiMkm
wlGJ\/R8DVYSi9lDGyVmqVbcb97csNgpSyaEAeipp\/xWQ9HZtumpN8oEgvCYnLsS2EfcfhO913KD0CEGNt5Eo4gSfP81+PQSvJvVrMAn8EG7DLqd7Bmv5BkyGG2JK8jhFljvgxwM6xjiPRsTShXGKbUG8XLhVXExbTQLftOfAo1ewb7oxiEPU8I+f46C5Ac4FzkNqV4H\/gd0P38BHG7LPoUUiE\/Ipgayi0qMMiXrV6TBl+UJmFlsYoY5\/mLRewMoSEzw4RRXooYehfNFw04DLhOfVWgmuS8w2oNaA6WV0z9"}
02307{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":98,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":68,"flow_packet_id":3,"flow_last_seen":1621490941568,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1621490941568,"pkt":"AAAAAAAAAAQA\/nCGCABFAAViEyJAAH4Roow0uxSvedF+ofgTAbsFTkMYwP8AAB0IX1A3NmSMbKUAAEU0X3GLCKhQ\/kdXKlH1Uuvr7DsXc9kc2k0vey+LpKewCV3nDMgYTsbLcy\/hcOGbXOScP++l31aUJmaaSW7D3\/b1UKqaibOt1++jBKUGgHxvkHK7\/eIbPnk5lrlJGltbH1lVtjul90tjvoP2C0HGMu\/Q554\/zF5y3+m7JmZAmSjKD68m0IKoWfIlmy5OvxUjvqVj7fVNTGy8V9A8hysK+PthsdG2XbAGQ5r7jFZtgM2W0MUKS7M8fkDlpw6kLICW6or165\/Pu6sFJ\/29IWOcJLgCsF33hp\/eqp6x6\/ECLl+bLOD\/2ybV1zgfWcQJdeCTDlaBbs00YQsEWV3eNTSP1cAPrcHphduw9dFEMzdLujKMYP6qp9q4Kf9aga2dK4puh5Ip7GziQj98etOy\/ltXPqQDK0X0xvEFsMV40JSwj+BzoIGv4jugTdJl63HCP9wqVdO7OrAmKEFYkbeXK5P6pG8yzHXXppocSBsWVO97R55m5tJhwqTeKsPTGfmgkv+0mr+yMvQABbK3kL73O0HwPVgRMzkj11Hwldi1m3kxEtoBJnbHsAJyW4T4WEMuyY9xWOFILOzlsEWcW1DlkhujMuBrKf4HHbPFIfZA+vCGqVGuA9J49rsNTvkxJ3jjtUuvX02pDhaSBY2OTXYv5Dc54DTTkDjg2S7sEfptoW0pUxSNkWGCbPIP4xa+v0s6S\/mMMDwXP8kgPvEmHUDknP7JkED8bkUIL1Ho0AWHqdjSnc7aUc0tHV706qMXs0VyhEhojglXbeJLnekqAVF1dAyJGsOPr5QTKqiKuC+Sgj3UNOQ2AORLL3k0ntqV2x\/rHRdWLiJtPYEUBcvzUxECD7Dtnifc2AbiFM\/4baOlJluyckkIkfljDBVEu84m1Q2kmQPBLAgkcl7yWChrQ5E\/F60If6SMyqrUlc2HMVvUBPZOd0Nsx8em3OcZz\/rd4dy5sR9B9SAkyfXIjPZat\/3SaduQsvQmjAvUkWJFmJcvwpcq2CHg3vveXbVE0PWJwxm31KUkGpdZBf0LnhThU3dnOeKxoMeUP496G60PKVdq7+Ev8OZxM4csxN6N9XOao2AmHwp\/0PfV0b+M6mCVlON4ySjH0zfT5CuS19JLsB0PAKCSWv6u5RSSSFK4\/9Pykim8KK8CSmoO+ZYYUWS5WpEmMsvK64DpcO9Wo88i\/G337OpXfoBIGbBcKqVJnkKYXTEBvx\/pOckc6mKqj1Xx2NLH9flt3AVKGz33q9V7vvj+2mpU\/AF2AYOC5QHoVhyHo4\/LUMEXlMibQL7QWDMM7oSFG9qo4z3Ogx0Id6yuIs2TTa0ezZqML11NC1X5955fIUW\/FDJcjZV8HB175+M7QL6IEWOOx6PZp1K\/RJlnO3heZacJYqauQwksZQsk4arIv6tCsj5ldWRpoqj3CLHPSNLlUOifs4ET+tW4OnRsMipebDJLpPBCJQJ+ecUpHtHbH+75\/d\/mWM
iDQ\/hwUplHzhAjVMYLJSbAhbvEaR1IT2meCVIPAWn6ZyjG6gExtCbx+iUePUXL2hlrgzvBZ3GRHAOacsg6dN+CWQxwhWJB23q+MgzegfFEv2iEzXU8DkMvw\/RCwWjBr20X1FCOk795+lTgR3zGd9CF5postNEBPhGGGNxdqFYsot1FrVpwc5OqokbxkxTF7Onnq2kbbsl8Ba3XWkoGN76uWqzAZmzJNMK92Tdqpu1zazult+08ooXIuTRa2BfjyhJzhXLCrMQgn4QLV75o\/ppwW4gZ0PFwpLXpwmShzQ7nN6WnZ1Py"}
00607{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":99,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":69,"flow_packets_processed":1,"flow_first_seen":1621490996100,"flow_last_seen":1621490996100,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1621490996100,"l3_proto":"ip4","src_ip":"52.187.20.175","dst_ip":"108.171.138.182","src_port":57066,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
02298{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":99,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":69,"flow_packet_id":1,"flow_last_seen":1621490996100,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1621490996100,"pkt":"AAAAAAAAAAQAXWCjCABFAAViEIJAAH4Rpj00uxSvbKuKtt7qAbsFTlULzP8AAB0I1Car3PgqXoAAAEU0JJ9ZSJFnukw1kpIlerEIR7j54itrs6xKCGRE3XXR1FUvYtWiluVKkauej0mCgbfT49PWNVhv+d4PorlbwaCUuVogcoTaWUYfSMeQ7fvaCU5aGPhJnEWG\/0UBi1+8bCzq+SnypfTFmorq2dCk0qu92Ra50orfefmV0vtWsPEJimLpBfooWqbaEDaehfit7mw9dCNYCi1aruacDnpniKy5C0xID610oz+9TzXqtP6hBX3weUiK8Pyj6SMCZYEMLlvyFqwJB6JhFabZjNVmEjxtmGfFjrlmd8rGHWmhPpNKZDxUqmt5inD\/KBSwcSZjjZ2qVnYKFg9ZmE7YiJQNgNHdWnN0hvXaAF9t6UZJG6j5RLXjrewkAvkQDQHDpjvn0e4OB74XmU0f2pIRunZhG7nOdLrUIM3KYu4dp2SuvtBfXKF0JXJe4B3ipp\/HIXGxiIvxOuBhCV+try+l4\/ghPvYz4guxmwVL2sb1KOMYvw3AS2A9R7ISPdwCMEfNl0w7rnx7vKocBLncvhtDj6UswuytUe86VosZs6KpSu0MAgLJQtzS5mHMtRoQC8nFUX3y9GJ3tQdZReoRs5tT1J5QMG4ZaagK3Fd\/7M9x+E3FYrzzeGcDRtrRq5MMA4gADKTgaYZ+dKZMGdYo\/zPs253wfmTLUONNUPE7nq2Vqk53VySGDE\/2DUFu7Ouj4RcxQsyWQ5nTu01SZpQVMCdEN9s3guPRJHE1wvBDlg3bcsULX6ndUJQtoKpB8S6SxF27c5F4vK6k7cDGBUHNhgFGBvHbDK3DfXDpjwj7gg2cqNGRjyAQuR9PRICL7cb0AtSLaZUVEEj9LOfinX22qJNw3UF45DmfYo0\/JhJsSVJETL+9+\/IioFEWfh7SIpMVOu2RmSgEttov5swxPhIzuPvG+jIN04ml6r6sKlbwvgpbTGRWXVEqHBIQKz6hKZClZuSzSFKbsX49qdGXDM4XoODhPHLuRT3yh5r1JVnj7WHxhj3H5nD905qtU6bFJNe7n8l+D+uTJC\/IJu+kVyPQUWTIszeHcVgbabOXCOhKEJ2WtzLg7w+iaHi5LKjOT0MhRn4SMjHqY8gT6IdQh2dB8UwKaPz4N4HHltvk\/z2Y4L7mxeZ\/JjfG7JTmXTK6vTdjv9\/CAxmGhA\/wluaZ8tsrr5D+RdZPcXbEgBxH\/1tm6Bm6MpwP4YTSV9nxhIj0pGZHkpR+b2F4vl+nfENUZ5pReO94D4F\/RK66IESDjrP6tunmsMOMwn4+7B6QDDyOPDemTPrdF7zgJ+tY8975Y574Jc\/8yLBjbsC2ChrCxey35qrU\/vbhI34DkY7t8RrGmb3mWvKTS3qkB7Crk6DhnsUeTkGhVfg7A64U7ZiG4gBUQe7bIdSST2ngB6BSxxi3zRFk57obYhZOPoc3fWCo75KIToMVPMEYkIJx9+0YQlJeC5tnUyTEdxLueb2t5tk60+o+zEAOczUzzmu+JgJmBDQC3
kS7OhExq2w8nBzzBuSHPPKcrZD8XdVFyl6v9hzq+F47wNZ22K27SHatestnBzU2FJkFSWgVWESWEb2tfRRceR37vbK\/bpqkp0cvwGojwVUlRemGqfylFPMQ1s+cnHj5sWbpZptO22YP\/G+CKfzf8pXSX7kzLdflxLF9DxVV+b83+nl+nTbj31vNDvGjXGswE6k3b\/905Liv2TlF0IzK2ZLVImonTHT6GswLKKIQ31p0M617FD3z1I3\/Kv2TR3RJaw4Ynkj4A5OuDN07n7PbCwGTm8j44Q\/2rqIeqilV"}
-00647{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":99,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":69,"flow_packets_processed":1,"flow_first_seen":1621490996100,"flow_last_seen":1621490996100,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1621490996100,"l3_proto":"ip4","src_ip":"52.187.20.175","dst_ip":"108.171.138.182","src_port":57066,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC","breed":"Acceptable","category":"Web"},"quic": {}}
+00655{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":99,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":69,"flow_packets_processed":1,"flow_first_seen":1621490996100,"flow_last_seen":1621490996100,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1621490996100,"l3_proto":"ip4","src_ip":"52.187.20.175","dst_ip":"108.171.138.182","src_port":57066,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC.Azure","breed":"Acceptable","category":"Cloud"},"quic": {}}
02302{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":100,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":69,"flow_packet_id":2,"flow_last_seen":1621490996403,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1621490996403,"pkt":"AAAAAAAAAAQAXWCjCABFAAViEJlAAH4RpiY0uxSvbKuKtt7qAbsFTmC3xf8AAB0I1Car3PgqXoAAAEU0S6ZfGd14S8A0NR1EXdOvvljTofNOsuBTESXKp4Oj7auLmC8B\/qxGB6ytk1wgcKgb4d567f76YrqqUml1MYVDe1C\/JvoI59\/gIk5MbkrAeINiJJmd4QeAnkVSzV5lCfOcg4X92GhM4oNiOV2dGGG19wmPo1+VUjHzShTUdyDHnnuZMliAzOjvbmXBN2aOzeCn+8K5drqRExq0cBsCHzvVRFUNzNlUUX5Vo+D387IvPpUHb7zmraw5XeiFvxl2Ta\/q5W5pNrCUAugz0iVIVuWVUNPV2x3FJywavW9Mc5JIWO8xXdlge6Szt9ygE3gMdi8fwLQb8lGW8vEcTE+N\/RkpReCzQ5xMfv355m1dCwCDmEbVqFEy+tHwxDIPuNe27WWgF9XSiasGS+4dfQwcg4ORYoMDpbfXKW92OUlTCH6yDwc7C78NrMUmisC5VK1mGGLaQ9Qu2wMRUqjdmNuepip5K0XNHR5BBbH81tXrZgvI7+1m6Yw0b4kZRl80WJwqq1KSBW4yOioR69+m2UjFAyV\/DXvz\/cExixYmUmVoRdQkJvqPEwdqKmYp83pX9N6Hd9bp8FjZiscO\/ylBmHeN2rawxJLrCx1pzuNkPlwJSuJasPINYSbw1F6JY3wUwxIeNBUcmrCmJuSJtdG7ayJElCjqeWPX8iOrtpJRyvIeNvVeP4zvOG+0xtaofbgfCwz76b84GmN17Mieoa5Bg0V+IoGD7eigcx4YglpTvHcQafiVJ+PIKzt1Fb+zraYPSsDdrlZP1w+1Hf31E\/7kXH56u8ayLXgMPnrISXGFMyS\/xokT7eAZHt\/LAzOJxdLaTDPem\/QunlwKxGvr7bmetIM3A6DNVEQjlmxo+VRIkbPBHlH8femG9JcYcQo9D76bkS1ct6T\/NMC38EOKjtDrrbwB6KP891J44T0TieukIbMdjtFWBM7IOVr8jksgPE25Qg1RWYJaofEPkp4D3UDLFQ3i3dbANJ4XVY\/+L6s+MFkMJ5vBF3bZcm\/tDpVfLrqBJT4nJ7a1C2yAYs59uuvaHev2cKOStPDQDjZlKsuGChOYfuICTD4igM9\/JcrG2yRYeOUCgKTyd394CO7u7YTQ5SxBzyztPmR1KbXNMGGetSQjaw1hK5VOfjJgPn+mSvHfGKivShlE7PanYf+wRwpAG4+iHQtJsjM6WclCAcVrZNfSob\/SYkmMNb3abOPObEQM2ceixo+VTcnp7HeKPVYD1ybdnOMOXFC1AEz9wSofo6gTNdJjdRzlc\/9v7H9A4GsQFk2F7K54C2kPehQpa66BiqetQtr+UE\/dVFH6uNeScw+ulCv\/wbm+OBfrLZ2GXKql6eSDpcCVpn3MV2YEi5CgRFRyayz\/\/2woQgL8t+RxToNJ\/qQWCsxJMrThy97Ju4LAwWk5KeZaLwnxjsnunA1T99DyV8+UKz7+g5JIOC8ruYl8Cwc3nxBc+tvBSpA4ZcE9I+tZo34gvOt
Iq2Vp5LtGbyHij4LH40qk6nQ\/1gDcnTZVMAXlo9nJiRobqRR+5H3Sg6cc623xK2b9CkBfTTs2kJf1fvbYMbdZ+wEDmMqWAzs4QGCGgJ6e4avqUcQ0kS0cOgHx6IAe77IaK1bK2SrJc66FdwbVpj+\/3eUCOHhaAIGMeISGD7TNa3JfY6n0SkFubtUhSB0GUsv2j85xhlI1qeV+8UDynYcpwz8FIiKVdUIjfXcOGHLc9FJMKZ3XshDKwmNniXL0xT6RHfFQH3w8eQ\/YxCjcIE1MW2OGZs+3vB9wyULm8eiLTszw"}
02310{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":101,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":69,"flow_packet_id":3,"flow_last_seen":1621490997006,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1621490997006,"pkt":"AAAAAAAAAAQAXWCjCABFAAViEJ5AAH4RpiE0uxSvbKuKtt7qAbsFTpBcyf8AAB0I1Car3PgqXoAAAEU0uA5YSqiRZv5\/DZhOTssoA0DPn9Zo4RXJotK44fYCvFiyrLXWkACavb445uJAej9D6NW8Y41y6KLu3pIKWD5qGNryyrX7YHITgUXix8iJo5DiSxsH3mGC2JahEYGf\/vTyPVMCyJZWsgerAn4HVFWRUh1qe82mrvrOfq6CMJqoDiP8vlj8+LrUV\/YTZtmYn9QGfS5vgZWX2txmg7RWFMQ+Rz2t3\/jIoTk1tBYJ8e4ItX4pZIW\/53Hyo2dcr4a7USRmF1tn8rKRC5HhXyRfxIBsmcteyC06JLk45KaIFQsqsO01ArTRBrqtXELj7tUE98y6lWlRh8r4yikeZefWhfGlnFB8GF6ugo6zdES7YXjYS9WA652moLPIYC0HZ4SbnVpSbRSuHeIGE5Lu9G6Sue9cSsIYF+Q+QkYSmgthm63nN\/pLWKoU\/RnLDJHaaN+LMsKEUL21PxpA47xYiNZr99R5HeRxIrMGueLrYGdwS\/9Macb\/Jur9jEdINRcxOqvE\/Oky1YBxT9EEdmvl8xfSzGRV6EJ2dO8C3TxvmALVJdJg7\/+XmVlc7vdVkE++7sw3O91FGcYlrdAT8TCgEm4OjsLPi5Cp+NhDUd9lNsblGNPne2oWas4b8C2P\/tYyZf+gOvHLJV3qKtY1q\/qcAcDlCTflHkKqb\/f8vTpeSKwdug8\/WMPk7J7GuRqkfSiRUAHrQP9z8Ev0mxBjmR0hdyQhsJrq6NDbkZA40SjV4PLS6wDFjRKFILwhocOA59yklQQ9oYMwuJzmXLKwLrh5mOeO7SiIFPGV64mweKEGNBwsPL73yemcdr\/l7ci\/aRkjgroHfTOlRVNlwd2SMp6acpgJ3DUTPihyMBDSlBSCN3TpbTHi0mhLZV3VnRkGCjGLPs2dQwR+\/NHoWbG\/mkxOp1+Yw2+oGEApO7eTCrPIrMzOJPwIOKL240s+7ngQuSxGGK0TJiP\/b3U0+u65ktYKEIhmHd4NjqdknH73Qe9XAd2ZIJ7fI1HZmpgWCSTOYqlCtKfFnEWXjld7ZMR2bys1tpSPgypDIWux8kmWABvn28paMZ5649uFQ9tMCjlecEV\/1g+ERbp+wKDLmdogOcIzxg0M+JAJaffVX3DrOnA+A+uSiEkyKncq2c\/YTqK9cI\/JDh0JxfqNhsxmMlnwuAaJuPcBh1lD\/B3Q54dORDqCAw\/xIL5UovaES4PJSfmtHs56ItrSO911ZuIm9uOZr63ZoEcTfsynRQRr4UugAwprRYIoFK07lwdRcDiV67g2XdWXRwtNjWXsWfQGHKiNcbvetslRKrXfxyaa5qn6SEG2C2SnYaRGY3a99\/8awO5F2Qpe+vbycKzEN3ueNUgtD8y92W1XtG2C78GhMCEI1RPYj1pzZhzbrlJRrm5YT3D\/l8R+fQYCAtmrdD+CkceZwNpPKhEhVavI5Gp5XwNdJ56+RbVOrxDRVmjqTRPLg4zuWj2jEJ79chs
V5GX2UrMGDWSjjSZAsWp9Mx4ndt6VUOFZip\/9r4MKmJiO7yGxG8d3B8CM0gf2O3UIBZEchmXjqS2T2\/ewwSSDqYn23knX\/nt\/rnNzky3YHLXA2PXQsFtsr2gSewQ8lu4K9Abfu98oJmGOqB6Zepl6y2WwgW1oaL73FaoUE77CPUfZc3ThUmYcus+PH3momVuo6wjeidlhQHQcAxWy2EczheDpK4PInZZTQH8B9cl87zWeaY26xiBO6\/KO4jcBhP55bEZTsGd\/GDBTnrzlfHI8ia0xyN1XOyklzBDoPTS\/1FjAcpdn"}
00911{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":101,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":69,"flow_packets_processed":3,"flow_first_seen":1621490996100,"flow_last_seen":1621490997006,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":4050,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1621490997006,"l3_proto":"ip4","src_ip":"52.187.20.175","dst_ip":"108.171.138.182","src_port":57066,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC.GoogleServices","breed":"Acceptable","category":"Web"},"quic": {"client_requested_server_name":"clientservices.googleapis.com","user_agent":"dev Chrome\/92.0.4503.5 Windows NT 10.0; Win64; x64","version":"TLSv1.3","alpn":"h3-29","ja3":"8b979b020e67a82c4f1f7f3932805dbb","tls_supported_versions":"TLSv1.3"}}
@@ -341,13 +341,13 @@
00609{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":103,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":69,"flow_packets_processed":4,"flow_first_seen":1621490996100,"flow_last_seen":1621490998210,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":5400,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1621492846202,"l3_proto":"ip4","src_ip":"52.187.20.175","dst_ip":"108.171.138.182","src_port":57066,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00606{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":103,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":70,"flow_packets_processed":1,"flow_first_seen":1621492846202,"flow_last_seen":1621492846202,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1621492846202,"l3_proto":"ip4","src_ip":"52.187.20.175","dst_ip":"196.245.61.64","src_port":52512,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
02298{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":103,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":70,"flow_packet_id":1,"flow_last_seen":1621492846202,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1621492846202,"pkt":"AAAAAAAAAAQAl2dmCABFAAViYMxAAH4RSx80uxSvxPU9QM0gAbsFTsrvwv8AAB0IkN0D0fi2gP0AAEU0WPLbpHtkRhjnBwYFLsQ0oBVcuOZxPwKAEGEgwAlTMTXTGM71v6BXkNyXBiiValVwFjUYX7UUrk+V5Jrupcy7Obpi2i00t8odJApt+XitfLuiix1t0F7z5Z+feBpcusmj2sOZ6QR6h9W++LWKulARwr2neypk4oGapBa+NsiNweTRdbMX3O4d\/mwfllanHZjdO6qyaQ7CnGSuCulGekhpihqBGXPcLW0di3I9pvTqznFG9kWmS8ORGWf1J8GUtGc5VJSaNCJ+Fec43BTOm1+MS\/j4zGK08zpEpGVcAuP60NQcXU9UkzZKsPw3ZWurcWQhQRUUG2hZnMieZ2iH9C8vVNFBjN\/04FbVKM4mZrWJT1lug\/jBAePvCTNRYXmLxN9Ou++HC02AMJ57sWcEhMIYguKuFYuR7dxPfL+cTW1koRSS6BsFC4n5ZRuwmsUcF9vfJPEIqvBwmCjtVhhf7VD5goH9tVyYF8KO3kIv28uMuxWcK+q6wT8hSJ\/zEHzootumo7aXQqZvFeJhyCX0EfLhJ23vbRO9FmugxWN7m4sTU7Fhf9kalJr+3D134oZ9EEYm2k3laLxJs0+YOmna+6\/rVscNjjUad0DFGPUlfBEWehyhkygQSnAC64dHYrDv0iBrOmlJ6MRSwFxUrKXnUfq3k6Sjz27UeFDKAbXjm9pfn3JaqYN+iEPqCI6LxBiewwQo6PhkrbmioOgwvX\/DmpJRnPyUe5tKPfpj591HlcbD1wj8IAwgpQiAbJmWGX26TQVGc\/oGu0wUuxxgG3S0COr+VKnO615jbylfYmabj0+tV2Uo1TdMmuzr4pfQWFOvIgEzWzlgauVuFGrxVJNotNQk7htoqJBX\/hMnFoa6P3D+kOnEu3G17VXOpjoxBo+e82xbyKTxE+HiEnZeWZL7luz5bZBmWGZc506mXLnCeZZQqiG\/9I\/FNIpPvoo3H6warZwrzbb8Um6Nvs0Ics90RO0bApWCzRG1ZbX3AHjvDgTh2p8CR9Oooi6r0cJxgwFZZY8SZy3zNyWg\/wHtBtGqhZKlBnnzNUo9ZvpjYGNFYCmpHvrwviyxBvhHkg983940o+FsWBHY4PXxHhH1BeANrMFfkbINkn+CbC2\/r3ppTRHHY4fjTIWqDjaau3fmNxn2oa4KoWNkTjA1BSXwvqc8trFGDFMCJhUs3hSHPiEoAQ531rkzeUr7wtvjAhy3yMpxtEUaaAGyPySo1NYyTXEWK8w0\/YLlmeDmev2JWcCnl7HS0O13jStUjDzYdEKkWbQEZyNXBVEhaIvowRgcn7\/v2zT1Ji\/TX8DeP9rZyEyPensHrqvCjEiXBVlBQXgUJKTAdm6SwnhUmgDIWfMcW2vD88XETNohXNP\/OdolyEZ2F5Okt1oR5HKmRMri3BoToqsELE6FkQG6EG4JyB3bG1wn7w7zqvTRpR1UjWxoXiXjFxffg92VsUmcwuEyMksgqkhRx9h0TWNRACL51
r145yHnspstaxqMITdw034yIHhAL3G5uPbMdUZQJozU\/XLnjQ9V7x\/mbfIElAUaPrac3k2nvzbr5ENvEse2uDH9Q5NSX4CsOm399roi9AvuA4V7OYxCn6T1MdQz\/4\/J5eI8ez9zieLgXCZomN4Y+BUIAuOY5\/dWqfjZcWMx1s9NOKQTb1Ka9pe9XEJIuxx2s04cvGxtWZpPXA8fQ9IoJlumB17J64o1iwcDB9g1LshjWGo9lOe9FjTnwf2Uc7YISmWj+vyoFvYEhvt82NsOS0g1fbgE3nFxg5ojGIF4"}
-00646{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":103,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":70,"flow_packets_processed":1,"flow_first_seen":1621492846202,"flow_last_seen":1621492846202,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1621492846202,"l3_proto":"ip4","src_ip":"52.187.20.175","dst_ip":"196.245.61.64","src_port":52512,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC","breed":"Acceptable","category":"Web"},"quic": {}}
+00654{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":103,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":70,"flow_packets_processed":1,"flow_first_seen":1621492846202,"flow_last_seen":1621492846202,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1621492846202,"l3_proto":"ip4","src_ip":"52.187.20.175","dst_ip":"196.245.61.64","src_port":52512,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC.Azure","breed":"Acceptable","category":"Cloud"},"quic": {}}
02310{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":104,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":70,"flow_packet_id":2,"flow_last_seen":1621492846499,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1621492846499,"pkt":"AAAAAAAAAAQAl2dmCABFAAViYNhAAH4RSxM0uxSvxPU9QM0gAbsFTsB+yP8AAB0IkN0D0fi2gP0AAEU0eNeT2iVrLMv4jKHl8TcBYgCovcfBUbyiMals1lo6OENtv3m3tzUH\/6BCYnVpY+CFN6iuhjAxK4TQo8fdrcWsTOaPpoFoY2L1biWlEbkp\/x6C0kavU\/xvEB03HgfSHvx9g2E9+0QVaZrnTGMDhzE\/LCMOi99ZyzUFTLa2whyStOHkacXjeP\/fXvaRIU8Xw0e1DmF+BBORNoKDNAzHaWe3Xdqk4sXMuKcYmcsPCiNzUfbIR5I4+VLDDbiRMHE4TjaiWP1s5tp2uFI3oH8oNBxSqcPF8N1QFN8Owg0bhCA\/IS6AAO+WjLvCXNFTIFRkUX2YOFCXkduhSQk\/oHwzaVML52Ssm10WvS1irnJ1a2h+SxJBrkoqZbSa3c8eawvV0lJSss8ZpdSbSRzoN2qRfRqNsLkutWp\/l\/cD\/9NStpmQaF3kKcyrILDL5C+ND+LRujNpqDaC7rufyYb4OxX88B0MzY74bKzBpjdNd\/NyrBm8\/onpNwjnCW96RXgIjm5ELYRH09jAdke\/LMSfgsn6fc0lbvgEQ3PiOAd21XyPj2OSsqeutdhHzHRboDg8Pn60e3mxTSQEysOZhCJu1aVdB2yGnhlHsTGM58d5JBHDE+jZDUbC06OdcJVkIv6bjuXRCqEL93W8VuYBHzKsU8Ii7A0JxSjAutjZgwMCd45KPWDsNutDQ87CFhmk5RA+fKc3pBM8cKLyE1\/D7NJxJr4GJrA53oLs7VGf6MKmlV4AsJZP6rx2xmCFhjFqHYFLBgJdnESGthy0GqSMdwYEYdqxlsQZidXrJUgJhUv\/viqRmaGGOIoeCbGdNL22EJ90SNuuCvVNhxjf+OCfozoA65mZFx5Us+WOLW813xAA7oS3jfz2r9ButsPWkueyotS4sGWbX+O7pcBxmbUlkuDeWzly\/JrdnbLf8o5IpZlL\/szeGX\/xaukbonKpw0kk35eQAFT22V0SvOQXn506i1bIeQVC6wqNBPKsgTo\/VPQcaj1aZ1Q17VqXoKPIuPlZ7SMkngAYC6FlUWvgpdcoeIcZ\/t2glrET\/TpZTHAx1vcYpwXGccxvCqJvFzp\/iEy\/P0\/s2VTVERM98qgpyC8vVMDiAXeT0c+8myMBJWMmEBB7+3YFzgV0RnhI5XMWiTiedHwgemVCeDU1kg8u8hqfknKqaVcO5tLH9t2FGmiCSrVi\/CAOeu\/vnWqt9L\/E7AUvgJ3nf\/XofTNim4vFwMW9qWfnflBAI4etDSLXlfhCF6hj05LkXpBYnhDX04dMfzMd0wbqUALjlqng3G22KPNXzcoLHgLHkSRTNkeGoexq9oBLHV6OhHb4pIzLS3SlHBQgMv0ujiz0C3WRmVVFITqTC4Ym0lFLd1XdXKIywfzJUvwG8AxVCpiWvvbn0MsvomTXCjNPteZVCsije7Ys2XOj4jFIoymLHdB7GeVOyHHeUAXfmy7fXXhR9EIO7It7pUitHoj7\/O+uP
lKz4WGY1XtA5gadBlJ9hcfv1AISORgb2SzImOEaEIs1Oyben4xhUAxtnihkj2tOYt66nHUJoi6WDXV0pSiA1adbER0DGTh61m1GbsvAF6iehNm5R\/auq3cSwz\/oNuoEeWcajKe6C+bJZ0Pp4ODEB6xylysFi5Nsg\/X3yxwOUBMebO7HFdoJOx6\/anLHqvZoeJiNuEm3J93g5x\/1Nsu9QNYOSXc3CITQMMVtVZsPeOQpBypby+hqNIrDBvXDcv86XBheVQLni22zPRHvnPPVc9m1STaKuBI1rOewM0zxJ7Y1kebQ5fFy"}
02312{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":105,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":70,"flow_packet_id":3,"flow_last_seen":1621492847100,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1621492847100,"pkt":"AAAAAAAAAAQAl2dmCABFAAViYNlAAH4RSxI0uxSvxPU9QM0gAbsFTuvFzP8AAB0IkN0D0fi2gP0AAEU06G6NT+VSCrmEO3BKTHqGvRDj7zHVCi94TyNRWxU1mXbjbTRFZ+CaZvg4gqUf9xMHAUYdMHn0JKiRgnSgkHznaTtiRgEk22fQwgIxVH+hvtVpbaIsb3bOri0\/NzM4wzGQk0hhFXdooXMc+tmV57mVI8vF9JmkYZ3AY2F8JLlv1BxIxapiJTD7gwuZ9nIypLmrrtiyGXxIl88PM6uDd1lRl3qoQ0oiA9c6pPTCRB8dAQJ4YYuVmuW5TbhruKDZ8PB0MJQOb013X2nAghH9Hwha3CvwiU2omtgMvjkZesxfUObKfDTbFEMzL\/jrRFh\/+J0F\/EGuyjhTpDu6+xG8itbCbnAQOy7WuW5TYEsc0xXOAoc6KlEwmQiQKfPKtF\/2CZ9SjafQf4Oy5m1SaS8su+ueaSjJsX7m0K38THdf5jQ\/Fl4bTD67mwBO+f0scmP6GL\/mbPaoaMUGAzlNUBiMCCExtPs8A0mmZK+0smBu+L2yDxhIAkqjH2OcdLR11dCH0QdOU\/qRLGN41DI\/\/cqIkx2ijbR9g+OiikFtGSy6n2LA3mBBdnd2T0hBdnX9fIo78omWMaICsidEwWQIYfSO+LyI2h4JvJoNJSJxTMpQux0CHDeflYgxqteaTQCHdOZSOAFozGJdqpUc4ukomNxsQCMV4GAyI75uC+kKJhbeM\/HEqnNyY0rfHOQrHusbMJJ7FCv6nM11\/2Oo1Hh2eJK88As7gRhqPVzeuz\/U\/xXz2EOtHRBBzR+oprpB0Uws8\/b54W5T+yFgV3JV567bJDHBaKHV4CypvviObj3VPZSDfbx8ZDE8cPozymxrQGwJnz\/SSVKg7yHHCcAhBIh9T7YzMsItriGNvgnX0urwJbHBIwvT0elkkqojq4KIx\/7Yh8uMFRpT07cYIl6MdN\/iCqwh1vqZbBwbGpfQR\/HAz4IypJz+zywRzPQmL4Zjd28OKKYaEI1VO6TnaZathnaIz0cGz41\/3ec6ubKFkmDYBvMaCkYbP938UlSyqwlkgR59+GTpwl2zVUb\/faKExO\/4NpJhLquIMi1hgHnj1b89iIzZEVRRmuruxSFJoxbfnenirV2KkIVM3rdYaAMxCt99+sRexO3VcGSAJA03hK\/5kyXvD1AEq19Fa4iw1nUrJXngE0gL+UwmRFL0ICfLh\/hdSEO2viit7tS9gNA4BJCujAoVC7fRr\/9\/osYAvWoTHo08WZH2WCiQAis7vlYiYCukAhDVyYp0qF36aPAJIVN4AZeZh\/UwxvSF7ScBTb4zd2qrmWQ\/QZp4LrWYepsYYrlR5PrdyOcgmPlz88MR+J+nuXlWXgCXcgNN1OrnHnxsLeZAZ66ipsvP1GZZJYJb3sLc9AcafS9torkCmsXvmQslIdm+okpX\/V\/b43ll6bHHGrpUQUv\/PNxOHHQOhXVrn7vat1ejZj90Ni6sGu+5HaMpi1OLD1mKP68o8RFXXDItYMsdIXH
nUpqZjqKI3C+edj9oApTrZsLkp61Xxv6XiA96YE2VPsxN+ezAXexypGEJk04q7+rYgpGY24NJp4tAUHgsYUOjphIugzRYKjYfTmKFGPs84dxLcAVTKE13VQOFcTXkt62OXTrEtGBfQUWVDuQm\/p598jzYh96BGCH7WptCesorqdhDG\/2HxAPEOEo7SWItolevicv20QLakpWkPPm17h6hzM\/rWFNZM9vbByjMoWPhIUCyRXi\/CbuDLLXeA9rb9\/9+r7QoHKocX6ChoPNabp8O8SrguQ6Jwt8O7ZEnphGvVCAS+swijeKY"}
00607{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":107,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":70,"flow_packets_processed":4,"flow_first_seen":1621492846202,"flow_last_seen":1621492848301,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":5400,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1621494599158,"l3_proto":"ip4","src_ip":"52.187.20.175","dst_ip":"196.245.61.64","src_port":52512,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00607{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":107,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":71,"flow_packets_processed":1,"flow_first_seen":1621494599158,"flow_last_seen":1621494599158,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1621494599158,"l3_proto":"ip4","src_ip":"52.187.20.175","dst_ip":"208.229.157.81","src_port":51619,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
02306{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":107,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":71,"flow_packet_id":1,"flow_last_seen":1621494599158,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1621494599158,"pkt":"AAAAAAAAAAQAJ0huCABFAAViVlNAAH4R6ZY0uxSv0OWdUcmjAbsFTknBxv8AAB0IjEZZ7Twbo9wAAEU0kJjhzp3PFc23t3I6EGlw9Nw6Qc1SUTVOLXwfMjNoeRLiLBXl1p7gZhSviv9JQfR9Wlb4B\/LvGDs5HubqNvjy9gSGhUAoZKHgVyQNQ8sPeb+zAK4\/+3Qxk6DgExGf6DSCsV9UWtXpGmfgDVaGUIKvjlEvPlaJQ79FJEUNmnxqw+Su2z56GwGnZs3etUJY7Thex2ui8FvucKYZYvgu6wRjounSXDUxthqRvvbGPyVi+\/zvUh6JQJ+TX8SC4eFZqQp+jb7GmBSIOMm\/Ec1jvbOi\/aliVkt3gPEwixlo\/RAm9MQzPwfq70hgSkoJx46ldrVQcWlKc\/yvw3p2stokg4mvv0O\/AA2g32B4XP1S2bCDnPSyjwe\/FFG3OX0VFLRXvjekO4to1p9XPgmuVtwpQLf4lyNVfpdhvYlgoEwUjM9uaq3UiXNUhHqjQ0L4DXtkhhjRWeULrLkU0f0REry3Q\/LckyGikkZkv+F+HV9G2NIDV+IxZQ6OWB7DM0Z83epJzGFj5\/uYXKmk+BbONhvtUkbwsIoFVtH1Q4vZLc4nHVR23cDEhozshXDSC7PWSfxClKjneDPQdrDLr0vgsH8xBaaaTioZjwEVMdhbN8FsX\/rL6bMhM+b9iF41rToFIYIcSRksL0LulUfkhaEGqLUnpKwuyqlF5UpMMngzqdoYUpd0fzQgxA99TnPf\/ZibGXba4goUBq5aTeKljwjQvpfeDm0N71QVgSNFdU8sTF5RiM0jkfLo8VOjKRpirBNuYJ7DIAlvof3NA0Grn8dQ7f8YWlV1lHjXfjMeogHBB\/P2mTQzXX3ArnxmdG\/i2\/iEZexnqGBauYfcvUbCb4yWGyQ+uf4buf9Z9AyMQMsYl+B8ptpOp5x0NGkqHT26QYAV+A6a2HfCBCEg66zE4TRZrMqr6q6\/a\/IE2n6Yv2maemjmwg4iHbv195EUc9666Xw\/knVVZHK8GuAAgFkIfnCTuFvSaCEwbnOXJ3s++e1rXdNr+Hg0b2Zbi4Ef9DQNeQpBIh3Ur7TEj8IDc\/NOM35lp7oYr7QO2zj6YAWebmCqb56wXDDn5mBBgu37fQhnakjMV7jHPkryVTXnFiOaL\/CVFGTvS46bBvmJkLPq4HRzoYbmboqQx4mXB1LvgMfXrHU3l7iZLz\/2XPIqh+KYqtzkanEAs3nElKsp2sB5mExQqIIubK+l5dcRdQNfCBmPrColZiPglV6Hv5liYk8JJ8Kbi6iN9RFbJHoGR+dLu3tvqT\/dah4soYZhtI9JnUfTXwZhINQmrqt11PjUN5xy2FY4x7Hur7+46IjhG3mRUQfKZk31z3sThwR5xjbX16LSIZERlLjpMdpm+lcm2fcsmWRXoQTgM8\/ugnLqEQDMuUDGvRukyIwk88fRryMIRKV8KDVhw4+vJ2EZLvYDeRSBFQdsKzSa\/hTqJc1bTtpaEUuGT2u\/or12NqrqQU7wVWi3YOk1X+OSoNbR
XciEI2LGKLRqsnbsAqS+IJRbeA+3y8sXStW3YAt1gPKq7Pgq5cW4+8O1NmIlJ6gz1+lq\/WisqZhapMN5rUgoylNO5YJPHuzHdkOWHinWJ52NWCXnOYekNmJLkh41YrSQvM7Zm1APRBCuH+h9RHttH1u+s9o2TQ4uAPAAFWi6bluDPG8hlbO7uz7OAKhhEJ239ij+NXPbweBE66DiURdi7Gj3kcjPg3OPsIP1L\/pUMzoKutj3ZBRiMec+XXaGz3s5ppe5ssD\/WW3cQpGois32lgVeJrDmpDxCsEoxF\/1Tdai7z0bd"}
-00647{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":107,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":71,"flow_packets_processed":1,"flow_first_seen":1621494599158,"flow_last_seen":1621494599158,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1621494599158,"l3_proto":"ip4","src_ip":"52.187.20.175","dst_ip":"208.229.157.81","src_port":51619,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC","breed":"Acceptable","category":"Web"},"quic": {}}
+00655{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":107,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":71,"flow_packets_processed":1,"flow_first_seen":1621494599158,"flow_last_seen":1621494599158,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1621494599158,"l3_proto":"ip4","src_ip":"52.187.20.175","dst_ip":"208.229.157.81","src_port":51619,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC.Azure","breed":"Acceptable","category":"Cloud"},"quic": {}}
02308{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":108,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":71,"flow_packet_id":2,"flow_last_seen":1621494599466,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1621494599466,"pkt":"AAAAAAAAAAQAJ0huCABFAAViVm9AAH4R6Xo0uxSv0OWdUcmjAbsFTojgyf8AAB0IjEZZ7Twbo9wAAEU001Nedh8jl0mRxcN7+5ymyAhdk9NMUwxYze3lIyYWk2jP0t92iE+L\/yAM4MnpE0YCo8Yj\/sG9IYL5\/Jqz+v0\/7PZJlA72+xIp\/Zz2FHFmfCsrXJBq8qMZr4yMJUaTQ79L\/KyQSvCHFBgMRJUhRKX69bPpnAnksqJirAlkiGBvT0YEt9mMoiR55EP1zkREk8I1QRdfacOBiC1xn5oSmyEOrHRGNMlEIFFRJLgWr0XXotnRIEGBlAPOKZPZzQapDug6\/9gRem0rTXsSVsMhbztxGw\/vtcuhxHhCL\/sRMBYP\/by5OhP3fCsCPd3sspB94dh0sVKqpEvWHKRXI5qkQ8i0KiE6NKXE1Nhqr1NvADQnhHZesnr3pbbwRzdVtIdnVbg+KpCF5NoQHX8ZH8QDyNjWRE1jnBpB6l3OJ1sSKdAgaiw8Ptd9k6AGoDKbmF4ICOpOWeyjIS5UuYgKNS4W1hKboP4A0l98z1AMF1cWHOyoMcwHulLBVCbBON1h3OyJxCb+qSsMMjsumD6d4H94KHLyQlTJDPLNq5+27EH4JgoPrQnrhU70QkhyDGeMEA08Y3NMvkMXs9ScL+i2jzv5BFhQo\/tMXR8AuhJIM9staI9B52\/FDML\/NHMdUhCiYzlzdj1bMiHMjmHtScQaruiH9wV2aP0flj8aUj5pRTOyuCcs7Yj8tosR5Q7Bc4J09A\/d7uBuSzN6SiWaOfxKRsQjRiB+PoBFp3RyZI15eo0FBDGFV9z7YaWXpK\/QUxQVAHHMQr6q2XYdo34fAYM5WCCSw55MSvIPkgf5o0DYE25dUpBH2wSkVcAbptZSsQKNwzN7dqVdVmsRhsSqNIVkr94Mgea0XDKOPfcuA0DHWVB2NpAqq\/2KIzHInDQ6qFc5M4nF4o54hvOuiL+GByVbEQt\/\/entGulu7X2JEiyqmYk92gVvJPNI8Bwemp05+Q+twxKscsRsU5w0Xn4LJ0aYLhTJviBC5fXR8Pc1viFBHXYXbarbLaQ3PMRows7y8XdeOl\/bsuCdG0ch6eIFsRvMMwjmhUgHj6ZC2WxikfNArVb9\/GqEMsVsVGaSerfdOb8LTsT5SWnrIpnMmWN2uIjFPgyu8\/qOno2piahKRLskEqrRUpNfLzBpNxlY9abVFtVrTQFSn+Bv0pyQSJS4S8yhl2CkBgItTkREH46KOs97E\/bHK\/yGj3NexQldO92K00H85joQ7nGUScRMKfqIpqXecJxSM6OAroxCymb3vSJmrnHwKgY0lo+ETPgqaXNxSMmLS\/2JsUVg9IcXwjmP\/hdzYDT4SjdN\/NCNzQLqEDcD8ycSm8xG+d2Pvjum+8NDSNcasGk4ZrSjQeckzYfCVt3NCKRhy2IHBlWjMTzzyU6DPzhIcLNpxSDWwl1i2IaHmb1isu27465MaWunzERUUlOR+kzIqaRHPTGq7D8F9Wz\/Lo9VOIM5KywiZogg8pDlQ7rw5vQ2wQF
5TAz7WtDmtXKPT6M2TZLh0RCInRTlcWnKpFX\/38oEnnKrzaye2ifSAUvdyfSNZNXjY2UYGYg6Xrow72NLPTC9O\/+G9i89rbi0HpJcLFfEQxFMQ1sztsPWaTAohU5yyk90ga7gEn9IGLftr8nTGe13R6POb\/td5pOruFoWbUnJjSDEOgXIJWatBnyyLDn9kNeLMGnrjo17scXrhmlTzgSFpT8tsc+6WK+4OwCSK7uN2VYU5zw7G2oqvb\/XH2izKQLOvApMhxYFBkNigiUw+ruYaH6KQmSISbShAPpmf6e3Ok4EN\/1H"}
02310{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":109,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":71,"flow_packet_id":3,"flow_last_seen":1621494600068,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1621494600068,"pkt":"AAAAAAAAAAQAJ0huCABFAAViVq1AAH4R6Tw0uxSv0OWdUcmjAbsFTrvcyP8AAB0IjEZZ7Twbo9wAAEU0356vdnE85kFrnK9PnoN7N\/6cuhgJZOurPVLrUkSIEhjazS+SHD5nphYh\/Ei9oaiDY8Opbyw\/qBtRNMamhXjzOXvgznSeUsgwy1Y\/wE6Z8L\/PLMFoRidzgyIEn6rjIJKHwzzF2KGrVstlhyz2RTwgIvHMy9MIjilbgudOkuRl5cUCx4DqELWc9uRZ3o5vsRYtLfQcGLcZxuZNq+qR4l\/haEcF\/bo9RHUYHevsrmU3WGlZq2VVs06I2zfKkHonNVQotk1bro8ws9jUj7jyxUbwzWCdp3Y0J2vApeu9ELE8rutr0ZnW7RegpTFdI+\/pjDsy7w+XtT1RZkjL7KyYUDlQxQdEaIMNGHrAqXcCdWe\/PGc8CDZEYRQG4imIq3PmqUKfLT1H1z5PjAZqsks7C4eHUMCY+G0m1pwUNctiLiFN\/1UbsvMid1sQh6WBXSJiOYMPhFaj32vm6bQzmsW166O9cP+ju7nY2kDwHjX1VRLKHDBPT+BqIPgfQsjJdmUiCoPO1j6aSYQVgo0uGE74BSKhT3W7x1ONh6fXLzmN7+wWyuCCjfUqF68k4DNAO5ugG5nw7CpIh4otPJ3HMgytjz\/1hKjAQhcC4anVdWe0zLhoQLK+s1Pp+iUPac8alWHNwAjuYOUrtvLlDW5GtHXWtZeiHtJznZvOZ++hzVm33rcGcrUAJZx8UDtbZOWODHW2DvBPFPoCX6ZQVBXs9voksBXC+G9JF7eqoFmqO\/EH6soGSg6sF0snwdl4Tmbozt2\/yp4ye5MHCKh12GvgAGa\/SRfEXeWrk94V+VCNFH+5X7\/8EcicVy7uChM5zWex3QUxbJVdLP\/j5AI3XbgkHGGZyofmIhkZxWEV98Sv0kfttNMcxA841+aSpRVJN0a2XfeGieapwvw\/R6yETR9CN8TcQTFe6UQYPq7543m22E4Sg8mtjsfi7GhTVtBFlPk02hhEbcLmI3PLT100l2b\/h+mQABi\/RqHWxECe91tiAPUoarX+VKj0c3DqByummicCRPZ6kkW6whbXho2HsoAk+D7QoyjIYr\/kbmXT3ddi5XSAc3T\/AXjnmkbnhNKsXrqcM9kMdl18Kd80bmVHFpHplnIJlyzn8ksEEhjYfE\/gaufdnXnq1D3ABRKg2gQzIvoSpfYLvtOATq8ZeC375hfqRNXtw\/n1kUK3bICXzA6mFxkmQD7AGOSqcR3jSdloiLRo+G\/p15yY7zRCuvYbEtKyY7omcrKB9AP+U0Y\/znYg58r4wOaZBC4V+dmRK\/kkpba47uaqRhUyF\/yTdt5a8rnd6rmCkS\/vkMPoDjgVn9aKrD3m9zX1zDlvbDZWh6g6iUswysusJDPEcMqVt9oBikmJmTA4XJHL7KebwbAwBNS3e6+CgYETncO9oV627jebHXfk1gOzNt336lADXC3SIjRhE0xUCj9b7vGl2zV\/XiVaHp4BdieNUYdFnptfsJwounQcX5RSN
rDM7WkoXytf9j\/GcyxSIH55p+0ANjoTPQ14vhNgMa5CNLbJsAFOaOAZLOmrRttaEW+CIy\/6QEDgSPdDqCmjHaTsDMAS0PJ+CViTPaRKX9Mb\/HoG1+hLb7WLn885xXvuCUz6bu45JBXtjOSd2sFZtZL5SSAAkPqTlNn4yof7j6smtUT03YKs+rhKLROxwhgN\/v7YhG5RqBATOJnmQaGvuGYn8hIWfZ0uuo2mUCeo5E23kwQk4p+DKVCBDeHuSFjGPVCnKBGHNbnoLJC5+6z0UTOz+H8VNr5FqbVxdiFV1rCMp6QITKc\/"}
00608{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":111,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":71,"flow_packets_processed":4,"flow_first_seen":1621494599158,"flow_last_seen":1621494601272,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":5400,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1621495208068,"l3_proto":"ip4","src_ip":"52.187.20.175","dst_ip":"208.229.157.81","src_port":51619,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
@@ -448,7 +448,7 @@
00607{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":132,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":92,"flow_packets_processed":1,"flow_first_seen":1621496172813,"flow_last_seen":1621496172813,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1621496437543,"l3_proto":"ip4","src_ip":"168.144.64.5","dst_ip":"93.100.151.221","src_port":52942,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00605{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":132,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":93,"flow_packets_processed":1,"flow_first_seen":1621496437543,"flow_last_seen":1621496437543,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1621496437543,"l3_proto":"ip4","src_ip":"52.187.20.175","dst_ip":"198.74.29.79","src_port":62114,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
02310{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":132,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":93,"flow_packet_id":1,"flow_last_seen":1621496437543,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1621496437543,"pkt":"AAAAAAAAAAQA+mr7CABFAAViYKNAAH4RaeQ0uxSvxkodT\/KiAbsFTtIIyv8AAB0IvPCERtRr\/7QAAEU0VDep\/CZnpIQa8eVhNyJ3U1QCAukLnPnKtOrC\/7zKB1G+98eg7ftwXdiCu4mjtl1Q8mNJOaDHQdHo\/ZnotZk2q+6WYBr5DXX5QHa13JOYGLxoc9qyOjz+jbwetc54i8U7+0kSHAbALiGoIDK5WQRRZWetkNux+DZoWjHY5WfosmGRQsxtOixsR3jt9j7FOo4uqSxQGhtqIeA0i25755C0K1hzCtZHRQuy55gnoUo6zZiPhelVtIcqgCilkIu+IaiAgPdY8qusu3Q9ASMkRkk0UX5H8nUY5fVDgGL4DjsJROTA71uUmNZenr0sr5JOl\/aDX74AH3H77h7yG8JDcWCMqta2iHG5v7LfQn6HD8EvX8A9+X1BPgSNN1do76JMe5qE+cL6FAAbPHwnyEKr00VkR3NF0Wj71jZ14VH7imUBnL66mFh+udQFwSu20vdM9c8XD4z8cDkFHoqTsPkKjRGkjCQi8gB1gYo0m\/YFj+JeaePbkDvq0OSLPaTj\/\/uR93wYJiwS6oC\/aiMrt4Ai7n7\/FG5FTHmyLQWtwhpvmSeJKiasDEobo8lDxko0INCDfgQfJ3SBS6Viiln\/ASliXjKWu4SrneUfwv6qaK5CsTzFRpoqdrt\/s\/4hApSQqHe2ymAF3JbfHyoRulU2oXzj3PnMlAj4Z4Vj4oik802VNCwqS9rwhkgwLpg2ForHv0BBRPYvL6MVNDpoeE6Q+fkjAsxQcCry3Tg\/0ntsyB77pU9N+6ViiIk\/seArDaEwUpWw96CaP6HGoEH+ITzRBw4NaVx1WIIOT111vCFZOdJbhxCcjcGlkWUXH2Mfa710gWwLlFOy8LDSs50FqSN\/OPohmIvSl5JLifaSN0t8gyVjvGme43FCNf1IRmz\/msB0elm4bS6ud+82racQS6O6aZIJmDUDJkR4HH9e\/YL1z+2ASyQ94Fzatzpb4GFKnXYPSRR9ZXr+nLzhoRIUWJY27XaWKYbXR\/JgJvZqSpd9j1Y9iIYmFAj\/kzwA1TDOawG0jmZJvOHRbLPdttFMT9Z8ICzQz7sbYr50LzOCpscApRYi0yCxCW+7FvKkaUxLEeqVZNTb5bfzGXSqygFSO8Onu18Vfr2pGmZ97fTY05vmeNRaTdGB9GDxEB+of1UDIaNk5S6UGJN8C0OX2skQW9hdlLAoFJbl3R\/kaaNQomNrWf12eVjbEPUwYduxDkiFO\/Cu3xI8s\/1bhAxAoo1eoosHRSb+RfuzYRRHXHaCwK0syV2XsapF5fct1hE0QKESIuGMqkYTacUhiZ+am2170YsnbIH6mCpW2GWX2kdp\/NRfot7wqoww4YL4kQ0dV2zP8iVLBMwBcBBj7jRlAJPmU94cd1+2yA9MIjBhwW2o6kySfxuLx1CH1XTXYxyDRbLVbIkYJ9KjklyMjtPqIcfNaglBMiG4bD+cmIuV+JVF2yBdmwLpupy8GkZrPVtTuFpepOJxWGxrxdE4L
NF44zdCZCWF5fsbh0tA\/4QNVZd3EvAFmb9igKxLlVrUdRexT5v0zY8qkBoP74MZTTSWxXbGUHSlroYRRVjE1ko2j801gomU8QxZIsnLdQPtAkZ1hEimDc88Y35XyX679476yZ\/aqcOmLMYDbu0Vw3kbH\/S1Pi\/Q6fIKsIvYN8tlqc6ZQKWv4iCbutDJNK0I1762s\/zDONmC7qcwhUo\/1eKb+bifa8jDvxqbQH5WTi1a8brNLoMOVpui\/c73ZoNVIkMLLnI\/xxYiZknhsfNiaQgxORr7sklMg7Kd\/f31pN0pVpaR"}
-00645{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":132,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":93,"flow_packets_processed":1,"flow_first_seen":1621496437543,"flow_last_seen":1621496437543,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1621496437543,"l3_proto":"ip4","src_ip":"52.187.20.175","dst_ip":"198.74.29.79","src_port":62114,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC","breed":"Acceptable","category":"Web"},"quic": {}}
+00653{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":132,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":93,"flow_packets_processed":1,"flow_first_seen":1621496437543,"flow_last_seen":1621496437543,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1621496437543,"l3_proto":"ip4","src_ip":"52.187.20.175","dst_ip":"198.74.29.79","src_port":62114,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC.Azure","breed":"Acceptable","category":"Cloud"},"quic": {}}
02300{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":133,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":93,"flow_packet_id":2,"flow_last_seen":1621496437852,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1621496437852,"pkt":"AAAAAAAAAAQA+mr7CABFAAViYK5AAH4Radk0uxSvxkodT\/KiAbsFTi+oyv8AAB0IvPCERtRr\/7QAAEU0JaLtoHyofbRbg8jGkawveiyJ2UaoheXbSYuPTeMKCeIU77lABrfhjW\/KFsoqVpaP9JKJMlnvWCAfrhYhpHkJG+xvxdGDmZWYW6e1KGN5t8DibwD+sY7U6We2yL0NMOrSYyY67PZ33CEYMgrO+bU1ma8i3+NoKnZhxsjAkaglJ6uAUozF4XuimP6iU+KzggGtZ5AHeHRJJSrIijvm2uURkPI\/Zf52SGLY+vL4vQPTe7wS1EKJeXUmQgYmh2aup9vLeWlDTkRpMf1EwpwHNlukj5oBWVeoeBmaQD4sx+NuopJ+2QprYWTuKVJ508tJ6HgsW5Ot7jO5bBygYTExm8AhqCnq4UjBmnft2hLhbA7\/d3ydVpIp7qFrWPv9n07PW58yXrAf70XLdskX2QCxfb2EahbYmb3Vx+DoN9ZQfyauIGIQJ4G4xs7NSUBH1KpzLXiWyZKGC2bhtRyON+3HzPjWFxkL0Tfa80\/+SxEpgasrCwJQb+1o6V\/lNwqybT5vHn79PHBIvEpedoaDM+BEu+O79uo27iS8RNPO794dIBqh+wJSlgKlH5zeUshHAvvFJn1TFlqv8TRVbuRhgffiNiYg0o1CeqH6Zf28VhJJpbsJJD4AZ\/jSirQZxHEWJI7alxgK\/LiDdkgpKDEWpc3pue7siiUI86wkuQp3ziUbYYUwf+3S2XmN4C+TOxmkT5fxEIOXMUz4o9qBlMvVx+HeJXeP4+1XADUariBmhpvXNO6nl8VgSR05a2jc1zcSQm6hoH7Sjq19QDV7jFEfc7eLbvAvOLM23DWJ+wh4NpHj9pZdPlAmebA1IRONzVUDs+FLPzEH62RBEORoAtOT4e39cJai5gPk0i6dU0vofBLpifIxzMyKYaGd4qxHI1hU\/vumyHtthijttX3+DFdn3RYaqCp1LpOaUmoX\/6sMVu8m0LGWnwhQqFoSAeJsuv14Al7ULvCdbJM06GXHtuP8hOpztz8GERiD3IE4+pHtQzzeOFwW3gBxM8vb\/kgHuBEO3Ngo3tjKIHZU34x718MZS7qAptuEPHVkm+ESamOD7xBmeB3Lqe2ntH0yaZ0R1ojSk6QGp9l\/DQGTgYlqqmVVplJJS9Mq23y4sYJANTI+VTWYMkD6NqRCbwxSayYlRmpI0bsWTBa3Egd5P7LRpi+3cNo9ZuEhXIAF3ycXIYlhzeSYSYvtqmdmjkTzNQLLrulkQ5zCYRtkU4zvk\/g9mgS2CcfxLTkjgtei6kwqIx3Nk4h0E0OZscgKCSJf4cRmCCOmfcnN0SQlWhChNjlpr8NXwxRXP\/99Mm1hVM9\/1cJQ8UoVQJDRNojN3SkiUl26oijeQfH807azHA\/97ACgXT19Mdl1O3NlO9Iz\/csL8LLesYa1qB5z+IjimX42W8TXFqTRlbQ7oeAmIc8H5U32U0xeqTwvh76ZUT0WO\/Hpn0xBlv6aqBcKb1Cxl7JTIzz67aCTV66YXN8NeR593i1
+u0PvZCPySYf5PqAIuY3yAjXufep0Fzzko0vw1dgNNd1cSLqgPBALOXp4QpvYDsh5OdOzrPtb9Bwn8\/YjM65iU1fQJwe0pFgWPBk3OLAC1ivEA1X2opEADJmIj\/+8LvIdF6nYgzKjVtmvtV9atGouRJomruCL8JxrFfNeHoRpx0yRl9yU\/q2BGWdEuqEHO6y7Tbfu0SWUkh49LajcNcpvqE+bJljstNdRH3yFDQnBncwCCqj4zSbXWQeeQR2mI+3rqRgA1HwOB+cQZChDPCGByW10tu7BtVyE7\/y\/Y+sF"}
02313{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":134,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":93,"flow_packet_id":3,"flow_last_seen":1621496438462,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1621496438462,"pkt":"AAAAAAAAAAQA+mr7CABFAAViYK9AAH4Radg0uxSvxkodT\/KiAbsFTjIVyf8AAB0IvPCERtRr\/7QAAEU0a1V3BXBwEIhDElH\/1qUxqcqfVK\/U+I3pv8jXB6GKoLcClwfi5i+JVRi\/+qOD0jSHpVm+CcmsqV2quEgqGH5Gn0rihcbJDGj870ULZI4KmDKfC69q5r6675Wy4U0x28m2t5DK6rGqmJIfuY4CLJ5+JpnAGepaot5zw988NS9MjaUUAwJq0KRJTk9TQLF3FkyUeCnv+L2\/mCZ4pQPvTUHoai0BPsJAkEBQbCDT0ne2qov3gwfXPyGYjT+qpU1DonWmFNb695dnTcteFv3XvXkEd58E8n7ydtguTKEpl548CM+1ZWTRyyMlXz4XZF8nSLIMx0GUIZgZvabVLDS2+F0B521wAlGhNrm8PRINe9rBVvQYcP4xgohRdv3nDuVcLpMwOSEXj4YWgyE3ZUgeAzYB\/H75MXEyWx2rB05U\/7TWZ7NlkA33O50sz9d4a2o1c3cNntoxGwlEfyLKcihZ\/Suz\/KxirS++R\/qp01ueSmHonRfmrrM1LSGcMyKd+Oc4e5KssoiJAFl2Nso9pSh\/Hc4LC0BNO2pv99cb2fqWMrvtg4RKbfx1R5ZiccoCxgCpi46Y\/bGbfrDImS2xG9ERCTD6jtG0jRR1KV9w3yPJD6dZUx9vPrSlfE7TRtUvV2tg2P8RQt\/NsSQk3\/7JpfMhAIPApofSUgXm0f7r+8Zw1J12aP1zZsU9ZyRmQPc6usI4DXJN8WSrOMAw2YJx5dHRsAS5bRsxti2UCq\/PcqbnjXZexpjegsnkWKYnN\/pwtZdssK+ny+99042hifAuhg\/BXmwZfuFZ7LWOinb0yOszMgV4GVujdcSyRmmJB+im4Mj4o509W5k04dZ0bDE52gnvESt2EXA8x4iUBeMzV1EC9VoL2Zd72WZ2Le8+\/S0MFe3Se8D\/liSQe5dY3M\/L+3ZXq\/9nfvzioEORhqMqj8nSgClQeG9dmdKGgxM5mcQ9CeGNozwRdxhJvWFmctGZQ2NjWDhhDHDaqU259Q3FvsbElzHVdrJ5mJ0Cxf9ajFKPgkVOGdrDG9ApKtfsvTm8mcEa8n0Q62eOymCVJqvif5jaYy+ecjinMVsEogfItZgW86yqnm54hcKotzJtaFtp3CA5T0NjiL0VfXkiOTKfOXVWtwS2R+LPX1ibd8kfkwAh\/XXkesEqkGqJKfxtLjiY18HS1YhU3t6JkzeJqPLrJB\/PbFwyElYds\/6m0\/g+LOXOZ67UcdCScV0su9cTzTbpFuilpU31PFlGsAgDKmvkZLzN7jt\/kqOCXoWwgg9bPQkbwwNwl54A9eMPW3BHZk0poDKL2DWdoWQmTEsHc0pqdf\/k0atEtrhXPDE6dm9ctnyGia88NrHpejAS5iOiAf1eL4iWXQNTQkLKwlOqi0oh5WENqyW2gdD3O5vPNDr95MLc6Nk9E3B2M+6BndVVw6tTuGClOXozYuEVgbdPUEQGHunkA\/dCQkelRbanSo5cdvMQPWbxe
U5G497tiSuxNDfmsujYTz\/BK6JWmejCS\/KhAJaMKx7PrcrPsaNqhZU4Mn4\/jSs11bYdbYsLm+pMXqsl9X68WqxfFniiajHo\/Fd3P7UYw9qKzJA5hFllxa12+AedgC513u0kPjxtExQUdI3b78Ms+FaM6UYc1IOQ6tYJC\/kR00xvH3J0uZZ0HafuTIIxCiV49M2ik73I2gkK\/TLa9hQf1LFJjsPj9VPpRxrc2Ly1SzJ7P1j6ovi9NMEeR\/e7+QcpnMJTH1C\/dGDgaTfjeelKzH0zIUwM4v73ZogzQ+Q6mOQCAb1RAyJQ"}
00606{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":136,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":93,"flow_packets_processed":4,"flow_first_seen":1621496437543,"flow_last_seen":1621496439665,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":5400,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1621497523457,"l3_proto":"ip4","src_ip":"52.187.20.175","dst_ip":"198.74.29.79","src_port":62114,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
@@ -474,14 +474,14 @@
00647{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":145,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":97,"flow_packets_processed":1,"flow_first_seen":1621499083794,"flow_last_seen":1621499083794,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1621499083794,"l3_proto":"ip4","src_ip":"168.144.64.5","dst_ip":"185.186.183.185","src_port":49217,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC","breed":"Acceptable","category":"Web"},"quic": {}}
00605{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":146,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":98,"flow_packets_processed":1,"flow_first_seen":1621499130835,"flow_last_seen":1621499130835,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1621499130835,"l3_proto":"ip4","src_ip":"52.187.20.175","dst_ip":"198.74.29.79","src_port":61286,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
02312{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":146,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":98,"flow_packet_id":1,"flow_last_seen":1621499130835,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1621499130835,"pkt":"AAAAAAAAAAQA+mr7CABFAAViautAAH4RX5w0uxSvxkodT+9mAbsFTpEZw\/8AAB0IgC3o3GMiP\/8AAEU0PdKy7uKG3ARNfT09pZj4weIAx8vl1AZI+zMCTSNcyqisuLogUxNuVvaYt3\/glQ+D6lndRNMSuyW6j5yustnSGakysxsalXmdT1UcNTCHKHLeg8MGYbFf1nX95GwKiEKdI50HtYAVtBQjTNOTIu4nPcMX+lDl5V6\/ytmtC7XiQnbKGjmWQm\/5MDqEu40hggsQtcdk2jnQjgDTlviz5K19+Tr1C9ZtBh0pIi4\/9HJR25mhrL6n0N1dPzZ\/Sqk4b9t3u89S9E30HZYdBGpKBZsCH9hWFAhEmi7j9zZtGj\/cxAMeBcWRYInSCSDQRHhlkWsdmuRhy3Q07JJw\/pEuGWxhUDuVEci8KtERueLkLLLpEexZVihN4fEprEovribmXQoru+8BTBV+JKFqpyK44xLUOIK69w2LDvW\/c9dPKklcJAIVdwv\/H0kgY4YqDOIxKOP84t7SjU2P\/ow0Hgn\/JAdJ6i\/lHci\/A9+cu9\/Xk16H553fgdhUwRGo3ALZoNMzPzZ1o3fb5FWDfOha3mWIsBgUxeNt4buHg+jzgWf7W+8y6hmDLWrPKxyW2XOx6tYTJz3Xjs+\/mCn0wh\/mAZ+1hWOefp3U2Y80XBDgcJQRXavyO05wNoq15SpWKscYO5J7keXA83swiPGep5RyjOBdKfiII0v1ao+0rcEj0azRi8HmEhA\/AjmGfVSAAHVwBUamRC5+huXrgR7MEVx67+etgSdyuW\/yAF8xKZdh7YH+6wKsN72y7zdLpHJKk0SbAUI46TifMcEIMeIjlEPcVZXIE5rZ5rAAIrKbutpPELqhKDRo+C3oR4n9djDZXmF+B4O61eZoj26V8iiMi3Ap\/CD+ILTxN1vpLCz34kzpWw+Nvi\/ei8CsOgprWtklqFizkd0rAcDGEQGgQUmScGmGMEFTP7Tg2c0rd2YIJhDkQOLfYLZbFQ53RWO0Pggj\/QDl2rb91M5mdkJT0X64J45SyH9PR\/Q3NGgNCplgG+Zi1JMbY22khGyCv03BTfHcT6hnjWVcK0KimWhXdtO40IIpbzn37UO9Luj5lbbwTxA+F15tWNy3XlcT29pBTkrxIoD1a7jgZwe2L1\/Ov4CPoXZLMCQMQHvebHhxwgktEDCOQHeufOAARA9+ttGIYLmddJgygIHV+Z0m9eIUy9kSZvBlaoiT+1q5FRgi4aM7OXeRlcCnvKKLkhgPWsdD0iPMWVSO46LUV89lhtNMGfdtBxkfsOg+W5oXMWMpj9KmR6kowFzf9zj2QyWQFYmhpTbluKm3xfoGLLarkejEApaHi42nZxpainN+yR4Xj1CvqK7729lw20TkDJxJys8CkR6zRpnmDL275nTf\/h6umI\/BjPRIRIgbx3bSDq20ohdXKRrSZXC\/Arr5YfL+XhMgAUJbz3r4XwrrmclpOMMJn2kr\/gs3To4em\/HdWYqxdT6aST7ERX9KK04xNC6\/hrkuQzcRruUkuY3
mUT8iKJjTr46ie2j\/A1tng3m3VKM0t\/2rfAm08hZWqsveRgilR3Zm78b9fgxj9VY8tmIh3i6sK\/djJUOnInRG631tWG0Qe1eRXSJgMeHizDi47oScl6deUbLalH1IvbrClHklGE\/ZcbaAKgwr43r+5MEM4cfDxEWqZaPxzsAHgwOhwkmTZ30Jhi+c4as8kD0LDD4tAMnjZY1FLuGbtQbU3BlRBN9KIN1hHKMv01OPEqvqTE8yp4iGqB9BypJrEEtRX\/ZZWohZEKxDzLUAu7MMY9Va00pq66LfRVHtgBgFkrrN5Dlw320q"}
-00645{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":146,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":98,"flow_packets_processed":1,"flow_first_seen":1621499130835,"flow_last_seen":1621499130835,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1621499130835,"l3_proto":"ip4","src_ip":"52.187.20.175","dst_ip":"198.74.29.79","src_port":61286,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC","breed":"Acceptable","category":"Web"},"quic": {}}
+00653{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":146,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":98,"flow_packets_processed":1,"flow_first_seen":1621499130835,"flow_last_seen":1621499130835,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1621499130835,"l3_proto":"ip4","src_ip":"52.187.20.175","dst_ip":"198.74.29.79","src_port":61286,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC.Azure","breed":"Acceptable","category":"Cloud"},"quic": {}}
02301{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":147,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":98,"flow_packet_id":2,"flow_last_seen":1621499131134,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1621499131134,"pkt":"AAAAAAAAAAQA+mr7CABFAAViavhAAH4RX480uxSvxkodT+9mAbsFTiPZy\/8AAB0IgC3o3GMiP\/8AAEU0xNPHNjkzcBN6tG3CMXMgN1VQUQ5zORwwdJvxC+4U4Wo768p0CS6oitGkvJZyjwyc3OomATdmVH8dl4u8+5ZoRqU5nHzh8arBwEn1ailAEl2\/FeLrAKukjlpYd2Uk6yjAdkKgzRJUrt7\/axFA3LL6O7tdgC5hzo0E0\/vl4YnagMJM3wjFjjHYO2MS55fyThkTKtMGKHzAVPiKv2kKUgzu3g8FlFf4vERg7PBca9iFQwa1e6czfFLHU3jmlRamr1hxIWC8ey9XXVda7oP9kCT82UgKpNgsvn9ag0yB6QxqI6o91lGsTfzgwNOJcVvwV3aY2qjfabeDbzPU82GWmC8dcxg60wWM23VAAZlVYaqE14ppMMyorKrKFMn+86H5\/aNgSXh0MxcYpilmN6MgsD5Jpkp6OIphsmHoNdSCO0UVCwGJhSGovYG83XAmetDlCEUuBf6MaZFXBjrfL+9+VHX4irSmtkovc6L5vSe3Nf\/Ub6qgARu+YW6Wwl4tUjGEcM7JKUQxN2Ukg1PimEsh9oAZ12nyYh9FV1JccWxNJ2iNa0HzjjZKFHsI+Wpn2wjQu6fGLrQdYisl3dxVlFj4jvRBju6QBGPqW8L8vdchXv3SI7zqO+NhEBqeCwisAVMGs3\/e0eLRoiqrlCvpzdd6wmWwzublWtkESFBS+GKBzAzbuO4L4Jk3UFfDunCYtqzhO+2c92mAtqsWUkc7CKf7i5TjKJZM8unl261yU\/jXeb6zhnBK28FD6Pf7vze97LmpT5VanmKiGpb8ZFvlX5LvJwFqOst\/Op1D8Xr+i6cOe2zujddvgkGRpWHduSyvlJRv5eRBop0FHOugDZjHwRl1P5GOEDM7AA1rf2k\/IZ6eHOqZsGK6AJyenzNCgwn2VrrkC9JsT5B02qcBGp2ieI1StsetnNDeBxqD01kqrPTmpVvwJxCy2yxgJrEXUggkwFbWIS7thWSjjhXDU0J1GP9L68+5UUKxu0743nekpL+HTPJD4N3h3CVTgzlGthPYulkO8tpw\/xmwb4Z53Jqw0aGKoz+dhDGMih5n97yaHi969BtPXsVrXOzMwgYDcGdHV6VGFDrRp8MvBHKVCcSB29+r+o\/y7gXXTkYGvFUdNPQnjtOPuTA3g6ED4ZH8pHwnFuthO9KrwMMPO0Bmio3US2E5BtPsHcZEVYe8RumZt3y1QcMWOvon\/UMvBjIjvrv0jsdmxjixC9tBFNbGe7r97P3sSHcFQ62T6BzS\/+NgBh1Yy4NhP5OC50DrYOUUKT2FWmyPF3rEeN7cKlVvDoToDTZvmnHz0lXki3TSjmEpfEl8VTrO2dVRjEyX6UGi07VXGODj7O0oDpUYCDjmG1IY0i\/swPCy3NuNEJt8yL0p3nKFjn1FYCc72eaCLxOWLqdkUlTWvm8YpTERh\/\/2jrhdGM0qtsJ7FcXHR51v4J\/QVf7rdJwPLrxNThdnZTGK4C1SIOXmUd+I7RAsVph
CtMqkYz2xSC9bj0qFHuk+dNgchK\/qNK7D\/3TQluL6drX87zcJEWbeEAz++Bs4gMrOfH1c41XMna9bpL8uXPg\/gpvGR2NJd9tPrZADqH\/l\/5rjIhOiUnkWVyo0TCuowGc1U+R+LzRsroJKH\/6INUIkFvJyqDDWDuiqbuF4a8ofyZWpGKXbY6tbrxR5vwaHY6nEBEtgpQDNpXreT8uG1VJNuS0qFW1sMAQeSlsJF2xsZqjv925b07nSHBK8aJ++l8pku10eV9oj5mc55it2ZlpB3G4BEsXbBXW0kaMazv8X"}
02309{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":148,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":98,"flow_packet_id":3,"flow_last_seen":1621499131747,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1621499131747,"pkt":"AAAAAAAAAAQA+mr7CABFAAViavlAAH4RX440uxSvxkodT+9mAbsFTucGw\/8AAB0IgC3o3GMiP\/8AAEU0O8kVjzdhFbU85yBt1iwqehVgv2Jezj6mn9SdO\/xAMoQ6Qj2CZu4L+khp0ED4qwgVsRimpW9+019RfzBmCFh99aBBiZCv05rUnXo\/AfLOGNQtnfLnIt22QaI4txCY1wQh4\/Yqe+fANHZK\/ZmF\/8jsdmd71qfw03URemmchuDEmTC2QyCtQDR6IgH1doVCRoOWgfqOlswkaRTmqWfAdyO82HcYIhAl\/HvuxVmWaTRo+N+1Uvg3vOoeFbmkRfA3yUNsNKKXj3CuZnmwqgawAkhvUNunDuSNb6sXcWQSLMYzSYokvzGSrnCUFzWEzLjsIIkXyik5WMtbabj\/rXxW\/BmKnGxQAsyLYjlGWLl8IsRIUrFFSYYnArQnHAypfPl5sP2d4bIyERB5Xk+W0ngzdIfL9its1S\/1UVAsH\/LCTr4l85qg6B3o5lI7DKEPxygD1vV7v2kHUJUOsz6IQEA5cB8per0TSrcw70EjOs2PB2X\/KlkRtnF3cJ9mBrlLk7KkAdUnU+mv18q7Ur\/HRCeSKZ1IDGV+ySb3Pkkbb41pvETv2t9LoyQAD6Lzg0sSPQ7JLV2KhP1jHyct5463eYlSDK4lKsa29bix2j9nRvZdlPAs7HziAX+7Yre3QLRHAPqf\/Fg1bbLM5UQ4fWOBRZxhjJcdvgOJYkAXggHGTSKUtw58FK258BEuvGOXPaZLUbUPnco5cBPBIPnVm18eagNa8I5hoD3V4qJwr9MuaRW9lHG4afIywkdpNhJvwCaU0fJZ7zWnop85QgRGJTV5214WTZL+EUJZ8twDwaNzSY1ggAfatI1G32TefYqPxD0muHegRu5a+vh6GU9Nr4OZ\/spphiT2QHSVclDaYx2okizMN5ZYBs0bQln9i6XBm2Xldh+51uDHmQ4Zzp5v5YqyrRXhV0FfzvxrdzKY7KJJQgW29XcUFfrN5qG1mzTku37OdUh4OsIIhl78ZXl7b4B4gtfU2MlbyD0x5w27\/HBKRN75vA6sVD4434hZz0CVYEpHiS\/\/F+U03dYEtR9fBHiid5ECmvh8ygYyirip51ZPSMQ+xf+D7QciO3qwP0jr6a1lkCiOGvIgtxOPSkwBE14jvn4b4AgoxAwzxMoNWG+KiIzQcc5d77j3SVtd+zufZsoTaSVxvbWmtRH0a31c5XS8D\/F0m+6IrOG+sVg+DE76dDddFTb+w9dffyNc0Dy2WGhcNHMlytYl3hpyDxLT5XyRXvjxA0\/VLZiYU4eZ4ElyHnvoUsVc1zIaglmrF+UZkxVlMip6nMHZ9lAEsM5\/RJYf6oyNArAqc\/usJ\/9w+reh+ZP71fVKQMu8hkbAHifaXr7zINN8beOioIt1MpZKpcyaXZRCKvAOiunMN2HFg7gb4p\/O\/EYfkBy\/QNmvkqv63ADfvqVNbE3rlc1Spji+jLBIq3nPFuy\/5gX\/hKpM6V+1cWwiQk9pBOX4ZM5SBBKjwpGA59adq
r0mV2fpXKtxohrt1P7YEzdHgk6wi5UR4cnhpR6ATzawptEewUpLpO9E5\/GgMkhT3mM2LdLlAJbflcld+TxymmmNvb3UpmjyGh3\/j4AG85zZBWQGL4jZJFWwd8JkedM8UyyY3+J7Hf7Llgt2XBjEica1HmobGyVnvxPpQPkJ3hFFYALzmeLaq88STNOaZPk6gzd8otilv70M1Uie7Wd78Y3H+OJSDOFEeZSWpO7cC\/0ENxs6hxSkpuU\/vHtior07jJ7OPSapjbYusV4q2O8nnSUJJ+wHjLAkldls5Mo1vwKpLEojKmMh"}
00608{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":150,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":97,"flow_packets_processed":1,"flow_first_seen":1621499083794,"flow_last_seen":1621499083794,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1621500710201,"l3_proto":"ip4","src_ip":"168.144.64.5","dst_ip":"185.186.183.185","src_port":49217,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00606{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":150,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":98,"flow_packets_processed":4,"flow_first_seen":1621499130835,"flow_last_seen":1621499132950,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":5400,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1621500710201,"l3_proto":"ip4","src_ip":"52.187.20.175","dst_ip":"198.74.29.79","src_port":61286,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00608{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":150,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":99,"flow_packets_processed":1,"flow_first_seen":1621500710201,"flow_last_seen":1621500710201,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1621500710201,"l3_proto":"ip4","src_ip":"52.187.20.175","dst_ip":"102.194.207.179","src_port":53260,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
02297{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":150,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":99,"flow_packet_id":1,"flow_last_seen":1621500710201,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1621500710201,"pkt":"AAAAAAAAAAQAXWCjCABFAAVidHpAAH4RAzE0uxSvZsLPs9AMAbsFTi9Ky\/8AAB0ItCn86+Se4YgAAEU0MHhrfbtIJTtH3QVY6F3aeUtwMPN+HFDoLuLJNWWF83Oo91F\/IrU\/4VzzpTeT2Fs3WeheARS7a3eJ6+jBx50KgL2Mtap+DJiMUnv5+MiK\/lUO39U0cv8d7GpIK\/I60LKV\/5UKO3hYdAl9H3sKf\/17sYn0RqCxn3h27SFb14UfQMrK5fzHbBIcyCTwAI8EH1FUNiii2EHC6MKWOlasY1W7tTdhYLqIJe3Pnw\/eMMH4EH67C816p5GMiQfDThgfQ2wgQHnziUTQvAMRReqOG70usUWRBc0H+BQ8YvPfZECfgPywP5jcJ6yFiW20NNxDHB6aoJ4Cj+YV3HYe3hWH6RtYkzgshfY2d5Z5SXiixf9F396ika8t5YhgzUJqm3qaduYkkuoKsKEzuoXUVwFjy4mdMVXENEyNoKQ+m7hVG2MtxWAe5F0iilBt4B+B47gPKblladD3cYJ89FSWeT4JmrpSKq+sitEawWg8mHrgGTQq7NYbu7N+XGgNwfYKSGmo+wJ4PZoiqprX5abZOW0AcEO4GmP23kcsiaw6jBKGRiI62wQkX3CdcrDC94UAE4ETeCTM7KGTkc2NjqYwxvCRWtYhRE2jKZjoxjsBPN71ErHefn1F+hbfKNlDzSGX\/XS29PsKXDs3Zy7d5AvyJhbeMO5c9ZW9Z367PIIkmQCfsx7uUon\/NyNKlzzrFPmj4\/Q5MNYmYJUzIjfkdbkREP\/oi3qdVUZRk6Qq3mEyntdw2m0x+Fl9NnJmI7wPyTSTYM1zGxtoprNKLZoKHPJUdriJdNO1mtZLgz\/iMksWRPpo1KJv17xWq6zVr1T5Rb\/56VZDZZTzvvnDR3LfObrvTjxHZjpDe470INkM91Ng4x1MGEIzMvtmxatbi7QsiBiDO\/OqdD1JZRhadEr1SeF+j+x3pCgDJPrTxUQNeLKGpDOINsHcCNzi9E6t6xSea+mxi6UCuZeVqiu7Mq6oTDEdYhM0f2zJdDmUwxt9ntbOaqb\/70GFQw3Pu6A6FPriLWgxfjbt820gGfdllAq3bd17xNlN89\/sslY71CRXr\/AXS9zW9TVm9cE3ieGVRvpPlBXLxR3CcDRad5beYHB2p+59RVP4JEz3gq5xGAJk56U10gDcUMuTu9lOP0LVK6rTCu109YNLsvJwHDQHJg6cMb9ghMycYjRH9R8GiFVxeXk8FZUVTPEwK19hu5R3J4CDXQi+bSlYR8ZWUeNFXdURMnp1LQodsU7HXmk0DNjXTkB48gPiecCbmUF+uqaDsBFruhCgfz1ajvkEGLeVbKosgz80uhsQmk3MpvR16f+ZOAa9cii2ACYegZ1+a4KEx2NvHlXUrXa2GOsjIAygu7UkwCjyJDh\/KLNwjSadZAQTyM7O4lGORdsjV5FzQj3iyRFzjEjdAaMYFQh7u74sj71sIjcdgnajLAngwvieEOhjfkDL0tvg0+xr2ScehwvmJTYQZ0A4LvQTGmQ0QSop8E3
Bdjoib9O4UduuWyY49M20Z07qfK9fbUe3P7MyS0IssG5j+o2HGVtB2rGDGegUxPzqBriraNuRetc+27PYobO7JO3W\/n8cUzNrheWIWi9IB4U+pmyDcJIP58jjktd5G89dt6sAMJR3A5kbmIbJ9iNmSo5NdNog3tnD5t5HDujKlpjs5YYJJjfEpJdk07sWx3cs35o4J40ZUcj6dz2f5kyw3ZDKB\/hzEHArYpTkaJY4Gfn8PS30KdL4TNAJjWtoOfQevIKVcxh5IQLx0UwAHLDP4qnlqslqSloufJGz2Uh8"}
-00648{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":150,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":99,"flow_packets_processed":1,"flow_first_seen":1621500710201,"flow_last_seen":1621500710201,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1621500710201,"l3_proto":"ip4","src_ip":"52.187.20.175","dst_ip":"102.194.207.179","src_port":53260,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC","breed":"Acceptable","category":"Web"},"quic": {}}
+00656{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":150,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":99,"flow_packets_processed":1,"flow_first_seen":1621500710201,"flow_last_seen":1621500710201,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1621500710201,"l3_proto":"ip4","src_ip":"52.187.20.175","dst_ip":"102.194.207.179","src_port":53260,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC.Azure","breed":"Acceptable","category":"Cloud"},"quic": {}}
02301{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":151,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":99,"flow_packet_id":2,"flow_last_seen":1621500710508,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1621500710508,"pkt":"AAAAAAAAAAQAXWCjCABFAAVidIBAAH4RAys0uxSvZsLPs9AMAbsFThGvwP8AAB0ItCn86+Se4YgAAEU01ef7l0UP4woUE5dsuDr8jBLUL6glp4Hay+1PVqJ1qjZhTrhZ\/HlCWneFdokdJJCHL9aLl4EI+zRfD\/McWX32i\/GREyeHr4lMy4TiI6zbvduEowF9eNA5Tp3OZ9GCbt+VMsYazwXNCMv7NFAV34d4tKKg3LHgAaEVn2Y+UbC2G+bYh+I3BU7O10HCLFpy7dljaBLe9qgbXIUuhMGDWNAnyQ+uYXiH2Jephgdag65enzMRnzpWg6tOxGmRHM\/sp7fpGYwk8PUnJ\/bg3wGtSnXhZccRwt0adDkhfdJ32tQWidjaGerN9H2lZ7O397QtbCs9\/8om91WjQ21YVaDo4Ipv8H0+f1V\/Cc42HBGsarDGnoyUmUg1jicgM5DPMJpvLG2UQQK5tiuC\/cbEV8WUL7QwOcxB3jbJTnxR1MHJT3pp81ODQhzEb3PhIJ\/5Cs0fOuGXlljtXRHGXKKK9NsXQ0izy4kIRIbdXUZKKUe4T4svk7KGeA3O23ttudesKDm99vJFGPLYZ34JAet2qmXSBcBuHQHN4aXeGdVG7MFzyQ92k+oQwlhlcIAhjHVS07UHZXN\/vQViV2LX6DSII6bHO8BhhtxKEj+5T+AEO+gFSPXVLnsAtt9jbTLOZtW1OuAXvN2H99cPQ6kiz\/OG9Z9DeWz\/n4jYXXfnHNa1A5r8RPBukPjk+DreRRGc9TBqR\/n8DDhNakfL0Fck3RKiTr8g2Av+YbMsrLWtvcnoT0rNWL7JWLcj4+4\/jtD3F4oDSeZdh9waOz7hGXnbyoVXNWXrcFpfx77eeqj51aL+3KRVwUbkgRwo5pHgL7hEnxN9VPb3Nbay587MleldGfNDOngB7dKByzM6zduwHhffnRWrDEBE3EQQI5wNwKLOIv9dQzppwC58eZxY0Cxh0nyCfck9L+upLS\/SSPRp0lZCWPVizK57z1DXIwneHbP\/8Hgysu7PPLkyCRSECVbbbitAvbtwLTHK33sAbO3oKAAAXnwbYjqk9lZmdLeO84o92phBblzzTWEVyzJf6XwtEie79iUzv0gOZKqtupDWJnjOgWOhhSra3KOxaFoHE05l7vFbVZMWFjqvSUOIj7aT8pRtZ3A8XiI4yAenMZbx8Noig2Tv\/4iZBtEhsXIEPJ\/GdI+cZsswHBmC4MoRRX8sfAcQcLKC0NsE8iTGSOI5BQZLzHhGSKkGn8XVlyAlmI52p44RHuokDQeePWi0IqXdipLo52vUi32A9W5ZySu8wjwH0+TmQOsjtyEt1WRsQ9wLF3apv\/TUW4+usvpV159wu9QNjO39MwP7rVLYpRTpK2fHgNOq47+RoVsFZDNOEQMG6JcZfYhdRpJCFZTxbCJLGBrNE8SO9hLhrTXR0B0IZGDIZ35DJlgU3Za+yK3uSCBc3IN0p97ksRGA5FKvCPtJcsM2\/csH6\/HU1qf1f0iRNI\/TtUb6I73fJb1bLdQeKNHntzmogBwn9oPuqo+g
tLSwtXae5sl70N5g4LrZ8PFnTx2lQMUWHnNA7\/NfKlV24zKPWKBQFEp1Ll+GkIQ4+2VSqwKteIza9AEA0HQRFuVoFbCOySV1C2F5DI6b3bUAcZPOS4EK5sgcvgQXK\/kw5Lml\/5HXzi6wNd7ujorlYuy1rrbgADxiFT3G3+7eEQmrzleWwgR84fGJrsGXGWRRksb0D4sgTRBJoHHnzf+UHtoZlhKZ7MrrWCe+rgmAPKYrQl5HS2h0M4Sd0TsvG35w8Nfd7uE0Cm1gQkCkKH2QZcTaB17nO+93nufc4orBsf0H"}
02301{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":152,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":99,"flow_packet_id":3,"flow_last_seen":1621500711118,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1621500711118,"pkt":"AAAAAAAAAAQAXWCjCABFAAVidIFAAH4RAyo0uxSvZsLPs9AMAbsFTmIiwf8AAB0ItCn86+Se4YgAAEU0FvsScjgiXb43Z5OHmvEYwaOoC42xDpqJfRfqlKRpZwF5AnAxrqFV79ZpFnEvEhLmveXc5xDzsSroW6m86jG45I0fFyX3DYlFTlRWn6Sytea5JPO12EfJbfqSFvNzEqmQ4gFas2HXJ2FX2ZoFtOrT1Qp43etaUsidgduMrH94THaDB9pQcwHKupL0h5YJ21d4uDpduyjYmRI\/jSmxZ2o5487BjNxGIiLtUrbwVkNIPSfjyMP5aDNyEKH0uc0UKMUvLMNr7XpQ1A1u47hFs287N4mHIG56vvgNzeLUDt0k1MPT\/kGpWCx8pGpFNrvk1nrkx7VkZAvjp\/9BdDBzSjx\/eUYtrNhzQ0IQe0hI2dyVNc8oZJZ9LtwNkx13TL3XaejmmuaYZ5B1EgN210MMBgN2q4MKppTuAvCQdN0rYg1Eetfey1Czpq8DvYrtRob0CYoPxRNQb4hQY+mAtVm5In1K8uiwgIb9fwBZ4878UCDelVNFoIUw+l3DO2r3eQiyJ1qJ2FQD5njNdWfokooKrW7pkJaWp1Su7UEKIwCrHqPQdqZjdBG1V1fXoUW3f50uoUtNBqxzmzG\/nc6r9vmn7Hupo64j5xAOGxtoJ7+CXMmYHHWY26B1SVO8GEqfiJKdUBeSOJP+\/MJ8MxDfNBGk\/ZN++nWubo5tvAD59mguiYbs2TJn97d75ZXwCSvntISAbbWVTp8AcyBv7hFM4CenTfEcDoR0h+9UMmt410Igj8DfCq0uBJ9bfdd9vaavpedqeSBrcaCWj6Vm8lPgRR9m+idu+v42W\/Y7dhhPvUrZYy43dKrTyr1UA6FrlC0+cMVKwBuas+sYqkr29klDCbiXmBJwbwFjeK4tVoMcVU5tgERpJO29uTaQwM9TtLKYYpaiU3bEFvVtP\/Qtn3qhFg87\/I\/RWjoT+rBbR4QDQUW9VPOaC\/zE01OtUPc5D50Oe30bx8WsZ3NjQ\/Rz1culaGAqFUjPGD3UTvfe+YzvsST9oPhqowv7hv2g7D78AygZJDWj3Xy+kWEnj\/pB3Jx0\/OvXiqzf2tizghsbgz\/7TQfvenyU\/YjzQzisVkudIMBHZfHpFf1xszofNNVEViopslpwwFJvvLgUhw0aVf5anl4AFVfHf7Fbiq+ByHxdPrQzfWnqt4ebVjeIYwLQRD+Sc5q5KKw9n351IQvh3iLjQfOMlC29Lv8K\/f64xF454eAM+T3ej9aTbN2lpyk4d44ROP1Oa47QDp0riFycvY47pAgeZtogdK11E5+iMGpqTnOxn9+LXFyNRlhHrvu67ztK3yT1Q38o1K6t76Qdc2LLNxNb42ZTHdtkEvDq4+GjOdvvGXlynEQvbTtvdG6fACdyaH0xeuILHqQCt+BvoL\/9SLWq+5Q6qid0Ax80+f42fP1VeV80Df+srNlHtlx1gxx0eFSN\/ZxupB3yFoybkQHafOdB3DjIHqI2gODRQBgLO27D\/lTmmK6tKkQ95
1QvnyKrHxord7vZSW3Oq7RRLWR+SVjkGHmv3l\/Ze5hnE5cZJuxcuPAk2mAKwF+6k5B3F+cbJWDnxNeoh4C1jTw62drlxgT1oJkzh1x0IBq5I1mmRgifHxa24oQE8RAkrXlt\/l6PygI3tBmwEN7W9ztIBr0mGHgoMXHSI2+\/eoOzMY2+qscRsVIWNEx6WLxrztwLs9nHe+LJi\/8hqm0+hjADeZHms9rDOsWgE7WwhNZcW0TgSYYOby+hR7hjZUUjIMuY3PvHUBu9nOxFOj6gdeVPSzcIl5MJbJVDUDw2yOc8"}
00611{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":154,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":99,"flow_packets_processed":4,"flow_first_seen":1621500710201,"flow_last_seen":1621500712321,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":5400,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1621500832402,"l3_proto":"ip4","src_ip":"52.187.20.175","dst_ip":"102.194.207.179","src_port":53260,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
@@ -498,10 +498,10 @@
02299{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":156,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":102,"flow_packet_id":1,"flow_last_seen":1621501260783,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1621501260783,"pkt":"AAAAAAAAAAQAcbmbCABFAAViVLhAAH4RRAufdbB8z3k\/XPqGAbsFTtJqyv8AAB0IqwzBH+7SJ6oAAEU0OmGuRD6o6zt6nf9tmhZ4egDU3ziCGGMLigzQd\/qcgJuXuFXJaHBdLU0MBpsdPKMeIvS9Od3J6aS7A4aqWHEzIUcAYpLZNGiwuH3wRo\/ZCRSY8hB6LE3YzLe42CdSzc5lCzItOsVUkYEC0ElANHXZEVA1CYAydF9uHTTyCq2uXRt3pMNkc6SD2TRzdAjxNMy4aC+pKc8u60PxO0LJCtV5c4GHi\/apOFYyznJrd5zwDibl6ADYf0eOlYG7Dmb+62KXGzs+UZINoqFEItj8sokCUApXkVgH3JMM1tQ7\/i+CPMar5u5VhzM0xoMe4DQC0z+Yuf3p0TEn1Yqj0xXSzHscv\/FAGmONfCIQGf4DqCpAxJhcdINRN9hpMwFEfhYgZXMbdUkpqQbEUlH6Jh8L0xXSG8BNDbJ+HqsCUU8yfHEs9031W1jXujoXsokpBHj6NRhfYT40cfJ0owXrRfPAsakJrEfIbY678aDECo1jdyeAUnmWY+XbG8o1nY\/4ODgRYgmuoc3IOboNUvx8dTlRVrTI1abSpt63k1mZBwz2PcIo80+jYFQUD8COKs9GGRBzV5HYfMiKnpB8E0fvddrtWuczrHTEHaj+A8EU23AUAoyRQeuZRJ2ND3muZ5PofS2Dkb\/RLqYEnLx53b3gsbjBEhQD9jTXMS\/CkNOxA2dXLmL1VCbZDM001ClSjf0VqrWyNkHZ020vH5Z87sRnfqRjhEFyC6btyFOJe50iTVCZPNiJgpQQjGKjO4rNKkdOhqVKJYV3tZ30pOlvkz82jkWMMrXlfnLtb9s5pzTLv9t0tUOoQ4QgbRKhgDzve\/xApJG8bUCntJD7lpCAx9F9HoZMq40CxcFnF2sEh63lTmmld2YtjKFNOpA3UantQuZCNL\/CmftmHYYLrD7QkKm4TvXgbIR8RxVZ+EtiDOPLtHOx6d9B7dMcTY3Mfmi0JILNHIfrPCWog+RxVMh6d8lhNxI62zpKHPU0Tg6vqeO8SzyLB\/n8diVDpb66xI152GpmYVi2GA2rWPfxVjszVl5jtF3gWEj8sOvNX3xomkTvDqEIOlWFIFjdzSMYAaE\/94dpPwrnlUXOlwVZbLyG8zBkrVJIJEL0VFlCRP3cPWR9GCwyqZp3TvaFXw65QoKcuAiLNfsKEEBT7thsxAP5ShRNnKnAVngImJT7\/QyRjMLgNdZQiVPKJgKxlHmR4CKW3EdPdCekSxLH3DqHQePQJoWyWmK2uMuElqVzImkMVeqUtVe1Z7XAmQ74ZmJX77RfTpYOUgTJWLw8yAw1CjfU5hA0NqXKDuF\/siEDZ0glp7FNdcWvBjbo\/ABe7QhVen4FOuDzJ7O3om6ZklR7mLYelWmYJHFfypdJF0Xj+hmRP2HWSSx4\/j6XqYC2eVviMKbyBDVQQPI0EM6QnNDTPPWP8a+XfmtmdlLc9QgUY0RmRpsrtKa+1IyPqG93eGTD+ZSsMgyIEQWA5Fm5wsK4NEmZ
+pC9UWL57aEkWkIPEN4XlJ\/9JPPb3uZ2vDE\/Va0Bb1Y7vNFgBYQGZaZLzo9Gdz7yiHwLVKre1BC0kz+KfDM03+0yKx5CFVmJ\/kBO0+wIW17IRrXQXE0U0ProK9hPHRKvARb03bAuREr6TJR10+JsF1ImGW+lnDDK1\/FtTCgnzrxyWlFZM3Cg6kZN\/6ZrM2A49rBarb0aVirmITUvU59YafXCiT9ymjQXREvUsDHNYJ68Utiz2AdjCI7phJ86HXYCIFDLKUZ7rKmhC6fjynuAGp9kfCbPkPfnqyMDrXIJ"}
00649{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":156,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":102,"flow_packets_processed":1,"flow_first_seen":1621501260783,"flow_last_seen":1621501260783,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1621501260783,"l3_proto":"ip4","src_ip":"159.117.176.124","dst_ip":"207.121.63.92","src_port":64134,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC","breed":"Acceptable","category":"Web"},"quic": {}}
02308{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":157,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":102,"flow_packet_id":2,"flow_last_seen":1621501261082,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1621501261082,"pkt":"AAAAAAAAAAQAcbmbCABFAAViVMVAAH4RQ\/6fdbB8z3k\/XPqGAbsFTnp7xf8AAB0IqwzBH+7SJ6oAAEU0QCGjYmqsUMXHqnSGAa+SGBqQKewpsFPBcHbIO1VQVQmdi3mM6XPwhlgoWrccirvAt2h4VgoFMSMBKUnjc\/s7c31zMKNVAjGwqSS9UcMQe+beIWng48oRC5FQxFxp76d9NvJFZQrnobOu9\/OI9vLd\/kjxzUXkKaoMqPw3HA3NrHDmVaI1U1G916dAe3tpfhldRg8TG66kkZbvUPojfmBk6b2Z19o0wD3eL3ArF1ggKa7dtmOX3vPsGSHppdsAwy05mrGdBMogG2GNPoz1f6Mrx1CryOOeu7sX8P0doH1Sq0iFILD1hylRmMMZ5Opz0H2bi9KA7w\/Ag2fPK0T9oDIw0fFaoOFIf0DJ+lEFoJl+bUaUeYjpiNWRiJKG6uA\/8tslFXAk5id\/lQWKSBH2JicuyYgt3WXJe70ZAzp2iJ\/c\/DtJGyES\/AMV8JsInY9TNZ4RXPUu+I\/eX7SJpitBsTdhCEwJGiE0dT1TYgPIAD7IuBR125WX32fSO6pJg\/SC52+hata3geWR8gYaq0AXNqoDGePDOkIXu0L29JvXGLb3VjgkzsU7GDWMMiBS57s7K1nDWVaICtgb8tHvX+qm2yAEqxNTZylYIiRmNXEmMd4aEPfVCDRnoLnzwSUCqP2hNYKZWNP\/L4ttvwS03mes81iB3GFItzHUXUjDko+av7CA0J3KO8YO\/MegXhauhWaOMhTq9siY897rXz2nMEjgxielkq2WyMK6PT7GQGMUlCvVs2Lh0wr5fTdVSGH3n8y5kmB+Cpz3AWzqb0PCrL7nfp1ZQdKXBaV+\/8ls7T8As7zUGDLh1cEJLF5+OvQcPuWBETyYL6v6P0nP5uBkBK24BlVWM\/6sea6ivZVTU1ytJuTc4EW8eV7cOfQv3Z0ZvtO\/E+dtnWbRbm1+xnHQSTJejv0j+x\/5AGS7d9EBuJMkNcE8AQ4pldxgHz7Ptlg1BHWeyw3V53MEbQaaKLxV0WAfr2iBsH3t5M6hAvRICNnnoroLK7ICwfeGHvOCdHXa+iqtGu6TGnIJmUNgGQqP1S8MgI4WSJKg4gkxYOG8Yq8I6m3HzLsup78oZ6bqytrclhVLejrz8Tk1wQFWeJGz1cSVmJ7dlJY4MD8VT3IFiybLNnMNNe7YmlJus\/1uc9POON3uOlN0OXN57myRfkJk6aARYP\/VFYz2zQVzhOYWEpCg54BznwVNZxFF0LMNmGI2PVN06DbNXX9IxLaS+ptZnDWUEZKgww7Rh55OBQLkyONb3AXu68OQa9KfW6wKnH\/vmE8HYT6n+SXcK7GycIHau5AFjik2iCmv0VvdznzcaYCCq0Mfet4dNtH\/YoT\/I\/YrfjkCWn9TD2GpQpUNvMSERx6JmQCcnn6FUkuIqIOwQZ7TJ4fAgdop2a8RuxfgczRZ1qfymdRGBK2o+W0zafNFhHNk2SYmyvsZ1V8VBf\/oEixGqVnlZ\/Jq+d3sW39fHCM7TJKwcT
tcBclxaa8fGLAAlW9lwT0AQAwjaArlz\/6Lw8tnHTm015jYFYAA5vZt1SyvuCzOL1voALV\/+nsbl3\/ONSPNJsDGJadYCDcjqbyAwc3rD2eTlnRMOCdPOfDkt6aPuNtwIQdnKz2fd4z8axtKYuzjc5dW0Vg4zcREoGQwXF3Mlfi7nUkcrBa7blnobGRnU3R82Mb1vEB9HojGcsN+QDpwTPjHZhspz1V5NyHgQ7hab2FBtan1NhmTF8w7rDqqAwRtjT1cqxDw9C9TkgJvOeDw\/J5ejOyPpxUe1E98wc8RMhxL8HbUxhU6"}
-00891{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":157,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":102,"flow_packets_processed":2,"flow_first_seen":1621501260783,"flow_last_seen":1621501261082,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":2700,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1621501261082,"l3_proto":"ip4","src_ip":"159.117.176.124","dst_ip":"207.121.63.92","src_port":64134,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC.Google","breed":"Tracker\/Ads","category":"Web"},"quic": {"client_requested_server_name":"www.google.com","user_agent":"dev Chrome\/92.0.4503.5 Windows NT 10.0; Win64; x64","version":"TLSv1.3","alpn":"h3-29","ja3":"8b979b020e67a82c4f1f7f3932805dbb","tls_supported_versions":"TLSv1.3"}}
+00889{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":157,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":102,"flow_packets_processed":2,"flow_first_seen":1621501260783,"flow_last_seen":1621501261082,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":2700,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1621501261082,"l3_proto":"ip4","src_ip":"159.117.176.124","dst_ip":"207.121.63.92","src_port":64134,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC.Google","breed":"Acceptable","category":"Web"},"quic": {"client_requested_server_name":"www.google.com","user_agent":"dev Chrome\/92.0.4503.5 Windows NT 10.0; Win64; x64","version":"TLSv1.3","alpn":"h3-29","ja3":"8b979b020e67a82c4f1f7f3932805dbb","tls_supported_versions":"TLSv1.3"}}
00609{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":158,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":103,"flow_packets_processed":1,"flow_first_seen":1621501261282,"flow_last_seen":1621501261282,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1621501261282,"l3_proto":"ip4","src_ip":"52.187.20.175","dst_ip":"202.152.155.121","src_port":61484,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
02301{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":158,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":103,"flow_packet_id":1,"flow_last_seen":1621501261282,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1621501261282,"pkt":"AAAAAAAAAAQA2OESCABFAAVibSVAAH4R2uk0uxSvypibefAsAbsFTt60w\/8AAB0IZEtuMTNmxFAAAEU0LH9lIIuMdZ7Kq5MCzCZAEE+168Yufakbt9pK0ksbFQo5gOkiaZtZmGL7ajorb6dlvPftlMSSvVuPm3GtlmjJiRJfcfSv6WCOpmfO2v6Vi8Gqe2z+CCwK+2m\/JLswIRcEtxYUQTR+mGEhGLqGsRBSch\/o0S7SruCC1QzCSC8G53\/qUYvkz+bnlIyDwadCcS+Bc5KcjL4tNroERGF7KikT1T9sF4XsS6GZZ5vImGfO3EkmUp8XE7jlVo8hS1am9\/dWmCCc\/5UVFDsBeuTG7wkgrb8swjB0805Wj9GAKKohjHey69GAIKPU3++2Imdagnr4acCwOFCrohzIIheL6xgOuccLlkxDVLjv32FfUde9yJXpLDBHMt76\/rduX6hlX68l11YNKGEr\/zkJxTj9ypa0blphHmap9\/VBxt4j+qGvE8cstJqh+0IpvOAVwU9lYmLuMLrq1nyWotlAq9mRnhXu+BQIbhgiYOfa+NaU9CqMuW+zTjv\/orQq5ERGPyXLWWaqpnLvACGfb9O5GE65tq9zbrPCgxRqZkEBql7CjsnZhZlmCr3gHvgCBq68gfxQu+39WkMzkvkbP8IALmggIQ7VQf8BFdayRba+Un3cP7f07rfoszy+m8D\/z0DW0SQgPeYsF\/KmQko4DJ59g8KzGl0re9gjZRv5RqIECyhlYHWJ7GyL1p6bli3WeNOhxQJ2LLSs7R5C1m3Adc0j0XFC1pB+sAW\/WEd5oLl9Hwjd6M0MklHMK0LYJJtSeHujnXWGQ8zBsv7diOFCmysv3C+aiX6B0P9ogHiAroIepHRii2maNhtRux1yyqTbuXMBGnRPqFAWbVaJQnNR1GwNd+qPfEmyFuIfG3xnj0aeWVINv8LvYzmYdOSTc7SL9gqYuvzHxRf1+Upzh4eF5QSLoWFnXPXL3449L3q0i+u80g9dZ3zpdrqQOpENcencZZGYbAgeK541RYNNro8eF8HwnYPBOIy\/Zl55vIK\/DEhSHnDpLGsakuI5sKTjtOeDx8DcJWgQ1BpawPb8oHOX7RqPhuxoKHRxFskxCDjHJh3ZT2U7YKpwgythqKBDauWw6V0hLNf6LNYtE9ypEHgKJ6trOXxgEDjS1iVFjdsX8YQ6+uIw\/VczFtSfg\/SPICVvTLXIAkfbMpSXSpbuwtaktICU2t9lJxcQPW3\/l2RVQlQ6A9orYmKqPcVckVDM+iHEIyMf9H4+vCZVgRIIICMwjlkLV5tcwaX0n7fRUHrmKaF8bEP9rGW60wBvfzerDhS2zUGBYaNPcvoOZQT2ZC\/EK4cXTZIBKvBIyWC72OiMtkS12h5aaPAtwZ6n2dXPCOk3d5CPWaaLjKOIMoQxRhJPD+tcF5lq+ivLDIhTHUNk3nCiT2ptn8sF5bPoqGsz0vo61bRIdmWMMojjGxrRSN7\/n7VJ7xjrskWBNwwKUBcjdFlM0H0heCJNg1grIB9Hn\/3GIWzCFZQ4MK0h3E8L
nbseAq9C+ciIX45aTl8kFGqoSHjTiIRX1LhP\/Ej8fNDVJL8xCvYIK5uvMb5wfu4aPiMKEV+qyT2Ru5KgH3hlAbiLVCIDHX3NwF+qehB6sfUut4lougpqanWJ25xwUyKgjA21oplysL84+Pde6u0fQ1tsE4nXneYYoZdfcbHNS2+TcLpNnevmrlv8oGUF+IHSvQ2pys4po2Ft+zwvHiZVRUCkyaXat54kiLBaAYSl8PWx5iWyAEXxmiBRpM1GFaKzxBpGVsS6lfPmZGj\/E0GSH9ahQaWLKvJL1xv+z\/y5zk8w"}
-00649{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":158,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":103,"flow_packets_processed":1,"flow_first_seen":1621501261282,"flow_last_seen":1621501261282,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1621501261282,"l3_proto":"ip4","src_ip":"52.187.20.175","dst_ip":"202.152.155.121","src_port":61484,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC","breed":"Acceptable","category":"Web"},"quic": {}}
+00657{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":158,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":103,"flow_packets_processed":1,"flow_first_seen":1621501261282,"flow_last_seen":1621501261282,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1621501261282,"l3_proto":"ip4","src_ip":"52.187.20.175","dst_ip":"202.152.155.121","src_port":61484,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC.Azure","breed":"Acceptable","category":"Cloud"},"quic": {}}
02305{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":159,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":103,"flow_packet_id":2,"flow_last_seen":1621501261581,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1621501261581,"pkt":"AAAAAAAAAAQA2OESCABFAAVibS5AAH4R2uA0uxSvypibefAsAbsFTsIcwP8AAB0IZEtuMTNmxFAAAEU0JZ1KfLVI+JBmlx1gc1nZ06mlDQJxsWyoA2bzQbVVMhPumzwO3ZAR98o8ZPo9xLCUDTzGpsR1VmkqScVjzEZA\/RjIqIioWENrjUeZOvFpfzQMTLEtfK1H5gSkSzr1d9deTBzCPCECHyoWo01URci3jW51V0HbjDnEJD1I8iSzapavqXvkm7q\/CkPAOKz+EFk9ddN9tvBAUK+D6ra\/NoAZo9xXayAuRyx3iyJFB5EvlFUz1Sj7dTVlS5+TdfHDF6BCtxu\/3b6UGPME6BE0mv1zrD1kdQyNtPuDIptySY43Kas3SgvX\/I4v3DNRjU9o8CMW8YMBriuPdWaursmVudUTJYnB0q37mK+lxWkIltSWsQNuLr5cp6c4Vru0wwO0Ame+VygNGHbkKKCLw\/51hBpKkkTptkPAlMSaQQtKQI0OPuk7ItN4VrB+m9Vkwuz17+rymkBrFyMhsKcJIjj3luZReWaMMeNdN7r\/9xHAgrWKyyA3NzqfpYemGPDltByS1phr383eIdP8f5Ze0Ac0+tdcIJ2dWvbXqHhn3dZjhSk0HZZGEHnio7bqsyCfy\/wl3pykgp8G87hcfpY4upvLLmQRm6zklE2ZcD8mFhu4pD4VtgI4q1NkSPN4ENjVSltM1\/G\/SJCaisjk7\/TaytPYDocBazw8BpeLBGuMrWBrDpERso7obnHeO8wf+Lzqup7YnGDMt9vWazQbf5KRZY344vRrcxm8Cgm6xrf7EN0vEZrGdmbVtBvFwjU01hxeAVD8m7tC88nDxYD\/Vcms+kgEHQFUG5VPiMI1EaEjp4uM84vZhZhC6CDRHypPGw9HGqiPK3b\/Pd6yKRggtZr\/oWcBajQm0w+tBJKdOv7x6ZSHD5PhdRlgANNg\/jeNfdV0X5QnhkLi02ZeZq8yEDPFn9a3Lnz57TXoXYYfH6skWRGwGSQ2xHufw0DtBDB91pQTHPRFqigTQMOkcbUHvQ9FLSynEnElkdYIwyDeYl1wlkOI3z6haMDXB1V3RpZHuXa5GdOGVPCXKGY8TvCCd23w7RNdvgI0SAkP50qXRP4Kk2X1AVVlqpYf8FwiZi9W0HEiDmKaHfCa6sFt1\/rgrqUUw5ELhzKrL6pJ+lTg3H5NM0cd0C4hTHBtzSm3C5D7f92zskegG0WyFRw1Ba8N8vzkk3+Qhp\/je68IXQzCUe2u\/EtUX6CQYfCYIoWtYM8z5STiqZadSz8Hcj8gkMjUYbOqoFONvZacfYEHB0SARvuLReB4iTtWuIXgjYJcb5Qkm+SBb46jf\/04rZRrUrWfuW4MRTyzVXxCithuxVhs4F8PHfdPTq\/LCBBTHWDTyCQfTKVPq8P8t30ZnQWxsuPjLcSqLk2yTFwMtN32Tpl6KkT++kfElEUN8g20QBH4D3nsWOQyXh1qp6BLTCOt0IKBckhyNskXvMkS9f6xJSD6uYDR8gpfSiiduxVMENXsD+aZg0sKhc1tnhY564nzv
mzaK5pK\/mG4HpcEZaoQlPnN9CVVFsxc\/AdJrQTcfRaJiP8\/\/Yg3DwS0RE3P4jvs8+29fssz2Vycvc4CcLnL6CYBjQV+ee549uL3GVp1M5HV3WkcafyAbynhL22G3n+0pOA92LLDWaPxdPw5GuPkVaJx0v0qoyE9b4AZ\/f7JyiBWPsZeIMB4ss18qfbar1+hhPvrhcG72WrRn1MOHBG\/UEQi0IsO4yKvwqiblXD9HjT\/0dhqt\/RFTAwug67Fa0M1R4Gf6vwbZT92OzvcYVJR3zAK+LRbdOlVy90zr3DQGbvb"}
02305{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":160,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":102,"flow_packet_id":3,"flow_last_seen":1621501261682,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1621501261682,"pkt":"AAAAAAAAAAQAcbmbCABFAAViVOJAAH4RQ+GfdbB8z3k\/XPqGAbsFTv9fx\/8AAB0IqwzBH+7SJ6oAAEU0U9sthnA8M57fkNsMeJ2EE1SHED6gJhbQN4BfQJOO1PjffFq3gtFk4IyP8Wth3mraFF35AS\/mCSP5GPdO\/bY3uB7Y7VeiLUEY9IS2dFIrYZfbf9ZQsemW2z0+VCxvN2Db9C7578kBNAZHcZiUcQFU7QlwuGC4nwNjsiuK0SteLVHFM0d8O27xz2JpZUPDhtvrtHPERZTudFi1Sej11OjXXeMujoumIvT2OYdCj+X0NfUPlwu9sFCLpzinhlfbOthWMWB8q\/9N\/OyqjEr4qbDQGFnM\/Hr8eJUBkqVZluSAYj1Ywh29XdTMOcq5AUfmyV1X0sTrgeDtnbqi3godsTwx1QbwhKBj2dWTyYyHTDajH+2UBid1GebdhLGSjjnKxxAaaw6EFgQmpu7koEqoPObHp5kFU7wjAY8mggUyFBVjUIfNBYhWssGwyT5Z\/r5OGZuX1rx6tRJJm6gIeL60FE9LVHmgWUsYaHuVYpkqJgZrs8PzckQh0niaraVIhLPsP0c2zyZ8p6k39xAgrRwfx\/Zh9nPNn3qSfxXEzLRxlRYWUsplPXqYbIcReCdkDC\/N5gL1eP\/jiLz6QU52SRtg8taUEPRtc88DYo2jurpisQQ15KiRpuliwmtrhW0HqBvzdAZZarXSjJIjkWxLUUFMahlxZEceLNdSqe7MdK1UkaKw83287xEiaSEO7eTUM+\/wBRhGZf\/1DB70GE\/ULxXMbdJn9jltiavDAQNSyczf2+nbYlnG1N6O1TcuG42rxaHRd6KknCvWSCrAhQM\/VqLCDk0bY2mxWybhrjoGc0JuiCMFsYr+5pV5QRoX4Lq+e9gqBFnp3Uaem1xfnlWZMvZVrfurPDH1T3I4Dx8IroHaQ2Bo5DvKOdsiFkfzx2DBIq6SjpXaCsVzWBgmVAE9DRo2pY+eROHEOdfo8\/FBuCZXhbIlRq1heZJwhsmlY+7e2qNgtpC5DaW7zKw1HKVB0RPYT7VRcRTNl2g+fmbYvt3YQzNlorcN9OrbGF4EZ32C93f4\/HUQOVFV2yInR8hfRvuHsywq5N9zdnMDFx4UtoGC5\/JPOmqIglqIM9o0AUrBq4GdLXhfYvcFRKKHwZ7TRsYLwmoMgHWy8jwfHZhK1htPPyCu\/l8XN40QZGFptNt7D40U7OSwWUN1+psHOjRZWv6ST7CMmleHqyEPl1KLs2mifOpHcy+gSFbFBD6LLuLlmcGxRtETjrnZ7+bSuE+Zt8ruZaaGcSfNYzrqd1zOq56HYPd6nlE\/mmgkW8AFD4HgObgvdcHAI+BQl2HO3lTApnJPdlU4\/6LGlTjc\/Xy6ZatrCgtI9vY0+cPbiLZUSCI0nkM8mmbA2A5MknAZe\/w1hAi0GLW9UoOUSrCzacIaeo9N2SakmRlQF7OxrccNFQQ\/UxrBENXiSn8dd3pbynfOPUKA8bLUE0Fha7t882zmf3D2IV8UDrWHqT2rFiv6k3POzwJo9CVhS
ImVzpyIro243Q09zk2kOJxu0gB1BHDvYJrVOYEpZLmGM4H5HwzOJAsaUidoe7\/oRQyD8W5INMmeQBEWvyryJW11xgcq+r4ORSm2VIuTghtDpCYCC2hC9f+Dlxwu8h6CMW3kWH65itA1vwPXB6v+afYS01KWtxgI6eW\/NRjdMoX0SXGogIM7OSPQVVfkk4D2+dJAm44\/U0Vl4ZMoY08TeAfdXHgiERB0dXg4yr7L237fx9MyFJtNMScYo+op6Jjwo90fx4MlC9rlwatwxaF9nbgK0o\/x2ee6fFva6TLmGaGSkDA5"}
02308{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":161,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":103,"flow_packet_id":3,"flow_last_seen":1621501262182,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1621501262182,"pkt":"AAAAAAAAAAQA2OESCABFAAVibTZAAH4R2tg0uxSvypibefAsAbsFThjAy\/8AAB0IZEtuMTNmxFAAAEU0P4kZL2JzcQJCkWJO7BYAvn7jOS\/oPDLLELaAGZjPfdWe+CTrIzdiC9WRX3rH+cQNjCKbZa53WspbrWQ3y9Iddgk3mFf\/\/P8OYcu5S5eZdMR9fbh3X6m7e1P0w349oYB4hiM9IJyVYjIofcoBFkKxh\/5ebxmzh+XjVHAni37hnczZyCzMbpvTaS5Mo2\/ZngECyPdTH4R55wpjirrbqawWK5BXgasVyeycq3PgcjRIEDZMmdGuCfn6Or6mlQ5Oi0gPVZivFAfQTbBQpALI5TF4c0OEuWkV5PvIlcn\/R7+MoVcxfy0r0Gxfy5DTUZSVKcVUqd7yhkU9aooVQ64ePPS85n0Ao6nJaHk4CEcKYTxXKFGTV\/JRmN1fStNbk6PuLzUzSKy7W3AsorHxQi\/LmRhIln15AQZY9aFzjxmdp89pwdjIhQaDCc86JMYVdSIXjTQq8957N1jOVphrIDogsXbfM+ETcmeLbNKqN4fwVd+mT\/89Wjg3KjoISCw7cizx3pwneM1IZWZxw32ejl27XFc+DeXbCTyms0wwx5d4mug4d1+BMTCaWAoTeBSMDXB0j0tkDNHX2xtWAXf8\/UuzEfOvYCbb04iQFTA+2Hyu4GRbvJwOTWHAb6Y\/V0BD9+rx2H6RD7LGvrHh+f8uY0EPosNsFiCs+3i7J7uh6lA7HBXpprFebhJ4nBFU5ogCjUR6v4cQw9N50B8pFKaCLLkzxxoYWvp6aFiNZxcUELv9ZUwZSWCw5u9TxfZdk+lnaGdGEYWUKBNrO4TMaapbDNq4j7Vu95JXokG49C08JF5JMM4\/z45it8ndhYZEyZbzHD2yExEQ\/VN\/mKUwF8ibUn2C67S\/5tn76v1S1e7HnOhXa9tt7ko7BC5wl0mN\/vl7Boa7BeFOH9ChJqMRyakFr8qtdw7Yu8g3vIiwJEWJpLTwekZqiekCkjohBvin+U4rI8Z4iedGc5HpW5HGFoexz0CrVl5wTxzNhI8j0IRw+jVswS8qYTpoGTz3OrlpPStmJil9HnykMux+BL5xXOZ617kkr3QdqqRshG\/RQrR8s6QAYGI71oEFLMM4TOShFAvx7OQRDnnJcVkbGzqXs2GA+ynEHK77vOrqNEjJpn4aKnbZnLLPOZDQS24eO\/QA+vv4uiLfH2hoxa65Oz8gK+JnY4IVu3sZb9w57SJTYpFHSRkiWRXzCJ\/sWWaohJYMR8PWJxuCKDHkDpOYFa4Gqs5Z2wJN\/RR3okXqWJS7yxFbWwGA\/Ux6HYdQ3Ct6YGwLA0DbmZnkDdT8uknz2+RUM8H5unZqgX4DQ6X6XF3z+e9cZs+qvkrBFmI7iTg\/AWeOO4DzvapIASiBIUwtJXKqd88VrnmgGNuzFGO317nsPM\/31UoR27Yt3dsU0KGRIpm65J\/+Rpqv+FCFt3c\/28P38sc1iZpuj4G1ByY3uO9KITABAM93OOoXZVsw4nYNriGxowgXJm4ZpYP
g6mQ2LTkJ1L1uH0ng6enuR+XlH1t3Mdwkm8\/\/s+srKemwScHPxez2jonymTIlyHWEj43rE3SOOstfJJIdIbioCt5eaO4rJ\/ZtzFVP3GREeo2yr+vwPjDBvXv+9IKyIRXu1pKvuEupgzLBzLb+08gepp2KupXz5AcDO7p5JSUs7lVhZLWrwC\/4LgHlJK00\/IeVej+hl6DABvNdRucAzmPdswdQTBDGuRv2XQeZ5xK3vAhBPzvMWU8ulKLrK4WenJ6YSemx045mCE+N3D0BzGu5PxpiypXC1Fu+3yqrqa1cp13uQg0a"}
@@ -533,7 +533,7 @@
02300{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":173,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":109,"flow_packet_id":1,"flow_last_seen":1621516405234,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1621516405234,"pkt":"AAAAAAAAAAEATej1CABFAAViOZ5AAH4Raq6okEAFwUSpZOPvAbsFTiT5x\/8AAB0IzUnHeeUSQdQAAEU03jPmRxAy9OYylQgB73DOlVrCptv7ErpnY22OTRmr4wpzgeK3KwkGuqc0xjcaspxGnr6AdaN2xcChMtA2Y7IUI6FXy98k3lvliYUdwlbegMDaM0s2kOCEH3Q5e1wd\/wXjWcr6N0oOzawFyp9hVXwI7Q0kOSYeJlKwoxbwIoGt7YBZmAiPcan7Bi5oQyWPAWydB90gyIdx0d8HsFpltVW32pTZeG6z2CP9KXzoqL1WsfRBKPQpLg6kv3oYavjTBDOfvbG3i544r1+YdmIOCTSwSyCmI9DGVk8MczSIbJC0RPe4X9d\/gCsVsymdal9TdwxBqTtK7tvHTjEjpE2Tf9zS8Q8Gc5XsubCb6PKWxtWdDuV+ITz8lHNBp53kMGc9znlCSGBJ+oNWkpzQI4G8VgjVItmF+Zywys9D14q0rl8JP2cQboFSCzBrnPL2a2zEjzaiN8\/C2LlW8weYHLtePs7UcOLWgLnvnVwptNummGBctwDMgBNNvBf2oQ2BT3akVv85DLHFo7Mik5zFKo8Hm+zpDV42cxV43jlo01t6MR7pOAu2JhmZ1+Gmh9i4DhIdmnuAVFChlq0EBq1oKQrR4fmUxA2rjS0OXNZUgpLHLlJHctUJX60aeAJebb5ddjnK1JqXBjlvfbOAxFBhwR585AVOc\/N64kRyneM8sM9R6sU9iPp3yIrQOhQ0fDG2w0PRRpVMOhUEH7zw11a2+aNeZLGXC\/6Y0wE1yXsUVHJVJWZCYd86aXC4954s3IHZMqezQRrL1APK0Uj3+9FDgBevGUuM+k\/7d0zQnJ4rTTwqaISHNag4vkTDqKoEyOQwoaqyXKoPHPHUetc\/U1Vqj5HbYafoEp++uRVCALzeb9EokrzQzuCDkwwF8fL5EJSue04WpPsmcpNQzG8CgHMNpnU5AEbkeVy\/Tm60yzyRqb5aB2QQGaHn7nU734znkp6LBO+x8dI+\/uS4XkpdHKVM+kYZtiYdPByeui07cdpE8sH7XxtZdaodU1va3LT6DdZOGuWd3tIpMbwiom5ZO+c\/sxrsYNosVZXax\/HOCVpOj9VoxFKdAe7TnQA3BtohBLmAQi8Ky9PiOLlrtiEWSg9vuNLm8rQjNzi0+N0HK+xINajobf3jP8DLsPNa3nLBja1BI0rYBIU3yqIKQ8Dl32xsc063rGPnZ+4xKu9Myfb2s3u3GI3oGkrhwU\/1sQwXPwuGtN7SwiZALjqLgHgfC\/8El\/VnwzeViayYEnclukedsZZq1ZR3YWbmiKeCCwlk9jmv2WHZEh8jZQ02nH\/6uAirsc4PzXtVqbEdP3Uf\/51U+sQ2p6kyPgxPJ0dJiulfpzegAk1g9URlFtj1Prm9nXN52Avs85Ku6PnWn2K5Oit6t5szIh7CpXNXZ\/r7lQTCzx1x4hjw2bMC4\/V4zZV4WAYezFgThubuHBYUA88rT2uj7dCArSt2N45qbwc4Mgwud71EluROJDlek42tV+
tCsyiaMJdhkWkSEEHDQPlPnH1ij3N1iW3QwoTcs+h7cVopFBb+GUTNIJl1Qk9qCEm5UYTfWF6aVd987Lzl3tTyv5D0h+cV+Wv94Y6Bu\/GmojJU611wdu67nR\/gcxGb0oSe62fODz9zWZV7kmDKM8ibcM\/HbDPHzMlg3XQsDk+2kA7o3GGvnoL0ABy\/WVJWStRZAa5xIrmxaZRdp8pG0k8n7D0+KdVj++U2WeulgSlFklaHDSc62eMMQsSdHdlV62KC3i0iGJUMvejrPxkl+j6oLKhMF1+skGbQ5aFITVGA"}
00647{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":173,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":109,"flow_packets_processed":1,"flow_first_seen":1621516405234,"flow_last_seen":1621516405234,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1621516405234,"l3_proto":"ip4","src_ip":"168.144.64.5","dst_ip":"193.68.169.100","src_port":58351,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC","breed":"Acceptable","category":"Web"},"quic": {}}
02295{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":174,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":109,"flow_packet_id":2,"flow_last_seen":1621516405310,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1621516405310,"pkt":"AAAAAAAAAAEATej1CABFAAViOaNAAH4RaqmokEAFwUSpZOPvAbsFTs7oyv8AAB0IzUnHeeUSQdQAAEU0YnBQC8L89wEgTmmr7BjHFODkqhpFJVx7yJAYrFg6afkiF3jCqd3RVPDW00NRXnMgjonKH81Ileorn5KxvS5+yQJRAfjCUHJ24j9a3WWl0AFqEbkF0TWWqMTP\/2idN+3yLS6puV95VhaYgqHrCvwkD4lAh7BWrsu31e\/HDOBztqIAj1XIxQN5nk4xsMisv2NZkICaS+1Cze8naUXXyoJiwMgIqBi5y8cABXF6JlVU6OWprkzVRIYKgbzPUVlJaith2PL9DAVy2TL8feQIj3EkaywH0gUPZYTZigDwJE1mDupdge9S6g+LSrQwDNdm8DmnC39N8zuv8VkX39gnJjPPIqLqt8YcZBaksYIxo+UVtdEoMWKD2dTTAbqL3muQp2Ja7H8Ae7XPH8EhKuwd7Kj3JTpB13ljCjHYeyiv5t8QcUXs+\/fTX+iNUrbYp27UUsB5CR6dNjgUgwn+qI9Kd2TVTpJFA+nvmNxH9t5xpLsEajZKGz0zBOH+ePQwjH4k6LiuIOgTcn56cc2K1OQr8g6DG6GL3qoUWI2dlMl0vWT7aDPYShopw41gzuRGjFELxdiX0M0b7As\/7rFy3G1wt+nR8GFD6BSLRMcYNH8HNXRu0MQO53XF18R+1YeIMH6X3b3CZuFq3Xfa2QILxODzwdrxgCNv+FS4NubkKVmTPXQe+uIgvq1qlryrWj\/xlUbBxH9IDjnd7Q4EC0wXt9aAeFTNi4El0ZGUFtEehFfXIXvGMKzGNTezfNJc+vD4F1uOWnnlAxd\/WNW79xPmd8oVDAkAoVRbYCE9wA05lkg9NHNsSNZQ4ZrHcfUP3vf64MKK+pkwlt\/1KIFbaqjllgaHwuNOpxQyFKZGOQ4mRm7MxKALa4\/fjze0Xdw0la4zY+K2Z6UBx0Bbe33vd2rVATAwh3fRljk25dM6tgVCsvKusLkEvU9VmPywN52CzB84wZBRt5xcE29SdbS99xZjGg98qXqdNlTjjAt8yu4XiAjezSVKKaQD3XaLeqSlZUs2O+44zB3zNNhhO5e5eFJ7vU6rWJlnEoMb5o7Dpqgg5GZm09GTgXY6uCnh4ZTxl96ofiZvX7ChhymeUh74eA1f1x3k5LEP7B+VvfkqNzqwQdVy+JB7y82M7PRA6h\/ZiXREpEY5E7rUhHhHzsCHTcFbeJCcw1KDmA\/8lN\/ad5x9wDVKuns1EoyFDZ39IMuXsGoV5K49EtAXhlRXfF2+Q4uYSZtKRw+dUt75YzrYSQ29ZHDGQClAhl8wOBfpzHpggjQ+gFIEYw0xq4417mXTvRAsHPlxM8bRQ8PcXIpBD1+\/T32bKmOrmzAVOK\/uM2XxkngmepayHjfPWCQlEhv1MTTUXO5FOHEIKK7YeWXB+45P5Jdn5DUTLIpWlu36Orwifl8JevozrwmxoIG1Zmf2m08oeXHqRUDXmNzjkDF8iRRGAJYOtcDtsPuCEzBA8dRTgS0HKprk4UBlCXOdnUl0o\/G
H1EJbFeV6skk5xrmue7uPiLAyEVcPX3pmiAAOX53KWWhMQls04leVWEcDeyAFwvaITqnSDWVveqnmXMRxLOFZt1iaMGSJOlk+UqoJqz6OkW7fNx\/lAaehebe7Eqav3QkkugEaA1AnUOpe9DMxV3jHzO0ZsRV9G3EYn8EZ\/3pjUJ7Wdzgs2pUQKiy\/\/eGQsIQ+E9g46xeFn8UPrN8eiX3DgHzFdvQqN7n6GdAWkhJ2Tw7Bq6m8tC3wcytkE68x8FsP0lQnhvRc9Pi1wMCcL9Y5E9amIXbruhOYiuKw"}
-00889{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":174,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":109,"flow_packets_processed":2,"flow_first_seen":1621516405234,"flow_last_seen":1621516405310,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":2700,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1621516405310,"l3_proto":"ip4","src_ip":"168.144.64.5","dst_ip":"193.68.169.100","src_port":58351,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC.Google","breed":"Tracker\/Ads","category":"Web"},"quic": {"client_requested_server_name":"www.gstatic.com","user_agent":"dev Chrome\/92.0.4503.3 Windows NT 6.1; Win64; x64","version":"TLSv1.3","alpn":"h3-29","ja3":"169051af8572ac08ea1ddeee0db208bc","tls_supported_versions":"TLSv1.3"}}
+00887{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":174,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":109,"flow_packets_processed":2,"flow_first_seen":1621516405234,"flow_last_seen":1621516405310,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":2700,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1621516405310,"l3_proto":"ip4","src_ip":"168.144.64.5","dst_ip":"193.68.169.100","src_port":58351,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC.Google","breed":"Acceptable","category":"Web"},"quic": {"client_requested_server_name":"www.gstatic.com","user_agent":"dev Chrome\/92.0.4503.3 Windows NT 6.1; Win64; x64","version":"TLSv1.3","alpn":"h3-29","ja3":"169051af8572ac08ea1ddeee0db208bc","tls_supported_versions":"TLSv1.3"}}
02303{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":175,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":109,"flow_packet_id":3,"flow_last_seen":1621516405464,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1621516405464,"pkt":"AAAAAAAAAAEATej1CABFAAViOaxAAH4RaqCokEAFwUSpZOPvAbsFThhFwP8AAB0IzUnHeeUSQdQAAEU0f14nS2wsq94otcbsx9Ja6N4Gglxg3u9DN5aawqtRKVNC4Pc2eIsI1t2bGSVlKf0XWigbLFgVoquYysOzgfEuJL\/MeSu45JN0vCO\/piH8bKThjLOmClUk1DH3WZNkFkEuaa0+lysZpqiBVvoWBmVXL7ELlhz6YnN18zze0\/2yDF90B6el4fx\/mt0wpW0qVA1R3rpNHACrqE8RyK6pVoPq3imcpEoLb3yO7yzrRrQA3ViWb4CcRSIQKKKvWiiBsQX5n0+0thXLMnu8ftL8SuxBDfepRmuDXajiiY60A0Ci0Vc1tK667yMn9eaC6rHTNh8nYovYhgNBYmIAwvsQCVPuw3uv7zcZj7QuzsQ+GoW7Ofo+0HVPqQPw3Fcv1w6\/sFDHM8ZQdgy\/TI9Xw4zrv10NHy01l+JQvzxLdL\/Mei6EzaqwXfOyDTaHClmTcUbiuXBRX2Vf7Bmroal1PmgVVCAi8AUTkagzmJDy6vDj2SKbbL\/ReTgBtoJf9YG9\/p5Hob\/OMMIyWWppTPBk2+0f1VYPZWnbqV9qBkb6EhNQ+49gd87e+9YYhhx1IWTlW9NLOLBaYwQFgXd9bbWWfmi29OGPyG3EG8nQHPU1eOA30M0hAL1iFzuLQ3C1KXPfegclGVZOp1CvUfjShhvg8c1OTN5s7Ps6ZLZZlgyBt9X6JmRDmehOI4NTymHV5ZtQR2lVl2TcptleL6k53AnKbBYD6fZ1m7Qm7wPSMZDBJsGDW2W75tps0sDwHgF2FlcJxcVSumnK5OY0dgyq\/v+QuVFHSKHpcM0iQXjJ9BYDELQJZka6TvX0wkBv\/HQW+INffppmt4qy4pX8Jnbh3Ni1t3tDnQ\/7fweO\/+RdKUkMiQ2HCjJPyE0ETTcZK654vByA7SxI0bxGOyrV39JtcFOkThujeZSYhhZM23Dz4XEH9y6JuKs63RrvY0IkUQVSK6GA0tRTMG3mwmAob\/hfPnlVRnA2pVbvTMeZUlWCHFzts0AL9+PXmCSER\/XfzrXwjfrJuvzm+7T\/lFRR+d\/i0xl2X0IkHFkuV9wydT+v0RqXfar5ItGT\/sh5mrWNveBVdVlQJkyY8DBePhN4ArItPiFG+htl6KN6q7WQdvLajCgHRaRtH4GQxWZtZmB1Fg3DZcxEek8e2BMmaOPY8gBgng9q608TDXo9Pt5mxnWStws0YA06UTqWaNh1x2Une7VSFk8tH41qCiAI\/n2bLjiAoqnpJB\/cQvnfvFuY74Da9t\/5SFaJC4LXt0ZQIRJhn8fMIsa+pDVIU+8qnOzaJqQU5AktC9HbX1ISQRPrusR+iRsZxLKNNS5lj2e3YvJYsOdA4xy3eH3PevVRBgLucZfc8W1Sg+7crP5FPF+V1oksLUAomnQAM+uLnpl7jWA5eWJfsqJT8r5wB\/HXm64IPwfS6kzQmr04rkzCSj4t9jKRGjOo1Cs0M2KVTyz5diNk8DfzKuTIVdn5aJBg\/
JHs6Tfr60kgcyC4b4P7qkvjih7e9lIaD1s7QzKhQlA9RuZPuSNUkJNf9zFhAHrlKpelaHjuvOMD7bCvtJ13MWT53xGxxb3Tn2yae9wN5yrxBUdBvqKCc9sg8zRym9VCJUCAOFTs3LmsHQjtM74VOXrdEbkzWhp3f7mXZ2mms9zJ9eH6fhPzVnmEuOhWdc4vKs4t+Uni9Rz2QUxiNfcPb0AlKfZGRFS5DchrAfVT1vo9USbhMF3YNpBh\/huOyVHNzkm1++SOaPkTBO1wZlmVb\/GUDFQCUtbTRtKz5EY5n6osCa5b"}
00604{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":176,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":110,"flow_packets_processed":1,"flow_first_seen":1621516418037,"flow_last_seen":1621516418037,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1621516418037,"l3_proto":"ip4","src_ip":"168.144.64.5","dst_ip":"7.71.118.27","src_port":57319,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
02309{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":176,"source":"quic_frags_ch_out_of_order_same_packet_craziness.pcapng","alias":"nDPId-test","flow_id":110,"flow_packet_id":1,"flow_last_seen":1621516418037,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1621516418037,"pkt":"AAAAAAAAAAEAYl3ZCABFAAViOjNAAH4RV2CokEAFB0d2G9\/nAbsFTh7BwP8AAB0IqOC6BJZvV6IAAEU0Dvi2qrd23QDxGu2B7vaN4MOlDBtGvpoN5pHp26m14lzRY20peRtUuQ9ptItsXATUG7EiTr9GCdRPLOQETwFtC6RhGNIdLTwnsdX1wtpxLn88sqordHPzeZRfgg7Si\/hIcgk2r6jQqYTKPyb2EXPMZun\/DZnzAKBT4U0s6IkU9DCx\/nVZgKb8ZQ0clSgRRcfwhUHErM8eTU8YJIOg18cKJLd06pcQOIJG7NWuFWxlP8hu\/nN0AYaI66fR8yko7HlWLvum1JaYm6FYnzxA32PBj5oh\/7LgHk9DvkAOButBFcUmyPrB4mG5I1fazNr3nwyskcAAwio84ahFtiK2AWGqstVtlbFkBz5vU1GgAY\/jFxeFFhQU9bkVT2J83JetFccigg0SDPuD5n+d+pF1ktpVFhfg9Pf7M1yVpEd2pTwggR6\/RMwbUXsIy6V\/3Zdy235MvBR99y9lqd30EtEWQFDwQx1rFv7OgXmz1sC52olWXTPJJtqeru5YJ4y1QXdwzngLTKdWwkivONoSni7YFaQywfkoSfUUq9yPIHkBPfRgLZjtRnJvNRzSUdIVLK+82oMRpqWSDyuehe79xRqTV3emacrIoUpKNe4ES0rwwIIxuczcriuAc\/oh36BCnJTnMLsUHOv35tL0tIW69QW2mqLxjVxs\/sB2ZTY81BvXCGKlb2GWWEZboz4kvNje42VnawDq2ARmXLjmZvqx5KpuiDDLCrFuudk1KPohXg8MYwloe1Z5ljen+Kflp\/0GhTarwpApPLhqD4dC0YGPGUPWy0M3SdsjYAYnO0ufi0JY1lS9wKfFr3M11xtfXz4eInUnYb5wKqBRyjzjYcDgMIhrig+xpGm3NO62u1F2ixUHh\/2sre7Dp47yLp70MwKIP+adl\/aS+nE3ZwouBFKcqjSAsPBSGZchE52M44ofrHvjCdZygdjpUAxYA3pbEVs8jkZwgMgJXo11MS4xaeJGvyTRcdWxgO7Z6GiCANH9t3fYZEhYzw2EjE5ykKJRHZRafzyzvQldpdzPPsPIEmtpkI3mtt2v+1cYj4DnaZTXJEzplScTixfIquKqwVCom+EBWD3psfkqjfjfGGAzGt5GoJ\/n556S51FLopQS5Sp3W5C+2M5ojItue3RQCrCTIS76Pfo66q4GsAOSUZ7\/hMt\/XWeMLHxlw2ixjPGWceCE+ADtTZrMdCOe\/3\/KfNqayz9c7lfFveFHD4SoBgMlybRWMCo89EVr9\/e9bgIvQH\/2HIKL\/1AnrBTYWGwjYvXcCZMo2XZ48Bf4TAHJOLQ27twcS66XbobssW7dEGTHzsxM2cbXA7Mt66nR8kV7FnqvM3Uw37ERNKYGRDJpbb0E5DL0AIoUX6jOOuHNgnhFdj03d8npRdhJrYtWfh1KUyehyWQPyGItDjRZyrH\/YzmHmQlGRGfRB2IOJPpW0Awf8t3u7i7GhjjxzZWH9y\/5\/UIGZyFN5xYeSW1R
jHpBsgozg4u5tX+KFm7iqwM265C9T5IiUFRDJ7Y7z+ArBTMIKqef2Q0Utflwho4O5OPtNfbJpYHIlEDdM\/bpqXNeLkZvsI55ncrNB0jXRjS9R\/pqCZ1F8bfNDlgCa23mWVU\/e5BsYcM6YG+DEAJXDSOtIC6Sp\/ZcQNS4oqLP9h8MI0zXLT58ZIPXRXVMDFrxMhBGx\/6yOIu\/74H\/Y3fHvm7xBKcdhdXm+aB2FiySmLOWsjvBXvSzYQ3UF0qKHH+MtZqFhGOCJk+EykBVABGv1Auw7saDcOGWE1z6rr+udwYUhMrL"}
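Review bot: The expected `detection-update` event for flow 109 (`QUIC.Google`, SNI `www.gstatic.com`) now carries `"breed":"Acceptable"` where it previously carried `"breed":"Tracker\/Ads"`, and nothing in this hunk explains the change. Consumers that filter or alert on `breed` would stop matching this flow without any error. The change presumably comes from the libnDPI submodule update listed in the diffstat rather than from nDPId itself, which should be confirmed. If it is intended, the commit description should state the breed reclassification so downstream rule authors can adjust.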
@@ -563,9 +563,9 @@
~~ total active/idle flows...: 113/113
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 3563053 bytes
-~~ total memory freed........: 3563053 bytes
-~~ total allocations/frees...: 37771/37771
+~~ total memory allocated....: 6177880 bytes
+~~ total memory freed........: 6177880 bytes
+~~ total allocations/frees...: 101967/101967
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 206 chars
~~ json string max len.......: 2321 chars
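Review bot: The summary for this capture goes from `37771/37771` to `101967/101967` allocations/frees and from 3563053 to 6177880 bytes, while the context line still shows 113/113 flows. Allocated and freed totals still match, so the figures do not indicate a leak, but per-flow allocation cost has risen by roughly 1.7x in bytes and 2.7x in calls. For a daemon that parses untrusted traffic, that reduces headroom under flow-table pressure. Confirm the increase is an expected effect of the library update (presumably the libnDPI bump in the diffstat) and record it in the commit description, so this expected-output change is not approved as noise.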
diff --git a/test/results/quic_interop_V.pcapng.out b/test/results/quic_interop_V.pcapng.out
index bd7f280e4..ef15bedc4 100644
--- a/test/results/quic_interop_V.pcapng.out
+++ b/test/results/quic_interop_V.pcapng.out
@@ -22,16 +22,16 @@
00839{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":7,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":7,"flow_packets_processed":1,"flow_first_seen":1603816434519,"flow_last_seen":1603816434519,"flow_idle_time":180000,"flow_min_l4_payload_len":1232,"flow_max_l4_payload_len":1232,"flow_tot_l4_payload_len":1232,"flow_avg_l4_payload_len":1232,"midstream":0,"ts_msec":1603816434519,"l3_proto":"ip6","src_ip":"2001:b07:ac9:d5ae:a4d3:fe47:691e:807d","dst_ip":"2001:bc8:47a4:1c25::1","src_port":60346,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC","breed":"Acceptable","category":"Web"},"quic": {"client_requested_server_name":"h3.stammw.eu","version":"TLSv1.3","alpn":"hq-30,h3-30,hq-29,h3-29,hq-28,h3-28,hq-27,h3-27","ja3":"7d9e7f6dec1cb1dd8b79d72b1366b6cf","tls_supported_versions":"TLSv1.3"}}
00570{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":8,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":8,"flow_packets_processed":1,"flow_first_seen":1603816434523,"flow_last_seen":1603816434523,"flow_idle_time":180000,"flow_min_l4_payload_len":1252,"flow_max_l4_payload_len":1252,"flow_tot_l4_payload_len":1252,"flow_avg_l4_payload_len":1252,"midstream":0,"ts_msec":1603816434523,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"40.112.191.60","src_port":46576,"dst_port":4433,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
02142{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":8,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":8,"flow_packet_id":1,"flow_last_seen":1603816434523,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1294,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1294,"pkt_l4_len":1260,"ts_msec":1603816434523,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAUASTxAAEARQtzAqAGAKHC\/PLXwEVEE7Eu5ywoKCgoIUh1YuhDqcyAAAETShcZ7U61m3r3pKDSZMAlRkEkMX8IBatc2KSsG3VEj0lAsPYd+5xEo7F0R6rRII91EQq3kY6fRBVYjgUzkelUep6PIw4v1uOUHWVWj9\/CBoCuFmh0QBFTlwFV3ajZYJtEVj\/UMbkT8ggH6NbKSJV7\/7XCOY6sOXc7KO1y3bpcq5D78RQTF3QAnMEYSTjEkBHANDD5W9AIyB1dmHqwExvOJV7YrCF0Wz7pCUTi8XP9KFNvgkhOSPVQjF1KeCLRKAL3ZHtPolipZhKCqRtuCyeyoz\/WKMUWuH2pOJ\/WCN+fIaYqYSu2\/Uw9h6SGQoS6DN0anGtpDnUD0GFob1uYgJfvGsEIlEF4ovhbxwTVp7mrf8Jn1RwQU6cEaGVAGxcwFRF59HEd7DfQ2HqiN6ygOPpQYa4cx7qpW5pucG8spbD1\/cWsvhbhGqD8WXrUrT5FX8eR51cu5\/rSEZZ0hJlrQrcyu1Jo+wtEU248WCYzmcFDU3KkwLTXrWInL3I4\/3lLpKWAzyz04l7KeGoqcwCeKKQ6p1uyWxpMWebh\/pAeZzwZIk8uY57nKlrPOmivZENHW9oA7\/VrJHghXWWSPNWv94zdJtPbS4kaRkkyKA6YWscg88+FeMvb1pCnByg\/FBd8Mkh8FAhvUPdRBKBqvfa6hdS6kOEBzLUDEht1P\/hkx2oxe0tO1cCFKrfKPAgjP7fDs+HjYwYUjQcQs0Lrfeiezhk68WlVN7f3ydw4AyGklyENZMzjbp2KCDTQJw+bwFV8oeqGfVQRe12vWjCN19ZIAet6\/7N00iAsSHL0OYmwIy5kEm9ia7W54BjwDLqYTIVS2lLjOBW8eRTghxgSgQxvjGDeszyBcMdQvXcIFvNEPXDZvspUbePIw91S9T7A3jCp65i7X4r+fn3M7N5F7j58fappJzU95USbFKUMdxds5siewsczbT\/MrC2OkG0+JuLsutjVwruC3oxgf0F68j+vl1Wm0rJIMkpipHqVvhcHhV+OWaqezJa4AMHRf7fdSrYwPxKtdQTJG3\/g7anjqxa6WSX99h5LjVhbxHDD361DVddXanfGMVBhF7hsyy9ONqBFaE0X3vq+HEhBWkG9LtGG68wwwE5NwZds\/5HESH+ia5Ow\/sbVAD5094mw+zs9a70KyvM0z2kZ8P5B1wNaZ7JZ67KSZOdP\/DCz7bP9r0i+DKzjU4mo1fhcDYTbnyYL09iH+yrFC4uLIRq1vlDgFJ2X2xDITqMN6kx\/ZziHpUw0+tusqXNSXNMQMFKUZKnReB3GpZaA4xILTO73fVG7kLqQ2j9Pfhgr0XjkpujIdWgbDJPwVi0egmLmvkiBx2oWjN0pYUqFfvKMLMSROetLN33mIJ7WaM6DIBHm0ZoNLBntXqK2QERM+5VXgRG\/zKfBTkTfngbP7Dw38e4JcE1olS6CghzCOQzrj\/EPi9cO\/THKUsaoFe7VwubEl6zVajKWO\/ftqXQDEtcPyWqS1x9VkXgf+5HCH6y4ZfXz8j0oj\/gEl
iPbSFZd61V\/W+k+69wJ4Ve8CztvjyEeitwZuhoIUutC7Co\/agYewJuOHM9M9SEui8BMgVWEjqOMxUGgxy\/aNH+S0wwqZxbtmcgxtt\/+dU8H1VYtjo5PU7ihOGqkqbFa6tDbR7MCwkw=="}
-00863{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":8,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":8,"flow_packets_processed":1,"flow_first_seen":1603816434523,"flow_last_seen":1603816434523,"flow_idle_time":180000,"flow_min_l4_payload_len":1252,"flow_max_l4_payload_len":1252,"flow_tot_l4_payload_len":1252,"flow_avg_l4_payload_len":1252,"midstream":0,"ts_msec":1603816434523,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"40.112.191.60","src_port":46576,"dst_port":4433,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"QUIC","breed":"Acceptable","category":"Web"},"quic": {"client_requested_server_name":"f5quic.com","version":"TLSv1.3","alpn":"hq-30,h3-30,hq-29,h3-29,hq-28,h3-28,hq-27,h3-27","ja3":"7d9e7f6dec1cb1dd8b79d72b1366b6cf","tls_supported_versions":"TLSv1.3"}}
+00871{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":8,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":8,"flow_packets_processed":1,"flow_first_seen":1603816434523,"flow_last_seen":1603816434523,"flow_idle_time":180000,"flow_min_l4_payload_len":1252,"flow_max_l4_payload_len":1252,"flow_tot_l4_payload_len":1252,"flow_avg_l4_payload_len":1252,"midstream":0,"ts_msec":1603816434523,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"40.112.191.60","src_port":46576,"dst_port":4433,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"QUIC.Azure","breed":"Acceptable","category":"Cloud"},"quic": {"client_requested_server_name":"f5quic.com","version":"TLSv1.3","alpn":"hq-30,h3-30,hq-29,h3-29,hq-28,h3-28,hq-27,h3-27","ja3":"7d9e7f6dec1cb1dd8b79d72b1366b6cf","tls_supported_versions":"TLSv1.3"}}
00569{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":9,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":9,"flow_packets_processed":1,"flow_first_seen":1603816434524,"flow_last_seen":1603816434524,"flow_idle_time":180000,"flow_min_l4_payload_len":1252,"flow_max_l4_payload_len":1252,"flow_tot_l4_payload_len":1252,"flow_avg_l4_payload_len":1252,"midstream":0,"ts_msec":1603816434524,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"40.112.191.60","src_port":46334,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
02136{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":9,"flow_packet_id":1,"flow_last_seen":1603816434524,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1294,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1294,"pkt_l4_len":1260,"ts_msec":1603816434524,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAUAgmJAAEARCbbAqAGAKHC\/PLT+AbsE7KwIwQoKCgoIe34skUb\/aLsAAETSb8uSUd6EB7gNq4gf6KDxkhY+y87q3CLci6x1EsNvv80WGJPIpKwhzC8+vg4NXuO4unafv2NMJkJjRI6OL98YRtdvYGXB+F3JwCowCuwGqw6jTxikMXRPpRCAgRKO5X\/KxcEwJRdTBT2rlOzU+hO0yWkEtT4rCwTG1V9X6PEAkb8zWYSIsTTFWdbuo8+Hsr3EHPqfyeXbsSzOoMiqiG28CC1UB7fjZJ0W3T0asAlOYWGl8MIKuqHYSMDCaz5\/KR7GxLTjjCeuvA71YVTfkU0Gf1f4xW0HKl3ycj89fZPIImHw1dOmlLMZdNJPHN3oMEV1WzgH15lz2HPaXv7a5Th+I9CCo7LropS0BbFADYctmnMsqGggv3K7uKbyNnulVBXm7b\/tIGeDPKbxhMVyVFX\/OFstaFoYOfWt41Qv0Uz+5xguURoeuY7TUkuJQ2TlXG1IxX6EbnM98toW72ernv2vm8GcA06P94MCodt6GnFnJdalXwd3Z0Zgu8r3434Yhg444uk2HEryaQG3hHsq9RRP13JfK3yZ+q3HWXP97pXxl06amatIARReotx2af2MAxWD4J\/9LErkYyTqlEr6EnBC+7r1cV9IP3w6nfwYEb0VMSsQMzOKiqBofCNQtvNgMmkH5GMWZlDP0T3k9d+0l3FMevNqVwb+iznRosmDKbOnAOsNl2nNjXZYQXWhQqAThjmx79k1nVXVH\/HuAezLxegqma45cG67rPyGRqN3q1h5El6PYgtdZyE5yz+oVR6XOIkyz168X\/Rv7t73N+i0n+IFHPvHuQ+EK3e1BGUIifpyEElK5RsbL4HGjtaWcevK45MDQ3axvbDUEW\/w2lJrfPlXa\/XZ94sTcZvgd9dy1K9MAJdUT1E0ufvAhjda4LLkNYkdVZjhePaG\/OIP0+\/2yjL6i\/866d9NM8o49WaX\/O9Pd296qB4TZaRNaKuBx+CTsP+biUuW\/9YibPEOQBdFkjBprbbH1nXMOpEF6QqyTSSWy1mOqWI7NTc8ioxMC\/07KPAh6S5NvmgDw9rb7lm4u9afeFEO\/2Y2F04NKOOTYQjedcDqmY1izosf6wgBTRlHezP6uNhrQcmJzYaSn3Fg99mguDGzeymhTX46iCjpPSI\/wUScS13iOhxccWK+52NCIsSS1ArhMq7x5GIHJngmyLap8JYRZLzZek50uDc+cvlWv5aWpLq4oeFbzb2UpThvb0S8TbvXwHNE0GcN9NQ47Cz0xMuSlHF7VEKoW\/ldk\/T1mzEivHu6X4HhGg8NuDcJj6aZIVaJae1NxSt5gLl8MTFDp8u0m2DXTpjwFCV3AX\/hN8OLAAu3WZ+A6sHLc1Laby2OYoClrb6PAbfK8O93b7DnY1GdxskJ1zN2DGmXMfzpZYEvO6KwGvo9tWt5MopqXQ2LZWUoyLrLoGDkaMoRzTKI\/QFULy6GKZQuGdZK8BHoqiDwJoTG\/iTyF1KYSQbibwt0sOyty8uw9tMbzTSnr+UrS3c6KjbJG3GNT+Hel2
hrgKBCTL1FLUatdsWvxb3xr1uQGvayWgC4e8BQxZ9J4DVcI4Jl9RFSGru0ncBQHVlkznYPLGR5hwEuTrIrbhESI0fIBtr8gRxzc5NuTahe+uchbMgzGi7qkmDsOQtGYpMw30QbIQ=="}
-00805{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":9,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":9,"flow_packets_processed":1,"flow_first_seen":1603816434524,"flow_last_seen":1603816434524,"flow_idle_time":180000,"flow_min_l4_payload_len":1252,"flow_max_l4_payload_len":1252,"flow_tot_l4_payload_len":1252,"flow_avg_l4_payload_len":1252,"midstream":0,"ts_msec":1603816434524,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"40.112.191.60","src_port":46334,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC","breed":"Acceptable","category":"Web"},"quic": {"client_requested_server_name":"f5quic.com","version":"TLSv1.3","alpn":"hq-30,h3-30,hq-29,h3-29,hq-28,h3-28,hq-27,h3-27","ja3":"7d9e7f6dec1cb1dd8b79d72b1366b6cf","tls_supported_versions":"TLSv1.3"}}
+00813{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":9,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":9,"flow_packets_processed":1,"flow_first_seen":1603816434524,"flow_last_seen":1603816434524,"flow_idle_time":180000,"flow_min_l4_payload_len":1252,"flow_max_l4_payload_len":1252,"flow_tot_l4_payload_len":1252,"flow_avg_l4_payload_len":1252,"midstream":0,"ts_msec":1603816434524,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"40.112.191.60","src_port":46334,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC.Azure","breed":"Acceptable","category":"Cloud"},"quic": {"client_requested_server_name":"f5quic.com","version":"TLSv1.3","alpn":"hq-30,h3-30,hq-29,h3-29,hq-28,h3-28,hq-27,h3-27","ja3":"7d9e7f6dec1cb1dd8b79d72b1366b6cf","tls_supported_versions":"TLSv1.3"}}
00573{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":10,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":10,"flow_packets_processed":1,"flow_first_seen":1603816434528,"flow_last_seen":1603816434528,"flow_idle_time":180000,"flow_min_l4_payload_len":1252,"flow_max_l4_payload_len":1252,"flow_tot_l4_payload_len":1252,"flow_avg_l4_payload_len":1252,"midstream":0,"ts_msec":1603816434528,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"202.238.220.92","src_port":38366,"dst_port":4433,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
02128{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":10,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":10,"flow_packet_id":1,"flow_last_seen":1603816434528,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1294,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1294,"pkt_l4_len":1260,"ts_msec":1603816434528,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAUA5QJAAEAR53bAqAGAyu7cXJXeEVEE7LxswgoKCgoIN5KvB9nft6kAAETSHGVijjeaIj19wFPg1eU29TK6pHOMAuBm7PlkQXCoUAkcIsjKIox6Tem8bVN8W3P7l09wyVGafUKmNhonG2+PLUPwJedoIYbfaArvK\/RuwZUPJBHiPqclPj8GB4blfNLZCSxE7O80ZWg6IzmaH0ZyK96aL8u3DeLpkwvE+ZiYmPNHLkxCubDvJZKErdDSCNct\/8C0DNjLgLDA2edu7gd5la5GmHjIWyqKCsVDNCJZblHcVBL1VdA06pyamhaIutlHrJtt4MwRHnHaWsi4xtJmIF21kHBkIHdSNDwPpZdZQOo6t6Itpq1ZTpS7VN39q1L5s9axaQwh1msQpQnvxEMKRTjphoLon2C14B0FHuQO+nIydxdhsWr7CdUuXtsSSSuwWO4Ld68XCiQx9y1eBiBAB+GD2Wu\/lb9XwLxv5IssYnU4s6tBvuesFaIcboSu0qDauY6CaPlOVzIvtAJYMstwHjBjgOUg1VLVbW4e8RABqYyrAFgk1Y\/+PtHf\/PYsvCZhOCB5kqbImiRw3h1pD67YavEoB32fyii0nqrXhuOx80OsYd19rZfvwepXx7rsTO7Azrv1gfJUNVyN3GZFPVbu+9bah0bZVb2faEbPsXvHVJ7ADhVuYKBowG3\/vToH88gOsc5MmMiA7BPkeocUuJbep7qVkWVyD6A4XDSMgQOf4snKf3NMnwoOZ5+\/oEP35GdTw+gaNQtPml2DoGyADmvPE2GySCNdXh6kRDEzP1eIDWJ6cblFsWZLk3HJxSVWVK4L5nGv7G236HRvH7cao3OofLUezX5EJcTnlNBjPkG2QPEEcNrUyzgTzeskCKdHWBppAIz5V7d5Rm9KbgwRKyHgP52XfTCa9HE6G\/aWYw8rvnpb3BVO7AuVUTIl+JadVGBMO6HP9MQda7QUWFv6MTUs4VpAGaDAJWfobOxRrmQWeu9NDR0bYEXNNAf7RSIcYCgEjVOU9A87EHcp5jWmc9mASoXlXUjhMutb4712Z6btK9v5ePztTnZNKvllfQgWfQ0YcDu+IovA\/LzcmwpJeiamvlR4aeRi4IENGOnyfwZ+m2LklN5Vs3C\/uAPp9drDmngkL4hb+R4z1IEA0ohBJXoQ+GkgXZ77qbe6ISLXHCPXiKNO4b82HpsRurSda+ao+RM0sD0EiMBh\/TCkxcIcAIltsz8QoSaYF1MGi8GOXIhmTX1jWZrLAHyJmPKC9EuNW9neoG9EJZ+dIX5mFx0oGGaw2sdFPwhkPFTtqOk5AWokoPIwvT5vd4Sa519tHm6athzsvpY\/qhpMhYMBhIn+Ia+ZLRy9h52056DhP7uVx2GyT9ovjnsPolXuMkxrgw2OIdEvaKHwHSLmDh1euVdBDmyBUwspPiAOjuWMEDE13npg368409PBTQTw048QeZ\/V36AB8RGBYvtIGfzBKjh7cAm8l7WE9s5UvaZQy873oVec7lmimiZyEb5LyxRSzZWjXpzMqWJZuYCs9SpKSXnfZSSdiAHAKhypk11NUGFwk3vS\/I5fWf
sFxUM+Rlf7z6obYtc9UnzwhZEp+DuRwFp0SSRdY9xJC2al7618o0Fetdd+n5VB8cJhD79oCRxpjuJClhZScv8yRHXQ2tWyL8V5prewYS8GgYGe0z2ZOFSP2ZvQeX70ng=="}
00863{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":10,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":10,"flow_packets_processed":1,"flow_first_seen":1603816434528,"flow_last_seen":1603816434528,"flow_idle_time":180000,"flow_min_l4_payload_len":1252,"flow_max_l4_payload_len":1252,"flow_tot_l4_payload_len":1252,"flow_avg_l4_payload_len":1252,"midstream":0,"ts_msec":1603816434528,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"202.238.220.92","src_port":38366,"dst_port":4433,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"QUIC","breed":"Acceptable","category":"Web"},"quic": {"client_requested_server_name":"mew.org","version":"TLSv1.3","alpn":"hq-30,h3-30,hq-29,h3-29,hq-28,h3-28,hq-27,h3-27","ja3":"7d9e7f6dec1cb1dd8b79d72b1366b6cf","tls_supported_versions":"TLSv1.3"}}
00535{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":11,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":11,"flow_packets_processed":1,"flow_first_seen":1603816434530,"flow_last_seen":1603816434530,"flow_idle_time":120000,"flow_min_l4_payload_len":556,"flow_max_l4_payload_len":556,"flow_tot_l4_payload_len":556,"flow_avg_l4_payload_len":556,"midstream":0,"ts_msec":1603816434530,"l3_proto":"ip4","src_ip":"3.121.242.54","dst_ip":"192.168.1.128","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3}
01181{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":11,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":11,"flow_packet_id":1,"flow_last_seen":1603816434530,"flow_idle_time":120000,"pkt_oversize":false,"pkt_caplen":590,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":590,"pkt_l4_len":556,"ts_msec":1603816434530,"pkt":"PKn0qB\/spJGxgjQ5CABFwAJA69kAACYB7ksDefI2wKgBgAMDt3gAAAAARQAFALRdQAAhEei3wKgBgAN58ja3ogG7BOzsKsYKCgoKCHUJ14NKwS2PAABE0nUjXqgo3Pq+h\/Bzi9p31\/TZeG7dv7XIf5N1hruOb+rMEEShGYweXC+T8EETUns4xE1pcJfcd9QxJWLz4mk48BM1d7sz6D0g90Q7A6DSDnSX8zPHnk\/mBfB7WcT8ZfCXzHAFhGGnFcwiEQYipESmQ6UeXUdKLkbZVdxhnu5LdA7U8ofrC97xC4VdpB8+pct9Ef44k+OzR1LZByriJ678sYxqlbwGB9+J+7VwgUOg\/gH2R9dX6bQQUO7rTCoyUHrYGZ5osp+I31JLOOQ0C6bZs5jO72nIFTNVF37w0TIl1hS5YHNmjLHkXmrNxza9D1NWHtYItabi0jdmvYKXEW\/jtGDBbNI5Spt\/DdSwahkwacog7vEBAslclMpeaBEdIll7ht0275DdkEE5wCpSaptHi1ZfzWLt8\/3zVoN9gllA09tedp3dfnrCs3MbxDshoV7lFoWGdn\/dNMr60Cx3AUMtm2P3NvJ\/wl+FPKcSOjciGrJox3eMTCqBEuAzJo0ymq8aqrjO3V0G12SwfBJ9tJCn3UEWBx4Pq3qlqktq2\/Fy+CDEiIPPlLGrnjA5s631GXf+eke3F40ZavlVJrfNauZzZygjAUP+676+Kjhjmdgh5vVfrgA0zW4b73tJevIq4He558UKRJU4CMox8hYb3fCj6C3dh7FjwxE="}
-00609{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":11,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":11,"flow_packets_processed":1,"flow_first_seen":1603816434530,"flow_last_seen":1603816434530,"flow_idle_time":120000,"flow_min_l4_payload_len":556,"flow_max_l4_payload_len":556,"flow_tot_l4_payload_len":556,"flow_avg_l4_payload_len":556,"midstream":0,"ts_msec":1603816434530,"l3_proto":"ip4","src_ip":"3.121.242.54","dst_ip":"192.168.1.128","l4_proto":"icmp","ndpi": {"flow_risk": {"35":"Suspicious entropy"},"proto":"ICMP","breed":"Acceptable","category":"Network"}}
+00587{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":11,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":11,"flow_packets_processed":1,"flow_first_seen":1603816434530,"flow_last_seen":1603816434530,"flow_idle_time":120000,"flow_min_l4_payload_len":556,"flow_max_l4_payload_len":556,"flow_tot_l4_payload_len":556,"flow_avg_l4_payload_len":556,"midstream":0,"ts_msec":1603816434530,"l3_proto":"ip4","src_ip":"3.121.242.54","dst_ip":"192.168.1.128","l4_proto":"icmp","ndpi": {"proto":"ICMP","breed":"Acceptable","category":"Network"},"entropy":7.594034}
00605{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":12,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":12,"flow_packets_processed":1,"flow_first_seen":1603816434535,"flow_last_seen":1603816434535,"flow_idle_time":180000,"flow_min_l4_payload_len":1232,"flow_max_l4_payload_len":1232,"flow_tot_l4_payload_len":1232,"flow_avg_l4_payload_len":1232,"midstream":0,"ts_msec":1603816434535,"l3_proto":"ip6","src_ip":"2001:b07:ac9:d5ae:a4d3:fe47:691e:807d","dst_ip":"2606:4700:10::6816:826","src_port":32957,"dst_port":4433,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
02144{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":12,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":12,"flow_packet_id":1,"flow_last_seen":1603816434535,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1294,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":1294,"pkt_l4_len":1240,"ts_msec":1603816434535,"pkt":"pJGxgjQ5PKn0qB\/sht1gAJBbBNgRQCABCwcKydWupNP+R2kegH0mBkcAABAAAAAAAABoFggmgL0RUQTYhUTOCgoKCggKh53oSKcUIwAARL7ptyuGj3sWoCfzmGYT9c5knffzFTiJ5lVJXbpctUGbKL5ySK19+FWpax4\/nAYQUfvCM\/bhsgFtS9G+ZFtPXpli7k9OwELHwQ20mBGQWbjmI7hP6morZpTeRWxaKack+BC0iQiX9\/LIrfrGdoT1oDoUDperL3\/EWfbsAzs51Fr37OKsXNxMOnNCWganJYQDoS1NHvgUii8j2RT7vFE3V9d23tm2baG7XTpJE\/KumpBsVLcT3VzQxufgdMiVwmhOfmQTPXaJDGA\/jRTiFeXg7nXwXEtAxzBQgrLuBhQxPykcUp0c2\/phwIU04regmPrsDteoZwKZzuohFTkgaiJgBEO37GhILvwwBeV77OMpz83mtpaFJrhJUhOB5vM0\/RgcMPtcx4bSZUJUYD6nBLhQJ\/GvQEu7UlOsfkiIrZE+ZKc7Xlk9faNEXsEX+cAq53XDHpAkkbtjxhoLLEgwqg9w2+pJHK905szCqPYz1ey662LeHpygS8mmmH\/gOERXnPY24ktfjRbIPk+3jjlRJg9AEQHddCfLs\/0YynFjxEK6SkUDk3GOa0sGfGsU7zt7rbEh4JS4h\/\/R08A7nHPChHXr\/7ZgHR966vNTPtSXBteBzHwou8p5yVwauN1gN5GaWb31oFnrNAxiwuz4e2fwfa69YtXI4XWHFBvj4iNrdRBF9sHDZoob5bniwmHivCxgMW4+Jtbnaqfrv4Sp3dq00y6\/ur4ZEHV5m4FIMmbgmAyq9vvgmIFyJKBMGegGOoZYhISRV4ufDNEsgtjnm1Ha96l8R2gH9UD5FvAjfB\/ZwRBGmgFyc1RY+15Vl0HTZ4Rr+yCWwF2I4UFS+jzuwD+H6WEkNUgBjeLztMlKSo7QMs7PpOgFdZAlYejckZA1WodUw\/1bgj\/U6KGLbos4yPh+0rFNO0QtSRdW2TgBAAQucKeIvxgOUjTBEAP34nCw3lpKpedULlo5yFoLMltnNpkze\/b+9gBG8\/1mSO3ivzeDC3y6mANlLBm2iJns641SQdnTkf3L8X6YeBJsMYcaaiKYOyuuOiyeZy0YQZa4g5mFBz1gCqnQwBTBq6z8JWs1a\/iBlFkdzl55MjJD1jFCxVWdLyjInYMNmKxijI+ky9lNUsSaDzc5mgZpk3C0ZBbV058wqQx49fSF44m14OWseuaF+VY+qapJWKKL5t18OkWciu9MrAdQ4l66KAXEOIsGmkn8zlOyO4gaBESlpwfIO6YAp9wh9uTR9L+wkJgDcSe\/JWX30SUzbiRxqTmU9\/OJu2YJTPKi8wBs0qops1o6F9bQ4myo5lBZyqDquGfUWvrEXAbX82yldqPSTFnXWZt1UdImRyp1aGJVLjK7WjTb+ZSUcMVvxEHERZUt6VlUBe9SscDBCFdepioRLv56MnqrV+s4p\/g3CZ2sX0A9nX\/xgQxdccpjrif7tgBq+g7rjwIDWgS4NTZeETjOCtp53wYAhZZ32G\/hgRuBjIwqG
UhTXHOoeOasvV+WD6Qh9WG\/ZAOn3eXObqDuYhD21bQbu7H9CTSFHgZo5\/P4wYz2WlEjbWMiQ9K7B5MQdxXUQYTDHm1OtDv1m9inaq9E9Mp1YP37ABzmfZ+XPVEzLA7x\/VqZvQgYfBYQAA=="}
00907{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":12,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":12,"flow_packets_processed":1,"flow_first_seen":1603816434535,"flow_last_seen":1603816434535,"flow_idle_time":180000,"flow_min_l4_payload_len":1232,"flow_max_l4_payload_len":1232,"flow_tot_l4_payload_len":1232,"flow_avg_l4_payload_len":1232,"midstream":0,"ts_msec":1603816434535,"l3_proto":"ip6","src_ip":"2001:b07:ac9:d5ae:a4d3:fe47:691e:807d","dst_ip":"2606:4700:10::6816:826","src_port":32957,"dst_port":4433,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"QUIC","breed":"Acceptable","category":"Web"},"quic": {"client_requested_server_name":"cloudflare-quic.com","version":"TLSv1.3","alpn":"hq-30,h3-30,hq-29,h3-29,hq-28,h3-28,hq-27,h3-27","ja3":"7d9e7f6dec1cb1dd8b79d72b1366b6cf","tls_supported_versions":"TLSv1.3"}}
@@ -92,7 +92,7 @@
00876{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":33,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":29,"flow_packets_processed":1,"flow_first_seen":1603816434606,"flow_last_seen":1603816434606,"flow_idle_time":180000,"flow_min_l4_payload_len":1252,"flow_max_l4_payload_len":1252,"flow_tot_l4_payload_len":1252,"flow_avg_l4_payload_len":1252,"midstream":0,"ts_msec":1603816434606,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"131.159.24.198","src_port":41587,"dst_port":4433,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"QUIC","breed":"Acceptable","category":"Web"},"quic": {"client_requested_server_name":"pandora.cm.in.tum.de","version":"TLSv1.3","alpn":"hq-30,h3-30,hq-29,h3-29,hq-28,h3-28,hq-27,h3-27","ja3":"7d9e7f6dec1cb1dd8b79d72b1366b6cf","tls_supported_versions":"TLSv1.3"}}
00536{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":34,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":30,"flow_packets_processed":1,"flow_first_seen":1603816434609,"flow_last_seen":1603816434609,"flow_idle_time":120000,"flow_min_l4_payload_len":556,"flow_max_l4_payload_len":556,"flow_tot_l4_payload_len":556,"flow_avg_l4_payload_len":556,"midstream":0,"ts_msec":1603816434609,"l3_proto":"ip4","src_ip":"51.158.105.98","dst_ip":"192.168.1.128","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3}
01183{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":34,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":30,"flow_packet_id":1,"flow_last_seen":1603816434609,"flow_idle_time":120000,"pkt_oversize":false,"pkt_caplen":590,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":590,"pkt_l4_len":556,"ts_msec":1603816434609,"pkt":"PKn0qB\/spJGxgjQ5CABFAAJA990AAC0BNLcznmliwKgBgAMKP5oAAAAARQAFAKEiQAAwEUWiwKgBgDOeaWLKrwG7BOynncIKCgoKCBGs9QKfvVcQAABE0lvluJrmL\/hMeUw3YRhBIJ\/7gLtKpaIz\/yfYSAz6s8M\/iZU1xT7UiPmoiPsMT3FCwMnulK4pxlFMwSTfXCJHpc614jjRRPQY0r4A52kRAqbpnpm4pGdhwJNk2VhjYh04QB+ATZnDkcsklWaxwa1n6YHU9l\/hwXdVfRMJRZaRjlnNVjFzYTJDWF1bqR3R+8VW0waOTiwhJbmwo0jy0HGIxrRni0iCPehpoLwTjyK71TyZayvNhxdtGvZzTbpHaeAT15y\/CNrfq29HSv4IbvE0UmtwPnAkf\/K1m2amootTqW7mZ0NRHFK3HiA6yyoxrFYKU9\/CqXLS00PyxBFYvXIH8JHdvMhif7EW2Q2vZzfwwkJPwkHVXd+ngfY6wGLILtNDXV2ivGtdy3XuvH2ccmQEKSFZ73Hx9iHdBl6qjfCYRhGp6e+IEQqSNu4vIjwJrHd1DI7AFuP5HVV3t0uwiRNlmNLYg\/\/iQ8SXBZOZZXE4JJ7SqpmG4T8bxGnZ3BCjiEFishkM4w78EsJooOt\/y+Ru+rpDXeXF0DEDfcvmU78O5MK3Ul65ZjzZQp5A08B7wuQCd5NseMaqkP4jaydGTyiWvmW0mmoH\/qDqrJMH+DDDY2TMH7n1pK4uNzfng27Vymwlz4bVFY+NOz3R05sw0AhIXP9mFCKSmts="}
-00610{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":34,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":30,"flow_packets_processed":1,"flow_first_seen":1603816434609,"flow_last_seen":1603816434609,"flow_idle_time":120000,"flow_min_l4_payload_len":556,"flow_max_l4_payload_len":556,"flow_tot_l4_payload_len":556,"flow_avg_l4_payload_len":556,"midstream":0,"ts_msec":1603816434609,"l3_proto":"ip4","src_ip":"51.158.105.98","dst_ip":"192.168.1.128","l4_proto":"icmp","ndpi": {"flow_risk": {"35":"Suspicious entropy"},"proto":"ICMP","breed":"Acceptable","category":"Network"}}
+00588{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":34,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":30,"flow_packets_processed":1,"flow_first_seen":1603816434609,"flow_last_seen":1603816434609,"flow_idle_time":120000,"flow_min_l4_payload_len":556,"flow_max_l4_payload_len":556,"flow_tot_l4_payload_len":556,"flow_avg_l4_payload_len":556,"midstream":0,"ts_msec":1603816434609,"l3_proto":"ip4","src_ip":"51.158.105.98","dst_ip":"192.168.1.128","l4_proto":"icmp","ndpi": {"proto":"ICMP","breed":"Acceptable","category":"Network"},"entropy":7.654703}
00506{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":35,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":19,"flow_packet_id":2,"flow_last_seen":1603816434622,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":89,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":89,"pkt_l4_len":35,"ts_msec":1603816434622,"pkt":"PKn0qB\/spJGxgjQ5ht1gDsWjACMR8CoF0BgM6YEAzSri\/bO+xasgAQsHCsnVrqTT\/kdpHoB9EVGcCQAjCvHgAAAAAAAIawwAN\/DoMJL\/AAAd\/wAAHP8AABs="}
00572{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":36,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":31,"flow_packets_processed":1,"flow_first_seen":1603816434628,"flow_last_seen":1603816434628,"flow_idle_time":180000,"flow_min_l4_payload_len":1252,"flow_max_l4_payload_len":1252,"flow_tot_l4_payload_len":1252,"flow_avg_l4_payload_len":1252,"midstream":0,"ts_msec":1603816434628,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"202.238.220.92","src_port":38933,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
02134{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":36,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":31,"flow_packet_id":1,"flow_last_seen":1603816434628,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1294,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1294,"pkt_l4_len":1260,"ts_msec":1603816434628,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAUAStBAAEARganAqAGAyu7cXJgVAbsE7FzZxgoKCgoISaS\/HP4FIE0AAETS8b\/jD+OLMZ5ZfmIPp7wLwtSW\/3e3V56tG1ccXR3vL4iMRvcTifVjxLwR1VEj5kxXicua4ELuOiBh14YJiINigpT2w+4dKhfV++T2HAdDXb9HRo8Wp5\/Q2I0xH7P0GEZjVSlxh\/KVM7Q8JSVkblMvtsmlTbMHoKyKgv5ZVuhR9rKzyWjc0bDTpihNkKGhI2W23K8YpCOo163pvnpUs8vCjpMKx6Y+XLOjz86VHxZ\/dSIUgwZkfU3hXvxraGDqsOM6nk2BsxRj6ED+eksutrG0VvP5Wbl\/nwohJ3snk4n+kCBY8+CDoT5Q6xIqcKNeqA91veY6WDNW65NdLK9tq0Kt6NyRCQ0iHC1fm8oqxzK49Xy9Yr2klZXjGA6Wb9UmYx6KSJdvg6i+UYQf+hP3vTAcVrvclwQjn1Ttts6+sIXx63DdYoKsDizIkqnYCVuj0roAtIdLG95OmHxjKHrmpsQyLltGhTZMsYJQRCx5M8PpL+vjXo6pu+GHq\/GNM20vpbcH4SfliMSbdeHv4qviRxdJ9R8w9OkBT6XZozO3wWdBmA6PqET53j\/ug0iSc1MIiO+\/q4LSySrTDiP2OBzfwZT7hTAaYz1DN1CxY6wbbPEjnyqCdpqZ1PaOkaWb8OYt7bm6J9VMzWbMZaVbajU0njanBfI51vKbom0V4qvMvcrqXEEunVPVtjgIskNplvDAftVJ2vZJjRMGUEv2c4SLniMT\/gRm2OeeaPXHe1brAnbRvP5KwVwSyHq8W08M66VBt+caimizIdJuqJqF1FGzRpHgQJNETaOqosq4CaLQrU1BEEg3UbRSYSWKj7OLTgEqG1JOZb\/nz1GI+TfOOMiy+107aqM+S\/i3Tju69xYk1X3WP1Ozrd6Wj6AC50FxHQQFSXlNPa5e\/vjVo4rFyU+uJE9u8JoYphh7MyJDB1VngH+kgiqxcBa2QBM5E51d4uR1hQLe+c6gd3MDh43gdsQryQiQifYdGhNRWZZaw2p8fRtUP4Uwyq\/B0bHFpZ4t6PuvIBU1+212nGGZUAL7j3HFR48RnO1qbO+GAhey5N9lWYMlU5tavGiXfOhlX6cAsUEQ2Q6TLV\/ZCB5CQG5QDTtdPH0QZSPPPDEVyy6HE2QB0rH4vjru2j5voDUPBjLlpBQ\/NL5R+mTgOnDFh7tGqQnBHhyDGFO\/50NeIGNTAc07+9N1IfFyQChGLc3grwS1SkOgfURlQLF+0ioikEL5irbMrmWTd851GONI9exui+8KOT8c959NcGrcyY1CIpxJc6JPQNgq4cGI4ljycOhrXFfcY+tJlEO3E0yGYN4gMAGSars7BkXFZLPWbZY+Sb4jXpDImxv+f95nzmTySeAQGcAaOitCLcJ318ljtkj4SzzBlngK7\/jHpA1EPvZ2SJKmWjryUfQf4JJVEzK0DHUTA6qLYV+785FtwR53Rvcfx8ZKasxHIdWmDmMQfSDcjCfFkiPKXadftOSR0e\/XsF34XRoyBUx5eKGVWThXeNxNkMdpKbVo
fP1BRG3kl02O63aebe4V6uZI5YzyQUh4Dl097fgC5KIZDSXh1zEWqkg2eojIxOsLE8glsZ++gAFLU+Q749QmZTjBy2vyjMlxdSRKWMC6H66lOKBGFFFOZV6nr8Cmiz6E4iT7yg=="}
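Review bot: The new expectation for packet_id 34 drops `"flow_risk": {"35":"Suspicious entropy"}` from the ICMP `detected` event and emits only `"entropy":7.654703`, so a consumer that alerts on `flow_risk` no longer sees these flows. The same change appears for packet_id 11 just above this hunk and for packet_id 39 in the `@@ -105,7 +105,7 @@` hunk. The captured packets appear to be ICMP errors quoting QUIC datagrams, which would make the old flag a false positive. However, none of the fixtures visible here shows that a high-entropy ICMP flow can still raise risk 35. I would add a capture whose expected output keeps that risk. Unless the schema change in this commit already covers it, I would also document in `schema/flow_event_schema.json` when `entropy` is emitted and what range it takes, so downstream rules can threshold on it.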
@@ -105,7 +105,7 @@
00921{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":38,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":33,"flow_packets_processed":1,"flow_first_seen":1603816434628,"flow_last_seen":1603816434628,"flow_idle_time":180000,"flow_min_l4_payload_len":1232,"flow_max_l4_payload_len":1232,"flow_tot_l4_payload_len":1232,"flow_avg_l4_payload_len":1232,"midstream":0,"ts_msec":1603816434628,"l3_proto":"ip6","src_ip":"2001:b07:ac9:d5ae:a4d3:fe47:691e:807d","dst_ip":"2604:a880:800:a1::1279:3001","src_port":51040,"dst_port":4433,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"QUIC","breed":"Acceptable","category":"Web"},"quic": {"client_requested_server_name":"http3-test.litespeedtech.com","version":"TLSv1.3","alpn":"hq-30,h3-30,hq-29,h3-29,hq-28,h3-28,hq-27,h3-27","ja3":"7d9e7f6dec1cb1dd8b79d72b1366b6cf","tls_supported_versions":"TLSv1.3"}}
00537{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":39,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":34,"flow_packets_processed":1,"flow_first_seen":1603816434629,"flow_last_seen":1603816434629,"flow_idle_time":120000,"flow_min_l4_payload_len":556,"flow_max_l4_payload_len":556,"flow_tot_l4_payload_len":556,"flow_avg_l4_payload_len":556,"midstream":0,"ts_msec":1603816434629,"l3_proto":"ip4","src_ip":"131.159.24.198","dst_ip":"192.168.1.128","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3}
01180{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":39,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":34,"flow_packet_id":1,"flow_last_seen":1603816434629,"flow_idle_time":120000,"pkt_oversize":false,"pkt_caplen":590,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":590,"pkt_l4_len":556,"ts_msec":1603816434629,"pkt":"PKn0qB\/spJGxgjQ5CABFAAJAgVoAADQBpNWDnxjGwKgBgAMDhTkAAAAARQAFAE67QAA0EZSkwKgBgIOfGMaicxFRBOyPwMEKCgoKCAqQphKlf+flAABE0q1MzAF7B\/pTV0kG5xawMpe3HkhLaz5LmMUUyw3WhYoi5nbpPV7NpV4GM27AXpOgHO\/SzLtIdktFTC4TCKMp7m9qMnCbweSvMGChHkpC5U7w60\/uPzwGl47ucIe9rYiZgKyYjN+8oftGbKB4AlEqhdFs2MoFYovXtoKkQBN7VSB0IxvuY2TC3GidshXx3wTMXfzuo1\/6i1KLTmmNbxSq1CGPdP1PQ24uDLBbi+meANNn06rbl+K9tUdkmsxH+USREu4XCkprwqJDGZjipci4pVwimHHp5mYTfFDWt8XxRCHJmOScE5wt7DLDqP6wUv\/R9RjuGRN\/nD4BOc5F4KnrlgXBSjWA8uw\/1hUs9cHVpYBS0ltoa5wxXIx++EBaRxTWEi36GVZ65l2iVnWKkd\/xq7p88n0OTSzw9MX6zL1vpn8Q3b5hVpTOfk0XSi5xbalOfjBvaK425FOHISkLRT4hHBTrZPDUxwxwBg08G2H36nvO3sZ2DqZCH92UgDfl3OrnJTQ5kZer0RXiGe8JxWv76LxDqR1kJ0SXR282tjRVBUWk2yeunxwz3vNCj4omHVmk44mRi251cY+XJzT44HEva4iNMf74w7Rm7ot9s3dpNfVwJPF0r16L56vzdWhG5cGOJ1D+VSlbkJMR4r0BQwF2\/eCtSeTN+rk="}
-00611{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":39,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":34,"flow_packets_processed":1,"flow_first_seen":1603816434629,"flow_last_seen":1603816434629,"flow_idle_time":120000,"flow_min_l4_payload_len":556,"flow_max_l4_payload_len":556,"flow_tot_l4_payload_len":556,"flow_avg_l4_payload_len":556,"midstream":0,"ts_msec":1603816434629,"l3_proto":"ip4","src_ip":"131.159.24.198","dst_ip":"192.168.1.128","l4_proto":"icmp","ndpi": {"flow_risk": {"35":"Suspicious entropy"},"proto":"ICMP","breed":"Acceptable","category":"Network"}}
+00589{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":39,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":34,"flow_packets_processed":1,"flow_first_seen":1603816434629,"flow_last_seen":1603816434629,"flow_idle_time":120000,"flow_min_l4_payload_len":556,"flow_max_l4_payload_len":556,"flow_tot_l4_payload_len":556,"flow_avg_l4_payload_len":556,"midstream":0,"ts_msec":1603816434629,"l3_proto":"ip4","src_ip":"131.159.24.198","dst_ip":"192.168.1.128","l4_proto":"icmp","ndpi": {"proto":"ICMP","breed":"Acceptable","category":"Network"},"entropy":7.619289}
00572{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":40,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":35,"flow_packets_processed":1,"flow_first_seen":1603816434640,"flow_last_seen":1603816434640,"flow_idle_time":180000,"flow_min_l4_payload_len":1252,"flow_max_l4_payload_len":1252,"flow_tot_l4_payload_len":1252,"flow_avg_l4_payload_len":1252,"midstream":0,"ts_msec":1603816434640,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"51.158.105.98","src_port":45250,"dst_port":4433,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
02140{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":40,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":35,"flow_packet_id":1,"flow_last_seen":1603816434640,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1294,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1294,"pkt_l4_len":1260,"ts_msec":1603816434640,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAUAXZdAAEAReS3AqAGAM55pYrDCEVEE7CF4zAoKCgoI\/WffY03wSeUAAETSMHofJsIVRtpuQGVddBW97CfvMNh6FstJkOMpUt\/yyfMol2NH\/cmw9076\/GVp8Jiw6RRO55nAlaDXRKDx+fRRFB3MWLmB\/9BdlA7rKSF+bxrlmvb7IG3rx2evLnOEA295WB7h7yye\/Yb8SM1ckobonKrZZ3VSIcOyeDvx1To8yKU8S+qgO5UB6V6j3ZR4z8tia9hoRBaJuuWjnRXPIzRC\/Y4Ty4G0TTfbVLamm4ej+5tVGNr3TS7pN2Xzt9lr5OogvAmipVfcrFQmzNA\/+bixOvtJICDh3fR9sII+Aa6F3m95yiDF8HdhXx8TxWV640MZkTOca5MbcwS+YPz+INAIjF0s2owurg4clHkrQ\/h1vY9wfL8cau+doFTFKxQWkVu3t2i\/+mAsWEv1COMBJgtwWY\/1oMYnha9PWceb7bjtXvQ0AFrjBC2iUpE8uKG2lpMj3vw++EDHs4D8UOswAsYKSR3QKTNy5\/n9F2K6wbOe4lbPp1tEUC9i4BjrP65N5Jjd4whCLlWExxdcuUiqmeRWX1rLfPxynJrkw7vqaREC00sCdzi7Lh2rgh1ZgrEUMSznXgMtkuiWXjnmdl6yNUvpIov2oxF5IIqE7+inmRUO\/4bFKluz0rJxSvweOGUOG06qc89\/fVfEYvQVfSGie\/2jaZPAoa73lw60ChYZL5W8YQTUE+iYwCEs\/LrU43Io05inp4fW99XL+dqJLeBaKkadyRCr+ZlWnxdK3SIVAKssrqk8c+dwBP8Ga9TvI0fwtqyE9zLeGdLLth+UrgzbKZkjPtZvumQptE3y8vzXm3rNGckk+s+tH5kfuTErhMMgcEqqghapUSbghSKFnvd8KXrp5I5dImNV23VsAFnZphiNdSMrAO\/5tN9cHTB5kZFEzKzu5mIwtp39YSpIVho1618W4woojYayBTAYGdCFJnsdHAOWZ0YNc9fXqn3t7pH0RfvXqhkQ14VLJ65JuJqy\/Qz9StzBGBZch\/xsRQnL8tGwRc9QlrXGc3QWq7muqAOCyzpHoMChq2oTRE\/8HPgudmPNkrAf\/ScwBASioyMRhmPXbQOnz8kpZqhiLFLzbv+SqaBxgR+bgVYn1+3zxEWz0OQ7t81FdQLiQ\/r7o1w\/5GTxaT2UQy4+HSu3XgrEmc70xQDowI3TS6l1xbMtq6G0wpiqDxghwCsLBT2Jp0llaTYvV20z5T8ax80YSjv99Judp7QAD+5ZWDqxTHKL7rG3JmR6R8uIhzq4m21IYTygNOeNDTZrVPa3NY1BluNOiJM0ojQMwAtKPXhJSECktSWYBn4OIxP0YP6tXleYVmyb\/7bsrgrloCmarQYyCzGzZUopQB5p32ofLV7NTKVj48TfiOfWu7G7+u2kMk6czrGQwjYr399xRe06yg2sy+HVyEgd6XGMtNrXxL3I24LS63NRpc2fVvxrjZFP5bKendh2XIq59I5JF37M+rn6izwnuj0OrSHOnrx4VNLacB+DNwcXJTwF6fVCp5WfoIclvXXg
D5bQwPAiNcduRQACIAJ6RQmeAmxrOjgDcNXfvMKHilUpISNlFeHOjhQMA+MiaVzNspXJLCod8B953YO\/H92LBu4hBpcVIl5YP489aYAYtVAU\/QpiEmGNr0vZKsef4Zb9RxDNgQgxIA=="}
00870{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":40,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":35,"flow_packets_processed":1,"flow_first_seen":1603816434640,"flow_last_seen":1603816434640,"flow_idle_time":180000,"flow_min_l4_payload_len":1252,"flow_max_l4_payload_len":1252,"flow_tot_l4_payload_len":1252,"flow_avg_l4_payload_len":1252,"midstream":0,"ts_msec":1603816434640,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"51.158.105.98","src_port":45250,"dst_port":4433,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"QUIC","breed":"Acceptable","category":"Web"},"quic": {"client_requested_server_name":"quic.seemann.io","version":"TLSv1.3","alpn":"hq-30,h3-30,hq-29,h3-29,hq-28,h3-28,hq-27,h3-27","ja3":"7d9e7f6dec1cb1dd8b79d72b1366b6cf","tls_supported_versions":"TLSv1.3"}}
@@ -137,7 +137,7 @@
00849{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":50,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":43,"flow_packets_processed":1,"flow_first_seen":1603816434659,"flow_last_seen":1603816434659,"flow_idle_time":180000,"flow_min_l4_payload_len":1232,"flow_max_l4_payload_len":1232,"flow_tot_l4_payload_len":1232,"flow_avg_l4_payload_len":1232,"midstream":0,"ts_msec":1603816434659,"l3_proto":"ip6","src_ip":"2001:b07:ac9:d5ae:a4d3:fe47:691e:807d","dst_ip":"2606:4700:10::6816:826","src_port":46353,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC","breed":"Acceptable","category":"Web"},"quic": {"client_requested_server_name":"cloudflare-quic.com","version":"TLSv1.3","alpn":"hq-30,h3-30,hq-29,h3-29,hq-28,h3-28,hq-27,h3-27","ja3":"7d9e7f6dec1cb1dd8b79d72b1366b6cf","tls_supported_versions":"TLSv1.3"}}
00572{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":51,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":44,"flow_packets_processed":1,"flow_first_seen":1603816434661,"flow_last_seen":1603816434661,"flow_idle_time":180000,"flow_min_l4_payload_len":1252,"flow_max_l4_payload_len":1252,"flow_tot_l4_payload_len":1252,"flow_avg_l4_payload_len":1252,"midstream":0,"ts_msec":1603816434661,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"40.112.191.60","src_port":53791,"dst_port":4434,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
02144{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":51,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":44,"flow_packet_id":1,"flow_last_seen":1603816434661,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1294,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1294,"pkt_l4_len":1260,"ts_msec":1603816434661,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAUAqp9AAEAR4XjAqAGAKHC\/PNIfEVIE7KqIyQoKCgoIcBuNCNTaAX0AAETSsdkQHvJcN7bcF1ORvnbsKUKjlPXY0qQr5k5uOcDOcZrEKpvgL9RbsKleW8ZMaZNBIcnwq2KO7Ra5INHkVKJRC0TkUHMwFXdKdeaESLl2Sccd706kHiSPpX2Lbm+12fv10onPbU6DngslVSwo5iC2jlneokoStHZ4sxg1C5Je9i6sU3G77ZkPXvlXk0NdQQdexNFkb5jV\/JGW0vFPxDe\/qF9kedjCbIxx+p372PhnBv7iEwZ5Yhty+\/qNKY4yyyzUUwAkAmsK2pn5dzcchowy2PxUUm7hjeS7h+ta9tYiPjGP4k1V5zZKY7Q1iEzKbQmeKLLMluT7Ze6EQ\/94FkLhmXXWckZ88YK2QIDTY12s2\/+YoUrmy0fuxliVJc4e7t5KZxll\/xsK3NXnecJzT\/C9JRu8GZI0MGntc6sD+SVMUDoRX5MmL6JI3Lgrth1lbQy1hnltXa2ICmJpXg4UGGlDL1Pjydtfs82r+A5HZhHO8I+yeL60lJGO\/pmXurcvVllxGtQGjKy0Qx8L\/+0\/h97ODK4A9BOM8c5uVRJZi+ae5YWCQBxdqswC\/na2\/hdsvvl7+jK\/hb5lcLu18N2HToRBmI2OttnAnni74F8psk6eNPlA1WXh4QFnhdp7k1TRWG82dah5Np6uhn0FWu8spp+GpOz1PstbpUlg7HUDKDRocRvdo+XzWoapXRLt2rZBMpFM5+qBvFVKX6Ap5vpKqXx1vyTZc7a1PZSOkBPGsuBfMn\/e6CFzZ\/7SKPFuN1FEHhp6qVSfqkNu+E65oEYHbyp1GfsjmuOEnOWm9QuYUWXPMO\/ZpslsQLq28PkTI45zSR3jBaqY+U4cAU8hHI7Y40pZi0OVHAUG3Cp6mgeeNysES80m0WoJn1e6vRigeA1nc\/I4X7I+sPdNk2rBF6nEfBWEHw7MllB3iWKvvfivqsRWGfnLPVIWWdgqIoeFXHZ0RtFAK+dhBCktFzDp\/q6hAfIktX3z+sj5E4pGLpkcvClK3JUCXIBwpBXNz\/Kc9u134cEFWcWfbtjt65orTzu8PxGQYP+2jYE6lnk\/tcEolSkAelGkBK\/fE95QONEIEfiGb2tudRlXWTXRf\/FFFuldF0FdSJr50n\/Ih08O2ebAjk8ljjBC4Vr56KppkjdyyoUri8YzcV36sbFJqSwNQqsETWwcWH3GRqKMaQ+n+GVJUfR2mVE\/e4E852F32tsINiUu9KMW+toNgqOQfW3axNf6JaPFYtyy7MrNLsqhd2DTcip3+w6pKInaMiPiiKc8Fs2riJwto+W7a3bpQaoELeNUhEukCZCq\/FzN9PqVxk6EFWsqUSSSGklINGSbIS8sc+UAhevcQz0048wkjFBmEZFqu5A\/ObrRfWUEjpP8hKYzq9fOtRsoabYuH0GT29NVVZ6mp6+ZCCS2cAvfDT18d5ydh7ws+klcqRStiKM5PnIuDiY9ahp4jcvj\/XCvOWH28khmORKIgTIM5tVtnApY5TcVPqz7Uqmg2PcjSYyR
BrJch\/eSfjOrA\/cCMqhxLApIy5m9eIL4iY+YzrKwVPTBJ1t2v4mujsR71BWWVXgie2CQjixGfOz6PTiXloHY0ohyCpxw0Cg0ysy1PcwnMPh+3oGN+0IKbU7LLyLHzUsIyN44wigmXzAl6Q=="}
-00865{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":51,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":44,"flow_packets_processed":1,"flow_first_seen":1603816434661,"flow_last_seen":1603816434661,"flow_idle_time":180000,"flow_min_l4_payload_len":1252,"flow_max_l4_payload_len":1252,"flow_tot_l4_payload_len":1252,"flow_avg_l4_payload_len":1252,"midstream":0,"ts_msec":1603816434661,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"40.112.191.60","src_port":53791,"dst_port":4434,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"QUIC","breed":"Acceptable","category":"Web"},"quic": {"client_requested_server_name":"f5quic.com","version":"TLSv1.3","alpn":"hq-30,h3-30,hq-29,h3-29,hq-28,h3-28,hq-27,h3-27","ja3":"7d9e7f6dec1cb1dd8b79d72b1366b6cf","tls_supported_versions":"TLSv1.3"}}
+00873{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":51,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":44,"flow_packets_processed":1,"flow_first_seen":1603816434661,"flow_last_seen":1603816434661,"flow_idle_time":180000,"flow_min_l4_payload_len":1252,"flow_max_l4_payload_len":1252,"flow_tot_l4_payload_len":1252,"flow_avg_l4_payload_len":1252,"midstream":0,"ts_msec":1603816434661,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"40.112.191.60","src_port":53791,"dst_port":4434,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"QUIC.Azure","breed":"Acceptable","category":"Cloud"},"quic": {"client_requested_server_name":"f5quic.com","version":"TLSv1.3","alpn":"hq-30,h3-30,hq-29,h3-29,hq-28,h3-28,hq-27,h3-27","ja3":"7d9e7f6dec1cb1dd8b79d72b1366b6cf","tls_supported_versions":"TLSv1.3"}}
00572{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":52,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":45,"flow_packets_processed":1,"flow_first_seen":1603816434664,"flow_last_seen":1603816434664,"flow_idle_time":180000,"flow_min_l4_payload_len":1252,"flow_max_l4_payload_len":1252,"flow_tot_l4_payload_len":1252,"flow_avg_l4_payload_len":1252,"midstream":0,"ts_msec":1603816434664,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"193.190.10.98","src_port":59515,"dst_port":4434,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
02147{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":52,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":45,"flow_packet_id":1,"flow_last_seen":1603816434664,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1294,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1294,"pkt_l4_len":1260,"ts_msec":1603816434664,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAUA4mFAAEARxULAqAGAwb4KYuh7EVIE7MZSwQoKCgoIhDOd38iF14kAAETS+DrcKxcR6weCAMpXP0WCjIu9ZBcpWi0OIwLjGToed\/giv9qrtDo9ivnhToDBOwIFut7lx8oGofCTHgF7Bu0VwbCafc3NxbT0fVzbuULC9eYaVRWQHPCUD3HNkinLSEKLzkqEotl3g646wEpRi\/ugoezcuEqO2y6FIB5R6lgny7Nkkc+zMDGl\/vVsq9D4yR\/HW1d+8htwfQLJRpA9hzqrxRXBKybzFVVjhg+KSz67S75CNguDyG4FD4d5JXshyl\/M4INjh32wAMrYFGa8t+2d68fOM2TsdLASGnjmnLNA7\/Pf8UMA6n7BdmW2IJneYpplOs2JDLXzJklKXNuJdllZWQX88VAVkIZdlhRUIxXv\/f7UmxqAgBcsb65UxpALzeD9UOYFX7eXnFX3CBNctLx4OV4vy5qTojgYXWndnvZWDyo9r1nMBp8D6VlFL3WOfCfGoqwqeHusn5C43hBSHrku\/bXz9iJXIhkW2exazvoHN691IPr0B73C3NnmhicLFxNH7FU7WO\/4IL+6sD9DZXTIjSg6oTpPZcbUD6nL7y5Da7hPow3PhI\/sdvRXmbzab8jO1EGiZZHwGfa4q6m9yRM\/TXA5uhhLvU2EfXT91420relOj408ZVI6EUSGceNLMighOPfPAfp0WOhbMCbd98H61M55hJNktUMuazO1d0gcsWhNN7ihq3R6vEE9ycG3wWK4AZXs7o9pNpiOjFyi\/1mC6Ku8u1sBA1oNJJOJnGURm0YtMoufHAuKV2LJVu2OeQAP\/A2\/w5vSvzrQLOGEBdMHP3rIjZlGA4ez8O3T8wl88X4DTz9tphYgqFCKVqs8At9jd7jId653CvC+xEYdEiNG9bQtgVNzXeRz5DgAY\/Rramv\/s0Mz9eqNUZ5kDg4J0SUVs70edYwUxeTQM\/DGMsrfTyMpxJinyaJ+lIbkswjz4fLDe6hTAtCperVOSIVU7PFEEJNopz\/TdPDhB\/\/OU+mjuGnm9dVJqiOBsKq6hwakuMJMeEbqZ4oR6\/2tTEOQMV7c3m8hAgBlfCT+et0oHj0In1XsO41lgeBhcmsxfgpL0+MgrRWpX3hNlmOw2YFL7IPahaVoqqwt+hlD2GAaUYWeZHKQIID8JZod24qH7\/lYJ76jofC+JdWXEJ7R4KLVHjma\/RdasqECMSrg4m7keaHTZDKrBR35ahliIHV+sND3+6E5IN\/2QdoUlOi4\/UYlyycPYl2QrEjCc4E8TPnrA7HhR8cbOqvr2NJUiO3vmvNIk9u905r1d+yKr0KSvjEMW4aoGs1cnkqp7BFwfwUFTFXE57dIo29rq+a60tDyag9gqUpuo7QsXjOi2fVAkTyRGrjCd9eSs5MDoGygOvvn\/yw4ZAA3XpTxroAMLQ9Sj\/92T0qxoDCFA5OG7E8A7GbyiO5B2nEiMAOZpw+5PZXL4BrU03Z37oc83D+zHRg9XCBGkB3eyfyP2\/ya8kSOgnWI5DRzDtrL+axTWaV4naIX3w78wYegwyfuMaor
TISN4Ye+UzmrsF4ld5d7Pp68ZmvyPCebtO\/KSElf\/sucwWTuBzbcyui8aFCG0Vq9OlG0\/qaPlP1qL9A8E8F37BOHLRzvh\/sbn8ks0BPPWFNRGNxMVhkFaWjx9NYOtOhnexATQq7v4e\/jeA=="}
00878{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":52,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":45,"flow_packets_processed":1,"flow_first_seen":1603816434664,"flow_last_seen":1603816434664,"flow_idle_time":180000,"flow_min_l4_payload_len":1252,"flow_max_l4_payload_len":1252,"flow_tot_l4_payload_len":1252,"flow_avg_l4_payload_len":1252,"midstream":0,"ts_msec":1603816434664,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"193.190.10.98","src_port":59515,"dst_port":4434,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"QUIC","breed":"Acceptable","category":"Web"},"quic": {"client_requested_server_name":"quicker.edm.uhasselt.be","version":"TLSv1.3","alpn":"hq-30,h3-30,hq-29,h3-29,hq-28,h3-28,hq-27,h3-27","ja3":"7d9e7f6dec1cb1dd8b79d72b1366b6cf","tls_supported_versions":"TLSv1.3"}}
@@ -185,10 +185,10 @@
02145{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":74,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":15,"flow_packet_id":2,"flow_last_seen":1603816434719,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1294,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1294,"pkt_l4_len":1260,"ts_msec":1603816434719,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAUAschAAEARJZfAqAGAg58YxobPAbsE7L65wQoKCgoIJv2XczUh4RIAAETSm4e+jGeUlE\/B12fljD+RqcpH47cYVTGlgRrNPB1pt4i\/tbOCC9Ip3Az5ZlXd\/FK3y+qA0RLTj+Hs3M0j8vRCArTbVM4C5NgRxsbhmviOgStjfj9\/bYsZv\/EjOBw1tJ7JBggMh5UbD2IApoVeQbXiGPK49HtmmZ2e8vNh\/DENBlDkfNiA\/Ze5qo3h724av1SIVZrOuvswt3oWie0bK5Roue+xJHmSYlIdNZfnzXpwBh7c35jaMUWDvYBeZmckm7kJc\/YlpNj25UQZsKAQzZSxGyFkwPWE1VZIIf2sR\/CiM5RFNmS8PgkHq67u5CQ3Sonb6Zl53+rO66OPeJhUkGQNaSql8mMy7iu+inJtNa+Jv8r+Mk+hsReHOd3O8emp6fJ1y9UM73fh5DirDtvnZZ3V6jRJ2r4Rygc+0kMBn4CyZ+getScc\/+R2siF\/4EkcSN\/DfCIEwaf5cBdqU7sUr9jhm8ebduyUf8MMp0mo8YLH5Ld6gayewdIiX7e5MgOtKMtgw+6gQh+Bv2MsHuSZkTMTDQf6U2V6WVpP0Y9J+TKxzWfaCPfnLyfJhAvO09EXRL4v5CauDRrgK66O64n5FFSoPkt\/cTCu2ZrnJUnl73ZUh5IMHcF5qrpyNgwYRdzmLOBKKUcbZsDmgTWWmVQic025bFbbeJANUemP9rPrhK8vpdcFoj5tc09KJOg24DVw0N\/8s0k41J4q5XkRqvAq3Jh031h89LKhx6BQhfHBc1CWUzEmpurvpV2Ys4EtVyEOa76yxKI9JcwQIwxvIQGEJ9wsNhbJGOcCGN65fV293I4+Q6O6oqi3DRDkz7R3WSxRmE3ALQUURzNbLPzkf5OpbRxMjRgBCXiLLxDLAMGYwM3F2kI+ZHH4x55d95IB1d\/psHRZShyVEYlzUKCnwu29d26MEawfpZVAaMzVRo7xXV35ZRY1D8\/9qSuz0fyLsjjlwkVcHKzvWu8cUA31sZxhNy8BdqKz2pVYPgrewKlXoKgRl99L31koA071JJjVhvzH\/gU32UecgmYeQp250l9S+wco1ff4R4UyUmOfphDkNe9Tg\/fRpjxgKleIR8kU42W8ME9YzuK+U6l+SwzLtodLt+wCvEs\/5vVCJoajkAEX1WivqyUrV84SFPKxXwpiL7TWr5xgs9A6ntAG+LEQ4Fzm\/5n84NssQOABVYGxSC+XA8kEi5T+j7oP5Z\/shgDlJzIXGmWwZLuGT\/FxXFjW5dDx3DqqqjLeUaGgzxk\/EyBCH1h+zMLqNGXZu5UCHMlMD0h27AhID+7gDIkyKn3TFzqvA52QgVRJ5KzL9Mb0vBqkit66U3SK0k0xi\/SfXE85fTw0NQH2x4wd\/v387iGFuVPBH6D0J7PwX5flRLQgBtOy5jnJbhc6rzs0BouQP8a1FymWYQx9YUWzK8DXbNzSVWzXnmMxjgztNz1o7b+kh5m6wUcvmLd6ZGQW6FIkZrd0dtEs\/RrJ1+OEeg0MfVSwR9Ik1PmVJoBjjnSVS\/EB5
t+GQt0btx30I4eSEVuRu2nS\/9zrg3dvua9zEzH6y3wCr08vFuCZT1u8r3v5iOQmHyKv5pfKvsINf\/+Z3UqZAAlmAb7gj\/svvnlt+IBIlM\/2nf4NpSTCux5l816mDS9Bl2mt29n21gH0vw=="}
00572{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":75,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":56,"flow_packets_processed":1,"flow_first_seen":1603816434721,"flow_last_seen":1603816434721,"flow_idle_time":180000,"flow_min_l4_payload_len":1252,"flow_max_l4_payload_len":1252,"flow_tot_l4_payload_len":1252,"flow_avg_l4_payload_len":1252,"midstream":0,"ts_msec":1603816434721,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"138.91.188.147","src_port":39975,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
02146{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":75,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":56,"flow_packet_id":1,"flow_last_seen":1603816434721,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1294,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1294,"pkt_l4_len":1260,"ts_msec":1603816434721,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAUAzsFAAEARXhTAqAGAilu8k5wnAbsE7JrHxQoKCgoIhyfaf9ET5OIAAETSThHzecvOQHDw4M1KEvEdEUCr7CAD3OCoyACaSfQrzochTChRx6wrvVz+n+iOMS1T7uOrLABH\/lkEcgzaWAuVRzM5GGhP0QAKdeAxNm0AsijqoG67hGFscKpx5Av3K9sq9rDX7Y\/VGCtKE++QbiaTUGCfsHrykmsrI7QPeSxlf3ybNOigAkts1eOpMwz25k+b9PnMwdGgxKqc+p7n+EcjPFQejHtIcCrVrKASMN5dFF0N\/aceKWgkpv55cG51Qbpmor1iK5rkX+Jp2MWmVKxJJKA6VEfDmOs8+rh9\/bYDHg0cT0TQf4Zr2hLCg6RgKQkQcpxpjnqjjVnWbgl6v1vpjXEkfqOp6LQ7SyRj3OKJU+CC+q8T3ZrAxjtbgQTH6BSqNj5efXKABdLu2ZE9S1a376exw1gxC4aD7EfQxqzjGirRnUARwvI2VMbxxc2dHnrZzXTVUrVa81Vp5nVMETLO1bny7V5SddubE07uIzwFndMmsYTjkTJwD5XPAMks1RFaNVtVW04V3zer0QaCSFmPpOrKA2ENZYUXRl+1Ms5r0ujaH\/BvGzVlt7DDNrWHHosR4VC\/ma1LSnbA+WH2DeEaYdOBu9k38i9r4ijFtLZ3F8QT0b+bWuRxlbf8JzOO6XJygAjh4eIcY9Ifn6Ag7e30VziB3U79j2fB4F\/Mt+Uv+l2lFBFVyIRYWLQl09QlzkOdaohOuoVGT+vunC1+0eAqFF3oxCobr0gBT9\/9LcLUFdypCpP4\/SwPWvfF+zqYocBjePElav4+tGCKrt\/mkRyKvh\/nYulR4dFSm9pIzgjYoT78ZAE2lNPXyk6\/wkm6W4x\/Hk6rPPDi5szKTPrrB0V1qBTNahyFnb9FvHoXB4fK89PmOZMp\/yecWo4kP\/4lCl\/0sXffd\/0V5mQwriutI7UUKJmZLeDjdWC8J0aU6CLm\/SAEqxf88fV5pVMs0AYkAPp\/9j6IANm3UDJnqgRh8cV1\/31bcLPsjWchpJZggmMYkHI2wDN3Sl9zv+cjKCe7+jCl4jW8L\/ekF6HvMfC0eZ4nbal4FyAx8lo4Ue7X8ccf91\/AaqxYlfnlLzjGSpAQtt5baUgZHgnmszaHCnFbo2HHjdmmeu9Y473RvYemO3l50MKmLZG8lmdXQYv688u9bT4irxXqmbHi\/KHwUDOgFg0j8s0Y\/EmH\/pUgZCvgDFCtWtE6OW\/Hyq+5Cq\/HLgwB+IqdME7iVh3EnO3YfKXA50YgeqN5yY5ZNK6jO6v4bbk7\/wLtWdLdrB98VjrtJxA3EfSPn3vx7DFBmIWTYqLE+TpavUx0HxH19PjHereWaV9o6Cgs6+3PWf4tHc03d1rwK6f0xuBoogN97dsTvTJpqwpURumirQKVo3x+5CvP7oOU957Rt\/07vk0ZfIXTZECv+R5Y+R5gZfgoFzxzcENMe3qIbQZk8PFnchoS4GL\/8Y3H5Zb9Ei56qun9YxSW1Biasm72GWT1NwX2gR1bQjPxGosYAY\/6xPeLm
kDAtOOTQ4g1vxcLLP8ZY+VaGsUNC8YbA40ig6LjBd1CD5E8RiAqEa9E2sD4lNd4+rToxZT0gmByW82p\/TzmPxSzryYrUGNjoU4d233l88kz7+WQyjC7tX8oBOiRLI2cu8Cgzkq+Qerk7O1ahg=="}
-00834{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":75,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":56,"flow_packets_processed":1,"flow_first_seen":1603816434721,"flow_last_seen":1603816434721,"flow_idle_time":180000,"flow_min_l4_payload_len":1252,"flow_max_l4_payload_len":1252,"flow_tot_l4_payload_len":1252,"flow_avg_l4_payload_len":1252,"midstream":0,"ts_msec":1603816434721,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"138.91.188.147","src_port":39975,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC.Microsoft","breed":"Safe","category":"Cloud"},"quic": {"client_requested_server_name":"quic.westus.cloudapp.azure.com","version":"TLSv1.3","alpn":"hq-30,h3-30,hq-29,h3-29,hq-28,h3-28,hq-27,h3-27","ja3":"7d9e7f6dec1cb1dd8b79d72b1366b6cf","tls_supported_versions":"TLSv1.3"}}
+00836{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":75,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":56,"flow_packets_processed":1,"flow_first_seen":1603816434721,"flow_last_seen":1603816434721,"flow_idle_time":180000,"flow_min_l4_payload_len":1252,"flow_max_l4_payload_len":1252,"flow_tot_l4_payload_len":1252,"flow_avg_l4_payload_len":1252,"midstream":0,"ts_msec":1603816434721,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"138.91.188.147","src_port":39975,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC.Azure","breed":"Acceptable","category":"Cloud"},"quic": {"client_requested_server_name":"quic.westus.cloudapp.azure.com","version":"TLSv1.3","alpn":"hq-30,h3-30,hq-29,h3-29,hq-28,h3-28,hq-27,h3-27","ja3":"7d9e7f6dec1cb1dd8b79d72b1366b6cf","tls_supported_versions":"TLSv1.3"}}
00573{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":76,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":57,"flow_packets_processed":1,"flow_first_seen":1603816434721,"flow_last_seen":1603816434721,"flow_idle_time":180000,"flow_min_l4_payload_len":1252,"flow_max_l4_payload_len":1252,"flow_tot_l4_payload_len":1252,"flow_avg_l4_payload_len":1252,"midstream":0,"ts_msec":1603816434721,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"138.91.188.147","src_port":50705,"dst_port":4434,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
02138{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":76,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":57,"flow_packet_id":1,"flow_last_seen":1603816434721,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1294,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1294,"pkt_l4_len":1260,"ts_msec":1603816434721,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAUApPtAAEARh9rAqAGAilu8k8YREVIE7C6GxwoKCgoI6izyia7+eS8AAETSt+QbRbxl9Fm+cZhPehbbyuY4X98qiUiG97DtvQxOnW4mI8Cl3JV0HG80thoAdqQu1a\/K85y1Ygj5RP4637KMtJIeTQw7yPPnXHP0zU4RjZ62TRhNYZ6eNVI8rDTqX1U17UTGdzCJDQ6P3bwSFn\/hecgMOHAgJBSmXtzvmrL3MX129OuthefAiwdrij8dlZ+1POyInLQ1s4zElf1Qtel5JDZstCNGEQMu3Yksb7Fp8N8QxRhMiYahy\/rNZuX1sDo+S8Kt0f4nxECcA68o5O3j7RZ0UkQbCk7TY7P0k6hNhGbG8k6dzns2FDeBH2AWR18Xa6EbgQ+OE51BsT69F5Mw6Qv4zVxrj3nvm+j8ViswJ2lGHUVv\/wERdeEUkom6scesBC8GBF5oO+ERsonLbBlk0k64qeF0Mq16CQ2Tk4A1XJsEkeKkk13FfpgZ4xmju7ZvBKg6vyEj2GwP\/prZKaMYyek4cy3+1jkURWmaCVIJ30zt\/SxehiygkHDUiHnhD4bbKnxoZnxLWYNZlzO2olSPOXGBVUKEmol6Z1tK9f9JtrTB1m6tWsGbvwGSZA1y816T1+9q3kC45+v+o6ZmsHQTQIKTABYPnt8Wtf0hV33bQFBnhVsk2Gxdzjdom1ZLnDG+UAt4D1lf5cwBPUEisJIkPJBWS+rRvxC4DSNxciNVRjBHHot+7iiljC6QJOc8tv9ovBuMSSgCyDMe9n6HZtnwKuFrJijK9sqICpmLcJkRKxtUrOmfIadJlbAhdaPlAaOtL\/gMLjBp5boNC8pc8oLdF5gMKu0u6JrSWcFM7DMe\/SsSxMHlXi6oim5b0Bp8EthbxMMoLevrzbay70814zyI4WTOGY9vs32q1YnE4xZtSITnSbueYtYs5y6gAD+78I0tPBp\/bsV8QK5jclDqhGJvB+AVr\/WiMRT4OB9wSBwZXgYvAqWVfPSOkoHm3S6eJCcDs9F2x+hzEigXYsc84EvM4A1FCIAV7dO57go8nEQBW53ScAoMrWnMLYP0jkSI6suyGhiNp+h\/hClT+r\/Op92bWLS0pmZuvcNoTh4NLNKHapDtFwkQScIFRJ5B3b8fbGgludLcc2EtUA94Vc8QXVeNTIe0oP4s79m2XlQxy5y6O6OOkdY\/eUiYY9ApibduptWlMeUaNEA943We+rSbYXAEwOAraCMgbo\/PxzNUEPSqGnFDmTG9n+KnmYQi\/Alvs3QfYLLJt92WPsYBjHomiJjYWrbbdpMsFSvM2JeGnLfPMCegUq7+rsZIXjLTFB9Be+d9JUJ623MReNEYoMx8+sr6dCv2Gspxsl42k\/5L+7+ZDtFPo3XT6sEDxDYJvaEBjW39mG5b7C2beKtDSKu9M+wzWHdHw90KV7KS6\/DYWbLEkLOhVtsHdqM\/8MkUyr0noHt59IlTRvNBTWfpVdPC4nFiuDekpKBrvN+3EkNvSU3PCcM3kbQrdBSuFh0g28\/mzkqSAv0ZX5bxXIyBY6lC2UEqGMZo8UOe\/BO8r+hCIJMG
Z7nG2fzy\/+YOPtJrO9Mb4J6yQmY0rqVI+EvjNDPprLHMCYe5Q5VOAznPM\/b5ELOgKrzgym72uZNPWn3W6OK4K\/yCjCGoXsltbqumaaP0\/hRyLF6fCMMUuvnes1g8uU+5d9gQLw=="}
-00892{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":76,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":57,"flow_packets_processed":1,"flow_first_seen":1603816434721,"flow_last_seen":1603816434721,"flow_idle_time":180000,"flow_min_l4_payload_len":1252,"flow_max_l4_payload_len":1252,"flow_tot_l4_payload_len":1252,"flow_avg_l4_payload_len":1252,"midstream":0,"ts_msec":1603816434721,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"138.91.188.147","src_port":50705,"dst_port":4434,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"QUIC.Microsoft","breed":"Safe","category":"Cloud"},"quic": {"client_requested_server_name":"quic.westus.cloudapp.azure.com","version":"TLSv1.3","alpn":"hq-30,h3-30,hq-29,h3-29,hq-28,h3-28,hq-27,h3-27","ja3":"7d9e7f6dec1cb1dd8b79d72b1366b6cf","tls_supported_versions":"TLSv1.3"}}
+00894{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":76,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":57,"flow_packets_processed":1,"flow_first_seen":1603816434721,"flow_last_seen":1603816434721,"flow_idle_time":180000,"flow_min_l4_payload_len":1252,"flow_max_l4_payload_len":1252,"flow_tot_l4_payload_len":1252,"flow_avg_l4_payload_len":1252,"midstream":0,"ts_msec":1603816434721,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"138.91.188.147","src_port":50705,"dst_port":4434,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"QUIC.Azure","breed":"Acceptable","category":"Cloud"},"quic": {"client_requested_server_name":"quic.westus.cloudapp.azure.com","version":"TLSv1.3","alpn":"hq-30,h3-30,hq-29,h3-29,hq-28,h3-28,hq-27,h3-27","ja3":"7d9e7f6dec1cb1dd8b79d72b1366b6cf","tls_supported_versions":"TLSv1.3"}}
00536{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":77,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":33,"flow_packet_id":2,"flow_last_seen":1603816434722,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":109,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":109,"pkt_l4_len":55,"ts_msec":1603816434722,"pkt":"PKn0qB\/spJGxgjQ5ht1gDhB1ADcRMiYEqIAIAAChAAAAABJ5MAEgAQsHCsnVrqTT\/kdpHoB9EVHHYAA38EDMAAAAAAAIJzYQ4GSWjENRMDQzUTA0NlEwNTD\/AAAb\/wAAHP8AAB3\/AAAe\/wAAHw=="}
00542{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":78,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":24,"flow_packet_id":2,"flow_last_seen":1603816434725,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":113,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":113,"pkt_l4_len":59,"ts_msec":1603816434725,"pkt":"PKn0qB\/spJGxgjQ5ht1gBLlEADsRMSYAHxgjENIwUQN9nn11N08gAQsHCsnVrqTT\/kdpHoB9EVLLcAA7grWbAAAAAAAI85\/7s6OU42n\/AAAg\/wAAH\/8AAB3\/AAAe\/wAAHP8AABtQQ1ExUENRMMoKiqo="}
00605{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":79,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":58,"flow_packets_processed":1,"flow_first_seen":1603816434729,"flow_last_seen":1603816434729,"flow_idle_time":180000,"flow_min_l4_payload_len":1232,"flow_max_l4_payload_len":1232,"flow_tot_l4_payload_len":1232,"flow_avg_l4_payload_len":1232,"midstream":0,"ts_msec":1603816434729,"l3_proto":"ip6","src_ip":"2001:b07:ac9:d5ae:a4d3:fe47:691e:807d","dst_ip":"2606:4700:10::6816:826","src_port":41857,"dst_port":4434,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
@@ -206,7 +206,7 @@
00876{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":83,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":61,"flow_packets_processed":1,"flow_first_seen":1603816434743,"flow_last_seen":1603816434743,"flow_idle_time":180000,"flow_min_l4_payload_len":1252,"flow_max_l4_payload_len":1252,"flow_tot_l4_payload_len":1252,"flow_avg_l4_payload_len":1252,"midstream":0,"ts_msec":1603816434743,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"131.159.24.198","src_port":48644,"dst_port":4434,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"QUIC","breed":"Acceptable","category":"Web"},"quic": {"client_requested_server_name":"pandora.cm.in.tum.de","version":"TLSv1.3","alpn":"hq-30,h3-30,hq-29,h3-29,hq-28,h3-28,hq-27,h3-27","ja3":"7d9e7f6dec1cb1dd8b79d72b1366b6cf","tls_supported_versions":"TLSv1.3"}}
00573{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":84,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":62,"flow_packets_processed":1,"flow_first_seen":1603816434743,"flow_last_seen":1603816434743,"flow_idle_time":180000,"flow_min_l4_payload_len":1252,"flow_max_l4_payload_len":1252,"flow_tot_l4_payload_len":1252,"flow_avg_l4_payload_len":1252,"midstream":0,"ts_msec":1603816434743,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"138.91.188.147","src_port":42468,"dst_port":4433,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
02148{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":84,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":62,"flow_packet_id":1,"flow_last_seen":1603816434743,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1294,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1294,"pkt_l4_len":1260,"ts_msec":1603816434743,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAUAP7ZAAEAR7R\/AqAGAilu8k6XkEVEE7HdHzAoKCgoIR0aH1pvahxkAAETSPnSjK947ByD+BwPD1aG8hiXIT+yh1\/\/dJPToYueaTYmcm5W39inFapwMfwXtPNuHyuKzvQi4tEhoFP7o5cr7L\/YLfOvRTXCcf\/nBs2i0GOysW2g+q+ySQiTJnXYhgdgzrVd+5t3w\/PQw6fy9t\/m\/yds5zVgFZvkcK9+PBnMGkX69jNHZy\/lqJ01nDFjal9f8GD69jzEKMTGYvMSJQA7RNeC\/KD8eOpHjj9WBygsq6CUYIr8fo6US3BfgPq9gd0A0tmwg39CMW8XvWjfxQE42A0qdKexPHBHbO44RrgN1lYWHsF9KHFf0oG1zpJP\/biAOd06E+L4G8kH7VJLNs7ScFYpQk1sjfWbopJV2NDDRk5n\/u159T7mAS9TPir6Mkav0xo3zJWRpgX5F8BCPA+wy2ILkS4PSS1v0MrOJCoimlv1DqJ5OlW084DnCjwz8IJMv\/SKXa7+4NnVr\/\/ESvUHOac9wGGR1zXP9FI\/x3cL3p4u9H6RWhCPW4QyjHaemmC\/gfB\/0E+a4D2sYjszc275uEiiMk9YkT5MYHrBeYLCaU7Q8DxDwccUne3cpoJ4lHHcYLSLAlSL\/\/KY7h+VxvR+zoxuGflSDjAs1poqdo\/IUube0PEi4UTgbHuGAtXxbtiHSdrpAoua4+6szPVBhRGKex4yMRpVhbH8S+dN3Pyg3B24A0\/OVSzrM5pnJd27z5j0Gd+CA6I3BX8Yp+2hPRnK41jUW3bVktO7edHptm5sFjlFYICv0SOarAbQ6n2DmwLm92sqQh3QS9Lmm4WOx2XCagFIPZIDiZeLTTkq+aszsag6ixBzFj1pcSsByUB\/GhjosZxT0Gj4yUoAQIHzUTJg7J3nKc68zoJAksRF0IX4lzCTP2m7zWWuJzrV47gUbv+qb40KFRAbhbw5Dyw8fAJ3D9TlnxYIcqnqk4LMimkerR+VyVCXS\/6WHTRMPm4MtIHNddK1\/U\/48s6JsJR68VJBGumfircAqWj50LwIeATognNP1DIA70mG9JvdMDmO2oTwy6ySJN4Y3y06X7q3Z8NCtiC\/iI2uhGloDLFxuymBLemWj0VpyeCZG0yIpqIc1HEmv6XKNmjw7z8uZ8Y5Cfh3l0rF5wkKZKiS1xmPWaos69hnGAavOUwNzlyVD3k8VynbijwHzavIsoRY3BLDI4EUCUOPCvrOJTxW67HBmCCikO43iO+akkrn7xaV4Xo\/zs2kx7KWcSSCAiFYi2fQxAO4dtBo2lzxCU5sDKZWyE2j\/3FtfwJAdNdp2IztD++HqzRoQ387gULsMy0sNutEk1+pbY\/0fe+lCMT8UDYTOJkXwNxjYJql09DmDSST+acm9N1pvUw5rNb4b3q6LcSzpLxBR68KiN6n1WdGdEBNNLh4GVDxkIJvPtKALCuwiML8mF7tHe9HaxwxTrg\/pGssCVS5xDRj73Jovu\/IOG05VG5UNPKU18Acro3NlKckFYERDjRmsoE81UwYtkwm7N7d2F1WbVoupTw02
7C7AT7qM8FKZYTL16DfcvuloswPjS71+3GJDR59F44OqreAhoGhdcp+Xh8QSIYeTsyxnGWk0kqW4A4ueD9T9D7LMkceoPCCE+H9fBRiJlRLBVUKyk4ZJsKg4xzaX\/xksDV8yz35z5z93CJ\/IWw=="}
-00892{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":84,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":62,"flow_packets_processed":1,"flow_first_seen":1603816434743,"flow_last_seen":1603816434743,"flow_idle_time":180000,"flow_min_l4_payload_len":1252,"flow_max_l4_payload_len":1252,"flow_tot_l4_payload_len":1252,"flow_avg_l4_payload_len":1252,"midstream":0,"ts_msec":1603816434743,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"138.91.188.147","src_port":42468,"dst_port":4433,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"QUIC.Microsoft","breed":"Safe","category":"Cloud"},"quic": {"client_requested_server_name":"quic.westus.cloudapp.azure.com","version":"TLSv1.3","alpn":"hq-30,h3-30,hq-29,h3-29,hq-28,h3-28,hq-27,h3-27","ja3":"7d9e7f6dec1cb1dd8b79d72b1366b6cf","tls_supported_versions":"TLSv1.3"}}
+00894{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":84,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":62,"flow_packets_processed":1,"flow_first_seen":1603816434743,"flow_last_seen":1603816434743,"flow_idle_time":180000,"flow_min_l4_payload_len":1252,"flow_max_l4_payload_len":1252,"flow_tot_l4_payload_len":1252,"flow_avg_l4_payload_len":1252,"midstream":0,"ts_msec":1603816434743,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"138.91.188.147","src_port":42468,"dst_port":4433,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"QUIC.Azure","breed":"Acceptable","category":"Cloud"},"quic": {"client_requested_server_name":"quic.westus.cloudapp.azure.com","version":"TLSv1.3","alpn":"hq-30,h3-30,hq-29,h3-29,hq-28,h3-28,hq-27,h3-27","ja3":"7d9e7f6dec1cb1dd8b79d72b1366b6cf","tls_supported_versions":"TLSv1.3"}}
02140{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":85,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":23,"flow_packet_id":2,"flow_last_seen":1603816434745,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1294,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":1294,"pkt_l4_len":1240,"ts_msec":1603816434745,"pkt":"pJGxgjQ5PKn0qB\/sht1gBnpkBNgRQCABCwcKydWupNP+R2kegH0kAIkCAAAAAPA8kf\/+aaRU25URUQTY3a\/ICgoKCgj9UoceU8iiQAAARL6ASJxduLYM4xsAvBTFbnnnMgyZmTRslgR5MTLzlGRvRpNyp8S8YSqhWi2EmIsbwpUo7wbHPWhyFPr99JEnZIlhcjYPyxEGseCwFKnV2A0\/LB+svcKwvaZro6Z2b6a5Qb2NXM0oceBQSsPvPMg08kktxPj6SOee45akgVhY4DzKTwOEuk83sHBjlwEQifFccsbM9rqqjEuAyt6JNZnZPoxNz1G+S71LAyfhU0K8u707IjCNbt043hVKiDAAP5Ls\/kOK5\/P5wqDCSLczv4J+lN2F6A33FYO\/MH2HOQiHb42Npm0EKTL+3SUNLPF87XHIdatFGKqcZkjBNCnSSbcZX2rEd6EUtj2nyhPr+r+nFeDhikrv+PxIFsc4VtD7WW0xDr26dPr5aSb061H45m8ZE0qNRBQR5tFZnbTGbyvde2q0Qpki81IBl6UJt1pUmavS5bxq5HrjSyr+NuMKr1axIeHUWwVKneV0bHR+2mJcQo9V+yDL+oVm6ynfkdvz+nfkBGIwjGTvIVMQdFq8yx2LVqO\/qhKk6WPhCoWu9SDfjAy3GRJgBH2n4\/AbuSFWy2FX3xB+FF8PVmqqU3lrXAwclcYyJxho6IWefEErywTT+xmJJToC+y\/V9RX\/POWQWAr70juowrxsRoO0Y3cHtF1mRnK77ko\/Z2bo+32+o7WcpTcj05oFRjeFzF\/bQhzfov7nC9AvF49NZTgKdU080+rsO\/a47JDDU9xRZIAdg7wur3suP\/23X5uAgAdvy9UfsMqaYaHuALSqzHmgmG+LU\/6oOzEiGUuM8xxO480fAsxJEYsa6aGv2IZSIrscvxw7PTjaAwUenIyoO3VqZ+CINAlZcJTfYDfC9Hoc9OdcdGsqCYKUW2wEzwexc9d2EUKPuBdQN2dXat5aWucUNWLDcCZgqT4lbJEnTA2hr0ad5eSaqS6BfcqZWuOLYKUHB67L8Lmnq2zuNtqKmvXXpYPuIvpGFWs7G7GD6CQFOGRklyTm3tEhq+17muIZPvSti1DEepk\/jf609KGeKiujNRiayZCXOCYOzkT28aBRRNckMsvT0LKNcigIKfjCDjIrh9aBkhLcgwpdGyl0y0h5hzDf\/4VXIhtMY0ORmfK1bAFgAlZBgLLfAp9\/vELXdZmlDRSB768DANFA4iwCGp8+E5loZtSnwVUJwBA4KRJzszszKovh\/eLZuleX\/lWlVGnatUN4nwRXaA1HElTOEdLlw6fZcHl\/Bdp4mHTJ8y+9+pA69KKpbmTruDVoXYkxoxHu9SNP1A3\/1SU74fa+4vsnpiYx3onvBAsr5gEzR0pL43F78fgO+m6gor7Et7VdeE4b0ZBmKRybKRoGjfTeCumdBa1nXpC30UmUVAo+zHRyQ1fZ2xkGMwXeR8l2HdsJlr15wXYvnfd6lL7qDoJjy440fHRTo9Bsr\/clAcx+A\/nz+C5jTYcda4m99NqYRLQUmM0ojNMm3OJF4cbzbp6ia5S
amPyogQ1msqIhDfkv9Q2tHko55jTHfOK86Fc81Rz9PlrSPeKqSQiDiYO0Ad6xLICN\/o4TcHWtv1wNgnzDEw5LNMuaUGnl4D4FXXeGTZ793MSG1gIEgmaX3GvG52P40BhE04PqAmddEQ=="}
00507{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":86,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":41,"flow_packet_id":2,"flow_last_seen":1603816434749,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":89,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":89,"pkt_l4_len":35,"ts_msec":1603816434749,"pkt":"PKn0qB\/spJGxgjQ5ht1gCsonACMRMSABGfAABQwhVAAB\/\/4zO5YgAQsHCsnVrqTT\/kdpHoB9EVGzHAAjCaG2AAAAAAAI2i99jGY\/xbL\/AAAd\/wAAHP8AABs="}
02145{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":87,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":25,"flow_packet_id":2,"flow_last_seen":1603816434750,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1294,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1294,"pkt_l4_len":1260,"ts_msec":1603816434750,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAUA8Y1AAEAREMTAqAGAR8opqZMdEVEE7OQ\/wwoKCgoIqaWx\/UJ+JLQAAETSC8vS9NYx\/piHxwl8s8tPMp6kRvO2UBaRMuZHcUr7jludPMV53ZjKHSEyJP+9E8\/YwfQgCjydB0456RwGo1\/cbqx+RH1Q8+a1Bo1DdJBYSWHzgdWM0CbI8YB14t04OHAilhwb5MlDY0NSInVq7T8MAzGcexUB7xgxT3QdMV0ajcdAA4QbbUxGpL\/JsbBCdpMKcKPK2DVQFnN0kkOHn9OlQg4o9cA4XLljFnTIscrDUPaU8cEzYClT6gYQP2jfUUOYkMZZULYk5bpXO7ax5xa50czA2ls0cdXBQf7YUbq+XEnU8cGtnVcx69nAz\/CACNjhFN4oROsXXKDcRVVrHQlIHQT9PZ1APNWYKwMR9C2+9u8dIrhct2cOe+7nRU5qzDx+30cas94Oc2UBgVvL4WrIGpSaoUpJWOS0GeDoGOZ\/NWWg33pgJHnq+fY7ZzZHaHkXZjK77y1bAHB5Tr17hCnN5b0yRFsFoYe9i3Wjp9k8hE3VZmn0SbrwA2HbX31Rwes9jjmIw\/os2DIcecacn2FrvDVlDqA+PQeIAXs\/2y71axQ4RLDic1gPyOF1NF3TOt80pLqz6lBzfCDO3rQH87n\/FiG2UQCjXUWyj00vQBE0K4S49nrAnDyF86E+RmqfHyjAEU7mfiLFjvU+SSLwbi\/fJZjzvnUDZSqjvi6f0IiNao51VPDI0VABW13IqPcImOawEl8JX5u0SQuxZjMaB+gkN47AMk5gGVpUcxeJ7Z9XwIs0K0lZDbqGWCXMCdIud52cUv5Q7a4BkzKCwhQfbEBvI2t+x0ewDQFUYQ17Lne1\/93MxOPU47Wf8TBSnv+VQbWOxLdCg2nECwvv8CsEtJFeZWh\/ha1cf4fZct1vISvq8GJAxKd76jGaP\/45zQLjR4HASo2rVXFn0L\/ETUkSvIfvqvSOkP0YtSO\/ZLn52LtlBuvcA71G0tQ37DmpzKxqMVV6sHgX3+zStA9c6eE7Wp\/gkgIS2yyC89rXKte79UGlVKqDYHmP54LWQ33xn\/ghDB5Udev516Q4LJ\/LYK1naDjh4zdtyWDOyHtV6dDjzohTwANBgk7tTb8qpeFDkvo\/5XKUnTRyFT6z1vDtwXisGZ3PyPwdthxyiwl227D+CWkoTh6C7df5\/ykCgFfvvCvgoQH8u8rshHs55PKOGBg5Hqs5deERSp3QXO5XGtS3KFrfrVEg6HdcbkCxSBW6ksxlYLzTFTTuuN3qPrqUBpBL+bmMKRSiOP1Qzjapvnxaf9gMa1yPSmZaOdEDbYJpPK7oha37il+Yc\/Ki35zS\/SKKrO9P2OR76tBQ1tVYddL33Ezyaaiyq3JlG\/nwWmfV5D2y+Js0\/lW0oPF+SLaGcNUfweLLinRJd+WusXgPVh9RJ+wX\/ykCIdqWlM284dJEMxAAj6BoI4wNZMRXYMh7U0nrCrpYSTFx7EaqFBm7HBPZbeFEUO8nxhWclcKvpJfe5Sf5yDohJz\/1ozHUKuzC9D3+QBJjDqURTWaAew7p
m4H1KncN+qU8PnTQKXvs8sV4kCe3iQ+i0\/nVCMUjviEYY1\/hUg1AA4cxVLMRpwljkJ+SrVfWXClIk9dlebLFDCqTEzVG8u0wwo9BmMF63RqgLA7RedBbfzfYGr0pGXf\/l2NvPGQXqdbLDg=="}
@@ -248,14 +248,14 @@
00507{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":107,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":46,"flow_packet_id":2,"flow_last_seen":1603816434802,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":89,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":89,"pkt_l4_len":35,"ts_msec":1603816434802,"pkt":"PKn0qB\/spJGxgjQ5ht1gDen3ACMRMCABSAB4FwEBvnZO\/\/4EYx0gAQsHCsnVrqTT\/kdpHoB9EVLCfAAjD9qPAAAAAAAIIsGdLtPZLyX\/AAAd\/wAAGxoqOko="}
00538{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":108,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":71,"flow_packets_processed":1,"flow_first_seen":1603816434806,"flow_last_seen":1603816434806,"flow_idle_time":120000,"flow_min_l4_payload_len":556,"flow_max_l4_payload_len":556,"flow_tot_l4_payload_len":556,"flow_avg_l4_payload_len":556,"midstream":0,"ts_msec":1603816434806,"l3_proto":"ip4","src_ip":"202.238.220.92","dst_ip":"192.168.1.128","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3}
01181{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":108,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":71,"flow_packet_id":1,"flow_last_seen":1603816434806,"flow_idle_time":120000,"pkt_oversize":false,"pkt_caplen":590,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":590,"pkt_l4_len":556,"ts_msec":1603816434806,"pkt":"PKn0qB\/spJGxgjQ5CABFAAJA3rwAADIBPo3K7txcwKgBgAMDrQAAAAAARQAFAOUCQAAtEfp2wKgBgMru3FyV3hFRBOy8bMIKCgoKCDeSrwfZ37epAABE0hxlYo43miI9fcBT4NXlNvUyuqRzjALgZuz5ZEFwqFAJHCLIyiKMek3pvG1TfFtz+5dPcMlRmn1CpjYaJxtvjy1D8CXnaCGG32gK7yv0bsGVDyQR4j6nJT4\/BgeG5XzS2QksROzvNGVoOiM5mh9Gcivemi\/Ltw3i6ZMLxPmYmJjzRy5MQrmw7yWShK3Q0gjXLf\/AtAzYy4CwwNnnbu4HeZWuRph4yFsqigrFQzQiWW5R3FQS9VXQNOqcmpoWiLrZR6ybbeDMER5x2lrIuMbSZiBdtZBwZCB3UjQ8D6WXWUDqOreiLaatWU6Uu1Td\/atS+bPWsWkMIdZrEKUJ78RDCkU46YaC6J9gteAdBR7kDvpyMncXYbFq+wnVLl7bEkkrsFjuC3evFwokMfctXgYgQAfhg9lrv5W\/V8C8b+SLLGJ1OLOrQb7nrBWiHG6ErtKg2rmOgmj5TlcyL7QCWDLLcB4wY4DlINVS1W1uHvEQAamMqwBYJNWP\/j7R3\/z2LLwmYTggeZKmyJokcN4daQ+u2GrxKAd9n8ootJ6q14bjsfNDrGHdfa2X78HqV8e67EzuwM679YHyVDVcjdxmRT1W7vvW2odG2VW9n2hGz7F7x1SewA4VbmCgaMBt\/706B\/PIDrHOTJjIgOwT5HqHFLiW3qe6lZFlcg8="}
-00612{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":108,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":71,"flow_packets_processed":1,"flow_first_seen":1603816434806,"flow_last_seen":1603816434806,"flow_idle_time":120000,"flow_min_l4_payload_len":556,"flow_max_l4_payload_len":556,"flow_tot_l4_payload_len":556,"flow_avg_l4_payload_len":556,"midstream":0,"ts_msec":1603816434806,"l3_proto":"ip4","src_ip":"202.238.220.92","dst_ip":"192.168.1.128","l4_proto":"icmp","ndpi": {"flow_risk": {"35":"Suspicious entropy"},"proto":"ICMP","breed":"Acceptable","category":"Network"}}
+00590{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":108,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":71,"flow_packets_processed":1,"flow_first_seen":1603816434806,"flow_last_seen":1603816434806,"flow_idle_time":120000,"flow_min_l4_payload_len":556,"flow_max_l4_payload_len":556,"flow_tot_l4_payload_len":556,"flow_avg_l4_payload_len":556,"midstream":0,"ts_msec":1603816434806,"l3_proto":"ip4","src_ip":"202.238.220.92","dst_ip":"192.168.1.128","l4_proto":"icmp","ndpi": {"proto":"ICMP","breed":"Acceptable","category":"Network"},"entropy":7.598216}
01190{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":109,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":30,"flow_packet_id":3,"flow_last_seen":1603816434806,"flow_idle_time":120000,"pkt_oversize":false,"pkt_caplen":590,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":590,"pkt_l4_len":556,"ts_msec":1603816434806,"pkt":"PKn0qB\/spJGxgjQ5CABFAAJA9\/UAAC0BNJ8znmliwKgBgAMK13gAAAAARQAFAGANQAAwEYa3wKgBgDOeaWKq1xFSBOwXccwKCgoKCNp6o2ufRw8jAABE0iMFIf440snHtaQbpLTAJ\/\/X0Fab87I\/F+H+s8yGuc1DMj7IRCVccfx4Cactg6LpwLVqjp+zMpHzZNYgE+iBS5eSSQ5R1VIB3pIpWgR10BZu4jbgQ9OaBdQdBe6vEK8fOHQlW4z6tk88yOBPCZ9MOnhihM498wDmMjf47XEsFDB\/7XQLydimXkVgGcIAWfjRxaXaSbJMTKKvAYms0ejZnQnA1ViSWn1r\/yep9jMB4Ha216Bw+8\/bwb+zk8NWbJkU1joIp6LywbS8BKMNdkB8CvtxCpRm+uw4pI4+h7Ir2vhBxo8l109zWnww9jHcvrRJCAiVTzHX0IEoiynIkV5hfnomioZ+rfmWQ18DCMdbTm0g8xPqOvlcFJ4riKg6eD9T\/06FbQ\/gfMez3fH3QaSeBi2r\/TOHCN1q7d2RWFd\/zfCVFlJ5yK8kQ\/oLJ\/FOsWcUoocGzw5wDW2ZJKlMLUQVjXb6yA+tyXiZShAlzoYqYN0T4FvgLVOww\/BRgkMCtO+yhyv+IhNBUZ7HwVrODYj2Fkrg4imzgs1D4nwXIka\/LTCNZAzA2HaoTn\/7dnEMFUXWjYgl6Vcr7VmuvChO2Lk2W46SOWZvSzgpXd4SdNTImeyxURq7mYLuukLenDSue9Jo+fNHodI6Y4FhBpA6\/I5BPKpcZmf\/iYU="}
02142{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":110,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":42,"flow_packet_id":2,"flow_last_seen":1603816434806,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1294,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1294,"pkt_l4_len":1260,"ts_msec":1603816434806,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAUAlgRAAEARiNnAqAGAhfLO9LMfEVIE7M5rxAoKCgoIJ05Q063kdsUAAETSbVS8wmTCayioaeEDJ0E7Ag7cjypWJklnY03J30b1mdxIVOpIcCjzHgeNDAUeVGYchax6RLhjbFwwP3C\/qxh1OO8O83qldI1OYg6x3GPEV9dhbYkGdVcPi3mfVEvzh3eS8WnvbGq3a4H9q5E9mDKl7buMufgYFu2sl2hZ01ag0mTo116H4e6bMaTreq2mI8kmjdhWNv55TN2Tbo0qvafHS0QviZ2QSLwEnQh4J+FGfyqh3grvQtfWOnpdR8XEyF6DDe7LL\/KlLa4NwBuxumU\/mO\/SIZ8t8LmkA6HXglfpy4tEgA4X4H4bW8fdrEeEGZwPR7eDrKq9RqBC5oKz7o\/7sHblT4DHTu2jye83jOCQIrWBGQDr5qMowkCj2D+qE7I8qnehPTO3H56afZrW0y49JxTPEZjoHsKNr9nvjAleyeYuaG86WZoQwGHWl1q\/do2IozVSEZwB4ZhhqabxXQE\/bLsaV5zpA9VarwnHFfuqnigS8SW0VNHxqwF42AsxDhJ1ZhApy7feoO0PJvvB2oMY1tQHPKfitH7JeAITAfnhaBY2YdONDcZk5oBrPbcpcIaGvU\/fGwgBQ3eir6s7iNWqBonZzNxwiJDZOCaLqzesvSlVLwJWfVmI2gbBdEGORyuW8xbxQbWWWdwZ2ECu1W5iPFYWZNmDQ5+p+xP+v2p\/q9Zri2SEgtxNFAlFqBgYJSEcW+nfhelld\/8X+b4MFcnpWATco0d+cUaZqJ4oe\/SV5lTkb+r+kBl4Fi8vLnITjPgbX+wBQtuHCeIhIpPSGbKfX0e3KDUQANebIeZRTrYcajrn1fFRlg2x0mgRQZE3eh9zOE\/6NevPmRKd3whKrB4OrWwNw\/SlNsbpFrYxTvS9sFHtHn\/Uuh9Itnw6lb7ILr8jkDVyk4MOLQUBCbcYUCUwkQa6hAPdxDGJGAORwPlVdN1voToAmZpSEQkdedqob3cIiQWZE5mZWy5zSP4b+LhOHf9ORwzuNzfdlhFMGkZsYkTm4i9Glf9wL0Xp7g4iBWo1g\/ERgUa+jz9aU\/5pM9Q2WKNxTb0oWtxniWBS8Lxmsp0IiDMHvpKQ3FN7FMkHusFent8sdfLu8GN0db\/htJ0tYyNHKrn+\/ukQfcuGZu1CZ8pcapnxZCaWzdysytGbuUF0sN2\/rXvBKbrUoGOi\/yQYHoSWzZe4tWPuiFsnEL3ZfeQW8rimwLD7SocitIb0a8vtHdDj\/GmOBVkGDMBGCNjj8XxF6Z2FQBo+4oYwGZuGhSsfMXRlNNFIfFsIHDW9OAdCunv3+x5JsDNF8ukUbcH9anX6B8hHXxQel+qabQ+aJWYsgcN\/hIaoFyjxqHkiZZ0o818BWeuCXCM0HKhfsQvXHf4ucJSBS8pc2EzJ5EUcQ\/dllBKRQbIrXCSSmkQFN4Gab363GSeUDA3rD\/GBoK5b27D4o8WAAnT3izN4JAXB+H9hgMX9A0cMJMRRasU585OfR07ntlSr7v2dExw66EL\/j1gd3QFNGbnOWT
oZJQicIfGV\/RtMUnXQYizsWgjoqWOPbw2wWrCqJhhbkxH+WHFJq0Mlwe32rpddmRI7+CtcRWBotdeJJ3xxfL7AYrxPw3cctN1iTAucOHdUCyCwYu\/wN2z2Li9nrj7J9G4sQVWMiuNy4Q=="}
02137{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":111,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":44,"flow_packet_id":2,"flow_last_seen":1603816434812,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1294,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1294,"pkt_l4_len":1260,"ts_msec":1603816434812,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAUAqqBAAEAR4XfAqAGAKHC\/PNIfEVIE7NGPyAoKCgoIcBuNCNTaAX0AAETSdrPs58Nd4whderbUQKKE9lqbT2Q5dWXTzCU30Nuk49rwMOYzrP9hqurmfQzCfogq7GSDP2MPa19fV3S+tzaflHzUKhrCPd4WQ1zA7H6cNQz\/lRUSpnQOWA0uQAhhAk+IZiglMuTPFh7AnCe7BzheAkGio7m9ekHUnqgl2NpmpwBBQY2oKhqJXzck7whQvip39IREDqyYyokoeQbGf08lhmJrRyewd07SbXyZCbXrujwWAH9r0NguWbmeWQiWcLTQKzzy4g6sxprDxKvBtQqoDYhvf3TyqAO0JNQb6gL5PnsCQpPHeNU738v6N2EJwaCYld1aJc1nCH2E7UBhR1ArdPBQvdD2ti3qSdfkpRxzBao2iX1sHBqDyALe5QD\/8T0uZDT7mlUSPcUSCQVDdwUfo1H5Gw1rANt1KrnL+D7EeJEt30JdQogzd+25oyRRh\/N33koVbRPkvhHtyEiSOAqUcF2k5Cww7VSNAXDrSWJ3nfwrxyNNGcTk1vbfU9FQjS7xTsCs1DcL3tIwTh\/F\/WqE0Qefzo3L9DVZUBF95w+x+NrXTVfTMFyerU2W9IiTbdFPifHfNydqoB4UA6KdAkF420byZMA9uYn1eronWwg6zZLfNiMThXS7INZHCSmquoQM48twpJMiC8QLa2BKxvBs5MAXCaES3COreo36bEsm9T7MBNPrIFP83x9oS3Dwv962KtUHkL2c7dl+XXAGkrol0zp9I4duf7jIdkEwKt6bINytvQ7NOpnpqMe2V\/od99AzLNPugOYXhVlxSXXrKEIlIoBOH\/vFhTYqHBMHhKDUlY83Lqn6rlae+5ldEt\/PYxQqh9RlSvlTKizFbfa1Pqv6mluoxnZYLP\/Q1ytoMX++Rq54VSapX63zxer6E2Fc0D7Z6VXClsXzgGzvHubNlFS8CT4jYJOejwFK\/O29QfOBILbMoFfrRtMOMvJfvtl8oUyriiHZ+EYZfkq6QJnQfCI7a6a+eQggExHpUAScmRSiTG+IYeca3pfV6WTNGjJdxkNLPzA1Z5SNnLP6zTKrtTQschUTrKbBMGzeDxKanuLhkyCaGkNHJ+E9jo1kVSKyouGn1Xz0RovKIuTZdoKvIiFgJRBRTx8b8VxdFjPJBtQkuwYKYuNAT\/hv6yiy\/pQHRSFz+yZmlAIEJ6DuwyjItKkBePqNsaDsx8Am8smaYhsjEC8vmWFe5WEi20pG0HiVg5O5kSIY5y\/ziwUKkKhqlYGirFSKeTAYJVJpGBDrmIOk\/QXL5fYdpveFiq0l+piS3JuL7TGHxf5NvUDjc8PuuHAyslhM7YLSZqEKmlqBzNKi4Z+4Im8\/q3Qs2A9hPYC\/n9KxnKOeVVg7MxmNr3suDiWJ08nJtK7eU\/3Dvj\/ONoqM5exqmHYkJmeB\/i3BYkfgX807asMnZtideGvH\/mPNTuLBycK5oBic1paBSf3T6UKDwFomFMK4zRvQ2RTDSsREhwoKBAz9DUi22uSOarNzx4IBJQAnBsKlI7YkUFuQf2
bHXLeTlc3sjH22aTbkcpuNQVPhD3jsXLo+uLTFSabB0ejUHrkQJu7N55kc5Hjl\/l+it9+skmXrEhRgrnh+Crc2M75SVQkMGW4nqifvwIUFkprpgBKS3scwqrMQ4XMu9+qfHYRTYA=="}
02132{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":112,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":45,"flow_packet_id":2,"flow_last_seen":1603816434815,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1294,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1294,"pkt_l4_len":1260,"ts_msec":1603816434815,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAUAv\/VAAEAR567AqAGAwb4KYuh7EVIE7CoKxAoKCgoIhDOd38iF14kAAETSuj\/6PpYLanmhufRbzBfIfJWqpHveuI64\/eSlK93oC4y6GPXD69PeaFagOPTyFkLIpcEu43y7OCQ1Z35Isk5hak2XHZkMptd7KrQ0EFnJR20xJ\/8s4Hh47hOyrjz0Tb8KAyxJMBwDu01llmEO1Z0EcUEdsorSKLQ\/VLYtmHdEq54kYxwJK6cbambFBrjQfMNHN\/UVp0rFqJczDmgAC1L2e2MT22BlqqRvoo0urlHqeJYQ0fzf9Ma12psTRriGSLqomnfjAnDrYcUuJXKUNEdXIMo0IvCKK8Z2qE53aAwCfpEoAKMk5gq0fRGK85o3RF+aZZt44gpgPnPnQ3e3amJGJyTfNiB0r1\/n8TxhrJAQSkdTnqq4YW8ifhktYPIg4kTB2ijlN5mXKs6fM7HXB7edk1jJ2vRSPS\/Sd1iJC6K7IVGG+b05Hvoqeh26GxYLnmUShKxodNsm5bqP4KQTECZRHJGO5bC3iH2e9AmHFRtcJuV0TEnymRBdJso15Mw5WSKs6MiqZOUVTNhH\/pBSIvkiB59cpoQ2kryiNnrZYHeBm0GW1xHBJINLpHgWU+YOcS01DrnAzJKiAR++TsJqZLlDgEWdgltoevZ9gIp62LQq23k1aN8sOGWxJHB6SR2oFKCim70PXdVeVV2H14toHpbqvnGJ5OQ5TAo9F8H1kILTASoi7zMbCXU+ihgxAsvPHQ0ma57WHD5eEfq+qwnIiOkWrwxRNyE378pWGBYwI8oYScRtd2e51pW5YbrsHNUZOF1BRwr4kRNdeYmvBnBCWqp1oBtltIzrn\/Gfcg3DcXmKdv+wNqmSl5ckBYOsYJvjs7+A0lZkaQsFSCJS6cHnp21uzZtbuJMxnGuFlucbDvkJrbZFiIDRi1zfBizG5xYGqI2LuZiKga47IwNdNLC8VwTruNg1oItufwg14MMC+X8kARERXQPJMtpnlcPMl3ZXZ+eP3TlPgYKElfm8xvSbmiMo\/gyHVDPysxCqGIaONg8hr1XRFRbXCrsQZqBHdR1BEHr2erluZx33TA9nEW4ljFgCY54FmKcPcThHKkex0pfCGVG0rDwn5CMiYlKCqMkq82agukv3RtcLDwavHHxrRJ4GFUlIajj9luP5Su+tOXWCKfvD7RL2peHKYq0oE1i9rkQ3J+6rPx1pfTLMCYUSGyR2ULLEVyAXotaIxy15QIlAlmWMZrgC+hXiaIxq+hUyINFVkc4FAkBBRAU3EDU5yTv1VQUZR++HeJPUvDn0Ly7STUB7C9GMGsanejmwI9FYR1azwvEiMPzo62YRjgMbM2H450bCbY\/ihQkhW6vCoJACsZGMust90L1tttL0aGDUuM2ekxmmP2SR2XGKJhksWGNk4Qk8NcSbtQGw4rBlTHKDoA+TNa0noiVD30cGIgXZvR4LzxoKJTHmmdOUfJnlbktOUO+L10wT6chVbloEO7Gl6LmuuY63cBoGIu\/9oxZ1fVnf\/qtqp4c5WdmDqlzryd3pEbe\/IAUHs50fQBLfKzcvYMcd
oYWKI2XujLzx99HtpnCDcHHfIGi2GBE7lCFUhpHVx\/3REbGwPNIrR5hVqLd9oAN0IWu46FpJq5LdwUTeovYvLw5NA\/DiXOdXc+4fQx+cmbBq4bCo5iPDOTurjVG+AT6KDA=="}
00537{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":113,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":72,"flow_packets_processed":1,"flow_first_seen":1603816434818,"flow_last_seen":1603816434818,"flow_idle_time":120000,"flow_min_l4_payload_len":556,"flow_max_l4_payload_len":556,"flow_tot_l4_payload_len":556,"flow_avg_l4_payload_len":556,"midstream":0,"ts_msec":1603816434818,"l3_proto":"ip4","src_ip":"18.189.84.245","dst_ip":"192.168.1.128","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3}
01188{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":113,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":72,"flow_packet_id":1,"flow_last_seen":1603816434818,"flow_idle_time":120000,"pkt_oversize":false,"pkt_caplen":590,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":590,"pkt_l4_len":556,"ts_msec":1603816434818,"pkt":"PKn0qB\/spJGxgjQ5CABFAAJAOvYAABwBN+0SvVT1wKgBgAMDupoAAAAARQAFABYUQAAeERf\/wKgBgBK9VPXVKhFSBOwZ0sAKCgoKCEMxhVUtcFhGAABE0qWeLu1BQPCrvaqmOZLxcjaUsYk9VVde3D76gcDL+4IVysNvEgASSqVVEGYaLPIGcbZ3HxJwj7UTPMN9ktHDGQ7OWCRzA6fqhalBV5YwIQEg3hVGDI6qpqitsVwDd8\/MN70IjnRYlLSnGFiFQz\/+37tcMd3B47Z3XUJqAC2gmAtiiG7FB9bVCqu70\/\/gVbe+y8Aiq8lY3pgapL115bg44IU5ONIr0kPIychpXhB4nGil5WtRlR+PfDZaCteJDe8INKJO7W9rCoQHxbJrdHcgp7qNCAvNvwYE3E7IaJzWzZ\/MoUUAYGiQDU5QZNqlmNLsfw7HRz7KL6RKhXKo6arbCoyf+aekhlzkYvXUC6YXLfcX9b\/uhdcExVVj3t3h3bEjsqfwcBC2sK\/3+ftXoClqu\/uJmzlR\/hQg2UZDVSBch9t4LjNi+WntvWr6v5Vi\/KVQ7U43\/Gm4H1rcanEorBOGJAHhmqtXhOThueWcgpRyjQ5+C\/V2Y42zfQkNRgnvzhVV6TCNj3xIlnBpiCnjYGEauIM5QGTgy7j1eEARKu2SqfuTVUmi6oEn63B+sVeMBPtI+6+VRIb69rup\/\/2zzUrMqEGl1Ofqu0NMNJUBI++5TMEJqz8PBpY7++PNBvTXVMJHf\/6eUtUbUHVIf6h+Omvu2jYTq0R6BWM="}
-00611{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":113,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":72,"flow_packets_processed":1,"flow_first_seen":1603816434818,"flow_last_seen":1603816434818,"flow_idle_time":120000,"flow_min_l4_payload_len":556,"flow_max_l4_payload_len":556,"flow_tot_l4_payload_len":556,"flow_avg_l4_payload_len":556,"midstream":0,"ts_msec":1603816434818,"l3_proto":"ip4","src_ip":"18.189.84.245","dst_ip":"192.168.1.128","l4_proto":"icmp","ndpi": {"flow_risk": {"35":"Suspicious entropy"},"proto":"ICMP","breed":"Acceptable","category":"Network"}}
+00589{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":113,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":72,"flow_packets_processed":1,"flow_first_seen":1603816434818,"flow_last_seen":1603816434818,"flow_idle_time":120000,"flow_min_l4_payload_len":556,"flow_max_l4_payload_len":556,"flow_tot_l4_payload_len":556,"flow_avg_l4_payload_len":556,"midstream":0,"ts_msec":1603816434818,"l3_proto":"ip4","src_ip":"18.189.84.245","dst_ip":"192.168.1.128","l4_proto":"icmp","ndpi": {"proto":"ICMP","breed":"Acceptable","category":"Network"},"entropy":7.556211}
02146{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":114,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":48,"flow_packet_id":2,"flow_last_seen":1603816434820,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1294,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1294,"pkt_l4_len":1260,"ts_msec":1603816434820,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAUApCNAAEARDmLAqAGAjOM0XK5LEVEE7GREwQoKCgoIlk3\/sw8\/b8wAAETS7HTMpNcxINQW3ZN+iCGS1z1IAElwdp\/JkpB1113BzMoCCRTe4FQcqzRNlPfFUuL337y9c\/m0xOQ2BSNabPaJGHp30QAKNdTWLRiE0u0lhDN37WkJ3a18g080qiPj3NOKBzBb6Q2R2eP+Tu5VAgK0JBnSSQxscnBGZYx8erjfdk\/KfB+k80tJ23vgNCBrw5\/QJHyIKFr6T5gcmaoduB6MP68CbMsVTh+UudjvNuCb47BBuKD37H0qZ3vrzszhEdCnaBPaTgDC+BRg\/7zjd8y+\/IMXoc4lcJ6yCEUNd5PMsCArc8JfRjxmtTjKsNnWLKbOCz7De91KYHmwGYzaF+m0hYb600XnI1+GfBH+Yt7Rmih6ZJFb61s4n\/p947s86kVOIDjkRzXFc5rj\/5TsZlNwMgHK1trFOYKfIQD\/nGNPAy3b1yszE1t6bon4A+5+sfdvgO3Pb0vQv7a2RjiEoNWsOgLHHYRaOns5wLvhGDh7p2oiwYoA0dOQULiPA3oPFIYn3l5BexqjNtcP9rDwal7aPEC5NULq7Zmi8SqPrNQKrHxduW\/ejURdhLL6oGYtylwTjf6fFdLzV74euKvQMJtzqOmUVsGs7ytHwIW0zUSVdcXZXNdfHTIBhQmt1LEXywwM9sEku5ONFT5vw3iqnJaeuQ3Z9RVWM6JVZBIIyhtRHSHLMWoMYyVHbzNHU6KHtgRqx4XiFpODAS4ZKLu+YaxH\/jgJPdH9GCKqWFOo09L\/MFa9JOyzZTBHgPL9\/n6dV\/AjYlz2WHUbgl4B47TvtoGesKFiqCifWwa9T\/QAs6VqSsxDxakmj9BwRcyJY9Fh+S0GJgfOD3vdFv7r+qe3nnZPXIMdHvVuagTE0AYBONNrKgYdX4Ky4qhLEEd5cE9ERtsD2WvjOGP2X1nIyl6Z5fwtC4lFzD4HiYxcWYOwEoRb4XOLMLjHU1VRqf56Q7VOoNVljrqpfUTD3\/kymwOaOw9lLI9P78KYSDd0ItN84RFi9m1ZATEA4B8xDEQ0xgm7gZL75Bj+DcL6tIj3M5q5t+D3grLTkPWXTTA36Ac5nJ553GrmMeyNqRY+oz7\/jmpae2pHhn5y5a\/JNHh99ySrjiURwgTDidnXFv\/avhfUTEIKYf9vmF1mBR2BjGIWblU\/xSsHPpQooMBCE1pv+edhptbedN01raww3dKDhm8PKg0\/39zcyjrIDUoGuCyt7fcWYxL1rSfHDWFvTo3rOPuLREGMhWKH0rTw1rfsvP7pj9wRWFuq+5bjg1YEYzOa+4ow\/G36iMyOEYXSETkFxk1k9PKRQcdv+hmZ7Yysh6jGqSQYubSckYOn7rzqjXzTbZJ4cVerQWc6vzgu\/f8kKoOJaHeHCNS3S8Ih7LoFy\/3HhVH9BOwbPs1b8AjTnrabB9wJd2L4xt25UkVcDS6dONKmrmw3h\/i2PdMTiY3wE4W1wVKTbunysVPKp2ppBpsra6Hdm1iIJV6HfCSSXwO8AyqeAGhx5QFqNqN2LYie
juoyXFW2FmijSjtLOK+Ec8dkYkpgamnxA4iCyf\/yyvNIxQuF3Qi\/hZNj\/3Ane7tlBEi6cG9xsu3lWfzaAh0Qz\/MZBLCWHCiMGpcbinSxoJxeieJR4hwsH6aIGBBARlcM87JIeY9evAugxQ=="}
02144{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":115,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":47,"flow_packet_id":2,"flow_last_seen":1603816434821,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1294,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":1294,"pkt_l4_len":1240,"ts_msec":1603816434821,"pkt":"pJGxgjQ5PKn0qB\/sht1gDnzNBNgRQCABCwcKydWupNP+R2kegH0mAB8YIxDSMFEDfZ59dTdPtKIBuwTYf3DECgoKCgiO5tu+VRPaUgAARL4uI1WmPGK3DVcwUtE9UzI\/fGSOKvWUIfYmoO3D6w75gyG6cAgBjzUk1WiaTNGr26SzX\/zj3x5ZOIMX2zmIddjoIJovY\/VksJrC3pfUCteiUGgedji71vrrn0fRMQEFiIkPaa+o8LGRwzZKy8VL3G9cV5Q0+xLvukUHxPfTXr+qeeoAkO2JrC0axiSb2dt+XmaJ0v8nr3ud+va3668mZsfa5EeFafHaj8m49xF7nuzVpSiWax1aZSZzIz6eskzoc+1ob4msOELhchJT5jSTUaY4j8tszC8K1inc5HuVJQLo8TDvFonmdmM0XKQKaWAqfBpL0CUAHrxZaa7bFxHWCI+KCUFVNkIiEsJLT7NG1KiOxkI4gvAPMqLHQoSqFHaylCrhyi1kFotT2StbIZXec2UmPZu2coK0kaliS7gU+LJp4Q8aOd\/VQfT+XwTsJ91oSb1hOc3RVgo0quwGh5ZyNdKZAdfV8mq\/WMkDj4BcFPubTYXGgusxS\/MyTqzT1EFGuLIWfyAbYZyodoA4VbTOGXJwfjifkHUQ+UF72jq+Pt7WCCIYrTBJQnTBEUt2MXfl7vDq69U1d9nIXWmxmxitkWebhf3a424eVpSg7vx40Hu84MnwnUTI47yC+ao94ZGXsWQUy81CB15Bxl9YeNY2dJgyiP+5AD9Mhxzqup58xGvvgfzwiN+8b9hNWQCIXG3bcsVJVlFTJ+jyJ9stfjENb7psSrJSchNgxcdmCDy8kzTYUD7r2Kyu23la\/A94iZaAc3a3efSo5IpoqV3d1rp5ZAXMrr7FuDpbBbwpjWOv21FHy9XJpndYMkbIqf\/7foTiABMd4OD5ZERwg0xFUm2\/h9OWCHJH83WAL\/V5NLmuNQVhvxqDt4v9kRbwpq1I6YlY65WMno6Jktn5XADL\/7yB9qcTbstxiHDTP9HA52vwZywCZsUeMNyVpwbs6++IutqZF2u1m5rA1TU892YkmC4kF\/6hNawh4kh9uCP\/dmrEgG3fl\/J1TK58qG0QytYAfCJ0cQ5JLCxfl\/NL8mZSVRO1SYiuLHK3ygtYTMGI6vHbmzBIw7efY9+H20\/n9OdFhPZypP\/u3dYpp4p\/C2O0s6ViK29wOFT+K2UH57w75L7qCQIQY8Jmg4QscecIv0AWmnfsG6wos8x03+j\/JR8bgGEsH1SV8kBWJgmpv\/L4R9h36Dkk7I7wbtNl01psL0lyiPNL+Ovmtqzx+\/3Q62hpJ76z0PUEL8rN8W\/mbea\/y56YejegoW0NiHWhNlluWfwxxnN42q0YVuXvbq45KHAswsaiAvSLHS1\/Hfet1IEJQbT92EAZjtTIJs1ukk6S8C7JBdY2mP1nien9nfYAxxwA\/H5mWvSq0j8RX\/AxShyK\/7L5A8yyjy03hGEmr9rECJ4SlYdMS5IlK68iFiJ4CMvIJ+6AyWXezGevi+5ey4ofkQCxFpY1W0uO7lu7+1aV90Ifn3KxnAwNm6+
ry4yHqk6IaT4+FTyUTD70bZ5KtnE5J0z9NnVQAnXfMQNLWwACkQ3k4t1jyk2PI9+I4B+PL+e\/IT7Vzp7naSY2nO4exFruJXfEn4uVZmLymCx9K0eX21XvezrLYl21gesFXXXoMBP7pIhtLQ=="}
00507{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":116,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":70,"flow_packet_id":2,"flow_last_seen":1603816434822,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":89,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":89,"pkt_l4_len":35,"ts_msec":1603816434822,"pkt":"PKn0qB\/spJGxgjQ5ht1gCEs0ACMR8CoF0BgM6YEAzSri\/bO+xasgAQsHCsnVrqTT\/kdpHoB9EVKuPQAj8mT+AAAAAAAIITUj3tZzyB\/\/AAAd\/wAAHP8AABs="}
@@ -269,7 +269,7 @@
00474{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":122,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":44,"flow_packet_id":3,"flow_last_seen":1603816434848,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":69,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":69,"pkt_l4_len":35,"ts_msec":1603816434848,"pkt":"PKn0qB\/spJGxgjQ5CABFAAA3DrxAAOER4SQocL88wKgBgBFS0h8AI+oo4AAAAAAACHAbjQjU2gF9\/wAAIP8AAB2a+srq"}
00533{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":124,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":74,"flow_packets_processed":1,"flow_first_seen":1603816434855,"flow_last_seen":1603816434855,"flow_idle_time":120000,"flow_min_l4_payload_len":63,"flow_max_l4_payload_len":63,"flow_tot_l4_payload_len":63,"flow_avg_l4_payload_len":63,"midstream":0,"ts_msec":1603816434855,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"40.112.191.60","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3}
00517{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":124,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":74,"flow_packet_id":1,"flow_last_seen":1603816434855,"flow_idle_time":120000,"pkt_oversize":false,"pkt_caplen":97,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":97,"pkt_l4_len":63,"ts_msec":1603816434855,"pkt":"pJGxgjQ5PKn0qB\/sCABFwABTzwsAAEABAQrAqAGAKHC\/PAMDpwYAAAAARQAANz5UQADiEbCMKHC\/PMCoAYARUbXwACMeH\/IAAAAAAAhSHVi6EOpzIP8AACD\/AAAdujqKGg=="}
-00566{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":124,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":74,"flow_packets_processed":1,"flow_first_seen":1603816434855,"flow_last_seen":1603816434855,"flow_idle_time":120000,"flow_min_l4_payload_len":63,"flow_max_l4_payload_len":63,"flow_tot_l4_payload_len":63,"flow_avg_l4_payload_len":63,"midstream":0,"ts_msec":1603816434855,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"40.112.191.60","l4_proto":"icmp","ndpi": {"proto":"ICMP","breed":"Acceptable","category":"Network"}}
+00591{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":124,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":74,"flow_packets_processed":1,"flow_first_seen":1603816434855,"flow_last_seen":1603816434855,"flow_idle_time":120000,"flow_min_l4_payload_len":63,"flow_max_l4_payload_len":63,"flow_tot_l4_payload_len":63,"flow_avg_l4_payload_len":63,"midstream":0,"ts_msec":1603816434855,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"40.112.191.60","l4_proto":"icmp","ndpi": {"proto":"ICMP.Azure","breed":"Acceptable","category":"Network"},"entropy":4.724892}
02142{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":125,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":55,"flow_packet_id":2,"flow_last_seen":1603816434858,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1294,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":1294,"pkt_l4_len":1240,"ts_msec":1603816434858,"pkt":"pJGxgjQ5PKn0qB\/sht1gAxFJBNgRQCABCwcKydWupNP+R2kegH0kAIkCAAAAAPA8kf\/+aaRUr3wRUgTYu\/LHCgoKCgi+3m+0woW7wAAARL7GquBTGstjJfkM0HNCxgIAREBilxluQhOJlSo3RAJ3sT9YPO\/sQIsdu3\/IepBfUNrpFqupXs61nKnqxJbpzxm4pP4Uet+yqKBfL+M5sZl9PAH7Jj\/GqWj5hATKgnFlarPfqBSj9ebDuM9wxcuFyTqW04DSxk68M1O0uEKdC3hX6Nasxll7WkuCJBNdHdhbRwkrTxC93fxA7Bo+1ttTS+SluGuitxn3q\/f1rhqU3Rtof6iLtaCMP0POUaELPjXeochFM+KP8w+TYjbP1UR+98l3xiMRsa7Boz\/Qn6\/B9lV05gqwE+V+ndrFgiC6SU2W1mGV5dAwfiTvH0i+sGYWDheOhTxFh6v8dwHFK7yfV+qBRnmZIuILrC0ZVc8DVJxRZ00C\/VbecBGOpvKklKxAhnnr4FaiLAx4of\/xkA7t65SFTPGeySaODDta0iajRz3Okg02VlMpJCp4MYtxYVLkYQJvT4qBY\/Q3SYLhujBzrXGbyPfARPZmwKI+Y09++2g8fVjcnUT7cUy2MYcUv3gS8YX693nsVG9GuYuD1Tpc8V\/QW\/ws803NpuGE0fKAOcl7K0x276q2yxhP4KOxhUYk5nzfMGdKYR8tOed7SIHx6I89XxqDLNj\/yeFLjKcS4vphg1MO3ZXRhQu5dGqvsBgmNLF0BLZQE2exAkHM5YlM2d+2Cf5jNJkQmQN96lH4hYOcq+3cMuM0nA85Rh1rVe7urpKa+zhkSNys+oQxwrcKrhB1E8ov6Ir8fjnl9I+CB2E1uCIrXxRxtwOS4nAygc4OHQ9E8aOsj2\/w2X7PRaEwVsM1LrOKeZdUF3LQvTK2DdFbDcrW178BHsEuvh0b\/WIkKQOYUw7iOzrs1SVYgZoQ968zdkRsGSxVafnB0RpYxFcTvGFDKuA6adIdu87Np0MEASWmobXOe+0750NQu\/52K496y+JfUKhL9v1vUZoJcxA4fRjfC7Bh08mLSoPcW2iuYUY5Qfwalz27W5Ykaj0l4a4+FKTTpRfNlIedHfrTqbsQ6rbIQr8tJ+81mqHbG9Zyr8zA2muAME8q9aJsgu+U1HLzCGfWgvZFEV2EknFvEylSdE1r8PywLZ7inFg9hamDgdP5uitPIq1K8RDkjORQoXcwTc3g4iux2RI7AaBEJ4aQ64IImqf2vmsA7Hm9gV4zbJ5GdvI+BL7kLlAKNgqCno4ViE2PY+dAn7DOvAESo8acbeQESQp7Rk3XM18OTLnXB+4WbgD8q7fXA+ECTUMkpHSzm+lB\/4uh\/yExcfDM5gQRfvC\/spXzxuIqVWl2moJyhaC686aJ4KP\/t4qLF+0UIdSblurMexwFEcHDduM5IRHawmbrUFCfEQ+n4o\/SryqiP6om0IN1nAFm1ylhTzYdhrqGwZGRimjSXQBGvHoRTYsAlUs8s7gIQ9BZOAZT5zXBTy9plxFRn0xuOTisgPDNearpDgC37gTQLBm56fc\/xKHrVFHO5kMHOj6
NVCppn2SoJ6\/fLiZL3tw3F0wrYIRE9J7EJb3sJ1aGsgL3pCgWOt7Qvk25++jdWqnsAR14C4ICoJzYNOJ6kjejpAxjuQX8JcLxcnqs2SWXAF1o2jEryGZfGoV3+v\/u2H1\/3a+NF9jJ5g=="}
00521{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":126,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":23,"flow_packet_id":3,"flow_last_seen":1603816434861,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":97,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":97,"pkt_l4_len":43,"ts_msec":1603816434861,"pkt":"PKn0qB\/spJGxgjQ5ht1gCRGvACsRNCQAiQIAAAAA8DyR\/\/5ppFQgAQsHCsnVrqTT\/kdpHoB9EVHblQArGxDIAAAAAAAI\/VKHHlPIokDaehpK\/wAAHf8AAB7\/AAAf\/wAAIA=="}
00466{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":127,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":26,"flow_packet_id":3,"flow_last_seen":1603816434871,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":61,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":61,"pkt_l4_len":27,"ts_msec":1603816434871,"pkt":"PKn0qB\/spJGxgjQ5CABFAAAvPS1AACoRkCmM4zRcwKgBgAG7k5gAGycshAAAAAAACPBGL7QnI4n3\/wAAHQ=="}
@@ -278,7 +278,7 @@
02138{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":130,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":58,"flow_packet_id":2,"flow_last_seen":1603816434880,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1294,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":1294,"pkt_l4_len":1240,"ts_msec":1603816434880,"pkt":"pJGxgjQ5PKn0qB\/sht1gAgKbBNgRQCABCwcKydWupNP+R2kegH0mBkcAABAAAAAAAABoFggmo4ERUgTY5TrBCgoKCghziEmCXfFrHwAARL5LtYR3ejPf\/p3z4CC05PowI2I8\/yhShfm5nPX+w2RMm09Epp7xl+kBRRhqGjOWMvDuvKtjnCZP4h43yInAnyoQy6CqAqM2X0CJjYqFRLzhwJbIqw2DVbxOowFB4MPGm0ZSauJhv35hdaMdrkpEWiZjZxAcIt9QXdAe3ei5ci4QFJrTlck2vWOijZIoEgmR7v8f3b2ShmI6CdJBBEhbx7x+xdhmvF7QyLqpOKHrLTEfG+pOv4\/x0hdm8B4rKN9lYhLlGSoGddMbooBzzRUA7p16+7rbjImGPkS1MotpttG8+odH6+SDLBY+X3GstYZ1FO\/bzamHEZxYZMgP1ghrma\/s7dEMtCivJ8V9DDtANnntchI6kgniK9bzzOeDCsdM9ITRIlN2z\/Af3okU9roB71yq\/9DX\/TdkJvaU2WO+UeMMmr8r9mAF+UKfPefAvtmM4XpTI7S0sOggW9+ylbRk868BabyiGaalY7v6ElyxYQX5Lm+7f22jDAR\/1Rxw+pqMGJoYSAUT0vcKEq7ImLo5wdD1HbPPsQSmOUj6sUs4CO\/fnKY8anJpGjgDy0aXUYk8jHpkks0Ogglg+nRuCH++j5UW1f7ZAEpNa9vxdlT60Esd66TkVHOw+4sOrTBkOSin7f9JufqnL0\/oha9fVnFNoEifDQokis3kLSU3qOhha5NehjGyqXC4mPnsRXhV1FSJLx2VGefOAKopFDtlBUj77lmzpE4bT3pVw7XDcnU98fJgVGUI0JycRmnYXeBdfKKKe\/C3yD3TJtdWJpUxFWlLU5JBLw1DK7Jaeoa2CHR+Mm+Uos1NDX1p\/Tae7YJ3QTohWBSmBEM8sQU24dwTVN4u9NduhdNUw4abqXZHWWatpGkhOGi+ztCmJQyFuKmz76ia0aYCpdIQEteOm4a+0nCcqQW98i\/PWMOzXN5N4iJBlj7Z1kEIRjKqOh15d3MSiivlm0kY3uvwpzNG6z\/mG64H\/Ch0ZjLDFL0Lh7Mq4u7sR0TzJNJGk7sVaiEPpK8iv5ewweeTFC5Rl0GpKG2cTtrRDh3Jlv0fDheeAqwjrpXOD7ekCHhXvPoBEqPIW59s0aKn33+\/B+x4kneJZP\/w76GqJhpArO5oYmd2nyPv2SM++J5j4el8Gz8DMsGeqEBtxHDWRjkM1rYAvTzN5xb8x5DuFADLFqHlRDraOgEM0xdsEf3hQUK7mhuUCaQGZBsNRdHnNvZL2CgICOnYLx\/yP6eBn+tj4fdyypHuoUxCV0l91OyAz1zzMppQmM\/MZw4IjgKddLGGzkfD9eH5L2StADzoe\/+tl+Vy4q2cConEMFDs6PaRjEIki+cwlbYxOX5IGAOH+nU45b+AhHH3CTnzqcfB1hVJ27u+6GOUu8zMsLgjDTrc3Bi318\/NgqlATYv79utqKeVxozT3TLQMpSZijN7B8+4KqJeZKEmn2cSaCzlZY7LsE5mGMSEER6hyX0D9p3bjlWs1ZL9V6nrr
fHoSzPveONxywVsTghmtxCvne0EGPCkAlJjIUsDS0C0WhRU05kFBDzqpkLuoJAtfN6wRz1A7m00svwCrcx6jydEIcQPaUg5llHIZhpOg+oB895RjVpCjMpMpvctTtfDIJJw1H3cf+g=="}
00539{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":131,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":75,"flow_packets_processed":1,"flow_first_seen":1603816434886,"flow_last_seen":1603816434886,"flow_idle_time":120000,"flow_min_l4_payload_len":556,"flow_max_l4_payload_len":556,"flow_tot_l4_payload_len":556,"flow_avg_l4_payload_len":556,"midstream":0,"ts_msec":1603816434886,"l3_proto":"ip4","src_ip":"133.242.206.244","dst_ip":"192.168.1.128","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3}
01185{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":131,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":75,"flow_packet_id":1,"flow_last_seen":1603816434886,"flow_idle_time":120000,"pkt_oversize":false,"pkt_caplen":590,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":590,"pkt_l4_len":556,"ts_msec":1603816434886,"pkt":"PKn0qB\/spJGxgjQ5CABFAAJAYQkAAC0BE6WF8s70wKgBgAMDPAcAAAAARQAFAILLQAApEbMSwKgBgIXyzvS\/\/xFRBOzO1McKCgoKCBW0hlcD4wtQAABE0o5ETsyCKfAiv3GjrhWWAHytWjhKjuCcE8PQ+8\/rlGyAU8f1x+Mk3FCdRieZy\/gIKc\/JJBqsu6Id+Y5I6UUEss09jcswdjUwYmczoGMjYqPo0TgEgq07LxXN2ezzpPgN8+p4f8xWtCxwb8JafjHIFjRWKZy5A\/ktd7oDLtros16gjzk4ANxurCLBEjXn1mc4A1OkxNBYnuq2VBy6bBpOv61yDRD8YC\/\/cKt+DeKlIab2wioxKuuqTJaa6bcvjsxaGxss1fmXynI35PYXkvPyrb+OmmsPeoZV51Hz2RzGwPglrJrYbrEQT\/ivLiFpZ023Tc\/UX5\/6yEdVpklz8RpLexVa6Bn2z1jbV1c+PvjbnEyP4B3XT1q2R1U8Zg+Hg2foBKQpPal7OLyEEZLoYQ0+yrbDuTkJcdCxkssUJpGttMtaDpOYAt3rqklkL5jPHrEd1C+FSNb\/c7TK\/C4zJ9DojLveQhKMASAjgDcBaayNHzmzBxrLpcHuZ77JWq9eQca55sxDzWYh2vyNpayRp3s936eLgTzDYJED3HFsEu7Un7VVKrpKCJGjDAw7oK0mEPfQD9p25UX36n9yQOALJibj1tF+6rPwcqd1enHsqJO2F24HI5WHL0GiGGP5cRaXpNzZ+ijbLCxtX7NKJN8+IHswHT8wg8Yb1lU="}
-00613{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":131,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":75,"flow_packets_processed":1,"flow_first_seen":1603816434886,"flow_last_seen":1603816434886,"flow_idle_time":120000,"flow_min_l4_payload_len":556,"flow_max_l4_payload_len":556,"flow_tot_l4_payload_len":556,"flow_avg_l4_payload_len":556,"midstream":0,"ts_msec":1603816434886,"l3_proto":"ip4","src_ip":"133.242.206.244","dst_ip":"192.168.1.128","l4_proto":"icmp","ndpi": {"flow_risk": {"35":"Suspicious entropy"},"proto":"ICMP","breed":"Acceptable","category":"Network"}}
+00591{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":131,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":75,"flow_packets_processed":1,"flow_first_seen":1603816434886,"flow_last_seen":1603816434886,"flow_idle_time":120000,"flow_min_l4_payload_len":556,"flow_max_l4_payload_len":556,"flow_tot_l4_payload_len":556,"flow_avg_l4_payload_len":556,"midstream":0,"ts_msec":1603816434886,"l3_proto":"ip4","src_ip":"133.242.206.244","dst_ip":"192.168.1.128","l4_proto":"icmp","ndpi": {"proto":"ICMP","breed":"Acceptable","category":"Network"},"entropy":7.612374}
00474{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":132,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":31,"flow_packet_id":3,"flow_last_seen":1603816434890,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":69,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":69,"pkt_l4_len":35,"ts_msec":1603816434890,"pkt":"PKn0qB\/spJGxgjQ5CABFAAA3dApAADIRazjK7txcwKgBgAG7mBUAI5npkwAAAAAACEmkvxz+BSBNGio6Sv8AACD\/AAAd"}
02137{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":133,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":62,"flow_packet_id":2,"flow_last_seen":1603816434894,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1294,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1294,"pkt_l4_len":1260,"ts_msec":1603816434894,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAUAwXZAAEARa1\/AqAGAilu8k6XkEVEE7KGrwQoKCgoIR0aH1pvahxkAAETSKZaHE9N9GtJMYvv9ifpVeuysckzKOAoBynmJqbZIyXXd6Q0OaiDA1+eXkNpoukJH66d1qZWl2up+oJkJlE2iNPjRL4rTXi4tGFWkOc7OU1ijBfm7sZPOTclysKOTLlG\/wLwmM+4bmiv8t1VJI8ny49KjxXkbGme9dgA0bkSUFasSUnlJAUa50AK97fShfQXzqeK5Dg+WXkJ5xuGOQHrunpIaEPTkH8dZAQC0kgGeFDv4HG0pqkwbzV+IYkH7SmFammklwji5+p3TbOylB01wJbffLThybxWnDqogivkmpQmkVpMhBwMu\/9xKEoVlmIM6B4v9QOFFHqhSd9Fs3q++BMu\/YhweSpnGUx72yfkjBJM\/IRzi1GX4pw11eJz1\/3qBdeWldk+sRUQcox4In2qe+wuxVw2osgoNlI9YvrG4D8P\/zIyWUtdNaLtHhPMgDgiAC91NDmgmJENXcA\/RXPQYvhOdBOfaMfqQoVoSR7Q4FTIccfFsCF+5xHFnMAndfXwOCyIdbeaeIVCpMSQ3bCvvDIsU716Wq\/5J449XPD5T8+ox9fqnlN0Jxyqab0XJ72k9txuNkHNYBZFINRTioCXl6izgIEtcruHCYZt+ILtV2gUUjuR8FtecwJtSSrY5wTZrfp6mz9U9VqFe6kCmkDBYZVE9CTSh5jPIMshdFPvlPyb9jOL5Oce8EEmxF50G+MImURL0E5jw4S6VFP1JWS9s3SOl2ok90TOvvWFQkYQVIGjzaMpXtyBqGjbtpCnFbad8ojifR\/YqGipZKY7YjkWGjouJV\/EDirr0Js9ZOS2bLt0d5OKTRnFRrYMUX7KY8zvzFslodkxSsLJ9F5kbgxZelMuuAZS\/WjzvvYQWm+fu6fqiOFgxzt4cf5I3rtZr1vhb\/mlhSZdfx+5dh2+Bw05\/c+ZhZcGWQVWlIJoLVTK8wVhhxCprdVxcD8azYdyGHI2yjdhdg8y5T1SHS+wMUv3TrTEkgaPMJSS\/bG830bq4zk9YF1gPTLVzdsj3uGV0Cb2GuAxyajIFBjWG43Q+tx8KNtdSeW621EE8H3LtU5Co2FzEFLWry1aFgbJB2zQ2iUthr7o+cxvl+I9ObWsbtyiFbbosM9ubsa940D830mP6uzArtiDHR\/\/tFLOFL88JLiryCWee0dBawNwyN0l3KoWaf0+xrkvJmDrQtP2edAcztmf7vS5YtS7p+DLQu7CH9K63Utaw3a3fUEMW7mKw5KR+OTvLaDXf+fl5pRlYNEqDRWXH4I909g6Vz4OrKab3fRk6tpbyc6YOZkWMRgcj4QWKv9Jjdy\/GO0VWic\/I9O\/C9pHvyAImGRQQ3Dlm9KvoTkJ8oWVAyBE0qeiaF6eLmq95FTaIvn+MgWKZGoMFAxQpObBG41iLXc68P\/q28rKfRP2cjjT0E2a5yH6RR4ZhTZalehf32S79m5P3+jb7+Xyy8XIUQjKRHLykyRjpXm2fvzGkfd\/uvjbx1WH97nbN6TLHvxcWmIC9p8hr1ew6j
Go88bbJUcg867GJeVKG4nDMxlqcviS+1Hf8Ar25WRbo1aTF5rpBjU67mAtQodxvng7drgHRjfXYl0zhU6OqWR+vayEfq8beOLohWXa2bFgOH+TtDLfzLUWOS7634STReD98JKgMwA=="}
00507{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":134,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":65,"flow_packet_id":2,"flow_last_seen":1603816434897,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":89,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":89,"pkt_l4_len":35,"ts_msec":1603816434897,"pkt":"PKn0qB\/spJGxgjQ5ht1gCwDeACMRMCABSAB4FwEBvnZO\/\/4EYx0gAQsHCsnVrqTT\/kdpHoB9EVHPlAAjX2HlAAAAAAAIQNHw6Rif2eH\/AAAd\/wAAGxoqOko="}
@@ -298,7 +298,7 @@
00588{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":150,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":67,"flow_packet_id":3,"flow_last_seen":1603816435011,"flow_idle_time":120000,"pkt_oversize":false,"pkt_caplen":145,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":145,"pkt_l4_len":91,"ts_msec":1603816435011,"pkt":"pJGxgjQ5PKn0qB\/sht1gCTD0AFs6QCABCwcKydWupNP+R2kegH0kAIkCAAAAAPA8kf\/+aaRUAQQRVgAAAABgCRGvACsRNCQAiQIAAAAA8DyR\/\/5ppFQgAQsHCsnVrqTT\/kdpHoB9EVHblQArPxCkAAAAAAAI\/VKHHlPIokDaehpK\/wAAHf8AAB7\/AAAf\/wAAIA=="}
00533{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":152,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":76,"flow_packets_processed":1,"flow_first_seen":1603816435020,"flow_last_seen":1603816435020,"flow_idle_time":120000,"flow_min_l4_payload_len":55,"flow_max_l4_payload_len":55,"flow_tot_l4_payload_len":55,"flow_avg_l4_payload_len":55,"midstream":0,"ts_msec":1603816435020,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"140.227.52.92","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3}
00502{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":152,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":76,"flow_packet_id":1,"flow_last_seen":1603816435020,"flow_idle_time":120000,"pkt_oversize":false,"pkt_caplen":89,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":89,"pkt_l4_len":55,"ts_msec":1603816435020,"pkt":"pJGxgjQ5PKn0qB\/sCABFwABLWwEAAEABm4nAqAGAjOM0XAMDgJEAAAAARQAALz1HQAAqEZAPjOM0XMCoAYABu5OYABvoK8MAAAAAAAjwRi+0JyOJ9\/8AAB0="}
-00566{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":152,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":76,"flow_packets_processed":1,"flow_first_seen":1603816435020,"flow_last_seen":1603816435020,"flow_idle_time":120000,"flow_min_l4_payload_len":55,"flow_max_l4_payload_len":55,"flow_tot_l4_payload_len":55,"flow_avg_l4_payload_len":55,"midstream":0,"ts_msec":1603816435020,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"140.227.52.92","l4_proto":"icmp","ndpi": {"proto":"ICMP","breed":"Acceptable","category":"Network"}}
+00585{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":152,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":76,"flow_packets_processed":1,"flow_first_seen":1603816435020,"flow_last_seen":1603816435020,"flow_idle_time":120000,"flow_min_l4_payload_len":55,"flow_max_l4_payload_len":55,"flow_tot_l4_payload_len":55,"flow_avg_l4_payload_len":55,"midstream":0,"ts_msec":1603816435020,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"140.227.52.92","l4_proto":"icmp","ndpi": {"proto":"ICMP","breed":"Acceptable","category":"Network"},"entropy":4.659827}
02146{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":153,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":15,"flow_packet_id":3,"flow_last_seen":1603816435020,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1294,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1294,"pkt_l4_len":1260,"ts_msec":1603816435020,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAUAaXxAAEARbePAqAGAg58YxobPAbsE7CCRywoKCgoIJv2XczUh4RIAAETSbCxdVvXUX9XjSdEekuKYBaaXvtdleeAoC7w0t1zysEAi8tmmk\/irguMUfevsR+4Ix3ykT3XI5ywdd9iZ2jEEpXdKcBNTILwVo9RsE2t9EwWhoq5\/2T\/d0RKrFr8WtXqw8R81Lc9NfiQcl+03MG9MvRdcSultVc\/J1\/ZsUKnUEchEiSxzxC+Bh9AJTZqdlAjdxHnzTMm8xi3GQm6bMwAMTxvoRcjoGFuP\/jsOpyTpax0np5jI5wvAneUYSZi\/TgHF\/m8zKEHvyg7GMb3qHu7n\/RSycakCUo6vcofHTkxeQVCCRngbPUJ9tSzw1NtS2gM31yeDwbXURmAo9cCWFob2vDSUwjpS5E4Bzmlgq4msvVlsTMrZEpAhNoUHdjHy4QjtukGArqr5ysTKErAC4Awr5rI3yHlLGqm+45AjHIVXYBIC02L4V+2\/NakDwhKYWvsC8fxBwr7XFo9wng0iEMUuvvwpf3rRyeyquDhJCKiPgZqbE4vibuLP3YjbRmkwnzwoxp4JbGmV6sCYODAB+6uR9yWT2DvYh2Rb\/rOtm0wd1MTHRHgjq65\/Q9ZAV73R3b3X9eYSSjZWx+KotHN704t02EkkPjksNKXNye16bccDD5IXgwJUTDiyc6d0LRseUDRuGQDw0kuZ+ll0kG2i4WlqtUdTnp8918DucjmW2VDKzNjeIA39VHQWqziQ1ddqPEX2hN++O4sXWiPb63hxUkBl\/1utZAUStyF7eS3pGlLVhZF\/znUUZa3M+0DGGywvSBI2oj4pSimzVz7N20pvszlriqxtYYleocY\/YE3jUUemgCpo75mWgtJOBRyLbyK9A6hraxh7Olf0MRas13AcLep+ICMnSJfWbjp\/GkdnPkR\/C5xIcrNwENdzdFsACnHqaoD2O6863JhZYdMEnWVSkYIq+Qo3evifk+os89mbDYj7FZGfwtqfdt3rABEss73A7ji44N9TcuujgLAvCHsKuJvwI7zuwPeUe9hxI\/RPeoFnolmIFjlDPLJQoIkxVdnaINbjrLTY2LfZda6\/LCv8sM\/bd\/AmWDDDh73GxJl1z703OS5uL1l7MQlkB\/g4ilEAjMQXXXHecuH\/deyjep8GWLhkSiTJ4HHr+05f4SIdPiicarLt9LEk2eLRpP+UFPHooao1g8mjZx0KcuHnQr0iaMhZmOeSp7JakH1ow9hqHE6Ef3Xm3Pc4cZx4QtZl7vmWkwcxpbDzsE83GDarD6V2tKvmXQhxD9\/w2J7v63jI+9Lb+ZNkqXvr7OsDvbbvf2VuKSQhAY47DGEam5DlA7ysmY73v2mnyh5eWPe3e\/N+mJaLUlQ6UUxA2gOWmJj17O3Q2\/OSuoxzzA\/RzjfOOrzblYj\/gviQOtnjWavb6c7C2hqIBHAiEqk9l7GIM9LKnUeZw2+IvAmVQbKf1z8qvly8H0RJkDAyVeMEDY4Oueq1xKRIhCACrJcwvC8lIz\/kBgPhANKqur60SDXAg6fF5Jr+WTWixT3BBTygw1
VtL5D2yCH07\/ZeeZ6+sIIJRb0PchDdQH+b86Sz3C6rgJrYhidtZTL8xu0okPJOirpfLuxNgzMoFYlSLzK2q+LfyeGhBlFnlOErJr7Z3kyibZ8CPOcYiSJxmJmJS2Sz\/7dQIIdrxSXIOJ44rg=="}
02144{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":154,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":21,"flow_packet_id":3,"flow_last_seen":1603816435039,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1294,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1294,"pkt_l4_len":1260,"ts_msec":1603816435039,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAUA8yhAAEARtHvAqAGAwb4KYucjEVEE7IO1ygoKCgoIOPxKwZ+D2JAAAETSAJFoZu6ZFSpwLFV6hiZTR47jUS41WdtYAT8QoVp4QUvp4\/U+CeuL12NJ9cdpFoxjFRLXb9wuezWVsTtDBnS4K6pdWVx3JISdo3Hg9vv92iLBGx7WrsJk8BaLLe6\/TF070AyV1Am4wkvBptaERGAsXat9fICiw6sSNnyvyu93exRK\/WX8w2qBN3X80dpruqcJopZrcUilx+uGC2JbRmdaNpZMRkMnsHk4XDu1V7Wg8y9sWoBeIG9441s8diFExDZt4WiDaMPjLPVeMxlkIETAYSa\/9fznHkXpMruAiRTnEZLJVO4VW2kJyC2T\/rtwUwXKm2UlX0OPximAmDLyHjrHU8u9SBXihZ3\/TK3gPkBbeh1Hd2bE9vCs17C65A0yF\/nlMxY2kBJ27VhHqt7N\/7N0+8Zn60DhBQJfbHcigdpd\/vWcXEf75OaIxJhEv94WeTIUReIWIO6n\/ocDVDDnGMy0kcgICeEWpf2U+P4wPrdJqHVgSMWQTvUYq\/lMbnu92dPqw23rR+qTU39KP57+Jvj4U+YGx2M2lzuspjMBvLKyfyrInDkezDxmwzkhz+y5qWW1O3Wbz1WWRDMMAy4GEDYMb1V\/xm61xcdQ62aMVFlALOuOpP0XG1C3j+dpuiXJ9kBfmUu3LcFycS3OjZBWxIQUSY3XFSFAcWcfwra48dy4adZPOj\/MUhkOLAVo9b9a+u8QJGm2zUtGf0kOx38ovk3lYOgaRipnJJ8vIMpATkHsxVRic9I0ZXJm+7AksCq8+kySEpW30YMDc6Jvho49GTnYB1iPF2TX90GuBzh1scv+c9uZhwrrkogtGQ3Qt5xiXI60JrZl4XgyA0FplaIOMYo5wvqra+HlEE12scYeFIAQSc3ZxvupvTqfsQH6z\/DgfiLpTnpXwLa1Pz\/9ARjFmrUfeQvWaao9eaNGSFn3UIEcAn1xIrUyX1hYZ6EKNi6qxeZf9ctMY0c+JumI\/GtULEmSigyQc8+WbI8IUqAVlJ2zJ0nbUbm6LKMofaMEpMiO8YpYpQjDW5dFxxPU2uBU1vcH7lahoVNuemf8xMu7DZqCSU92E3Y5PlWTglaqh\/jgo9RVX0QrYcdEpKAmTVtZsIDnLJ+3SggsqfbnkzPPt8WEGWQmNz01mr7bumpTElcwOlViD4GPvM4CQvp2ezVbZ6eP\/zVVPtU\/bCxT6kinVV9rNAyyZRxreGD\/x5Mc6bN5F9hHR5xGF4p0n\/5lmjx4gt3BJ\/w++a2bLQnj4xjEl\/3Fozvh2FpsmnYILiPnM6i4CU55SR\/IYGdfUTOO1doGd6X\/97bGc9vuZ+WA0B1iVa+7QOAcxpH\/5Rk+Nn3By3H\/i1Q1+XPqqFgEyws790btPgdFBw4xqEtGo\/lV6YpV1k1K+m76nKndTDHLzG2YJI2ovBFLisi0H3M8d9I75aHm5e60aRxcLNmvpI6uSvNIwZrSbQPpvAFwrELol+TYcfoxxSv1QMUvnyivF5plThE0Fdi9HbNhQAResG9
lukYZa7mrNE6qt3aZie11IkkPcja0jFnDOa5N6UjV08KKgq1ZzH8REIr0BMV\/+jPNhrM1jSTHSEUa9qVjYZLfgSxYOqQC1o5BgNouaXjKG3zuONi0oZHIlg6j5CLLwKe06jZw22kviYW5hw=="}
00518{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":156,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":71,"flow_packet_id":3,"flow_last_seen":1603816435041,"flow_idle_time":120000,"pkt_oversize":false,"pkt_caplen":97,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":97,"pkt_l4_len":63,"ts_msec":1603816435041,"pkt":"pJGxgjQ5PKn0qB\/sCABFwABTFFcAAEAB\/B\/AqAGAyu7cXAMDZqUAAAAARQAAN3QfQAAyEWsjyu7cXMCoAYABu5gVACN26bYAAAAAAAhJpL8c\/gUgTRoqOkr\/AAAg\/wAAHQ=="}
@@ -306,7 +306,7 @@
02133{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":158,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_last_seen":1603816435051,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1294,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1294,"pkt_l4_len":1260,"ts_msec":1603816435051,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAUAz4xAAEARMsXAqAGAR8opqZMLAbsE7N+ZywoKCgoINqH1Vk80LhQAAETSdqS36solf0Ab89L7mqA3Knug2T7B6DNFvbmqzYYg7z8pTTq0Acup1slaLWQfLYK6ZHGXLXoy9HCapsVbyKs+4a1Ck5zAaPGtgxmdvlM5jE9K8xDI+on5isunAh7mHsuADTtBlKqnX\/EdGgDTjwUBKX46Tt9DO9QZhGB3nGqV\/4+z\/cIiBacZdrs1gyf5IWqMQ3oDHqXJMeDX\/++QivGdBpDuXXizfMmRavNz8fW7QWvk6g9YaCWouxFjTNs9qBheHmJegvBMQMISMd+bAf7u9XAQBW1fBTXZGlT1mAB4LgPrF27DGaddpSouN0qjNSZD03\/hGYU\/2RRvg84jVp0fHK8tqy2THjuWOEa+iQ9\/qlgsJzi5h6Vh1ME\/X9i+2L5Bp8ojkt426bcWcAMxXpthJW2tG5udZ2L7Udjw9zGWa95H29sfm\/538Vtplx74Y\/AibU0ZtGAE1TEsR0vTJTOg3\/0hUC80O6GjBxCFlGcVchV4DXXhg96S8ATeFevkfJuFHnEbdUcFwPQqLR+jUU27ymEJyXaeSdDSySAbUk0nV+leFF3RmsQ62UW86Q9WYjHGZrKenYBvDzgAtd27Vn07hkik6vRUH0PMss0AdBwjyT7afqzqv5WXWRCif\/XewgmwX36ksD2rOPy3kOHOCjdzVZaGpjoEOOK86cfkHLtihgkVDTNY3zeOt7lDQ2EtxRpV76bigIBOAEg5e3BqotdiIrkbhHIRCxozC6w9pIrkvSvHjksIBtO8HemVJYKBGzhKaWimQMO4siHxOUq2QXQ4U1OBspI4ydIgdYoDaDTCZynOSfpEwiChaMhdDLcLsu5ngDxCDmEEajrY3PusoHFvRpNBdSjyfiE\/UWagHyysadBim+eKPfgmHyilmyKNRJ5aw025iSrl0Q1599BxNOxEPmI1kYw39ecbDRrL5lFQSMpn8HiwrtrnkWg3IXWHhsCBoG0vRIl20WV3gO+FHJ6++i8vHoXUGQnpdOdAuss5MvZE2M9d0jMzQNvvBq+MmkRPz5UnGp00Q89A1ufKVFGJoAOpmfYIvxgFYxNH6W0j2Vm+oTEKDU3aR8AQg07jvkeuTahluUPzCrGmFw14ItB\/Kl8Z0JaWbwm2VrGsxteZrA3roR0x\/kxU6N0akKmKYfmm9pyIFFCwiVhssB8IQ62gL1rrZIXAwyNKALuAGIC\/d5RetkG9nNKJya+s2qmBbXlY5Pf01aVBKM9Jyd+XaF4Lk7jO8nN5LZEWUdBlGCjFxjADKipmMRIZLESfFVJegQUNhQ\/8036Zyn4M5+OX+0fBMJyjkeibCTM3Pw+KV8sBL\/xuuTbUP1SqKfXdHQap9Ww8mYIgQHmeltn+Zjt7oGPaAKjXZ4VkGPWJu0I8T0zYj2M7kI9yFDmw8mEyIiLzu7VzoP92FnEDtP9rkp2oBOYrDuhUTxi35o780+zMlWh2IZTdSb2LghZV4iYsKZOta0R2SUvWLZJL5hCHm7jxBhaOn7bLJGCkuqmGfdLSYUStyx
4S0ViJ87T6ox3TfRgepJG1F9HKRehFBbTsgre67w1IU2IbBXiBVnuV0pUBNjh+EMYJy2P809zlBsTvn5cjDYEFw2SwcAk+rbi37vohWbrHT6ygZDeA\/bKoYH8le3bSC1n35Q=="}
00534{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":160,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":77,"flow_packets_processed":1,"flow_first_seen":1603816435054,"flow_last_seen":1603816435054,"flow_idle_time":120000,"flow_min_l4_payload_len":79,"flow_max_l4_payload_len":79,"flow_tot_l4_payload_len":79,"flow_avg_l4_payload_len":79,"midstream":0,"ts_msec":1603816435054,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"138.91.188.147","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3}
00541{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":160,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":77,"flow_packet_id":1,"flow_last_seen":1603816435054,"flow_idle_time":120000,"pkt_oversize":false,"pkt_caplen":113,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":113,"pkt_l4_len":79,"ts_msec":1603816435054,"pkt":"pJGxgjQ5PKn0qB\/sCABFwABjzKMAAEABpB\/AqAGAilu8kwMDBlkAAAAARQAARytRQABhEeU9ilu8k8CoAYABu5wnADNhmZkAAAAAAAiHJ9p\/0RPk4iq6Cpr\/AAAf\/wAAHv8AAB3\/AAAc\/wAAG6vNAAA="}
-00567{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":160,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":77,"flow_packets_processed":1,"flow_first_seen":1603816435054,"flow_last_seen":1603816435054,"flow_idle_time":120000,"flow_min_l4_payload_len":79,"flow_max_l4_payload_len":79,"flow_tot_l4_payload_len":79,"flow_avg_l4_payload_len":79,"midstream":0,"ts_msec":1603816435054,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"138.91.188.147","l4_proto":"icmp","ndpi": {"proto":"ICMP","breed":"Acceptable","category":"Network"}}
+00592{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":160,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":77,"flow_packets_processed":1,"flow_first_seen":1603816435054,"flow_last_seen":1603816435054,"flow_idle_time":120000,"flow_min_l4_payload_len":79,"flow_max_l4_payload_len":79,"flow_tot_l4_payload_len":79,"flow_avg_l4_payload_len":79,"midstream":0,"ts_msec":1603816435054,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"138.91.188.147","l4_proto":"icmp","ndpi": {"proto":"ICMP.Azure","breed":"Acceptable","category":"Network"},"entropy":4.574416}
02142{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":161,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":28,"flow_packet_id":3,"flow_last_seen":1603816435056,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1294,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1294,"pkt_l4_len":1260,"ts_msec":1603816435056,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAUAc4dAAEARNB3AqAGAwb4KYsH6AbsE7A4LwwoKCgoIc5O0PcfI+J8AAETSnZB+xnJM99G6Q\/d9C\/zr5HEpnMUU7Uzl9o7F2pHUvXWF+eaOuaXbUguGfkZr+UO4fDDpGMWJcW2gnjW72fFjlNMGDKKI9\/ZP9ZA1glgIGegXlGJSdli+Pp3huWgJxIGmZ490OQ994a7wYqGxVMGut5Y1hSQaO3gco7MbMkOvEf\/zmFMM5C+p0r6Mf56a6dXkQNko+KNVhEVyOb1xVZLV8dOQDUIMTC0htSAUobZKs97CfcDzDPPUpx\/PcpO+eLw\/ajHv2FWwYkxKsrJQ1ocjJHyrqe+hxWKy4kyL4UPz7JErk34CodfXB\/p3nDb46frKA1pzroowhV8mlBCwqe83yGT4cOuFapq9NTo6aVTsNZbTHBg4UwZwYnBBRLn83L5L+of4ilKPQ8HEBrXaasZYpxIovfK6Yfwbi0sN2bNXkEmVuN5wCUMVl8fGu5jBcUI7KRLLEjf53\/\/xq3mMzcawuEO3q6EL3aFaNvIIno6WCJjX1lEXbaM4PRCpAUrWfCMHiUCH\/Io+Reu15cxq0AT0qV74OXhW86vje6EMtCVAa+31o8p+ZQVtJ1AMaK5vgnH5LHeUyVh0qKz5d8yObZUd7eC+njbvfeZ5t1e0oNK1crwEMQTVFpsYtTOgdfdB\/JnxT4xT\/8i2sOxpM+28SzbigiYX1q+WR9EwkpjG9p1wCKCl8jVBD81w2dy9joY7xNP89qHwRdynXs6e5MwTopsl4SXhAX8B8bOF7D9Trj4rSlbRxnkP2D5V199qnEcDDEBWR1cRsDjxYrcxMwfq\/NQzaomVM3ViVIcsT8wMglmbEBBibmKpkRhde7fpAhsJTZzjVLn9sNkWn3gNA5gnbI2\/41Yh7uvaQFr2kvoweDYwO+IHudabhPWRAoNxB\/X0D1KbbI4e71mqpjmuN+HYs0UMRCTfyULKGQxS34qZIBhyOSawbPZEw+dEeqnEucUhsBAyJDz2iwOsZWWwahG1kOoU718TPlTkQpKyAhW83lMggSLcqimihHKzzRPeE0cvIkOWKQOhpd+3aHaW1vhops4TflBneiQU8bQjDFsr\/Yh6rHawrbxFhTwoDaKDgt1dTJLtWfMm4nDBjLOHUR8Hyun\/mJ2x7kp6pN+DLiU6h7JouKk6bFh75K8LTHFjX\/UgLXrwixIXOexQMztXJDdoT7yIeAfzHpKlUwOahfD6P92QgkmJXXOa9AyjbZezdHabm+yR9Yys6maB\/OvBV\/jlaaagSgXExVBNQNha4UMQKGNN65dVay1IJFQGMpvaQdAqM41pX96CvdgDGDs\/rrP4Xk0ClJ\/iZ1ZbRfLc7gjLfSgcv9W+so2+4pUA4sqnUYgoN7tf5qZbnqFf6L2zHRx0BMeAbtAAq\/CqlXvXwaohL24I41eQ4xhnQcPP28J6E5HLQOnmpc3LsiG3g6TqW8lO0WBALmzZ2CQFEdbgvbvwIjVgLNckIpFG59LvtmPBsLhhgFF0UC1ThTD+ZF6iqyMB8np7zis8SE9aE96yPG8H
MIN6d7vYLJO0TDU\/+d2Wf\/dzagvinlS1HdXnDZu4tfk7UuCAwp3RUlUa5NN00siR8iyopK9U++zwaWfLfS0Xb\/oKkEejTM0UU4HKWmdoIuZ6NQCdx0YvJPt6Dt\/vX4NGMTUgxkvrww=="}
01179{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":162,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":75,"flow_packet_id":2,"flow_last_seen":1603816435065,"flow_idle_time":120000,"pkt_oversize":false,"pkt_caplen":590,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":590,"pkt_l4_len":556,"ts_msec":1603816435065,"pkt":"PKn0qB\/spJGxgjQ5CABFAAJAYSwAAC0BE4KF8s70wKgBgAMDwBYAAAAARQAFAKWpQAApEZA0wKgBgIXyzvS\/\/xFRBOzjecYKCgoKCBW0hlcD4wtQAABE0gep5OwUGdJ+jrUTIH6kTCr9JphdmQnCaToectAP7aBZTs9X8+aQRg9WKkeK+Ntyt2y42T7VPMxHRqyJ5HDVUu2fWV2vSo0hZDumZAjPm4I65T0mHoFoK\/pX\/EnopPzgGvvZuBfkigt59xWJwoYHLoI7bXGm7cXEBvVFJlEQqzu3imR4pja4qGK9+vi3bgpzbfSzXf8weoD0Ho+fZ9R9jyIm5moFv3zOumlbFWke81R1Aoh\/0JO9F8EXkFDakHbUitaN8eX6B31ywNw+ZFxklbFpItKJamccTeBUALuf72ycqZenJmSPThvZhGlbD93EDeVeg3MjMMBavds8nTQYd3lIBDzfTrgqANUQmkRdjGNGUa1IuGtDRg4i1AlfhuEpS84s\/cTich4Bs4yzwBOAQnkYf7+vsBGfJoCsiw9RAFQ1d8zd9CSejNDHt4TRxBG3t1aIEVWdCVegj2EiqM36pkSGtTju0y26akceptMlPxw20L10Fbxj6kxEiHgzfTlrfoUcNB934Q\/9I1klF3k+c8ytEHHEmLPTjLesXLdhLK4WATtWjwEw6MmmQL88EzVrfBKP10JLTX+Y7QQZZLW0AaOu5+MsiKOa8YMj1iaULkTtvezuzGreBdWFm07U7YZFiEk+V5S0A0fbI1iUGaC661T7jhjWhoA="}
02140{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":163,"source":"quic_interop_V.pcapng","alias":"nDPId-test","flow_id":9,"flow_packet_id":3,"flow_last_seen":1603816435066,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1294,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1294,"pkt_l4_len":1260,"ts_msec":1603816435066,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAUA8\/FAAEARmCbAqAGAKHC\/PLT+AbsE7HrXzQoKCgoIe34skUb\/aLsAAETSUIiosGlnvHa9VGYZsanz+OcH+cwMI1OyqJpSTiwVQp+pa+cvLnk1xD7FfTSPB2faQWqeHBrGeNaD3gkVu0FBsDhFoTBRjosivdt5dwn45DbUuP5JDC0BNFXM4yPV7yi7BqWs75UJ+Q7KyBO4BN7k1hEQmMIccZKtnYEzl+0N8Xp30iV3ueG3t9oN35SwoeGAUiNlBZHm8HoNHKcd8ut9W5RlyOJBamRYSa+q\/NenUQjXReci8aoFL8lhUGZQUYZrJf40QjfqdgVyMGPLjRBrHF+0Kvj8Fm2WKormrrbrBvavmVB8KzYAvISrb5k4niPPXbr3IsCny3Jr5TywG14X7pbloF7xlHn\/Rl4pScJYl7yD+\/2UQCUKTE97RHXFKlk6CJ+nHmYtG+a5BHvkiTFYeJeuic2aD+p4RF69LgDDmYGr2alCr\/w24WxxX8loeDDJWAWkJuEwcdx11+cKHyubf48rrsCtck0nq2DuituNd90Apvp8HcHP40cSwTQN\/oojKXG3CNUg38I7O0p8fR6kmHVpwSXRBVL0oekKhNPM5kYqERxvtkmx9GvOTyVLelfPP64EfIaKbUydK1ATXQ+7nmw5BrUB8VjOTfNgfwt2t66YWBfxrsUwU+DdwpTOT5+WRwEmkgU5G6fJpszv3yoilIwni6iEXCyfPCOpyihvbPC0BPK3XpBX6Y8d8RcPMrafwvoLwiPNRxCgXzGdR0\/hyon\/WNaIDGHLEGOrU1gr0hal\/jrbIQreO5G7yo7h15uz3ZIF\/sS9FlwwWTXKi36FAXJeBVg0QXYzFdRWnhUmhCFt7Mta\/VFMiJ+ZbhxURK5com6xbD5RfTL\/9RibE\/biWcJaCFDGyq5YEp2+VDCUMaOqSMigscCSJFFFObsnLGD3FAZeckMvLZ8fc2KUlz+kDKt\/ikaQLfAHvyztHNNztILLKn623l4lhOxXFST1xyri+YLWT3uxRFtcYcjCHEF99vD6CDTIXLzEiCijLxDl+65ahUBaQNOOZSAxFNMjbHRi9XO5Snu7ls1g8XNQUuEZFzBMHxdHpED2paFJn2A5S+pqp7ml3xnwi68Nb7CGYIrg3aesFoLzWHqIQqheFs6syggOhlIJUeLrwYAdsLPWy3b9mt9i6Qmsc5Kz6859tpYkmkfs\/baXdjmFWtnuU7iEuEqgGVX9fti1jXghXS0mcuLs+bG2EJJqNZJFfP1U0VL7GdUrm7hCh1QJ39U2fX4iIBCOPwmTDo5NcoMJg9F5iPivGwtz4\/Ih2Fb1G6MAlrmLeistW0eZusOEY57jXWxR2VOcSF\/Zxl+LhyX2\/sO4ltfnzWQzMTLTOudIzAAsMehM\/pT\/Hu1UL6tKispaPB81EZzAFEkUlji88WHGktqXIfDU6NtboaEs0tF4b56t532tn4DkgEI9M61NMhSqPtRc\/PweuB8UtB0uV6HsE38TaKMm+9Chaz4071J0iufrEozD1o2SGjMaIP6GebSpHQGBGZPi4Jn7GFZn4aYqr
esPzqhYKV5ZMH6l8yx\/habmjJAMSlTLPPCog4a8qeRAicout4RVWft8\/2HKbxAt9\/b4W2QeswYpDEA2skmYp+ixPjWtoTGESKdglj3uRL2tFj8ehd+tOD4epIaWNe+3wtW0JIQvow=="}
@@ -405,9 +405,9 @@
~~ total active/idle flows...: 77/77
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 2401706 bytes
-~~ total memory freed........: 2401706 bytes
-~~ total allocations/frees...: 36568/36568
+~~ total memory allocated....: 5031797 bytes
+~~ total memory freed........: 5031797 bytes
+~~ total allocations/frees...: 100764/100764
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 172 chars
~~ json string max len.......: 2158 chars
diff --git a/test/results/quic_q39.pcap.out b/test/results/quic_q39.pcap.out
index 3de4b7b84..993031bb8 100644
--- a/test/results/quic_q39.pcap.out
+++ b/test/results/quic_q39.pcap.out
@@ -14,9 +14,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1929910 bytes
-~~ total memory freed........: 1929910 bytes
-~~ total allocations/frees...: 35399/35399
+~~ total memory allocated....: 4592225 bytes
+~~ total memory freed........: 4592225 bytes
+~~ total allocations/frees...: 99595/99595
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 161 chars
~~ json string max len.......: 2240 chars
diff --git a/test/results/quic_q43.pcap.out b/test/results/quic_q43.pcap.out
index a9e1ab556..a66e79c1c 100644
--- a/test/results/quic_q43.pcap.out
+++ b/test/results/quic_q43.pcap.out
@@ -13,9 +13,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1928182 bytes
-~~ total memory freed........: 1928182 bytes
-~~ total allocations/frees...: 35340/35340
+~~ total memory allocated....: 4590497 bytes
+~~ total memory freed........: 4590497 bytes
+~~ total allocations/frees...: 99536/99536
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 160 chars
~~ json string max len.......: 2240 chars
diff --git a/test/results/quic_q46.pcap.out b/test/results/quic_q46.pcap.out
index 3070fb795..5f0edad61 100644
--- a/test/results/quic_q46.pcap.out
+++ b/test/results/quic_q46.pcap.out
@@ -1,7 +1,7 @@
00442{"daemon_event_id":1,"daemon_event_name":"init","thread_id":0,"packet_id":0,"source":"quic_q46.pcap","alias":"nDPId-test","max-flows-per-thread":2048,"max-idle-flows-per-thread":256,"tick-resolution":1000,"reader-thread-count":1,"flow-scan-interval":10000,"generic-max-idle-time":600000,"icmp-max-idle-time":120000,"udp-max-idle-time":180000,"tcp-max-idle-time":7560000,"max-packets-per-flow-to-send":3,"max-packets-per-flow-to-process":255}
00562{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1,"source":"quic_q46.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1559632338055,"flow_last_seen":1559632338055,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1559632338055,"l3_proto":"ip4","src_ip":"172.29.42.236","dst_ip":"153.20.183.203","src_port":38292,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
02240{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"quic_q46.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_last_seen":1559632338055,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1559632338055,"pkt":"AAAAAAAAAAAA4JDHCABFAAVic3hAAD8RmymsHSrsmRS3y5WUAbsFTk\/Qw1EwNDZQ6s\/m5wbfJy0AAAAEYNpYkp9oOdCGDvxYpAEEAAQAQ0hMTxoAAABQQUQAtgEAAFNOSQDFAQAAU1RLAP0BAABTTk8AMQIAAFZFUgA1AgAAQ0NTAEUCAABOT05DZQIAAEFFQURpAgAAVUFJRJQCAABTQ0lEpAIAAFRDSUSoAgAAUERNRKwCAABTTUhMsAIAAElDU0y0AgAATk9OUNQCAABQVUJT9AIAAE1JRFP4AgAAU0NMU\/wCAABLRVhTAAMAAFhMQ1QIAwAAQ1NDVAgDAABDT1BUDAMAAENDUlQcAwAASVJUVCADAABDRkNXJAMAAFNGQ1coAwAALS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tcGxheS5nb29nbGUuY29tTF5QaJRKaTNoSpJ2byVw\/n2jR\/SXiDAUaxRXCyDlaH13oYGRvmmLh5UfnwV+qkP8rBLql6P0cVhpCGDXJyou7qdg+dnByWJAkTSY+CUh8yfYOYMRdIFYIeO6ZKEQGzvhOWxsGdkkbQk0joNdUTA0NgHogWCSkhrofu2AhqIVgpFc9hnRMDAwMDAwMDAg1WpdFEihkws6cxoJh1cnEudv5EFFU0dDaHJvbWUvNzQuMC4zNzI5LjE1NyBBbmRyb2lkIDguMC4wOyBCTkQtTDIxqZ2LiTEPPlI5bOtRl2sWwwAAAABYNTA5AQAAAB4AAAA+5+ExAY9KZ43WAi5gboQGad\/XZY9NgsCyvAvlen24imYZuixux5QJ4+eD6hkpSGJfDn9+XBFyJ61rFG0t2MkrZAAAAAEAAABDMjU1M\/in8FpHdkpOU1RQM\/in8FpHdkpn+K3FgBXj\/3u4AAAAAPAAAABgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}
-00719{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"quic_q46.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1559632338055,"flow_last_seen":1559632338055,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1559632338055,"l3_proto":"ip4","src_ip":"172.29.42.236","dst_ip":"153.20.183.203","src_port":38292,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC.Google","breed":"Tracker\/Ads","category":"Web"},"quic": {"client_requested_server_name":"play.google.com","user_agent":"Chrome\/74.0.3729.157 Android 8.0.0; BND-L21"}}
+00717{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"quic_q46.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1559632338055,"flow_last_seen":1559632338055,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1559632338055,"l3_proto":"ip4","src_ip":"172.29.42.236","dst_ip":"153.20.183.203","src_port":38292,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC.Google","breed":"Acceptable","category":"Web"},"quic": {"client_requested_server_name":"play.google.com","user_agent":"Chrome\/74.0.3729.157 Android 8.0.0; BND-L21"}}
00474{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"quic_q46.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_last_seen":1559632338083,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"ts_msec":1559632338083,"pkt":"AAAAAAAAAAAA4JDHCABFAABAAABAADQRHsSZFLfLrB0q7AG7lZQALNrDw1EwNDYF6s\/m5wbfJy0AAAAFbGsm7eq1vsQbMX0cQAQkIAMA"}
02250{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"quic_q46.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_last_seen":1559632338308,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1559632338308,"pkt":"AAAAAAAAAAAA4JDHCABFgAViAABAADURGCKZFLfLrB0q7AG7lZQFTiJnQAtQvT4L41LYkTDHbWnvY3Q7xNlk7lPAOJoU7qSEDNxr\/eXA5HdvGouKSa5JA+EfJXVcrF5I8JeTQOik+2bWgM1nMhrT0SQGJgoDC3vmiFQsGJJjkMZScnfQIf1wQxM8bMy1rX9IG5gNouAF2UDgTxNWxp8Z+kpanynzPm9Aewt1Q8YQSGSHVmFR2wS\/qJorTHWD8seoBDxiXr\/Jrzhp+T4G7aWy+PK4peW1lunM5ZwayH+2G6AF72mr+9NShIq31T+R\/i7G00e0d8lC08arFgrP7xbHltzNsevJw7TO7heoxYjLOdwd79cQPJBHGN6cAkZED6B76kDGTUdX1AYSpun6LhwRHlxgVuFQtfE7y\/DnLBUYzAcWntPYNYvGghUNITCLh8lnobrCJOOpgpG31oH5+kuwGIUSXbKA+01pRlfgd5gXolZKhK3pWOerj\/frjDS+2g8vClgYRT1+lV7rb2y\/Iik5yjyOhRlKWs5VLZ7VCWYVKqICcZsTvon\/NMVVMYb6HJJ32Yz2ORvo8ebpxTje4yqrxC+qapfY5RwYmEaDmI1L2w04UoqZ0dJ1NSSxDm6HXMu+ZshF6SujBNEG42mGdRf6IaSoNlxzMkSyrtk+YmufaVAWXNamgtbe+ZtSIpyI7W+63DDWITJezj4w9w00cUFEntoLNlOB+zElDxYScTOE3CpSs44g2fcVw+4rvMHfwuxPeTdHzp4MAsePKq+zngj\/90JBFE\/tDfTVYbaRpu5lmM3pDSvtX0fT5TvOH843VTAPlB2fm8MHtEMU7PIrg8lvLI5kYBqaI59yOALOtxEFcXeKMhTylktz05RjIrZg6ifgDckMo48nJYsJtSpscdyoK9zfGzj4NaovMFvwwWNIopaYds\/P+xBZkC90KYsz06jFDLqNdcZXDkHaPFJXZAxXx9set1Fg3lj6r\/AobA8N7sLKydAgxC\/rtEWCBX5wbSuX8kpFOJgGKfLdk0JYmC7zbnJyfyy+C6ukhZHN0cU81AFqszDmIIshOZAY4iWz5aWIzL1ctZtibQ5iLAcoUfb250TuivT+FGWq8x3DLfXpYTdXUgbMkK8lTQJuOYtFhD4fHRbg8qZIkwDODXwLSUcnqUn+Q2uzh8PtHzNYdam5Obh2M8GgLW8ukG2P6sOp8CokFzXYzFsiExtyxRsQxvskOlQmLevtIDnsShgWKCRO7UN+uhRGaYGLmSq2\/5t1JyMiF0cem8I\/nOK0mRwXY7N+ECcoaRDXyTKJR\/4pe4u8s4tPdTtCzoa7o8ItJAgr6FkTuYLEo2hwMyPm4hV38utdskBYyUhI6Vz27vbgYAi5nzlUMaKyr3bk72PVb2h6cE+5pbWp8t27oXh4ceZgCJ1CqxGsEI5zHMEsBX6U\/74OCgAAVZMzKh0lFrwDdkIuV+i7biu6I3DoZxr1X50m6VKkaA+qvAjpG+BPOMuRH3\/5\/vE6iwiiUVaV8HIEZpVud+gx9Rzu573VwQ87CJfVs7RmgLI88d6qzIEQAYp5JQrr2lJf1+r4xl60u3ZAa+E+ox2R3gSb
E67e9uWolVz8QS9Ep2IK7cfXKJOfNxu70MQcIVFRson71WUtcVpILsaqgb9rATvfzoNmtskVITRoIpqD+mi2ZJvPx6FmM5uP7YQiAppyWykt6puGjRFKGSfbt2gGFGLSdxE20Jo0zgDKZvUFlb4u07xu5j8JVjk7HreBYMQixh6ugURELWsT7GFnQi1VQvh64jRAmDcuARkYMw2228CWbF39WsM9a4SaEoLaEPaqo3lcdKo0+Sgn7WsqvH1w"}
00564{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":20,"source":"quic_q46.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":20,"flow_first_seen":1559632338055,"flow_last_seen":1559632338367,"flow_idle_time":180000,"flow_min_l4_payload_len":28,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":20401,"flow_avg_l4_payload_len":1020,"midstream":0,"ts_msec":1559632338367,"l3_proto":"ip4","src_ip":"172.29.42.236","dst_ip":"153.20.183.203","src_port":38292,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
@@ -14,9 +14,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1928748 bytes
-~~ total memory freed........: 1928748 bytes
-~~ total allocations/frees...: 35359/35359
+~~ total memory allocated....: 4591063 bytes
+~~ total memory freed........: 4591063 bytes
+~~ total allocations/frees...: 99555/99555
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 161 chars
~~ json string max len.......: 2255 chars
diff --git a/test/results/quic_q46_b.pcap.out b/test/results/quic_q46_b.pcap.out
index 59e085931..c90433324 100644
--- a/test/results/quic_q46_b.pcap.out
+++ b/test/results/quic_q46_b.pcap.out
@@ -14,9 +14,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1928750 bytes
-~~ total memory freed........: 1928750 bytes
-~~ total allocations/frees...: 35359/35359
+~~ total memory allocated....: 4591065 bytes
+~~ total memory freed........: 4591065 bytes
+~~ total allocations/frees...: 99555/99555
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 163 chars
~~ json string max len.......: 2336 chars
diff --git a/test/results/quic_q50.pcap.out b/test/results/quic_q50.pcap.out
index 59eb46362..099682c86 100644
--- a/test/results/quic_q50.pcap.out
+++ b/test/results/quic_q50.pcap.out
@@ -1,7 +1,7 @@
00442{"daemon_event_id":1,"daemon_event_name":"init","thread_id":0,"packet_id":0,"source":"quic_q50.pcap","alias":"nDPId-test","max-flows-per-thread":2048,"max-idle-flows-per-thread":256,"tick-resolution":1000,"reader-thread-count":1,"flow-scan-interval":10000,"generic-max-idle-time":600000,"icmp-max-idle-time":120000,"udp-max-idle-time":180000,"tcp-max-idle-time":7560000,"max-packets-per-flow-to-send":3,"max-packets-per-flow-to-process":255}
00565{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1,"source":"quic_q50.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1592388088469,"flow_last_seen":1592388088469,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1592388088469,"l3_proto":"ip4","src_ip":"248.144.129.147","dst_ip":"184.151.193.237","src_port":39203,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
02254{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"quic_q50.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_last_seen":1592388088469,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1592388088469,"pkt":"AAAAAAAAAAUAeJuECABFAAVi6fZAAD8RV+v4kIGTuJfB7ZkjAbsFTkJ3y1EwNTAI30oInk7\/XnoAAEU0Sh+G6jJaQ+WVeKqfVhwekyVcdAg3VVt4yXAoIvukSElad3ZdF7cP3aK8QwnOEdppZZL4NlS1J14QMkJkSKLH7KTs\/J1g5Qy7Td2oJivMgU4heBjsrEKX+Kl+zumCGj7r3rx\/PiGGoerDCuUYVs8\/3DPxrp05vPpL4oM6Ym20RL14LkdkclpZEotPzAVfKrp+bORIrEsOakCOFcnmRLxpaPe+skuFxQ7e+No86i++ZXUpHINRIOrrAKO6MnqhHg136TH30JRy5V1vvrx9mRvozkvzR4RrmmOWFYy9MHcYvR9ozsenVMRZ7mYRkPWmCIPXpnhEE4otBm+PYFJSnVZnoQYn2HvDgKZX+IG0tDtVasnvuIWtUyehZMOA3Auz2JN+nSjxfDEV9Q5eGeh8ZL7tXInICXQpmTBohUGs0nyUi\/EfxDhlCRPETyBYxPytgznwCOTRnGV6yUDNYNW6V2twpvbbFw15F57Y24i98N43glYYJUVqHmVwrosseQvdWLtOLEXpAKvwYCJ3nJpSVOyBYXd8okAO08VeVbydpen0iUOESN83ACwm402annjMIqbJEkKbZr1E\/bWLUE9ayryc3t4SI0rfAV3P7Bzoh+ePS0lFG2mEbR3Stl4jejVA5bbBNdQAl2XVCvlfkMcgN6wNzkaUtoY\/V5wJqcqWfzxU\/7CxIyuqjs2t5GkAirbR6GD1vSMG8A49cBdJIe0YUwOEL94vJZZ6kgFxLSzbkqIb\/JGeunCp3ImPtw51lpSKmOzgu+aiRAw0072bcZedmowvyNmMZ6ZwF9G2\/T1BzTiaxUQiuwph0MpDNq0KE8ZLx7252+rHJYkpatjHePpFvOb3XaUfP7KqMGQXysXzDurgMN+iUJmRB27gfV7BceLcaKv4JsOEla7D\/ujhuQ0U6YFyo2O4mZUs06yMlW36Jh9WkejggHA6SE58C6aM0tZVAq4PzUVmlUFs52p22qgRq5vex74TEu58hdkCQjr1pQ94XFmXqgk+AVK0nXtqdM4JYhPeaV0edHucrnphtrDalQIUwHX7zoFqP\/AzYEoeCztqDi\/kawodxc4PmEb6NM25k\/CXUeCX4uUwv5+p46bN3O1M+xvlb2rRRFG9UZ157Oh+jebOu+0rTdiK67yyDJDMe2VTvGsXi+\/G2gN2zIWwGydc\/InHPRNNQKfHhC2jggd6wv4d71pPOaI+XNe1l7JNMzHwfbkZBDlCbcSj+rryXRGPQIhCscDZiFFGrGBnyyH57ea6sGM\/d37gVVa+ukJTnovNq\/9LafSrWBaF2RrNYGE+TcplNYI0Sq5eb9DrfHpoz4HPjO4w6uwZIeHQjlw00+daMYbUpNYvzBru4JYoG4+FnfLnaJ2RX6rVgfBQIqnPe+8ho+oVfDUJnsA6e5JTlC5uDUaaRcrC0+Ji\/wYvhpr9KixWcINr\/Q6IJf8RuaNMWGUoYQRmSfJSGr9d2O1TlO6mLpi0PyY9rao+oramJEZVMS9CvaFzYMM4ekODEtI9lvm8GVMwUuw
hbqucZBCNIlAueuvDA9mFax9H3Da0FnXF80HbkF0G0pCqtWSLbDFAFtV9SICp3zwHTJ2IckUyzfK6paD68rLKFhUUBI7WeX4+s0d4Jr10hLHheThooXnr5xOHtBeSEaQFC9zlGwwIuoXzDqApq3BbVKodu6HoOITstmadm3\/MIc7\/KuaqI9NjMgaFSVmEVWOH4WbQci9HsoHbnpJWe8KeP3p1LSqGOSM6yXozbpkk0hMRvAJ\/Gnzq8KxN6H6U"}
-00722{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"quic_q50.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1592388088469,"flow_last_seen":1592388088469,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1592388088469,"l3_proto":"ip4","src_ip":"248.144.129.147","dst_ip":"184.151.193.237","src_port":39203,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC","breed":"Acceptable","category":"Web"},"quic": {"client_requested_server_name":"www.googletagmanager.com","user_agent":"Chrome\/83.0.4103.101 Android 8.0.0; LDN-L21"}}
+00737{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"quic_q50.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1592388088469,"flow_last_seen":1592388088469,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1592388088469,"l3_proto":"ip4","src_ip":"248.144.129.147","dst_ip":"184.151.193.237","src_port":39203,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC.GoogleServices","breed":"Acceptable","category":"Web"},"quic": {"client_requested_server_name":"www.googletagmanager.com","user_agent":"Chrome\/83.0.4103.101 Android 8.0.0; LDN-L21"}}
00484{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"quic_q50.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_last_seen":1592388088511,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":84,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":84,"pkt_l4_len":50,"ts_msec":1592388088511,"pkt":"AAAAAAAAABAAH2tiCABFAABGAABAADgRTf64l8Ht+JCBkwG7mSMAMgZJwVEwNTAACN9KCJ5O\/156AEAYUqG2lTe2LeIe+Cm8S2sDMjR\/1C7uy5\/p"}
02258{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"quic_q50.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_last_seen":1592388088591,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1592388088591,"pkt":"AAAAAAAAABAAH2tiCABFAAViAABAADgRSOK4l8Ht+JCBkwG7mSMFTuaIwlEwNTAACN9KCJ5O\/156AEU0EsFIWbfyiDTriLZoVpXe8mBihbaaK+GuQgLUM2k18a9drw\/KbHYn2D+KnhueaQuI4b5RnobWiDslIfKd8Mirh6o2aIs9a9qw7cUa8PBv7bzqEIAEQzk13O3\/Bmcqazsp\/+kXQrRut7wvxnShl1xW4sNpOBXqxvlB\/nqN8wg\/PWpL9O\/FPVIgCehFv30qEPc3PeeKKCKLfVTqnxPixlqgAYeET9TKamxZDJ72\/UQ6NmlBJ28\/YXsjTDsXud+7gYqA\/RkmlBMjxYZbTaJJhQMqHb0o8hdYWan65TAd6PfEjGBDGWn2GDNSSzDYoVEizxOqWERff9oCjTo1xFO9yhHRjaWZgSFmltr5w5\/Hr6eKjmrddpc4Z+wxKpPufinLcs1Intywm6Clf6ukiL4ZIaBU1Zh4teRYOLqycNHKR892rQ3DuuxVXnpFwyl0zeIkME4yZSYiRCwgQLAMZ5FSfPbweT6hIb84RvwHrX1jO2SDi8RMi1Aevd6oV+JrNOluFTTAKRyLOen4BBBYTSn14h5EAGO0Yjv6iLbKRjvUAlFcrcWVM6\/JgP5X8XCg0n0XzSdc4uh5LhvkR\/h7IvFVZq89RpXeIhO2gstbOOib2aW\/JqKDzWo1j1Ph5gagHkB6L9a5Hjd8OSrqenRM\/Y9mJweUVKkHNmEigtNsMArIaCyxyspF5no9KUYo2Kbty26OhRt50wzulToOyP4NcHmZfEkQflkdukX3pqNAt7MXd3wyob825\/JiVxf+3hjyosU4MNO3H0eUpL9ozj7HdUKWylpVr+NEYpL6oqxrmoewXJqd9\/7HqfpRoNonB9ea0mdvP5YegQRlI+fyAKUMnIwTWXpzfIN2RNvsJqvBECokakuvOOGofWVmnplR5MVVywVaMLE82YUsCGwIntd0a+EJxQgL7mKQ6dtgeQsn1wbHWS02ZvPuWP8OYrCE67jL2v1bL6\/2h+1XCxsQAztrS+QayoAW0KvlpCNW9ac0DTJNHWRO2pghx+tJZNveH28v6DEDiBrmIsxaWJtQIYwcHaS\/T1k9TL2LCukku0Taxl6+Feh7bikCsuVDfdGwZ2pRT01H4nEVENqSGeosdtxGfJ5JRhSV8U5ag1spdFlq0h3UcT8UYP6G3yr+GnTpv73QkQAN+x4OlLFujbI1BhryJRxg9c7xx4qXcEgWlOzLD1VUeIdTUw\/9wkqyS1DOLPWvJnyAWGAWLaLCSlJLekJUN7pBX8rjCfjU7xo6oWXvXMJVSzQZFernDGNc1++8ggV6oievhZKX7xQRNWnCNZClyhkVOAkRHz4B3Pu3La7QFMMFFm3BSS2brzbRyt2jJlkAxNS9aG4l00\/e6zrsSU1aVXhBuBimpONptOjBqK0HbHQLakoucHQiK+bYxbUBefBnGFTfqhmwHZxdyKtPzhH3xEm3CA5vgkPLpEOwlHEjoUbCvszlSBn0Wji8fHC4RVgQwIFqC5GXdKL2QfiRV\/OvVRBkGEKL67PAQH2qyWcGdC4moBOq1ncmuB4DI
PvYwpdxlKDGChU2pNuD6lgg74F4ueOWbMcxGtj9TFP7rZPwDq2LKcVUPI30oOBmdOZPG\/tCzNe3afxNrp9eBk\/djyjs8g0B3CLoc0Rdn7ZnCf84F4GyVSI33v4zkOEKnbfwYmbCwm+M0HtlcdG9KI8P8CfdRpGL7i2rguXb1EIkg\/EYpYXxNoWqt46R76SStqYAB32M+Hm2ZBhlK23TOEoqV6bZc6sFLkDbytR7T7rgeeKXoBeF+Tvf8o\/ifp\/T"}
00566{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":20,"source":"quic_q50.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":20,"flow_first_seen":1592388088469,"flow_last_seen":1592388088935,"flow_idle_time":180000,"flow_min_l4_payload_len":25,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":19594,"flow_avg_l4_payload_len":979,"midstream":0,"ts_msec":1592388088935,"l3_proto":"ip4","src_ip":"248.144.129.147","dst_ip":"184.151.193.237","src_port":39203,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
@@ -14,9 +14,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1934254 bytes
-~~ total memory freed........: 1934254 bytes
-~~ total allocations/frees...: 35369/35369
+~~ total memory allocated....: 4596569 bytes
+~~ total memory freed........: 4596569 bytes
+~~ total allocations/frees...: 99565/99565
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 161 chars
~~ json string max len.......: 2263 chars
diff --git a/test/results/quic_t50.pcap.out b/test/results/quic_t50.pcap.out
index 06267ae47..5905a57c4 100644
--- a/test/results/quic_t50.pcap.out
+++ b/test/results/quic_t50.pcap.out
@@ -14,9 +14,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1934041 bytes
-~~ total memory freed........: 1934041 bytes
-~~ total allocations/frees...: 35363/35363
+~~ total memory allocated....: 4596356 bytes
+~~ total memory freed........: 4596356 bytes
+~~ total allocations/frees...: 99559/99559
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 161 chars
~~ json string max len.......: 2272 chars
diff --git a/test/results/quic_t51.pcap.out b/test/results/quic_t51.pcap.out
index 9a630cc32..ba4d63bd6 100644
--- a/test/results/quic_t51.pcap.out
+++ b/test/results/quic_t51.pcap.out
@@ -1,7 +1,7 @@
00442{"daemon_event_id":1,"daemon_event_name":"init","thread_id":0,"packet_id":0,"source":"quic_t51.pcap","alias":"nDPId-test","max-flows-per-thread":2048,"max-idle-flows-per-thread":256,"tick-resolution":1000,"reader-thread-count":1,"flow-scan-interval":10000,"generic-max-idle-time":600000,"icmp-max-idle-time":120000,"udp-max-idle-time":180000,"tcp-max-idle-time":7560000,"max-packets-per-flow-to-send":3,"max-packets-per-flow-to-process":255}
00564{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1,"source":"quic_t51.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1598620434413,"flow_last_seen":1598620434413,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1598620434413,"l3_proto":"ip4","src_ip":"187.227.136.152","dst_ip":"211.247.147.90","src_port":55356,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
02253{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"quic_t51.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_last_seen":1598620434413,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1598620434413,"pkt":"AAAAAAAAAAgAH83gCABFAAViXjpAAH8R7IK744iY0\/eTWtg8AbsFTvswwVQwNTEI\/5QVtbAFhg0AAEU0lc1seKsogM0xJ2my4Aiqph+R\/2N2Tlopv6L1CTJ74mgIopdeTMsbdYmmZHP80OXizzota6YFHVZ9VeAcEZo8pgEgiYZUg70bNed022uBY2n4AIBJaoTaZc4dlK\/B4TiUFC+WiYMdxcvH3S2VlmhK+Rc2gUQHqAYLkzqvz5M6NYLldilKxcCw\/ToJ+zu5fHTAbQipFFqbD95GLa7oBCU7jPE\/wj2QE1M9Wk52+SrgbNiKCHm0Oi8\/\/aC+8QR8oPQVWsQzjkcyagMWDaycHo+Z2gh2YqGCJoepFNsqgtO8uWWNDiaisHNHQDCPrCt5EDVvLMLkZZQTcE9bxIhJucB4CNr926kRAjaB4Y5CqDAEear5TtCJ3Iu0C2bzBjoi5J9LPiwVBQYhfxtqGdX9O3nANKjdbMVqvYl742MGo2YFm2J507oPMBXLqPJW2a2j\/XlrdIcqLJLXy1ruiet2Yfof5cTaMXQp6wyOq8s2kLEeb0RqG380zHAhUvwTfCiEYvwSN8+LPb7d1HKu3JRvbfM4A2u6D3\/ccc40B8jpt6t8mVTCa92M7s8hgVfDHCvoiaTxRF07ULZWTbuRFjLXA3G\/QLzl0b2QQA3PRqMO1r4YLM9IhL+9TjIm9kskk81nFsbcqeUPPCIl5SvakooZ1Ne4vlHJM7vcPwHkRJHa+PMjtknf1D9FmcaRoK2gywFTRk2j2RKXeNNGP3fOGBMRmVstntMO9HlCQR0pqWkIJ+jw+vDqFHMVZBwco3px5tJKsYik1W4I7vDVokn8tYkCXuWkDqmw9KvnktOeNU+eoLbnbQi\/AJnaCX22\/pOnvMBDUqcAEyxhhPUDxacTTuyCy01g9D7qNJmAhz3k5MC2zTm67IILY1heZ2AuYvQwYQOss3bJtjPNa+uV1pVbQiVw6S2nvxKgtq5Z9DSuXhvsbTOp5GSq1YV0eewMUT6nB6ejScFWGv+XM50Rf10iuSgO6pXznyY29qMMOcdfxFMWk8ZhEALkKLXeqjM+FjHgPqVYhtjd0Mxa3xCi4pEnff1YF4nj78KYHZrV2zxl6ihclVVh4iHXNFGI+s63vsFXEOTBejfPsr6+VmTDJ1+o1kNk93XUE\/bQ82a18NJPdXQ6kf26Qjcc4RqnTvAmrWh\/6fmG4zIriY7A9z8t4eO9Qfr9TLO3k0B5JOVnWVTqlbOvrJgEzV95Hv0ioO0xIj5BnxrbLnlwbNfPjVGTcRNAh71gU32J8rr6rCxxCaTv4RU7KdiQ+zigC0LKK7x4OPs9n2Ka2KUPy25mrLQ\/hk5IjtzsrqqQ2MzNcZhxb0kkNCxELzOQUMbpkFnw3XGvEDCJVplyR1UqjiDFOL8\/JfuephE1oyHWeOYVwVd2Cwv2PGGx05T5JJWiwFxWUNPRdBpTvDS0w\/p4Nd\/c2GPaorYCv1rEFAbYJpF4F6I30H8WeSXKzzhCDJKK0+cDwsUjqsSRJxU4ftS+uYB0XeJmKhKFuSfMEVI0q1YpMQZE\/G2MC4zAighNsEoUwNwWYS2
545Iu3+Eegoe47B\/k8tCSheavZoHCQ6GLnzYKEdctMGvZqMVOXsPQnYlobmVfhCoHYAqTL++rI+V2XgKmzpdEDycwwsSLkVWoYU4lGAoPMP3kxasfCnUHU\/V6gkc7C3bskka9cplZd3pC0DtI8Ams8W1VIknYpHJDhbirGSRTc6oJbJQK8NbF0mBg+7QAzF7Cg20VSPH1oCq1EEodwhHlQBTHEkDIUOOWm8A2kePv2bx2BTxVuCDz2D78zh51"}
-00839{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"quic_t51.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1598620434413,"flow_last_seen":1598620434413,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1598620434413,"l3_proto":"ip4","src_ip":"187.227.136.152","dst_ip":"211.247.147.90","src_port":55356,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC.Google","breed":"Tracker\/Ads","category":"Web"},"quic": {"client_requested_server_name":"www.google.com","user_agent":"dev Chrome\/86.0.4240.9 Windows NT 6.1; Win64; x64","version":"TLSv1.3","alpn":"h3-T051","ja3":"92e76078d514999cd950474995dab2b5","tls_supported_versions":"TLSv1.3"}}
+00837{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"quic_t51.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1598620434413,"flow_last_seen":1598620434413,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1598620434413,"l3_proto":"ip4","src_ip":"187.227.136.152","dst_ip":"211.247.147.90","src_port":55356,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC.Google","breed":"Acceptable","category":"Web"},"quic": {"client_requested_server_name":"www.google.com","user_agent":"dev Chrome\/86.0.4240.9 Windows NT 6.1; Win64; x64","version":"TLSv1.3","alpn":"h3-T051","ja3":"92e76078d514999cd950474995dab2b5","tls_supported_versions":"TLSv1.3"}}
02259{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"quic_t51.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_last_seen":1598620434419,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1598620434419,"pkt":"AAAAAAAAAAIA\/tPQCABFAAViAABAADcRkr3T95Nau+OImAG72DwFTvx1wFQwNTEACP+UFbWwBYYNAEU0cA7ob5DRu6SNsqDMEz7qri8UnfijZV8Hhw\/oxky0x+Zt0s6erWm7kWn2+1owrYTdI9p89OpW\/6ptpwv9v0J5BjJyyLuuQ7qMgzGXDs2ur++juUsUpOdkAs5K5BYVfQAmPmXEGyVgmyCeUg1T7Vj6FslmnDV909IngQqr2X3bAL3as4fB8O0bAq64I2nnjXRSsXtOF+WecFDOIkhsUozc+8M2nJh6kczAN6BO7Q6B24T4pTF7f\/SWotAh0wmioZGWvmsK3tbjrCGONmSc7G6EA+eCMtEUY\/yq8VyKOSmIHald\/L7JGCPyNYCQuoSWiWNaW\/I+iZ2Tm83YJ0ULZZc8urwFDYH3aj1AkglwflqENARW1+\/0Wgf8CdNT18FiabAis+X7vPL\/K0rfVmIy72rlRNRfOG7y7nzx1KwQOQc8aCVF3CWYU+Lmd10cKRMsTRDen+t7CfJT6D6czKmRS9zHy8defw2VL+sr4ea6knMol1lydS5om9MxXCYpqegXuWZiFTSbzJvhE4RaqOqWqlC3CyDO4ySp0wcYRr6Xiz\/ypHsBLBgujZNocUdxB92srmLhWvU+EKXNqnvn4sN9tP\/B4VI81UNJfpKqafd5TbC3xVerPG2FpOE4rg1k2rQi9r6v1+PQ\/d3R0LlFcbJ1hI9fgnNKZUfeIejFNzw84ZCPAGKEZF9DRij\/q7+ynKTHsKprl5SyrzqmDatgR6jPni4YdUIipVxz2xAMDSfgGHJudxWet0g70XvUgRUnZwnINCVHKug\/Cwaar4s1XCM8uhzoEef40bHIf\/1cPPikcn5BGvUj0yq5vKOgKlUAn1Pgd3RmxD4udRVK4hr3Qq2qz0yzGHjPkF5V31PdO+LbljCDil0atM9nNzYRQDTxXIy4ROBhbRF0GC5xxy\/5G1Z3EVEXnUgV7cKAoSoRYsJk+ehBddHi\/2\/aZLTP9GUgaj03e1ZAUqg\/pLbgzkOggtkBYwlEystem00J3RiW59azSXPWDzpQD37GvUqWpvchJjuAPROhp0eQOeyP6Sm5m8Ha1f9MDT\/mDWqN\/iBuFORPOJebKiYDmtBTotFqfXW1txgynw6EHUJzSE+pl4MdTTWGiKeLLjK6VcgkjK3QCvZi2YAV34jHwjHZGw2P\/U6KrMCfYoKLgcta7eGwEJgt1TEOATVA86YdSNrUK8Cm6qplxo7u2vCTdHfHERZHXlWiV5V+M6yg8jJ+w71hYe+9QRnWDWxxhFwqS3Rom5NgfL3qyZPAg7B0TvVcGC3k1t2hVxdIBJT1YLB9P8xcq205KojLAkrnJ6A03YtC2cE+\/GfTI6rrSdcn22uQHH1uwQgPFlvo5F8SRGnmtqbBCoQkhDA10opFpEUHAKVRysF1xT\/NgfiMQHD+An4IrPRfuv9gDg0rUkwJww22wh5gLlRkZ\/Syy5BClTzH9Eje2q1QlkG4NyNIdxlgTeTWfrV+owYm4Q+FXDFSqiziTTjYt929oBaNekN7DaLZNKBHzE9aRpnZjKaGJOIkil
bSRnfMsOP+KhOdyxkYqJB7lgyVuE7zA+Cs6QfiNfeFBdysqGJcMLaCJe1XQZYseYZCHv9I1fYRd7rHJDJ5TLxG9ZoKBvyy9qAFruCnQdJM3kRJUF0ZdxtTsL1YtSrJYqn3hcGRfsN64Wu2ioNCdgwzJ\/IOr225URP0O\/yfvAjNTo393KgekGIplrSAr2vqB7j6oyQmlBJgPRuYDzTKmIMBKNHRY+Gk4U31TV\/ldcN5g5htDYX20DA3i7tEfKzfbUYY"}
02260{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"quic_t51.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_last_seen":1598620434482,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1598620434482,"pkt":"AAAAAAAAAAgAH83gCABFAAViXl9AAH8R7F2744iY0\/eTWtg8AbsFTtamzVQwNTEI\/5QVtbAFhg0AAEU0KsIg8w2st8fMy25uq6gsPA7KRO4wWARaQxn0e+nvMAG\/ncVOK2\/1iV8zM1GT+gj2yfRnYitTLViCwPF0TV0R7p64xnLqwrHTiNaW89JgMAHQze00LP7FiTbOvqpo5S+7AzCO4J36LH8gasnIPNye5ytyGP9hxarM0Gwv6wB1BKIgh6Hfi9vN\/Jaq\/hKaWtnsFyqFx21T1U0YmQzCOhcYGHZNHNGEmxqlfOiET0cy7A2zooythTNQBScefWz4fyugA0KO5z5EPbOCuLPnOhJ8u0jAA5snZ9Av4lfTCNurCTo\/b96gqEMXFCAN6kklskS6mSW1P2yxo93FRN9w3VFPyMe8m7WnAxPUMrijM3bZFrpYXz6N3LoSvj\/7t1mbaz3Ew6W7CCET2\/vUPuty0yYuKN9hlZRGZDAOI7p7UV84zBa3MKUoIB90BBwtqXlv\/AcyfRFhSrAf1TPDIen8IRojBr5qTqwwDIcvMREVIsmeXYDDAIh87njz+3l6UiC0r72z0Vz8KlwPmvyd1tNbK4UoVu5yliqV7BzHAT0P+flRjAVL+Vtw\/1eTO0KLmizThDqycqyAF1MjS6cC4BRlgBDuBvC7oqizuHTk4JOICP+TLa71t9U0MO4SvptmKRFy9UA159ziHHDRbAhIzzVEm+HGxTjT93PUzlkT4beWAgYYW5swcH8m2E+qX\/jfh4l+RAJ7s1FC99eqQD\/G2qHKz49sTvtw3eknSSHiADw1dFNDiGytHeAJqgKsYZ6xbxYgMT8vQQJWpcCaoPnc1R\/36QBSKDfO0Ei6I0Nk2Twp2jW7ybYg3WV9zcO8mcO+t2rUANioNNaghKiQ6\/\/kCvnfaOZl9\/nMaaP8oRI80YNnM3bBLePCUoIodPlfRsS+qRORwVaYVbmTkVd+7OOE68KIf+CtQJzWPG1I9szX6EUokwcVW4JeKB3DLXSgUJqbrCp8nB5Gt1Xl+DVmAWNn0zlmAkUkIYwVaRlUBt12nmZM5GfCFjeNYwyxKhMtco0zqNoFh6GPimEo\/HJoIaculB01PGh4MlKE33m6lcbQnV2mcjQy9+X6G7gJAvssvNVim+h2CyUIa0AFnvBEp0BZ0LQBw4xxW1+LO+851oEKlpBHf2CaPTJQbQ3lYLcFUbbZ7WxtncvtHzy\/SI9UgKeWcagnCcsYLbPsnPnloEl6cnUj6vnGVoFZ0zI4TVPk88\/biBoFXX37AYSAsISWoXJh5fdyK7Ub3uTshAtqeqBBTUeUFjb5Aj4cdCLyefeqdX7eVX7iolZTDjMHw6WHcQg9j8QT5ZehE6eQ3EWBv\/dyJkxi+P\/\/5RRqzAOol5xZb6h4LuhsvzWHQihAaP9MzFNZJKsrSoe\/spLPEQi09YKZ53xMfFjPTNozP7awNtIb6QltDJNIByFfslEQklWBp3nSDDraHwFBspLwhrXO\/4KJq80I0e6UvL2AGkUJ3WcnYVtrSbxxk4APJ7JesOtrVvfG0zUeYMWMSCdfwkF4KodqZGtJ3QATjzBea+
nTD5uHk34dDyJnSJKk0ILq0jIFLho8LlWIyJH4QOXOz4qaWrv1Yq7zohspvZk7qqBfzWtq9nyRWQ1TZln6OTuRj1nSwDkH3Qwyv3P3ftVCIjgLduzJ1KxoPir\/gAp5xz8YWBMXoD3IJzkv\/PGQNpizq54tSdx\/+EwNQ0FXkMrTDVKVITAuSnBIkg9sH6JW+WpNYsbAPv3JnEFyzt8fIeM\/r0Qmf+N6zxgE9jaSg9C2Ue6YSiQO2VAdyYTxTvnFaxwR"}
00568{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":642,"source":"quic_t51.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":642,"flow_first_seen":1598620434413,"flow_last_seen":1598620524479,"flow_idle_time":180000,"flow_min_l4_payload_len":25,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":546754,"flow_avg_l4_payload_len":851,"midstream":0,"ts_msec":1598620524479,"l3_proto":"ip4","src_ip":"187.227.136.152","dst_ip":"211.247.147.90","src_port":55356,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
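Review bot: The `detected` event for `www.google.com` in this hunk silently changes `"breed":"Tracker\/Ads"` to `"breed":"Acceptable"` while `proto` stays `QUIC.Google`. The first quickplay.pcap.out hunk (`@@ -20,7 +20,7 @@`) does the same for `clients3.google.com`. Any downstream rule, dashboard or filter keyed on the `Tracker/Ads` breed will stop matching these flows after the update without producing an error. The relabelling is presumably inherited from the libnDPI bump rather than decided here, so it deserves an explicit line in the commit description or changelog, e.g. `Google flows are now reported with breed "Acceptable" instead of "Tracker/Ads"`.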
@@ -14,9 +14,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1952314 bytes
-~~ total memory freed........: 1952314 bytes
-~~ total allocations/frees...: 35993/35993
+~~ total memory allocated....: 4614629 bytes
+~~ total memory freed........: 4614629 bytes
+~~ total allocations/frees...: 100189/100189
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 162 chars
~~ json string max len.......: 2265 chars
diff --git a/test/results/quickplay.pcap.out b/test/results/quickplay.pcap.out
index 300dd0035..e3b4b3e32 100644
--- a/test/results/quickplay.pcap.out
+++ b/test/results/quickplay.pcap.out
@@ -20,7 +20,7 @@
00796{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":9,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":1,"flow_first_seen":1429000037314,"flow_last_seen":1429000037314,"flow_idle_time":7440000,"flow_min_l4_payload_len":187,"flow_max_l4_payload_len":187,"flow_tot_l4_payload_len":187,"flow_avg_l4_payload_len":187,"midstream":1,"ts_msec":1429000037314,"l3_proto":"ip4","src_ip":"10.54.169.250","dst_ip":"173.252.74.22","src_port":52288,"dst_port":80,"l4_proto":"tcp","ndpi": {"proto":"HTTP.Facebook","breed":"Fun","category":"SocialNetwork"},"http": {"hostname":"www.facebook.com","url":"www.facebook.com\/mobile\/status.php","code":0,"content_type":"","user_agent":"Dalvik\/1.6.0 (Linux; U; Android 4.4.4; MI 3W MIUI\/V6.4.2.0.KXDMICB)"}}
00561{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":10,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":1,"flow_first_seen":1429000037600,"flow_last_seen":1429000037600,"flow_idle_time":7440000,"flow_min_l4_payload_len":185,"flow_max_l4_payload_len":185,"flow_tot_l4_payload_len":185,"flow_avg_l4_payload_len":185,"midstream":1,"ts_msec":1429000037600,"l3_proto":"ip4","src_ip":"10.54.169.250","dst_ip":"120.28.26.231","src_port":33277,"dst_port":80,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
00699{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":10,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":1,"flow_last_seen":1429000037600,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":241,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":241,"pkt_l4_len":205,"ts_msec":1429000037600,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAAOEBz0AAPwbyFAo2qfp4HBrngf0AUJlyzTdc8IHSUBgAc3meAABHRVQgL2dlbmVyYXRlXzIwNCBIVFRQLzEuMQ0KVXNlci1BZ2VudDogRGFsdmlrLzEuNi4wIChMaW51eDsgVTsgQW5kcm9pZCA0LjQuNDsgTUkgM1cgTUlVSS9WNi40LjIuMC5LWERNSUNCKQ0KSG9zdDogY2xpZW50czMuZ29vZ2xlLmNvbQ0KQ29ubmVjdGlvbjogS2VlcC1BbGl2ZQ0KQWNjZXB0LUVuY29kaW5nOiBnemlwDQoNCg=="}
-00794{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":10,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":1,"flow_first_seen":1429000037600,"flow_last_seen":1429000037600,"flow_idle_time":7440000,"flow_min_l4_payload_len":185,"flow_max_l4_payload_len":185,"flow_tot_l4_payload_len":185,"flow_avg_l4_payload_len":185,"midstream":1,"ts_msec":1429000037600,"l3_proto":"ip4","src_ip":"10.54.169.250","dst_ip":"120.28.26.231","src_port":33277,"dst_port":80,"l4_proto":"tcp","ndpi": {"proto":"HTTP.Google","breed":"Tracker\/Ads","category":"Web"},"http": {"hostname":"clients3.google.com","url":"clients3.google.com\/generate_204","code":0,"content_type":"","user_agent":"Dalvik\/1.6.0 (Linux; U; Android 4.4.4; MI 3W MIUI\/V6.4.2.0.KXDMICB)"}}
+00792{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":10,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":1,"flow_first_seen":1429000037600,"flow_last_seen":1429000037600,"flow_idle_time":7440000,"flow_min_l4_payload_len":185,"flow_max_l4_payload_len":185,"flow_tot_l4_payload_len":185,"flow_avg_l4_payload_len":185,"midstream":1,"ts_msec":1429000037600,"l3_proto":"ip4","src_ip":"10.54.169.250","dst_ip":"120.28.26.231","src_port":33277,"dst_port":80,"l4_proto":"tcp","ndpi": {"proto":"HTTP.Google","breed":"Acceptable","category":"Web"},"http": {"hostname":"clients3.google.com","url":"clients3.google.com\/generate_204","code":0,"content_type":"","user_agent":"Dalvik\/1.6.0 (Linux; U; Android 4.4.4; MI 3W MIUI\/V6.4.2.0.KXDMICB)"}}
00560{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":11,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":2,"flow_last_seen":1429000037659,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":137,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":137,"pkt_l4_len":101,"ts_msec":1429000037659,"pkt":"AAACEgAAAAAAAAAAAAAIAEUcAHlLmEAArQY6l3gcGucKNqn6AFCB\/VzwgdKZcs3wUBgIIqKRAABIVFRQLzEuMSAyMDQgTm8gQ29udGVudA0KRGF0ZTogVHVlLCAxNCBBcHIgMjAxNSAwODoyNzoxNyBHTVQNClNlcnZlcjogR0ZFLzIuMA0KDQo="}
00829{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":12,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":2,"flow_last_seen":1429000037771,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":339,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":339,"pkt_l4_len":303,"ts_msec":1429000037771,"pkt":"AAACEgAAAAAAAAAAAAAIAEUcAUMgAkAArQYAVK38ShYKNqn6AFDMQGR3Qx6qvJUxUBj\/\/2USAABIVFRQLzEuMSAyMDQgTm8gQ29udGVudA0KQ2FjaGUtQ29udHJvbDogcHJpdmF0ZSwgbm8tc3RvcmUsIG5vLWNhY2hlLCBtdXN0LXJldmFsaWRhdGUNCkVkZ2UtY29udHJvbDogY2FjaGUtbWF4YWdlPTI4ZA0KWC1GQi1EZWJ1ZzogSENQcUMxYW5HZGxXZUVqMEIwU3F1MHVIQzU2N3BTRzJERlZvSXdHYmRXNFovN1dydjVhM0ZQZEY5V1FIMDUrNFREZVFXV3FiZjA4djA4c1RURE81VWc9PQ0KRGF0ZTogVHVlLCAxNCBBcHIgMjAxNSAwODoyNzoxNyBHTVQNCkNvbm5lY3Rpb246IGtlZXAtYWxpdmUNCg0K"}
00864{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":13,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_last_seen":1429000039509,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":365,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":365,"pkt_l4_len":329,"ts_msec":1429000039509,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAAV1DA0AAPwaoIgo2qfp4HCMpxewAUEHDig\/6xw2tUBgAhzcPAABHRVQgL3NvbHIvUmVzdEFwaVNpbmdUZWxfUEgvcmVzdGFwaS9tb3ZpZXMvNjI0MT9hcGlLZXk9cXdlcnR5JmRldmljZT1hbmRyb2lkbW9iaWxlJmxvY2FsZT1lbmcmbmV0d29yaz1XSUZJJnBhZ2VOdW1iZXI9MSZwYWdlU2l6ZT01MCBIVFRQLzEuMQ0KVXNlci1BZ2VudDogRGFsdmlrLzEuNi4wIChMaW51eDsgVTsgQW5kcm9pZCA0LjQuNDsgTUkgM1cgTUlVSS9WNi40LjIuMC5LWERNSUNCKQ0KSG9zdDogYXBpLXNpbmd0ZWxoYXdrLnF1aWNrcGxheS5jb20NCkNvbm5lY3Rpb246IEtlZXAtQWxpdmUNCkFjY2VwdC1FbmNvZGluZzogZ3ppcA0KDQo="}
@@ -40,7 +40,7 @@
01043{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":23,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":2,"flow_last_seen":1429000049272,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":500,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":500,"pkt_l4_len":464,"ts_msec":1429000049272,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAAeTkfkAAPwYGIQo2qfp4HCMoyycAUPhJNysVgOaYUBgDEEglAABHRVQgL3NlZy92b2wxL3MvV2FybmVyL3FwbWV6emhhd2tkaWdpdGFsY29udGFnaW9uMjA1NDAzM2ZlYXR1cmVlbmdsaXNoMjBsdHJ0MjM5NzZmcHM3ODM0MTkyLzIwMTUtMDItMDIvU1RWODBSMTkyL3FwbWV6ei1IYXdrX0RpZ2l0YWxfQ09OVEFHSU9OXzIwNTQwMzNfRkVBVFVSRV9FTkdMSVNIXzJfMF9MVFJUXzIzOTc2ZnBzXzc4MzQxOTIubTJ0X1NUVjgwUjE5Mi0wMDAxLnRzIEhUVFAvMS4xDQpIb3N0OiB2b2Qtc2luZ3RlbGhhd2sucXVpY2twbGF5LmNvbQ0KQ29ubmVjdGlvbjoga2VlcC1hbGl2ZQ0KVXNlci1BZ2VudDogTW96aWxsYS81LjAgKExpbnV4OyBBbmRyb2lkIDQuNC40OyBNSSAzVyBCdWlsZC9LVFU4NFApIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIFZlcnNpb24vNC4wIENocm9tZS8zMy4wLjAuMCBNb2JpbGUgU2FmYXJpLzUzNy4zNg0KDQo="}
00564{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":24,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":10,"flow_packets_processed":1,"flow_first_seen":1429000050062,"flow_last_seen":1429000050062,"flow_idle_time":7440000,"flow_min_l4_payload_len":540,"flow_max_l4_payload_len":540,"flow_tot_l4_payload_len":540,"flow_avg_l4_payload_len":540,"midstream":1,"ts_msec":1429000050062,"l3_proto":"ip4","src_ip":"10.54.169.250","dst_ip":"203.205.151.160","src_port":54883,"dst_port":80,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
01177{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":24,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":10,"flow_packet_id":1,"flow_last_seen":1429000050062,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":596,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":596,"pkt_l4_len":560,"ts_msec":1429000050062,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAAkSlZkAAPwZ8rwo2qfrLzZeg1mMAUMsBdKl7s0qnUBgAbhITAABQT1NUIGh0dHA6Ly9oa2V4dHNob3J0LndlaXhpbi5xcS5jb20vY2dpLWJpbi9taWNyb21zZy1iaW4vbW1zbnNzeW5jIEhUVFAvMS4xDQpBY2NlcHQ6ICovKg0KQ2FjaGUtQ29udHJvbDogbm8tY2FjaGUNCkNvbm5lY3Rpb246IGNsb3NlDQpDb250ZW50LUxlbmd0aDogMjc1DQpDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQ0KSG9zdDogaGtleHRzaG9ydC53ZWl4aW4ucXEuY29tDQpVc2VyLUFnZW50OiBNaWNyb01lc3NlbmdlciBDbGllbnQNCg0KjV8mAQBBVSvQfd8CEAIXSGRsPmwM34SDANYBswPsAcTdAQKE1XHhkgwTYJ\/4C3eKbQVsdC1Dk55XBGM8iLIuJNxQ2mKDGCiEu7hKfZxRSGMz97qFq2jItoGcPUyJfVpIIUYedk0uwBKYCKwk1caV589saz0xALfFf\/iYFlFx1AxUdy484YNnqVDF8K+kVH3f2c9yoInZasFWfv137RkUwmCH+br0dsm2pY5PlW8IbHQGBJKkdj6f6t1lujHjoakqif1dkWjRkTjcDfsFtBglw4jP18zIVy+uqXK+1IUwvsPz80+hSVjN5hP25Llmt\/ESe34eB\/LJMU4AkN\/2f0FWCACM2tXWSzYfJGQOBiLS2DO0iM0="}
-00800{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":24,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":10,"flow_packets_processed":1,"flow_first_seen":1429000050062,"flow_last_seen":1429000050062,"flow_idle_time":7440000,"flow_min_l4_payload_len":540,"flow_max_l4_payload_len":540,"flow_tot_l4_payload_len":540,"flow_avg_l4_payload_len":540,"midstream":1,"ts_msec":1429000050062,"l3_proto":"ip4","src_ip":"10.54.169.250","dst_ip":"203.205.151.160","src_port":54883,"dst_port":80,"l4_proto":"tcp","ndpi": {"proto":"HTTP.QQ","breed":"Fun","category":"Chat"},"http": {"hostname":"hkextshort.weixin.qq.com","url":"hkextshort.weixin.qq.comhttp:\/\/hkextshort.weixin.qq.com\/cgi-bin\/micromsg-bin\/mmsnssync","code":0,"content_type":"","user_agent":"MicroMessenger Client"}}
+00776{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":24,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":10,"flow_packets_processed":1,"flow_first_seen":1429000050062,"flow_last_seen":1429000050062,"flow_idle_time":7440000,"flow_min_l4_payload_len":540,"flow_max_l4_payload_len":540,"flow_tot_l4_payload_len":540,"flow_avg_l4_payload_len":540,"midstream":1,"ts_msec":1429000050062,"l3_proto":"ip4","src_ip":"10.54.169.250","dst_ip":"203.205.151.160","src_port":54883,"dst_port":80,"l4_proto":"tcp","ndpi": {"proto":"HTTP.QQ","breed":"Fun","category":"Chat"},"http": {"hostname":"hkextshort.weixin.qq.com","url":"http:\/\/hkextshort.weixin.qq.com\/cgi-bin\/micromsg-bin\/mmsnssync","code":0,"content_type":"","user_agent":"MicroMessenger Client"}}
01931{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":25,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":3,"flow_last_seen":1429000051331,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":1152,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":1152,"pkt_l4_len":1116,"ts_msec":1429000051331,"pkt":"AAACEgAAAAAAAAAAAAAIAEUcBHAsp0AArAZOUHgcIygKNqn6AFDLJxWDzlj4STjnUBgIQ33VAAByqbIRKSnXO3n7wDbsfUk8e6VuWplgy2s+dhRInKblJDspkbYpMraIC2G\/R+GUD+2cHzU1WK917CgXy1UuWGNRG3nVdbmkpW6gXyTrK\/GWE44kpRkGnzPXCIHXPX744dGFJMegxO0qTCK1Fo6i3uEpacGLcKMMoyNpcaQHAYLI622xbJ8B36qbIZZWruxvDu7KIDG5e3mPu31z9S2QcHaVE4BE1tKVMaRT4CoWi1PkV85kYTw7+lXQj9CaQqhbKReGPL\/tcLMkyzZwE6IHJUK26PQvKyhEuU6GAQ+r9LcupqVlcd+NUyod+WhKMRAmSJil\/BRUsIdoudcrCIqRJzR5jVUoqyj\/ptMT5SVgA5N26bnxszCob1V6PGoSqrFbXGqUSFChkbSJKFRTCvxPDJYyRcjsMaoU12chr9o101HtsZqTm8Y5QbIAN7B8AVumqqy0fH9lTC67oIzCP4XCUFPOzmsTGixU55n8PiHFsO9k6FHgmL2Qpx9XZ7LZZq6kKLQZ6YEj4wSZ17X4PtdheB86DsQcq8hTQKwZ50xFXAuqOJAfjJ3Fwvpkhy0irBq+moIpZIUyDIXip19wI5TntRdQ6klOXxoMR4h+rkQF9NIWAZsF4N+T7NhEDH0IhJ+7C8yW\/XKrXV2QuHcZeah99tklt\/1RoCV3tlE3iI+9KsShs\/QYEoI2GuydlkjMnZTY8FZqf7NGoRzmtcyCTcSq7ihdZ8emY8+Em76YXV5DqpjEXAEAd6Ihi3wXtxe47OSDIzuYkFbw07vSe8r5pw+O8CvCFNmM+\/R5XtTzDC6jpCkjK2Ks4K8eO1sR7xVxwgkYKLOtWeJvnPFsHRpwPxtVG35fKrArPruPuT5oZOx\/pQJT9cFmcAl3RKKARXXxajyJ2qH50U92ABd9K3dq1HyFHG2aoh8ZR\/WT1vs31Bm0M7ATJhQL2l2m4hoGBonCWxZz758eNTp\/kC\/zRYgzH6m74xpGj038MxNX4to5jr+JtrVTP6loTNL8hf21+Z1vRJ8TKNwrI0CwNIptRF429nB7n+Pl6NrVJTHjMQt5IoQZRVlFDepGzD3fSDZZ4GjFo43mYzPMjWk0+FMIfnOvn6Gn8nXWwKtX1oF2fKKInSceON8GTZBwiFeJbBUg69aGCibPn5BkMxekscJXDNFdCB2xNetElbFYP+YoyUHk8ZsDR\/PLX1ywopxm9Q\/Py6arJrU3L+8wIopRGPUBVivuDfLh0pGSoWdpGKSTKIBICVrgSbSPdIgZjbfO0v4LLFX+kYV8QKziGFA\/WUp+nU5eMYE6UsEvLHeSktqvq0aUc+dVpxaKqVHlN+ect0oR9LY9MKkAeQsdVq1CuWDxS+xrJyD\/Uu+pp1IZey306exBm3ut4YWy7OXTRL0TOwdk6mtjCmzQzJRmtiRCxM7bjXgmi1lSWiwmYs4+DuYZWGKvtZHnnKOVsVmU8qj1T9ly"}
01177{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":26,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":10,"flow_packet_id":2,"flow_last_seen":1429000051366,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":596,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":596,"pkt_l4_len":560,"ts_msec":1429000051366,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAAkSlZ0AAPwZ8rgo2qfrLzZeg1mMAUMsBdKl7s0qnUBgAbhITAABQT1NUIGh0dHA6Ly9oa2V4dHNob3J0LndlaXhpbi5xcS5jb20vY2dpLWJpbi9taWNyb21zZy1iaW4vbW1zbnNzeW5jIEhUVFAvMS4xDQpBY2NlcHQ6ICovKg0KQ2FjaGUtQ29udHJvbDogbm8tY2FjaGUNCkNvbm5lY3Rpb246IGNsb3NlDQpDb250ZW50LUxlbmd0aDogMjc1DQpDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQ0KSG9zdDogaGtleHRzaG9ydC53ZWl4aW4ucXEuY29tDQpVc2VyLUFnZW50OiBNaWNyb01lc3NlbmdlciBDbGllbnQNCg0KjV8mAQBBVSvQfd8CEAIXSGRsPmwM34SDANYBswPsAcTdAQKE1XHhkgwTYJ\/4C3eKbQVsdC1Dk55XBGM8iLIuJNxQ2mKDGCiEu7hKfZxRSGMz97qFq2jItoGcPUyJfVpIIUYedk0uwBKYCKwk1caV589saz0xALfFf\/iYFlFx1AxUdy484YNnqVDF8K+kVH3f2c9yoInZasFWfv137RkUwmCH+br0dsm2pY5PlW8IbHQGBJKkdj6f6t1lujHjoakqif1dkWjRkTjcDfsFtBglw4jP18zIVy+uqXK+1IUwvsPz80+hSVjN5hP25Llmt\/ESe34eB\/LJMU4AkN\/2f0FWCACM2tXWSzYfJGQOBiLS2DO0iM0="}
00575{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":28,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":10,"flow_packet_id":3,"flow_last_seen":1429000052145,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":145,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":145,"pkt_l4_len":109,"ts_msec":1429000052145,"pkt":"AAACEgAAAAAAAAAAAAAIAEUcAIFK0UAArQZq68vNl6AKNqn6AFDWY3uzUB\/LAXbFUBgIIl2QAADLSVkFxdhO01jGkqqir\/4Pe\/qItPtTf6ajYud7yQvoMcf18CvkFV3iH59UBVcusMzzLrB7pfuUH4Sme9ekIxa0n3Xkcqj9Zb8GTsGgT4pSgGI1jIGtnmYZvw=="}
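Review bot: The corrected `http.url` on the `detected` line for flow 10 is now `http:\/\/hkextshort.weixin.qq.com\/cgi-bin\/micromsg-bin\/mmsnssync`, an absolute URL with a scheme. Other `http.url` values in this same file are hostname plus path with no scheme, for example `clients3.google.com\/generate_204`. Dropping the duplicated hostname is right, since the captured request line is absolute-form (`POST http://hkextshort...`), but the field now has two shapes. Consumers that match, normalise or join on `url` have to handle both. I would document that on the field in the event schema, assuming it carries descriptions, with something like `url: hostname + path for origin-form requests; the request target verbatim when the client sent an absolute URI`.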
@@ -49,26 +49,26 @@
01094{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":29,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":11,"flow_packets_processed":1,"flow_first_seen":1429000052217,"flow_last_seen":1429000052217,"flow_idle_time":7440000,"flow_min_l4_payload_len":444,"flow_max_l4_payload_len":444,"flow_tot_l4_payload_len":444,"flow_avg_l4_payload_len":444,"midstream":1,"ts_msec":1429000052217,"l3_proto":"ip4","src_ip":"10.54.169.250","dst_ip":"120.28.35.40","src_port":52009,"dst_port":80,"l4_proto":"tcp","ndpi": {"proto":"HTTP","breed":"Acceptable","category":"Streaming"},"http": {"hostname":"vod-singtelhawk.quickplay.com","url":"vod-singtelhawk.quickplay.com\/seg\/vol1\/s\/Warner\/qpmezzhawkdigitalcontagion2054033featureenglish20ltrt23976fps7834192\/2015-02-02\/STV80R192\/qpmezz-Hawk_Digital_CONTAGION_2054033_FEATURE_ENGLISH_2_0_LTRT_23976fps_7834192.m2t_STV80R192-0020.ts","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (Linux; Android 4.4.4; MI 3W Build\/KTU84P) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/33.0.0.0 Mobile Safari\/537.36"}}
00564{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":30,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":12,"flow_packets_processed":1,"flow_first_seen":1429000052348,"flow_last_seen":1429000052348,"flow_idle_time":7440000,"flow_min_l4_payload_len":324,"flow_max_l4_payload_len":324,"flow_tot_l4_payload_len":324,"flow_avg_l4_payload_len":324,"midstream":1,"ts_msec":1429000052348,"l3_proto":"ip4","src_ip":"10.54.169.250","dst_ip":"203.205.129.101","src_port":42761,"dst_port":80,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
00884{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":30,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":12,"flow_packet_id":1,"flow_last_seen":1429000052348,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":380,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":380,"pkt_l4_len":344,"ts_msec":1429000052348,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAAWw6SUAAPwb+3wo2qfrLzYFlpwkAUDA+6IKRcovGUBgAblluAABQT1NUIGh0dHA6Ly9oa2V4dHNob3J0LndlaXhpbi5xcS5jb20vY2dpLWJpbi9taWNyb21zZy1iaW4vbW1iYXRjaGVtb2ppZG93bmxvYWQgSFRUUC8xLjENCkFjY2VwdDogKi8qDQpDYWNoZS1Db250cm9sOiBuby1jYWNoZQ0KQ29ubmVjdGlvbjogY2xvc2UNCkNvbnRlbnQtTGVuZ3RoOiA0OQ0KQ29udGVudC1UeXBlOiBhcHBsaWNhdGlvbi9vY3RldC1zdHJlYW0NCkhvc3Q6IGhrZXh0c2hvcnQud2VpeGluLnFxLmNvbQ0KVXNlci1BZ2VudDogTWljcm9NZXNzZW5nZXIgQ2xpZW50DQoNCoZfJgEAQVUr0H3fAhACF0hkbD5sDN+EgwC5BQICxN0BAmqbBe97kd9DUUv3xZ4Sxtk="}
-00811{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":30,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":12,"flow_packets_processed":1,"flow_first_seen":1429000052348,"flow_last_seen":1429000052348,"flow_idle_time":7440000,"flow_min_l4_payload_len":324,"flow_max_l4_payload_len":324,"flow_tot_l4_payload_len":324,"flow_avg_l4_payload_len":324,"midstream":1,"ts_msec":1429000052348,"l3_proto":"ip4","src_ip":"10.54.169.250","dst_ip":"203.205.129.101","src_port":42761,"dst_port":80,"l4_proto":"tcp","ndpi": {"proto":"HTTP.QQ","breed":"Fun","category":"Chat"},"http": {"hostname":"hkextshort.weixin.qq.com","url":"hkextshort.weixin.qq.comhttp:\/\/hkextshort.weixin.qq.com\/cgi-bin\/micromsg-bin\/mmbatchemojidownload","code":0,"content_type":"","user_agent":"MicroMessenger Client"}}
+00787{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":30,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":12,"flow_packets_processed":1,"flow_first_seen":1429000052348,"flow_last_seen":1429000052348,"flow_idle_time":7440000,"flow_min_l4_payload_len":324,"flow_max_l4_payload_len":324,"flow_tot_l4_payload_len":324,"flow_avg_l4_payload_len":324,"midstream":1,"ts_msec":1429000052348,"l3_proto":"ip4","src_ip":"10.54.169.250","dst_ip":"203.205.129.101","src_port":42761,"dst_port":80,"l4_proto":"tcp","ndpi": {"proto":"HTTP.QQ","breed":"Fun","category":"Chat"},"http": {"hostname":"hkextshort.weixin.qq.com","url":"http:\/\/hkextshort.weixin.qq.com\/cgi-bin\/micromsg-bin\/mmbatchemojidownload","code":0,"content_type":"","user_agent":"MicroMessenger Client"}}
00564{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":31,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":13,"flow_packets_processed":1,"flow_first_seen":1429000052350,"flow_last_seen":1429000052350,"flow_idle_time":7440000,"flow_min_l4_payload_len":405,"flow_max_l4_payload_len":405,"flow_tot_l4_payload_len":405,"flow_avg_l4_payload_len":405,"midstream":1,"ts_msec":1429000052350,"l3_proto":"ip4","src_ip":"10.54.169.250","dst_ip":"203.205.151.160","src_port":54885,"dst_port":80,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
00994{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":31,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":13,"flow_packet_id":1,"flow_last_seen":1429000052350,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":461,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":461,"pkt_l4_len":425,"ts_msec":1429000052350,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAAb2qTEAAPwZ4UAo2qfrLzZeg1mUAUE+SeI3XHwqaUBgAbsqdAABQT1NUIGh0dHA6Ly9oa2V4dHNob3J0LndlaXhpbi5xcS5jb20vY2dpLWJpbi9taWNyb21zZy1iaW4vZ2V0Y29udGFjdGxhYmVsbGlzdCBIVFRQLzEuMQ0KQWNjZXB0OiAqLyoNCkNhY2hlLUNvbnRyb2w6IG5vLWNhY2hlDQpDb25uZWN0aW9uOiBjbG9zZQ0KQ29udGVudC1MZW5ndGg6IDEzMA0KQ29udGVudC1UeXBlOiBhcHBsaWNhdGlvbi9vY3RldC1zdHJlYW0NCkhvc3Q6IGhrZXh0c2hvcnQud2VpeGluLnFxLmNvbQ0KVXNlci1BZ2VudDogTWljcm9NZXNzZW5nZXIgQ2xpZW50DQoNColfJgEAQVUr0H3fAhACF0hkbD5sDN+EgwD\/BNABUsTdAQKE1XHhkgwTYJ\/4C3eKbQVsdC1Dk55XBGM8iLIuJNxQ2mKDGCiEu7hKfZxRSGMz97qFq2jItoGcPUyJfVpIIUYeQoz6VrtJH00pu+gvbU58lmESj2o4D7TnERbmXXALCqM="}
-00810{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":31,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":13,"flow_packets_processed":1,"flow_first_seen":1429000052350,"flow_last_seen":1429000052350,"flow_idle_time":7440000,"flow_min_l4_payload_len":405,"flow_max_l4_payload_len":405,"flow_tot_l4_payload_len":405,"flow_avg_l4_payload_len":405,"midstream":1,"ts_msec":1429000052350,"l3_proto":"ip4","src_ip":"10.54.169.250","dst_ip":"203.205.151.160","src_port":54885,"dst_port":80,"l4_proto":"tcp","ndpi": {"proto":"HTTP.QQ","breed":"Fun","category":"Chat"},"http": {"hostname":"hkextshort.weixin.qq.com","url":"hkextshort.weixin.qq.comhttp:\/\/hkextshort.weixin.qq.com\/cgi-bin\/micromsg-bin\/getcontactlabellist","code":0,"content_type":"","user_agent":"MicroMessenger Client"}}
+00786{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":31,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":13,"flow_packets_processed":1,"flow_first_seen":1429000052350,"flow_last_seen":1429000052350,"flow_idle_time":7440000,"flow_min_l4_payload_len":405,"flow_max_l4_payload_len":405,"flow_tot_l4_payload_len":405,"flow_avg_l4_payload_len":405,"midstream":1,"ts_msec":1429000052350,"l3_proto":"ip4","src_ip":"10.54.169.250","dst_ip":"203.205.151.160","src_port":54885,"dst_port":80,"l4_proto":"tcp","ndpi": {"proto":"HTTP.QQ","breed":"Fun","category":"Chat"},"http": {"hostname":"hkextshort.weixin.qq.com","url":"http:\/\/hkextshort.weixin.qq.com\/cgi-bin\/micromsg-bin\/getcontactlabellist","code":0,"content_type":"","user_agent":"MicroMessenger Client"}}
00724{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":32,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":12,"flow_packet_id":2,"flow_last_seen":1429000052688,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":261,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":261,"pkt_l4_len":225,"ts_msec":1429000052688,"pkt":"AAACEgAAAAAAAAAAAAAIAEUcAPWIBEAArAZEf8vNgWUKNqn6AFCnCZFyi8YwPunGUBgIIppgAABIVFRQLzEuMSAyMDAgT0sNCkNvbm5lY3Rpb246IGNsb3NlDQpDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQ0KQ29udGVudC1EaXNwb3NpdGlvbjogYXR0YWNobWVudDsgZmlsZW5hbWU9bWljcm9tc2dyZXNwLmRhdA0KQ29udGVudC1MZW5ndGg6IDQ3DQoNCn5fAAAAAFUr0H3fAhACF0hkbD5sDN+EgwC5BQwMAADES8+zVe2SBL6tUVxA2Vh6"}
00725{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":33,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":13,"flow_packet_id":2,"flow_last_seen":1429000053611,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":261,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":261,"pkt_l4_len":225,"ts_msec":1429000053611,"pkt":"AAACEgAAAAAAAAAAAAAIAEUcAPUJYEAArQar6MvNl6AKNqn6AFDWZdcfCppPknoiUBgIIrzYAABIVFRQLzEuMSAyMDAgT0sNCkNvbm5lY3Rpb246IGNsb3NlDQpDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQ0KQ29udGVudC1EaXNwb3NpdGlvbjogYXR0YWNobWVudDsgZmlsZW5hbWU9bWljcm9tc2dyZXNwLmRhdA0KQ29udGVudC1MZW5ndGg6IDQ3DQoNCn5fAAAAAFUr0H3fAhACF0hkbD5sDN+EgwD\/BAgIAACTADJ0e1hwz8xBqPPud44t"}
02355{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":34,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":2,"flow_last_seen":1429000054555,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":1456,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":1456,"pkt_l4_len":1420,"ts_msec":1429000054555,"pkt":"AAACEgAAAAAAAAAAAAAIAEUcBaBrnEAArQYNK3gcIygKNqn6AFDLKctRyGZwAbOjUBAIIjnpAAC6eiaRjUv\/RPkOH82F5WosK669TTY41gIXUb5TM31DDCidAN9BA2XuM3HL8T4H8RaooiwzYVX\/NyYQvgJwozgBs+HWQERJo3j\/tFsg+NsbehQ2yqZ0ni5IF772nmOTUjjTqhvSyTYKL8LPX7\/SbJuUeesyVlCo1rcZrFyvobivL2QselZVKbZT9oXnVrTBXz9SgWOBGQjqM+6MYkHQqsKJwKvUzEiyfqsG7Y5ib\/HG3Cr61CWCOUzckjCo4x7\/2FXuS4bbTxyKoEXBeNcTCujBm4BW7TCl6yaZq2WXxGG4hvRF0Be\/m5kDX7D2ritov06P2eBHlozi8poVm+8iR+ps7ttJSDR9cRtIoZ6CzGQuMlpslQH3eGbKiA+TieQa5VKgPmn67A5ZHz6oVTfujJs8WKbjDDZ9Q0iRvNel4W1E1K\/\/zSVXoGcUMXf+jhnQwZpcpi1EdAnR+40BHozU+RTudhZL4Gple7Zf9xhKfQFyWOsUn76k3fkX1zxQlXwkMtX73RmtTyaB3L2pN7AlVM\/\/nWHu7EuLuT9DL9C5g0C9ndUmqL7NBsK0kAZZ78eDPfrNcCw\/ZFw2bNcbUFc\/DZYsLjg+otfm91LhV9Jp43mlKbIVnnDPmIDKMqjiCMwbTaSaZixrFny1uf5O00Y6dqEgtz9Pli4PyDpRhyoCvJu+i4H+d88Uaw2rkO46JoXyB7A5p5OjjhlkqrGyi1CwU0deobjNdyyDdV8jJ\/Pi9n3PsmZZgmuJXbUr3Wj33YeDG\/0Oj+2II0vRU4R2CMhv6eJcxCNdiNxlxN6WMj7SN4Xwx9cQTGloH0v9P+ZbhisAixQQx+c7VnS53a6eMHAGjtfp5Vfl\/a+fbz\/SS6+0wsbw43YigcJZdKwu\/J+7R2Vsvwwp\/\/0VJXCclXCvQKK9ZgSyMjcZXFFdVBYQ9ynX2PKUJbCiQo0ZSacbctiB0eo38ldIKG1HQXiG+IvrS8x51f+MHkxe\/Qz6gFVONzxqGI2AuPK799Gz1u48EzIlwqf+hfJ5+80+67LPm7OKnX\/+Hglw20t2bXScSU\/7a\/No7LXMZaiPPFjItOLkydDIZdblKbD9VzRcriDGIikYRE2vOO7ef0bABx9ekxq7Y6qOz8wz2bfi82kKdO6ZKos8mJ6Z5zMskbhz5TARjuFwb\/y0CNvNRI3ZzaCcWvcSerQm6YI5Qkh9hi+UFoCigmvOa40ltrSAgZJLwEzoigbbL\/Fux90aNws71lhYIk5rLapLHllGTYci4NeZq+lysN0NJeGSVgJjhywSjEcv98KS01SOoGP+L8hkrHHDndozayAIZx7KNatPdBhHierZx9hk7YaR2QyAaOf\/KGZ26mtXJD+fZ9qzzRf7VPOJIXRan6Mvh2X5ksvc+d2E+xpW4ZS3heqwr3GFyseSzu+SItPTkyOePTh5SBKlnurq4GBXzKzTiVp1gCObUjjb361kLXFDG8pv8RFHz9T71D1Nc2wSTzFugnvV1UNFiSfCUv5Hf3vreasQSxEc
5M2HufON7Ls2Sq1av0HxiKW3cr3g1hTf6isQpBvLi2kzfVTuUfjZ4NfuituEBPk76dM0NGhwCE37DhDWyEA0CskC\/3LGpzpkwJVXZJneb4tZ6ZUUp9Tq8jwnKJrc9Xm0\/K+NOqhD9cfXeA0wPmIBqb\/50HOtK0ivaxJQrriFNfYzXGvwDWExqj3032B+UnoRZ9sdl+HDci1tJl2ZYTWQ\/jnW4QU+eyZsftpA1fidaKNXFUm98r6LCSgwEpKQko1ga3+vGDjVtQbFJqqZZSUhMiGE7JxSiWQR6m1VFOyrIP\/NGSlhQwEVU0AVlSc0flRUDOO1ef3Q8CCp+aj8TUh3wwIIfQUflA=="}
00564{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":35,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":1,"flow_first_seen":1429000054595,"flow_last_seen":1429000054595,"flow_idle_time":7440000,"flow_min_l4_payload_len":560,"flow_max_l4_payload_len":560,"flow_tot_l4_payload_len":560,"flow_avg_l4_payload_len":560,"midstream":1,"ts_msec":1429000054595,"l3_proto":"ip4","src_ip":"10.54.169.250","dst_ip":"203.205.129.101","src_port":42762,"dst_port":80,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
01205{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":35,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":14,"flow_packet_id":1,"flow_last_seen":1429000054595,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":616,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":616,"pkt_l4_len":580,"ts_msec":1429000054595,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAAljROkAAPwZnAgo2qfrLzYFlpwoAUAw7AlWKyQifUBgAbo2ZAABQT1NUIGh0dHA6Ly9oa2V4dHNob3J0LndlaXhpbi5xcS5jb20vY2dpLWJpbi9taWNyb21zZy1iaW4vYW5kcm9pZGdjbXJlZyBIVFRQLzEuMQ0KQWNjZXB0OiAqLyoNCkNhY2hlLUNvbnRyb2w6IG5vLWNhY2hlDQpDb25uZWN0aW9uOiBjbG9zZQ0KQ29udGVudC1MZW5ndGg6IDI5MQ0KQ29udGVudC1UeXBlOiBhcHBsaWNhdGlvbi9vY3RldC1zdHJlYW0NCkhvc3Q6IGhrZXh0c2hvcnQud2VpeGluLnFxLmNvbQ0KVXNlci1BZ2VudDogTWljcm9NZXNzZW5nZXIgQ2xpZW50DQoNCo1fJgEAQVUr0H3fAhACF0hkbD5sDN+EgwDvBPUC9wHE3QEChNVx4ZIME2Cf+At3im0FbHQtQ5OeVwRjPIiyLiTcUNpigxgohLu4Sn2cUUhjM\/e6hatoyLaBnD1MiX1aSCFGHqc7sd1LbQ4Ji50\/nmut+cRtfu64v\/XpBgMs3P9k27B87PKWuZeRn0c7PoUNWA2a8JliIiEG\/iNlGYYh7Jh9YEWG\/gDJeOxQbfTuL3jKYttVpQbSW5W7M23rsRNXzMxlPjm7V+eiXogw4ZTrI0SYQBetGJTy4I9tf1xmHMyE6HsFYIlHFXzsGgJQf7uh78Qo0Kz+t0syWOECVQvp3s423G3nllPk9jmdcOLrj5HgsV0zUjYpYNBzzWvoRGUwiRoLkw=="}
-00804{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":35,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":1,"flow_first_seen":1429000054595,"flow_last_seen":1429000054595,"flow_idle_time":7440000,"flow_min_l4_payload_len":560,"flow_max_l4_payload_len":560,"flow_tot_l4_payload_len":560,"flow_avg_l4_payload_len":560,"midstream":1,"ts_msec":1429000054595,"l3_proto":"ip4","src_ip":"10.54.169.250","dst_ip":"203.205.129.101","src_port":42762,"dst_port":80,"l4_proto":"tcp","ndpi": {"proto":"HTTP.QQ","breed":"Fun","category":"Chat"},"http": {"hostname":"hkextshort.weixin.qq.com","url":"hkextshort.weixin.qq.comhttp:\/\/hkextshort.weixin.qq.com\/cgi-bin\/micromsg-bin\/androidgcmreg","code":0,"content_type":"","user_agent":"MicroMessenger Client"}}
+00780{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":35,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":1,"flow_first_seen":1429000054595,"flow_last_seen":1429000054595,"flow_idle_time":7440000,"flow_min_l4_payload_len":560,"flow_max_l4_payload_len":560,"flow_tot_l4_payload_len":560,"flow_avg_l4_payload_len":560,"midstream":1,"ts_msec":1429000054595,"l3_proto":"ip4","src_ip":"10.54.169.250","dst_ip":"203.205.129.101","src_port":42762,"dst_port":80,"l4_proto":"tcp","ndpi": {"proto":"HTTP.QQ","breed":"Fun","category":"Chat"},"http": {"hostname":"hkextshort.weixin.qq.com","url":"http:\/\/hkextshort.weixin.qq.com\/cgi-bin\/micromsg-bin\/androidgcmreg","code":0,"content_type":"","user_agent":"MicroMessenger Client"}}
01045{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":36,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":3,"flow_last_seen":1429000054688,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":500,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":500,"pkt_l4_len":464,"ts_msec":1429000054688,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAAeRjvEAAPwaG4wo2qfp4HCMoyykAUHABs6PLUc5cUBgk\/ZRuAABHRVQgL3NlZy92b2wxL3MvV2FybmVyL3FwbWV6emhhd2tkaWdpdGFsY29udGFnaW9uMjA1NDAzM2ZlYXR1cmVlbmdsaXNoMjBsdHJ0MjM5NzZmcHM3ODM0MTkyLzIwMTUtMDItMDIvU1RWODBSMTkyL3FwbWV6ei1IYXdrX0RpZ2l0YWxfQ09OVEFHSU9OXzIwNTQwMzNfRkVBVFVSRV9FTkdMSVNIXzJfMF9MVFJUXzIzOTc2ZnBzXzc4MzQxOTIubTJ0X1NUVjgwUjE5Mi0wMDIxLnRzIEhUVFAvMS4xDQpIb3N0OiB2b2Qtc2luZ3RlbGhhd2sucXVpY2twbGF5LmNvbQ0KQ29ubmVjdGlvbjoga2VlcC1hbGl2ZQ0KVXNlci1BZ2VudDogTW96aWxsYS81LjAgKExpbnV4OyBBbmRyb2lkIDQuNC40OyBNSSAzVyBCdWlsZC9LVFU4NFApIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIFZlcnNpb24vNC4wIENocm9tZS8zMy4wLjAuMCBNb2JpbGUgU2FmYXJpLzUzNy4zNg0KDQo="}
00726{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":37,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":14,"flow_packet_id":2,"flow_last_seen":1429000054967,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":261,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":261,"pkt_l4_len":225,"ts_msec":1429000054967,"pkt":"AAACEgAAAAAAAAAAAAAIAEUcAPUEEkAArQbHccvNgWUKNqn6AFCnCorJCJ8MOwSFUBgII8UCAABIVFRQLzEuMSAyMDAgT0sNCkNvbm5lY3Rpb246IGNsb3NlDQpDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQ0KQ29udGVudC1EaXNwb3NpdGlvbjogYXR0YWNobWVudDsgZmlsZW5hbWU9bWljcm9tc2dyZXNwLmRhdA0KQ29udGVudC1MZW5ndGg6IDQ3DQoNCn5fAAAAAFUr0H3fAhACF0hkbD5sDN+EgwDvBAYGAAAXudj2eCNNjv4Uv\/n42\/lx"}
00725{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":38,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":13,"flow_packet_id":3,"flow_last_seen":1429000055158,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":261,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":261,"pkt_l4_len":225,"ts_msec":1429000055158,"pkt":"AAACEgAAAAAAAAAAAAAIAEUcAPUJYkAArAas5svNl6AKNqn6AFDWZdcfCppPknoiUBkIIrzXAABIVFRQLzEuMSAyMDAgT0sNCkNvbm5lY3Rpb246IGNsb3NlDQpDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQ0KQ29udGVudC1EaXNwb3NpdGlvbjogYXR0YWNobWVudDsgZmlsZW5hbWU9bWljcm9tc2dyZXNwLmRhdA0KQ29udGVudC1MZW5ndGg6IDQ3DQoNCn5fAAAAAFUr0H3fAhACF0hkbD5sDN+EgwD\/BAgIAACTADJ0e1hwz8xBqPPud44t"}
00564{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":83,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":15,"flow_packets_processed":1,"flow_first_seen":1429000110390,"flow_last_seen":1429000110390,"flow_idle_time":7440000,"flow_min_l4_payload_len":625,"flow_max_l4_payload_len":625,"flow_tot_l4_payload_len":625,"flow_avg_l4_payload_len":625,"midstream":1,"ts_msec":1429000110390,"l3_proto":"ip4","src_ip":"10.54.169.250","dst_ip":"203.205.147.215","src_port":35670,"dst_port":80,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
01290{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":83,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":1,"flow_last_seen":1429000110390,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":681,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":681,"pkt_l4_len":645,"ts_msec":1429000110390,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAApm620AAPwZqrgo2qfrLzZPXi1YAUBkYU+pems3wUBgAbqLPAABQT1NUIGh0dHA6Ly9oa21pbm9yc2hvcnQud2VpeGluLnFxLmNvbS9jZ2ktYmluL21pY3JvbXNnLWJpbi9ydGt2cmVwb3J0IEhUVFAvMS4xDQpBY2NlcHQ6ICovKg0KQ2FjaGUtQ29udHJvbDogbm8tY2FjaGUNCkNvbm5lY3Rpb246IGNsb3NlDQpDb250ZW50LUxlbmd0aDogMzU1DQpDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQ0KSG9zdDogaGttaW5vcnNob3J0LndlaXhpbi5xcS5jb20NClVzZXItQWdlbnQ6IE1pY3JvTWVzc2VuZ2VyIENsaWVudA0KDQqNXyYBAEFVK9B93wIQAhdIZGw+bAzfhIMAzAXaBLgCxN0BAsPj4k0n0ICdjYK52ViOWnOC4Vzgxi7+iegOsMW+oW6QdEAHg+UlyxaSBb9\/s0oeR4gum6gk+uWhqjv3Tkoz3jpOxZ3uqg5IoeAevVK78mE+75Mm5QEXaL\/24wa8I4nsiJTVEr54yg9WsIjA1I\/cd65YM57jS4+t1kJ\/xpqwwPsMfqK2G34N85Xo0uWP1F2PyLEjHiJZyK4xRu\/XYVzahdDn1vQRPtqQ3i2o6ggKNGN3kBkFa6C2GO0zTqwt7XUYqb0ppGq3KKIyPCtrTg5YICuEsfTDMTLer3J067M5VD93Ij+RkxqqGFN9+gvu+C\/smM0OksnEYsvtVnkr65ZF5Pk4qVPYHRDIlRcRHe0XzckIkJitYHFr8VSN2R6GxFfZK0YtMPQdmLxH6qLecheL3Cuuz7XcYpBc6JGpDIih+q4v"}
-00807{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":83,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":15,"flow_packets_processed":1,"flow_first_seen":1429000110390,"flow_last_seen":1429000110390,"flow_idle_time":7440000,"flow_min_l4_payload_len":625,"flow_max_l4_payload_len":625,"flow_tot_l4_payload_len":625,"flow_avg_l4_payload_len":625,"midstream":1,"ts_msec":1429000110390,"l3_proto":"ip4","src_ip":"10.54.169.250","dst_ip":"203.205.147.215","src_port":35670,"dst_port":80,"l4_proto":"tcp","ndpi": {"proto":"HTTP.QQ","breed":"Fun","category":"Chat"},"http": {"hostname":"hkminorshort.weixin.qq.com","url":"hkminorshort.weixin.qq.comhttp:\/\/hkminorshort.weixin.qq.com\/cgi-bin\/micromsg-bin\/rtkvreport","code":0,"content_type":"","user_agent":"MicroMessenger Client"}}
+00781{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":83,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":15,"flow_packets_processed":1,"flow_first_seen":1429000110390,"flow_last_seen":1429000110390,"flow_idle_time":7440000,"flow_min_l4_payload_len":625,"flow_max_l4_payload_len":625,"flow_tot_l4_payload_len":625,"flow_avg_l4_payload_len":625,"midstream":1,"ts_msec":1429000110390,"l3_proto":"ip4","src_ip":"10.54.169.250","dst_ip":"203.205.147.215","src_port":35670,"dst_port":80,"l4_proto":"tcp","ndpi": {"proto":"HTTP.QQ","breed":"Fun","category":"Chat"},"http": {"hostname":"hkminorshort.weixin.qq.com","url":"http:\/\/hkminorshort.weixin.qq.com\/cgi-bin\/micromsg-bin\/rtkvreport","code":0,"content_type":"","user_agent":"MicroMessenger Client"}}
00729{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":84,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":2,"flow_last_seen":1429000110528,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":262,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":262,"pkt_l4_len":226,"ts_msec":1429000110528,"pkt":"AAACEgAAAAAAAAAAAAAIAEUcAPYrhEAArQaNjMvNk9cKNqn6AFCLVl6azfAZGFZbUBgIKKjyAABIVFRQLzEuMSAyMDAgT0sNCkNvbm5lY3Rpb246IGNsb3NlDQpDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQ0KQ29udGVudC1EaXNwb3NpdGlvbjogYXR0YWNobWVudDsgZmlsZW5hbWU9bWljcm9tc2dyZXNwLmRhdA0KQ29udGVudC1MZW5ndGg6IDQ4DQoNCoJfAAAAAFUr0H3fAhACF0hkbD5sDN+EgwDMBQYGAIBAF7nY9ngjTY7+FL\/5+Nv5cQ=="}
00562{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":90,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":16,"flow_packets_processed":1,"flow_first_seen":1429000117728,"flow_last_seen":1429000117728,"flow_idle_time":7440000,"flow_min_l4_payload_len":582,"flow_max_l4_payload_len":582,"flow_tot_l4_payload_len":582,"flow_avg_l4_payload_len":582,"midstream":1,"ts_msec":1429000117728,"l3_proto":"ip4","src_ip":"10.54.169.250","dst_ip":"54.179.140.65","src_port":56381,"dst_port":80,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
01228{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":90,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":1,"flow_last_seen":1429000117728,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":638,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":638,"pkt_l4_len":602,"ts_msec":1429000117728,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAAm69YkAAPwYFAwo2qfo2s4xB3D0AUJYYUVzgorreUBgAc7mmAABHRVQgL3Bhc3MvdjIvc2FmZS91c2VyL2NvcmVJbmZvP3NpZ25hdHVyZT11JTJGNzNkRVhCSGJlamV2MElTTnduR3l5ZmVUdyUzRCZ1c2VySWQ9TXo1WHI1VVhLdXc4M2h4ZDZZbXMydyUzRCUzRCBIVFRQLzEuMQ0KQ29udGVudC1UeXBlOiBhcHBsaWNhdGlvbi94LXd3dy1mb3JtLXVybGVuY29kZWQNCkNvb2tpZTogY1VzZXJJZD1SbmVTNDhuLWRZX1ZlMllKU3NWLXF0RUxvOG87IHNlcnZpY2VUb2tlbj1qYWl5azdjUlQ0WDI0RWp3eENnQUxHOEFJdk9pWmNWTFU1cCsyaW9HSzVaK1MrWDFLbkJwOHBGUDJIV3FhVFJEWHU1eUY3YjZqaDdYdDQxZTZZOXYyUVRGN2tnbUhrSjBhSXJ0Sm9iOTBaZ2lBMy8rYlZQWXBrcVM3ajhUREorNEo3Rkt3VzFsZDZCWSswakU4SncxbGYrTVE0OEVUQmlOc01FbEthUGh2MEREOVZvUlMxNXRVM2dSMHlmVEcxWHMNClVzZXItQWdlbnQ6IERhbHZpay8xLjYuMCAoTGludXg7IFU7IEFuZHJvaWQgNC40LjQ7IE1JIDNXIE1JVUkvVjYuNC4yLjAuS1hETUlDQikNCkhvc3Q6IGFwaS5hY2NvdW50LnhpYW9taS5jb20NCkNvbm5lY3Rpb246IEtlZXAtQWxpdmUNCkFjY2VwdC1FbmNvZGluZzogZ3ppcA0KDQo="}
-00896{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":90,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":16,"flow_packets_processed":1,"flow_first_seen":1429000117728,"flow_last_seen":1429000117728,"flow_idle_time":7440000,"flow_min_l4_payload_len":582,"flow_max_l4_payload_len":582,"flow_tot_l4_payload_len":582,"flow_avg_l4_payload_len":582,"midstream":1,"ts_msec":1429000117728,"l3_proto":"ip4","src_ip":"10.54.169.250","dst_ip":"54.179.140.65","src_port":56381,"dst_port":80,"l4_proto":"tcp","ndpi": {"proto":"HTTP.Amazon","breed":"Acceptable","category":"Web"},"http": {"hostname":"api.account.xiaomi.com","url":"api.account.xiaomi.com\/pass\/v2\/safe\/user\/coreInfo?signature=u%2F73dEXBHbejev0ISNwnGyyfeTw%3D&userId=Mz5Xr5UXKuw83hxd6Yms2w%3D%3D","code":0,"content_type":"","user_agent":"Dalvik\/1.6.0 (Linux; U; Android 4.4.4; MI 3W MIUI\/V6.4.2.0.KXDMICB)"}}
+00901{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":90,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":16,"flow_packets_processed":1,"flow_first_seen":1429000117728,"flow_last_seen":1429000117728,"flow_idle_time":7440000,"flow_min_l4_payload_len":582,"flow_max_l4_payload_len":582,"flow_tot_l4_payload_len":582,"flow_avg_l4_payload_len":582,"midstream":1,"ts_msec":1429000117728,"l3_proto":"ip4","src_ip":"10.54.169.250","dst_ip":"54.179.140.65","src_port":56381,"dst_port":80,"l4_proto":"tcp","ndpi": {"proto":"HTTP.AmazonAWS","breed":"Acceptable","category":"Cloud"},"http": {"hostname":"api.account.xiaomi.com","url":"api.account.xiaomi.com\/pass\/v2\/safe\/user\/coreInfo?signature=u%2F73dEXBHbejev0ISNwnGyyfeTw%3D&userId=Mz5Xr5UXKuw83hxd6Yms2w%3D%3D","code":0,"content_type":"","user_agent":"Dalvik\/1.6.0 (Linux; U; Android 4.4.4; MI 3W MIUI\/V6.4.2.0.KXDMICB)"}}
01498{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":92,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":2,"flow_last_seen":1429000118045,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":831,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":831,"pkt_l4_len":795,"ts_msec":1429000118045,"pkt":"AAACEgAAAAAAAAAAAAAIAEUcAy+57kAArQaZmTazjEEKNqn6AFDcPeCiut6WGFOiUBgIJVI5AABIVFRQLzEuMSAyMDAgT0sNCkNhY2hlLUNvbnRyb2w6IG5vLWNhY2hlDQpDb250ZW50LUVuY29kaW5nOiBnemlwDQpEYXRlOiBUdWUsIDE0IEFwciAyMDE1IDA4OjI4OjM3IEdNVA0KU2VydmVyOiBUZW5naW5lLzIuMC4xDQpDb25uZWN0aW9uOiBrZWVwLWFsaXZlDQpDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL2pzb247Y2hhcnNldD11dGYtOA0KQ29udGVudC1MZW5ndGg6IDU1Ng0KDQofiwgAAAAAAAADBMHXokMwAADQD+pDVCuuR7VCzdrerESNxijK199zgLVnYggNE5ULioIZGP6CKSQ+J1Ue9LQPP\/PeL9xYw3Gkgs8aCeFd\/zZqCdqbSs4SDagv3Q8gbXJOLHNZZfmdTsJ6vPDYpe+\/rdailf+Vy4WCt5JCSfPLvLm\/VjBPjj45GMX6eUks60t+xxt21vhZm+cZaqa7DoZ7yob2ejBdIHAVjR1TTdJhFubG5KBya8nY0zzMWLsuzvCvt9glIynGQHg+BLRZzPC8ZTGPUyOvUh05tiZ\/balrrwKQt2cEeJstEBP0D5BLZnKvY160w+\/OrxB+sjFauMt5dnHUcI3t7SoTqChgxCrhMkNhG6YVl2LK8pgjuYhqcDRox+KgQzOA\/hLmGzg3uirtssbFIVC5Aro3ACcGCwISGwb1VxWHonPvyWHNDlG81Bqq3QQetunNZnl6oz4rq\/ZHNPTVG61wMgLdvvo4GWhjgZ\/bnblrSFNGd7Mdr5MexXVx6SfeJVyvwBelPETxWHKKoRDa8ZjUvT0cEJOB7G\/G7e4ZZ\/83OAc7CIIAAEA\/iIulwzriBqhJkUE6bpVlTg1QY+rX1\/uCF5JNOyMtykH7DdhqEwaXY8s7mPz38wS8mngvjnR+4AS+bZOCqFuqMeaMn6SzJIMOPFhSp7GcsxUbtqiwMa7\/yvtnpf2t24H4WaAC+sVExSgCQaWyVTSeVY6vezz8ABeIl3WAAgAA"}
00562{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":105,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":17,"flow_packets_processed":1,"flow_first_seen":1429000153937,"flow_last_seen":1429000153937,"flow_idle_time":7440000,"flow_min_l4_payload_len":446,"flow_max_l4_payload_len":446,"flow_tot_l4_payload_len":446,"flow_avg_l4_payload_len":446,"midstream":1,"ts_msec":1429000153937,"l3_proto":"ip4","src_ip":"10.54.169.250","dst_ip":"120.28.35.40","src_port":52017,"dst_port":80,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3}
01049{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":105,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":17,"flow_packet_id":1,"flow_last_seen":1429000153937,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":502,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":502,"pkt_l4_len":466,"ts_msec":1429000153937,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAAeag6kAAPwZJswo2qfp4HCMoyzEAUC00WpDdwOXGUBgBycCpAABHRVQgL3NlZy92b2wxL3MvV2FybmVyL3FwbWV6emhhd2tkaWdpdGFsY29udGFnaW9uMjA1NDAzM2ZlYXR1cmVlbmdsaXNoMjBsdHJ0MjM5NzZmcHM3ODM0MTkyLzIwMTUtMDItMDIvU1RWNTEwUjM2MC9xcG1lenotSGF3a19EaWdpdGFsX0NPTlRBR0lPTl8yMDU0MDMzX0ZFQVRVUkVfRU5HTElTSF8yXzBfTFRSVF8yMzk3NmZwc183ODM0MTkyLm0ydF9TVFY1MTBSMzYwLTAwNDgudHMgSFRUUC8xLjENCkhvc3Q6IHZvZC1zaW5ndGVsaGF3ay5xdWlja3BsYXkuY29tDQpDb25uZWN0aW9uOiBrZWVwLWFsaXZlDQpVc2VyLUFnZW50OiBNb3ppbGxhLzUuMCAoTGludXg7IEFuZHJvaWQgNC40LjQ7IE1JIDNXIEJ1aWxkL0tUVTg0UCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgVmVyc2lvbi80LjAgQ2hyb21lLzMzLjAuMC4wIE1vYmlsZSBTYWZhcmkvNTM3LjM2DQoNCg=="}
@@ -125,9 +125,9 @@
~~ total active/idle flows...: 21/21
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1969957 bytes
-~~ total memory freed........: 1969957 bytes
-~~ total allocations/frees...: 35595/35595
+~~ total memory allocated....: 4624063 bytes
+~~ total memory freed........: 4624063 bytes
+~~ total allocations/frees...: 99805/99805
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 165 chars
~~ json string max len.......: 2360 chars
diff --git a/test/results/radius_false_positive.pcapng.out b/test/results/radius_false_positive.pcapng.out
new file mode 100644
index 000000000..81a8a10da
--- /dev/null
+++ b/test/results/radius_false_positive.pcapng.out
@@ -0,0 +1,23 @@
+00457{"daemon_event_id":1,"daemon_event_name":"init","thread_id":0,"packet_id":0,"source":"radius_false_positive.pcapng","alias":"nDPId-test","max-flows-per-thread":2048,"max-idle-flows-per-thread":256,"tick-resolution":1000,"reader-thread-count":1,"flow-scan-interval":10000,"generic-max-idle-time":600000,"icmp-max-idle-time":120000,"udp-max-idle-time":180000,"tcp-max-idle-time":7560000,"max-packets-per-flow-to-send":3,"max-packets-per-flow-to-process":255}
+00612{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1,"source":"radius_false_positive.pcapng","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1638897892722,"flow_last_seen":1638897892722,"flow_idle_time":180000,"flow_min_l4_payload_len":1230,"flow_max_l4_payload_len":1230,"flow_tot_l4_payload_len":1230,"flow_avg_l4_payload_len":1230,"midstream":0,"ts_msec":1638897892722,"l3_proto":"ip6","src_ip":"2bc6:b5ac:cb3b:676b::18","dst_ip":"3dba:3762:c186:e122:89b0:5170:a86c:ecff","src_port":443,"dst_port":53129,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+02131{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"radius_false_positive.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_last_seen":1638897892722,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1292,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":1292,"pkt_l4_len":1238,"ts_msec":1638897892722,"pkt":"AAAAAAAAAAUAHNVSht1ohf3HBNYRNyvGtazLO2drAAAAAAAAABg9ujdiwYbhIomwUXCobOz\/AbvPiQTW\/+II9QTO5\/6moMoBfKc4frxprVfBsxdaQAED2QEABgCgAQJbUkVKAAcAAABTVEsAOAAAAFNOTwBsAAAAUFJPRmwBAABTQ0ZH8wEAAFJSRUr3AQAAU1RUTP8BAABDUlT\/GwIAADVoRFFcZEfiQgn1oXI2ORzyXhwGYKf\/Flu1\/kK\/l4UH4q9DCId2Xb2zn9efGujSc\/F0aNOeHZb6KAjEeRC9dXjLQIA3XVxkxqhCJrs95QV3gGPSLgjsQQ873Rxpmhq\/VDe1SdA9fAVAXfMUX1s0Z5mAWpV6sSbDkPHYULs7X0KVe+fR2Ai5noT8neP+HJa14zskJKzRF7WTWAfIPB94k7XcyneleZDZy\/LsPNPpKzumkgJT693IGvFFGpwQ7o47hVb2V37u8BaJMyzZuDr4CIc8F1YA1joFN7OPyOLc3a+gm+fEb18FG1gS\/ZrcntqavJ3HLz5Vi8zFgzSja7rxlz5ZT0Fgr\/\/hUJDycGNBHRHMai1MLz1CKo55ez2Vq+oMFJFtHL8m7Yk0AZ6oTphvz\/47C32mJ\/BonrdxqQzXuP2SrkxlJp8ughvQJBkM+kPiZ+nnveyN+ypLny4LxyWPno4oScYJJSbW2FdJTZlTQ0ZHBgAAAEFFQUQIAAAAU0NJRBgAAABQVUJTOwAAAEtFWFM\/AAAAT0JJVEcAAABFWFBZTwAAAEFFU0dDQzIwYXTY6XlRVYYUrxtElpX4jCAAAK5TCWYobSWz756zKFc0+OhHde7JrmIR8db7Z6FsadZoQzI1NVZwm2DcDowaV9aKYgAAAAANAAAAcj3bAAAAAAAC1l9bpELMSn4CHk1io2ZOe6cCwpjjNUiKNMcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="}
+02143{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"radius_false_positive.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_last_seen":1638897892751,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1292,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":1292,"pkt_l4_len":1238,"ts_msec":1638897892751,"pkt":"AAAAAAAAAAUAHNVSht1ohf3HBNYRNyvGtazLO2drAAAAAAAAABg9ujdiwYbhIomwUXCobOz\/AbvPiQTWXcUENlLj0f+6+Jgr1PUqO1anUCJ2f97tXf2Z8dBl2WTNukYCx1qDOvW8l6pBbA\/QzGs9GCu+xmb0GpSAkHyfZJ2yzr+NsYf988AiiEM8Mw9vmVCFpA4j3zmgSbUMUqgIFl\/ckMyhcXVUAjUruKWcZMMMomSxBL0vpnp1XovZUE8pJR53GIvlrl+aH1JwTdTEvoURGDfXj7HymZzIuiSpGYcRD4vDvqxyXwPsD4kklWrCDS5cMNSnSoB8eE1CrkyDZbEac8d6Z9X9O9hVutHpXHdc8gBWr725a+RbAoF\/nPg5l47cpx3KLC5AygsRsFUsycadOOJsrJqf+9lTAUvzlDtUj+J25fiK8TqR0Htv0gjY+Jf2ES1obpMcjsWCiXC6C0982Lwh98CIWpY1gYbDsiQa6EEuHVALLYQUT42cGlDbewsfp4Tjx+NbNHC0NZc0UCj102HBZbyY5AOE9r7wfqiQaj2v1GD0l19oUj5P0xtAFB0SNmmD5d08q+OoF+ZBA0E6SCA8jehYueJJlNRt2O31FJ1PeCVRpXT8NS7VE4tXMJ8ZArjTuP5NIrSPPhiEXOHrCn7C8kPSZZB1pxxVhkM4fCfMQWma2EIEU+REEtViwMip2cC0g0V4nnW\/YfK+57akB9Uu+0UaHviwxWuzhAxGMdVzbjXnwSWJNac8i6mybugAVsdsQkGBl70YyNWbeahKe2D3y1P1bYLnJrYbOkYRBF+Acbl4FGuz\/nCgMU7SEMmI0+\/U7iLhf8TNIcHbgmGN3xWUp8MMU9z3FDMAHi7oQ7vcqn2oU94rkkS4y8axIrx2QwCkDJN+5S2PReVaFfu1ihdUnHLmPXcZnAO8wWRnGVr5ewQO2snzrfhV6kqHoNqKp3sFYCKZ0h+VYPxDLQBix8ZW6P\/vNI9cAHY6sTfoSrJh69tT4CbgMvKAE\/sDmImL3P9qv\/1IhHstTBm1LX4GOfYYS3rPAwVQ4pUO6qOTB\/jrOTmqyO8ggnJnicgTHfMyrt\/YUwgZmzOkC+28uYLM3BRiFyBEWOfbvNmWpIppEHAM4TQ0LASWi29RTMAA6yhmP48DyvIzh6MvPkc0C7ttlJFR5dXsueCqSPXJSa6RHS4Ghz3UQkk\/bW1yQQQsHLm1zJ0CZlvZsfILcijdRrY9oJzL3OU10dq2OTOj0EwYIjYZjoMNzWrVQoyWC\/hUYzb6TZHFiQ0v1S83RquW6dw1uqUaQxnSA6gjTt36ObS8o0yGINds3ce3lWwTO8wJp\/1VtDvWP4mJz0R1RdgPl7H3Qc\/OIu\/Uiz172qtXeu\/a6zn7juIxWvjrSwDhsEYK4AndiRVwqXJA+\/U7JrGg\/1Z+sEaWCLNPlGxx1qPQc\/lXR7j8\/6rGoy9j+Sp2Y0lmI790AsfFUJVXzf8\/sNql\/iXQyYk27jdTY1xFLuqEW+0sJDJplhnhSo2HCLraX8NwZK089VGLFoARqXLlZelV4DNWO6zmal7a5naaLGht\/dyC7GGpM
9macDSuMEKqgE9PYIHiWZZiwe0n1VqYdrMTEbEA3PMydAo+v0ArxApe\/wf93uRzNVvGy\/z5z3Li6zsJTZIl4sCmgnO9Hg9luCpGiq\/3VXjdOqOdtq2C1KUdQUsQ0qfvDVjcB41LwFOcvnc="}
+00503{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"radius_false_positive.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_last_seen":1638897892751,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":85,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":85,"pkt_l4_len":31,"ts_msec":1638897892751,"pkt":"AAAAAAAAAAUAHNVSht1gBf3HAB8RNyvGtazLO2drAAAAAAAAABg9ujdiwYbhIomwUXCobOz\/AbvPiQAfGG4AA72ZrkYpyvqLS4TIp3bivr3zq\/PFuA=="}
+00627{"flow_event_id":8,"flow_event_name":"not-detected","thread_id":0,"packet_id":10,"source":"radius_false_positive.pcapng","alias":"nDPId-test","flow_id":1,"flow_packets_processed":10,"flow_first_seen":1638897892722,"flow_last_seen":1638897893066,"flow_idle_time":180000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":1230,"flow_tot_l4_payload_len":6859,"flow_avg_l4_payload_len":685,"midstream":0,"ts_msec":1638897893066,"l3_proto":"ip6","src_ip":"2bc6:b5ac:cb3b:676b::18","dst_ip":"3dba:3762:c186:e122:89b0:5170:a86c:ecff","src_port":443,"dst_port":53129,"l4_proto":"udp","ndpi": {"proto":"Unknown","breed":"Unrated"}}
+00612{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":10,"source":"radius_false_positive.pcapng","alias":"nDPId-test","flow_id":1,"flow_packets_processed":10,"flow_first_seen":1638897892722,"flow_last_seen":1638897893066,"flow_idle_time":180000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":1230,"flow_tot_l4_payload_len":6859,"flow_avg_l4_payload_len":685,"midstream":0,"ts_msec":1638897893066,"l3_proto":"ip6","src_ip":"2bc6:b5ac:cb3b:676b::18","dst_ip":"3dba:3762:c186:e122:89b0:5170:a86c:ecff","src_port":443,"dst_port":53129,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00171{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":10,"source":"radius_false_positive.pcapng","alias":"nDPId-test","total-events-serialized":8}
+~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
+~~ packets captured/processed: 10/10
+~~ skipped flows.............: 0
+~~ total layer4 data length..: 6859 bytes
+~~ total detected protocols..: 0
+~~ total active/idle flows...: 1/1
+~~ total timeout flows.......: 0
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~ total memory allocated....: 4590729 bytes
+~~ total memory freed........: 4590729 bytes
+~~ total allocations/frees...: 99544/99544
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~ json string min len.......: 176 chars
+~~ json string max len.......: 2148 chars
+~~ json string avg len.......: 1219 chars
diff --git a/test/results/rdp.pcap.out b/test/results/rdp.pcap.out
index 4b8af4cb8..7126ab5f1 100644
--- a/test/results/rdp.pcap.out
+++ b/test/results/rdp.pcap.out
@@ -4028,9 +4028,9 @@
~~ total active/idle flows...: 0/0
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1926508 bytes
-~~ total memory freed........: 1926508 bytes
-~~ total allocations/frees...: 35335/35335
+~~ total memory allocated....: 4589247 bytes
+~~ total memory freed........: 4589247 bytes
+~~ total allocations/frees...: 99531/99531
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 161 chars
~~ json string max len.......: 2075 chars
diff --git a/test/results/reasm_crash_anon.pcapng.out b/test/results/reasm_crash_anon.pcapng.out
index 746cdece7..5b965e5ff 100644
--- a/test/results/reasm_crash_anon.pcapng.out
+++ b/test/results/reasm_crash_anon.pcapng.out
@@ -32,9 +32,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1942983 bytes
-~~ total memory freed........: 1942983 bytes
-~~ total allocations/frees...: 35542/35542
+~~ total memory allocated....: 4605298 bytes
+~~ total memory freed........: 4605298 bytes
+~~ total allocations/frees...: 99738/99738
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 173 chars
~~ json string max len.......: 594 chars
diff --git a/test/results/reasm_segv_anon.pcapng.out b/test/results/reasm_segv_anon.pcapng.out
index b7292d540..976a8fc11 100644
--- a/test/results/reasm_segv_anon.pcapng.out
+++ b/test/results/reasm_segv_anon.pcapng.out
@@ -3,7 +3,7 @@
00198{"basic_event_id":15,"basic_event_name":"Captured packet size is smaller than packet size","thread_id":0,"packet_id":1,"source":"reasm_segv_anon.pcapng","alias":"nDPId-test","caplen":106,"len":110}
00560{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1,"source":"reasm_segv_anon.pcapng","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1550422828553,"flow_last_seen":1550422828553,"flow_idle_time":180000,"flow_min_l4_payload_len":64,"flow_max_l4_payload_len":64,"flow_tot_l4_payload_len":64,"flow_avg_l4_payload_len":64,"midstream":0,"ts_msec":1550422828553,"l3_proto":"ip4","src_ip":"145.76.2.236","dst_ip":"187.96.52.85","src_port":2152,"dst_port":2152,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"reasm_segv_anon.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_last_seen":1550422828553,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":106,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":110,"pkt_l4_len":72,"ts_msec":1550422828553,"pkt":"AAAAcxs8EFFy5LtdCABFeABcpb4AAEARUG2RTALsu2A0VQhoCGgASAAAMv8AOAn8kEPKcwAARQAANFkiQAB\/BgGSrBEkFT++kSvhEwBQ8LOPBjqqVCGAEAEBeCMAAAEBBQo6qnTxOqqFWQ=="}
-00592{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"reasm_segv_anon.pcapng","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1550422828553,"flow_last_seen":1550422828553,"flow_idle_time":180000,"flow_min_l4_payload_len":64,"flow_max_l4_payload_len":64,"flow_tot_l4_payload_len":64,"flow_avg_l4_payload_len":64,"midstream":0,"ts_msec":1550422828553,"l3_proto":"ip4","src_ip":"145.76.2.236","dst_ip":"187.96.52.85","src_port":2152,"dst_port":2152,"l4_proto":"udp","ndpi": {"proto":"GTP","breed":"Acceptable","category":"Network"}}
+00598{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"reasm_segv_anon.pcapng","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1550422828553,"flow_last_seen":1550422828553,"flow_idle_time":180000,"flow_min_l4_payload_len":64,"flow_max_l4_payload_len":64,"flow_tot_l4_payload_len":64,"flow_avg_l4_payload_len":64,"midstream":0,"ts_msec":1550422828553,"l3_proto":"ip4","src_ip":"145.76.2.236","dst_ip":"187.96.52.85","src_port":2152,"dst_port":2152,"l4_proto":"udp","ndpi": {"proto":"GTP.GTP_U","breed":"Acceptable","category":"Network"}}
00432{"packet_event_id":1,"packet_event_name":"packet","thread_id":0,"packet_id":2,"source":"reasm_segv_anon.pcapng","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":106,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":110,"pkt_l4_len":0,"ts_msec":1550422828949,"pkt":"AAAAcxs8EFFy5LtdCABFeABcLoEAAEARx6qRTALsu2A0VQhoCGgASAAAMv8AOAn8kEPNcwAARQAANFkkQAB\/BgGQrBEkFT++kSvhEwBQ8LOPBjqqVCGAEAEBcqsAAAEBBQo6qnTxOqqK0Q=="}
00198{"basic_event_id":15,"basic_event_name":"Captured packet size is smaller than packet size","thread_id":0,"packet_id":2,"source":"reasm_segv_anon.pcapng","alias":"nDPId-test","caplen":106,"len":110}
00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"reasm_segv_anon.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_last_seen":1550422828949,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":106,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":110,"pkt_l4_len":72,"ts_msec":1550422828949,"pkt":"AAAAcxs8EFFy5LtdCABFeABcLoEAAEARx6qRTALsu2A0VQhoCGgASAAAMv8AOAn8kEPNcwAARQAANFkkQAB\/BgGQrBEkFT++kSvhEwBQ8LOPBjqqVCGAEAEBcqsAAAEBBQo6qnTxOqqK0Q=="}
@@ -70,10 +70,10 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1930502 bytes
-~~ total memory freed........: 1930502 bytes
-~~ total allocations/frees...: 35420/35420
+~~ total memory allocated....: 4592817 bytes
+~~ total memory freed........: 4592817 bytes
+~~ total allocations/frees...: 99616/99616
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 171 chars
-~~ json string max len.......: 597 chars
-~~ json string avg len.......: 391 chars
+~~ json string max len.......: 603 chars
+~~ json string avg len.......: 394 chars
diff --git a/test/results/reddit.pcap.out b/test/results/reddit.pcap.out
index 3bf3528bd..32eebbad3 100644
--- a/test/results/reddit.pcap.out
+++ b/test/results/reddit.pcap.out
@@ -20,11 +20,11 @@
00956{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":16,"source":"reddit.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":6,"flow_first_seen":1605291684451,"flow_last_seen":1605291684551,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1208,"flow_tot_l4_payload_len":1725,"flow_avg_l4_payload_len":287,"midstream":0,"ts_msec":1605291684551,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80a::200a","src_port":40028,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.GoogleServices","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"safebrowsing.googleapis.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00486{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":20,"source":"reddit.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_last_seen":1605291684551,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"ts_msec":1605291684551,"pkt":"qtsDr8lk5EKm5WPyht1gB3LfACAGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAACXZXmM3PABuxF7CxV06NLngBAB+1zSAAABAQgKqXTgG8LXMoo="}
00947{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":25,"source":"reddit.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":6,"flow_first_seen":1605291684452,"flow_last_seen":1605291684551,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":1565,"flow_avg_l4_payload_len":260,"midstream":0,"ts_msec":1605291684551,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56558,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.reddit.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-01215{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":27,"source":"reddit.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":8,"flow_first_seen":1605291684452,"flow_last_seen":1605291684551,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":3661,"flow_avg_l4_payload_len":457,"midstream":0,"ts_msec":1605291684551,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56558,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.reddit.com","server_names":"reddit.com,*.reddit.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","issuerDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.reddit.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"DB:E9:D5:FE:EB:EF:68:34:55:FD:62:BA:C9:BB:04:D4:E3:22:18:81"}}
+01216{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":27,"source":"reddit.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":8,"flow_first_seen":1605291684452,"flow_last_seen":1605291684551,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":3661,"flow_avg_l4_payload_len":457,"midstream":0,"ts_msec":1605291684551,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56558,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.reddit.com","server_names":"reddit.com,*.reddit.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.reddit.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"DB:E9:D5:FE:EB:EF:68:34:55:FD:62:BA:C9:BB:04:D4:E3:22:18:81"}}
00956{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":29,"source":"reddit.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":6,"flow_first_seen":1605291684451,"flow_last_seen":1605291684551,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1208,"flow_tot_l4_payload_len":1725,"flow_avg_l4_payload_len":287,"midstream":0,"ts_msec":1605291684551,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80a::200a","src_port":40030,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.GoogleServices","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"safebrowsing.googleapis.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00891{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":39,"source":"reddit.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":4,"flow_first_seen":1605291684481,"flow_last_seen":1605291684552,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1605291684552,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56560,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.reddit.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00947{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":56,"source":"reddit.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":6,"flow_first_seen":1605291684481,"flow_last_seen":1605291684592,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":1565,"flow_avg_l4_payload_len":260,"midstream":0,"ts_msec":1605291684592,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56560,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.reddit.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-01216{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":63,"source":"reddit.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":10,"flow_first_seen":1605291684481,"flow_last_seen":1605291684593,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":3661,"flow_avg_l4_payload_len":366,"midstream":0,"ts_msec":1605291684593,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56560,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.reddit.com","server_names":"reddit.com,*.reddit.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","issuerDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.reddit.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"DB:E9:D5:FE:EB:EF:68:34:55:FD:62:BA:C9:BB:04:D4:E3:22:18:81"}}
+01217{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":63,"source":"reddit.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":10,"flow_first_seen":1605291684481,"flow_last_seen":1605291684593,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":3661,"flow_avg_l4_payload_len":366,"midstream":0,"ts_msec":1605291684593,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56560,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.reddit.com","server_names":"reddit.com,*.reddit.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.reddit.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"DB:E9:D5:FE:EB:EF:68:34:55:FD:62:BA:C9:BB:04:D4:E3:22:18:81"}}
00581{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":279,"source":"reddit.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":1,"flow_first_seen":1605291686035,"flow_last_seen":1605291686035,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1605291686035,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56562,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00499{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":279,"source":"reddit.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_last_seen":1605291686035,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605291686035,"pkt":"qtsDr8lk5EKm5WPyht1gDzZzACgGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAACXZXmM3PIBu+DxzH8AAAAAoAL9INmFAAACBAWgBAIICql05ecAAAAAAQMDBw=="}
00581{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":280,"source":"reddit.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":1,"flow_first_seen":1605291686035,"flow_last_seen":1605291686035,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1605291686035,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56564,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -37,7 +37,7 @@
00501{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":283,"source":"reddit.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":1,"flow_last_seen":1605291686035,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605291686035,"pkt":"qtsDr8lk5EKm5WPyht1gB\/ybACgGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAACXZXmM3PoBu\/q4YysAAAAAoAL9ICkLAAACBAWgBAIICql05ecAAAAAAQMDBw=="}
00582{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":284,"source":"reddit.pcap","alias":"nDPId-test","flow_id":10,"flow_packets_processed":1,"flow_first_seen":1605291686035,"flow_last_seen":1605291686035,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1605291686035,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56572,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00500{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":284,"source":"reddit.pcap","alias":"nDPId-test","flow_id":10,"flow_packet_id":1,"flow_last_seen":1605291686035,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605291686035,"pkt":"qtsDr8lk5EKm5WPyht1gAreKACgGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAACXZXmM3PwBu8WSVasAAAAAoAL9IGuvAAACBAWgBAIICql05ecAAAAAAQMDBw=="}
-01220{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":338,"source":"reddit.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":255,"flow_first_seen":1605291684452,"flow_last_seen":1605291686054,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":6245,"flow_tot_l4_payload_len":187363,"flow_avg_l4_payload_len":734,"midstream":0,"ts_msec":1605291686054,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56558,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.reddit.com","server_names":"reddit.com,*.reddit.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","issuerDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.reddit.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"DB:E9:D5:FE:EB:EF:68:34:55:FD:62:BA:C9:BB:04:D4:E3:22:18:81"}}
+01221{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":338,"source":"reddit.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":255,"flow_first_seen":1605291684452,"flow_last_seen":1605291686054,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":6245,"flow_tot_l4_payload_len":187363,"flow_avg_l4_payload_len":734,"midstream":0,"ts_msec":1605291686054,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56558,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.reddit.com","server_names":"reddit.com,*.reddit.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.reddit.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"DB:E9:D5:FE:EB:EF:68:34:55:FD:62:BA:C9:BB:04:D4:E3:22:18:81"}}
00582{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":417,"source":"reddit.pcap","alias":"nDPId-test","flow_id":11,"flow_packets_processed":1,"flow_first_seen":1605291686060,"flow_last_seen":1605291686060,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1605291686060,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56574,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00500{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":417,"source":"reddit.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":1,"flow_last_seen":1605291686060,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605291686060,"pkt":"qtsDr8lk5EKm5WPyht1gBKPwACgGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAACXZXmM3P4Bu+9x1NYAAAAAoAL9IMKJAAACBAWgBAIICql05gAAAAAAAQMDBw=="}
00582{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":418,"source":"reddit.pcap","alias":"nDPId-test","flow_id":12,"flow_packets_processed":1,"flow_first_seen":1605291686060,"flow_last_seen":1605291686060,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1605291686060,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56576,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -101,15 +101,15 @@
00489{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":467,"source":"reddit.pcap","alias":"nDPId-test","flow_id":18,"flow_packet_id":3,"flow_last_seen":1605291686102,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"ts_msec":1605291686102,"pkt":"qtsDr8lk5EKm5WPyht1gBZ0wACAGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAACXZXmM3QwBu2zjowYOlaP5gBAB+\/JSAAABAQgKqXTmKsLXOMY="}
00894{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":468,"source":"reddit.pcap","alias":"nDPId-test","flow_id":18,"flow_packets_processed":4,"flow_first_seen":1605291686064,"flow_last_seen":1605291686103,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1605291686103,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56588,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"preview.redd.it","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00954{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":470,"source":"reddit.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":6,"flow_first_seen":1605291686035,"flow_last_seen":1605291686105,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":1565,"flow_avg_l4_payload_len":260,"midstream":0,"ts_msec":1605291686105,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56564,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.redditstatic.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-01228{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":475,"source":"reddit.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":10,"flow_first_seen":1605291686035,"flow_last_seen":1605291686106,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":3661,"flow_avg_l4_payload_len":366,"midstream":0,"ts_msec":1605291686106,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56564,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.redditstatic.com","server_names":"www.redditstatic.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","issuerDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=www.redditstatic.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"24:BA:A2:05:04:98:6C:4E:72:57:0C:2C:45:25:9D:1F:8E:C3:CC:A8"}}
+01229{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":475,"source":"reddit.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":10,"flow_first_seen":1605291686035,"flow_last_seen":1605291686106,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":3661,"flow_avg_l4_payload_len":366,"midstream":0,"ts_msec":1605291686106,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56564,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.redditstatic.com","server_names":"www.redditstatic.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=www.redditstatic.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"24:BA:A2:05:04:98:6C:4E:72:57:0C:2C:45:25:9D:1F:8E:C3:CC:A8"}}
00954{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":490,"source":"reddit.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":7,"flow_first_seen":1605291686035,"flow_last_seen":1605291686110,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":1565,"flow_avg_l4_payload_len":223,"midstream":0,"ts_msec":1605291686110,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56562,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.redditstatic.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-01227{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":492,"source":"reddit.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":9,"flow_first_seen":1605291686035,"flow_last_seen":1605291686110,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":3661,"flow_avg_l4_payload_len":406,"midstream":0,"ts_msec":1605291686110,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56562,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.redditstatic.com","server_names":"www.redditstatic.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","issuerDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=www.redditstatic.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"24:BA:A2:05:04:98:6C:4E:72:57:0C:2C:45:25:9D:1F:8E:C3:CC:A8"}}
+01228{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":492,"source":"reddit.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":9,"flow_first_seen":1605291686035,"flow_last_seen":1605291686110,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":3661,"flow_avg_l4_payload_len":406,"midstream":0,"ts_msec":1605291686110,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56562,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.redditstatic.com","server_names":"www.redditstatic.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=www.redditstatic.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"24:BA:A2:05:04:98:6C:4E:72:57:0C:2C:45:25:9D:1F:8E:C3:CC:A8"}}
00954{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":498,"source":"reddit.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":7,"flow_first_seen":1605291686035,"flow_last_seen":1605291686127,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":1565,"flow_avg_l4_payload_len":223,"midstream":0,"ts_msec":1605291686127,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56568,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.redditstatic.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00954{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":501,"source":"reddit.pcap","alias":"nDPId-test","flow_id":9,"flow_packets_processed":7,"flow_first_seen":1605291686035,"flow_last_seen":1605291686128,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":1565,"flow_avg_l4_payload_len":223,"midstream":0,"ts_msec":1605291686128,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56570,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.redditstatic.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-01228{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":502,"source":"reddit.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":10,"flow_first_seen":1605291686035,"flow_last_seen":1605291686128,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":3661,"flow_avg_l4_payload_len":366,"midstream":0,"ts_msec":1605291686128,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56568,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.redditstatic.com","server_names":"www.redditstatic.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","issuerDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=www.redditstatic.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"24:BA:A2:05:04:98:6C:4E:72:57:0C:2C:45:25:9D:1F:8E:C3:CC:A8"}}
-01228{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":508,"source":"reddit.pcap","alias":"nDPId-test","flow_id":9,"flow_packets_processed":10,"flow_first_seen":1605291686035,"flow_last_seen":1605291686128,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":3661,"flow_avg_l4_payload_len":366,"midstream":0,"ts_msec":1605291686128,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56570,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.redditstatic.com","server_names":"www.redditstatic.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","issuerDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=www.redditstatic.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"24:BA:A2:05:04:98:6C:4E:72:57:0C:2C:45:25:9D:1F:8E:C3:CC:A8"}}
+01229{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":502,"source":"reddit.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":10,"flow_first_seen":1605291686035,"flow_last_seen":1605291686128,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":3661,"flow_avg_l4_payload_len":366,"midstream":0,"ts_msec":1605291686128,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56568,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.redditstatic.com","server_names":"www.redditstatic.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=www.redditstatic.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"24:BA:A2:05:04:98:6C:4E:72:57:0C:2C:45:25:9D:1F:8E:C3:CC:A8"}}
+01229{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":508,"source":"reddit.pcap","alias":"nDPId-test","flow_id":9,"flow_packets_processed":10,"flow_first_seen":1605291686035,"flow_last_seen":1605291686128,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":3661,"flow_avg_l4_payload_len":366,"midstream":0,"ts_msec":1605291686128,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56570,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.redditstatic.com","server_names":"www.redditstatic.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=www.redditstatic.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"24:BA:A2:05:04:98:6C:4E:72:57:0C:2C:45:25:9D:1F:8E:C3:CC:A8"}}
00954{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":510,"source":"reddit.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":7,"flow_first_seen":1605291686035,"flow_last_seen":1605291686128,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":1565,"flow_avg_l4_payload_len":223,"midstream":0,"ts_msec":1605291686128,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56566,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.redditstatic.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-01228{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":516,"source":"reddit.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":10,"flow_first_seen":1605291686035,"flow_last_seen":1605291686129,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":3661,"flow_avg_l4_payload_len":366,"midstream":0,"ts_msec":1605291686129,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56566,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.redditstatic.com","server_names":"www.redditstatic.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","issuerDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=www.redditstatic.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"24:BA:A2:05:04:98:6C:4E:72:57:0C:2C:45:25:9D:1F:8E:C3:CC:A8"}}
+01229{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":516,"source":"reddit.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":10,"flow_first_seen":1605291686035,"flow_last_seen":1605291686129,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":3661,"flow_avg_l4_payload_len":366,"midstream":0,"ts_msec":1605291686129,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56566,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.redditstatic.com","server_names":"www.redditstatic.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=www.redditstatic.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"24:BA:A2:05:04:98:6C:4E:72:57:0C:2C:45:25:9D:1F:8E:C3:CC:A8"}}
00502{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":518,"source":"reddit.pcap","alias":"nDPId-test","flow_id":20,"flow_packet_id":2,"flow_last_seen":1605291686129,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605291686129,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPQBk\/5sAAAAAAAAAAJdleYwqAcsBIEmLB5kd7IUo3\/YpAbvdELkPzEPbiYGyoBJXgE4hAAACBAV4AQMDAwQCCArC1zjcqXTmGA=="}
00502{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":519,"source":"reddit.pcap","alias":"nDPId-test","flow_id":19,"flow_packet_id":2,"flow_last_seen":1605291686129,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605291686129,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPQBk\/5sAAAAAAAAAAJdleYwqAcsBIEmLB5kd7IUo3\/YpAbvdDvdaN0mUbYB0oBJXgO0tAAACBAV4AQMDAwQCCArC1zjbqXTmGA=="}
00955{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":521,"source":"reddit.pcap","alias":"nDPId-test","flow_id":10,"flow_packets_processed":7,"flow_first_seen":1605291686035,"flow_last_seen":1605291686129,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":1565,"flow_avg_l4_payload_len":223,"midstream":0,"ts_msec":1605291686129,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56572,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.redditstatic.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
@@ -117,34 +117,34 @@
00488{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":525,"source":"reddit.pcap","alias":"nDPId-test","flow_id":19,"flow_packet_id":3,"flow_last_seen":1605291686129,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"ts_msec":1605291686129,"pkt":"qtsDr8lk5EKm5WPyht1gBTHMACAGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAACXZXmM3Q4Bu5RtgHT3WjdKgBAB+3ESAAABAQgKqXTmRcLXONs="}
00900{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":527,"source":"reddit.pcap","alias":"nDPId-test","flow_id":20,"flow_packets_processed":4,"flow_first_seen":1605291686084,"flow_last_seen":1605291686129,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1605291686129,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56592,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"emoji.redditmedia.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00900{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":528,"source":"reddit.pcap","alias":"nDPId-test","flow_id":19,"flow_packets_processed":4,"flow_first_seen":1605291686084,"flow_last_seen":1605291686130,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1605291686130,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56590,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"emoji.redditmedia.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-01229{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":535,"source":"reddit.pcap","alias":"nDPId-test","flow_id":10,"flow_packets_processed":11,"flow_first_seen":1605291686035,"flow_last_seen":1605291686137,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":3661,"flow_avg_l4_payload_len":332,"midstream":0,"ts_msec":1605291686137,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56572,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.redditstatic.com","server_names":"www.redditstatic.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","issuerDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=www.redditstatic.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"24:BA:A2:05:04:98:6C:4E:72:57:0C:2C:45:25:9D:1F:8E:C3:CC:A8"}}
+01230{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":535,"source":"reddit.pcap","alias":"nDPId-test","flow_id":10,"flow_packets_processed":11,"flow_first_seen":1605291686035,"flow_last_seen":1605291686137,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":3661,"flow_avg_l4_payload_len":332,"midstream":0,"ts_msec":1605291686137,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56572,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.redditstatic.com","server_names":"www.redditstatic.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=www.redditstatic.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"24:BA:A2:05:04:98:6C:4E:72:57:0C:2C:45:25:9D:1F:8E:C3:CC:A8"}}
00957{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":541,"source":"reddit.pcap","alias":"nDPId-test","flow_id":13,"flow_packets_processed":6,"flow_first_seen":1605291686060,"flow_last_seen":1605291686137,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":1565,"flow_avg_l4_payload_len":260,"midstream":0,"ts_msec":1605291686137,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56578,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"styles.redditmedia.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-01241{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":554,"source":"reddit.pcap","alias":"nDPId-test","flow_id":13,"flow_packets_processed":10,"flow_first_seen":1605291686060,"flow_last_seen":1605291686138,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":3661,"flow_avg_l4_payload_len":366,"midstream":0,"ts_msec":1605291686138,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56578,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"styles.redditmedia.com","server_names":"*.redditmedia.com,redditmedia.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","issuerDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.redditmedia.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"96:A3:77:56:81:79:10:5C:E8:7F:F0:33:D2:7E:1C:45:08:2C:25:85"}}
+01242{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":554,"source":"reddit.pcap","alias":"nDPId-test","flow_id":13,"flow_packets_processed":10,"flow_first_seen":1605291686060,"flow_last_seen":1605291686138,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":3661,"flow_avg_l4_payload_len":366,"midstream":0,"ts_msec":1605291686138,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56578,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"styles.redditmedia.com","server_names":"*.redditmedia.com,redditmedia.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.redditmedia.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"96:A3:77:56:81:79:10:5C:E8:7F:F0:33:D2:7E:1C:45:08:2C:25:85"}}
00957{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":571,"source":"reddit.pcap","alias":"nDPId-test","flow_id":12,"flow_packets_processed":6,"flow_first_seen":1605291686060,"flow_last_seen":1605291686138,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":1565,"flow_avg_l4_payload_len":260,"midstream":0,"ts_msec":1605291686138,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56576,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"styles.redditmedia.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-01240{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":573,"source":"reddit.pcap","alias":"nDPId-test","flow_id":12,"flow_packets_processed":8,"flow_first_seen":1605291686060,"flow_last_seen":1605291686138,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":3661,"flow_avg_l4_payload_len":457,"midstream":0,"ts_msec":1605291686138,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56576,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"styles.redditmedia.com","server_names":"*.redditmedia.com,redditmedia.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","issuerDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.redditmedia.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"96:A3:77:56:81:79:10:5C:E8:7F:F0:33:D2:7E:1C:45:08:2C:25:85"}}
+01241{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":573,"source":"reddit.pcap","alias":"nDPId-test","flow_id":12,"flow_packets_processed":8,"flow_first_seen":1605291686060,"flow_last_seen":1605291686138,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":3661,"flow_avg_l4_payload_len":457,"midstream":0,"ts_msec":1605291686138,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56576,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"styles.redditmedia.com","server_names":"*.redditmedia.com,redditmedia.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.redditmedia.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"96:A3:77:56:81:79:10:5C:E8:7F:F0:33:D2:7E:1C:45:08:2C:25:85"}}
00957{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":680,"source":"reddit.pcap","alias":"nDPId-test","flow_id":11,"flow_packets_processed":6,"flow_first_seen":1605291686060,"flow_last_seen":1605291686141,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":1565,"flow_avg_l4_payload_len":260,"midstream":0,"ts_msec":1605291686141,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56574,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"styles.redditmedia.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00957{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":686,"source":"reddit.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":6,"flow_first_seen":1605291686060,"flow_last_seen":1605291686141,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":1565,"flow_avg_l4_payload_len":260,"midstream":0,"ts_msec":1605291686141,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56580,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"styles.redditmedia.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-01240{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":688,"source":"reddit.pcap","alias":"nDPId-test","flow_id":11,"flow_packets_processed":9,"flow_first_seen":1605291686060,"flow_last_seen":1605291686141,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":3661,"flow_avg_l4_payload_len":406,"midstream":0,"ts_msec":1605291686141,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56574,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"styles.redditmedia.com","server_names":"*.redditmedia.com,redditmedia.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","issuerDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.redditmedia.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"96:A3:77:56:81:79:10:5C:E8:7F:F0:33:D2:7E:1C:45:08:2C:25:85"}}
+01241{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":688,"source":"reddit.pcap","alias":"nDPId-test","flow_id":11,"flow_packets_processed":9,"flow_first_seen":1605291686060,"flow_last_seen":1605291686141,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":3661,"flow_avg_l4_payload_len":406,"midstream":0,"ts_msec":1605291686141,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56574,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"styles.redditmedia.com","server_names":"*.redditmedia.com,redditmedia.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.redditmedia.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"96:A3:77:56:81:79:10:5C:E8:7F:F0:33:D2:7E:1C:45:08:2C:25:85"}}
00950{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":696,"source":"reddit.pcap","alias":"nDPId-test","flow_id":15,"flow_packets_processed":6,"flow_first_seen":1605291686064,"flow_last_seen":1605291686141,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":1565,"flow_avg_l4_payload_len":260,"midstream":0,"ts_msec":1605291686141,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56582,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"preview.redd.it","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-01210{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":700,"source":"reddit.pcap","alias":"nDPId-test","flow_id":15,"flow_packets_processed":10,"flow_first_seen":1605291686064,"flow_last_seen":1605291686142,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":3661,"flow_avg_l4_payload_len":366,"midstream":0,"ts_msec":1605291686142,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56582,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"preview.redd.it","server_names":"redd.it,*.redd.it","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","issuerDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.redd.it","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"3D:15:31:F3:94:55:33:92:88:5C:61:40:B0:FD:ED:27:6D:29:3A:12"}}
-01241{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":713,"source":"reddit.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":10,"flow_first_seen":1605291686060,"flow_last_seen":1605291686144,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":3661,"flow_avg_l4_payload_len":366,"midstream":0,"ts_msec":1605291686144,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56580,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"styles.redditmedia.com","server_names":"*.redditmedia.com,redditmedia.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","issuerDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.redditmedia.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"96:A3:77:56:81:79:10:5C:E8:7F:F0:33:D2:7E:1C:45:08:2C:25:85"}}
+01211{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":700,"source":"reddit.pcap","alias":"nDPId-test","flow_id":15,"flow_packets_processed":10,"flow_first_seen":1605291686064,"flow_last_seen":1605291686142,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":3661,"flow_avg_l4_payload_len":366,"midstream":0,"ts_msec":1605291686142,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56582,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"preview.redd.it","server_names":"redd.it,*.redd.it","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.redd.it","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"3D:15:31:F3:94:55:33:92:88:5C:61:40:B0:FD:ED:27:6D:29:3A:12"}}
+01242{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":713,"source":"reddit.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":10,"flow_first_seen":1605291686060,"flow_last_seen":1605291686144,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":3661,"flow_avg_l4_payload_len":366,"midstream":0,"ts_msec":1605291686144,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56580,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"styles.redditmedia.com","server_names":"*.redditmedia.com,redditmedia.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.redditmedia.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"96:A3:77:56:81:79:10:5C:E8:7F:F0:33:D2:7E:1C:45:08:2C:25:85"}}
00950{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":717,"source":"reddit.pcap","alias":"nDPId-test","flow_id":16,"flow_packets_processed":6,"flow_first_seen":1605291686064,"flow_last_seen":1605291686144,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":1565,"flow_avg_l4_payload_len":260,"midstream":0,"ts_msec":1605291686144,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56584,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"preview.redd.it","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-01209{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":722,"source":"reddit.pcap","alias":"nDPId-test","flow_id":16,"flow_packets_processed":9,"flow_first_seen":1605291686064,"flow_last_seen":1605291686145,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":3661,"flow_avg_l4_payload_len":406,"midstream":0,"ts_msec":1605291686145,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56584,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"preview.redd.it","server_names":"redd.it,*.redd.it","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","issuerDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.redd.it","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"3D:15:31:F3:94:55:33:92:88:5C:61:40:B0:FD:ED:27:6D:29:3A:12"}}
+01210{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":722,"source":"reddit.pcap","alias":"nDPId-test","flow_id":16,"flow_packets_processed":9,"flow_first_seen":1605291686064,"flow_last_seen":1605291686145,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":3661,"flow_avg_l4_payload_len":406,"midstream":0,"ts_msec":1605291686145,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56584,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"preview.redd.it","server_names":"redd.it,*.redd.it","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.redd.it","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"3D:15:31:F3:94:55:33:92:88:5C:61:40:B0:FD:ED:27:6D:29:3A:12"}}
00950{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":736,"source":"reddit.pcap","alias":"nDPId-test","flow_id":17,"flow_packets_processed":7,"flow_first_seen":1605291686064,"flow_last_seen":1605291686146,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":1565,"flow_avg_l4_payload_len":223,"midstream":0,"ts_msec":1605291686146,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56586,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"preview.redd.it","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-01209{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":738,"source":"reddit.pcap","alias":"nDPId-test","flow_id":17,"flow_packets_processed":9,"flow_first_seen":1605291686064,"flow_last_seen":1605291686146,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":3661,"flow_avg_l4_payload_len":406,"midstream":0,"ts_msec":1605291686146,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56586,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"preview.redd.it","server_names":"redd.it,*.redd.it","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","issuerDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.redd.it","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"3D:15:31:F3:94:55:33:92:88:5C:61:40:B0:FD:ED:27:6D:29:3A:12"}}
+01210{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":738,"source":"reddit.pcap","alias":"nDPId-test","flow_id":17,"flow_packets_processed":9,"flow_first_seen":1605291686064,"flow_last_seen":1605291686146,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":3661,"flow_avg_l4_payload_len":406,"midstream":0,"ts_msec":1605291686146,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56586,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"preview.redd.it","server_names":"redd.it,*.redd.it","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.redd.it","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"3D:15:31:F3:94:55:33:92:88:5C:61:40:B0:FD:ED:27:6D:29:3A:12"}}
00950{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":751,"source":"reddit.pcap","alias":"nDPId-test","flow_id":18,"flow_packets_processed":7,"flow_first_seen":1605291686064,"flow_last_seen":1605291686148,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":1565,"flow_avg_l4_payload_len":223,"midstream":0,"ts_msec":1605291686148,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56588,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"preview.redd.it","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-01209{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":754,"source":"reddit.pcap","alias":"nDPId-test","flow_id":18,"flow_packets_processed":9,"flow_first_seen":1605291686064,"flow_last_seen":1605291686148,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":3661,"flow_avg_l4_payload_len":406,"midstream":0,"ts_msec":1605291686148,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56588,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"preview.redd.it","server_names":"redd.it,*.redd.it","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","issuerDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.redd.it","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"3D:15:31:F3:94:55:33:92:88:5C:61:40:B0:FD:ED:27:6D:29:3A:12"}}
+01210{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":754,"source":"reddit.pcap","alias":"nDPId-test","flow_id":18,"flow_packets_processed":9,"flow_first_seen":1605291686064,"flow_last_seen":1605291686148,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":3661,"flow_avg_l4_payload_len":406,"midstream":0,"ts_msec":1605291686148,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56588,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"preview.redd.it","server_names":"redd.it,*.redd.it","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.redd.it","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"3D:15:31:F3:94:55:33:92:88:5C:61:40:B0:FD:ED:27:6D:29:3A:12"}}
00956{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":807,"source":"reddit.pcap","alias":"nDPId-test","flow_id":20,"flow_packets_processed":6,"flow_first_seen":1605291686084,"flow_last_seen":1605291686182,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":1565,"flow_avg_l4_payload_len":260,"midstream":0,"ts_msec":1605291686182,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56592,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"emoji.redditmedia.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-01239{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":809,"source":"reddit.pcap","alias":"nDPId-test","flow_id":20,"flow_packets_processed":8,"flow_first_seen":1605291686084,"flow_last_seen":1605291686182,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":3661,"flow_avg_l4_payload_len":457,"midstream":0,"ts_msec":1605291686182,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56592,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"emoji.redditmedia.com","server_names":"*.redditmedia.com,redditmedia.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","issuerDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.redditmedia.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"96:A3:77:56:81:79:10:5C:E8:7F:F0:33:D2:7E:1C:45:08:2C:25:85"}}
+01240{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":809,"source":"reddit.pcap","alias":"nDPId-test","flow_id":20,"flow_packets_processed":8,"flow_first_seen":1605291686084,"flow_last_seen":1605291686182,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":3661,"flow_avg_l4_payload_len":457,"midstream":0,"ts_msec":1605291686182,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56592,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"emoji.redditmedia.com","server_names":"*.redditmedia.com,redditmedia.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.redditmedia.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"96:A3:77:56:81:79:10:5C:E8:7F:F0:33:D2:7E:1C:45:08:2C:25:85"}}
00956{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":811,"source":"reddit.pcap","alias":"nDPId-test","flow_id":19,"flow_packets_processed":6,"flow_first_seen":1605291686084,"flow_last_seen":1605291686182,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":1565,"flow_avg_l4_payload_len":260,"midstream":0,"ts_msec":1605291686182,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56590,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"emoji.redditmedia.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-01239{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":818,"source":"reddit.pcap","alias":"nDPId-test","flow_id":19,"flow_packets_processed":9,"flow_first_seen":1605291686084,"flow_last_seen":1605291686183,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":3661,"flow_avg_l4_payload_len":406,"midstream":0,"ts_msec":1605291686183,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56590,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"emoji.redditmedia.com","server_names":"*.redditmedia.com,redditmedia.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","issuerDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.redditmedia.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"96:A3:77:56:81:79:10:5C:E8:7F:F0:33:D2:7E:1C:45:08:2C:25:85"}}
+01240{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":818,"source":"reddit.pcap","alias":"nDPId-test","flow_id":19,"flow_packets_processed":9,"flow_first_seen":1605291686084,"flow_last_seen":1605291686183,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":3661,"flow_avg_l4_payload_len":406,"midstream":0,"ts_msec":1605291686183,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56590,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"emoji.redditmedia.com","server_names":"*.redditmedia.com,redditmedia.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.redditmedia.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"96:A3:77:56:81:79:10:5C:E8:7F:F0:33:D2:7E:1C:45:08:2C:25:85"}}
00583{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1160,"source":"reddit.pcap","alias":"nDPId-test","flow_id":21,"flow_packets_processed":1,"flow_first_seen":1605291686301,"flow_last_seen":1605291686301,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1605291686301,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56594,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00501{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1160,"source":"reddit.pcap","alias":"nDPId-test","flow_id":21,"flow_packet_id":1,"flow_last_seen":1605291686301,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605291686301,"pkt":"qtsDr8lk5EKm5WPyht1gDu9XACgGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAACXZXmM3RIBuyQ3ML0AAAAAoAL9IDDZAAACBAWgBAIICql05vEAAAAAAQMDBw=="}
00503{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1203,"source":"reddit.pcap","alias":"nDPId-test","flow_id":21,"flow_packet_id":2,"flow_last_seen":1605291686327,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605291686327,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPQBk\/5sAAAAAAAAAAJdleYwqAcsBIEmLB5kd7IUo3\/YpAbvdEkHBFWUkNzC+oBJXgILuAAACBAV4AQMDAwQCCArC1zmoqXTm8Q=="}
00489{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1208,"source":"reddit.pcap","alias":"nDPId-test","flow_id":21,"flow_packet_id":3,"flow_last_seen":1605291686327,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"ts_msec":1605291686327,"pkt":"qtsDr8lk5EKm5WPyht1gDu9XACAGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAACXZXmM3RIBuyQ3ML5BwRVmgBAB+wbmAAABAQgKqXTnC8LXOag="}
00904{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1211,"source":"reddit.pcap","alias":"nDPId-test","flow_id":21,"flow_packets_processed":4,"flow_first_seen":1605291686301,"flow_last_seen":1605291686327,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1605291686327,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56594,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"b.thumbs.redditmedia.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00960{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1398,"source":"reddit.pcap","alias":"nDPId-test","flow_id":21,"flow_packets_processed":6,"flow_first_seen":1605291686301,"flow_last_seen":1605291686419,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":1565,"flow_avg_l4_payload_len":260,"midstream":0,"ts_msec":1605291686419,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56594,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"b.thumbs.redditmedia.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-01264{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1406,"source":"reddit.pcap","alias":"nDPId-test","flow_id":21,"flow_packets_processed":9,"flow_first_seen":1605291686301,"flow_last_seen":1605291686420,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":3661,"flow_avg_l4_payload_len":406,"midstream":0,"ts_msec":1605291686420,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56594,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"b.thumbs.redditmedia.com","server_names":"*.thumbs.redditmedia.com,thumbs.redditmedia.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","issuerDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.thumbs.redditmedia.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"FF:F4:6C:CF:D6:FD:64:3E:50:17:A2:DE:B0:F2:B6:9B:76:59:C6:75"}}
+01265{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1406,"source":"reddit.pcap","alias":"nDPId-test","flow_id":21,"flow_packets_processed":9,"flow_first_seen":1605291686301,"flow_last_seen":1605291686420,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":3661,"flow_avg_l4_payload_len":406,"midstream":0,"ts_msec":1605291686420,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56594,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"b.thumbs.redditmedia.com","server_names":"*.thumbs.redditmedia.com,thumbs.redditmedia.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.thumbs.redditmedia.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"FF:F4:6C:CF:D6:FD:64:3E:50:17:A2:DE:B0:F2:B6:9B:76:59:C6:75"}}
00589{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1925,"source":"reddit.pcap","alias":"nDPId-test","flow_id":22,"flow_packets_processed":1,"flow_first_seen":1605291686985,"flow_last_seen":1605291686985,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1605291686985,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2002","src_port":50960,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00501{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1925,"source":"reddit.pcap","alias":"nDPId-test","flow_id":22,"flow_packet_id":1,"flow_last_seen":1605291686985,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605291686985,"pkt":"qtsDr8lk5EKm5WPyht1gAMi0ACgGQCoBywEgSYsHmR3shSjf9ikqABRQQAcIBQAAAAAAACACxxABu7duD88AAAAAoAL9IJsfAAACBAWgBAIIClRf4AwAAAAAAQMDBw=="}
00582{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1926,"source":"reddit.pcap","alias":"nDPId-test","flow_id":23,"flow_packets_processed":1,"flow_first_seen":1605291686985,"flow_last_seen":1605291686985,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1605291686985,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::df9:21c6","src_port":43492,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -167,21 +167,21 @@
00502{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2333,"source":"reddit.pcap","alias":"nDPId-test","flow_id":25,"flow_packet_id":1,"flow_last_seen":1605291687485,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605291687485,"pkt":"qtsDr8lk5EKm5WPyht1gDGJhACgGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAACs2RLCx1IBu5\/PXZ4AAAAAoAL9IP2VAAACBAWgBAIICruOxrcAAAAAAQMDBw=="}
00503{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2341,"source":"reddit.pcap","alias":"nDPId-test","flow_id":25,"flow_packet_id":2,"flow_last_seen":1605291687512,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605291687512,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPQBk\/5sAAAAAAAAAAKzZEsIqAcsBIEmLB5kd7IUo3\/YpAbvHUvrRnoyfz12foBJXgAjWAAACBAV4AQMDAwQCCArC1z5Fu47Gtw=="}
00491{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2342,"source":"reddit.pcap","alias":"nDPId-test","flow_id":25,"flow_packet_id":3,"flow_last_seen":1605291687513,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"ts_msec":1605291687513,"pkt":"qtsDr8lk5EKm5WPyht1gDGJhACAGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAACs2RLCx1IBu5\/PXZ\/60Z6NgBAB+4zMAAABAQgKu47G0sLXPkU="}
-00909{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":2343,"source":"reddit.pcap","alias":"nDPId-test","flow_id":25,"flow_packets_processed":4,"flow_first_seen":1605291687485,"flow_last_seen":1605291687513,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1605291687513,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::acd9:12c2","src_port":51026,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"securepubads.g.doubleclick.net","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+00917{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":2343,"source":"reddit.pcap","alias":"nDPId-test","flow_id":25,"flow_packets_processed":4,"flow_first_seen":1605291687485,"flow_last_seen":1605291687513,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1605291687513,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::acd9:12c2","src_port":51026,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Advertisement"},"tls": {"version":"TLSv1.2","client_requested_server_name":"securepubads.g.doubleclick.net","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00583{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2344,"source":"reddit.pcap","alias":"nDPId-test","flow_id":26,"flow_packets_processed":1,"flow_first_seen":1605291687514,"flow_last_seen":1605291687514,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1605291687514,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:789d","src_port":48240,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00501{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2344,"source":"reddit.pcap","alias":"nDPId-test","flow_id":26,"flow_packet_id":1,"flow_last_seen":1605291687514,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605291687514,"pkt":"qtsDr8lk5EKm5WPyht1gD4BTACgGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAACXZXidvHABuwi2N5MAAAAAoAL9IOSoAAACBAWgBAIICiRA7pIAAAAAAQMDBw=="}
00503{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2351,"source":"reddit.pcap","alias":"nDPId-test","flow_id":26,"flow_packet_id":2,"flow_last_seen":1605291687545,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605291687545,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPQBk\/5sAAAAAAAAAAJdleJ0qAcsBIEmLB5kd7IUo3\/YpAbu8cGxxKx0ItjeUoBJXgPGUAAACBAV4AQMDAwQCCArC1z5pJEDukg=="}
00489{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2353,"source":"reddit.pcap","alias":"nDPId-test","flow_id":26,"flow_packet_id":3,"flow_last_seen":1605291687545,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"ts_msec":1605291687545,"pkt":"qtsDr8lk5EKm5WPyht1gD4BTACAGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAACXZXidvHABuwi2N5RscSsegBAB+3WHAAABAQgKJEDuscLXPmk="}
00901{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":2355,"source":"reddit.pcap","alias":"nDPId-test","flow_id":26,"flow_packets_processed":4,"flow_first_seen":1605291687514,"flow_last_seen":1605291687545,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1605291687545,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:789d","src_port":48240,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Twitter","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"platform.twitter.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-00950{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2356,"source":"reddit.pcap","alias":"nDPId-test","flow_id":25,"flow_packets_processed":6,"flow_first_seen":1605291687485,"flow_last_seen":1605291687552,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1388,"flow_tot_l4_payload_len":1905,"flow_avg_l4_payload_len":317,"midstream":0,"ts_msec":1605291687552,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::acd9:12c2","src_port":51026,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"securepubads.g.doubleclick.net","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+00958{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2356,"source":"reddit.pcap","alias":"nDPId-test","flow_id":25,"flow_packets_processed":6,"flow_first_seen":1605291687485,"flow_last_seen":1605291687552,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1388,"flow_tot_l4_payload_len":1905,"flow_avg_l4_payload_len":317,"midstream":0,"ts_msec":1605291687552,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::acd9:12c2","src_port":51026,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Advertisement"},"tls": {"version":"TLSv1.3","client_requested_server_name":"securepubads.g.doubleclick.net","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00957{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2382,"source":"reddit.pcap","alias":"nDPId-test","flow_id":26,"flow_packets_processed":6,"flow_first_seen":1605291687514,"flow_last_seen":1605291687606,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":1565,"flow_avg_l4_payload_len":260,"midstream":0,"ts_msec":1605291687606,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:789d","src_port":48240,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Twitter","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"platform.twitter.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-01282{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2390,"source":"reddit.pcap","alias":"nDPId-test","flow_id":26,"flow_packets_processed":9,"flow_first_seen":1605291687514,"flow_last_seen":1605291687606,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":3661,"flow_avg_l4_payload_len":406,"midstream":0,"ts_msec":1605291687606,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:789d","src_port":48240,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Twitter","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"platform.twitter.com","server_names":"platform.twitter.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","issuerDN":"C=US, ST=California, L=San Francisco, O=Twitter, Inc., OU=Twitter Security, CN=platform.twitter.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"2B:30:10:3B:07:2F:F2:EB:3D:08:E3:BB:45:61:F7:A3:9F:4C:A7:92"}}
+01283{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2390,"source":"reddit.pcap","alias":"nDPId-test","flow_id":26,"flow_packets_processed":9,"flow_first_seen":1605291687514,"flow_last_seen":1605291687606,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":3661,"flow_avg_l4_payload_len":406,"midstream":0,"ts_msec":1605291687606,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:789d","src_port":48240,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Twitter","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"platform.twitter.com","server_names":"platform.twitter.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Twitter, Inc., OU=Twitter Security, CN=platform.twitter.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"2B:30:10:3B:07:2F:F2:EB:3D:08:E3:BB:45:61:F7:A3:9F:4C:A7:92"}}
00589{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2460,"source":"reddit.pcap","alias":"nDPId-test","flow_id":27,"flow_packets_processed":1,"flow_first_seen":1605291687642,"flow_last_seen":1605291687642,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1605291687642,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::2008","src_port":39520,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00501{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2460,"source":"reddit.pcap","alias":"nDPId-test","flow_id":27,"flow_packet_id":1,"flow_last_seen":1605291687642,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605291687642,"pkt":"qtsDr8lk5EKm5WPyht1gDI7+ACgGQCoBywEgSYsHmR3shSjf9ikqABRQQAcIFgAAAAAAACAImmABu4PHuxgAAAAAoAL9IGTNAAACBAWgBAIICsL4XLwAAAAAAQMDBw=="}
00502{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2543,"source":"reddit.pcap","alias":"nDPId-test","flow_id":27,"flow_packet_id":2,"flow_last_seen":1605291687676,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605291687676,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPSoAFFBABwgWAAAAAAAAIAgqAcsBIEmLB5kd7IUo3\/YpAbuaYOcfuuGDx7sZoBJXgGbFAAACBAV4AQMDAwQCCArC1z7qwvhcvA=="}
00489{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2544,"source":"reddit.pcap","alias":"nDPId-test","flow_id":27,"flow_packet_id":3,"flow_last_seen":1605291687676,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"ts_msec":1605291687676,"pkt":"qtsDr8lk5EKm5WPyht1gDI7+ACAGQCoBywEgSYsHmR3shSjf9ikqABRQQAcIFgAAAAAAACAImmABu4PHuxnnH7rigBAB++qzAAABAQgKwvhc38LXPuo="}
-00894{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":2546,"source":"reddit.pcap","alias":"nDPId-test","flow_id":27,"flow_packets_processed":4,"flow_first_seen":1605291687642,"flow_last_seen":1605291687678,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1605291687678,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::2008","src_port":39520,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.googletagmanager.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-00935{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2554,"source":"reddit.pcap","alias":"nDPId-test","flow_id":27,"flow_packets_processed":6,"flow_first_seen":1605291687642,"flow_last_seen":1605291687721,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1208,"flow_tot_l4_payload_len":1725,"flow_avg_l4_payload_len":287,"midstream":0,"ts_msec":1605291687721,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::2008","src_port":39520,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"www.googletagmanager.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+00915{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":2546,"source":"reddit.pcap","alias":"nDPId-test","flow_id":27,"flow_packets_processed":4,"flow_first_seen":1605291687642,"flow_last_seen":1605291687678,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1605291687678,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::2008","src_port":39520,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.GoogleServices","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.googletagmanager.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+00956{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2554,"source":"reddit.pcap","alias":"nDPId-test","flow_id":27,"flow_packets_processed":6,"flow_first_seen":1605291687642,"flow_last_seen":1605291687721,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1208,"flow_tot_l4_payload_len":1725,"flow_avg_l4_payload_len":287,"midstream":0,"ts_msec":1605291687721,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::2008","src_port":39520,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.GoogleServices","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"www.googletagmanager.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00583{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2578,"source":"reddit.pcap","alias":"nDPId-test","flow_id":28,"flow_packets_processed":1,"flow_first_seen":1605291687761,"flow_last_seen":1605291687761,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1605291687761,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::6853:b3d1","src_port":32970,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00501{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2578,"source":"reddit.pcap","alias":"nDPId-test","flow_id":28,"flow_packet_id":1,"flow_last_seen":1605291687761,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605291687761,"pkt":"qtsDr8lk5EKm5WPyht1gCTrZACgGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAABoU7PRgMoBuzRK2bcAAAAAoAL9IFSZAAACBAWgBAIIClvEqOkAAAAAAQMDBw=="}
00503{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2609,"source":"reddit.pcap","alias":"nDPId-test","flow_id":28,"flow_packet_id":2,"flow_last_seen":1605291687790,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605291687790,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPQBk\/5sAAAAAAAAAAGhTs9EqAcsBIEmLB5kd7IUo3\/YpAbuAylJzVUg0Stm4oBJXgFBhAAACBAV4AQMDAwQCCArC1z9gW8So6Q=="}
@@ -212,15 +212,15 @@
00903{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":3004,"source":"reddit.pcap","alias":"nDPId-test","flow_id":32,"flow_packets_processed":4,"flow_first_seen":1605291687933,"flow_last_seen":1605291687974,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1605291687974,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2620:116:800d:21:f916:5049:f87f:108e","src_port":48648,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"secure.quantserve.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00503{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3007,"source":"reddit.pcap","alias":"nDPId-test","flow_id":33,"flow_packet_id":2,"flow_last_seen":1605291687975,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605291687975,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPQBk\/5sAAAAAAAAAABc2hvEqAcsBIEmLB5kd7IUo3\/YpAbus6CNL5ddGO8iRoBJXgMJGAAACBAV4AQMDAwQCCArC10AVUckv+A=="}
00489{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3009,"source":"reddit.pcap","alias":"nDPId-test","flow_id":33,"flow_packet_id":3,"flow_last_seen":1605291687975,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"ts_msec":1605291687975,"pkt":"qtsDr8lk5EKm5WPyht1gA0MZACAGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAAAXNobxrOgBu0Y7yJEjS+XYgBAB+0YvAAABAQgKUckwIcLXQBU="}
-00888{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":3014,"source":"reddit.pcap","alias":"nDPId-test","flow_id":33,"flow_packets_processed":4,"flow_first_seen":1605291687934,"flow_last_seen":1605291687975,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1605291687975,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::1736:86f1","src_port":44264,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"sb.scorecardresearch.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+00898{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":3014,"source":"reddit.pcap","alias":"nDPId-test","flow_id":33,"flow_packets_processed":4,"flow_first_seen":1605291687934,"flow_last_seen":1605291687975,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1605291687975,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::1736:86f1","src_port":44264,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Advertisement"},"tls": {"version":"TLSv1.2","client_requested_server_name":"sb.scorecardresearch.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00917{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":3016,"source":"reddit.pcap","alias":"nDPId-test","flow_id":30,"flow_packets_processed":6,"flow_first_seen":1605291687896,"flow_last_seen":1605291687976,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1388,"flow_tot_l4_payload_len":1905,"flow_avg_l4_payload_len":317,"midstream":0,"ts_msec":1605291687976,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::2278:cf94","src_port":39626,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"id.rlcdn.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00935{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":3105,"source":"reddit.pcap","alias":"nDPId-test","flow_id":31,"flow_packets_processed":6,"flow_first_seen":1605291687931,"flow_last_seen":1605291688024,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1208,"flow_tot_l4_payload_len":1725,"flow_avg_l4_payload_len":287,"midstream":0,"ts_msec":1605291688024,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:806::200e","src_port":54862,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.YouTube","breed":"Fun","category":"Media"},"tls": {"version":"TLSv1.3","client_requested_server_name":"www.youtube.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-00929{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":3113,"source":"reddit.pcap","alias":"nDPId-test","flow_id":33,"flow_packets_processed":6,"flow_first_seen":1605291687934,"flow_last_seen":1605291688025,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1388,"flow_tot_l4_payload_len":1905,"flow_avg_l4_payload_len":317,"midstream":0,"ts_msec":1605291688025,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::1736:86f1","src_port":44264,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"sb.scorecardresearch.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"15af977ce25de452b96affa2addb1036","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+00939{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":3113,"source":"reddit.pcap","alias":"nDPId-test","flow_id":33,"flow_packets_processed":6,"flow_first_seen":1605291687934,"flow_last_seen":1605291688025,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1388,"flow_tot_l4_payload_len":1905,"flow_avg_l4_payload_len":317,"midstream":0,"ts_msec":1605291688025,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::1736:86f1","src_port":44264,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Advertisement"},"tls": {"version":"TLSv1.3","client_requested_server_name":"sb.scorecardresearch.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"15af977ce25de452b96affa2addb1036","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00959{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":3144,"source":"reddit.pcap","alias":"nDPId-test","flow_id":32,"flow_packets_processed":6,"flow_first_seen":1605291687933,"flow_last_seen":1605291688036,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1388,"flow_tot_l4_payload_len":1905,"flow_avg_l4_payload_len":317,"midstream":0,"ts_msec":1605291688036,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2620:116:800d:21:f916:5049:f87f:108e","src_port":48648,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"secure.quantserve.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"b898351eb5e266aefd3723d466935494","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-01336{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":3147,"source":"reddit.pcap","alias":"nDPId-test","flow_id":32,"flow_packets_processed":8,"flow_first_seen":1605291687933,"flow_last_seen":1605291688036,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1388,"flow_tot_l4_payload_len":3881,"flow_avg_l4_payload_len":485,"midstream":0,"ts_msec":1605291688036,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2620:116:800d:21:f916:5049:f87f:108e","src_port":48648,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"secure.quantserve.com","server_names":"*.quantserve.com,*.quantcount.com,*.apextag.com,quantserve.com,quantcount.com,apextag.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"b898351eb5e266aefd3723d466935494","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","issuerDN":"C=US, ST=California, L=San Francisco, O=Quantcast Corporation, CN=*.quantserve.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"3A:30:B1:4A:CE:62:AF:55:B1:89:FF:0C:CB:69:E3:80:CB:B0:91:90"}}
-01286{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":3157,"source":"reddit.pcap","alias":"nDPId-test","flow_id":26,"flow_packets_processed":255,"flow_first_seen":1605291687514,"flow_last_seen":1605291688036,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":6288,"flow_tot_l4_payload_len":239041,"flow_avg_l4_payload_len":937,"midstream":0,"ts_msec":1605291688036,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:789d","src_port":48240,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Twitter","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"platform.twitter.com","server_names":"platform.twitter.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","issuerDN":"C=US, ST=California, L=San Francisco, O=Twitter, Inc., OU=Twitter Security, CN=platform.twitter.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"2B:30:10:3B:07:2F:F2:EB:3D:08:E3:BB:45:61:F7:A3:9F:4C:A7:92"}}
+01337{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":3147,"source":"reddit.pcap","alias":"nDPId-test","flow_id":32,"flow_packets_processed":8,"flow_first_seen":1605291687933,"flow_last_seen":1605291688036,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1388,"flow_tot_l4_payload_len":3881,"flow_avg_l4_payload_len":485,"midstream":0,"ts_msec":1605291688036,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2620:116:800d:21:f916:5049:f87f:108e","src_port":48648,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"secure.quantserve.com","server_names":"*.quantserve.com,*.quantcount.com,*.apextag.com,quantserve.com,quantcount.com,apextag.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"b898351eb5e266aefd3723d466935494","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Quantcast Corporation, CN=*.quantserve.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"3A:30:B1:4A:CE:62:AF:55:B1:89:FF:0C:CB:69:E3:80:CB:B0:91:90"}}
+01287{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":3157,"source":"reddit.pcap","alias":"nDPId-test","flow_id":26,"flow_packets_processed":255,"flow_first_seen":1605291687514,"flow_last_seen":1605291688036,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":6288,"flow_tot_l4_payload_len":239041,"flow_avg_l4_payload_len":937,"midstream":0,"ts_msec":1605291688036,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:789d","src_port":48240,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Twitter","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"platform.twitter.com","server_names":"platform.twitter.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Twitter, Inc., OU=Twitter Security, CN=platform.twitter.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"2B:30:10:3B:07:2F:F2:EB:3D:08:E3:BB:45:61:F7:A3:9F:4C:A7:92"}}
00960{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":3171,"source":"reddit.pcap","alias":"nDPId-test","flow_id":29,"flow_packets_processed":6,"flow_first_seen":1605291687800,"flow_last_seen":1605291688046,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1388,"flow_tot_l4_payload_len":1905,"flow_avg_l4_payload_len":317,"midstream":0,"ts_msec":1605291688046,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::68f4:2ac8","src_port":56782,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Twitter","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"syndication.twitter.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"8d2a028aa94425f76ced7826b1f39039","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-01405{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":3174,"source":"reddit.pcap","alias":"nDPId-test","flow_id":29,"flow_packets_processed":9,"flow_first_seen":1605291687800,"flow_last_seen":1605291688046,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1388,"flow_tot_l4_payload_len":3956,"flow_avg_l4_payload_len":439,"midstream":0,"ts_msec":1605291688046,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::68f4:2ac8","src_port":56782,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Twitter","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"syndication.twitter.com","server_names":"syndication.twitter.com,syndication.twimg.com,syndication-o.twitter.com,syndication-o.twimg.com,cdn.syndication.twitter.com,cdn.syndication.twimg.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"8d2a028aa94425f76ced7826b1f39039","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","issuerDN":"C=US, ST=California, L=San Francisco, O=Twitter, Inc., OU=lon3, CN=syndication.twitter.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"09:D3:FE:9A:3E:39:A7:E2:90:5B:C9:1F:3B:7D:CE:7C:7E:08:1C:6F"}}
+01406{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":3174,"source":"reddit.pcap","alias":"nDPId-test","flow_id":29,"flow_packets_processed":9,"flow_first_seen":1605291687800,"flow_last_seen":1605291688046,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1388,"flow_tot_l4_payload_len":3956,"flow_avg_l4_payload_len":439,"midstream":0,"ts_msec":1605291688046,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::68f4:2ac8","src_port":56782,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Twitter","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"syndication.twitter.com","server_names":"syndication.twitter.com,syndication.twimg.com,syndication-o.twitter.com,syndication-o.twimg.com,cdn.syndication.twitter.com,cdn.syndication.twimg.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"8d2a028aa94425f76ced7826b1f39039","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Twitter, Inc., OU=lon3, CN=syndication.twitter.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"09:D3:FE:9A:3E:39:A7:E2:90:5B:C9:1F:3B:7D:CE:7C:7E:08:1C:6F"}}
00583{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":3346,"source":"reddit.pcap","alias":"nDPId-test","flow_id":34,"flow_packets_processed":1,"flow_first_seen":1605291688324,"flow_last_seen":1605291688324,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1605291688324,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::d83a:d1e6","src_port":51100,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00501{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3346,"source":"reddit.pcap","alias":"nDPId-test","flow_id":34,"flow_packet_id":1,"flow_last_seen":1605291688324,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605291688324,"pkt":"qtsDr8lk5EKm5WPyht1gDP1bACgGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAADYOtHmx5wBu0pXpjQAAAAAoAL9INe7AAACBAWgBAIICn8mSwwAAAAAAQMDBw=="}
00583{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":3358,"source":"reddit.pcap","alias":"nDPId-test","flow_id":35,"flow_packets_processed":1,"flow_first_seen":1605291688336,"flow_last_seen":1605291688336,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1605291688336,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::d83a:d1e6","src_port":51102,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
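Review bot: Nothing in the test path appears to reject duplicate JSON keys: the old expected lines for packets 3147, 3157 and 3174 in this hunk each carried two `"issuerDN"` keys in one `tls` object, and that output was accepted as the reference until this fix renamed the second one to `"subjectDN"`. Most JSON parsers keep the last value for a repeated key, so a consumer of the old stream would have read the certificate subject as the issuer. I would add a step to the result check that parses every event with a parser that fails on a repeated key, for example Python's `json.loads(line, object_pairs_hook=...)` with a hook that raises when a key occurs twice. Whether the runner already validates events against `schema/flow_event_schema.json` is not visible here, and schema validation alone would likely not catch this, since it normally runs after the parser has already collapsed the duplicates.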
@@ -229,15 +229,15 @@
00501{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3372,"source":"reddit.pcap","alias":"nDPId-test","flow_id":36,"flow_packet_id":1,"flow_last_seen":1605291688344,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605291688344,"pkt":"qtsDr8lk5EKm5WPyht1gATUNACgGQCoBywEgSYsHmR3shSjf9ikmAJAAIZzuAAAGROP4wJOh23oBu4m0PmAAAAAAoAL9ICpwAAACBAWgBAIICgi3lpgAAAAAAQMDBw=="}
00503{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3437,"source":"reddit.pcap","alias":"nDPId-test","flow_id":34,"flow_packet_id":2,"flow_last_seen":1605291688365,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605291688365,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPQBk\/5sAAAAAAAAAANg60eYqAcsBIEmLB5kd7IUo3\/YpAbvHnC63k25KV6Y1oBJXgLbhAAACBAV4AQMDAwQCCArC10GYfyZLDA=="}
00489{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3438,"source":"reddit.pcap","alias":"nDPId-test","flow_id":34,"flow_packet_id":3,"flow_last_seen":1605291688365,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"ts_msec":1605291688365,"pkt":"qtsDr8lk5EKm5WPyht1gDP1bACAGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAADYOtHmx5wBu0pXpjUut5NvgBAB+zrKAAABAQgKfyZLNcLXQZg="}
-00897{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":3439,"source":"reddit.pcap","alias":"nDPId-test","flow_id":34,"flow_packets_processed":4,"flow_first_seen":1605291688324,"flow_last_seen":1605291688365,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1605291688365,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::d83a:d1e6","src_port":51100,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"ad.doubleclick.net","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+00905{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":3439,"source":"reddit.pcap","alias":"nDPId-test","flow_id":34,"flow_packets_processed":4,"flow_first_seen":1605291688324,"flow_last_seen":1605291688365,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1605291688365,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::d83a:d1e6","src_port":51100,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Advertisement"},"tls": {"version":"TLSv1.2","client_requested_server_name":"ad.doubleclick.net","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00503{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3440,"source":"reddit.pcap","alias":"nDPId-test","flow_id":35,"flow_packet_id":2,"flow_last_seen":1605291688370,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605291688370,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPQBk\/5sAAAAAAAAAANg60eYqAcsBIEmLB5kd7IUo3\/YpAbvHnlMkjxA2CKc5oBJXgKoEAAACBAV4AQMDAwQCCArC10GjfyZLGA=="}
00489{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3444,"source":"reddit.pcap","alias":"nDPId-test","flow_id":35,"flow_packet_id":3,"flow_last_seen":1605291688370,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"ts_msec":1605291688370,"pkt":"qtsDr8lk5EKm5WPyht1gC0OFACAGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAADYOtHmx54BuzYIpzlTJI8RgBAB+y30AAABAQgKfyZLOsLXQaM="}
-00897{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":3446,"source":"reddit.pcap","alias":"nDPId-test","flow_id":35,"flow_packets_processed":4,"flow_first_seen":1605291688336,"flow_last_seen":1605291688371,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1605291688371,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::d83a:d1e6","src_port":51102,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"ad.doubleclick.net","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+00905{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":3446,"source":"reddit.pcap","alias":"nDPId-test","flow_id":35,"flow_packets_processed":4,"flow_first_seen":1605291688336,"flow_last_seen":1605291688371,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1605291688371,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::d83a:d1e6","src_port":51102,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Advertisement"},"tls": {"version":"TLSv1.2","client_requested_server_name":"ad.doubleclick.net","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00503{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3449,"source":"reddit.pcap","alias":"nDPId-test","flow_id":36,"flow_packet_id":2,"flow_last_seen":1605291688371,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605291688371,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPSYAkAAhnO4AAAZE4\/jAk6EqAcsBIEmLB5kd7IUo3\/YpAbvbeuzTe9OJtD5hoBJXgGMHAAACBAV4AQMDAwQCCArC10GlCLeWmA=="}
00489{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3451,"source":"reddit.pcap","alias":"nDPId-test","flow_id":36,"flow_packet_id":3,"flow_last_seen":1605291688371,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"ts_msec":1605291688371,"pkt":"qtsDr8lk5EKm5WPyht1gATUNACAGQCoBywEgSYsHmR3shSjf9ikmAJAAIZzuAAAGROP4wJOh23oBu4m0PmHs03vUgBAB++b9AAABAQgKCLeWs8LXQaU="}
00902{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":3453,"source":"reddit.pcap","alias":"nDPId-test","flow_id":36,"flow_packets_processed":4,"flow_first_seen":1605291688344,"flow_last_seen":1605291688372,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1605291688372,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2600:9000:219c:ee00:6:44e3:f8c0:93a1","src_port":56186,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"rules.quantcount.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-00938{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":3517,"source":"reddit.pcap","alias":"nDPId-test","flow_id":34,"flow_packets_processed":6,"flow_first_seen":1605291688324,"flow_last_seen":1605291688408,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1388,"flow_tot_l4_payload_len":1905,"flow_avg_l4_payload_len":317,"midstream":0,"ts_msec":1605291688408,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::d83a:d1e6","src_port":51100,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"ad.doubleclick.net","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-00938{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":3521,"source":"reddit.pcap","alias":"nDPId-test","flow_id":35,"flow_packets_processed":6,"flow_first_seen":1605291688336,"flow_last_seen":1605291688408,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1388,"flow_tot_l4_payload_len":1905,"flow_avg_l4_payload_len":317,"midstream":0,"ts_msec":1605291688408,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::d83a:d1e6","src_port":51102,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"ad.doubleclick.net","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+00946{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":3517,"source":"reddit.pcap","alias":"nDPId-test","flow_id":34,"flow_packets_processed":6,"flow_first_seen":1605291688324,"flow_last_seen":1605291688408,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1388,"flow_tot_l4_payload_len":1905,"flow_avg_l4_payload_len":317,"midstream":0,"ts_msec":1605291688408,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::d83a:d1e6","src_port":51100,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Advertisement"},"tls": {"version":"TLSv1.3","client_requested_server_name":"ad.doubleclick.net","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+00946{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":3521,"source":"reddit.pcap","alias":"nDPId-test","flow_id":35,"flow_packets_processed":6,"flow_first_seen":1605291688336,"flow_last_seen":1605291688408,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1388,"flow_tot_l4_payload_len":1905,"flow_avg_l4_payload_len":317,"midstream":0,"ts_msec":1605291688408,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::d83a:d1e6","src_port":51102,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Advertisement"},"tls": {"version":"TLSv1.3","client_requested_server_name":"ad.doubleclick.net","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00943{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":3538,"source":"reddit.pcap","alias":"nDPId-test","flow_id":36,"flow_packets_processed":6,"flow_first_seen":1605291688344,"flow_last_seen":1605291688411,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1208,"flow_tot_l4_payload_len":1725,"flow_avg_l4_payload_len":287,"midstream":0,"ts_msec":1605291688411,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2600:9000:219c:ee00:6:44e3:f8c0:93a1","src_port":56186,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"rules.quantcount.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"f4febc55ea12b31ae17cfb7e614afda8","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00599{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":3906,"source":"reddit.pcap","alias":"nDPId-test","flow_id":37,"flow_packets_processed":1,"flow_first_seen":1605291688611,"flow_last_seen":1605291688611,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1605291688611,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2606:2800:134:1a0d:1429:742:782:b6","src_port":39736,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00503{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3906,"source":"reddit.pcap","alias":"nDPId-test","flow_id":37,"flow_packet_id":1,"flow_last_seen":1605291688611,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605291688611,"pkt":"qtsDr8lk5EKm5WPyht1gDEO\/ACgGQCoBywEgSYsHmR3shSjf9ikmBigAATQaDRQpB0IHggC2mzgBu\/F3Z44AAAAAoAL9IIe6AAACBAWgBAIICvY2BR4AAAAAAQMDBw=="}
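Review bot: The relabelling of the `ad.doubleclick.net` flows (packets 3439, 3446, 3517 and 3521) is not documented for consumers anywhere visible on this page: the advertising signal moves from `"breed":"Tracker\/Ads"` to `"category":"Advertisement"`, and the breed becomes `"Acceptable"`. A filter or alert that matches on the breed string will stop matching these flows without raising any error. I would record this in the changelog or commit description, e.g. `these flows no longer report breed "Tracker/Ads"; match on category "Advertisement" instead`. The schema diff is outside this view, so it is worth confirming that the schema accepts the new category value.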
@@ -245,18 +245,18 @@
00491{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3910,"source":"reddit.pcap","alias":"nDPId-test","flow_id":37,"flow_packet_id":3,"flow_last_seen":1605291688654,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"ts_msec":1605291688654,"pkt":"qtsDr8lk5EKm5WPyht1gDEO\/ACAGQCoBywEgSYsHmR3shSjf9ikmBigAATQaDRQpB0IHggC2mzgBu\/F3Z4+UttHFgBAB+0VLAAABAQgK9jYFScLXQr4="}
00922{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":3911,"source":"reddit.pcap","alias":"nDPId-test","flow_id":37,"flow_packets_processed":4,"flow_first_seen":1605291688611,"flow_last_seen":1605291688654,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1605291688654,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2606:2800:134:1a0d:1429:742:782:b6","src_port":39736,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Twitter","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"cdn.syndication.twimg.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00961{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":3999,"source":"reddit.pcap","alias":"nDPId-test","flow_id":37,"flow_packets_processed":6,"flow_first_seen":1605291688611,"flow_last_seen":1605291688705,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":616,"flow_avg_l4_payload_len":102,"midstream":0,"ts_msec":1605291688705,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2606:2800:134:1a0d:1429:742:782:b6","src_port":39736,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Twitter","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.3","client_requested_server_name":"cdn.syndication.twimg.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"15af977ce25de452b96affa2addb1036","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-01214{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":4029,"source":"reddit.pcap","alias":"nDPId-test","flow_id":15,"flow_packets_processed":255,"flow_first_seen":1605291686064,"flow_last_seen":1605291688712,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":4192,"flow_tot_l4_payload_len":148115,"flow_avg_l4_payload_len":580,"midstream":0,"ts_msec":1605291688712,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56582,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"preview.redd.it","server_names":"redd.it,*.redd.it","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","issuerDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.redd.it","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"3D:15:31:F3:94:55:33:92:88:5C:61:40:B0:FD:ED:27:6D:29:3A:12"}}
+01215{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":4029,"source":"reddit.pcap","alias":"nDPId-test","flow_id":15,"flow_packets_processed":255,"flow_first_seen":1605291686064,"flow_last_seen":1605291688712,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":4192,"flow_tot_l4_payload_len":148115,"flow_avg_l4_payload_len":580,"midstream":0,"ts_msec":1605291688712,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56582,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"preview.redd.it","server_names":"redd.it,*.redd.it","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.redd.it","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"3D:15:31:F3:94:55:33:92:88:5C:61:40:B0:FD:ED:27:6D:29:3A:12"}}
00589{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":4030,"source":"reddit.pcap","alias":"nDPId-test","flow_id":38,"flow_packets_processed":1,"flow_first_seen":1605291688712,"flow_last_seen":1605291688712,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1605291688712,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:808::2006","src_port":54726,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00501{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4030,"source":"reddit.pcap","alias":"nDPId-test","flow_id":38,"flow_packet_id":1,"flow_last_seen":1605291688712,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605291688712,"pkt":"qtsDr8lk5EKm5WPyht1gBqw+ACgGQCoBywEgSYsHmR3shSjf9ikqABRQQAcICAAAAAAAACAG1cYBu1QhHQQAAAAAoAL9IGnKAAACBAWgBAIICoWLJ5EAAAAAAQMDBw=="}
00589{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":4145,"source":"reddit.pcap","alias":"nDPId-test","flow_id":39,"flow_packets_processed":1,"flow_first_seen":1605291688749,"flow_last_seen":1605291688749,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1605291688749,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2004","src_port":57282,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00502{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4145,"source":"reddit.pcap","alias":"nDPId-test","flow_id":39,"flow_packet_id":1,"flow_last_seen":1605291688749,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605291688749,"pkt":"qtsDr8lk5EKm5WPyht1gCJDMACgGQCoBywEgSYsHmR3shSjf9ikqABRQQAcIBQAAAAAAACAE38IBu+NAO7IAAAAAoAL9ICgwAAACBAWgBAIICm3\/yPIAAAAAAQMDBw=="}
00502{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4156,"source":"reddit.pcap","alias":"nDPId-test","flow_id":38,"flow_packet_id":2,"flow_last_seen":1605291688754,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605291688754,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPSoAFFBABwgIAAAAAAAAIAYqAcsBIEmLB5kd7IUo3\/YpAbvVxjGyAqhUIR0FoBJXgNU8AAACBAV4AQMDAwQCCArC10MXhYsnkQ=="}
00489{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4158,"source":"reddit.pcap","alias":"nDPId-test","flow_id":38,"flow_packet_id":3,"flow_last_seen":1605291688754,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"ts_msec":1605291688754,"pkt":"qtsDr8lk5EKm5WPyht1gBqw+ACAGQCoBywEgSYsHmR3shSjf9ikqABRQQAcICAAAAAAAACAG1cYBu1QhHQUxsgKpgBAB+1kkAAABAQgKhYsnu8LXQxc="}
-00907{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":4161,"source":"reddit.pcap","alias":"nDPId-test","flow_id":38,"flow_packets_processed":4,"flow_first_seen":1605291688712,"flow_last_seen":1605291688754,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1605291688754,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:808::2006","src_port":54726,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"static.doubleclick.net","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+00915{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":4161,"source":"reddit.pcap","alias":"nDPId-test","flow_id":38,"flow_packets_processed":4,"flow_first_seen":1605291688712,"flow_last_seen":1605291688754,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1605291688754,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:808::2006","src_port":54726,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Advertisement"},"tls": {"version":"TLSv1.2","client_requested_server_name":"static.doubleclick.net","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00504{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4267,"source":"reddit.pcap","alias":"nDPId-test","flow_id":39,"flow_packet_id":2,"flow_last_seen":1605291688786,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605291688786,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPSoAFFBABwgFAAAAAAAAIAQqAcsBIEmLB5kd7IUo3\/YpAbvfwoEYYXPjQDuzoBJXgOVIAAACBAV4AQMDAwQCCArC10M\/bf\/I8g=="}
00490{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4268,"source":"reddit.pcap","alias":"nDPId-test","flow_id":39,"flow_packet_id":3,"flow_last_seen":1605291688786,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"ts_msec":1605291688786,"pkt":"qtsDr8lk5EKm5WPyht1gCJDMACAGQCoBywEgSYsHmR3shSjf9ikqABRQQAcIBQAAAAAAACAE38IBu+NAO7OBGGF0gBAB+2k0AAABAQgKbf\/JGMLXQz8="}
-00899{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":4269,"source":"reddit.pcap","alias":"nDPId-test","flow_id":39,"flow_packets_processed":4,"flow_first_seen":1605291688749,"flow_last_seen":1605291688786,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1605291688786,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2004","src_port":57282,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.google.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-00948{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":4414,"source":"reddit.pcap","alias":"nDPId-test","flow_id":38,"flow_packets_processed":6,"flow_first_seen":1605291688712,"flow_last_seen":1605291688813,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1208,"flow_tot_l4_payload_len":1725,"flow_avg_l4_payload_len":287,"midstream":0,"ts_msec":1605291688813,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:808::2006","src_port":54726,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"static.doubleclick.net","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+00897{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":4269,"source":"reddit.pcap","alias":"nDPId-test","flow_id":39,"flow_packets_processed":4,"flow_first_seen":1605291688749,"flow_last_seen":1605291688786,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1605291688786,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2004","src_port":57282,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.google.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+00956{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":4414,"source":"reddit.pcap","alias":"nDPId-test","flow_id":38,"flow_packets_processed":6,"flow_first_seen":1605291688712,"flow_last_seen":1605291688813,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1208,"flow_tot_l4_payload_len":1725,"flow_avg_l4_payload_len":287,"midstream":0,"ts_msec":1605291688813,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:808::2006","src_port":54726,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Advertisement"},"tls": {"version":"TLSv1.3","client_requested_server_name":"static.doubleclick.net","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00589{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":4492,"source":"reddit.pcap","alias":"nDPId-test","flow_id":40,"flow_packets_processed":1,"flow_first_seen":1605291688830,"flow_last_seen":1605291688830,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1605291688830,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2001","src_port":58122,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00501{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4492,"source":"reddit.pcap","alias":"nDPId-test","flow_id":40,"flow_packet_id":1,"flow_last_seen":1605291688830,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605291688830,"pkt":"qtsDr8lk5EKm5WPyht1gBrB0ACgGQCoBywEgSYsHmR3shSjf9ikqABRQQAcIBQAAAAAAACAB4woBuyKqv5AAAAAAoAL9IFwjAAACBAWgBAIICu7gTZEAAAAAAQMDBw=="}
00589{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":4499,"source":"reddit.pcap","alias":"nDPId-test","flow_id":41,"flow_packets_processed":1,"flow_first_seen":1605291688831,"flow_last_seen":1605291688831,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1605291688831,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:815::2016","src_port":52296,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
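Review bot: The doubled `"issuerDN"` key on the removed flow 15 line shows that a duplicate-key serialisation bug could sit in the golden output unnoticed, and nothing visible in this hunk guards against a repeat. With last-key-wins parsing, the old record would have reported the certificate subject (`CN=*.redd.it`) as the issuer, which is misleading for anyone matching on issuer in downstream detection. Schema validation normally runs on the already-parsed object and cannot see duplicates; if the test harness parses these lines (for example in Python), consider rejecting repeated keys at parse time with an `object_pairs_hook` passed to `json.loads` that raises on a repeat. The serialiser that emits these fields is outside this hunk.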
@@ -265,13 +265,13 @@
00503{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4537,"source":"reddit.pcap","alias":"nDPId-test","flow_id":42,"flow_packet_id":1,"flow_last_seen":1605291688843,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605291688843,"pkt":"qtsDr8lk5EKm5WPyht1gAjZHACgGQCoBywEgSYsHmR3shSjf9ikqABRQQAcIDAAAAAAAACADuMYBu5\/Vp\/oAAAAAoAL9IC3PAAACBAWgBAIICjfz93gAAAAAAQMDBw=="}
00589{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":4538,"source":"reddit.pcap","alias":"nDPId-test","flow_id":43,"flow_packets_processed":1,"flow_first_seen":1605291688843,"flow_last_seen":1605291688843,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1605291688843,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80c::2003","src_port":47304,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00501{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4538,"source":"reddit.pcap","alias":"nDPId-test","flow_id":43,"flow_packet_id":1,"flow_last_seen":1605291688843,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605291688843,"pkt":"qtsDr8lk5EKm5WPyht1gC3ZcACgGQCoBywEgSYsHmR3shSjf9ikqABRQQAcIDAAAAAAAACADuMgBu1ulIdYAAAAAoAL9IPghAAACBAWgBAIICjfz93gAAAAAAQMDBw=="}
-00940{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":4539,"source":"reddit.pcap","alias":"nDPId-test","flow_id":39,"flow_packets_processed":6,"flow_first_seen":1605291688749,"flow_last_seen":1605291688848,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1208,"flow_tot_l4_payload_len":1725,"flow_avg_l4_payload_len":287,"midstream":0,"ts_msec":1605291688848,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2004","src_port":57282,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"www.google.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+00938{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":4539,"source":"reddit.pcap","alias":"nDPId-test","flow_id":39,"flow_packets_processed":6,"flow_first_seen":1605291688749,"flow_last_seen":1605291688848,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1208,"flow_tot_l4_payload_len":1725,"flow_avg_l4_payload_len":287,"midstream":0,"ts_msec":1605291688848,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2004","src_port":57282,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"www.google.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00503{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4815,"source":"reddit.pcap","alias":"nDPId-test","flow_id":42,"flow_packet_id":2,"flow_last_seen":1605291688889,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605291688889,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPSoAFFBABwgMAAAAAAAAIAMqAcsBIEmLB5kd7IUo3\/YpAbu4xvp17E2f1af7oBJXgOZHAAACBAV4AQMDAwQCCArC10OnN\/P3eA=="}
00503{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4816,"source":"reddit.pcap","alias":"nDPId-test","flow_id":43,"flow_packet_id":2,"flow_last_seen":1605291688889,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605291688889,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPSoAFFBABwgMAAAAAAAAIAMqAcsBIEmLB5kd7IUo3\/YpAbu4yD8lZERbpSHXoBJXgPP1AAACBAV4AQMDAwQCCArC10OmN\/P3eA=="}
00492{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4820,"source":"reddit.pcap","alias":"nDPId-test","flow_id":42,"flow_packet_id":3,"flow_last_seen":1605291688889,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"ts_msec":1605291688889,"pkt":"qtsDr8lk5EKm5WPyht1gAjZHACAGQCoBywEgSYsHmR3shSjf9ikqABRQQAcIDAAAAAAAACADuMYBu5\/Vp\/v6dexOgBAB+2orAAABAQgKN\/P3psLXQ6c="}
00491{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4821,"source":"reddit.pcap","alias":"nDPId-test","flow_id":43,"flow_packet_id":3,"flow_last_seen":1605291688889,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"ts_msec":1605291688889,"pkt":"qtsDr8lk5EKm5WPyht1gC3ZcACAGQCoBywEgSYsHmR3shSjf9ikqABRQQAcIDAAAAAAAACADuMgBu1ulIdc\/JWRFgBAB+3fZAAABAQgKN\/P3psLXQ6Y="}
-00902{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":4826,"source":"reddit.pcap","alias":"nDPId-test","flow_id":42,"flow_packets_processed":4,"flow_first_seen":1605291688843,"flow_last_seen":1605291688889,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1605291688889,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80c::2003","src_port":47302,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"fonts.gstatic.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-00902{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":4827,"source":"reddit.pcap","alias":"nDPId-test","flow_id":43,"flow_packets_processed":4,"flow_first_seen":1605291688843,"flow_last_seen":1605291688889,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1605291688889,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80c::2003","src_port":47304,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"fonts.gstatic.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+00900{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":4826,"source":"reddit.pcap","alias":"nDPId-test","flow_id":42,"flow_packets_processed":4,"flow_first_seen":1605291688843,"flow_last_seen":1605291688889,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1605291688889,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80c::2003","src_port":47302,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"fonts.gstatic.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+00900{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":4827,"source":"reddit.pcap","alias":"nDPId-test","flow_id":43,"flow_packets_processed":4,"flow_first_seen":1605291688843,"flow_last_seen":1605291688889,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1605291688889,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80c::2003","src_port":47304,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"fonts.gstatic.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00502{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4856,"source":"reddit.pcap","alias":"nDPId-test","flow_id":40,"flow_packet_id":2,"flow_last_seen":1605291688893,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605291688893,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPSoAFFBABwgFAAAAAAAAIAEqAcsBIEmLB5kd7IUo3\/YpAbvjCkXQfikiqr+RoBJXgDd0AAACBAV4AQMDAwQCCArC10OZ7uBNkQ=="}
00489{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4858,"source":"reddit.pcap","alias":"nDPId-test","flow_id":40,"flow_packet_id":3,"flow_last_seen":1605291688893,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"ts_msec":1605291688893,"pkt":"qtsDr8lk5EKm5WPyht1gBrB0ACAGQCoBywEgSYsHmR3shSjf9ikqABRQQAcIBQAAAAAAACAB4woBuyKqv5FF0H4qgBAB+7tFAAABAQgK7uBN0cLXQ5k="}
00892{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":4861,"source":"reddit.pcap","alias":"nDPId-test","flow_id":40,"flow_packets_processed":4,"flow_first_seen":1605291688830,"flow_last_seen":1605291688894,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1605291688894,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2001","src_port":58122,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.YouTube","breed":"Fun","category":"Media"},"tls": {"version":"TLSv1.2","client_requested_server_name":"yt3.ggpht.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
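Review bot: The `detected` events on the added lines for flows 42 and 43 still carry `"cipher":"TLS_NULL_WITH_NULL_NULL"`, `"ja3s":""` and `"version":"TLSv1.2"` alongside `"unsafe_cipher":0`, which reads as a negotiated NULL cipher suite that was judged safe. The `detection-update` for flow 39 in this same hunk reports TLSv1.3 with `TLS_AES_128_GCM_SHA256`, so these look like unset defaults emitted before the ServerHello was parsed, though the serialiser is not visible here. A consumer alerting on weak ciphers either gets a false positive or learns to ignore the field; consider omitting the server-derived fields until they are known, or documenting the placeholder in `schema/flow_event_schema.json`. The commit leaves this unchanged, since on these lines it only alters `breed`.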
@@ -280,25 +280,25 @@
00890{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":4885,"source":"reddit.pcap","alias":"nDPId-test","flow_id":41,"flow_packets_processed":4,"flow_first_seen":1605291688831,"flow_last_seen":1605291688895,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1605291688895,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:815::2016","src_port":52296,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.YouTube","breed":"Fun","category":"Media"},"tls": {"version":"TLSv1.2","client_requested_server_name":"i.ytimg.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00933{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":5588,"source":"reddit.pcap","alias":"nDPId-test","flow_id":40,"flow_packets_processed":6,"flow_first_seen":1605291688830,"flow_last_seen":1605291688963,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1208,"flow_tot_l4_payload_len":1725,"flow_avg_l4_payload_len":287,"midstream":0,"ts_msec":1605291688963,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2001","src_port":58122,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.YouTube","breed":"Fun","category":"Media"},"tls": {"version":"TLSv1.3","client_requested_server_name":"yt3.ggpht.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00931{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":5606,"source":"reddit.pcap","alias":"nDPId-test","flow_id":41,"flow_packets_processed":6,"flow_first_seen":1605291688831,"flow_last_seen":1605291688963,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1208,"flow_tot_l4_payload_len":1725,"flow_avg_l4_payload_len":287,"midstream":0,"ts_msec":1605291688963,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:815::2016","src_port":52296,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.YouTube","breed":"Fun","category":"Media"},"tls": {"version":"TLSv1.3","client_requested_server_name":"i.ytimg.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-00943{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":5611,"source":"reddit.pcap","alias":"nDPId-test","flow_id":42,"flow_packets_processed":6,"flow_first_seen":1605291688843,"flow_last_seen":1605291688963,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1208,"flow_tot_l4_payload_len":1725,"flow_avg_l4_payload_len":287,"midstream":0,"ts_msec":1605291688963,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80c::2003","src_port":47302,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"fonts.gstatic.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-00943{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":5621,"source":"reddit.pcap","alias":"nDPId-test","flow_id":43,"flow_packets_processed":6,"flow_first_seen":1605291688843,"flow_last_seen":1605291688963,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1208,"flow_tot_l4_payload_len":1725,"flow_avg_l4_payload_len":287,"midstream":0,"ts_msec":1605291688963,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80c::2003","src_port":47304,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"fonts.gstatic.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+00941{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":5611,"source":"reddit.pcap","alias":"nDPId-test","flow_id":42,"flow_packets_processed":6,"flow_first_seen":1605291688843,"flow_last_seen":1605291688963,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1208,"flow_tot_l4_payload_len":1725,"flow_avg_l4_payload_len":287,"midstream":0,"ts_msec":1605291688963,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80c::2003","src_port":47302,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"fonts.gstatic.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+00941{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":5621,"source":"reddit.pcap","alias":"nDPId-test","flow_id":43,"flow_packets_processed":6,"flow_first_seen":1605291688843,"flow_last_seen":1605291688963,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1208,"flow_tot_l4_payload_len":1725,"flow_avg_l4_payload_len":287,"midstream":0,"ts_msec":1605291688963,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80c::2003","src_port":47304,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"fonts.gstatic.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00583{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":7094,"source":"reddit.pcap","alias":"nDPId-test","flow_id":44,"flow_packets_processed":1,"flow_first_seen":1605291689408,"flow_last_seen":1605291689408,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1605291689408,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56640,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00501{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":7094,"source":"reddit.pcap","alias":"nDPId-test","flow_id":44,"flow_packet_id":1,"flow_last_seen":1605291689408,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605291689408,"pkt":"qtsDr8lk5EKm5WPyht1gCYSFACgGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAACXZXmM3UABuxOPoYYAAAAAoAL9IMRnAAACBAWgBAIICql08xMAAAAAAQMDBw=="}
00503{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":7110,"source":"reddit.pcap","alias":"nDPId-test","flow_id":44,"flow_packet_id":2,"flow_last_seen":1605291689433,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605291689433,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPQBk\/5sAAAAAAAAAAJdleYwqAcsBIEmLB5kd7IUo3\/YpAbvdQHZ86cETj6GHoBJXgAFCAAACBAV4AQMDAwQCCArC10XLqXTzEw=="}
00489{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":7111,"source":"reddit.pcap","alias":"nDPId-test","flow_id":44,"flow_packet_id":3,"flow_last_seen":1605291689433,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"ts_msec":1605291689433,"pkt":"qtsDr8lk5EKm5WPyht1gCYSFACAGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAACXZXmM3UABuxOPoYd2fOnCgBAB+4U5AAABAQgKqXTzLcLXRcs="}
00898{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":7112,"source":"reddit.pcap","alias":"nDPId-test","flow_id":44,"flow_packets_processed":4,"flow_first_seen":1605291689408,"flow_last_seen":1605291689434,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1605291689434,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56640,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"gateway.reddit.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00954{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":8671,"source":"reddit.pcap","alias":"nDPId-test","flow_id":44,"flow_packets_processed":6,"flow_first_seen":1605291689408,"flow_last_seen":1605291689577,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":1565,"flow_avg_l4_payload_len":260,"midstream":0,"ts_msec":1605291689577,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56640,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"gateway.reddit.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-01223{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":8678,"source":"reddit.pcap","alias":"nDPId-test","flow_id":44,"flow_packets_processed":10,"flow_first_seen":1605291689408,"flow_last_seen":1605291689578,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":3661,"flow_avg_l4_payload_len":366,"midstream":0,"ts_msec":1605291689578,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56640,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"gateway.reddit.com","server_names":"reddit.com,*.reddit.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","issuerDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.reddit.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"DB:E9:D5:FE:EB:EF:68:34:55:FD:62:BA:C9:BB:04:D4:E3:22:18:81"}}
+01224{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":8678,"source":"reddit.pcap","alias":"nDPId-test","flow_id":44,"flow_packets_processed":10,"flow_first_seen":1605291689408,"flow_last_seen":1605291689578,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1048,"flow_tot_l4_payload_len":3661,"flow_avg_l4_payload_len":366,"midstream":0,"ts_msec":1605291689578,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56640,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Reddit","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"gateway.reddit.com","server_names":"reddit.com,*.reddit.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.reddit.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"DB:E9:D5:FE:EB:EF:68:34:55:FD:62:BA:C9:BB:04:D4:E3:22:18:81"}}
00589{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":9080,"source":"reddit.pcap","alias":"nDPId-test","flow_id":45,"flow_packets_processed":1,"flow_first_seen":1605291690373,"flow_last_seen":1605291690373,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1605291690373,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2002","src_port":51006,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00501{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9080,"source":"reddit.pcap","alias":"nDPId-test","flow_id":45,"flow_packet_id":1,"flow_last_seen":1605291690373,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605291690373,"pkt":"qtsDr8lk5EKm5WPyht1gB68TACgGQCoBywEgSYsHmR3shSjf9ikqABRQQAcIBQAAAAAAACACxz4Buz6Su2UAAAAAoAL9IFr7AAACBAWgBAIIClRf7UgAAAAAAQMDBw=="}
00589{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":9081,"source":"reddit.pcap","alias":"nDPId-test","flow_id":46,"flow_packets_processed":1,"flow_first_seen":1605291690384,"flow_last_seen":1605291690384,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1605291690384,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80b::2002","src_port":59336,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00501{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9081,"source":"reddit.pcap","alias":"nDPId-test","flow_id":46,"flow_packet_id":1,"flow_last_seen":1605291690384,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605291690384,"pkt":"qtsDr8lk5EKm5WPyht1gCvtsACgGQCoBywEgSYsHmR3shSjf9ikqABRQQAcICwAAAAAAACAC58gBu5uynDEAAAAAoAL9IAqWAAACBAWgBAIICgxmJysAAAAAAQMDBw=="}
00503{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9082,"source":"reddit.pcap","alias":"nDPId-test","flow_id":45,"flow_packet_id":2,"flow_last_seen":1605291690396,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605291690396,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPSoAFFBABwgFAAAAAAAAIAIqAcsBIEmLB5kd7IUo3\/YpAbvHPls7Xl4+krtmoBJXgDq4AAACBAV4AQMDAwQCCArC10mNVF\/tSA=="}
00490{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9083,"source":"reddit.pcap","alias":"nDPId-test","flow_id":45,"flow_packet_id":3,"flow_last_seen":1605291690396,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"ts_msec":1605291690396,"pkt":"qtsDr8lk5EKm5WPyht1gB68TACAGQCoBywEgSYsHmR3shSjf9ikqABRQQAcIBQAAAAAAACACxz4Buz6Su2ZbO15fgBAB+76yAAABAQgKVF\/tX8LXSY0="}
-00904{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":9084,"source":"reddit.pcap","alias":"nDPId-test","flow_id":45,"flow_packets_processed":4,"flow_first_seen":1605291690373,"flow_last_seen":1605291690396,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1605291690396,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2002","src_port":51006,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"adservice.google.fr","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+00902{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":9084,"source":"reddit.pcap","alias":"nDPId-test","flow_id":45,"flow_packets_processed":4,"flow_first_seen":1605291690373,"flow_last_seen":1605291690396,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1605291690396,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2002","src_port":51006,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"adservice.google.fr","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00503{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9086,"source":"reddit.pcap","alias":"nDPId-test","flow_id":46,"flow_packet_id":2,"flow_last_seen":1605291690402,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605291690402,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPSoAFFBABwgLAAAAAAAAIAIqAcsBIEmLB5kd7IUo3\/YpAbvnyP\/5OOmbspwyoBJXgGsCAAACBAV4AQMDAwQCCArC10mUDGYnKw=="}
00490{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9087,"source":"reddit.pcap","alias":"nDPId-test","flow_id":46,"flow_packet_id":3,"flow_last_seen":1605291690402,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"ts_msec":1605291690402,"pkt":"qtsDr8lk5EKm5WPyht1gCvtsACAGQCoBywEgSYsHmR3shSjf9ikqABRQQAcICwAAAAAAACAC58gBu5uynDL\/+TjqgBAB++8BAAABAQgKDGYnPcLXSZQ="}
-00905{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":9088,"source":"reddit.pcap","alias":"nDPId-test","flow_id":46,"flow_packets_processed":4,"flow_first_seen":1605291690384,"flow_last_seen":1605291690403,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1605291690403,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80b::2002","src_port":59336,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"adservice.google.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+00903{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":9088,"source":"reddit.pcap","alias":"nDPId-test","flow_id":46,"flow_packets_processed":4,"flow_first_seen":1605291690384,"flow_last_seen":1605291690403,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1605291690403,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80b::2002","src_port":59336,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"adservice.google.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00583{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":9089,"source":"reddit.pcap","alias":"nDPId-test","flow_id":47,"flow_packets_processed":1,"flow_first_seen":1605291690405,"flow_last_seen":1605291690405,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1605291690405,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::345f:7ca5","src_port":46646,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00501{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9089,"source":"reddit.pcap","alias":"nDPId-test","flow_id":47,"flow_packet_id":1,"flow_last_seen":1605291690405,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605291690405,"pkt":"qtsDr8lk5EKm5WPyht1gBYjGACgGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAAA0X3yltjYBu5sO15YAAAAAoAL9IOjCAAACBAWgBAIICgKUPwEAAAAAAQMDBw=="}
00589{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":9090,"source":"reddit.pcap","alias":"nDPId-test","flow_id":48,"flow_packets_processed":1,"flow_first_seen":1605291690421,"flow_last_seen":1605291690421,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1605291690421,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80b::2001","src_port":59624,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
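Review bot: The regenerated `detected` records for flows 45 and 46 still pin `"cipher":"TLS_NULL_WITH_NULL_NULL"` next to `"ja3s":""` and `"unsafe_cipher":0`, which reads as a negotiated NULL suite although it looks like an unset default. Flow 44 in this same hunk shows the pattern: the same value in `detected`, then `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256` in `detection-update` once `ja3s` is populated. A consumer that alerts on NULL cipher suites would fire on every event emitted before the ServerHello is parsed. Since this commit already corrects the TLS serialisation (the duplicate `issuerDN` key becomes `subjectDN`), the emitter, presumably in nDPId.c, which is not shown here, could omit `cipher` and `unsafe_cipher` while `ja3s` is empty. Alternatively, schema/flow_event_schema.json could state in the field description that the value is a placeholder until the server side of the handshake has been seen.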
@@ -306,14 +306,14 @@
00505{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9093,"source":"reddit.pcap","alias":"nDPId-test","flow_id":47,"flow_packet_id":2,"flow_last_seen":1605291690440,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605291690440,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPQBk\/5sAAAAAAAAAADRffKUqAcsBIEmLB5kd7IUo3\/YpAbu2Nv\/zx++bDteXoBJXgLoLAAACBAV4AQMDAwQCCArC10m3ApQ\/AQ=="}
00491{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9094,"source":"reddit.pcap","alias":"nDPId-test","flow_id":47,"flow_packet_id":3,"flow_last_seen":1605291690440,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"ts_msec":1605291690440,"pkt":"qtsDr8lk5EKm5WPyht1gBYjGACAGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAAA0X3yltjYBu5sO15f\/88fwgBAB+z36AAABAQgKApQ\/JMLXSbc="}
00903{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":9095,"source":"reddit.pcap","alias":"nDPId-test","flow_id":47,"flow_packets_processed":4,"flow_first_seen":1605291690405,"flow_last_seen":1605291690440,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1605291690440,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::345f:7ca5","src_port":46646,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"aax-eu.amazon-adsystem.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-00945{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":9096,"source":"reddit.pcap","alias":"nDPId-test","flow_id":45,"flow_packets_processed":6,"flow_first_seen":1605291690373,"flow_last_seen":1605291690448,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1208,"flow_tot_l4_payload_len":1725,"flow_avg_l4_payload_len":287,"midstream":0,"ts_msec":1605291690448,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2002","src_port":51006,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"adservice.google.fr","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+00943{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":9096,"source":"reddit.pcap","alias":"nDPId-test","flow_id":45,"flow_packets_processed":6,"flow_first_seen":1605291690373,"flow_last_seen":1605291690448,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1208,"flow_tot_l4_payload_len":1725,"flow_avg_l4_payload_len":287,"midstream":0,"ts_msec":1605291690448,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2002","src_port":51006,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"adservice.google.fr","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00502{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9098,"source":"reddit.pcap","alias":"nDPId-test","flow_id":48,"flow_packet_id":2,"flow_last_seen":1605291690449,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605291690449,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPSoAFFBABwgLAAAAAAAAIAEqAcsBIEmLB5kd7IUo3\/YpAbvo6PvOtUOc0w2EoBJXgGkiAAACBAV4AQMDAwQCCArC10m3XwTqiA=="}
-00946{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":9099,"source":"reddit.pcap","alias":"nDPId-test","flow_id":46,"flow_packets_processed":6,"flow_first_seen":1605291690384,"flow_last_seen":1605291690449,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1208,"flow_tot_l4_payload_len":1725,"flow_avg_l4_payload_len":287,"midstream":0,"ts_msec":1605291690449,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80b::2002","src_port":59336,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"adservice.google.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+00944{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":9099,"source":"reddit.pcap","alias":"nDPId-test","flow_id":46,"flow_packets_processed":6,"flow_first_seen":1605291690384,"flow_last_seen":1605291690449,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1208,"flow_tot_l4_payload_len":1725,"flow_avg_l4_payload_len":287,"midstream":0,"ts_msec":1605291690449,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80b::2002","src_port":59336,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"adservice.google.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00489{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9105,"source":"reddit.pcap","alias":"nDPId-test","flow_id":48,"flow_packet_id":3,"flow_last_seen":1605291690449,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"ts_msec":1605291690449,"pkt":"qtsDr8lk5EKm5WPyht1gBJW4ACAGQCoBywEgSYsHmR3shSjf9ikqABRQQAcICwAAAAAAACAB6OgBu5zTDYT7zrVEgBAB++0WAAABAQgKXwTqpcLXSbc="}
-00982{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":9112,"source":"reddit.pcap","alias":"nDPId-test","flow_id":48,"flow_packets_processed":4,"flow_first_seen":1605291690421,"flow_last_seen":1605291690449,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1605291690449,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80b::2001","src_port":59624,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"16":"Suspicious DGA domain name"},"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"8a755a3fef0b189d8ab5b0d10758f68a.safeframe.googlesyndication.co","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-01023{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":9134,"source":"reddit.pcap","alias":"nDPId-test","flow_id":48,"flow_packets_processed":6,"flow_first_seen":1605291690421,"flow_last_seen":1605291690483,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1208,"flow_tot_l4_payload_len":1725,"flow_avg_l4_payload_len":287,"midstream":0,"ts_msec":1605291690483,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80b::2001","src_port":59624,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"16":"Suspicious DGA domain name"},"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"8a755a3fef0b189d8ab5b0d10758f68a.safeframe.googlesyndication.co","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+00957{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":9112,"source":"reddit.pcap","alias":"nDPId-test","flow_id":48,"flow_packets_processed":4,"flow_first_seen":1605291690421,"flow_last_seen":1605291690449,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1605291690449,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80b::2001","src_port":59624,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Advertisement"},"tls": {"version":"TLSv1.2","client_requested_server_name":"8a755a3fef0b189d8ab5b0d10758f68a.safeframe.googlesyndication.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+00998{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":9134,"source":"reddit.pcap","alias":"nDPId-test","flow_id":48,"flow_packets_processed":6,"flow_first_seen":1605291690421,"flow_last_seen":1605291690483,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1208,"flow_tot_l4_payload_len":1725,"flow_avg_l4_payload_len":287,"midstream":0,"ts_msec":1605291690483,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80b::2001","src_port":59624,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Advertisement"},"tls": {"version":"TLSv1.3","client_requested_server_name":"8a755a3fef0b189d8ab5b0d10758f68a.safeframe.googlesyndication.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00959{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":9160,"source":"reddit.pcap","alias":"nDPId-test","flow_id":47,"flow_packets_processed":6,"flow_first_seen":1605291690405,"flow_last_seen":1605291690501,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1360,"flow_tot_l4_payload_len":1877,"flow_avg_l4_payload_len":312,"midstream":0,"ts_msec":1605291690501,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::345f:7ca5","src_port":46646,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"aax-eu.amazon-adsystem.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"49b45fc1ab090aa3a159778313fc9b9e","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-01263{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":9166,"source":"reddit.pcap","alias":"nDPId-test","flow_id":47,"flow_packets_processed":12,"flow_first_seen":1605291690405,"flow_last_seen":1605291690502,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1360,"flow_tot_l4_payload_len":5957,"flow_avg_l4_payload_len":496,"midstream":0,"ts_msec":1605291690502,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::345f:7ca5","src_port":46646,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"aax-eu.amazon-adsystem.com","server_names":"aax-eu.amazon-adsystem.com,aax.amazon-adsystem.com,aax-cpm.amazon-adsystem.com,aax-dtb-web.amazon-adsystem.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"49b45fc1ab090aa3a159778313fc9b9e","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Amazon, OU=Server CA 1B, CN=Amazon","issuerDN":"CN=aax-eu.amazon-adsystem.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"5D:18:8E:CB:B7:91:5C:79:26:B5:08:49:FF:2C:24:D8:06:54:91:8B"}}
+01264{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":9166,"source":"reddit.pcap","alias":"nDPId-test","flow_id":47,"flow_packets_processed":12,"flow_first_seen":1605291690405,"flow_last_seen":1605291690502,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1360,"flow_tot_l4_payload_len":5957,"flow_avg_l4_payload_len":496,"midstream":0,"ts_msec":1605291690502,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::345f:7ca5","src_port":46646,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"aax-eu.amazon-adsystem.com","server_names":"aax-eu.amazon-adsystem.com,aax.amazon-adsystem.com,aax-cpm.amazon-adsystem.com,aax-dtb-web.amazon-adsystem.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"49b45fc1ab090aa3a159778313fc9b9e","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Amazon, OU=Server CA 1B, CN=Amazon","subjectDN":"CN=aax-eu.amazon-adsystem.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"5D:18:8E:CB:B7:91:5C:79:26:B5:08:49:FF:2C:24:D8:06:54:91:8B"}}
00589{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":9279,"source":"reddit.pcap","alias":"nDPId-test","flow_id":49,"flow_packets_processed":1,"flow_first_seen":1605291690926,"flow_last_seen":1605291690926,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1605291690926,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:808::2001","src_port":46806,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00502{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9279,"source":"reddit.pcap","alias":"nDPId-test","flow_id":49,"flow_packet_id":1,"flow_last_seen":1605291690926,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605291690926,"pkt":"qtsDr8lk5EKm5WPyht1gDDgdACgGQCoBywEgSYsHmR3shSjf9ikqABRQQAcICAAAAAAAACABttYBu\/eX0dQAAAAAoAL9IKwyAAACBAWgBAIIChrDFp8AAAAAAQMDBw=="}
00589{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":9280,"source":"reddit.pcap","alias":"nDPId-test","flow_id":50,"flow_packets_processed":1,"flow_first_seen":1605291690926,"flow_last_seen":1605291690926,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1605291690926,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:808::2001","src_port":46808,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -356,14 +356,14 @@
00502{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9316,"source":"reddit.pcap","alias":"nDPId-test","flow_id":56,"flow_packet_id":2,"flow_last_seen":1605291690956,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605291690956,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPSoAFFBABwgPAAAAAAAAIAEqAcsBIEmLB5kd7IUo3\/YpAbuQZgWfUkJjbNefoBJXgN3ZAAACBAV4AQMDAwQCCArC10u+uJU7NA=="}
00489{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9317,"source":"reddit.pcap","alias":"nDPId-test","flow_id":55,"flow_packet_id":3,"flow_last_seen":1605291690956,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"ts_msec":1605291690956,"pkt":"qtsDr8lk5EKm5WPyht1gBnVWACAGQCoBywEgSYsHmR3shSjf9ikqABRQQAcIDwAAAAAAACABkGQBuyvivtxMvwvLgBAB+7F0AAABAQgKuJU7UsLXS74="}
00489{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9318,"source":"reddit.pcap","alias":"nDPId-test","flow_id":56,"flow_packet_id":3,"flow_last_seen":1605291690956,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"ts_msec":1605291690956,"pkt":"qtsDr8lk5EKm5WPyht1gDhWZACAGQCoBywEgSYsHmR3shSjf9ikqABRQQAcIDwAAAAAAACABkGYBu2Ns158Fn1JDgBAB+2HNAAABAQgKuJU7UsLXS74="}
-00910{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":9319,"source":"reddit.pcap","alias":"nDPId-test","flow_id":55,"flow_packets_processed":4,"flow_first_seen":1605291690926,"flow_last_seen":1605291690956,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1605291690956,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80f::2001","src_port":36964,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"tpc.googlesyndication.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-00910{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":9320,"source":"reddit.pcap","alias":"nDPId-test","flow_id":56,"flow_packets_processed":4,"flow_first_seen":1605291690926,"flow_last_seen":1605291690956,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1605291690956,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80f::2001","src_port":36966,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"tpc.googlesyndication.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+00918{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":9319,"source":"reddit.pcap","alias":"nDPId-test","flow_id":55,"flow_packets_processed":4,"flow_first_seen":1605291690926,"flow_last_seen":1605291690956,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1605291690956,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80f::2001","src_port":36964,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Advertisement"},"tls": {"version":"TLSv1.2","client_requested_server_name":"tpc.googlesyndication.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+00918{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":9320,"source":"reddit.pcap","alias":"nDPId-test","flow_id":56,"flow_packets_processed":4,"flow_first_seen":1605291690926,"flow_last_seen":1605291690956,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1605291690956,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80f::2001","src_port":36966,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Advertisement"},"tls": {"version":"TLSv1.2","client_requested_server_name":"tpc.googlesyndication.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00503{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9321,"source":"reddit.pcap","alias":"nDPId-test","flow_id":58,"flow_packet_id":2,"flow_last_seen":1605291690957,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605291690957,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPSoAFFBABwgPAAAAAAAAIAEqAcsBIEmLB5kd7IUo3\/YpAbuQan0Owi4YaAsmoBJXgA33AAACBAV4AQMDAwQCCArC10u\/uJU7NA=="}
00502{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9322,"source":"reddit.pcap","alias":"nDPId-test","flow_id":57,"flow_packet_id":2,"flow_last_seen":1605291690957,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605291690957,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPSoAFFBABwgPAAAAAAAAIAEqAcsBIEmLB5kd7IUo3\/YpAbuQaPhCx3meEC1CoBJXgOW1AAACBAV4AQMDAwQCCArC10u+uJU7NA=="}
00489{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9323,"source":"reddit.pcap","alias":"nDPId-test","flow_id":58,"flow_packet_id":3,"flow_last_seen":1605291690957,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"ts_msec":1605291690957,"pkt":"qtsDr8lk5EKm5WPyht1gCQMiACAGQCoBywEgSYsHmR3shSjf9ikqABRQQAcIDwAAAAAAACABkGoBuxhoCyZ9DsIvgBAB+5HpAAABAQgKuJU7U8LXS78="}
00489{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9324,"source":"reddit.pcap","alias":"nDPId-test","flow_id":57,"flow_packet_id":3,"flow_last_seen":1605291690957,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"ts_msec":1605291690957,"pkt":"qtsDr8lk5EKm5WPyht1gB5miACAGQCoBywEgSYsHmR3shSjf9ikqABRQQAcIDwAAAAAAACABkGgBu54QLUL4Qsd6gBAB+2moAAABAQgKuJU7U8LXS74="}
-00910{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":9325,"source":"reddit.pcap","alias":"nDPId-test","flow_id":58,"flow_packets_processed":4,"flow_first_seen":1605291690926,"flow_last_seen":1605291690957,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1605291690957,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80f::2001","src_port":36970,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"tpc.googlesyndication.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-00910{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":9326,"source":"reddit.pcap","alias":"nDPId-test","flow_id":57,"flow_packets_processed":4,"flow_first_seen":1605291690926,"flow_last_seen":1605291690957,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1605291690957,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80f::2001","src_port":36968,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"tpc.googlesyndication.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+00918{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":9325,"source":"reddit.pcap","alias":"nDPId-test","flow_id":58,"flow_packets_processed":4,"flow_first_seen":1605291690926,"flow_last_seen":1605291690957,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1605291690957,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80f::2001","src_port":36970,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Advertisement"},"tls": {"version":"TLSv1.2","client_requested_server_name":"tpc.googlesyndication.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+00918{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":9326,"source":"reddit.pcap","alias":"nDPId-test","flow_id":57,"flow_packets_processed":4,"flow_first_seen":1605291690926,"flow_last_seen":1605291690957,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1605291690957,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80f::2001","src_port":36968,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Advertisement"},"tls": {"version":"TLSv1.2","client_requested_server_name":"tpc.googlesyndication.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00929{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":9344,"source":"reddit.pcap","alias":"nDPId-test","flow_id":49,"flow_packets_processed":6,"flow_first_seen":1605291690926,"flow_last_seen":1605291690990,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1208,"flow_tot_l4_payload_len":1725,"flow_avg_l4_payload_len":287,"midstream":0,"ts_msec":1605291690990,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:808::2001","src_port":46806,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"cdn.ampproject.org","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00589{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":9357,"source":"reddit.pcap","alias":"nDPId-test","flow_id":59,"flow_packets_processed":1,"flow_first_seen":1605291690992,"flow_last_seen":1605291690992,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1605291690992,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80f::2001","src_port":36972,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00501{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9357,"source":"reddit.pcap","alias":"nDPId-test","flow_id":59,"flow_packet_id":1,"flow_last_seen":1605291690992,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605291690992,"pkt":"qtsDr8lk5EKm5WPyht1gDPazACgGQCoBywEgSYsHmR3shSjf9ikqABRQQAcIDwAAAAAAACABkGwBu4uuzGcAAAAAoAL9IIFCAAACBAWgBAIICriVO3YAAAAAAQMDBw=="}
@@ -372,10 +372,10 @@
00929{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":9391,"source":"reddit.pcap","alias":"nDPId-test","flow_id":52,"flow_packets_processed":6,"flow_first_seen":1605291690926,"flow_last_seen":1605291690998,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1208,"flow_tot_l4_payload_len":1725,"flow_avg_l4_payload_len":287,"midstream":0,"ts_msec":1605291690998,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:808::2001","src_port":46812,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"cdn.ampproject.org","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00929{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":9406,"source":"reddit.pcap","alias":"nDPId-test","flow_id":53,"flow_packets_processed":6,"flow_first_seen":1605291690926,"flow_last_seen":1605291690999,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1208,"flow_tot_l4_payload_len":1725,"flow_avg_l4_payload_len":287,"midstream":0,"ts_msec":1605291690999,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:808::2001","src_port":46814,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"cdn.ampproject.org","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00952{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":9417,"source":"reddit.pcap","alias":"nDPId-test","flow_id":54,"flow_packets_processed":6,"flow_first_seen":1605291690926,"flow_last_seen":1605291690999,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1208,"flow_tot_l4_payload_len":1725,"flow_avg_l4_payload_len":287,"midstream":0,"ts_msec":1605291690999,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:811::200a","src_port":38166,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.GoogleServices","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"fonts.googleapis.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-00951{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":9427,"source":"reddit.pcap","alias":"nDPId-test","flow_id":55,"flow_packets_processed":6,"flow_first_seen":1605291690926,"flow_last_seen":1605291691002,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1208,"flow_tot_l4_payload_len":1725,"flow_avg_l4_payload_len":287,"midstream":0,"ts_msec":1605291691002,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80f::2001","src_port":36964,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"tpc.googlesyndication.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-00951{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":9434,"source":"reddit.pcap","alias":"nDPId-test","flow_id":56,"flow_packets_processed":6,"flow_first_seen":1605291690926,"flow_last_seen":1605291691003,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1208,"flow_tot_l4_payload_len":1725,"flow_avg_l4_payload_len":287,"midstream":0,"ts_msec":1605291691003,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80f::2001","src_port":36966,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"tpc.googlesyndication.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-00951{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":9436,"source":"reddit.pcap","alias":"nDPId-test","flow_id":58,"flow_packets_processed":6,"flow_first_seen":1605291690926,"flow_last_seen":1605291691003,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1208,"flow_tot_l4_payload_len":1725,"flow_avg_l4_payload_len":287,"midstream":0,"ts_msec":1605291691003,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80f::2001","src_port":36970,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"tpc.googlesyndication.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-00951{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":9446,"source":"reddit.pcap","alias":"nDPId-test","flow_id":57,"flow_packets_processed":6,"flow_first_seen":1605291690926,"flow_last_seen":1605291691004,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1208,"flow_tot_l4_payload_len":1725,"flow_avg_l4_payload_len":287,"midstream":0,"ts_msec":1605291691004,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80f::2001","src_port":36968,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"tpc.googlesyndication.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+00959{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":9427,"source":"reddit.pcap","alias":"nDPId-test","flow_id":55,"flow_packets_processed":6,"flow_first_seen":1605291690926,"flow_last_seen":1605291691002,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1208,"flow_tot_l4_payload_len":1725,"flow_avg_l4_payload_len":287,"midstream":0,"ts_msec":1605291691002,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80f::2001","src_port":36964,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Advertisement"},"tls": {"version":"TLSv1.3","client_requested_server_name":"tpc.googlesyndication.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+00959{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":9434,"source":"reddit.pcap","alias":"nDPId-test","flow_id":56,"flow_packets_processed":6,"flow_first_seen":1605291690926,"flow_last_seen":1605291691003,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1208,"flow_tot_l4_payload_len":1725,"flow_avg_l4_payload_len":287,"midstream":0,"ts_msec":1605291691003,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80f::2001","src_port":36966,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Advertisement"},"tls": {"version":"TLSv1.3","client_requested_server_name":"tpc.googlesyndication.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+00959{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":9436,"source":"reddit.pcap","alias":"nDPId-test","flow_id":58,"flow_packets_processed":6,"flow_first_seen":1605291690926,"flow_last_seen":1605291691003,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1208,"flow_tot_l4_payload_len":1725,"flow_avg_l4_payload_len":287,"midstream":0,"ts_msec":1605291691003,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80f::2001","src_port":36970,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Advertisement"},"tls": {"version":"TLSv1.3","client_requested_server_name":"tpc.googlesyndication.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+00959{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":9446,"source":"reddit.pcap","alias":"nDPId-test","flow_id":57,"flow_packets_processed":6,"flow_first_seen":1605291690926,"flow_last_seen":1605291691004,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1208,"flow_tot_l4_payload_len":1725,"flow_avg_l4_payload_len":287,"midstream":0,"ts_msec":1605291691004,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80f::2001","src_port":36968,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Advertisement"},"tls": {"version":"TLSv1.3","client_requested_server_name":"tpc.googlesyndication.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00502{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9475,"source":"reddit.pcap","alias":"nDPId-test","flow_id":59,"flow_packet_id":2,"flow_last_seen":1605291691029,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605291691029,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPSoAFFBABwgPAAAAAAAAIAEqAcsBIEmLB5kd7IUo3\/YpAbuQbO1037mLrsxooBJXgErvAAACBAV4AQMDAwQCCArC10wIuJU7dg=="}
00474{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9476,"source":"reddit.pcap","alias":"nDPId-test","flow_id":59,"flow_packet_id":3,"flow_last_seen":1605291691029,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":74,"pkt_l4_len":20,"ts_msec":1605291691029,"pkt":"qtsDr8lk5EKm5WPyht1gBfK\/ABQGQCoBywEgSYsHmR3shSjf9ikqABRQQAcIDwAAAAAAACABkGwBu4uuzGgAAAAAUAQAANo6AAA="}
00584{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":11226,"source":"reddit.pcap","alias":"nDPId-test","flow_id":60,"flow_packets_processed":1,"flow_first_seen":1605291696948,"flow_last_seen":1605291696948,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1605291696948,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::34d3:acec","src_port":47006,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -384,7 +384,7 @@
00490{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":11228,"source":"reddit.pcap","alias":"nDPId-test","flow_id":60,"flow_packet_id":3,"flow_last_seen":1605291696965,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"ts_msec":1605291696965,"pkt":"qtsDr8lk5EKm5WPyht1gDNdJACAGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAAA006zst54Bu3jHKBUfTisWgBAB+3eDAAABAQgKUiG5tMLXYzc="}
00884{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":11229,"source":"reddit.pcap","alias":"nDPId-test","flow_id":60,"flow_packets_processed":4,"flow_first_seen":1605291696948,"flow_last_seen":1605291696965,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1605291696965,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::34d3:acec","src_port":47006,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"d9.flashtalking.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00940{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":11233,"source":"reddit.pcap","alias":"nDPId-test","flow_id":60,"flow_packets_processed":6,"flow_first_seen":1605291696948,"flow_last_seen":1605291697033,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1388,"flow_tot_l4_payload_len":1905,"flow_avg_l4_payload_len":317,"midstream":0,"ts_msec":1605291697033,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::34d3:acec","src_port":47006,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"d9.flashtalking.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-01353{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":11239,"source":"reddit.pcap","alias":"nDPId-test","flow_id":60,"flow_packets_processed":12,"flow_first_seen":1605291696948,"flow_last_seen":1605291697034,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1388,"flow_tot_l4_payload_len":6001,"flow_avg_l4_payload_len":500,"midstream":0,"ts_msec":1605291697034,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::34d3:acec","src_port":47006,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"d9.flashtalking.com","server_names":"tag.device9.com,www.tag.device9.com,fp.zenaps.com,the.sciencebehindecommerce.com,d9.flashtalking.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http:\/\/certs.godaddy.com\/repository\/, CN=Go Daddy Secure Certificate Authority - G2","issuerDN":"OU=Domain Control Validated, CN=tag.device9.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"8B:5C:A4:62:70:92:3A:09:C3:72:49:B2:A2:22:32:16:22:87:9D:F3"}}
+01354{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":11239,"source":"reddit.pcap","alias":"nDPId-test","flow_id":60,"flow_packets_processed":12,"flow_first_seen":1605291696948,"flow_last_seen":1605291697034,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1388,"flow_tot_l4_payload_len":6001,"flow_avg_l4_payload_len":500,"midstream":0,"ts_msec":1605291697034,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::34d3:acec","src_port":47006,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"d9.flashtalking.com","server_names":"tag.device9.com,www.tag.device9.com,fp.zenaps.com,the.sciencebehindecommerce.com,d9.flashtalking.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http:\/\/certs.godaddy.com\/repository\/, CN=Go Daddy Secure Certificate Authority - G2","subjectDN":"OU=Domain Control Validated, CN=tag.device9.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"8B:5C:A4:62:70:92:3A:09:C3:72:49:B2:A2:22:32:16:22:87:9D:F3"}}
00601{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":11682,"source":"reddit.pcap","alias":"nDPId-test","flow_id":39,"flow_packets_processed":39,"flow_first_seen":1605291688749,"flow_last_seen":1605291688963,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1208,"flow_tot_l4_payload_len":10966,"flow_avg_l4_payload_len":281,"midstream":0,"ts_msec":1605291698785,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2004","src_port":57282,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00600{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":11682,"source":"reddit.pcap","alias":"nDPId-test","flow_id":46,"flow_packets_processed":33,"flow_first_seen":1605291690384,"flow_last_seen":1605291690520,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1208,"flow_tot_l4_payload_len":6642,"flow_avg_l4_payload_len":201,"midstream":0,"ts_msec":1605291698785,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80b::2002","src_port":59336,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00597{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":11682,"source":"reddit.pcap","alias":"nDPId-test","flow_id":26,"flow_packets_processed":782,"flow_first_seen":1605291687514,"flow_last_seen":1605291688963,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":6288,"flow_tot_l4_payload_len":596288,"flow_avg_l4_payload_len":762,"midstream":0,"ts_msec":1605291698785,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:789d","src_port":48240,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
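Review bot: The corrected record at packet_id 11239 shows that the previous expected output carried two `issuerDN` keys inside one `tls` object, and nothing visible here would stop that from being accepted again. Most JSON parsers keep the last duplicate key, so a consumer would likely have read the certificate subject as the issuer, which matters for any rule keyed on the issuing CA. Consider having the result check parse every emitted line with duplicate keys rejected, so a repeated key fails the run instead of being recorded as the expected output. The same correction appears in the safari.pcap.out hunks at packet_id 8, 923 and 5399. How the runner compares results is not visible in this diff, so the byte-for-byte comparison is an assumption.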
@@ -455,10 +455,10 @@
~~ total active/idle flows...: 60/60
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 2958723 bytes
-~~ total memory freed........: 2958723 bytes
-~~ total allocations/frees...: 47611/47611
+~~ total memory allocated....: 5596022 bytes
+~~ total memory freed........: 5596022 bytes
+~~ total allocations/frees...: 111807/111807
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 164 chars
-~~ json string max len.......: 1410 chars
+~~ json string max len.......: 1411 chars
~~ json string avg len.......: 857 chars
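Review bot: The allocation count in this summary rises by exactly 64196 (47611 to 111807) with about 2.6 MB more allocated, and the same +64196 shows up in the rtsp, rtsp_setup_http, rx, s7comm and safari result files. A constant delta across captures of very different sizes points to a fixed start-up cost rather than per-flow growth, presumably from the libnDPI submodule bump listed in the diffstat. The commit record should name the cause so the new baseline is a deliberate one and a later jump is not waved through the same way. Allocated and freed totals still match in every file, so these numbers do not indicate a leak.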
diff --git a/test/results/rtsp.pcap.out b/test/results/rtsp.pcap.out
index 9395c0b8b..7e950b34f 100644
--- a/test/results/rtsp.pcap.out
+++ b/test/results/rtsp.pcap.out
@@ -50,9 +50,9 @@
~~ total active/idle flows...: 7/7
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1968680 bytes
-~~ total memory freed........: 1968680 bytes
-~~ total allocations/frees...: 35932/35932
+~~ total memory allocated....: 4628451 bytes
+~~ total memory freed........: 4628451 bytes
+~~ total allocations/frees...: 100128/100128
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 159 chars
~~ json string max len.......: 651 chars
diff --git a/test/results/rtsp_setup_http.pcapng.out b/test/results/rtsp_setup_http.pcapng.out
index 4b47bf9c8..c190ca7d7 100644
--- a/test/results/rtsp_setup_http.pcapng.out
+++ b/test/results/rtsp_setup_http.pcapng.out
@@ -12,9 +12,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1930253 bytes
-~~ total memory freed........: 1930253 bytes
-~~ total allocations/frees...: 35341/35341
+~~ total memory allocated....: 4592568 bytes
+~~ total memory freed........: 4592568 bytes
+~~ total allocations/frees...: 99537/99537
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 169 chars
~~ json string max len.......: 701 chars
diff --git a/test/results/rx.pcap.out b/test/results/rx.pcap.out
index 8afeb423c..59fad6367 100644
--- a/test/results/rx.pcap.out
+++ b/test/results/rx.pcap.out
@@ -38,9 +38,9 @@
~~ total active/idle flows...: 5/5
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1938416 bytes
-~~ total memory freed........: 1938416 bytes
-~~ total allocations/frees...: 35482/35482
+~~ total memory allocated....: 4599035 bytes
+~~ total memory freed........: 4599035 bytes
+~~ total allocations/frees...: 99678/99678
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 157 chars
~~ json string max len.......: 1892 chars
diff --git a/test/results/s7comm.pcap.out b/test/results/s7comm.pcap.out
index 65192afa5..6ea4062a7 100644
--- a/test/results/s7comm.pcap.out
+++ b/test/results/s7comm.pcap.out
@@ -14,9 +14,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1929719 bytes
-~~ total memory freed........: 1929719 bytes
-~~ total allocations/frees...: 35393/35393
+~~ total memory allocated....: 4592034 bytes
+~~ total memory freed........: 4592034 bytes
+~~ total allocations/frees...: 99589/99589
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 159 chars
~~ json string max len.......: 589 chars
diff --git a/test/results/safari.pcap.out b/test/results/safari.pcap.out
index 2c1bcadcf..de0a07830 100644
--- a/test/results/safari.pcap.out
+++ b/test/results/safari.pcap.out
@@ -5,7 +5,7 @@
00456{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"safari.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_last_seen":1620898024085,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1620898024085,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGrCfAqAGykjA6EtfeAbt7aT+9DGPz3YAQECxliAAAAQEICjMwxXQ6Vqpv"}
00813{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"safari.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":4,"flow_first_seen":1620898024056,"flow_last_seen":1620898024085,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":235,"flow_tot_l4_payload_len":235,"flow_avg_l4_payload_len":58,"midstream":0,"ts_msec":1620898024085,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55262,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.iit.cnr.it","ja3":"a69708a64f853c3bcc214c2c5faf84f3","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1"}}
00870{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"safari.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":6,"flow_first_seen":1620898024056,"flow_last_seen":1620898024120,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":1675,"flow_avg_l4_payload_len":279,"midstream":0,"ts_msec":1620898024120,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55262,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.iit.cnr.it","ja3":"a69708a64f853c3bcc214c2c5faf84f3","ja3s":"263c859c5391203d774bc0599793d915","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1"}}
-01158{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":8,"source":"safari.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":8,"flow_first_seen":1620898024056,"flow_last_seen":1620898024120,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":3690,"flow_avg_l4_payload_len":461,"midstream":0,"ts_msec":1620898024120,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55262,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.iit.cnr.it","server_names":"www.iit.cnr.it","ja3":"a69708a64f853c3bcc214c2c5faf84f3","ja3s":"263c859c5391203d774bc0599793d915","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=NL, ST=Noord-Holland, L=Amsterdam, O=TERENA, CN=TERENA SSL CA 3","issuerDN":"C=IT, ST=Lazio, L=Roma, O=Consiglio Nazionale delle Ricerche, OU=IIT, CN=www.iit.cnr.it","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","fingerprint":"C4:F6:98:75:7E:20:5C:B6:33:14:59:3F:CF:26:96:38:D0:4B:73:69"}}
+01159{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":8,"source":"safari.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":8,"flow_first_seen":1620898024056,"flow_last_seen":1620898024120,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":3690,"flow_avg_l4_payload_len":461,"midstream":0,"ts_msec":1620898024120,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55262,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.iit.cnr.it","server_names":"www.iit.cnr.it","ja3":"a69708a64f853c3bcc214c2c5faf84f3","ja3s":"263c859c5391203d774bc0599793d915","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=NL, ST=Noord-Holland, L=Amsterdam, O=TERENA, CN=TERENA SSL CA 3","subjectDN":"C=IT, ST=Lazio, L=Roma, O=Consiglio Nazionale delle Ricerche, OU=IIT, CN=www.iit.cnr.it","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","fingerprint":"C4:F6:98:75:7E:20:5C:B6:33:14:59:3F:CF:26:96:38:D0:4B:73:69"}}
00548{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":29,"source":"safari.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":1,"flow_first_seen":1620898025216,"flow_last_seen":1620898025216,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1620898025216,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55265,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00476{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":29,"source":"safari.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_last_seen":1620898025216,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"ts_msec":1620898025216,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGrBvAqAGykjA6EtfhAbvK+gqhAAAAALAC\/\/\/8IwAAAgQFtAEDAwUBAQgKMzDJ0wAAAAAEAgAA"}
00548{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":30,"source":"safari.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":1,"flow_first_seen":1620898025216,"flow_last_seen":1620898025216,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1620898025216,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55266,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -36,14 +36,14 @@
00866{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":71,"source":"safari.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":6,"flow_first_seen":1620898025217,"flow_last_seen":1620898025279,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":211,"flow_tot_l4_payload_len":352,"flow_avg_l4_payload_len":58,"midstream":0,"ts_msec":1620898025279,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55268,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.iit.cnr.it","ja3":"ee4ced3f2d15de4b5cb6fb0a894fec9f","ja3s":"fd4bc6cea4877646ccd62f0792ec0b62","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"}}
00866{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":74,"source":"safari.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":6,"flow_first_seen":1620898025216,"flow_last_seen":1620898025281,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":211,"flow_tot_l4_payload_len":352,"flow_avg_l4_payload_len":58,"midstream":0,"ts_msec":1620898025281,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55266,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.iit.cnr.it","ja3":"ee4ced3f2d15de4b5cb6fb0a894fec9f","ja3s":"fd4bc6cea4877646ccd62f0792ec0b62","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"}}
00866{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":77,"source":"safari.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":6,"flow_first_seen":1620898025217,"flow_last_seen":1620898025284,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":211,"flow_tot_l4_payload_len":352,"flow_avg_l4_payload_len":58,"midstream":0,"ts_msec":1620898025284,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55269,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.iit.cnr.it","ja3":"ee4ced3f2d15de4b5cb6fb0a894fec9f","ja3s":"fd4bc6cea4877646ccd62f0792ec0b62","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"}}
-01164{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":923,"source":"safari.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":255,"flow_first_seen":1620898024056,"flow_last_seen":1620898025641,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":205796,"flow_avg_l4_payload_len":807,"midstream":0,"ts_msec":1620898025641,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55262,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.iit.cnr.it","server_names":"www.iit.cnr.it","ja3":"a69708a64f853c3bcc214c2c5faf84f3","ja3s":"263c859c5391203d774bc0599793d915","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=NL, ST=Noord-Holland, L=Amsterdam, O=TERENA, CN=TERENA SSL CA 3","issuerDN":"C=IT, ST=Lazio, L=Roma, O=Consiglio Nazionale delle Ricerche, OU=IIT, CN=www.iit.cnr.it","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","fingerprint":"C4:F6:98:75:7E:20:5C:B6:33:14:59:3F:CF:26:96:38:D0:4B:73:69"}}
+01165{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":923,"source":"safari.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":255,"flow_first_seen":1620898024056,"flow_last_seen":1620898025641,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":205796,"flow_avg_l4_payload_len":807,"midstream":0,"ts_msec":1620898025641,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55262,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.iit.cnr.it","server_names":"www.iit.cnr.it","ja3":"a69708a64f853c3bcc214c2c5faf84f3","ja3s":"263c859c5391203d774bc0599793d915","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=NL, ST=Noord-Holland, L=Amsterdam, O=TERENA, CN=TERENA SSL CA 3","subjectDN":"C=IT, ST=Lazio, L=Roma, O=Consiglio Nazionale delle Ricerche, OU=IIT, CN=www.iit.cnr.it","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","fingerprint":"C4:F6:98:75:7E:20:5C:B6:33:14:59:3F:CF:26:96:38:D0:4B:73:69"}}
00550{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":5392,"source":"safari.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":1,"flow_first_seen":1620898027036,"flow_last_seen":1620898027036,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1620898027036,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55285,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00477{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":5392,"source":"safari.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":1,"flow_last_seen":1620898027036,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"ts_msec":1620898027036,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGrBvAqAGykjA6Etf1AbvGGXtuAAAAALAC\/\/+JoQAAAgQFtAEDAwUBAQgKMzDQVQAAAAAEAgAA"}
00473{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":5393,"source":"safari.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":2,"flow_last_seen":1620898027065,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1620898027065,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADQGuB+SMDoSwKgBsgG71\/XZbafoxhl7b6AS\/ogqVAAAAgQFrAQCCAo6VrYRMzDQVQEDAwc="}
00459{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":5394,"source":"safari.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":3,"flow_last_seen":1620898027065,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1620898027065,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGrCfAqAGykjA6Etf1AbvGGXtv2W2n6YAQECxHWQAAAQEICjMw0HE6VrYR"}
00816{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":5395,"source":"safari.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":4,"flow_first_seen":1620898027036,"flow_last_seen":1620898027065,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":235,"flow_tot_l4_payload_len":235,"flow_avg_l4_payload_len":58,"midstream":0,"ts_msec":1620898027065,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55285,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.iit.cnr.it","ja3":"a69708a64f853c3bcc214c2c5faf84f3","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1"}}
00873{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":5397,"source":"safari.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":6,"flow_first_seen":1620898027036,"flow_last_seen":1620898027099,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":1675,"flow_avg_l4_payload_len":279,"midstream":0,"ts_msec":1620898027099,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55285,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.iit.cnr.it","ja3":"a69708a64f853c3bcc214c2c5faf84f3","ja3s":"263c859c5391203d774bc0599793d915","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1"}}
-01161{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":5399,"source":"safari.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":8,"flow_first_seen":1620898027036,"flow_last_seen":1620898027099,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":3690,"flow_avg_l4_payload_len":461,"midstream":0,"ts_msec":1620898027099,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55285,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.iit.cnr.it","server_names":"www.iit.cnr.it","ja3":"a69708a64f853c3bcc214c2c5faf84f3","ja3s":"263c859c5391203d774bc0599793d915","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=NL, ST=Noord-Holland, L=Amsterdam, O=TERENA, CN=TERENA SSL CA 3","issuerDN":"C=IT, ST=Lazio, L=Roma, O=Consiglio Nazionale delle Ricerche, OU=IIT, CN=www.iit.cnr.it","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","fingerprint":"C4:F6:98:75:7E:20:5C:B6:33:14:59:3F:CF:26:96:38:D0:4B:73:69"}}
+01162{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":5399,"source":"safari.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":8,"flow_first_seen":1620898027036,"flow_last_seen":1620898027099,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":3690,"flow_avg_l4_payload_len":461,"midstream":0,"ts_msec":1620898027099,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55285,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.iit.cnr.it","server_names":"www.iit.cnr.it","ja3":"a69708a64f853c3bcc214c2c5faf84f3","ja3s":"263c859c5391203d774bc0599793d915","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=NL, ST=Noord-Holland, L=Amsterdam, O=TERENA, CN=TERENA SSL CA 3","subjectDN":"C=IT, ST=Lazio, L=Roma, O=Consiglio Nazionale delle Ricerche, OU=IIT, CN=www.iit.cnr.it","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","fingerprint":"C4:F6:98:75:7E:20:5C:B6:33:14:59:3F:CF:26:96:38:D0:4B:73:69"}}
00565{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":6019,"source":"safari.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":2083,"flow_first_seen":1620898024056,"flow_last_seen":1620898029980,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":1877633,"flow_avg_l4_payload_len":901,"midstream":0,"ts_msec":1620898029980,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55262,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00563{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":6019,"source":"safari.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":801,"flow_first_seen":1620898025216,"flow_last_seen":1620898026198,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":648336,"flow_avg_l4_payload_len":809,"midstream":0,"ts_msec":1620898029980,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55265,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00563{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":6019,"source":"safari.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":621,"flow_first_seen":1620898025216,"flow_last_seen":1620898026065,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":509563,"flow_avg_l4_payload_len":820,"midstream":0,"ts_msec":1620898029980,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55266,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -60,10 +60,10 @@
~~ total active/idle flows...: 7/7
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 2163303 bytes
-~~ total memory freed........: 2163303 bytes
-~~ total allocations/frees...: 41398/41398
+~~ total memory allocated....: 4823074 bytes
+~~ total memory freed........: 4823074 bytes
+~~ total allocations/frees...: 105594/105594
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 162 chars
-~~ json string max len.......: 1169 chars
-~~ json string avg len.......: 735 chars
+~~ json string max len.......: 1170 chars
+~~ json string avg len.......: 736 chars
diff --git a/test/results/salesforce.pcap.out b/test/results/salesforce.pcap.out
new file mode 100644
index 000000000..4478e4dd3
--- /dev/null
+++ b/test/results/salesforce.pcap.out
@@ -0,0 +1,25 @@
+00444{"daemon_event_id":1,"daemon_event_name":"init","thread_id":0,"packet_id":0,"source":"salesforce.pcap","alias":"nDPId-test","max-flows-per-thread":2048,"max-idle-flows-per-thread":256,"tick-resolution":1000,"reader-thread-count":1,"flow-scan-interval":10000,"generic-max-idle-time":600000,"icmp-max-idle-time":120000,"udp-max-idle-time":180000,"tcp-max-idle-time":7560000,"max-packets-per-flow-to-send":3,"max-packets-per-flow-to-process":255}
+00551{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1,"source":"salesforce.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1637949675032,"flow_last_seen":1637949675032,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1637949675032,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"85.222.142.6","src_port":54399,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
+00479{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"salesforce.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_last_seen":1637949675032,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"ts_msec":1637949675032,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGlHnAqAGyVd6OBtR\/AbsUUf9OAAAAALAC\/\/85bQAAAgQFtAEDAwUBAQgKBrZmwAAAAAAEAgAA"}
+00473{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"salesforce.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_last_seen":1637949675060,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1637949675060,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADEGo31V3o4GwKgBsgG71H+paXwVFFH\/T6AScSBLcQAAAgQFjAQCCAok00OjBrZmwAEDAwc="}
+00461{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"salesforce.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_last_seen":1637949675061,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1637949675061,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGlIXAqAGyVd6OBtR\/AbsUUf9PqWl8FoAQECja8QAAAQEICga2Ztwk00Oj"}
+00836{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"salesforce.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":4,"flow_first_seen":1637949675032,"flow_last_seen":1637949675061,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1637949675061,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"85.222.142.6","src_port":54399,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Salesforce","breed":"Safe","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"help.salesforce.com","ja3":"7570245c781d7d7a68e31419177e728d","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1"}}
+00892{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"salesforce.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":6,"flow_first_seen":1637949675032,"flow_last_seen":1637949675088,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":1957,"flow_avg_l4_payload_len":326,"midstream":0,"ts_msec":1637949675088,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"85.222.142.6","src_port":54399,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Salesforce","breed":"Safe","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"help.salesforce.com","ja3":"7570245c781d7d7a68e31419177e728d","ja3s":"263c859c5391203d774bc0599793d915","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1"}}
+01201{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":8,"source":"salesforce.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":8,"flow_first_seen":1637949675032,"flow_last_seen":1637949675088,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":3982,"flow_avg_l4_payload_len":497,"midstream":0,"ts_msec":1637949675088,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"85.222.142.6","src_port":54399,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Salesforce","breed":"Safe","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"help.salesforce.com","server_names":"support.salesforce.com,help.salesforce.com","ja3":"7570245c781d7d7a68e31419177e728d","ja3s":"263c859c5391203d774bc0599793d915","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1","subjectDN":"C=US, ST=California, L=San Francisco, O=salesforce.com, inc., CN=support.salesforce.com","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","fingerprint":"69:0B:02:F6:58:63:79:69:21:33:61:1A:5C:3D:6A:BD:FC:55:0C:6F"}}
+00562{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":15,"source":"salesforce.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":15,"flow_first_seen":1637949675032,"flow_last_seen":1637949675181,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":4195,"flow_avg_l4_payload_len":279,"midstream":0,"ts_msec":1637949675181,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"85.222.142.6","src_port":54399,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
+00159{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":15,"source":"salesforce.pcap","alias":"nDPId-test","total-events-serialized":10}
+~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
+~~ packets captured/processed: 15/15
+~~ skipped flows.............: 0
+~~ total layer4 data length..: 4195 bytes
+~~ total detected protocols..: 1
+~~ total active/idle flows...: 1/1
+~~ total timeout flows.......: 0
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~ total memory allocated....: 4599305 bytes
+~~ total memory freed........: 4599305 bytes
+~~ total allocations/frees...: 99557/99557
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~ json string min len.......: 164 chars
+~~ json string max len.......: 1206 chars
+~~ json string avg len.......: 729 chars
diff --git a/test/results/selfsigned.pcap.out b/test/results/selfsigned.pcap.out
index 36f76af68..c85ce39fa 100644
--- a/test/results/selfsigned.pcap.out
+++ b/test/results/selfsigned.pcap.out
@@ -48,9 +48,9 @@
~~ total active/idle flows...: 0/0
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1926508 bytes
-~~ total memory freed........: 1926508 bytes
-~~ total allocations/frees...: 35335/35335
+~~ total memory allocated....: 4589247 bytes
+~~ total memory freed........: 4589247 bytes
+~~ total allocations/frees...: 99531/99531
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 164 chars
~~ json string max len.......: 2196 chars
diff --git a/test/results/signal.pcap.out b/test/results/signal.pcap.out
index 0e445c3c5..eba27461e 100644
--- a/test/results/signal.pcap.out
+++ b/test/results/signal.pcap.out
@@ -1,7 +1,7 @@
00440{"daemon_event_id":1,"daemon_event_name":"init","thread_id":0,"packet_id":0,"source":"signal.pcap","alias":"nDPId-test","max-flows-per-thread":2048,"max-idle-flows-per-thread":256,"tick-resolution":1000,"reader-thread-count":1,"flow-scan-interval":10000,"generic-max-idle-time":600000,"icmp-max-idle-time":120000,"udp-max-idle-time":180000,"tcp-max-idle-time":7560000,"max-packets-per-flow-to-send":3,"max-packets-per-flow-to-process":255}
00547{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1,"source":"signal.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1569051245838,"flow_last_seen":1569051245838,"flow_idle_time":180000,"flow_min_l4_payload_len":300,"flow_max_l4_payload_len":300,"flow_tot_l4_payload_len":300,"flow_avg_l4_payload_len":300,"midstream":0,"ts_msec":1569051245838,"l3_proto":"ip4","src_ip":"0.0.0.0","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00840{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"signal.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_last_seen":1569051245838,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":342,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":342,"pkt_l4_len":308,"ts_msec":1569051245838,"pkt":"\/\/\/\/\/\/\/\/2DBiVgAcCABFAAFIKS8AAP8RkXYAAAAA\/\/\/\/\/wBEAEMBNJxAAQEGACG6jqoAAQAAAAAAAAAAAAAAAAAAAAAAANgwYlYAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABjglNjNQEBNwoBeQMGD3f8XywuOQIF3D0HAdgwYlYAHDMEAHanAAwKTHVjYXMtaU1hY\/8AAAAAAAAAAAAAAAAA"}
-00636{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"signal.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1569051245838,"flow_last_seen":1569051245838,"flow_idle_time":180000,"flow_min_l4_payload_len":300,"flow_max_l4_payload_len":300,"flow_tot_l4_payload_len":300,"flow_avg_l4_payload_len":300,"midstream":0,"ts_msec":1569051245838,"l3_proto":"ip4","src_ip":"0.0.0.0","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","ndpi": {"proto":"DHCP","breed":"Acceptable","category":"Network"},"dhcp": {"fingerprint":"1,121,3,6,15,119,252,95,44,46"}}
+00677{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"signal.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1569051245838,"flow_last_seen":1569051245838,"flow_idle_time":180000,"flow_min_l4_payload_len":300,"flow_max_l4_payload_len":300,"flow_tot_l4_payload_len":300,"flow_avg_l4_payload_len":300,"midstream":0,"ts_msec":1569051245838,"l3_proto":"ip4","src_ip":"0.0.0.0","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","ndpi": {"proto":"DHCP","breed":"Acceptable","category":"Network"},"dhcp": {"hostname":"lucas-imac","fingerprint":"1,121,3,6,15,119,252,95,44,46","class_ident":""}}
00547{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2,"source":"signal.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":1,"flow_first_seen":1569051247593,"flow_last_seen":1569051247593,"flow_idle_time":180000,"flow_min_l4_payload_len":43,"flow_max_l4_payload_len":43,"flow_tot_l4_payload_len":43,"flow_avg_l4_payload_len":43,"midstream":0,"ts_msec":1569051247593,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"192.168.2.1","src_port":60793,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00484{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"signal.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_last_seen":1569051247593,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":85,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":85,"pkt_l4_len":51,"ts_msec":1569051247593,"pkt":"xiwDYGpkxGGLNYKpCABFAABHd8wAAP8RvnbAqAIRwKgCAe15ADUAM\/YJyvgBAAABAAAAAAAABGU2NzMFZHNjZTkKYWthbWFpZWRnZQNuZXQAAAEAAQ=="}
00720{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":2,"source":"signal.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":1,"flow_first_seen":1569051247593,"flow_last_seen":1569051247593,"flow_idle_time":180000,"flow_min_l4_payload_len":43,"flow_max_l4_payload_len":43,"flow_tot_l4_payload_len":43,"flow_avg_l4_payload_len":43,"midstream":0,"ts_msec":1569051247593,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"192.168.2.1","src_port":60793,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS","breed":"Acceptable","category":"Network"},"dns": {"query":"e673.dsce9.akamaiedge.net","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
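Review bot: The added `detected` line for flow 1 now serialises `"class_ident":""` inside the `dhcp` object, so a consumer cannot tell a client that sent no vendor class identifier from one that sent an empty one. Omitting the key when the option is absent would keep the event unambiguous. The same line reports `"hostname":"lucas-imac"`, while the host-name option bytes in the packet event two lines above decode to mixed case, so the value appears to be lowercased before it is serialised. That is worth stating in the schema description, because the hostname is client-supplied and anyone correlating these events with DHCP server logs will see the original spelling. The code that fills these fields is not part of this hunk, so where the normalisation happens is an inference from the output alone.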
@@ -34,13 +34,13 @@
00457{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":30,"source":"signal.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":3,"flow_last_seen":1569051247716,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1569051247716,"pkt":"xiwDYGpkxGGLNYKpCABFAAA0AABAAEAGZHzAqAIRIuHwrd68AbvGwW2ECR79gIAQBAtLWAAAAQEICihVUl9kFVbr"}
00853{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":31,"source":"signal.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":4,"flow_first_seen":1569051247601,"flow_last_seen":1569051247716,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1569051247716,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"34.225.240.173","src_port":57020,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Signal","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"textsecure-service.whispersystems.org","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
00900{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":59,"source":"signal.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":6,"flow_first_seen":1569051247594,"flow_last_seen":1569051247818,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":1637,"flow_avg_l4_payload_len":272,"midstream":0,"ts_msec":1569051247818,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"34.225.240.173","src_port":49226,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Signal","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"textsecure-service.whispersystems.org","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}
-01288{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":60,"source":"signal.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":7,"flow_first_seen":1569051247594,"flow_last_seen":1569051247818,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":2666,"flow_avg_l4_payload_len":380,"midstream":0,"ts_msec":1569051247818,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"34.225.240.173","src_port":49226,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Signal","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"textsecure-service.whispersystems.org","server_names":"textsecure-service.whispersystems.org,service.signal.org","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=California, L=San Francisco, O=Open Whisper Systems, OU=Open Whisper Systems, CN=TextSecure","issuerDN":"C=US, ST=California, O=Open Whisper Systems, OU=Open Whisper Systems, CN=textsecure-service.whispersystems.org","fingerprint":"5E:9E:63:F5:69:45:C7:DC:E6:4D:26:68:36:7E:C2:68:DB:02:60:8B"}}
+01289{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":60,"source":"signal.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":7,"flow_first_seen":1569051247594,"flow_last_seen":1569051247818,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":2666,"flow_avg_l4_payload_len":380,"midstream":0,"ts_msec":1569051247818,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"34.225.240.173","src_port":49226,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Signal","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"textsecure-service.whispersystems.org","server_names":"textsecure-service.whispersystems.org,service.signal.org","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=California, L=San Francisco, O=Open Whisper Systems, OU=Open Whisper Systems, CN=TextSecure","subjectDN":"C=US, ST=California, O=Open Whisper Systems, OU=Open Whisper Systems, CN=textsecure-service.whispersystems.org","fingerprint":"5E:9E:63:F5:69:45:C7:DC:E6:4D:26:68:36:7E:C2:68:DB:02:60:8B"}}
00909{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":63,"source":"signal.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":6,"flow_first_seen":1569051247600,"flow_last_seen":1569051247822,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":1957,"flow_avg_l4_payload_len":326,"midstream":0,"ts_msec":1569051247822,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"34.225.240.173","src_port":57019,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Signal","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"textsecure-service.whispersystems.org","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"1089ea6f0461a29006cc96dfe7a11d80","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
-01297{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":64,"source":"signal.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":7,"flow_first_seen":1569051247600,"flow_last_seen":1569051247822,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":2995,"flow_avg_l4_payload_len":427,"midstream":0,"ts_msec":1569051247822,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"34.225.240.173","src_port":57019,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Signal","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"textsecure-service.whispersystems.org","server_names":"textsecure-service.whispersystems.org,service.signal.org","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"1089ea6f0461a29006cc96dfe7a11d80","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=California, L=San Francisco, O=Open Whisper Systems, OU=Open Whisper Systems, CN=TextSecure","issuerDN":"C=US, ST=California, O=Open Whisper Systems, OU=Open Whisper Systems, CN=textsecure-service.whispersystems.org","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2","fingerprint":"5E:9E:63:F5:69:45:C7:DC:E6:4D:26:68:36:7E:C2:68:DB:02:60:8B"}}
+01298{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":64,"source":"signal.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":7,"flow_first_seen":1569051247600,"flow_last_seen":1569051247822,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":2995,"flow_avg_l4_payload_len":427,"midstream":0,"ts_msec":1569051247822,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"34.225.240.173","src_port":57019,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Signal","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"textsecure-service.whispersystems.org","server_names":"textsecure-service.whispersystems.org,service.signal.org","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"1089ea6f0461a29006cc96dfe7a11d80","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=California, L=San Francisco, O=Open Whisper Systems, OU=Open Whisper Systems, CN=TextSecure","subjectDN":"C=US, ST=California, O=Open Whisper Systems, OU=Open Whisper Systems, CN=textsecure-service.whispersystems.org","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2","fingerprint":"5E:9E:63:F5:69:45:C7:DC:E6:4D:26:68:36:7E:C2:68:DB:02:60:8B"}}
00909{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":68,"source":"signal.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":6,"flow_first_seen":1569051247603,"flow_last_seen":1569051247830,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":1957,"flow_avg_l4_payload_len":326,"midstream":0,"ts_msec":1569051247830,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"34.225.240.173","src_port":57021,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Signal","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"textsecure-service.whispersystems.org","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"1089ea6f0461a29006cc96dfe7a11d80","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
-01297{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":69,"source":"signal.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":7,"flow_first_seen":1569051247603,"flow_last_seen":1569051247830,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":2995,"flow_avg_l4_payload_len":427,"midstream":0,"ts_msec":1569051247830,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"34.225.240.173","src_port":57021,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Signal","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"textsecure-service.whispersystems.org","server_names":"textsecure-service.whispersystems.org,service.signal.org","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"1089ea6f0461a29006cc96dfe7a11d80","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=California, L=San Francisco, O=Open Whisper Systems, OU=Open Whisper Systems, CN=TextSecure","issuerDN":"C=US, ST=California, O=Open Whisper Systems, OU=Open Whisper Systems, CN=textsecure-service.whispersystems.org","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2","fingerprint":"5E:9E:63:F5:69:45:C7:DC:E6:4D:26:68:36:7E:C2:68:DB:02:60:8B"}}
+01298{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":69,"source":"signal.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":7,"flow_first_seen":1569051247603,"flow_last_seen":1569051247830,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":2995,"flow_avg_l4_payload_len":427,"midstream":0,"ts_msec":1569051247830,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"34.225.240.173","src_port":57021,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Signal","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"textsecure-service.whispersystems.org","server_names":"textsecure-service.whispersystems.org,service.signal.org","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"1089ea6f0461a29006cc96dfe7a11d80","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=California, L=San Francisco, O=Open Whisper Systems, OU=Open Whisper Systems, CN=TextSecure","subjectDN":"C=US, ST=California, O=Open Whisper Systems, OU=Open Whisper Systems, CN=textsecure-service.whispersystems.org","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2","fingerprint":"5E:9E:63:F5:69:45:C7:DC:E6:4D:26:68:36:7E:C2:68:DB:02:60:8B"}}
00909{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":71,"source":"signal.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":6,"flow_first_seen":1569051247601,"flow_last_seen":1569051247832,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":1957,"flow_avg_l4_payload_len":326,"midstream":0,"ts_msec":1569051247832,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"34.225.240.173","src_port":57020,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Signal","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"textsecure-service.whispersystems.org","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"1089ea6f0461a29006cc96dfe7a11d80","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
-01297{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":72,"source":"signal.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":7,"flow_first_seen":1569051247601,"flow_last_seen":1569051247832,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":2995,"flow_avg_l4_payload_len":427,"midstream":0,"ts_msec":1569051247832,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"34.225.240.173","src_port":57020,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Signal","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"textsecure-service.whispersystems.org","server_names":"textsecure-service.whispersystems.org,service.signal.org","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"1089ea6f0461a29006cc96dfe7a11d80","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=California, L=San Francisco, O=Open Whisper Systems, OU=Open Whisper Systems, CN=TextSecure","issuerDN":"C=US, ST=California, O=Open Whisper Systems, OU=Open Whisper Systems, CN=textsecure-service.whispersystems.org","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2","fingerprint":"5E:9E:63:F5:69:45:C7:DC:E6:4D:26:68:36:7E:C2:68:DB:02:60:8B"}}
+01298{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":72,"source":"signal.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":7,"flow_first_seen":1569051247601,"flow_last_seen":1569051247832,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":2995,"flow_avg_l4_payload_len":427,"midstream":0,"ts_msec":1569051247832,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"34.225.240.173","src_port":57020,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Signal","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"textsecure-service.whispersystems.org","server_names":"textsecure-service.whispersystems.org,service.signal.org","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"1089ea6f0461a29006cc96dfe7a11d80","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=California, L=San Francisco, O=Open Whisper Systems, OU=Open Whisper Systems, CN=TextSecure","subjectDN":"C=US, ST=California, O=Open Whisper Systems, OU=Open Whisper Systems, CN=textsecure-service.whispersystems.org","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2","fingerprint":"5E:9E:63:F5:69:45:C7:DC:E6:4D:26:68:36:7E:C2:68:DB:02:60:8B"}}
00842{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":147,"source":"signal.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_last_seen":1569051248547,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":342,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":342,"pkt_l4_len":308,"ts_msec":1569051248547,"pkt":"\/\/\/\/\/\/\/\/2DBiVgAcCABFAAFIKTAAAP8RkXUAAAAA\/\/\/\/\/wBEAEMBNJw9AQEGACG6jqoABAAAAAAAAAAAAAAAAAAAAAAAANgwYlYAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABjglNjNQEBNwoBeQMGD3f8XywuOQIF3D0HAdgwYlYAHDMEAHanAAwKTHVjYXMtaU1hY\/8AAAAAAAAAAAAAAAAA"}
00842{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":148,"source":"signal.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_last_seen":1569051253252,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":342,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":342,"pkt_l4_len":308,"ts_msec":1569051253252,"pkt":"\/\/\/\/\/\/\/\/2DBiVgAcCABFAAFIKTEAAP8RkXQAAAAA\/\/\/\/\/wBEAEMBNJw4AQEGACG6jqoACQAAAAAAAAAAAAAAAAAAAAAAANgwYlYAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABjglNjNQEBNwoBeQMGD3f8XywuOQIF3D0HAdgwYlYAHDMEAHanAAwKTHVjYXMtaU1hY\/8AAAAAAAAAAAAAAAAA"}
00554{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":149,"source":"signal.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":1,"flow_first_seen":1569051255515,"flow_last_seen":1569051255515,"flow_idle_time":7440000,"flow_min_l4_payload_len":46,"flow_max_l4_payload_len":46,"flow_tot_l4_payload_len":46,"flow_avg_l4_payload_len":46,"midstream":1,"ts_msec":1569051255515,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"17.248.146.144","src_port":56996,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -69,7 +69,7 @@
00749{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":179,"source":"signal.pcap","alias":"nDPId-test","flow_id":12,"flow_packets_processed":2,"flow_first_seen":1569051264088,"flow_last_seen":1569051264113,"flow_idle_time":180000,"flow_min_l4_payload_len":55,"flow_max_l4_payload_len":151,"flow_tot_l4_payload_len":206,"flow_avg_l4_payload_len":103,"midstream":0,"ts_msec":1569051264113,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"192.168.2.1","src_port":56263,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Signal","breed":"Fun","category":"Chat"},"dns": {"query":"textsecure-service.whispersystems.org","num_queries":1,"num_answers":6,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"54.175.47.110"}}
00520{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":180,"source":"signal.pcap","alias":"nDPId-test","flow_id":16,"flow_packets_processed":1,"flow_first_seen":1569051264115,"flow_last_seen":1569051264115,"flow_idle_time":120000,"flow_min_l4_payload_len":36,"flow_max_l4_payload_len":36,"flow_tot_l4_payload_len":36,"flow_avg_l4_payload_len":36,"midstream":0,"ts_msec":1569051264115,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"192.168.2.1","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3}
00466{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":180,"source":"signal.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":1,"flow_last_seen":1569051264115,"flow_idle_time":120000,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":70,"pkt_l4_len":36,"ts_msec":1569051264115,"pkt":"xiwDYGpkxGGLNYKpCABFAAA4YPoAAEABlGjAqAIRwKgCAQMDIGEAAAAARQAAs+K7AABAERIcwKgCAcCoAhEANdvHAJ8AAA=="}
-00553{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":180,"source":"signal.pcap","alias":"nDPId-test","flow_id":16,"flow_packets_processed":1,"flow_first_seen":1569051264115,"flow_last_seen":1569051264115,"flow_idle_time":120000,"flow_min_l4_payload_len":36,"flow_max_l4_payload_len":36,"flow_tot_l4_payload_len":36,"flow_avg_l4_payload_len":36,"midstream":0,"ts_msec":1569051264115,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"192.168.2.1","l4_proto":"icmp","ndpi": {"proto":"ICMP","breed":"Acceptable","category":"Network"}}
+00572{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":180,"source":"signal.pcap","alias":"nDPId-test","flow_id":16,"flow_packets_processed":1,"flow_first_seen":1569051264115,"flow_last_seen":1569051264115,"flow_idle_time":120000,"flow_min_l4_payload_len":36,"flow_max_l4_payload_len":36,"flow_tot_l4_payload_len":36,"flow_avg_l4_payload_len":36,"midstream":0,"ts_msec":1569051264115,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"192.168.2.1","l4_proto":"icmp","ndpi": {"proto":"ICMP","breed":"Acceptable","category":"Network"},"entropy":3.664498}
00459{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":181,"source":"signal.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":3,"flow_last_seen":1569051264116,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1569051264116,"pkt":"xiwDYGpkxGGLNYKpCABFAAA0AABAAEAGSMLAqAIRFzkYEN6+AbvH3a+K4DuqGYAQBAvjSwAAAQEICihVknGWTmoX"}
00841{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":182,"source":"signal.pcap","alias":"nDPId-test","flow_id":11,"flow_packets_processed":4,"flow_first_seen":1569051264078,"flow_last_seen":1569051264116,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1569051264116,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"23.57.24.16","src_port":57022,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AppleiTunes","breed":"Fun","category":"Streaming"},"tls": {"version":"TLSv1.2","client_requested_server_name":"itunes.apple.com","ja3":"17305a56a62a10f6b0ee8edcc3b1769c","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
00882{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":184,"source":"signal.pcap","alias":"nDPId-test","flow_id":11,"flow_packets_processed":6,"flow_first_seen":1569051264078,"flow_last_seen":1569051264151,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":1957,"flow_avg_l4_payload_len":326,"midstream":0,"ts_msec":1569051264151,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"23.57.24.16","src_port":57022,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AppleiTunes","breed":"Fun","category":"Streaming"},"tls": {"version":"TLSv1.3","client_requested_server_name":"itunes.apple.com","ja3":"17305a56a62a10f6b0ee8edcc3b1769c","ja3s":"15af977ce25de452b96affa2addb1036","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
@@ -86,20 +86,20 @@
00459{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":202,"source":"signal.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":3,"flow_last_seen":1569051264259,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1569051264259,"pkt":"xiwDYGpkxGGLNYKpCABFAAA0AABAAEAGUTrAqAIRI6kDKN7BAbuYIIuNFdnORoAQBAtBKQAAAQEICihVkvxkFUBN"}
00852{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":203,"source":"signal.pcap","alias":"nDPId-test","flow_id":15,"flow_packets_processed":4,"flow_first_seen":1569051264093,"flow_last_seen":1569051264259,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1569051264259,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"35.169.3.40","src_port":57025,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Signal","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"textsecure-service.whispersystems.org","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
00899{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":228,"source":"signal.pcap","alias":"nDPId-test","flow_id":10,"flow_packets_processed":6,"flow_first_seen":1569051264073,"flow_last_seen":1569051264342,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":1637,"flow_avg_l4_payload_len":272,"midstream":0,"ts_msec":1569051264342,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"35.169.3.40","src_port":49227,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Signal","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"textsecure-service.whispersystems.org","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}
-01287{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":229,"source":"signal.pcap","alias":"nDPId-test","flow_id":10,"flow_packets_processed":7,"flow_first_seen":1569051264073,"flow_last_seen":1569051264343,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":2666,"flow_avg_l4_payload_len":380,"midstream":0,"ts_msec":1569051264343,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"35.169.3.40","src_port":49227,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Signal","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"textsecure-service.whispersystems.org","server_names":"textsecure-service.whispersystems.org,service.signal.org","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=California, L=San Francisco, O=Open Whisper Systems, OU=Open Whisper Systems, CN=TextSecure","issuerDN":"C=US, ST=California, O=Open Whisper Systems, OU=Open Whisper Systems, CN=textsecure-service.whispersystems.org","fingerprint":"5E:9E:63:F5:69:45:C7:DC:E6:4D:26:68:36:7E:C2:68:DB:02:60:8B"}}
+01288{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":229,"source":"signal.pcap","alias":"nDPId-test","flow_id":10,"flow_packets_processed":7,"flow_first_seen":1569051264073,"flow_last_seen":1569051264343,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":2666,"flow_avg_l4_payload_len":380,"midstream":0,"ts_msec":1569051264343,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"35.169.3.40","src_port":49227,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Signal","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"textsecure-service.whispersystems.org","server_names":"textsecure-service.whispersystems.org,service.signal.org","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=California, L=San Francisco, O=Open Whisper Systems, OU=Open Whisper Systems, CN=TextSecure","subjectDN":"C=US, ST=California, O=Open Whisper Systems, OU=Open Whisper Systems, CN=textsecure-service.whispersystems.org","fingerprint":"5E:9E:63:F5:69:45:C7:DC:E6:4D:26:68:36:7E:C2:68:DB:02:60:8B"}}
00908{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":233,"source":"signal.pcap","alias":"nDPId-test","flow_id":13,"flow_packets_processed":6,"flow_first_seen":1569051264090,"flow_last_seen":1569051264369,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":1957,"flow_avg_l4_payload_len":326,"midstream":0,"ts_msec":1569051264369,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"35.169.3.40","src_port":57023,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Signal","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"textsecure-service.whispersystems.org","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"1089ea6f0461a29006cc96dfe7a11d80","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
-01296{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":234,"source":"signal.pcap","alias":"nDPId-test","flow_id":13,"flow_packets_processed":7,"flow_first_seen":1569051264090,"flow_last_seen":1569051264369,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":2995,"flow_avg_l4_payload_len":427,"midstream":0,"ts_msec":1569051264369,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"35.169.3.40","src_port":57023,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Signal","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"textsecure-service.whispersystems.org","server_names":"textsecure-service.whispersystems.org,service.signal.org","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"1089ea6f0461a29006cc96dfe7a11d80","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=California, L=San Francisco, O=Open Whisper Systems, OU=Open Whisper Systems, CN=TextSecure","issuerDN":"C=US, ST=California, O=Open Whisper Systems, OU=Open Whisper Systems, CN=textsecure-service.whispersystems.org","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2","fingerprint":"5E:9E:63:F5:69:45:C7:DC:E6:4D:26:68:36:7E:C2:68:DB:02:60:8B"}}
+01297{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":234,"source":"signal.pcap","alias":"nDPId-test","flow_id":13,"flow_packets_processed":7,"flow_first_seen":1569051264090,"flow_last_seen":1569051264369,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":2995,"flow_avg_l4_payload_len":427,"midstream":0,"ts_msec":1569051264369,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"35.169.3.40","src_port":57023,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Signal","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"textsecure-service.whispersystems.org","server_names":"textsecure-service.whispersystems.org,service.signal.org","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"1089ea6f0461a29006cc96dfe7a11d80","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=California, L=San Francisco, O=Open Whisper Systems, OU=Open Whisper Systems, CN=TextSecure","subjectDN":"C=US, ST=California, O=Open Whisper Systems, OU=Open Whisper Systems, CN=textsecure-service.whispersystems.org","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2","fingerprint":"5E:9E:63:F5:69:45:C7:DC:E6:4D:26:68:36:7E:C2:68:DB:02:60:8B"}}
00908{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":238,"source":"signal.pcap","alias":"nDPId-test","flow_id":15,"flow_packets_processed":6,"flow_first_seen":1569051264093,"flow_last_seen":1569051264373,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":1957,"flow_avg_l4_payload_len":326,"midstream":0,"ts_msec":1569051264373,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"35.169.3.40","src_port":57025,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Signal","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"textsecure-service.whispersystems.org","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"1089ea6f0461a29006cc96dfe7a11d80","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
-01296{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":239,"source":"signal.pcap","alias":"nDPId-test","flow_id":15,"flow_packets_processed":7,"flow_first_seen":1569051264093,"flow_last_seen":1569051264373,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":2995,"flow_avg_l4_payload_len":427,"midstream":0,"ts_msec":1569051264373,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"35.169.3.40","src_port":57025,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Signal","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"textsecure-service.whispersystems.org","server_names":"textsecure-service.whispersystems.org,service.signal.org","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"1089ea6f0461a29006cc96dfe7a11d80","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=California, L=San Francisco, O=Open Whisper Systems, OU=Open Whisper Systems, CN=TextSecure","issuerDN":"C=US, ST=California, O=Open Whisper Systems, OU=Open Whisper Systems, CN=textsecure-service.whispersystems.org","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2","fingerprint":"5E:9E:63:F5:69:45:C7:DC:E6:4D:26:68:36:7E:C2:68:DB:02:60:8B"}}
+01297{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":239,"source":"signal.pcap","alias":"nDPId-test","flow_id":15,"flow_packets_processed":7,"flow_first_seen":1569051264093,"flow_last_seen":1569051264373,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":2995,"flow_avg_l4_payload_len":427,"midstream":0,"ts_msec":1569051264373,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"35.169.3.40","src_port":57025,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Signal","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"textsecure-service.whispersystems.org","server_names":"textsecure-service.whispersystems.org,service.signal.org","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"1089ea6f0461a29006cc96dfe7a11d80","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=California, L=San Francisco, O=Open Whisper Systems, OU=Open Whisper Systems, CN=TextSecure","subjectDN":"C=US, ST=California, O=Open Whisper Systems, OU=Open Whisper Systems, CN=textsecure-service.whispersystems.org","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2","fingerprint":"5E:9E:63:F5:69:45:C7:DC:E6:4D:26:68:36:7E:C2:68:DB:02:60:8B"}}
00908{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":240,"source":"signal.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":6,"flow_first_seen":1569051264091,"flow_last_seen":1569051264373,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":1957,"flow_avg_l4_payload_len":326,"midstream":0,"ts_msec":1569051264373,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"35.169.3.40","src_port":57024,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Signal","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"textsecure-service.whispersystems.org","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"1089ea6f0461a29006cc96dfe7a11d80","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
-01296{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":241,"source":"signal.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":7,"flow_first_seen":1569051264091,"flow_last_seen":1569051264374,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":2995,"flow_avg_l4_payload_len":427,"midstream":0,"ts_msec":1569051264374,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"35.169.3.40","src_port":57024,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Signal","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"textsecure-service.whispersystems.org","server_names":"textsecure-service.whispersystems.org,service.signal.org","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"1089ea6f0461a29006cc96dfe7a11d80","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=California, L=San Francisco, O=Open Whisper Systems, OU=Open Whisper Systems, CN=TextSecure","issuerDN":"C=US, ST=California, O=Open Whisper Systems, OU=Open Whisper Systems, CN=textsecure-service.whispersystems.org","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2","fingerprint":"5E:9E:63:F5:69:45:C7:DC:E6:4D:26:68:36:7E:C2:68:DB:02:60:8B"}}
+01297{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":241,"source":"signal.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":7,"flow_first_seen":1569051264091,"flow_last_seen":1569051264374,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":2995,"flow_avg_l4_payload_len":427,"midstream":0,"ts_msec":1569051264374,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"35.169.3.40","src_port":57024,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Signal","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"textsecure-service.whispersystems.org","server_names":"textsecure-service.whispersystems.org,service.signal.org","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"1089ea6f0461a29006cc96dfe7a11d80","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=California, L=San Francisco, O=Open Whisper Systems, OU=Open Whisper Systems, CN=TextSecure","subjectDN":"C=US, ST=California, O=Open Whisper Systems, OU=Open Whisper Systems, CN=textsecure-service.whispersystems.org","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2","fingerprint":"5E:9E:63:F5:69:45:C7:DC:E6:4D:26:68:36:7E:C2:68:DB:02:60:8B"}}
00548{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":295,"source":"signal.pcap","alias":"nDPId-test","flow_id":17,"flow_packets_processed":1,"flow_first_seen":1569051264666,"flow_last_seen":1569051264666,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1569051264666,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"35.169.3.40","src_port":57026,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00477{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":295,"source":"signal.pcap","alias":"nDPId-test","flow_id":17,"flow_packet_id":1,"flow_last_seen":1569051264666,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"ts_msec":1569051264666,"pkt":"xiwDYGpkxGGLNYKpCABFAABAAABAAEAGUS7AqAIRI6kDKN7CAbvJrSrvAAAAALAC\/\/+7dwAAAgQFtAEDAwcBAQgKKFWUiQAAAAAEAgAA"}
00471{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":319,"source":"signal.pcap","alias":"nDPId-test","flow_id":17,"flow_packet_id":2,"flow_last_seen":1569051264775,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1569051264775,"pkt":"xGGLNYKpxiwDYGpkCABFAAA8AAAAAO4G4zEjqQMowKgCEQG73sL5Zid4ya0q8KASaN+dwQAAAgQFrAQCCApkFUDdKFWUiQEDAwg="}
00459{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":320,"source":"signal.pcap","alias":"nDPId-test","flow_id":17,"flow_packet_id":3,"flow_last_seen":1569051264776,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1569051264776,"pkt":"xiwDYGpkxGGLNYKpCABFAAA0AABAAEAGUTrAqAIRI6kDKN7CAbvJrSrw+WYneYAQBAsw7wAAAQEICihVlPVkFUDd"}
00852{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":321,"source":"signal.pcap","alias":"nDPId-test","flow_id":17,"flow_packets_processed":4,"flow_first_seen":1569051264666,"flow_last_seen":1569051264776,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1569051264776,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"35.169.3.40","src_port":57026,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Signal","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"textsecure-service.whispersystems.org","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
00908{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":323,"source":"signal.pcap","alias":"nDPId-test","flow_id":17,"flow_packets_processed":6,"flow_first_seen":1569051264666,"flow_last_seen":1569051264887,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":1957,"flow_avg_l4_payload_len":326,"midstream":0,"ts_msec":1569051264887,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"35.169.3.40","src_port":57026,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Signal","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"textsecure-service.whispersystems.org","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"1089ea6f0461a29006cc96dfe7a11d80","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
-01296{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":324,"source":"signal.pcap","alias":"nDPId-test","flow_id":17,"flow_packets_processed":7,"flow_first_seen":1569051264666,"flow_last_seen":1569051264887,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":2995,"flow_avg_l4_payload_len":427,"midstream":0,"ts_msec":1569051264887,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"35.169.3.40","src_port":57026,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Signal","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"textsecure-service.whispersystems.org","server_names":"textsecure-service.whispersystems.org,service.signal.org","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"1089ea6f0461a29006cc96dfe7a11d80","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=California, L=San Francisco, O=Open Whisper Systems, OU=Open Whisper Systems, CN=TextSecure","issuerDN":"C=US, ST=California, O=Open Whisper Systems, OU=Open Whisper Systems, CN=textsecure-service.whispersystems.org","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2","fingerprint":"5E:9E:63:F5:69:45:C7:DC:E6:4D:26:68:36:7E:C2:68:DB:02:60:8B"}}
+01297{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":324,"source":"signal.pcap","alias":"nDPId-test","flow_id":17,"flow_packets_processed":7,"flow_first_seen":1569051264666,"flow_last_seen":1569051264887,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":2995,"flow_avg_l4_payload_len":427,"midstream":0,"ts_msec":1569051264887,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"35.169.3.40","src_port":57026,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Signal","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"textsecure-service.whispersystems.org","server_names":"textsecure-service.whispersystems.org,service.signal.org","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"1089ea6f0461a29006cc96dfe7a11d80","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=California, L=San Francisco, O=Open Whisper Systems, OU=Open Whisper Systems, CN=TextSecure","subjectDN":"C=US, ST=California, O=Open Whisper Systems, OU=Open Whisper Systems, CN=textsecure-service.whispersystems.org","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2","fingerprint":"5E:9E:63:F5:69:45:C7:DC:E6:4D:26:68:36:7E:C2:68:DB:02:60:8B"}}
00552{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":357,"source":"signal.pcap","alias":"nDPId-test","flow_id":18,"flow_packets_processed":1,"flow_first_seen":1569051266396,"flow_last_seen":1569051266396,"flow_idle_time":7440000,"flow_min_l4_payload_len":24,"flow_max_l4_payload_len":24,"flow_tot_l4_payload_len":24,"flow_avg_l4_payload_len":24,"midstream":1,"ts_msec":1569051266396,"l3_proto":"ip4","src_ip":"23.57.24.16","dst_ip":"192.168.2.17","src_port":443,"dst_port":57016,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00491{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":357,"source":"signal.pcap","alias":"nDPId-test","flow_id":18,"flow_packet_id":1,"flow_last_seen":1569051266396,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":90,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":90,"pkt_l4_len":56,"ts_msec":1569051266396,"pkt":"xGGLNYKpxiwDYGpkCABFAABMyV0AADQGy0wXORgQwKgCEQG73rjhiC89LB07wYAYAQKY+AAAAQEICpZOcwIoVP9fFwMDABNN53WS+HQ+OdIkNGbGHI++PaTs"}
00459{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":358,"source":"signal.pcap","alias":"nDPId-test","flow_id":18,"flow_packet_id":2,"flow_last_seen":1569051266396,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1569051266396,"pkt":"xGGLNYKpxiwDYGpkCABFAAA0yV4AADQGy2MXORgQwKgCEQG73rjhiC9VLB07wYARAQL5ggAAAQEICpZOcwIoVP9f"}
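Review bot: The removed expectations in this hunk (flows 10, 13, 15, 14 and 17) each carried two `issuerDN` keys inside one `tls` object, and the golden file accepted that, so the result comparison apparently does not reject duplicate keys in an emitted event. Many JSON parsers keep the last occurrence, so a consumer of the old output would likely have stored the certificate subject under `issuerDN`, and any rule or allowlist matching on the issuer would then have been evaluated against the wrong DN. Alongside the `subjectDN` rename, the test run could parse every event with duplicate-key rejection so this class of error fails the suite rather than being recorded as expected output. The commit description should also state that `issuerDN` values recorded from earlier builds may be subject DNs. The same correction appears in the `@@ -110,8 +110,8 @@` hunk for flow 19.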
@@ -110,8 +110,8 @@
00460{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":375,"source":"signal.pcap","alias":"nDPId-test","flow_id":19,"flow_packet_id":3,"flow_last_seen":1569051267161,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1569051267161,"pkt":"xiwDYGpkxGGLNYKpCABFAAA0AABAAEAGbb3AqAIRDSP9Kt7DAbsjR8rtv8CPNIAQBAsybAAAAQEICihVnjqvNN\/R"}
00830{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":376,"source":"signal.pcap","alias":"nDPId-test","flow_id":19,"flow_packets_processed":4,"flow_first_seen":1569051267121,"flow_last_seen":1569051267161,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1569051267161,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"13.35.253.42","src_port":57027,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Signal","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"cdn.signal.org","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
00886{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":378,"source":"signal.pcap","alias":"nDPId-test","flow_id":19,"flow_packets_processed":6,"flow_first_seen":1569051267121,"flow_last_seen":1569051267197,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":1957,"flow_avg_l4_payload_len":326,"midstream":0,"ts_msec":1569051267197,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"13.35.253.42","src_port":57027,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Signal","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"cdn.signal.org","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"c4b2785a87896e19d37eee932070cb22","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}
-01209{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":379,"source":"signal.pcap","alias":"nDPId-test","flow_id":19,"flow_packets_processed":7,"flow_first_seen":1569051267121,"flow_last_seen":1569051267197,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":2900,"flow_avg_l4_payload_len":414,"midstream":0,"ts_msec":1569051267197,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"13.35.253.42","src_port":57027,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Signal","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"cdn.signal.org","server_names":"cdn.signal.org","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"c4b2785a87896e19d37eee932070cb22","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=California, L=San Francisco, O=Open Whisper Systems, OU=Open Whisper Systems, CN=TextSecure","issuerDN":"C=US, ST=California, O=Open Whisper Systems, OU=Open Whisper Systems, CN=cdn.signal.org","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2","fingerprint":"81:3D:8A:2E:EE:B2:E1:F4:1C:2B:6D:20:16:54:B2:C1:87:D0:1E:12"}}
-01213{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":627,"source":"signal.pcap","alias":"nDPId-test","flow_id":19,"flow_packets_processed":255,"flow_first_seen":1569051267121,"flow_last_seen":1569051267505,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":198653,"flow_avg_l4_payload_len":779,"midstream":0,"ts_msec":1569051267505,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"13.35.253.42","src_port":57027,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Signal","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"cdn.signal.org","server_names":"cdn.signal.org","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"c4b2785a87896e19d37eee932070cb22","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=California, L=San Francisco, O=Open Whisper Systems, OU=Open Whisper Systems, CN=TextSecure","issuerDN":"C=US, ST=California, O=Open Whisper Systems, OU=Open Whisper Systems, CN=cdn.signal.org","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2","fingerprint":"81:3D:8A:2E:EE:B2:E1:F4:1C:2B:6D:20:16:54:B2:C1:87:D0:1E:12"}}
+01210{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":379,"source":"signal.pcap","alias":"nDPId-test","flow_id":19,"flow_packets_processed":7,"flow_first_seen":1569051267121,"flow_last_seen":1569051267197,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":2900,"flow_avg_l4_payload_len":414,"midstream":0,"ts_msec":1569051267197,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"13.35.253.42","src_port":57027,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Signal","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"cdn.signal.org","server_names":"cdn.signal.org","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"c4b2785a87896e19d37eee932070cb22","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=California, L=San Francisco, O=Open Whisper Systems, OU=Open Whisper Systems, CN=TextSecure","subjectDN":"C=US, ST=California, O=Open Whisper Systems, OU=Open Whisper Systems, CN=cdn.signal.org","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2","fingerprint":"81:3D:8A:2E:EE:B2:E1:F4:1C:2B:6D:20:16:54:B2:C1:87:D0:1E:12"}}
+01214{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":627,"source":"signal.pcap","alias":"nDPId-test","flow_id":19,"flow_packets_processed":255,"flow_first_seen":1569051267121,"flow_last_seen":1569051267505,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":198653,"flow_avg_l4_payload_len":779,"midstream":0,"ts_msec":1569051267505,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"13.35.253.42","src_port":57027,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Signal","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"cdn.signal.org","server_names":"cdn.signal.org","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"c4b2785a87896e19d37eee932070cb22","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=California, L=San Francisco, O=Open Whisper Systems, OU=Open Whisper Systems, CN=TextSecure","subjectDN":"C=US, ST=California, O=Open Whisper Systems, OU=Open Whisper Systems, CN=cdn.signal.org","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2","fingerprint":"81:3D:8A:2E:EE:B2:E1:F4:1C:2B:6D:20:16:54:B2:C1:87:D0:1E:12"}}
00551{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":637,"source":"signal.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":4,"flow_first_seen":1569051245838,"flow_last_seen":1569051261595,"flow_idle_time":180000,"flow_min_l4_payload_len":300,"flow_max_l4_payload_len":300,"flow_tot_l4_payload_len":1200,"flow_avg_l4_payload_len":300,"midstream":0,"ts_msec":1569051267601,"l3_proto":"ip4","src_ip":"0.0.0.0","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00579{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":637,"source":"signal.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":8,"flow_first_seen":1569051255515,"flow_last_seen":1569051255541,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":46,"flow_tot_l4_payload_len":77,"flow_avg_l4_payload_len":9,"midstream":1,"ts_msec":1569051267601,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"17.248.146.144","src_port":56996,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Apple","breed":"Safe","category":"Web"}}
00552{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":637,"source":"signal.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":8,"flow_first_seen":1569051255515,"flow_last_seen":1569051255541,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":46,"flow_tot_l4_payload_len":77,"flow_avg_l4_payload_len":9,"midstream":1,"ts_msec":1569051267601,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"17.248.146.144","src_port":56996,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -143,10 +143,10 @@
~~ total active/idle flows...: 19/19
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 2189511 bytes
-~~ total memory freed........: 2189511 bytes
-~~ total allocations/frees...: 36139/36139
+~~ total memory allocated....: 4844194 bytes
+~~ total memory freed........: 4844194 bytes
+~~ total allocations/frees...: 100335/100335
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 162 chars
-~~ json string max len.......: 1302 chars
-~~ json string avg len.......: 802 chars
+~~ json string max len.......: 1303 chars
+~~ json string avg len.......: 803 chars
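Review bot: The summary block shows total allocated memory going from 2189511 to 4844194 bytes and the allocation count from 36139 to 100335, and nothing in this hunk explains the jump. The same increase of exactly 64196 allocations (about 2.65 MB) appears in the summary hunks for simple-dnscrypt.pcap.out, sip.pcap.out and skype-conference-call.pcap.out, so it looks like a fixed start-up cost rather than per-flow growth, presumably from the libnDPI submodule update listed in the diffstat. Allocated and freed totals still match in every case, so no leak is indicated. I would record the change in the commit description, e.g. `libnDPI update raises fixed init allocations by 64196 (~2.65 MB) per run`, so a later search for memory growth has a known baseline.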
diff --git a/test/results/simple-dnscrypt.pcap.out b/test/results/simple-dnscrypt.pcap.out
index 58cb3d353..fd25037ad 100644
--- a/test/results/simple-dnscrypt.pcap.out
+++ b/test/results/simple-dnscrypt.pcap.out
@@ -5,7 +5,7 @@
00450{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_last_seen":1491813284666,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1491813284666,"pkt":"uFpz9d6dpDTZFrEGCABFAAAoPRZAAIAGMNvAqCunhncaGMQ5Abvf\/XrkwVvO7FAQAEBxlgAA"}
00792{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":4,"flow_first_seen":1491813284555,"flow_last_seen":1491813284694,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":206,"flow_tot_l4_payload_len":206,"flow_avg_l4_payload_len":51,"midstream":0,"ts_msec":1491813284694,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50233,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"simplednscrypt.org","ja3":"b8f81673c0e1d29908346f3bab892b9b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
00849{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":6,"flow_first_seen":1491813284555,"flow_last_seen":1491813284804,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1310,"flow_tot_l4_payload_len":1516,"flow_avg_l4_payload_len":252,"midstream":0,"ts_msec":1491813284804,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50233,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"simplednscrypt.org","ja3":"b8f81673c0e1d29908346f3bab892b9b","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
-01202{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":11,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":11,"flow_first_seen":1491813284555,"flow_last_seen":1491813284819,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1310,"flow_tot_l4_payload_len":6756,"flow_avg_l4_payload_len":614,"midstream":0,"ts_msec":1491813284819,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50233,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.DNScrypt","breed":"Safe","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"simplednscrypt.org","server_names":"simplednscrypt.org,www.simplednscrypt.org","ja3":"b8f81673c0e1d29908346f3bab892b9b","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA","issuerDN":"OU=Domain Control Validated, OU=PositiveSSL, CN=simplednscrypt.org","alpn":"h2,http\/1.1","fingerprint":"3E:20:0F:BF:AD:D8:5C:A1:A1:1B:E5:B2:A7:D4:68:E2:6A:DB:01:41"}}
+01203{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":11,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":11,"flow_first_seen":1491813284555,"flow_last_seen":1491813284819,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1310,"flow_tot_l4_payload_len":6756,"flow_avg_l4_payload_len":614,"midstream":0,"ts_msec":1491813284819,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50233,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.DNScrypt","breed":"Safe","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"simplednscrypt.org","server_names":"simplednscrypt.org,www.simplednscrypt.org","ja3":"b8f81673c0e1d29908346f3bab892b9b","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA","subjectDN":"OU=Domain Control Validated, OU=PositiveSSL, CN=simplednscrypt.org","alpn":"h2,http\/1.1","fingerprint":"3E:20:0F:BF:AD:D8:5C:A1:A1:1B:E5:B2:A7:D4:68:E2:6A:DB:01:41"}}
00559{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":40,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":1,"flow_first_seen":1491813286275,"flow_last_seen":1491813286275,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1491813286275,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50253,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00466{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":40,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_last_seen":1491813286275,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1491813286275,"pkt":"uFpz9d6dpDTZFrEGCABFAAA0PSdAAIAGML7AqCunhncaGMRNAbtYb9jbAAAAAIACIADK3QAAAgQFtAEDAwgBAQQC"}
00559{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":41,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":1,"flow_first_seen":1491813286392,"flow_last_seen":1491813286392,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1491813286392,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50258,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -14,19 +14,19 @@
00466{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":42,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":1,"flow_last_seen":1491813286393,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1491813286393,"pkt":"uFpz9d6dpDTZFrEGCABFAAA0PSlAAIAGMLzAqCunhncaGMRTAbtepcAHAAAAAIACIADddQAAAgQFtAEDAwgBAQQC"}
00468{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":43,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_last_seen":1491813286463,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1491813286463,"pkt":"pDTZFrEGuFpz9d6dCABFAAA0AABAADMGuuWGdxoYwKgrpwG7xE3jDV\/XWG\/Y3IASchA2bgAAAgQFHgEBBAIBAwMH"}
00450{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":44,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_last_seen":1491813286463,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1491813286463,"pkt":"uFpz9d6dpDTZFrEGCABFAAAoPSpAAIAGMMfAqCunhncaGMRNAbtYb9jc4w1f2FAQAEDoegAA"}
-00793{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":45,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":4,"flow_first_seen":1491813286275,"flow_last_seen":1491813286464,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":210,"flow_tot_l4_payload_len":210,"flow_avg_l4_payload_len":52,"midstream":0,"ts_msec":1491813286464,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50253,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"simplednscrypt.org","ja3":"83e04bc58d402f9633983cbf22724b02","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
+00806{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":45,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":4,"flow_first_seen":1491813286275,"flow_last_seen":1491813286464,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":210,"flow_tot_l4_payload_len":210,"flow_avg_l4_payload_len":52,"midstream":0,"ts_msec":1491813286464,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50253,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.DNScrypt","breed":"Safe","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"simplednscrypt.org","ja3":"83e04bc58d402f9633983cbf22724b02","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
00466{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":46,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_last_seen":1491813286470,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1491813286470,"pkt":"pDTZFrEGuFpz9d6dCABFAAA0AABAADUGuOWGdxoYwKgrpwG7xFOF+CiKXqXACIASchDdaAAAAgQFHgEBBAIBAwMH"}
00450{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":47,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_last_seen":1491813286470,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1491813286470,"pkt":"uFpz9d6dpDTZFrEGCABFAAAoPSxAAIAGMMXAqCunhncaGMRTAbtepcAIhfgoi1AQAECPdQAA"}
-00793{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":48,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":4,"flow_first_seen":1491813286393,"flow_last_seen":1491813286470,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":210,"flow_tot_l4_payload_len":210,"flow_avg_l4_payload_len":52,"midstream":0,"ts_msec":1491813286470,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50259,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"simplednscrypt.org","ja3":"83e04bc58d402f9633983cbf22724b02","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
+00806{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":48,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":4,"flow_first_seen":1491813286393,"flow_last_seen":1491813286470,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":210,"flow_tot_l4_payload_len":210,"flow_avg_l4_payload_len":52,"midstream":0,"ts_msec":1491813286470,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50259,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.DNScrypt","breed":"Safe","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"simplednscrypt.org","ja3":"83e04bc58d402f9633983cbf22724b02","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
00466{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":49,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_last_seen":1491813286489,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1491813286489,"pkt":"pDTZFrEGuFpz9d6dCABFAAA0AABAADMGuuWGdxoYwKgrpwG7xFKVdKj9XuwOhIASchD+twAAAgQFHgEBBAIBAwMH"}
00451{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":50,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_last_seen":1491813286489,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1491813286489,"pkt":"uFpz9d6dpDTZFrEGCABFAAAoPS5AAIAGMMPAqCunhncaGMRSAbte7A6ElXSo\/lAQAECwxAAA"}
-00793{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":51,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":4,"flow_first_seen":1491813286392,"flow_last_seen":1491813286491,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":210,"flow_tot_l4_payload_len":210,"flow_avg_l4_payload_len":52,"midstream":0,"ts_msec":1491813286491,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50258,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"simplednscrypt.org","ja3":"83e04bc58d402f9633983cbf22724b02","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
-00850{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":53,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":6,"flow_first_seen":1491813286393,"flow_last_seen":1491813286573,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1310,"flow_tot_l4_payload_len":1520,"flow_avg_l4_payload_len":253,"midstream":0,"ts_msec":1491813286573,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50259,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"simplednscrypt.org","ja3":"83e04bc58d402f9633983cbf22724b02","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
-01202{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":59,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":12,"flow_first_seen":1491813286393,"flow_last_seen":1491813286577,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1310,"flow_tot_l4_payload_len":6760,"flow_avg_l4_payload_len":563,"midstream":0,"ts_msec":1491813286577,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50259,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.DNScrypt","breed":"Safe","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"simplednscrypt.org","server_names":"simplednscrypt.org,www.simplednscrypt.org","ja3":"83e04bc58d402f9633983cbf22724b02","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA","issuerDN":"OU=Domain Control Validated, OU=PositiveSSL, CN=simplednscrypt.org","alpn":"h2,http\/1.1","fingerprint":"3E:20:0F:BF:AD:D8:5C:A1:A1:1B:E5:B2:A7:D4:68:E2:6A:DB:01:41"}}
-00850{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":67,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":6,"flow_first_seen":1491813286275,"flow_last_seen":1491813286586,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1310,"flow_tot_l4_payload_len":1520,"flow_avg_l4_payload_len":253,"midstream":0,"ts_msec":1491813286586,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50253,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"simplednscrypt.org","ja3":"83e04bc58d402f9633983cbf22724b02","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
-01202{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":76,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":12,"flow_first_seen":1491813286275,"flow_last_seen":1491813286594,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1310,"flow_tot_l4_payload_len":6760,"flow_avg_l4_payload_len":563,"midstream":0,"ts_msec":1491813286594,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50253,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.DNScrypt","breed":"Safe","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"simplednscrypt.org","server_names":"simplednscrypt.org,www.simplednscrypt.org","ja3":"83e04bc58d402f9633983cbf22724b02","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA","issuerDN":"OU=Domain Control Validated, OU=PositiveSSL, CN=simplednscrypt.org","alpn":"h2,http\/1.1","fingerprint":"3E:20:0F:BF:AD:D8:5C:A1:A1:1B:E5:B2:A7:D4:68:E2:6A:DB:01:41"}}
-00850{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":81,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":6,"flow_first_seen":1491813286392,"flow_last_seen":1491813286609,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1310,"flow_tot_l4_payload_len":1520,"flow_avg_l4_payload_len":253,"midstream":0,"ts_msec":1491813286609,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50258,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"simplednscrypt.org","ja3":"83e04bc58d402f9633983cbf22724b02","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
-01202{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":87,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":12,"flow_first_seen":1491813286392,"flow_last_seen":1491813286612,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1310,"flow_tot_l4_payload_len":6760,"flow_avg_l4_payload_len":563,"midstream":0,"ts_msec":1491813286612,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50258,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.DNScrypt","breed":"Safe","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"simplednscrypt.org","server_names":"simplednscrypt.org,www.simplednscrypt.org","ja3":"83e04bc58d402f9633983cbf22724b02","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA","issuerDN":"OU=Domain Control Validated, OU=PositiveSSL, CN=simplednscrypt.org","alpn":"h2,http\/1.1","fingerprint":"3E:20:0F:BF:AD:D8:5C:A1:A1:1B:E5:B2:A7:D4:68:E2:6A:DB:01:41"}}
+00806{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":51,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":4,"flow_first_seen":1491813286392,"flow_last_seen":1491813286491,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":210,"flow_tot_l4_payload_len":210,"flow_avg_l4_payload_len":52,"midstream":0,"ts_msec":1491813286491,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50258,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.DNScrypt","breed":"Safe","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"simplednscrypt.org","ja3":"83e04bc58d402f9633983cbf22724b02","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
+00863{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":53,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":6,"flow_first_seen":1491813286393,"flow_last_seen":1491813286573,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1310,"flow_tot_l4_payload_len":1520,"flow_avg_l4_payload_len":253,"midstream":0,"ts_msec":1491813286573,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50259,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.DNScrypt","breed":"Safe","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"simplednscrypt.org","ja3":"83e04bc58d402f9633983cbf22724b02","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
+01203{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":59,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":12,"flow_first_seen":1491813286393,"flow_last_seen":1491813286577,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1310,"flow_tot_l4_payload_len":6760,"flow_avg_l4_payload_len":563,"midstream":0,"ts_msec":1491813286577,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50259,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.DNScrypt","breed":"Safe","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"simplednscrypt.org","server_names":"simplednscrypt.org,www.simplednscrypt.org","ja3":"83e04bc58d402f9633983cbf22724b02","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA","subjectDN":"OU=Domain Control Validated, OU=PositiveSSL, CN=simplednscrypt.org","alpn":"h2,http\/1.1","fingerprint":"3E:20:0F:BF:AD:D8:5C:A1:A1:1B:E5:B2:A7:D4:68:E2:6A:DB:01:41"}}
+00863{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":67,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":6,"flow_first_seen":1491813286275,"flow_last_seen":1491813286586,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1310,"flow_tot_l4_payload_len":1520,"flow_avg_l4_payload_len":253,"midstream":0,"ts_msec":1491813286586,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50253,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.DNScrypt","breed":"Safe","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"simplednscrypt.org","ja3":"83e04bc58d402f9633983cbf22724b02","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
+01203{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":76,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":12,"flow_first_seen":1491813286275,"flow_last_seen":1491813286594,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1310,"flow_tot_l4_payload_len":6760,"flow_avg_l4_payload_len":563,"midstream":0,"ts_msec":1491813286594,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50253,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.DNScrypt","breed":"Safe","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"simplednscrypt.org","server_names":"simplednscrypt.org,www.simplednscrypt.org","ja3":"83e04bc58d402f9633983cbf22724b02","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA","subjectDN":"OU=Domain Control Validated, OU=PositiveSSL, CN=simplednscrypt.org","alpn":"h2,http\/1.1","fingerprint":"3E:20:0F:BF:AD:D8:5C:A1:A1:1B:E5:B2:A7:D4:68:E2:6A:DB:01:41"}}
+00863{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":81,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":6,"flow_first_seen":1491813286392,"flow_last_seen":1491813286609,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1310,"flow_tot_l4_payload_len":1520,"flow_avg_l4_payload_len":253,"midstream":0,"ts_msec":1491813286609,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50258,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.DNScrypt","breed":"Safe","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"simplednscrypt.org","ja3":"83e04bc58d402f9633983cbf22724b02","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
+01203{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":87,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":12,"flow_first_seen":1491813286392,"flow_last_seen":1491813286612,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1310,"flow_tot_l4_payload_len":6760,"flow_avg_l4_payload_len":563,"midstream":0,"ts_msec":1491813286612,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50258,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.DNScrypt","breed":"Safe","category":"Network"},"tls": {"version":"TLSv1.2","client_requested_server_name":"simplednscrypt.org","server_names":"simplednscrypt.org,www.simplednscrypt.org","ja3":"83e04bc58d402f9633983cbf22724b02","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA","subjectDN":"OU=Domain Control Validated, OU=PositiveSSL, CN=simplednscrypt.org","alpn":"h2,http\/1.1","fingerprint":"3E:20:0F:BF:AD:D8:5C:A1:A1:1B:E5:B2:A7:D4:68:E2:6A:DB:01:41"}}
00571{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":111,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":39,"flow_first_seen":1491813284555,"flow_last_seen":1491813285262,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1310,"flow_tot_l4_payload_len":14238,"flow_avg_l4_payload_len":365,"midstream":0,"ts_msec":1491813286913,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50233,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00570{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":111,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":18,"flow_first_seen":1491813286275,"flow_last_seen":1491813286718,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1310,"flow_tot_l4_payload_len":7519,"flow_avg_l4_payload_len":417,"midstream":0,"ts_msec":1491813286913,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50253,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00570{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":111,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":18,"flow_first_seen":1491813286392,"flow_last_seen":1491813286753,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1310,"flow_tot_l4_payload_len":7519,"flow_avg_l4_payload_len":417,"midstream":0,"ts_msec":1491813286913,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50258,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
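Review bot: Flows 2, 3 and 4 now get `TLS.DNScrypt` / `Network` already in their `detected` record, while flow 1's `detected` record in the previous hunk of this file still says `TLS` / `Web` for the same server name and the same destination address and port. Those three records carry `"ja3s":""` and `"cipher":"TLS_NULL_WITH_NULL_NULL"`, so the label is set before any ServerHello or certificate field has been seen; it presumably comes from state learned on flow 1, which would make the expected output depend on flow order and on all flows sharing one worker thread. If that is intended, say so in the commit description, for example `later flows to a known DNScrypt endpoint are classified at the ClientHello from cached state`; consumers of these events should also not read the placeholder cipher in the early records as a negotiated NULL cipher.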
@@ -40,10 +40,10 @@
~~ total active/idle flows...: 4/4
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 2025639 bytes
-~~ total memory freed........: 2025639 bytes
-~~ total allocations/frees...: 35500/35500
+~~ total memory allocated....: 4686682 bytes
+~~ total memory freed........: 4686682 bytes
+~~ total allocations/frees...: 99696/99696
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 170 chars
-~~ json string max len.......: 1207 chars
-~~ json string avg len.......: 758 chars
+~~ json string max len.......: 1208 chars
+~~ json string avg len.......: 759 chars
diff --git a/test/results/sip.pcap.out b/test/results/sip.pcap.out
index b60299a45..65673ce19 100644
--- a/test/results/sip.pcap.out
+++ b/test/results/sip.pcap.out
@@ -51,9 +51,9 @@
~~ total active/idle flows...: 5/5
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1937836 bytes
-~~ total memory freed........: 1937836 bytes
-~~ total allocations/frees...: 35462/35462
+~~ total memory allocated....: 4598455 bytes
+~~ total memory freed........: 4598455 bytes
+~~ total allocations/frees...: 99658/99658
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 158 chars
~~ json string max len.......: 1525 chars
diff --git a/test/results/skype-conference-call.pcap.out b/test/results/skype-conference-call.pcap.out
index be5427c4d..67985bfec 100644
--- a/test/results/skype-conference-call.pcap.out
+++ b/test/results/skype-conference-call.pcap.out
@@ -14,9 +14,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1942132 bytes
-~~ total memory freed........: 1942132 bytes
-~~ total allocations/frees...: 35540/35540
+~~ total memory allocated....: 4604447 bytes
+~~ total memory freed........: 4604447 bytes
+~~ total allocations/frees...: 99736/99736
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 175 chars
~~ json string max len.......: 672 chars
diff --git a/test/results/skype.pcap.out b/test/results/skype.pcap.out
index 5279c3168..42190710a 100644
--- a/test/results/skype.pcap.out
+++ b/test/results/skype.pcap.out
@@ -53,7 +53,7 @@
00465{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":29,"source":"skype.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":2,"flow_last_seen":1431969642519,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":70,"pkt_l4_len":36,"ts_msec":1431969642519,"pkt":"PBXCt3IO0NQSxnP1CABFAAA4WGRAAHYGzoWdOH7TwKgBIgG7w2wloWLk7P6B7ZASIACkPAAAAgQFrAQCCAoZLBplPiKLpg=="}
00462{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":30,"source":"skype.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":3,"flow_last_seen":1431969642519,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1431969642519,"pkt":"0NQSxnP1PBXCt3IOCABFAAA00kpAAEAGiqPAqAEinTh+08NsAbvs\/oHtJaFi5YAQ\/\/\/eqAAAAQEICj4ii\/AZLBpl"}
00798{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":31,"source":"skype.pcap","alias":"nDPId-test","flow_id":15,"flow_packets_processed":4,"flow_first_seen":1431969642444,"flow_last_seen":1431969642548,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":94,"flow_tot_l4_payload_len":94,"flow_avg_l4_payload_len":23,"midstream":0,"ts_msec":1431969642548,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"157.56.126.211","src_port":50028,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"06207a1730b5deeb207b0556e102ded2","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
-01267{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":41,"source":"skype.pcap","alias":"nDPId-test","flow_id":15,"flow_packets_processed":9,"flow_first_seen":1431969642444,"flow_last_seen":1431969642708,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":3792,"flow_avg_l4_payload_len":421,"midstream":0,"ts_msec":1431969642708,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"157.56.126.211","src_port":50028,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Skype_Teams","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.gateway.messenger.live.com,*.beta.gateway.edge.messenger.live.com,*.by2.gateway.edge.messenger.live.com,*.sn1.gateway.edge.messenger.live.com","ja3":"06207a1730b5deeb207b0556e102ded2","ja3s":"5e4e5596180ebd0ac0317125ee490707","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT SSL SHA2","issuerDN":"CN=*.gateway.messenger.live.com","fingerprint":"95:C4:07:41:85:D4:EF:AA:D9:1F:0F:1F:3C:08:BF:8E:8B:D0:90:51"}}
+01268{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":41,"source":"skype.pcap","alias":"nDPId-test","flow_id":15,"flow_packets_processed":9,"flow_first_seen":1431969642444,"flow_last_seen":1431969642708,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":3792,"flow_avg_l4_payload_len":421,"midstream":0,"ts_msec":1431969642708,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"157.56.126.211","src_port":50028,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Skype_Teams","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.gateway.messenger.live.com,*.beta.gateway.edge.messenger.live.com,*.by2.gateway.edge.messenger.live.com,*.sn1.gateway.edge.messenger.live.com","ja3":"06207a1730b5deeb207b0556e102ded2","ja3s":"5e4e5596180ebd0ac0317125ee490707","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT SSL SHA2","subjectDN":"CN=*.gateway.messenger.live.com","fingerprint":"95:C4:07:41:85:D4:EF:AA:D9:1F:0F:1F:3C:08:BF:8E:8B:D0:90:51"}}
00548{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":45,"source":"skype.pcap","alias":"nDPId-test","flow_id":16,"flow_packets_processed":1,"flow_first_seen":1431969642969,"flow_last_seen":1431969642969,"flow_idle_time":180000,"flow_min_l4_payload_len":30,"flow_max_l4_payload_len":30,"flow_tot_l4_payload_len":30,"flow_avg_l4_payload_len":30,"midstream":0,"ts_msec":1431969642969,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"192.168.1.1","src_port":49903,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00464{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":45,"source":"skype.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":1,"flow_last_seen":1431969642969,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":72,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":72,"pkt_l4_len":38,"ts_msec":1431969642969,"pkt":"0NQSxnP1PBXCt3IOCABFAAA6a7MAAEARi4zAqAEiwKgBAcLvADUAJlJY1+QBAAABAAAAAAAAAnVpBXNreXBlA2NvbQAAAQAB"}
00717{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":45,"source":"skype.pcap","alias":"nDPId-test","flow_id":16,"flow_packets_processed":1,"flow_first_seen":1431969642969,"flow_last_seen":1431969642969,"flow_idle_time":180000,"flow_min_l4_payload_len":30,"flow_max_l4_payload_len":30,"flow_tot_l4_payload_len":30,"flow_avg_l4_payload_len":30,"midstream":0,"ts_msec":1431969642969,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"192.168.1.1","src_port":49903,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Skype_Teams","breed":"Acceptable","category":"VoIP"},"dns": {"query":"ui.skype.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
@@ -809,7 +809,7 @@
00443{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1620,"source":"skype.pcap","alias":"nDPId-test","flow_id":230,"flow_packet_id":1,"flow_last_seen":1431969712913,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1431969712913,"pkt":"0NQSxnP1PBXCt3IOCABFAAAoiaEAAEARbbDAqAEiwKgBAdMzFOcAFCBsAAEAADLdMt0AAA4Q"}
00521{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1621,"source":"skype.pcap","alias":"nDPId-test","flow_id":231,"flow_packets_processed":1,"flow_first_seen":1431969712918,"flow_last_seen":1431969712918,"flow_idle_time":120000,"flow_min_l4_payload_len":48,"flow_max_l4_payload_len":48,"flow_tot_l4_payload_len":48,"flow_avg_l4_payload_len":48,"midstream":0,"ts_msec":1431969712918,"l3_proto":"ip4","src_ip":"192.168.1.1","dst_ip":"192.168.1.34","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3}
00483{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1621,"source":"skype.pcap","alias":"nDPId-test","flow_id":231,"flow_packet_id":1,"flow_last_seen":1431969712918,"flow_idle_time":120000,"pkt_oversize":false,"pkt_caplen":82,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":82,"pkt_l4_len":48,"ts_msec":1431969712918,"pkt":"PBXCt3IO0NQSxnP1CABFwABEBYEAAEAB8QTAqAEBwKgBIgMDgJYAAAAARQAAKImhAABAEW2wwKgBIsCoAQHTMxTnABQgbAABAAAy3TLdAAAOEA=="}
-00554{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1621,"source":"skype.pcap","alias":"nDPId-test","flow_id":231,"flow_packets_processed":1,"flow_first_seen":1431969712918,"flow_last_seen":1431969712918,"flow_idle_time":120000,"flow_min_l4_payload_len":48,"flow_max_l4_payload_len":48,"flow_tot_l4_payload_len":48,"flow_avg_l4_payload_len":48,"midstream":0,"ts_msec":1431969712918,"l3_proto":"ip4","src_ip":"192.168.1.1","dst_ip":"192.168.1.34","l4_proto":"icmp","ndpi": {"proto":"ICMP","breed":"Acceptable","category":"Network"}}
+00573{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1621,"source":"skype.pcap","alias":"nDPId-test","flow_id":231,"flow_packets_processed":1,"flow_first_seen":1431969712918,"flow_last_seen":1431969712918,"flow_idle_time":120000,"flow_min_l4_payload_len":48,"flow_max_l4_payload_len":48,"flow_tot_l4_payload_len":48,"flow_avg_l4_payload_len":48,"midstream":0,"ts_msec":1431969712918,"l3_proto":"ip4","src_ip":"192.168.1.1","dst_ip":"192.168.1.34","l4_proto":"icmp","ndpi": {"proto":"ICMP","breed":"Acceptable","category":"Network"},"entropy":4.041447}
00554{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1623,"source":"skype.pcap","alias":"nDPId-test","flow_id":232,"flow_packets_processed":1,"flow_first_seen":1431969712931,"flow_last_seen":1431969712931,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1431969712931,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"91.190.216.125","src_port":50109,"dst_port":12350,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00478{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1623,"source":"skype.pcap","alias":"nDPId-test","flow_id":232,"flow_packet_id":1,"flow_last_seen":1431969712931,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"ts_msec":1431969712931,"pkt":"0NQSxnP1PBXCt3IOCABFAABAK1RAAEAGGV7AqAEiW77YfcO9MD57jsMsAAAAALAC\/\/8yeAAAAgQFtAEDAwUBAQgKPiOdpAAAAAAEAgAA"}
00461{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1624,"source":"skype.pcap","alias":"nDPId-test","flow_id":232,"flow_packet_id":2,"flow_last_seen":1431969712980,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1431969712980,"pkt":"PBXCt3IO0NQSxnP1CABFCAA0xLRAAPUGywBbvth9wKgBIjA+w71YjgIOe47DLYASH\/7LvwAAAgQFoAEDAwQBAQQC"}
@@ -1082,7 +1082,7 @@
00600{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":2700,"source":"skype.pcap","alias":"nDPId-test","flow_id":227,"flow_packets_processed":255,"flow_first_seen":1431969710853,"flow_last_seen":1431969756218,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":79866,"flow_avg_l4_payload_len":313,"midstream":0,"ts_msec":1431969756218,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"157.56.52.28","src_port":50108,"dst_port":40009,"l4_proto":"tcp","ndpi": {"proto":"Skype_Teams","breed":"Acceptable","category":"VoIP"}}
00552{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2761,"source":"skype.pcap","alias":"nDPId-test","flow_id":279,"flow_packets_processed":1,"flow_first_seen":1431969759543,"flow_last_seen":1431969759543,"flow_idle_time":180000,"flow_min_l4_payload_len":48,"flow_max_l4_payload_len":48,"flow_tot_l4_payload_len":48,"flow_avg_l4_payload_len":48,"midstream":0,"ts_msec":1431969759543,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"17.253.48.245","src_port":123,"dst_port":123,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00494{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2761,"source":"skype.pcap","alias":"nDPId-test","flow_id":279,"flow_packet_id":1,"flow_last_seen":1431969759543,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":90,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":90,"pkt_l4_len":56,"ts_msec":1431969759543,"pkt":"0NQSxnP1PBXCt3IOCABFwABMl\/4AAEAR3SbAqAEiEf0w9QB7AHsAOFSa4wIG7AAAChwAAPSnEf0w9dkEndkb+ycx2QSd2Rb0\/7nZBJ3ZG\/snMdkEnl+LA3WC"}
-00583{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":2761,"source":"skype.pcap","alias":"nDPId-test","flow_id":279,"flow_packets_processed":1,"flow_first_seen":1431969759543,"flow_last_seen":1431969759543,"flow_idle_time":180000,"flow_min_l4_payload_len":48,"flow_max_l4_payload_len":48,"flow_tot_l4_payload_len":48,"flow_avg_l4_payload_len":48,"midstream":0,"ts_msec":1431969759543,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"17.253.48.245","src_port":123,"dst_port":123,"l4_proto":"udp","ndpi": {"proto":"NTP.Apple","breed":"Safe","category":"System"}}
+00621{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":2761,"source":"skype.pcap","alias":"nDPId-test","flow_id":279,"flow_packets_processed":1,"flow_first_seen":1431969759543,"flow_last_seen":1431969759543,"flow_idle_time":180000,"flow_min_l4_payload_len":48,"flow_max_l4_payload_len":48,"flow_tot_l4_payload_len":48,"flow_avg_l4_payload_len":48,"midstream":0,"ts_msec":1431969759543,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"17.253.48.245","src_port":123,"dst_port":123,"l4_proto":"udp","ndpi": {"proto":"NTP.Apple","breed":"Safe","category":"System"},"ntp": {"request_code":0,"version":0}}
00492{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2763,"source":"skype.pcap","alias":"nDPId-test","flow_id":279,"flow_packet_id":2,"flow_last_seen":1431969759588,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":90,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":90,"pkt_l4_len":56,"ts_msec":1431969759588,"pkt":"PBXCt3IO0NQSxnP1CABFAABMAABAADgRPeUR\/TD1wKgBIgB7AHsAOA1EJAEG7AAAAAAAAAAMR1BTc9kEnl2e8n962QSeX4sDdYLZBJ5fkbdSxdkEnl+RubQR"}
00557{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":2792,"source":"skype.pcap","alias":"nDPId-test","flow_id":78,"flow_packets_processed":1,"flow_first_seen":1431969661414,"flow_last_seen":1431969661414,"flow_idle_time":180000,"flow_min_l4_payload_len":35,"flow_max_l4_payload_len":35,"flow_tot_l4_payload_len":35,"flow_avg_l4_payload_len":35,"midstream":0,"ts_msec":1431969761262,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"157.56.52.17","src_port":13021,"dst_port":40013,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00558{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":2792,"source":"skype.pcap","alias":"nDPId-test","flow_id":108,"flow_packets_processed":1,"flow_first_seen":1431969666429,"flow_last_seen":1431969666429,"flow_idle_time":180000,"flow_min_l4_payload_len":32,"flow_max_l4_payload_len":32,"flow_tot_l4_payload_len":32,"flow_avg_l4_payload_len":32,"midstream":0,"ts_msec":1431969761262,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"157.56.52.26","src_port":13021,"dst_port":40026,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
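Review bot: The new expected `detected` event for packet_id 2761 (flow 279) pins `"ntp": {"request_code":0,"version":0}`, which does not match the packet it describes. In the packet-flow context line for that same packet, the base64 `pkt` value decodes to 0xe3 as the first NTP payload byte (offset 42), which is version 4, mode 3. The golden file therefore locks in a version that looks wrong, presumably because the field is serialized before the dissector has filled it or is read from a member set only for some NTP versions; this is an inference, since the serializer in nDPId.c is outside this hunk. Consider fixing the source of the value and regenerating the results, or leaving the `ntp` object out when no version was parsed, so that consumers filtering or alerting on NTP version do not receive a constant 0.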
@@ -1640,9 +1640,9 @@
~~ total active/idle flows...: 293/293
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 2825447 bytes
-~~ total memory freed........: 2825447 bytes
-~~ total allocations/frees...: 39433/39433
+~~ total memory allocated....: 5363954 bytes
+~~ total memory freed........: 5363954 bytes
+~~ total allocations/frees...: 103629/103629
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 163 chars
~~ json string max len.......: 1766 chars
diff --git a/test/results/skype_no_unknown.pcap.out b/test/results/skype_no_unknown.pcap.out
index cab4f939a..6161150d0 100644
--- a/test/results/skype_no_unknown.pcap.out
+++ b/test/results/skype_no_unknown.pcap.out
@@ -49,7 +49,7 @@
00809{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":21,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":13,"flow_packets_processed":4,"flow_first_seen":1431970634729,"flow_last_seen":1431970634832,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":94,"flow_tot_l4_payload_len":94,"flow_avg_l4_payload_len":23,"midstream":0,"ts_msec":1431970634832,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"157.56.126.211","src_port":51230,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"06207a1730b5deeb207b0556e102ded2","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
00480{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":25,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":10,"flow_packet_id":2,"flow_last_seen":1431970634933,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1431970634933,"pkt":"PBXCt3IO0NQSxnP1CABFAAA8AABAADMGtJ2dODQcwKgBIpxJyB3uE3m5CtkEWaASOJCk1gAAAgQFrAQCCApMX+pXPjGHIQEDAwk="}
00468{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":26,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":10,"flow_packet_id":3,"flow_last_seen":1431970634934,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1431970634934,"pkt":"0NQSxnP1PBXCt3IOCABFAAA0Qp9AAEAGZQbAqAEinTg0HMgdnEkK2QRZ7hN5uoAQECz7NQAAAQEICj4xh+xMX+pX"}
-01278{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":29,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":13,"flow_packets_processed":9,"flow_first_seen":1431970634729,"flow_last_seen":1431970634990,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":3792,"flow_avg_l4_payload_len":421,"midstream":0,"ts_msec":1431970634990,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"157.56.126.211","src_port":51230,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Skype_Teams","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.gateway.messenger.live.com,*.beta.gateway.edge.messenger.live.com,*.by2.gateway.edge.messenger.live.com,*.sn1.gateway.edge.messenger.live.com","ja3":"06207a1730b5deeb207b0556e102ded2","ja3s":"5e4e5596180ebd0ac0317125ee490707","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT SSL SHA2","issuerDN":"CN=*.gateway.messenger.live.com","fingerprint":"95:C4:07:41:85:D4:EF:AA:D9:1F:0F:1F:3C:08:BF:8E:8B:D0:90:51"}}
+01279{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":29,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":13,"flow_packets_processed":9,"flow_first_seen":1431970634729,"flow_last_seen":1431970634990,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":3792,"flow_avg_l4_payload_len":421,"midstream":0,"ts_msec":1431970634990,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"157.56.126.211","src_port":51230,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Skype_Teams","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.gateway.messenger.live.com,*.beta.gateway.edge.messenger.live.com,*.by2.gateway.edge.messenger.live.com,*.sn1.gateway.edge.messenger.live.com","ja3":"06207a1730b5deeb207b0556e102ded2","ja3s":"5e4e5596180ebd0ac0317125ee490707","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT SSL SHA2","subjectDN":"CN=*.gateway.messenger.live.com","fingerprint":"95:C4:07:41:85:D4:EF:AA:D9:1F:0F:1F:3C:08:BF:8E:8B:D0:90:51"}}
00559{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":38,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":16,"flow_packets_processed":1,"flow_first_seen":1431970635325,"flow_last_seen":1431970635325,"flow_idle_time":180000,"flow_min_l4_payload_len":30,"flow_max_l4_payload_len":30,"flow_tot_l4_payload_len":30,"flow_avg_l4_payload_len":30,"midstream":0,"ts_msec":1431970635325,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"192.168.1.1","src_port":63514,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00475{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":38,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":1,"flow_last_seen":1431970635325,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":72,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":72,"pkt_l4_len":38,"ts_msec":1431970635325,"pkt":"0NQSxnP1PBXCt3IOCABFAAA657QAAEARD4vAqAEiwKgBAfgaADUAJptGWcsBAAABAAAAAAAAAnVpBXNreXBlA2NvbQAAAQAB"}
00728{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":38,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":16,"flow_packets_processed":1,"flow_first_seen":1431970635325,"flow_last_seen":1431970635325,"flow_idle_time":180000,"flow_min_l4_payload_len":30,"flow_max_l4_payload_len":30,"flow_tot_l4_payload_len":30,"flow_avg_l4_payload_len":30,"midstream":0,"ts_msec":1431970635325,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"192.168.1.1","src_port":63514,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Skype_Teams","breed":"Acceptable","category":"VoIP"},"dns": {"query":"ui.skype.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
@@ -782,7 +782,7 @@
00454{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1320,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":225,"flow_packet_id":1,"flow_last_seen":1431970685835,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1431970685835,"pkt":"0NQSxnP1PBXCt3IOCABFAAAo7Q4AAEARCkPAqAEiwKgBAeasFOcAFAzzAAEAADLdMt0AAA4Q"}
00532{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1321,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":226,"flow_packets_processed":1,"flow_first_seen":1431970685839,"flow_last_seen":1431970685839,"flow_idle_time":120000,"flow_min_l4_payload_len":48,"flow_max_l4_payload_len":48,"flow_tot_l4_payload_len":48,"flow_avg_l4_payload_len":48,"midstream":0,"ts_msec":1431970685839,"l3_proto":"ip4","src_ip":"192.168.1.1","dst_ip":"192.168.1.34","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3}
00494{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1321,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":226,"flow_packet_id":1,"flow_last_seen":1431970685839,"flow_idle_time":120000,"pkt_oversize":false,"pkt_caplen":82,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":82,"pkt_l4_len":48,"ts_msec":1431970685839,"pkt":"PBXCt3IO0NQSxnP1CABFwABElr0AAEABX8jAqAEBwKgBIgMDgJYAAAAARQAAKO0OAABAEQpDwKgBIsCoAQHmrBTnABQM8wABAAAy3TLdAAAOEA=="}
-00565{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1321,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":226,"flow_packets_processed":1,"flow_first_seen":1431970685839,"flow_last_seen":1431970685839,"flow_idle_time":120000,"flow_min_l4_payload_len":48,"flow_max_l4_payload_len":48,"flow_tot_l4_payload_len":48,"flow_avg_l4_payload_len":48,"midstream":0,"ts_msec":1431970685839,"l3_proto":"ip4","src_ip":"192.168.1.1","dst_ip":"192.168.1.34","l4_proto":"icmp","ndpi": {"proto":"ICMP","breed":"Acceptable","category":"Network"}}
+00584{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1321,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":226,"flow_packets_processed":1,"flow_first_seen":1431970685839,"flow_last_seen":1431970685839,"flow_idle_time":120000,"flow_min_l4_payload_len":48,"flow_max_l4_payload_len":48,"flow_tot_l4_payload_len":48,"flow_avg_l4_payload_len":48,"midstream":0,"ts_msec":1431970685839,"l3_proto":"ip4","src_ip":"192.168.1.1","dst_ip":"192.168.1.34","l4_proto":"icmp","ndpi": {"proto":"ICMP","breed":"Acceptable","category":"Network"},"entropy":3.991447}
00565{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1323,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":227,"flow_packets_processed":1,"flow_first_seen":1431970685852,"flow_last_seen":1431970685852,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1431970685852,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"91.190.218.125","src_port":51284,"dst_port":12350,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00489{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1323,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":227,"flow_packet_id":1,"flow_last_seen":1431970685852,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"ts_msec":1431970685852,"pkt":"0NQSxnP1PBXCt3IOCABFAABAXIlAAEAG5ijAqAEiW77afchUMD4lFgKCAAAAALAC\/\/+SwgAAAgQFtAEDAwUBAQgKPjJN1wAAAAAEAgAA"}
00472{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1324,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":227,"flow_packet_id":2,"flow_last_seen":1431970685921,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1431970685921,"pkt":"PBXCt3IO0NQSxnP1CABFAAA0NCRAAPQGWplbvtp9wKgBIjA+yFR61rIKJRYCg4ASH\/4KBwAAAgQFoAEDAwQBAQQC"}
@@ -1297,9 +1297,9 @@
~~ total active/idle flows...: 267/267
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 2647513 bytes
-~~ total memory freed........: 2647513 bytes
-~~ total allocations/frees...: 38321/38321
+~~ total memory allocated....: 5197044 bytes
+~~ total memory freed........: 5197044 bytes
+~~ total allocations/frees...: 102517/102517
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 161 chars
~~ json string max len.......: 1769 chars
diff --git a/test/results/skype_udp.pcap.out b/test/results/skype_udp.pcap.out
index 73b086b57..8a06f3a8d 100644
--- a/test/results/skype_udp.pcap.out
+++ b/test/results/skype_udp.pcap.out
@@ -15,9 +15,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1928269 bytes
-~~ total memory freed........: 1928269 bytes
-~~ total allocations/frees...: 35343/35343
+~~ total memory allocated....: 4590584 bytes
+~~ total memory freed........: 4590584 bytes
+~~ total allocations/frees...: 99539/99539
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 161 chars
~~ json string max len.......: 605 chars
diff --git a/test/results/smb_deletefile.pcap.out b/test/results/smb_deletefile.pcap.out
index be3bac5b6..c1238fadf 100644
--- a/test/results/smb_deletefile.pcap.out
+++ b/test/results/smb_deletefile.pcap.out
@@ -14,9 +14,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1931053 bytes
-~~ total memory freed........: 1931053 bytes
-~~ total allocations/frees...: 35439/35439
+~~ total memory allocated....: 4593368 bytes
+~~ total memory freed........: 4593368 bytes
+~~ total allocations/frees...: 99635/99635
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 168 chars
~~ json string max len.......: 1132 chars
diff --git a/test/results/smbv1.pcap.out b/test/results/smbv1.pcap.out
index 27b53081a..103aa4b46 100644
--- a/test/results/smbv1.pcap.out
+++ b/test/results/smbv1.pcap.out
@@ -14,9 +14,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1930375 bytes
-~~ total memory freed........: 1930375 bytes
-~~ total allocations/frees...: 35346/35346
+~~ total memory allocated....: 4592690 bytes
+~~ total memory freed........: 4592690 bytes
+~~ total allocations/frees...: 99542/99542
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 157 chars
~~ json string max len.......: 708 chars
diff --git a/test/results/smpp_in_general.pcap.out b/test/results/smpp_in_general.pcap.out
index 981fcbae0..99a0b32e2 100644
--- a/test/results/smpp_in_general.pcap.out
+++ b/test/results/smpp_in_general.pcap.out
@@ -14,9 +14,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1930665 bytes
-~~ total memory freed........: 1930665 bytes
-~~ total allocations/frees...: 35356/35356
+~~ total memory allocated....: 4592980 bytes
+~~ total memory freed........: 4592980 bytes
+~~ total allocations/frees...: 99552/99552
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 168 chars
~~ json string max len.......: 600 chars
diff --git a/test/results/smtp-starttls.pcap.out b/test/results/smtp-starttls.pcap.out
index 826c272ab..7c0616441 100644
--- a/test/results/smtp-starttls.pcap.out
+++ b/test/results/smtp-starttls.pcap.out
@@ -3,7 +3,7 @@
00475{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"smtp-starttls.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_last_seen":1388017124762,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1388017124762,"pkt":"AAAMB6wBABNyxPHhCABFAAA8JqtAAEAGeocKAAABrcJEGuA+ABlXuT72AAAAAKACOQgLsAAAAgQFtAQCCAraWRhdAAAAAAEDAwc="}
00475{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"smtp-starttls.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_last_seen":1388017124774,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1388017124774,"pkt":"ABNyxPHhANAr0XYACABFAAA8X3cAAC4Gk7utwkQaCgAAAQAZ4D6dvxfqV7k+96ASpiw5gwAAAgQFlgQCCAoS8Zx72lkYXQEDAwY="}
00463{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"smtp-starttls.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_last_seen":1388017124774,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1388017124774,"pkt":"AAAMB6wBABNyxPHhCABFAAA0JqxAAEAGeo4KAAABrcJEGuA+ABlXuT73nb8X64AQAHMN3wAAAQEICtpZGGgS8Zx7"}
-00624{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"smtp-starttls.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":4,"flow_first_seen":1388017124762,"flow_last_seen":1388017124785,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":51,"flow_tot_l4_payload_len":51,"flow_avg_l4_payload_len":12,"midstream":0,"ts_msec":1388017124785,"l3_proto":"ip4","src_ip":"10.0.0.1","dst_ip":"173.194.68.26","src_port":57406,"dst_port":25,"l4_proto":"tcp","ndpi": {"proto":"SMTP.Google","breed":"Tracker\/Ads","category":"Web"},"smtp": {"user":"","password":""}}
+00622{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"smtp-starttls.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":4,"flow_first_seen":1388017124762,"flow_last_seen":1388017124785,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":51,"flow_tot_l4_payload_len":51,"flow_avg_l4_payload_len":12,"midstream":0,"ts_msec":1388017124785,"l3_proto":"ip4","src_ip":"10.0.0.1","dst_ip":"173.194.68.26","src_port":57406,"dst_port":25,"l4_proto":"tcp","ndpi": {"proto":"SMTP.Google","breed":"Acceptable","category":"Web"},"smtp": {"user":"","password":""}}
00559{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":36,"source":"smtp-starttls.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":36,"flow_first_seen":1388017124762,"flow_last_seen":1388017125239,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":6011,"flow_avg_l4_payload_len":166,"midstream":0,"ts_msec":1388017125239,"l3_proto":"ip4","src_ip":"10.0.0.1","dst_ip":"173.194.68.26","src_port":57406,"dst_port":25,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00161{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":36,"source":"smtp-starttls.pcap","alias":"nDPId-test","total-events-serialized":8}
~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
@@ -14,10 +14,10 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1929168 bytes
-~~ total memory freed........: 1929168 bytes
-~~ total allocations/frees...: 35374/35374
+~~ total memory allocated....: 4591483 bytes
+~~ total memory freed........: 4591483 bytes
+~~ total allocations/frees...: 99570/99570
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 166 chars
-~~ json string max len.......: 629 chars
-~~ json string avg len.......: 461 chars
+~~ json string max len.......: 627 chars
+~~ json string avg len.......: 460 chars
diff --git a/test/results/smtp.pcap.out b/test/results/smtp.pcap.out
new file mode 100644
index 000000000..bf7350178
--- /dev/null
+++ b/test/results/smtp.pcap.out
@@ -0,0 +1,23 @@
+00438{"daemon_event_id":1,"daemon_event_name":"init","thread_id":0,"packet_id":0,"source":"smtp.pcap","alias":"nDPId-test","max-flows-per-thread":2048,"max-idle-flows-per-thread":256,"tick-resolution":1000,"reader-thread-count":1,"flow-scan-interval":10000,"generic-max-idle-time":600000,"icmp-max-idle-time":120000,"udp-max-idle-time":180000,"tcp-max-idle-time":7560000,"max-packets-per-flow-to-send":3,"max-packets-per-flow-to-process":255}
+00542{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1,"source":"smtp.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":934028408568,"flow_last_seen":934028408568,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":934028408568,"l3_proto":"ip4","src_ip":"194.7.248.153","dst_ip":"172.16.114.207","src_port":2127,"dst_port":25,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
+00445{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"smtp.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_last_seen":934028408568,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":24,"ts_msec":934028408568,"pkt":"AMBPo1fbABB7OEYzCABFAAAsEDMAAD8GkhjCB\/iZrBByzwhPABnlqEITAAAAAGACAgCMgQAAAgQFtAAA"}
+00444{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"smtp.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_last_seen":934028408569,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":24,"ts_msec":934028408569,"pkt":"ABB7OEYzAMBPo1fbCABFAAAsFcQAAEAGi4esEHLPwgf4mQAZCE+jURBm5ahCFGASf+Ba2AAAAgQFtAW0"}
+00446{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"smtp.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_last_seen":934028408570,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"ts_msec":934028408570,"pkt":"AMBPo1fbABB7OEYzCABFAAAoEDRAAD8GUhvCB\/iZrBByzwhPABnlqEIUo1EQZ1AQfXh0\/QAAAAAAAAAA"}
+00613{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":10,"source":"smtp.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":10,"flow_first_seen":934028408568,"flow_last_seen":934028408647,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":84,"flow_tot_l4_payload_len":198,"flow_avg_l4_payload_len":19,"midstream":0,"ts_msec":934028408647,"l3_proto":"ip4","src_ip":"194.7.248.153","dst_ip":"172.16.114.207","src_port":2127,"dst_port":25,"l4_proto":"tcp","ndpi": {"proto":"SMTP","breed":"Acceptable","category":"Email"},"smtp": {"user":"","password":""}}
+00553{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":95,"source":"smtp.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":95,"flow_first_seen":934028408568,"flow_last_seen":934028408801,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":17955,"flow_avg_l4_payload_len":189,"midstream":0,"ts_msec":934028408801,"l3_proto":"ip4","src_ip":"194.7.248.153","dst_ip":"172.16.114.207","src_port":2127,"dst_port":25,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
+00152{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":95,"source":"smtp.pcap","alias":"nDPId-test","total-events-serialized":8}
+~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
+~~ packets captured/processed: 95/95
+~~ skipped flows.............: 0
+~~ total layer4 data length..: 17955 bytes
+~~ total detected protocols..: 1
+~~ total active/idle flows...: 1/1
+~~ total timeout flows.......: 0
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~ total memory allocated....: 4595242 bytes
+~~ total memory freed........: 4595242 bytes
+~~ total allocations/frees...: 99630/99630
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~ json string min len.......: 157 chars
+~~ json string max len.......: 618 chars
+~~ json string avg len.......: 451 chars
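Review bot: The `detected` event in this new baseline serializes `"smtp": {"user":"","password":""}` with both values empty, so the fixture does not pin what nDPId emits when a cleartext SMTP AUTH exchange is on the wire. Whether those fields are filled from captured traffic is not visible in this hunk, but if they are, every consumer of the JSON event stream (collectors, log storage) receives mail credentials. I would add a fixture containing an AUTH exchange so the behaviour is covered by a test. I would also state the expectation next to the schema entry, for example `password: taken verbatim from cleartext SMTP AUTH; treat the event stream as sensitive or mask before export`.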
diff --git a/test/results/snapchat.pcap.out b/test/results/snapchat.pcap.out
index fbbd4b628..22c338726 100644
--- a/test/results/snapchat.pcap.out
+++ b/test/results/snapchat.pcap.out
@@ -3,8 +3,8 @@
00472{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"snapchat.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_last_seen":1431417993318,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1431417993318,"pkt":"ABoRAAACABoRAAABCABFAAA8f1tAAEAG3k0KCAABSn2IjYHRAbtgYhiTAAAAAKAC\/\/8GegAAAgQFtAQCCAoAKmfIAAAAAAEDAwY="}
00444{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"snapchat.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_last_seen":1431417993319,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1431417993319,"pkt":"ABoRAAACABoRAAABCABFAAAoAalAABAGjBRKfYiNCggAAQG7gdGfnedsYGIYlFAS\/\/9PMgAA"}
00444{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"snapchat.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_last_seen":1431417993322,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1431417993322,"pkt":"ABoRAAACABoRAAABCABFAAAof1xAAEAG3mAKCAABSn2IjYHRAbtgYhiUn53nbVAQ\/\/9PMwAA"}
-00848{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"snapchat.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":4,"flow_first_seen":1431417993318,"flow_last_seen":1431417993373,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":226,"flow_tot_l4_payload_len":226,"flow_avg_l4_payload_len":56,"midstream":0,"ts_msec":1431417993373,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"74.125.136.141","src_port":33233,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS","24":"SNI TLS extension was missing"},"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","ja3":"36e9ceaa96dd810482573844f78a063f","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
-00902{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"snapchat.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":6,"flow_first_seen":1431417993318,"flow_last_seen":1431417993476,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":226,"flow_tot_l4_payload_len":363,"flow_avg_l4_payload_len":60,"midstream":0,"ts_msec":1431417993476,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"74.125.136.141","src_port":33233,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS","24":"SNI TLS extension was missing"},"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","ja3":"36e9ceaa96dd810482573844f78a063f","ja3s":"fbe78c619e7ea20046131294ad087f05","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}
+00846{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"snapchat.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":4,"flow_first_seen":1431417993318,"flow_last_seen":1431417993373,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":226,"flow_tot_l4_payload_len":226,"flow_avg_l4_payload_len":56,"midstream":0,"ts_msec":1431417993373,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"74.125.136.141","src_port":33233,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS","24":"SNI TLS extension was missing"},"proto":"TLS.Google","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","ja3":"36e9ceaa96dd810482573844f78a063f","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
+00900{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"snapchat.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":6,"flow_first_seen":1431417993318,"flow_last_seen":1431417993476,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":226,"flow_tot_l4_payload_len":363,"flow_avg_l4_payload_len":60,"midstream":0,"ts_msec":1431417993476,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"74.125.136.141","src_port":33233,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS","24":"SNI TLS extension was missing"},"proto":"TLS.Google","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","ja3":"36e9ceaa96dd810482573844f78a063f","ja3s":"fbe78c619e7ea20046131294ad087f05","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}
00547{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":23,"source":"snapchat.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":1,"flow_first_seen":1431418008131,"flow_last_seen":1431418008131,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1431418008131,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"74.125.136.141","src_port":44536,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00473{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":23,"source":"snapchat.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_last_seen":1431418008131,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1431418008131,"pkt":"ABoRAAACABoRAAABCABFAAA8OQ1AAEAGJJwKCAABSn2Ija34AbvuolTmAAAAAKAC\/\/8JnAAAAgQFtAQCCAoAKm3rAAAAAAEDAwY="}
00445{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":24,"source":"snapchat.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_last_seen":1431418008132,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1431418008132,"pkt":"ABoRAAACABoRAAABCABFAAAoAeJAABAGi9tKfYiNCggAAQG7rfgRXasZ7qJU51AS\/\/8jCwAA"}
@@ -29,10 +29,10 @@
~~ total active/idle flows...: 3/3
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1939142 bytes
-~~ total memory freed........: 1939142 bytes
-~~ total allocations/frees...: 35405/35405
+~~ total memory allocated....: 4600609 bytes
+~~ total memory freed........: 4600609 bytes
+~~ total allocations/frees...: 99601/99601
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 162 chars
-~~ json string max len.......: 907 chars
-~~ json string avg len.......: 605 chars
+~~ json string max len.......: 905 chars
+~~ json string avg len.......: 604 chars
diff --git a/test/results/snapchat_call.pcapng.out b/test/results/snapchat_call.pcapng.out
index c16f7b68e..a43528b8b 100644
--- a/test/results/snapchat_call.pcapng.out
+++ b/test/results/snapchat_call.pcapng.out
@@ -14,9 +14,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1929574 bytes
-~~ total memory freed........: 1929574 bytes
-~~ total allocations/frees...: 35388/35388
+~~ total memory allocated....: 4591889 bytes
+~~ total memory freed........: 4591889 bytes
+~~ total allocations/frees...: 99584/99584
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 168 chars
~~ json string max len.......: 2279 chars
diff --git a/test/results/ssdp-m-search.pcap.out b/test/results/ssdp-m-search.pcap.out
index 67a3601d9..bb0222254 100644
--- a/test/results/ssdp-m-search.pcap.out
+++ b/test/results/ssdp-m-search.pcap.out
@@ -15,9 +15,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1928675 bytes
-~~ total memory freed........: 1928675 bytes
-~~ total allocations/frees...: 35357/35357
+~~ total memory allocated....: 4590990 bytes
+~~ total memory freed........: 4590990 bytes
+~~ total allocations/frees...: 99553/99553
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 166 chars
~~ json string max len.......: 599 chars
diff --git a/test/results/ssh.pcap.out b/test/results/ssh.pcap.out
index 9017df022..42165611a 100644
--- a/test/results/ssh.pcap.out
+++ b/test/results/ssh.pcap.out
@@ -17,9 +17,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1937610 bytes
-~~ total memory freed........: 1937610 bytes
-~~ total allocations/frees...: 35600/35600
+~~ total memory allocated....: 4599925 bytes
+~~ total memory freed........: 4599925 bytes
+~~ total allocations/frees...: 99796/99796
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 158 chars
~~ json string max len.......: 895 chars
diff --git a/test/results/ssl-cert-name-mismatch.pcap.out b/test/results/ssl-cert-name-mismatch.pcap.out
index 47fe25163..f6030a801 100644
--- a/test/results/ssl-cert-name-mismatch.pcap.out
+++ b/test/results/ssl-cert-name-mismatch.pcap.out
@@ -3,9 +3,9 @@
00485{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"ssl-cert-name-mismatch.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_last_seen":1620643422034,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1620643422034,"pkt":"BBjWBrNaACWQ1Mz5CABFAAA8gCNAAEAGNQ\/AqALeaJpZadX0AbtP8LY3AAAAAKACchCFuAAAAgQFtAQCCAoBlw8kAAAAAAEDAwc="}
00485{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"ssl-cert-name-mismatch.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_last_seen":1620643422162,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1620643422162,"pkt":"ACWQ1Mz5BBjWBrNaCABFAAA8AABAADAGxTJomllpwKgC3gG71fRoLFRgT\/C2OKASbgBjmAAAAgQFjAQCCAqtfZhXAZcPJAEDAwc="}
00472{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"ssl-cert-name-mismatch.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_last_seen":1620643422162,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1620643422162,"pkt":"BBjWBrNaACWQ1Mz5CABFAAA0gCRAAEAGNRbAqALeaJpZadX0AbtP8LY4aCxUYYAQAOWFsAAAAQEICgGXD0StfZhX"}
-00814{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"ssl-cert-name-mismatch.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":4,"flow_first_seen":1620643422034,"flow_last_seen":1620643422196,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":245,"flow_tot_l4_payload_len":245,"flow_avg_l4_payload_len":61,"midstream":0,"ts_msec":1620643422196,"l3_proto":"ip4","src_ip":"192.168.2.222","dst_ip":"104.154.89.105","src_port":54772,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"wrong.host.badssl.com","ja3":"4e69e4e5627c5e4c2846ba3e64d23fb9","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"http\/1.1"}}
-00871{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"ssl-cert-name-mismatch.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":6,"flow_first_seen":1620643422034,"flow_last_seen":1620643422325,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1408,"flow_tot_l4_payload_len":1653,"flow_avg_l4_payload_len":275,"midstream":0,"ts_msec":1620643422325,"l3_proto":"ip4","src_ip":"192.168.2.222","dst_ip":"104.154.89.105","src_port":54772,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"wrong.host.badssl.com","ja3":"4e69e4e5627c5e4c2846ba3e64d23fb9","ja3s":"b898351eb5e266aefd3723d466935494","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"http\/1.1"}}
-01195{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":10,"source":"ssl-cert-name-mismatch.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":10,"flow_first_seen":1620643422034,"flow_last_seen":1620643422325,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1408,"flow_tot_l4_payload_len":3579,"flow_avg_l4_payload_len":357,"midstream":0,"ts_msec":1620643422325,"l3_proto":"ip4","src_ip":"192.168.2.222","dst_ip":"104.154.89.105","src_port":54772,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"10":"TLS Certificate Mismatch"},"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"wrong.host.badssl.com","server_names":"*.badssl.com,badssl.com","ja3":"4e69e4e5627c5e4c2846ba3e64d23fb9","ja3s":"b898351eb5e266aefd3723d466935494","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","issuerDN":"C=US, ST=California, L=Walnut Creek, O=Lucas Garron Torres, CN=*.badssl.com","alpn":"http\/1.1","fingerprint":"18:45:B2:16:EF:D0:83:9A:18:51:A9:57:32:5D:A3:36:21:70:49:CB"}}
+00812{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"ssl-cert-name-mismatch.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":4,"flow_first_seen":1620643422034,"flow_last_seen":1620643422196,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":245,"flow_tot_l4_payload_len":245,"flow_avg_l4_payload_len":61,"midstream":0,"ts_msec":1620643422196,"l3_proto":"ip4","src_ip":"192.168.2.222","dst_ip":"104.154.89.105","src_port":54772,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"wrong.host.badssl.com","ja3":"4e69e4e5627c5e4c2846ba3e64d23fb9","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"http\/1.1"}}
+00869{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"ssl-cert-name-mismatch.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":6,"flow_first_seen":1620643422034,"flow_last_seen":1620643422325,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1408,"flow_tot_l4_payload_len":1653,"flow_avg_l4_payload_len":275,"midstream":0,"ts_msec":1620643422325,"l3_proto":"ip4","src_ip":"192.168.2.222","dst_ip":"104.154.89.105","src_port":54772,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"wrong.host.badssl.com","ja3":"4e69e4e5627c5e4c2846ba3e64d23fb9","ja3s":"b898351eb5e266aefd3723d466935494","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"http\/1.1"}}
+01147{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":10,"source":"ssl-cert-name-mismatch.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":10,"flow_first_seen":1620643422034,"flow_last_seen":1620643422325,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1408,"flow_tot_l4_payload_len":3579,"flow_avg_l4_payload_len":357,"midstream":0,"ts_msec":1620643422325,"l3_proto":"ip4","src_ip":"192.168.2.222","dst_ip":"104.154.89.105","src_port":54772,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"wrong.host.badssl.com","server_names":"*.badssl.com,badssl.com","ja3":"4e69e4e5627c5e4c2846ba3e64d23fb9","ja3s":"b898351eb5e266aefd3723d466935494","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=Walnut Creek, O=Lucas Garron Torres, CN=*.badssl.com","alpn":"http\/1.1","fingerprint":"18:45:B2:16:EF:D0:83:9A:18:51:A9:57:32:5D:A3:36:21:70:49:CB"}}
00575{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":21,"source":"ssl-cert-name-mismatch.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":21,"flow_first_seen":1620643422034,"flow_last_seen":1620643422754,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1408,"flow_tot_l4_payload_len":4010,"flow_avg_l4_payload_len":190,"midstream":0,"ts_msec":1620643422754,"l3_proto":"ip4","src_ip":"192.168.2.222","dst_ip":"104.154.89.105","src_port":54772,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00171{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":21,"source":"ssl-cert-name-mismatch.pcap","alias":"nDPId-test","total-events-serialized":10}
~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
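Review bot: The regenerated third `detection-update` event (packet_id 10) no longer contains `"flow_risk": {"10":"TLS Certificate Mismatch"}`, although it still reports `"client_requested_server_name":"wrong.host.badssl.com"` against `"server_names":"*.badssl.com,badssl.com"`. A single-label wildcard does not cover `wrong.host.badssl.com`, so for a fixture named ssl-cert-name-mismatch this looks like a lost detection rather than an expected baseline change, and anything alerting on risk 10 would go silent. The drop presumably comes from the libnDPI submodule bump listed in the diffstat; before accepting this output, confirm that upstream and either restore the risk or record in the commit message why it is gone. The second `issuerDN` key becoming `subjectDN` in the same line is a correct fix, since the old output had a duplicate JSON key.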
@@ -16,10 +16,10 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1936941 bytes
-~~ total memory freed........: 1936941 bytes
-~~ total allocations/frees...: 35367/35367
+~~ total memory allocated....: 4599256 bytes
+~~ total memory freed........: 4599256 bytes
+~~ total allocations/frees...: 99563/99563
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 176 chars
-~~ json string max len.......: 1200 chars
-~~ json string avg len.......: 732 chars
+~~ json string max len.......: 1152 chars
+~~ json string avg len.......: 711 chars
diff --git a/test/results/starcraft_battle.pcap.out b/test/results/starcraft_battle.pcap.out
index 9f1e60d99..7f63ea916 100644
--- a/test/results/starcraft_battle.pcap.out
+++ b/test/results/starcraft_battle.pcap.out
@@ -60,7 +60,7 @@
00468{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":41,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":13,"flow_packet_id":1,"flow_last_seen":1437389964518,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1437389964518,"pkt":"hCYVPnXEIImEa8W6CABFAAA0bDFAAIAGrOPAqAFkrcJx4A2yAFD3XxLXAAAAAIACIABVKAAAAgQFtAEDAwgBAQQC"}
00468{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":42,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":13,"flow_packet_id":2,"flow_last_seen":1437389964552,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1437389964552,"pkt":"IImEa8W6hCYVPnXECABFAAA0QI0AADUGY4itwnHgwKgBZABQDbI8Bg5O918S2IASp5SDTQAAAgQFlgEBBAIBAwMH"}
00452{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":43,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":13,"flow_packet_id":3,"flow_last_seen":1437389964552,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1437389964552,"pkt":"hCYVPnXEIImEa8W6CABFAAAobDJAAIAGrO7AqAFkrcJx4A2yAFD3XxLYPAYOT1AQAQBqlgAA"}
-00758{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":44,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":13,"flow_packets_processed":4,"flow_first_seen":1437389964518,"flow_last_seen":1437389964552,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":350,"flow_tot_l4_payload_len":350,"flow_avg_l4_payload_len":87,"midstream":0,"ts_msec":1437389964552,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"173.194.113.224","src_port":3506,"dst_port":80,"l4_proto":"tcp","ndpi": {"proto":"HTTP.Google","breed":"Tracker\/Ads","category":"Web"},"http": {"hostname":"www.google-analytics.com","url":"www.google-analytics.com\/collect","code":0,"content_type":"","user_agent":"Battle.net\/1.3.0.5952"}}
+00766{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":44,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":13,"flow_packets_processed":4,"flow_first_seen":1437389964518,"flow_last_seen":1437389964552,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":350,"flow_tot_l4_payload_len":350,"flow_avg_l4_payload_len":87,"midstream":0,"ts_msec":1437389964552,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"173.194.113.224","src_port":3506,"dst_port":80,"l4_proto":"tcp","ndpi": {"proto":"HTTP.Google","breed":"Acceptable","category":"Advertisement"},"http": {"hostname":"www.google-analytics.com","url":"www.google-analytics.com\/collect","code":0,"content_type":"","user_agent":"Battle.net\/1.3.0.5952"}}
00562{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":53,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":1,"flow_first_seen":1437389964752,"flow_last_seen":1437389964752,"flow_idle_time":180000,"flow_min_l4_payload_len":35,"flow_max_l4_payload_len":35,"flow_tot_l4_payload_len":35,"flow_avg_l4_payload_len":35,"midstream":0,"ts_msec":1437389964752,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"192.168.1.254","src_port":60026,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00485{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":53,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":14,"flow_packet_id":1,"flow_last_seen":1437389964752,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":77,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":77,"pkt_l4_len":43,"ts_msec":1437389964752,"pkt":"hCYVPnXEIImEa8W6CABFAAA\/X2UAAIARVpbAqAFkwKgB\/up6ADUAK3heAXYBAAABAAAAAAAABGxsbncIYmxpenphcmQDY29tAAABAAE="}
00727{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":53,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":1,"flow_first_seen":1437389964752,"flow_last_seen":1437389964752,"flow_idle_time":180000,"flow_min_l4_payload_len":35,"flow_max_l4_payload_len":35,"flow_tot_l4_payload_len":35,"flow_avg_l4_payload_len":35,"midstream":0,"ts_msec":1437389964752,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"192.168.1.254","src_port":60026,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS","breed":"Acceptable","category":"Network"},"dns": {"query":"llnw.blizzard.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
@@ -242,9 +242,9 @@
00790{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":688,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":51,"flow_packets_processed":4,"flow_first_seen":1437389985925,"flow_last_seen":1437389985962,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":146,"flow_tot_l4_payload_len":146,"flow_avg_l4_payload_len":36,"midstream":0,"ts_msec":1437389985962,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"2.228.46.112","src_port":3533,"dst_port":80,"l4_proto":"tcp","ndpi": {"proto":"HTTP","breed":"Acceptable","category":"Web"},"http": {"hostname":"bnetcmsus-a.akamaihd.net","url":"bnetcmsus-a.akamaihd.net\/cms\/bnet_header\/mf\/MFTH8TS42HKX1430183778319.jpg","code":0,"content_type":"","user_agent":"Battle.net Web Client"}}
00588{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":800,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":35,"flow_packets_processed":2,"flow_first_seen":1437389982769,"flow_last_seen":1437389982825,"flow_idle_time":180000,"flow_min_l4_payload_len":2,"flow_max_l4_payload_len":2,"flow_tot_l4_payload_len":4,"flow_avg_l4_payload_len":2,"midstream":0,"ts_msec":1437389985996,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"62.115.246.51","src_port":53146,"dst_port":1119,"l4_proto":"udp","ndpi": {"proto":"Starcraft","breed":"Fun","category":"Game"}}
00562{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":800,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":35,"flow_packets_processed":2,"flow_first_seen":1437389982769,"flow_last_seen":1437389982825,"flow_idle_time":180000,"flow_min_l4_payload_len":2,"flow_max_l4_payload_len":2,"flow_tot_l4_payload_len":4,"flow_avg_l4_payload_len":2,"midstream":0,"ts_msec":1437389985996,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"62.115.246.51","src_port":53146,"dst_port":1119,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
-00594{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":800,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":11,"flow_packets_processed":2,"flow_first_seen":1437389961548,"flow_last_seen":1437389961598,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1,"flow_tot_l4_payload_len":1,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1437389985996,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"64.233.184.188","src_port":2759,"dst_port":5228,"l4_proto":"tcp","ndpi": {"proto":"Google","breed":"Tracker\/Ads","category":"Web"}}
+00592{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":800,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":11,"flow_packets_processed":2,"flow_first_seen":1437389961548,"flow_last_seen":1437389961598,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1,"flow_tot_l4_payload_len":1,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1437389985996,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"64.233.184.188","src_port":2759,"dst_port":5228,"l4_proto":"tcp","ndpi": {"proto":"Google","breed":"Acceptable","category":"Web"}}
00563{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":800,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":11,"flow_packets_processed":2,"flow_first_seen":1437389961548,"flow_last_seen":1437389961598,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1,"flow_tot_l4_payload_len":1,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1437389985996,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"64.233.184.188","src_port":2759,"dst_port":5228,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
-00596{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":800,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":2,"flow_first_seen":1437389955932,"flow_last_seen":1437389955967,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1,"flow_tot_l4_payload_len":1,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1437389985996,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"216.58.212.110","src_port":3052,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"}}
+00594{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":800,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":2,"flow_first_seen":1437389955932,"flow_last_seen":1437389955967,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1,"flow_tot_l4_payload_len":1,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1437389985996,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"216.58.212.110","src_port":3052,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Web"}}
00561{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":800,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":2,"flow_first_seen":1437389955932,"flow_last_seen":1437389955967,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1,"flow_tot_l4_payload_len":1,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1437389985996,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"216.58.212.110","src_port":3052,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00565{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":800,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":28,"flow_packets_processed":4,"flow_first_seen":1437389981134,"flow_last_seen":1437389981218,"flow_idle_time":180000,"flow_min_l4_payload_len":34,"flow_max_l4_payload_len":50,"flow_tot_l4_payload_len":168,"flow_avg_l4_payload_len":42,"midstream":0,"ts_msec":1437389985996,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"192.168.1.254","src_port":53145,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00566{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":800,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":13,"flow_packets_processed":9,"flow_first_seen":1437389964518,"flow_last_seen":1437389964635,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":427,"flow_tot_l4_payload_len":777,"flow_avg_l4_payload_len":86,"midstream":0,"ts_msec":1437389985996,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"173.194.113.224","src_port":3506,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -252,7 +252,7 @@
00595{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":800,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":10,"flow_packets_processed":13,"flow_first_seen":1437389958129,"flow_last_seen":1437389968685,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":101,"flow_tot_l4_payload_len":170,"flow_avg_l4_payload_len":13,"midstream":1,"ts_msec":1437389985996,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"80.239.208.193","src_port":3427,"dst_port":1119,"l4_proto":"tcp","ndpi": {"proto":"Starcraft","breed":"Fun","category":"Game"}}
00568{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":800,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":10,"flow_packets_processed":13,"flow_first_seen":1437389958129,"flow_last_seen":1437389968685,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":101,"flow_tot_l4_payload_len":170,"flow_avg_l4_payload_len":13,"midstream":1,"ts_msec":1437389985996,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"80.239.208.193","src_port":3427,"dst_port":1119,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00566{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":800,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":44,"flow_packets_processed":4,"flow_first_seen":1437389985821,"flow_last_seen":1437389985912,"flow_idle_time":180000,"flow_min_l4_payload_len":42,"flow_max_l4_payload_len":152,"flow_tot_l4_payload_len":388,"flow_avg_l4_payload_len":97,"midstream":0,"ts_msec":1437389985996,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"192.168.1.254","src_port":55468,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
-00598{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":800,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":26,"flow_packets_processed":3,"flow_first_seen":1437389968488,"flow_last_seen":1437389968521,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1437389985996,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"173.194.113.224","src_port":3484,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"}}
+00596{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":800,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":26,"flow_packets_processed":3,"flow_first_seen":1437389968488,"flow_last_seen":1437389968521,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1437389985996,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"173.194.113.224","src_port":3484,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Web"}}
00562{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":800,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":26,"flow_packets_processed":3,"flow_first_seen":1437389968488,"flow_last_seen":1437389968521,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1437389985996,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"173.194.113.224","src_port":3484,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00569{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":800,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":45,"flow_packets_processed":41,"flow_first_seen":1437389985891,"flow_last_seen":1437389985996,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":35189,"flow_avg_l4_payload_len":858,"midstream":0,"ts_msec":1437389985996,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"2.228.46.112","src_port":3527,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00569{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":800,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":46,"flow_packets_processed":29,"flow_first_seen":1437389985892,"flow_last_seen":1437389985994,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":23509,"flow_avg_l4_payload_len":810,"midstream":0,"ts_msec":1437389985996,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"2.228.46.112","src_port":3528,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -297,7 +297,7 @@
00565{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":800,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":41,"flow_packets_processed":10,"flow_first_seen":1437389985320,"flow_last_seen":1437389985635,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":499,"flow_tot_l4_payload_len":644,"flow_avg_l4_payload_len":64,"midstream":0,"ts_msec":1437389985996,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"80.239.186.26","src_port":3524,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00568{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":800,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":42,"flow_packets_processed":12,"flow_first_seen":1437389985434,"flow_last_seen":1437389985610,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":3255,"flow_avg_l4_payload_len":271,"midstream":0,"ts_msec":1437389985996,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"80.239.186.40","src_port":3525,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00568{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":800,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":43,"flow_packets_processed":11,"flow_first_seen":1437389985446,"flow_last_seen":1437389985631,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":3062,"flow_avg_l4_payload_len":278,"midstream":0,"ts_msec":1437389985996,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"80.239.186.40","src_port":3526,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
-00596{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":800,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":6,"flow_first_seen":1437389955670,"flow_last_seen":1437389984611,"flow_idle_time":180000,"flow_min_l4_payload_len":24,"flow_max_l4_payload_len":41,"flow_tot_l4_payload_len":223,"flow_avg_l4_payload_len":37,"midstream":0,"ts_msec":1437389985996,"l3_proto":"ip4","src_ip":"173.194.40.22","dst_ip":"192.168.1.100","src_port":443,"dst_port":53568,"l4_proto":"udp","ndpi": {"proto":"Google","breed":"Tracker\/Ads","category":"Web"}}
+00594{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":800,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":6,"flow_first_seen":1437389955670,"flow_last_seen":1437389984611,"flow_idle_time":180000,"flow_min_l4_payload_len":24,"flow_max_l4_payload_len":41,"flow_tot_l4_payload_len":223,"flow_avg_l4_payload_len":37,"midstream":0,"ts_msec":1437389985996,"l3_proto":"ip4","src_ip":"173.194.40.22","dst_ip":"192.168.1.100","src_port":443,"dst_port":53568,"l4_proto":"udp","ndpi": {"proto":"Google","breed":"Acceptable","category":"Web"}}
00565{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":800,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":6,"flow_first_seen":1437389955670,"flow_last_seen":1437389984611,"flow_idle_time":180000,"flow_min_l4_payload_len":24,"flow_max_l4_payload_len":41,"flow_tot_l4_payload_len":223,"flow_avg_l4_payload_len":37,"midstream":0,"ts_msec":1437389985996,"l3_proto":"ip4","src_ip":"173.194.40.22","dst_ip":"192.168.1.100","src_port":443,"dst_port":53568,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00587{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":800,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":34,"flow_packets_processed":2,"flow_first_seen":1437389982769,"flow_last_seen":1437389982823,"flow_idle_time":180000,"flow_min_l4_payload_len":2,"flow_max_l4_payload_len":2,"flow_tot_l4_payload_len":4,"flow_avg_l4_payload_len":2,"midstream":0,"ts_msec":1437389985996,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"5.42.180.154","src_port":53146,"dst_port":1119,"l4_proto":"udp","ndpi": {"proto":"Starcraft","breed":"Fun","category":"Game"}}
00561{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":800,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":34,"flow_packets_processed":2,"flow_first_seen":1437389982769,"flow_last_seen":1437389982823,"flow_idle_time":180000,"flow_min_l4_payload_len":2,"flow_max_l4_payload_len":2,"flow_tot_l4_payload_len":4,"flow_avg_l4_payload_len":2,"midstream":0,"ts_msec":1437389985996,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"5.42.180.154","src_port":53146,"dst_port":1119,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
@@ -323,9 +323,9 @@
~~ total active/idle flows...: 52/52
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 2060182 bytes
-~~ total memory freed........: 2060182 bytes
-~~ total allocations/frees...: 36357/36357
+~~ total memory allocated....: 4700884 bytes
+~~ total memory freed........: 4700884 bytes
+~~ total allocations/frees...: 100554/100554
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 163 chars
~~ json string max len.......: 956 chars
diff --git a/test/results/steam.pcap.out b/test/results/steam.pcap.out
index b5b952d2e..a005a65c4 100644
--- a/test/results/steam.pcap.out
+++ b/test/results/steam.pcap.out
@@ -269,9 +269,9 @@
~~ total active/idle flows...: 55/55
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 2018404 bytes
-~~ total memory freed........: 2018404 bytes
-~~ total allocations/frees...: 35604/35604
+~~ total memory allocated....: 4657823 bytes
+~~ total memory freed........: 4657823 bytes
+~~ total allocations/frees...: 99800/99800
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 161 chars
~~ json string max len.......: 586 chars
diff --git a/test/results/steam_datagram_relay_ping.pcapng.out b/test/results/steam_datagram_relay_ping.pcapng.out
index f1b664820..85546a96f 100644
--- a/test/results/steam_datagram_relay_ping.pcapng.out
+++ b/test/results/steam_datagram_relay_ping.pcapng.out
@@ -13,9 +13,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1928182 bytes
-~~ total memory freed........: 1928182 bytes
-~~ total allocations/frees...: 35340/35340
+~~ total memory allocated....: 4590497 bytes
+~~ total memory freed........: 4590497 bytes
+~~ total allocations/frees...: 99536/99536
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 179 chars
~~ json string max len.......: 2192 chars
diff --git a/test/results/stun_facebook.pcapng.out b/test/results/stun_facebook.pcapng.out
index 330ca0fa5..971e0207d 100644
--- a/test/results/stun_facebook.pcapng.out
+++ b/test/results/stun_facebook.pcapng.out
@@ -2,7 +2,7 @@
00561{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1,"source":"stun_facebook.pcapng","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1629291451242,"flow_last_seen":1629291451242,"flow_idle_time":180000,"flow_min_l4_payload_len":28,"flow_max_l4_payload_len":28,"flow_tot_l4_payload_len":28,"flow_avg_l4_payload_len":28,"midstream":0,"ts_msec":1629291451242,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"31.13.86.54","src_port":38123,"dst_port":40003,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00472{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"stun_facebook.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_last_seen":1629291451242,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":70,"pkt_l4_len":36,"ts_msec":1629291451242,"pkt":"CL6sCxdumt9Y+uvcCABFAAA4VYJAAEARop7AqAypHw1WNpTrnEMAJO1IAAMACCESpEJBSzdRUHlQSzlldVYAGQAEEQAAAA=="}
00575{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"stun_facebook.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_last_seen":1629291451254,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":146,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":146,"pkt_l4_len":112,"ts_msec":1629291451254,"pkt":"mt9Y+uvcCL6sCxduCABFAACER+pAAFURmuofDVY2wKgMqZxDlOsAcMgPARMAVCESpEJBSzdRUHlQSzlldVYACQAQAAAEAXVuYXV0aG9yaXplZAAVAChiYjAzMWQ2MWNjYzFiZTgyZTI0MDE0NDM1ZWQ1MmYyNmZiYTYyNDgzABQAD3R1cm5lci5mYWNlYm9vawA="}
-00660{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":2,"source":"stun_facebook.pcapng","alias":"nDPId-test","flow_id":1,"flow_packets_processed":2,"flow_first_seen":1629291451242,"flow_last_seen":1629291451254,"flow_idle_time":180000,"flow_min_l4_payload_len":28,"flow_max_l4_payload_len":104,"flow_tot_l4_payload_len":132,"flow_avg_l4_payload_len":66,"midstream":0,"ts_msec":1629291451254,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"31.13.86.54","src_port":38123,"dst_port":40003,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"STUN.Messenger","breed":"Acceptable","category":"VoIP"}}
+00663{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":2,"source":"stun_facebook.pcapng","alias":"nDPId-test","flow_id":1,"flow_packets_processed":2,"flow_first_seen":1629291451242,"flow_last_seen":1629291451254,"flow_idle_time":180000,"flow_min_l4_payload_len":28,"flow_max_l4_payload_len":104,"flow_tot_l4_payload_len":132,"flow_avg_l4_payload_len":66,"midstream":0,"ts_msec":1629291451254,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"31.13.86.54","src_port":38123,"dst_port":40003,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"STUN.FacebookVoip","breed":"Acceptable","category":"VoIP"}}
00619{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"stun_facebook.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_last_seen":1629291451258,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":178,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":178,"pkt_l4_len":144,"ts_msec":1629291451258,"pkt":"CL6sCxdumt9Y+uvcCABFAACkVYNAAEARojHAqAypHw1WNpTrnEMAkHyWAAMAdCESpEI1elVqTVhIdmV3K3MAGQAEEQAAAAAGABBNZjJoOUhpNWFQTVJwbEYxABQAD3R1cm5lci5mYWNlYm9vawAAFQAoYmIwMzFkNjFjY2MxYmU4MmUyNDAxNDQzNWVkNTJmMjZmYmE2MjQ4MwAIABSHhqaIN2rgJVJbblyGsNjNga5wAA=="}
00567{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":75,"source":"stun_facebook.pcapng","alias":"nDPId-test","flow_id":1,"flow_packets_processed":75,"flow_first_seen":1629291451242,"flow_last_seen":1629291461336,"flow_idle_time":180000,"flow_min_l4_payload_len":26,"flow_max_l4_payload_len":148,"flow_tot_l4_payload_len":7404,"flow_avg_l4_payload_len":98,"midstream":0,"ts_msec":1629291461336,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"31.13.86.54","src_port":38123,"dst_port":40003,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00163{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":75,"source":"stun_facebook.pcapng","alias":"nDPId-test","total-events-serialized":8}
@@ -14,10 +14,10 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1938507 bytes
-~~ total memory freed........: 1938507 bytes
-~~ total allocations/frees...: 35415/35415
+~~ total memory allocated....: 4600822 bytes
+~~ total memory freed........: 4600822 bytes
+~~ total allocations/frees...: 99611/99611
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 168 chars
-~~ json string max len.......: 665 chars
-~~ json string avg len.......: 482 chars
+~~ json string max len.......: 668 chars
+~~ json string avg len.......: 484 chars
diff --git a/test/results/stun_signal.pcapng.out b/test/results/stun_signal.pcapng.out
new file mode 100644
index 000000000..30decebc9
--- /dev/null
+++ b/test/results/stun_signal.pcapng.out
@@ -0,0 +1,156 @@
+00447{"daemon_event_id":1,"daemon_event_name":"init","thread_id":0,"packet_id":0,"source":"stun_signal.pcapng","alias":"nDPId-test","max-flows-per-thread":2048,"max-idle-flows-per-thread":256,"tick-resolution":1000,"reader-thread-count":1,"flow-scan-interval":10000,"generic-max-idle-time":600000,"icmp-max-idle-time":120000,"udp-max-idle-time":180000,"tcp-max-idle-time":7560000,"max-packets-per-flow-to-send":3,"max-packets-per-flow-to-process":255}
+00563{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1636901936040,"flow_last_seen":1636901936040,"flow_idle_time":180000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":20,"flow_tot_l4_payload_len":20,"flow_avg_l4_payload_len":20,"midstream":0,"ts_msec":1636901936040,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"172.253.121.127","src_port":39518,"dst_port":19302,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00458{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_last_seen":1636901936040,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"ts_msec":1636901936040,"pkt":"CL6sCxdumt9Y+uvcCABFAAAwdVpAAEAR0ZTAqAyprP15f5peS2YAHHHgAAEAACESpEJTQ2RLNjF0alZXNms="}
+00563{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":2,"flow_packets_processed":1,"flow_first_seen":1636901936040,"flow_last_seen":1636901936040,"flow_idle_time":180000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":20,"flow_tot_l4_payload_len":20,"flow_avg_l4_payload_len":20,"midstream":0,"ts_msec":1636901936040,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"172.253.121.127","src_port":47204,"dst_port":19302,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00458{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_last_seen":1636901936040,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"ts_msec":1636901936040,"pkt":"CL6sCxdumt9Y+uvcCABFAAAwdVtAAEAR0ZPAqAyprP15f7hkS2YAHGpqAAEAACESpEJ0a0VLMmtzWEZzMm8="}
+00560{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":3,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":3,"flow_packets_processed":1,"flow_first_seen":1636901936065,"flow_last_seen":1636901936065,"flow_idle_time":180000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":20,"flow_tot_l4_payload_len":20,"flow_avg_l4_payload_len":20,"midstream":0,"ts_msec":1636901936065,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"35.158.183.167","src_port":47204,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00458{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_last_seen":1636901936065,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"ts_msec":1636901936065,"pkt":"CL6sCxdumt9Y+uvcCABFAAAwnU1AAEAR9NjAqAypI563p7hkAbsAHPPxAAEAACESpEIwTUEzZ2hMNXgrRm4="}
+00561{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":4,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":4,"flow_packets_processed":1,"flow_first_seen":1636901936070,"flow_last_seen":1636901936070,"flow_idle_time":180000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":20,"flow_tot_l4_payload_len":20,"flow_avg_l4_payload_len":20,"midstream":0,"ts_msec":1636901936070,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"35.158.183.167","src_port":47204,"dst_port":3478,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00458{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":4,"flow_packet_id":1,"flow_last_seen":1636901936070,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"ts_msec":1636901936070,"pkt":"CL6sCxdumt9Y+uvcCABFAAAwnU5AAEAR9NfAqAypI563p7hkDZYAHPweAAEAACESpEJjaDExN25ZQXk2MTA="}
+00561{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":5,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":5,"flow_packets_processed":1,"flow_first_seen":1636901936070,"flow_last_seen":1636901936070,"flow_idle_time":180000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":20,"flow_tot_l4_payload_len":20,"flow_avg_l4_payload_len":20,"midstream":0,"ts_msec":1636901936070,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"35.158.183.167","src_port":39518,"dst_port":3478,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00458{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":5,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_last_seen":1636901936070,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"ts_msec":1636901936070,"pkt":"CL6sCxdumt9Y+uvcCABFAAAwnU9AAEAR9NbAqAypI563p5peDZYAHOX3AAEAACESpEJkOSt6R0JMc3JIbis="}
+00560{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":6,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":6,"flow_packets_processed":1,"flow_first_seen":1636901936070,"flow_last_seen":1636901936070,"flow_idle_time":180000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":20,"flow_tot_l4_payload_len":20,"flow_avg_l4_payload_len":20,"midstream":0,"ts_msec":1636901936070,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"35.158.183.167","src_port":39518,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00458{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":6,"flow_packet_id":1,"flow_last_seen":1636901936070,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"ts_msec":1636901936070,"pkt":"CL6sCxdumt9Y+uvcCABFAAAwnVBAAEAR9NXAqAypI563p5peAbsAHIqqAAEAACESpEJaZmI0ZFV3bVhyejU="}
+00529{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":7,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":7,"flow_packets_processed":1,"flow_first_seen":1636901936083,"flow_last_seen":1636901936083,"flow_idle_time":120000,"flow_min_l4_payload_len":56,"flow_max_l4_payload_len":56,"flow_tot_l4_payload_len":56,"flow_avg_l4_payload_len":56,"midstream":0,"ts_msec":1636901936083,"l3_proto":"ip4","src_ip":"35.158.183.167","dst_ip":"192.168.12.169","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3}
+00494{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":7,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":7,"flow_packet_id":1,"flow_last_seen":1636901936083,"flow_idle_time":120000,"pkt_oversize":false,"pkt_caplen":90,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":90,"pkt_l4_len":56,"ts_msec":1636901936083,"pkt":"mt9Y+uvcCL6sCxduCABFAABMbq0AAOABw2wjnrenwKgMqQMDpcEAAAAARQAAMJ1NQAAgERTZwKgMqSOet6e4ZAG7ABzz8QABAAAhEqRCME1BM2doTDV4K0Zu"}
+00591{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":7,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":7,"flow_packets_processed":1,"flow_first_seen":1636901936083,"flow_last_seen":1636901936083,"flow_idle_time":120000,"flow_min_l4_payload_len":56,"flow_max_l4_payload_len":56,"flow_tot_l4_payload_len":56,"flow_avg_l4_payload_len":56,"midstream":0,"ts_msec":1636901936083,"l3_proto":"ip4","src_ip":"35.158.183.167","dst_ip":"192.168.12.169","l4_proto":"icmp","ndpi": {"proto":"ICMP.AmazonAWS","breed":"Acceptable","category":"Network"},"entropy":5.050556}
+00544{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":8,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_last_seen":1636901936087,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":126,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":126,"pkt_l4_len":92,"ts_msec":1636901936087,"pkt":"mt9Y+uvcCL6sCxduCABFAABwLztAAOARwqojnrenwKgMqQ2WuGQAXLAaAQEAQCESpEJjaDExN25ZQXk2MTAAIAAIAAEPY3w9RVEAAQAIAAEucV0v4ROAKwAIAAENliOet6eALAAIAAEAUCOet6eAIgAETm9uZYAoAATCHshI"}
+00494{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":7,"flow_packet_id":2,"flow_last_seen":1636901936087,"flow_idle_time":120000,"pkt_oversize":false,"pkt_caplen":90,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":90,"pkt_l4_len":56,"ts_msec":1636901936087,"pkt":"mt9Y+uvcCL6sCxduCABFAABMbq4AAOABw2sjnrenwKgMqQMDpcEAAAAARQAAMJ1QQAAdERfWwKgMqSOet6eaXgG7AByKqgABAAAhEqRCWmZiNGRVd21Ycno1"}
+00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":10,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":5,"flow_packet_id":2,"flow_last_seen":1636901936087,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":126,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":126,"pkt_l4_len":92,"ts_msec":1636901936087,"pkt":"mt9Y+uvcCL6sCxduCABFAABwLzxAAOMRv6kjnrenwKgMqQ2Wml4AXJaEAQEAQCESpEJkOSt6R0JMc3JIbisAIAAIAAEPYnw9RVEAAQAIAAEucF0v4ROAKwAIAAENliOet6eALAAIAAEAUCOet6eAIgAETm9uZYAoAAT07Zjq"}
+00471{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":11,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":5,"flow_packet_id":3,"flow_last_seen":1636901936120,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":70,"pkt_l4_len":36,"ts_msec":1636901936120,"pkt":"CL6sCxdumt9Y+uvcCABFAAA4nVJAAEAR9MvAqAypI563p5peDZYAJPVxAAMACCESpEI3Q1lCTmVMaEVzcmUAGQAEEQAAAA=="}
+00471{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":12,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_last_seen":1636901936135,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":70,"pkt_l4_len":36,"ts_msec":1636901936135,"pkt":"CL6sCxdumt9Y+uvcCABFAAA4nVNAAEAR9MrAqAypI563p7hkAbsAJNuCAAMACCESpEI0YTJQbEl4dk1TUisAGQAEEQAAAA=="}
+00471{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":13,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":6,"flow_packet_id":2,"flow_last_seen":1636901936135,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":70,"pkt_l4_len":36,"ts_msec":1636901936135,"pkt":"CL6sCxdumt9Y+uvcCABFAAA4nVRAAEAR9MnAqAypI563p5peAbsAJPWkAAMACCESpEJKS0hOWUJHNGV5VkoAGQAEEQAAAA=="}
+00604{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":14,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":5,"flow_packets_processed":4,"flow_first_seen":1636901936070,"flow_last_seen":1636901936138,"flow_idle_time":180000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":92,"flow_tot_l4_payload_len":224,"flow_avg_l4_payload_len":56,"midstream":0,"ts_msec":1636901936138,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"35.158.183.167","src_port":39518,"dst_port":3478,"l4_proto":"udp","ndpi": {"proto":"STUN.SignalVoip","breed":"Acceptable","category":"VoIP"}}
+00471{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":15,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_last_seen":1636901936144,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":70,"pkt_l4_len":36,"ts_msec":1636901936144,"pkt":"CL6sCxdumt9Y+uvcCABFAAA4nVVAAEAR9MjAqAypI563p7hkDZYAJNmuAAMACCESpEIwWE1VcCtxUS9rUlMAGQAEEQAAAA=="}
+00604{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":15,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":4,"flow_packets_processed":3,"flow_first_seen":1636901936070,"flow_last_seen":1636901936144,"flow_idle_time":180000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":84,"flow_tot_l4_payload_len":132,"flow_avg_l4_payload_len":44,"midstream":0,"ts_msec":1636901936144,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"35.158.183.167","src_port":47204,"dst_port":3478,"l4_proto":"udp","ndpi": {"proto":"STUN.SignalVoip","breed":"Acceptable","category":"VoIP"}}
+00507{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":17,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":7,"flow_packet_id":3,"flow_last_seen":1636901936150,"flow_idle_time":120000,"pkt_oversize":false,"pkt_caplen":98,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":98,"pkt_l4_len":64,"ts_msec":1636901936150,"pkt":"mt9Y+uvcCL6sCxduCABFAABUbrkAAOABw1gjnrenwKgMqQMDpckAAAAARQAAOJ1TQAAgERTLwKgMqSOet6e4ZAG7ACTbggADAAghEqRCNGEyUGxJeHZNU1IrABkABBEAAAA="}
+00459{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":23,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_last_seen":1636901936292,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"ts_msec":1636901936292,"pkt":"CL6sCxdumt9Y+uvcCABFAAAwdWhAAEAR0YbAqAyprP15f5peS2YAHHHgAAEAACESpEJTQ2RLNjF0alZXNms="}
+00662{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":23,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":1,"flow_packets_processed":2,"flow_first_seen":1636901936040,"flow_last_seen":1636901936292,"flow_idle_time":180000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":20,"flow_tot_l4_payload_len":40,"flow_avg_l4_payload_len":20,"midstream":0,"ts_msec":1636901936292,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"172.253.121.127","src_port":39518,"dst_port":19302,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"STUN.SignalVoip","breed":"Acceptable","category":"VoIP"}}
+00459{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":24,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_last_seen":1636901936292,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"ts_msec":1636901936292,"pkt":"CL6sCxdumt9Y+uvcCABFAAAwdWlAAEAR0YXAqAyprP15f7hkS2YAHGpqAAEAACESpEJ0a0VLMmtzWEZzMm8="}
+00459{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":25,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_last_seen":1636901936316,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"ts_msec":1636901936316,"pkt":"CL6sCxdumt9Y+uvcCABFAAAwnWJAAEAR9MPAqAypI563p7hkAbsAHPPxAAEAACESpEIwTUEzZ2hMNXgrRm4="}
+00459{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":26,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":6,"flow_packet_id":3,"flow_last_seen":1636901936320,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"ts_msec":1636901936320,"pkt":"CL6sCxdumt9Y+uvcCABFAAAwnWNAAEAR9MLAqAypI563p5peAbsAHIqqAAEAACESpEJaZmI0ZFV3bVhyejU="}
+00659{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":26,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":6,"flow_packets_processed":3,"flow_first_seen":1636901936070,"flow_last_seen":1636901936320,"flow_idle_time":180000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":28,"flow_tot_l4_payload_len":68,"flow_avg_l4_payload_len":22,"midstream":0,"ts_msec":1636901936320,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"35.158.183.167","src_port":39518,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"STUN.SignalVoip","breed":"Acceptable","category":"VoIP"}}
+00477{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":31,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_last_seen":1636901936411,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1636901936411,"pkt":"mt9Y+uvcCL6sCxduCABFgAA80K0AACYRz7Ws\/Xl\/wKgMqUtmml4AKJ+iAQEADCESpEJTQ2RLNjF0alZXNmsAIAAIAAEPYnw9RVE="}
+00477{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":32,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_last_seen":1636901936415,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1636901936415,"pkt":"mt9Y+uvcCL6sCxduCABFgAA8TlEAACURUxKs\/Xl\/wKgMqUtmuGQAKJgrAQEADCESpEJ0a0VLMmtzWEZzMm8AIAAIAAEPY3w9RVE="}
+00660{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":37,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":3,"flow_packets_processed":6,"flow_first_seen":1636901936065,"flow_last_seen":1636901936889,"flow_idle_time":180000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":28,"flow_tot_l4_payload_len":144,"flow_avg_l4_payload_len":24,"midstream":0,"ts_msec":1636901936889,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"35.158.183.167","src_port":47204,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"STUN.AmazonAWS","breed":"Acceptable","category":"Cloud"}}
+00562{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":56,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":8,"flow_packets_processed":1,"flow_first_seen":1636901956886,"flow_last_seen":1636901956886,"flow_idle_time":180000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":20,"flow_tot_l4_payload_len":20,"flow_avg_l4_payload_len":20,"midstream":0,"ts_msec":1636901956886,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"35.158.183.167","src_port":43068,"dst_port":3478,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00459{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":56,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":8,"flow_packet_id":1,"flow_last_seen":1636901956886,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"ts_msec":1636901956886,"pkt":"CL6sCxdumt9Y+uvcCABFAAAwnuBAAEAR80XAqAypI563p6g8DZYAHMrjAAEAACESpEJ3MXhZWGxMSlFtK2Q="}
+00603{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":56,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":8,"flow_packets_processed":1,"flow_first_seen":1636901956886,"flow_last_seen":1636901956886,"flow_idle_time":180000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":20,"flow_tot_l4_payload_len":20,"flow_avg_l4_payload_len":20,"midstream":0,"ts_msec":1636901956886,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"35.158.183.167","src_port":43068,"dst_port":3478,"l4_proto":"udp","ndpi": {"proto":"STUN.SignalVoip","breed":"Acceptable","category":"VoIP"}}
+00561{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":57,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":9,"flow_packets_processed":1,"flow_first_seen":1636901956899,"flow_last_seen":1636901956899,"flow_idle_time":180000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":20,"flow_tot_l4_payload_len":20,"flow_avg_l4_payload_len":20,"midstream":0,"ts_msec":1636901956899,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"35.158.183.167","src_port":43068,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00459{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":57,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":9,"flow_packet_id":1,"flow_last_seen":1636901956899,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"ts_msec":1636901956899,"pkt":"CL6sCxdumt9Y+uvcCABFAAAwnuFAAEAR80TAqAypI563p6g8AbsAHKfZAAEAACESpEJpNFFIaG51aVlxTjI="}
+00659{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":57,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":9,"flow_packets_processed":1,"flow_first_seen":1636901956899,"flow_last_seen":1636901956899,"flow_idle_time":180000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":20,"flow_tot_l4_payload_len":20,"flow_avg_l4_payload_len":20,"midstream":0,"ts_msec":1636901956899,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"35.158.183.167","src_port":43068,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"STUN.AmazonAWS","breed":"Acceptable","category":"Cloud"}}
+00565{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":58,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":10,"flow_packets_processed":1,"flow_first_seen":1636901956900,"flow_last_seen":1636901956900,"flow_idle_time":180000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":20,"flow_tot_l4_payload_len":20,"flow_avg_l4_payload_len":20,"midstream":0,"ts_msec":1636901956900,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"172.253.121.127","src_port":43068,"dst_port":19302,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00461{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":58,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":10,"flow_packet_id":1,"flow_last_seen":1636901956900,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"ts_msec":1636901956900,"pkt":"CL6sCxdumt9Y+uvcCABFAAAwevFAAEARy\/3AqAyprP15f6g8S2YAHDXLAAEAACESpEJuRGJFSkJreUFwVW4="}
+00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":59,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":8,"flow_packet_id":2,"flow_last_seen":1636901956903,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":126,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":126,"pkt_l4_len":92,"ts_msec":1636901956903,"pkt":"mt9Y+uvcCL6sCxduCABFAABwP61AAOARsjgjnrenwKgMqQ2WqDwAXIeiAQEAQCESpEJ3MXhZWGxMSlFtK2QAIAAIAAEPlHw9RVEAAQAIAAEuhl0v4ROAKwAIAAENliOet6eALAAIAAEAUCOet6eAIgAETm9uZYAoAARTHy4\/"}
+00565{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":61,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":11,"flow_packets_processed":1,"flow_first_seen":1636901956921,"flow_last_seen":1636901956921,"flow_idle_time":180000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":20,"flow_tot_l4_payload_len":20,"flow_avg_l4_payload_len":20,"midstream":0,"ts_msec":1636901956921,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"172.253.121.127","src_port":39950,"dst_port":19302,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00461{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":61,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":11,"flow_packet_id":1,"flow_last_seen":1636901956921,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"ts_msec":1636901956921,"pkt":"CL6sCxdumt9Y+uvcCABFAAAwevJAAEARy\/zAqAyprP15f5wOS2YAHEUhAAEAACESpEJOVFU1cXVJU2dZVFA="}
+00562{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":62,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":12,"flow_packets_processed":1,"flow_first_seen":1636901956929,"flow_last_seen":1636901956929,"flow_idle_time":180000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":20,"flow_tot_l4_payload_len":20,"flow_avg_l4_payload_len":20,"midstream":0,"ts_msec":1636901956929,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"35.158.183.167","src_port":39950,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00460{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":62,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":12,"flow_packet_id":1,"flow_last_seen":1636901956929,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"ts_msec":1636901956929,"pkt":"CL6sCxdumt9Y+uvcCABFAAAwnuJAAEAR80PAqAypI563p5wOAbsAHAwRAAEAACESpEJneHI1SHRPK0tqKzc="}
+00660{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":62,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":12,"flow_packets_processed":1,"flow_first_seen":1636901956929,"flow_last_seen":1636901956929,"flow_idle_time":180000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":20,"flow_tot_l4_payload_len":20,"flow_avg_l4_payload_len":20,"midstream":0,"ts_msec":1636901956929,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"35.158.183.167","src_port":39950,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"STUN.AmazonAWS","breed":"Acceptable","category":"Cloud"}}
+00563{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":63,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":13,"flow_packets_processed":1,"flow_first_seen":1636901956930,"flow_last_seen":1636901956930,"flow_idle_time":180000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":20,"flow_tot_l4_payload_len":20,"flow_avg_l4_payload_len":20,"midstream":0,"ts_msec":1636901956930,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"35.158.183.167","src_port":39950,"dst_port":3478,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00460{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":63,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":13,"flow_packet_id":1,"flow_last_seen":1636901956930,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"ts_msec":1636901956930,"pkt":"CL6sCxdumt9Y+uvcCABFAAAwnuNAAEAR80LAqAypI563p5wODZYAHNwWAAEAACESpEI1alVGbDBvdmFLRGs="}
+00604{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":63,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":13,"flow_packets_processed":1,"flow_first_seen":1636901956930,"flow_last_seen":1636901956930,"flow_idle_time":180000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":20,"flow_tot_l4_payload_len":20,"flow_avg_l4_payload_len":20,"midstream":0,"ts_msec":1636901956930,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"35.158.183.167","src_port":39950,"dst_port":3478,"l4_proto":"udp","ndpi": {"proto":"STUN.SignalVoip","breed":"Acceptable","category":"VoIP"}}
+00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":65,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":13,"flow_packet_id":2,"flow_last_seen":1636901956946,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":126,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":126,"pkt_l4_len":92,"ts_msec":1636901956946,"pkt":"mt9Y+uvcCL6sCxduCABFAABwP65AAOQRrjcjnrenwKgMqQ2WnA4AXORTAQEAQCESpEI1alVGbDBvdmFLRGsAIAAIAAEPlXw9RVEAAQAIAAEuh10v4ROAKwAIAAENliOet6eALAAIAAEAUCOet6eAIgAETm9uZYAoAAT10UAM"}
+00471{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":66,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":9,"flow_packet_id":2,"flow_last_seen":1636901956960,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":70,"pkt_l4_len":36,"ts_msec":1636901956960,"pkt":"CL6sCxdumt9Y+uvcCABFAAA4nuZAAEAR8zfAqAypI563p6g8AbsAJMHVAAMACCESpEJwYTVMazRiQkhvWTEAGQAEEQAAAA=="}
+00472{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":67,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":13,"flow_packet_id":3,"flow_last_seen":1636901956962,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":70,"pkt_l4_len":36,"ts_msec":1636901956962,"pkt":"CL6sCxdumt9Y+uvcCABFAAA4nudAAEAR8zbAqAypI563p5wODZYAJOqGAAMACCESpEJuWjVNSmNUejZrc3YAGQAEEQAAAA=="}
+00472{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":68,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":12,"flow_packet_id":2,"flow_last_seen":1636901956969,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":70,"pkt_l4_len":36,"ts_msec":1636901956969,"pkt":"CL6sCxdumt9Y+uvcCABFAAA4nuhAAEAR8zXAqAypI563p5wOAbsAJPaJAAMACCESpEIyY0FuemxRWWpFQmIAGQAEEQAAAA=="}
+00471{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":69,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":8,"flow_packet_id":3,"flow_last_seen":1636901956971,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":70,"pkt_l4_len":36,"ts_msec":1636901956971,"pkt":"CL6sCxdumt9Y+uvcCABFAAA4nulAAEAR8zTAqAypI563p6g8DZYAJNbdAAMACCESpEJQZE0rWTlGNXNyQ3EAGQAEEQAAAA=="}
+00459{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":78,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":9,"flow_packet_id":3,"flow_last_seen":1636901957149,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"ts_msec":1636901957149,"pkt":"CL6sCxdumt9Y+uvcCABFAAAwnvtAAEAR8yrAqAypI563p6g8AbsAHKfZAAEAACESpEJpNFFIaG51aVlxTjI="}
+00461{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":79,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":10,"flow_packet_id":2,"flow_last_seen":1636901957151,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"ts_msec":1636901957151,"pkt":"CL6sCxdumt9Y+uvcCABFAAAwevNAAEARy\/vAqAyprP15f6g8S2YAHDXLAAEAACESpEJuRGJFSkJreUFwVW4="}
+00461{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":81,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":11,"flow_packet_id":2,"flow_last_seen":1636901957172,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"ts_msec":1636901957172,"pkt":"CL6sCxdumt9Y+uvcCABFAAAwevRAAEARy\/rAqAyprP15f5wOS2YAHEUhAAEAACESpEJOVFU1cXVJU2dZVFA="}
+00460{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":82,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":12,"flow_packet_id":3,"flow_last_seen":1636901957180,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"ts_msec":1636901957180,"pkt":"CL6sCxdumt9Y+uvcCABFAAAwnvxAAEAR8ynAqAypI563p5wOAbsAHAwRAAEAACESpEJneHI1SHRPK0tqKzc="}
+00478{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":86,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":10,"flow_packet_id":3,"flow_last_seen":1636901957274,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1636901957274,"pkt":"mt9Y+uvcCL6sCxduCABFgAA86goAACYRtlis\/Xl\/wKgMqUtmqDwAKGNbAQEADCESpEJuRGJFSkJreUFwVW4AIAAIAAEPlHw9RVE="}
+00478{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":87,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":11,"flow_packet_id":3,"flow_last_seen":1636901957301,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1636901957301,"pkt":"mt9Y+uvcCL6sCxduCABFAAA8efYAACURJ+2s\/Xl\/wKgMqUtmnA4AKHKwAQEADCESpEJOVFU1cXVJU2dZVFAAIAAIAAEPlXw9RVE="}
+00564{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":96,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":14,"flow_packets_processed":1,"flow_first_seen":1636901958294,"flow_last_seen":1636901958294,"flow_idle_time":180000,"flow_min_l4_payload_len":96,"flow_max_l4_payload_len":96,"flow_tot_l4_payload_len":96,"flow_avg_l4_payload_len":96,"midstream":0,"ts_msec":1636901958294,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"18.195.131.143","src_port":43068,"dst_port":61156,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00566{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":96,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":14,"flow_packet_id":1,"flow_last_seen":1636901958294,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":138,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":138,"pkt_l4_len":104,"ts_msec":1636901958294,"pkt":"CL6sCxdumt9Y+uvcCABFAAB8azVAAEARa5jAqAypEsODj6g87uQAaP5FAAEATCESpEJyRHdyaGtEci8vOWUABgAJV0pzdTptTndxAAAAwFcABAADAAqAKgAIbYcgPZwg8UAAJAAEbn8e\/wAIABR\/b\/AcoEEqLjwzw3SbmvWontQU34AoAARPt0SR"}
+00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":100,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":14,"flow_packet_id":2,"flow_last_seen":1636901958378,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":106,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":106,"pkt_l4_len":72,"ts_msec":1636901958378,"pkt":"mt9Y+uvcCL6sCxduCABFSABcrnFAAAMRZTQSw4OPwKgMqe7kqDwASOO3AQEALCESpEJyRHdyaGtEci8vOWUAIAAIAAEPmHw9RVEACAAUZTe+q2TI1x26\/6LLBdUUDVZaZoOAKAAEsQfEQQ=="}
+00565{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":101,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":14,"flow_packet_id":3,"flow_last_seen":1636901958378,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":138,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":138,"pkt_l4_len":104,"ts_msec":1636901958378,"pkt":"mt9Y+uvcCL6sCxduCABFSAB8rnJAAAMRZRMSw4OPwKgMqe7kqDwAaODiAAEATCESpEJ2dFg5dWZIQUdCakMABgAJbU53cTpXSnN1AAAAwFcABAADA4SAKQAIQYCdgvFBqWUAJAAEbn8g\/wAIABSzQMYtF7YKfV2BCR2ZgRKFjKrZ7YAoAASRLc2k"}
+00656{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":101,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":14,"flow_packets_processed":3,"flow_first_seen":1636901958294,"flow_last_seen":1636901958378,"flow_idle_time":180000,"flow_min_l4_payload_len":64,"flow_max_l4_payload_len":96,"flow_tot_l4_payload_len":256,"flow_avg_l4_payload_len":85,"midstream":0,"ts_msec":1636901958378,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"18.195.131.143","src_port":43068,"dst_port":61156,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"STUN","breed":"Acceptable","category":"Network"}}
+00671{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":214,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":10,"flow_packets_processed":7,"flow_first_seen":1636901956900,"flow_last_seen":1636901967653,"flow_idle_time":180000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":32,"flow_tot_l4_payload_len":176,"flow_avg_l4_payload_len":25,"midstream":0,"ts_msec":1636901967653,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"172.253.121.127","src_port":43068,"dst_port":19302,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"STUN.GoogleHangoutDuo","breed":"Acceptable","category":"VoIP"}}
+00671{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":215,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":11,"flow_packets_processed":7,"flow_first_seen":1636901956921,"flow_last_seen":1636901967684,"flow_idle_time":180000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":32,"flow_tot_l4_payload_len":176,"flow_avg_l4_payload_len":25,"midstream":0,"ts_msec":1636901967684,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"172.253.121.127","src_port":39950,"dst_port":19302,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"STUN.GoogleHangoutDuo","breed":"Acceptable","category":"VoIP"}}
+00538{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":289,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":7,"flow_packets_processed":34,"flow_first_seen":1636901936083,"flow_last_seen":1636901987911,"flow_idle_time":120000,"flow_min_l4_payload_len":56,"flow_max_l4_payload_len":104,"flow_tot_l4_payload_len":2176,"flow_avg_l4_payload_len":64,"midstream":0,"ts_msec":1636901998588,"l3_proto":"ip4","src_ip":"35.158.183.167","dst_ip":"192.168.12.169","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3}
+00566{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":289,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":15,"flow_packets_processed":1,"flow_first_seen":1636901998588,"flow_last_seen":1636901998588,"flow_idle_time":180000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":20,"flow_tot_l4_payload_len":20,"flow_avg_l4_payload_len":20,"midstream":0,"ts_msec":1636901998588,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"172.253.121.127","src_port":47767,"dst_port":19302,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00461{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":289,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":15,"flow_packet_id":1,"flow_last_seen":1636901998588,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"ts_msec":1636901998588,"pkt":"CL6sCxdumt9Y+uvcCABFAAAwgdlAAEARxRXAqAyprP15f7qXS2YAHLUpAAEAACESpEJFRDdhYWpCejZ6NGY="}
+00670{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":289,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":15,"flow_packets_processed":1,"flow_first_seen":1636901998588,"flow_last_seen":1636901998588,"flow_idle_time":180000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":20,"flow_tot_l4_payload_len":20,"flow_avg_l4_payload_len":20,"midstream":0,"ts_msec":1636901998588,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"172.253.121.127","src_port":47767,"dst_port":19302,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"STUN.GoogleHangoutDuo","breed":"Acceptable","category":"VoIP"}}
+00566{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":290,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":16,"flow_packets_processed":1,"flow_first_seen":1636901998589,"flow_last_seen":1636901998589,"flow_idle_time":180000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":20,"flow_tot_l4_payload_len":20,"flow_avg_l4_payload_len":20,"midstream":0,"ts_msec":1636901998589,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"172.253.121.127","src_port":37970,"dst_port":19302,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00461{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":290,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":16,"flow_packet_id":1,"flow_last_seen":1636901998589,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"ts_msec":1636901998589,"pkt":"CL6sCxdumt9Y+uvcCABFAAAwgdpAAEARxRTAqAyprP15f5RSS2YAHI3jAAEAACESpEJHZko4WW5Ca1ZEVTk="}
+00670{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":290,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":16,"flow_packets_processed":1,"flow_first_seen":1636901998589,"flow_last_seen":1636901998589,"flow_idle_time":180000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":20,"flow_tot_l4_payload_len":20,"flow_avg_l4_payload_len":20,"midstream":0,"ts_msec":1636901998589,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"172.253.121.127","src_port":37970,"dst_port":19302,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"STUN.GoogleHangoutDuo","breed":"Acceptable","category":"VoIP"}}
+00563{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":291,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":17,"flow_packets_processed":1,"flow_first_seen":1636901998637,"flow_last_seen":1636901998637,"flow_idle_time":180000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":20,"flow_tot_l4_payload_len":20,"flow_avg_l4_payload_len":20,"midstream":0,"ts_msec":1636901998637,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"35.158.122.211","src_port":47767,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00461{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":291,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":17,"flow_packet_id":1,"flow_last_seen":1636901998637,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"ts_msec":1636901998637,"pkt":"CL6sCxdumt9Y+uvcCABFAAAw3EdAAEAR8rLAqAypI55607qXAbsAHB+DAAEAACESpEJDTUpIUUxOenE3VDQ="}
+00563{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":292,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":18,"flow_packets_processed":1,"flow_first_seen":1636901998637,"flow_last_seen":1636901998637,"flow_idle_time":180000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":20,"flow_tot_l4_payload_len":20,"flow_avg_l4_payload_len":20,"midstream":0,"ts_msec":1636901998637,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"35.158.122.211","src_port":37970,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00461{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":292,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":18,"flow_packet_id":1,"flow_last_seen":1636901998637,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"ts_msec":1636901998637,"pkt":"CL6sCxdumt9Y+uvcCABFAAAw3EhAAEAR8rHAqAypI55605RSAbsAHCWMAAEAACESpEJWNWJyYWFIV0I5bmo="}
+00473{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":293,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":17,"flow_packet_id":2,"flow_last_seen":1636901998642,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":70,"pkt_l4_len":36,"ts_msec":1636901998642,"pkt":"CL6sCxdumt9Y+uvcCABFAAA43ElAAEAR8qjAqAypI55607qXAbsAJIeGAAMACCESpEJ0b3RZc3QzdHNudm0AGQAEEQAAAA=="}
+00564{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":294,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":19,"flow_packets_processed":1,"flow_first_seen":1636901998644,"flow_last_seen":1636901998644,"flow_idle_time":180000,"flow_min_l4_payload_len":28,"flow_max_l4_payload_len":28,"flow_tot_l4_payload_len":28,"flow_avg_l4_payload_len":28,"midstream":0,"ts_msec":1636901998644,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"35.158.122.211","src_port":47767,"dst_port":3478,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00473{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":294,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":19,"flow_packet_id":1,"flow_last_seen":1636901998644,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":70,"pkt_l4_len":36,"ts_msec":1636901998644,"pkt":"CL6sCxdumt9Y+uvcCABFAAA43EpAAEAR8qfAqAypI55607qXDZYAJM8KAAMACCESpEJRck1mY3NySEUrbG4AGQAEEQAAAA=="}
+00564{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":295,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":20,"flow_packets_processed":1,"flow_first_seen":1636901998644,"flow_last_seen":1636901998644,"flow_idle_time":180000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":20,"flow_tot_l4_payload_len":20,"flow_avg_l4_payload_len":20,"midstream":0,"ts_msec":1636901998644,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"35.158.122.211","src_port":37970,"dst_port":3478,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00461{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":295,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":20,"flow_packet_id":1,"flow_last_seen":1636901998644,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"ts_msec":1636901998644,"pkt":"CL6sCxdumt9Y+uvcCABFAAAw3EtAAEAR8q7AqAypI55605RSDZYAHOlfAAEAACESpEJTRld4cWpibUxkeFo="}
+00461{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":296,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":19,"flow_packet_id":2,"flow_last_seen":1636901998645,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"ts_msec":1636901998645,"pkt":"CL6sCxdumt9Y+uvcCABFAAAw3ExAAEAR8q3AqAypI55607qXDZYAHAfgAAEAACESpEJsR1ZDTTdDN1dMVEo="}
+00473{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":297,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":20,"flow_packet_id":2,"flow_last_seen":1636901998654,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":70,"pkt_l4_len":36,"ts_msec":1636901998654,"pkt":"CL6sCxdumt9Y+uvcCABFAAA43E1AAEAR8qTAqAypI55605RSDZYAJBd3AAMACCESpEJOTG9MWFNjWDdLU3cAGQAEEQAAAA=="}
+00532{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":298,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":21,"flow_packets_processed":1,"flow_first_seen":1636901998654,"flow_last_seen":1636901998654,"flow_idle_time":120000,"flow_min_l4_payload_len":56,"flow_max_l4_payload_len":56,"flow_tot_l4_payload_len":56,"flow_avg_l4_payload_len":56,"midstream":0,"ts_msec":1636901998654,"l3_proto":"ip4","src_ip":"35.158.122.211","dst_ip":"192.168.12.169","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3}
+00497{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":298,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":21,"flow_packet_id":1,"flow_last_seen":1636901998654,"flow_idle_time":120000,"pkt_oversize":false,"pkt_caplen":90,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":90,"pkt_l4_len":56,"ts_msec":1636901998654,"pkt":"mt9Y+uvcCL6sCxduCABFAABMVVMAAOMBFpsjnnrTwKgMqQMDaO0AAAAARQAAMNxHQAAgERKzwKgMqSOeetO6lwG7ABwfgwABAAAhEqRCQ01KSFFMTnpxN1Q0"}
+00594{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":298,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":21,"flow_packets_processed":1,"flow_first_seen":1636901998654,"flow_last_seen":1636901998654,"flow_idle_time":120000,"flow_min_l4_payload_len":56,"flow_max_l4_payload_len":56,"flow_tot_l4_payload_len":56,"flow_avg_l4_payload_len":56,"midstream":0,"ts_msec":1636901998654,"l3_proto":"ip4","src_ip":"35.158.122.211","dst_ip":"192.168.12.169","l4_proto":"icmp","ndpi": {"proto":"ICMP.AmazonAWS","breed":"Acceptable","category":"Network"},"entropy":5.050556}
+00497{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":299,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":21,"flow_packet_id":2,"flow_last_seen":1636901998654,"flow_idle_time":120000,"pkt_oversize":false,"pkt_caplen":90,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":90,"pkt_l4_len":56,"ts_msec":1636901998654,"pkt":"mt9Y+uvcCL6sCxduCABFAABMVVQAAOMBFpojnnrTwKgMqQMDaO0AAAAARQAAMNxIQAAgERKywKgMqSOeetOUUgG7ABwljAABAAAhEqRCVjVicmFhSFdCOW5q"}
+00509{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":300,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":21,"flow_packet_id":3,"flow_last_seen":1636901998657,"flow_idle_time":120000,"pkt_oversize":false,"pkt_caplen":98,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":98,"pkt_l4_len":64,"ts_msec":1636901998657,"pkt":"mt9Y+uvcCL6sCxduCABFAABUVVUAAOMBFpEjnnrTwKgMqQMDaPUAAAAARQAAONxJQAAgERKpwKgMqSOeetO6lwG7ACSHhgADAAghEqRCdG90WXN0M3RzbnZtABkABBEAAAA="}
+00560{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":301,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":19,"flow_packet_id":3,"flow_last_seen":1636901998660,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":134,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":134,"pkt_l4_len":100,"ts_msec":1636901998660,"pkt":"mt9Y+uvcCL6sCxduCABFIAB49klAAOMRNUgjnnrTwKgMqQ2WupcAZEK5ARMASCESpEJRck1mY3NySEUrbG4ACQAQAAAEAVVuYXV0aG9yaXplZAAVABA0YTlmNTljZmZlODk0NGE5ABQACnNpZ25hbC5vcmcAAIAiAAROb25lgCgABLOFpWg="}
+00606{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":301,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":19,"flow_packets_processed":3,"flow_first_seen":1636901998644,"flow_last_seen":1636901998660,"flow_idle_time":180000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":92,"flow_tot_l4_payload_len":140,"flow_avg_l4_payload_len":46,"midstream":0,"ts_msec":1636901998660,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"35.158.122.211","src_port":47767,"dst_port":3478,"l4_proto":"udp","ndpi": {"proto":"STUN.SignalVoip","breed":"Acceptable","category":"VoIP"}}
+00547{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":302,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":20,"flow_packet_id":3,"flow_last_seen":1636901998660,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":126,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":126,"pkt_l4_len":92,"ts_msec":1636901998660,"pkt":"mt9Y+uvcCL6sCxduCABFIABw9kpAAOQRNE8jnnrTwKgMqQ2WlFIAXFMAAQEAQCESpEJTRld4cWpibUxkeFoAIAAIAAEPi3w9RVEAAQAIAAEumV0v4ROAKwAIAAENliOeetOALAAIAAEAUCOeetOAIgAETm9uZYAoAASDCssQ"}
+00606{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":302,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":20,"flow_packets_processed":3,"flow_first_seen":1636901998644,"flow_last_seen":1636901998660,"flow_idle_time":180000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":84,"flow_tot_l4_payload_len":132,"flow_avg_l4_payload_len":44,"midstream":0,"ts_msec":1636901998660,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"35.158.122.211","src_port":37970,"dst_port":3478,"l4_proto":"udp","ndpi": {"proto":"STUN.SignalVoip","breed":"Acceptable","category":"VoIP"}}
+00473{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":305,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":18,"flow_packet_id":2,"flow_last_seen":1636901998663,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":70,"pkt_l4_len":36,"ts_msec":1636901998663,"pkt":"CL6sCxdumt9Y+uvcCABFAAA43E9AAEAR8qLAqAypI55605RSAbsAJLdQAAMACCESpEJxcXQycnUyTXoya28AGQAEEQAAAA=="}
+00461{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":311,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":15,"flow_packet_id":2,"flow_last_seen":1636901998865,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"ts_msec":1636901998865,"pkt":"CL6sCxdumt9Y+uvcCABFAAAwgexAAEARxQLAqAyprP15f7qXS2YAHLUpAAEAACESpEJFRDdhYWpCejZ6NGY="}
+00461{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":312,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":16,"flow_packet_id":2,"flow_last_seen":1636901998865,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"ts_msec":1636901998865,"pkt":"CL6sCxdumt9Y+uvcCABFAAAwge1AAEARxQHAqAyprP15f5RSS2YAHI3jAAEAACESpEJHZko4WW5Ca1ZEVTk="}
+00461{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":313,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":17,"flow_packet_id":3,"flow_last_seen":1636901998885,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"ts_msec":1636901998885,"pkt":"CL6sCxdumt9Y+uvcCABFAAAw3FdAAEAR8qLAqAypI55607qXAbsAHB+DAAEAACESpEJDTUpIUUxOenE3VDQ="}
+00661{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":313,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":17,"flow_packets_processed":3,"flow_first_seen":1636901998637,"flow_last_seen":1636901998885,"flow_idle_time":180000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":28,"flow_tot_l4_payload_len":68,"flow_avg_l4_payload_len":22,"midstream":0,"ts_msec":1636901998885,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"35.158.122.211","src_port":47767,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"STUN.SignalVoip","breed":"Acceptable","category":"VoIP"}}
+00461{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":314,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":18,"flow_packet_id":3,"flow_last_seen":1636901998885,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"ts_msec":1636901998885,"pkt":"CL6sCxdumt9Y+uvcCABFAAAw3FhAAEAR8qHAqAypI55605RSAbsAHCWMAAEAACESpEJWNWJyYWFIV0I5bmo="}
+00479{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":319,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":16,"flow_packet_id":3,"flow_last_seen":1636901998967,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1636901998967,"pkt":"mt9Y+uvcCL6sCxduCABFAAA8uXcAACUR6Gus\/Xl\/wKgMqUtmlFIAKLt8AQEADCESpEJHZko4WW5Ca1ZEVTkAIAAIAAEPi3w9RVE="}
+00479{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":320,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":15,"flow_packet_id":3,"flow_last_seen":1636901998967,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1636901998967,"pkt":"mt9Y+uvcCL6sCxduCABFgAA8OUIAACYRZyGs\/Xl\/wKgMqUtmupcAKOLDAQEADCESpEJFRDdhYWpCejZ6NGYAIAAIAAEPinw9RVE="}
+00662{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":326,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":18,"flow_packets_processed":6,"flow_first_seen":1636901998637,"flow_last_seen":1636901999417,"flow_idle_time":180000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":28,"flow_tot_l4_payload_len":144,"flow_avg_l4_payload_len":24,"midstream":0,"ts_msec":1636901999417,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"35.158.122.211","src_port":37970,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"STUN.AmazonAWS","breed":"Acceptable","category":"Cloud"}}
+00565{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":329,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":22,"flow_packets_processed":1,"flow_first_seen":1636902000024,"flow_last_seen":1636902000024,"flow_idle_time":180000,"flow_min_l4_payload_len":96,"flow_max_l4_payload_len":96,"flow_tot_l4_payload_len":96,"flow_avg_l4_payload_len":96,"midstream":0,"ts_msec":1636902000024,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"18.195.131.143","src_port":47767,"dst_port":54054,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00569{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":329,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":22,"flow_packet_id":1,"flow_last_seen":1636902000024,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":138,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":138,"pkt_l4_len":104,"ts_msec":1636902000024,"pkt":"CL6sCxdumt9Y+uvcCABFAAB8d+5AAEARXt\/AqAypEsODj7qX0yYAaAl7AAEATCESpEJCeElWSlVyQXpFMWUABgAJMUVaczo3a3NzAAAAwFcABAADAAqAKgAINhoW4DAHa9AAJAAEbn8e\/wAIABTJ3jNA\/lTtI\/cIgWHSZfc\/Jdi3xoAoAAQAuGXB"}
+00663{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":329,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":22,"flow_packets_processed":1,"flow_first_seen":1636902000024,"flow_last_seen":1636902000024,"flow_idle_time":180000,"flow_min_l4_payload_len":96,"flow_max_l4_payload_len":96,"flow_tot_l4_payload_len":96,"flow_avg_l4_payload_len":96,"midstream":0,"ts_msec":1636902000024,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"18.195.131.143","src_port":47767,"dst_port":54054,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"STUN.SignalVoip","breed":"Acceptable","category":"VoIP"}}
+00565{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":344,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":23,"flow_packets_processed":1,"flow_first_seen":1636902000073,"flow_last_seen":1636902000073,"flow_idle_time":180000,"flow_min_l4_payload_len":96,"flow_max_l4_payload_len":96,"flow_tot_l4_payload_len":96,"flow_avg_l4_payload_len":96,"midstream":0,"ts_msec":1636902000073,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"18.195.131.143","src_port":47767,"dst_port":61498,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00566{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":344,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":23,"flow_packet_id":1,"flow_last_seen":1636902000073,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":138,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":138,"pkt_l4_len":104,"ts_msec":1636902000073,"pkt":"CL6sCxdumt9Y+uvcCABFAAB8d\/NAAEARXtrAqAypEsODj7qX8DoAaE2WAAEATCESpEI3OHB2NXh3VHhSY2IABgAJMUVaczo3a3NzAAAAwFcABAADAAqAKgAINhoW4DAHa9AAJAAEbn8e\/wAIABQCGGRp5dlaWaRPyMCnCJTZLYHOaoAoAATw85Tp"}
+00663{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":344,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":23,"flow_packets_processed":1,"flow_first_seen":1636902000073,"flow_last_seen":1636902000073,"flow_idle_time":180000,"flow_min_l4_payload_len":96,"flow_max_l4_payload_len":96,"flow_tot_l4_payload_len":96,"flow_avg_l4_payload_len":96,"midstream":0,"ts_msec":1636902000073,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"18.195.131.143","src_port":47767,"dst_port":61498,"l4_proto":"udp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port"},"proto":"STUN.SignalVoip","breed":"Acceptable","category":"VoIP"}}
+00523{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":345,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":22,"flow_packet_id":2,"flow_last_seen":1636902000102,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":106,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":106,"pkt_l4_len":72,"ts_msec":1636902000102,"pkt":"mt9Y+uvcCL6sCxduCABFSABcw7JAAAYRTPMSw4OPwKgMqdMmupcASMDpAQEALCESpEJCeElWSlVyQXpFMWUAIAAIAAEPinw9RVEACAAUIB3cDwXbxtjdDKqyJ3Jq4xtLsfaAKAAEpnvqQg=="}
+00565{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":346,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":22,"flow_packet_id":3,"flow_last_seen":1636902000107,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":138,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":138,"pkt_l4_len":104,"ts_msec":1636902000107,"pkt":"mt9Y+uvcCL6sCxduCABFSAB8w7NAAAYRTNISw4OPwKgMqdMmupcAaK01AAEATCESpEJBbDNpSTF1eStSR1UABgAJN2tzczoxRVpzAAAAwFcABAAAA+eAKQAIiflXHs5q0dMAJAAEbgAg\/wAIABQSmjpLVWLcQ98KImy+h9G3RC6S1IAoAATBitk4"}
+00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":349,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":23,"flow_packet_id":2,"flow_last_seen":1636902000142,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":106,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":106,"pkt_l4_len":72,"ts_msec":1636902000142,"pkt":"mt9Y+uvcCL6sCxduCABFAABcw7ZAAAYRTTcSw4OPwKgMqfA6upcASKsWAQEALCESpEI3OHB2NXh3VHhSY2IAIAAIAAEPjnw9RVEACAAUJEyhW79\/NO7EtgfmN47ncd2\/SCyAKAAE6dNIHg=="}
+00565{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":350,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":23,"flow_packet_id":3,"flow_last_seen":1636902000142,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":138,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":138,"pkt_l4_len":104,"ts_msec":1636902000142,"pkt":"mt9Y+uvcCL6sCxduCABFAAB8w7dAAAYRTRYSw4OPwKgMqfA6upcAaP5PAAEATCESpEIwbFM2UjdmdjFzOTMABgAJN2tzczoxRVpzAAAAwFcABAADA4SAKQAIiflXHs5q0dMAJAAEbn8g\/wAIABT+u0FmMYg2qxKb1bY78Qe06uM1KoAoAAQrkPMA"}
+00569{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":460,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":13,"flow_packets_processed":22,"flow_first_seen":1636901956930,"flow_last_seen":1636901987908,"flow_idle_time":180000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":120,"flow_tot_l4_payload_len":1648,"flow_avg_l4_payload_len":74,"midstream":0,"ts_msec":1636902021384,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"35.158.183.167","src_port":39950,"dst_port":3478,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00569{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":460,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":20,"flow_packets_processed":20,"flow_first_seen":1636901998644,"flow_last_seen":1636902021381,"flow_idle_time":180000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":116,"flow_tot_l4_payload_len":1520,"flow_avg_l4_payload_len":76,"midstream":0,"ts_msec":1636902021384,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"35.158.122.211","src_port":37970,"dst_port":3478,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00565{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":460,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":9,"flow_packets_processed":16,"flow_first_seen":1636901956899,"flow_last_seen":1636901980718,"flow_idle_time":180000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":28,"flow_tot_l4_payload_len":384,"flow_avg_l4_payload_len":24,"midstream":0,"ts_msec":1636902021384,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"35.158.183.167","src_port":43068,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00565{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":460,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":3,"flow_packets_processed":10,"flow_first_seen":1636901936065,"flow_last_seen":1636901939886,"flow_idle_time":180000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":28,"flow_tot_l4_payload_len":240,"flow_avg_l4_payload_len":24,"midstream":0,"ts_msec":1636902021384,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"35.158.183.167","src_port":47204,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00568{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":460,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":22,"flow_packets_processed":6,"flow_first_seen":1636902000024,"flow_last_seen":1636902000208,"flow_idle_time":180000,"flow_min_l4_payload_len":64,"flow_max_l4_payload_len":104,"flow_tot_l4_payload_len":488,"flow_avg_l4_payload_len":81,"midstream":0,"ts_msec":1636902021384,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"18.195.131.143","src_port":47767,"dst_port":54054,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00569{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":460,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":10,"flow_packets_processed":12,"flow_first_seen":1636901956900,"flow_last_seen":1636901978278,"flow_idle_time":180000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":32,"flow_tot_l4_payload_len":312,"flow_avg_l4_payload_len":26,"midstream":0,"ts_msec":1636902021384,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"172.253.121.127","src_port":43068,"dst_port":19302,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00612{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":460,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":2,"flow_packets_processed":4,"flow_first_seen":1636901936040,"flow_last_seen":1636901936667,"flow_idle_time":180000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":32,"flow_tot_l4_payload_len":104,"flow_avg_l4_payload_len":26,"midstream":0,"ts_msec":1636902021384,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"172.253.121.127","src_port":47204,"dst_port":19302,"l4_proto":"udp","ndpi": {"proto":"STUN.GoogleHangoutDuo","breed":"Acceptable","category":"VoIP"}}
+00567{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":460,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":2,"flow_packets_processed":4,"flow_first_seen":1636901936040,"flow_last_seen":1636901936667,"flow_idle_time":180000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":32,"flow_tot_l4_payload_len":104,"flow_avg_l4_payload_len":26,"midstream":0,"ts_msec":1636902021384,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"172.253.121.127","src_port":47204,"dst_port":19302,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00571{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":460,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":14,"flow_packets_processed":106,"flow_first_seen":1636901958294,"flow_last_seen":1636901970409,"flow_idle_time":180000,"flow_min_l4_payload_len":28,"flow_max_l4_payload_len":264,"flow_tot_l4_payload_len":7870,"flow_avg_l4_payload_len":74,"midstream":0,"ts_msec":1636902021384,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"18.195.131.143","src_port":43068,"dst_port":61156,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00565{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":460,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":6,"flow_packets_processed":10,"flow_first_seen":1636901936070,"flow_last_seen":1636901939887,"flow_idle_time":180000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":28,"flow_tot_l4_payload_len":240,"flow_avg_l4_payload_len":24,"midstream":0,"ts_msec":1636902021384,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"35.158.183.167","src_port":39518,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00566{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":460,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":17,"flow_packets_processed":14,"flow_first_seen":1636901998637,"flow_last_seen":1636902014416,"flow_idle_time":180000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":28,"flow_tot_l4_payload_len":336,"flow_avg_l4_payload_len":24,"midstream":0,"ts_msec":1636902021384,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"35.158.122.211","src_port":47767,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00567{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":460,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":1,"flow_packets_processed":4,"flow_first_seen":1636901936040,"flow_last_seen":1636901936663,"flow_idle_time":180000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":32,"flow_tot_l4_payload_len":104,"flow_avg_l4_payload_len":26,"midstream":0,"ts_msec":1636902021384,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"172.253.121.127","src_port":39518,"dst_port":19302,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00569{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":460,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":15,"flow_packets_processed":12,"flow_first_seen":1636901998588,"flow_last_seen":1636902019979,"flow_idle_time":180000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":32,"flow_tot_l4_payload_len":312,"flow_avg_l4_payload_len":26,"midstream":0,"ts_msec":1636902021384,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"172.253.121.127","src_port":47767,"dst_port":19302,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00566{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":460,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":12,"flow_packets_processed":16,"flow_first_seen":1636901956929,"flow_last_seen":1636901980724,"flow_idle_time":180000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":28,"flow_tot_l4_payload_len":384,"flow_avg_l4_payload_len":24,"midstream":0,"ts_msec":1636902021384,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"35.158.183.167","src_port":39950,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00568{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":460,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":8,"flow_packets_processed":26,"flow_first_seen":1636901956886,"flow_last_seen":1636901987907,"flow_idle_time":180000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":148,"flow_tot_l4_payload_len":2144,"flow_avg_l4_payload_len":82,"midstream":0,"ts_msec":1636902021384,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"35.158.183.167","src_port":43068,"dst_port":3478,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00566{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":460,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":4,"flow_packets_processed":8,"flow_first_seen":1636901936070,"flow_last_seen":1636901940923,"flow_idle_time":180000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":116,"flow_tot_l4_payload_len":616,"flow_avg_l4_payload_len":77,"midstream":0,"ts_msec":1636902021384,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"35.158.183.167","src_port":47204,"dst_port":3478,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00566{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":460,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":18,"flow_packets_processed":14,"flow_first_seen":1636901998637,"flow_last_seen":1636902014417,"flow_idle_time":180000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":28,"flow_tot_l4_payload_len":336,"flow_avg_l4_payload_len":24,"midstream":0,"ts_msec":1636902021384,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"35.158.122.211","src_port":37970,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00569{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":460,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":11,"flow_packets_processed":12,"flow_first_seen":1636901956921,"flow_last_seen":1636901978319,"flow_idle_time":180000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":32,"flow_tot_l4_payload_len":312,"flow_avg_l4_payload_len":26,"midstream":0,"ts_msec":1636902021384,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"172.253.121.127","src_port":39950,"dst_port":19302,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00569{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":460,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":16,"flow_packets_processed":12,"flow_first_seen":1636901998589,"flow_last_seen":1636902019976,"flow_idle_time":180000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":32,"flow_tot_l4_payload_len":312,"flow_avg_l4_payload_len":26,"midstream":0,"ts_msec":1636902021384,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"172.253.121.127","src_port":37970,"dst_port":19302,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00571{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":460,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":23,"flow_packets_processed":53,"flow_first_seen":1636902000073,"flow_last_seen":1636902002742,"flow_idle_time":180000,"flow_min_l4_payload_len":28,"flow_max_l4_payload_len":264,"flow_tot_l4_payload_len":6170,"flow_avg_l4_payload_len":116,"midstream":0,"ts_msec":1636902021384,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"18.195.131.143","src_port":47767,"dst_port":61498,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00537{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":460,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":21,"flow_packets_processed":19,"flow_first_seen":1636901998654,"flow_last_seen":1636902021384,"flow_idle_time":120000,"flow_min_l4_payload_len":56,"flow_max_l4_payload_len":104,"flow_tot_l4_payload_len":1208,"flow_avg_l4_payload_len":63,"midstream":0,"ts_msec":1636902021384,"l3_proto":"ip4","src_ip":"35.158.122.211","dst_ip":"192.168.12.169","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3}
+00536{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":460,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":7,"flow_packets_processed":34,"flow_first_seen":1636901936083,"flow_last_seen":1636901987911,"flow_idle_time":120000,"flow_min_l4_payload_len":56,"flow_max_l4_payload_len":104,"flow_tot_l4_payload_len":2176,"flow_avg_l4_payload_len":64,"midstream":0,"ts_msec":1636902021384,"l3_proto":"ip4","src_ip":"35.158.183.167","dst_ip":"192.168.12.169","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3}
+00566{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":460,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":5,"flow_packets_processed":8,"flow_first_seen":1636901936070,"flow_last_seen":1636901940923,"flow_idle_time":180000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":116,"flow_tot_l4_payload_len":616,"flow_avg_l4_payload_len":77,"midstream":0,"ts_msec":1636902021384,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"35.158.183.167","src_port":39518,"dst_port":3478,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00569{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":460,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":19,"flow_packets_processed":22,"flow_first_seen":1636901998644,"flow_last_seen":1636902021381,"flow_idle_time":180000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":148,"flow_tot_l4_payload_len":1768,"flow_avg_l4_payload_len":80,"midstream":0,"ts_msec":1636902021384,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"35.158.122.211","src_port":47767,"dst_port":3478,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00164{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":460,"source":"stun_signal.pcapng","alias":"nDPId-test","total-events-serialized":141}
+~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
+~~ packets captured/processed: 460/460
+~~ skipped flows.............: 0
+~~ total layer4 data length..: 29600 bytes
+~~ total detected protocols..: 22
+~~ total active/idle flows...: 23/23
+~~ total timeout flows.......: 0
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~ total memory allocated....: 4638211 bytes
+~~ total memory freed........: 4638211 bytes
+~~ total allocations/frees...: 100062/100062
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~ json string min len.......: 169 chars
+~~ json string max len.......: 676 chars
+~~ json string avg len.......: 493 chars
diff --git a/test/results/synscan.pcap.out b/test/results/synscan.pcap.out
index f0d61d944..7f9f41ebf 100644
--- a/test/results/synscan.pcap.out
+++ b/test/results/synscan.pcap.out
@@ -4000,11 +4000,11 @@
00455{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2004,"source":"synscan.pcap","alias":"nDPId-test","flow_id":1993,"flow_packet_id":1,"flow_last_seen":1278275061416,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":58,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":58,"pkt_l4_len":24,"ts_msec":1278275061416,"pkt":"ACYLMQczACWzv5HuCABFAAAsALEAADsGDMKsEAAIQA2GNIzTE4rdU4MZAAAAAGACEAAVAgAAAgQFtA=="}
00552{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2005,"source":"synscan.pcap","alias":"nDPId-test","flow_id":1994,"flow_packets_processed":1,"flow_first_seen":1278275061416,"flow_last_seen":1278275061416,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275061416,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36051,"dst_port":4998,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00455{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2005,"source":"synscan.pcap","alias":"nDPId-test","flow_id":1994,"flow_packet_id":1,"flow_last_seen":1278275061416,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":58,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":58,"pkt_l4_len":24,"ts_msec":1278275061416,"pkt":"ACYLMQczACWzv5HuCABFAAAs5sAAACYGO7KsEAAIQA2GNIzTE4bdU4MZAAAAAGACDAAZBgAAAgQFtA=="}
-00586{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":15,"flow_packets_processed":1,"flow_first_seen":1278275056466,"flow_last_seen":1278275056466,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36050,"dst_port":3389,"l4_proto":"tcp","ndpi": {"proto":"RDP","breed":"Acceptable","category":"RemoteAccess"}}
+00638{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":15,"flow_packets_processed":1,"flow_first_seen":1278275056466,"flow_last_seen":1278275056466,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36050,"dst_port":3389,"l4_proto":"tcp","ndpi": {"flow_risk": {"30":"Desktop\/File Sharing Session"},"proto":"RDP","breed":"Acceptable","category":"RemoteAccess"}}
00551{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":15,"flow_packets_processed":1,"flow_first_seen":1278275056466,"flow_last_seen":1278275056466,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36050,"dst_port":3389,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00567{"flow_event_id":8,"flow_event_name":"not-detected","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":716,"flow_packets_processed":1,"flow_first_seen":1278275059626,"flow_last_seen":1278275059626,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36050,"dst_port":3390,"l4_proto":"tcp","ndpi": {"proto":"Unknown","breed":"Unrated"}}
00552{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":716,"flow_packets_processed":1,"flow_first_seen":1278275059626,"flow_last_seen":1278275059626,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36050,"dst_port":3390,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
-00586{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":18,"flow_packets_processed":1,"flow_first_seen":1278275057477,"flow_last_seen":1278275057477,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36051,"dst_port":3389,"l4_proto":"tcp","ndpi": {"proto":"RDP","breed":"Acceptable","category":"RemoteAccess"}}
+00638{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":18,"flow_packets_processed":1,"flow_first_seen":1278275057477,"flow_last_seen":1278275057477,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36051,"dst_port":3389,"l4_proto":"tcp","ndpi": {"flow_risk": {"30":"Desktop\/File Sharing Session"},"proto":"RDP","breed":"Acceptable","category":"RemoteAccess"}}
00551{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":18,"flow_packets_processed":1,"flow_first_seen":1278275057477,"flow_last_seen":1278275057477,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36051,"dst_port":3389,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00568{"flow_event_id":8,"flow_event_name":"not-detected","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":1633,"flow_packets_processed":1,"flow_first_seen":1278275060903,"flow_last_seen":1278275060903,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36050,"dst_port":9535,"l4_proto":"tcp","ndpi": {"proto":"Unknown","breed":"Unrated"}}
00553{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":1633,"flow_packets_processed":1,"flow_first_seen":1278275060903,"flow_last_seen":1278275060903,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36050,"dst_port":9535,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
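Review bot: The regenerated expectation for the two `guessed` RDP events (flow_id 15 and 18) now pins `"flow_risk": {"30":"Desktop\/File Sharing Session"}` on flows that show `"flow_packets_processed":1` and `"flow_tot_l4_payload_len":0`, so the risk is asserted for a single payload-less probe where no session was observed. The same applies to the `"22":"Unsafe Protocol"` entries added in the later hunks of this file (FTP_CONTROL, Telnet, POP3). Presumably the risk follows from the port-based guess rather than from payload inspection; if that is intended, consumers that alert on `flow_risk` need it stated where the field is documented, for example `flow_risk on a "guessed" event is derived from the guessed protocol only and carries no payload evidence`. This file is regenerated test output, so any change belongs in the serializer or its documentation rather than in this fixture.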
@@ -5528,15 +5528,15 @@
00553{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":1724,"flow_packets_processed":1,"flow_first_seen":1278275061006,"flow_last_seen":1278275061006,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36051,"dst_port":2068,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00587{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":1425,"flow_packets_processed":1,"flow_first_seen":1278275060597,"flow_last_seen":1278275060597,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36051,"dst_port":20,"l4_proto":"tcp","ndpi": {"proto":"FTP_DATA","breed":"Acceptable","category":"Download"}}
00551{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":1425,"flow_packets_processed":1,"flow_first_seen":1278275060597,"flow_last_seen":1278275060597,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36051,"dst_port":20,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
-00633{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":11,"flow_packets_processed":1,"flow_first_seen":1278275056340,"flow_last_seen":1278275056340,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36050,"dst_port":21,"l4_proto":"tcp","ndpi": {"proto":"FTP_CONTROL","breed":"Unsafe","category":"Download"},"ftp": {"user":"","password":"","auth_failed":0}}
+00671{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":11,"flow_packets_processed":1,"flow_first_seen":1278275056340,"flow_last_seen":1278275056340,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36050,"dst_port":21,"l4_proto":"tcp","ndpi": {"flow_risk": {"22":"Unsafe Protocol"},"proto":"FTP_CONTROL","breed":"Unsafe","category":"Download"},"ftp": {"user":"","password":"","auth_failed":0}}
00549{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":11,"flow_packets_processed":1,"flow_first_seen":1278275056340,"flow_last_seen":1278275056340,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36050,"dst_port":21,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00673{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":40,"flow_packets_processed":5,"flow_first_seen":1278275057678,"flow_last_seen":1278275079360,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36050,"dst_port":22,"l4_proto":"tcp","ndpi": {"proto":"SSH","breed":"Acceptable","category":"RemoteAccess"},"ssh": {"client_signature":"","server_signature":"","hassh_client":"","hassh_server":""}}
00549{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":40,"flow_packets_processed":5,"flow_first_seen":1278275057678,"flow_last_seen":1278275079360,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36050,"dst_port":22,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
-00633{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":20,"flow_packets_processed":1,"flow_first_seen":1278275057477,"flow_last_seen":1278275057477,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36051,"dst_port":21,"l4_proto":"tcp","ndpi": {"proto":"FTP_CONTROL","breed":"Unsafe","category":"Download"},"ftp": {"user":"","password":"","auth_failed":0}}
+00671{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":20,"flow_packets_processed":1,"flow_first_seen":1278275057477,"flow_last_seen":1278275057477,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36051,"dst_port":21,"l4_proto":"tcp","ndpi": {"flow_risk": {"22":"Unsafe Protocol"},"proto":"FTP_CONTROL","breed":"Unsafe","category":"Download"},"ftp": {"user":"","password":"","auth_failed":0}}
00549{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":20,"flow_packets_processed":1,"flow_first_seen":1278275057477,"flow_last_seen":1278275057477,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36051,"dst_port":21,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00569{"flow_event_id":8,"flow_event_name":"not-detected","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":1443,"flow_packets_processed":1,"flow_first_seen":1278275060642,"flow_last_seen":1278275060642,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36050,"dst_port":49175,"l4_proto":"tcp","ndpi": {"proto":"Unknown","breed":"Unrated"}}
00554{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":1443,"flow_packets_processed":1,"flow_first_seen":1278275060642,"flow_last_seen":1278275060642,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36050,"dst_port":49175,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
-00623{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":16,"flow_packets_processed":1,"flow_first_seen":1278275056466,"flow_last_seen":1278275056466,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36050,"dst_port":23,"l4_proto":"tcp","ndpi": {"proto":"Telnet","breed":"Unsafe","category":"RemoteAccess"},"telnet": {"username":"","password":""}}
+00661{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":16,"flow_packets_processed":1,"flow_first_seen":1278275056466,"flow_last_seen":1278275056466,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36050,"dst_port":23,"l4_proto":"tcp","ndpi": {"flow_risk": {"22":"Unsafe Protocol"},"proto":"Telnet","breed":"Unsafe","category":"RemoteAccess"},"telnet": {"username":"","password":""}}
00549{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":16,"flow_packets_processed":1,"flow_first_seen":1278275056466,"flow_last_seen":1278275056466,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36050,"dst_port":23,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00569{"flow_event_id":8,"flow_event_name":"not-detected","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":1503,"flow_packets_processed":1,"flow_first_seen":1278275060743,"flow_last_seen":1278275060743,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36051,"dst_port":49175,"l4_proto":"tcp","ndpi": {"proto":"Unknown","breed":"Unrated"}}
00554{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":1503,"flow_packets_processed":1,"flow_first_seen":1278275060743,"flow_last_seen":1278275060743,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36051,"dst_port":49175,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -5544,7 +5544,7 @@
00553{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":426,"flow_packets_processed":1,"flow_first_seen":1278275059030,"flow_last_seen":1278275059030,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36050,"dst_port":49176,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00565{"flow_event_id":8,"flow_event_name":"not-detected","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":135,"flow_packets_processed":1,"flow_first_seen":1278275058096,"flow_last_seen":1278275058096,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36050,"dst_port":24,"l4_proto":"tcp","ndpi": {"proto":"Unknown","breed":"Unrated"}}
00550{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":135,"flow_packets_processed":1,"flow_first_seen":1278275058096,"flow_last_seen":1278275058096,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36050,"dst_port":24,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
-00623{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":17,"flow_packets_processed":1,"flow_first_seen":1278275057477,"flow_last_seen":1278275057477,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36051,"dst_port":23,"l4_proto":"tcp","ndpi": {"proto":"Telnet","breed":"Unsafe","category":"RemoteAccess"},"telnet": {"username":"","password":""}}
+00661{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":17,"flow_packets_processed":1,"flow_first_seen":1278275057477,"flow_last_seen":1278275057477,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36051,"dst_port":23,"l4_proto":"tcp","ndpi": {"flow_risk": {"22":"Unsafe Protocol"},"proto":"Telnet","breed":"Unsafe","category":"RemoteAccess"},"telnet": {"username":"","password":""}}
00549{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":17,"flow_packets_processed":1,"flow_first_seen":1278275057477,"flow_last_seen":1278275057477,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36051,"dst_port":23,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00568{"flow_event_id":8,"flow_event_name":"not-detected","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":481,"flow_packets_processed":1,"flow_first_seen":1278275059156,"flow_last_seen":1278275059156,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36051,"dst_port":49176,"l4_proto":"tcp","ndpi": {"proto":"Unknown","breed":"Unrated"}}
00553{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":481,"flow_packets_processed":1,"flow_first_seen":1278275059156,"flow_last_seen":1278275059156,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36051,"dst_port":49176,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -5746,9 +5746,9 @@
00552{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":284,"flow_packets_processed":1,"flow_first_seen":1278275058595,"flow_last_seen":1278275058595,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36051,"dst_port":8300,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00566{"flow_event_id":8,"flow_event_name":"not-detected","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":834,"flow_packets_processed":1,"flow_first_seen":1278275059785,"flow_last_seen":1278275059785,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36051,"dst_port":109,"l4_proto":"tcp","ndpi": {"proto":"Unknown","breed":"Unrated"}}
00551{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":834,"flow_packets_processed":1,"flow_first_seen":1278275059785,"flow_last_seen":1278275059785,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36051,"dst_port":109,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
-00608{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":32,"flow_packets_processed":1,"flow_first_seen":1278275057677,"flow_last_seen":1278275057677,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36050,"dst_port":110,"l4_proto":"tcp","ndpi": {"proto":"POP3","breed":"Unsafe","category":"Email"},"pop": {"user":"","password":""}}
+00646{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":32,"flow_packets_processed":1,"flow_first_seen":1278275057677,"flow_last_seen":1278275057677,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36050,"dst_port":110,"l4_proto":"tcp","ndpi": {"flow_risk": {"22":"Unsafe Protocol"},"proto":"POP3","breed":"Unsafe","category":"Email"},"pop": {"user":"","password":""}}
00550{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":32,"flow_packets_processed":1,"flow_first_seen":1278275057677,"flow_last_seen":1278275057677,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36050,"dst_port":110,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
-00608{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":67,"flow_packets_processed":1,"flow_first_seen":1278275057820,"flow_last_seen":1278275057820,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36051,"dst_port":110,"l4_proto":"tcp","ndpi": {"proto":"POP3","breed":"Unsafe","category":"Email"},"pop": {"user":"","password":""}}
+00646{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":67,"flow_packets_processed":1,"flow_first_seen":1278275057820,"flow_last_seen":1278275057820,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36051,"dst_port":110,"l4_proto":"tcp","ndpi": {"flow_risk": {"22":"Unsafe Protocol"},"proto":"POP3","breed":"Unsafe","category":"Email"},"pop": {"user":"","password":""}}
00550{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":67,"flow_packets_processed":1,"flow_first_seen":1278275057820,"flow_last_seen":1278275057820,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36051,"dst_port":110,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00564{"flow_event_id":8,"flow_event_name":"not-detected","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":1,"flow_first_seen":1278275056276,"flow_last_seen":1278275056276,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36050,"dst_port":111,"l4_proto":"tcp","ndpi": {"proto":"Unknown","breed":"Unrated"}}
00549{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":1,"flow_first_seen":1278275056276,"flow_last_seen":1278275056276,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36050,"dst_port":111,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -5794,9 +5794,9 @@
00550{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":1,"flow_first_seen":1278275056403,"flow_last_seen":1278275056403,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36050,"dst_port":139,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00583{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":19,"flow_packets_processed":1,"flow_first_seen":1278275057477,"flow_last_seen":1278275057477,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36051,"dst_port":139,"l4_proto":"tcp","ndpi": {"proto":"NetBIOS","breed":"Acceptable","category":"System"}}
00550{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":19,"flow_packets_processed":1,"flow_first_seen":1278275057477,"flow_last_seen":1278275057477,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36051,"dst_port":139,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
-00581{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":1788,"flow_packets_processed":1,"flow_first_seen":1278275061108,"flow_last_seen":1278275061108,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36050,"dst_port":8333,"l4_proto":"tcp","ndpi": {"proto":"Mining","breed":"Unsafe","category":"Mining"}}
+00619{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":1788,"flow_packets_processed":1,"flow_first_seen":1278275061108,"flow_last_seen":1278275061108,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36050,"dst_port":8333,"l4_proto":"tcp","ndpi": {"flow_risk": {"22":"Unsafe Protocol"},"proto":"Mining","breed":"Unsafe","category":"Mining"}}
00553{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":1788,"flow_packets_processed":1,"flow_first_seen":1278275061108,"flow_last_seen":1278275061108,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36050,"dst_port":8333,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
-00581{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":1869,"flow_packets_processed":1,"flow_first_seen":1278275061211,"flow_last_seen":1278275061211,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36051,"dst_port":8333,"l4_proto":"tcp","ndpi": {"proto":"Mining","breed":"Unsafe","category":"Mining"}}
+00619{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":1869,"flow_packets_processed":1,"flow_first_seen":1278275061211,"flow_last_seen":1278275061211,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36051,"dst_port":8333,"l4_proto":"tcp","ndpi": {"flow_risk": {"22":"Unsafe Protocol"},"proto":"Mining","breed":"Unsafe","category":"Mining"}}
00553{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":1869,"flow_packets_processed":1,"flow_first_seen":1278275061211,"flow_last_seen":1278275061211,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36051,"dst_port":8333,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00567{"flow_event_id":8,"flow_event_name":"not-detected","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":193,"flow_packets_processed":1,"flow_first_seen":1278275058281,"flow_last_seen":1278275058281,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36050,"dst_port":2190,"l4_proto":"tcp","ndpi": {"proto":"Unknown","breed":"Unrated"}}
00552{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":193,"flow_packets_processed":1,"flow_first_seen":1278275058281,"flow_last_seen":1278275058281,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36050,"dst_port":2190,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -5804,13 +5804,13 @@
00553{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":1327,"flow_packets_processed":1,"flow_first_seen":1278275060491,"flow_last_seen":1278275060491,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36050,"dst_port":2191,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00567{"flow_event_id":8,"flow_event_name":"not-detected","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":222,"flow_packets_processed":1,"flow_first_seen":1278275058405,"flow_last_seen":1278275058405,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36051,"dst_port":2190,"l4_proto":"tcp","ndpi": {"proto":"Unknown","breed":"Unrated"}}
00552{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":222,"flow_packets_processed":1,"flow_first_seen":1278275058405,"flow_last_seen":1278275058405,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36051,"dst_port":2190,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
-00608{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":1,"flow_first_seen":1278275056276,"flow_last_seen":1278275056276,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36050,"dst_port":143,"l4_proto":"tcp","ndpi": {"proto":"IMAP","breed":"Unsafe","category":"Email"},"imap": {"user":"","password":""}}
+00646{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":1,"flow_first_seen":1278275056276,"flow_last_seen":1278275056276,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36050,"dst_port":143,"l4_proto":"tcp","ndpi": {"flow_risk": {"22":"Unsafe Protocol"},"proto":"IMAP","breed":"Unsafe","category":"Email"},"imap": {"user":"","password":""}}
00549{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":1,"flow_first_seen":1278275056276,"flow_last_seen":1278275056276,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36050,"dst_port":143,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00568{"flow_event_id":8,"flow_event_name":"not-detected","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":1418,"flow_packets_processed":1,"flow_first_seen":1278275060596,"flow_last_seen":1278275060596,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36051,"dst_port":2191,"l4_proto":"tcp","ndpi": {"proto":"Unknown","breed":"Unrated"}}
00553{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":1418,"flow_packets_processed":1,"flow_first_seen":1278275060596,"flow_last_seen":1278275060596,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36051,"dst_port":2191,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00567{"flow_event_id":8,"flow_event_name":"not-detected","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":1032,"flow_packets_processed":1,"flow_first_seen":1278275060071,"flow_last_seen":1278275060071,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36050,"dst_port":144,"l4_proto":"tcp","ndpi": {"proto":"Unknown","breed":"Unrated"}}
00552{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":1032,"flow_packets_processed":1,"flow_first_seen":1278275060071,"flow_last_seen":1278275060071,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36050,"dst_port":144,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
-00609{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":28,"flow_packets_processed":1,"flow_first_seen":1278275057478,"flow_last_seen":1278275057478,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36051,"dst_port":143,"l4_proto":"tcp","ndpi": {"proto":"IMAP","breed":"Unsafe","category":"Email"},"imap": {"user":"","password":""}}
+00647{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":28,"flow_packets_processed":1,"flow_first_seen":1278275057478,"flow_last_seen":1278275057478,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36051,"dst_port":143,"l4_proto":"tcp","ndpi": {"flow_risk": {"22":"Unsafe Protocol"},"proto":"IMAP","breed":"Unsafe","category":"Email"},"imap": {"user":"","password":""}}
00550{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":28,"flow_packets_processed":1,"flow_first_seen":1278275057478,"flow_last_seen":1278275057478,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36051,"dst_port":143,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00567{"flow_event_id":8,"flow_event_name":"not-detected","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":1123,"flow_packets_processed":1,"flow_first_seen":1278275060182,"flow_last_seen":1278275060182,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36051,"dst_port":144,"l4_proto":"tcp","ndpi": {"proto":"Unknown","breed":"Unrated"}}
00552{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2011,"source":"synscan.pcap","alias":"nDPId-test","flow_id":1123,"flow_packets_processed":1,"flow_first_seen":1278275060182,"flow_last_seen":1278275060182,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1278275079360,"l3_proto":"ip4","src_ip":"172.16.0.8","dst_ip":"64.13.134.52","src_port":36051,"dst_port":144,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -7995,9 +7995,9 @@
~~ total active/idle flows...: 1994/1994
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 5207131 bytes
-~~ total memory freed........: 5207131 bytes
-~~ total allocations/frees...: 43328/43328
+~~ total memory allocated....: 7024414 bytes
+~~ total memory freed........: 7024414 bytes
+~~ total allocations/frees...: 107524/107524
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 165 chars
~~ json string max len.......: 688 chars
diff --git a/test/results/syslog.pcapng.out b/test/results/syslog.pcapng.out
new file mode 100644
index 000000000..06680bc9b
--- /dev/null
+++ b/test/results/syslog.pcapng.out
@@ -0,0 +1,58 @@
+00442{"daemon_event_id":1,"daemon_event_name":"init","thread_id":0,"packet_id":0,"source":"syslog.pcapng","alias":"nDPId-test","max-flows-per-thread":2048,"max-idle-flows-per-thread":256,"tick-resolution":1000,"reader-thread-count":1,"flow-scan-interval":10000,"generic-max-idle-time":600000,"icmp-max-idle-time":120000,"udp-max-idle-time":180000,"tcp-max-idle-time":7560000,"max-packets-per-flow-to-send":3,"max-packets-per-flow-to-process":255}
+00553{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1,"source":"syslog.pcapng","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1600781689297,"flow_last_seen":1600781689297,"flow_idle_time":180000,"flow_min_l4_payload_len":82,"flow_max_l4_payload_len":82,"flow_tot_l4_payload_len":82,"flow_avg_l4_payload_len":82,"midstream":0,"ts_msec":1600781689297,"l3_proto":"ip4","src_ip":"172.21.251.36","dst_ip":"172.19.196.11","src_port":62679,"dst_port":514,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00540{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"syslog.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_last_seen":1600781689297,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":124,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":124,"pkt_l4_len":90,"ts_msec":1600781689297,"pkt":"qrvMbk9eqrvMlgwFCABFAABuAAAAAP8RpCWsFfskrBPEC\/TXAgIAWrkePDE4OT4zMDogKlNlcCAyMiAxMzozNDo0OS4xOTU6ICVTWVMtNS1DT05GSUdfSTogQ29uZmlndXJlZCBmcm9tIGNvbnNvbGUgYnkgY29uc29sZQ=="}
+00587{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"syslog.pcapng","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1600781689297,"flow_last_seen":1600781689297,"flow_idle_time":180000,"flow_min_l4_payload_len":82,"flow_max_l4_payload_len":82,"flow_tot_l4_payload_len":82,"flow_avg_l4_payload_len":82,"midstream":0,"ts_msec":1600781689297,"l3_proto":"ip4","src_ip":"172.21.251.36","dst_ip":"172.19.196.11","src_port":62679,"dst_port":514,"l4_proto":"udp","ndpi": {"proto":"Syslog","breed":"Acceptable","category":"System"}}
+00589{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"syslog.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_last_seen":1600781690282,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":160,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":160,"pkt_l4_len":126,"ts_msec":1600781690282,"pkt":"qrvMbk9eqrvMlgwFCABFAACSAAEAAP8RpACsFfskrBPEC\/TXAgIAfpjBPDE5MD4zMTogKlNlcCAyMiAxMzozNDo0OS4yMjA6ICVTWVMtNi1MT0dHSU5HSE9TVF9TVEFSVFNUT1A6IExvZ2dpbmcgdG8gaG9zdCAxMC4xLjIuMiBwb3J0IDUxNCBzdGFydGVkIC0gQ0xJIGluaXRpYXRlZA=="}
+00560{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":3,"source":"syslog.pcapng","alias":"nDPId-test","flow_id":2,"flow_packets_processed":1,"flow_first_seen":1600781776117,"flow_last_seen":1600781776117,"flow_idle_time":180000,"flow_min_l4_payload_len":116,"flow_max_l4_payload_len":116,"flow_tot_l4_payload_len":116,"flow_avg_l4_payload_len":116,"midstream":0,"ts_msec":1600781776117,"l3_proto":"ip4","src_ip":"192.168.72.140","dst_ip":"192.168.178.148","src_port":62679,"dst_port":514,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00584{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"syslog.pcapng","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_last_seen":1600781776117,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":158,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":158,"pkt_l4_len":124,"ts_msec":1600781776117,"pkt":"qrvMXnUpqrvMO4StCABFAACQAAMAAP8RPujAqEiMwKiylPTXAgIAfAzhPDE0PjMzOiAqU2VwIDIyIDEzOjM2OjE1LjMwODogJVNZUy02LUxPR0dJTkdIT1NUX1NUQVJUU1RPUDogTG9nZ2luZyB0byBob3N0IDEwLjEuMi4yIHBvcnQgNTE0IHJlc3RvcmVkIENMSSBpbml0aWF0ZWQ="}
+00594{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":3,"source":"syslog.pcapng","alias":"nDPId-test","flow_id":2,"flow_packets_processed":1,"flow_first_seen":1600781776117,"flow_last_seen":1600781776117,"flow_idle_time":180000,"flow_min_l4_payload_len":116,"flow_max_l4_payload_len":116,"flow_tot_l4_payload_len":116,"flow_avg_l4_payload_len":116,"midstream":0,"ts_msec":1600781776117,"l3_proto":"ip4","src_ip":"192.168.72.140","dst_ip":"192.168.178.148","src_port":62679,"dst_port":514,"l4_proto":"udp","ndpi": {"proto":"Syslog","breed":"Acceptable","category":"System"}}
+00537{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4,"source":"syslog.pcapng","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_last_seen":1600781777157,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":123,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":123,"pkt_l4_len":89,"ts_msec":1600781777157,"pkt":"qrvMXnUpqrvMO4StCABFAABtAAQAAP8RPwrAqEiMwKiylPTXAgIAWZ\/\/PDEzPjM0OiAqU2VwIDIyIDEzOjM2OjE2LjA5MTogJVNZUy01LUNPTkZJR19JOiBDb25maWd1cmVkIGZyb20gY29uc29sZSBieSBjb25zb2xl"}
+00557{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":5,"source":"syslog.pcapng","alias":"nDPId-test","flow_id":1,"flow_packets_processed":2,"flow_first_seen":1600781689297,"flow_last_seen":1600781690282,"flow_idle_time":180000,"flow_min_l4_payload_len":82,"flow_max_l4_payload_len":118,"flow_tot_l4_payload_len":200,"flow_avg_l4_payload_len":100,"midstream":0,"ts_msec":1600781952293,"l3_proto":"ip4","src_ip":"172.21.251.36","dst_ip":"172.19.196.11","src_port":62679,"dst_port":514,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00559{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":5,"source":"syslog.pcapng","alias":"nDPId-test","flow_id":2,"flow_packets_processed":2,"flow_first_seen":1600781776117,"flow_last_seen":1600781777157,"flow_idle_time":180000,"flow_min_l4_payload_len":81,"flow_max_l4_payload_len":116,"flow_tot_l4_payload_len":197,"flow_avg_l4_payload_len":98,"midstream":0,"ts_msec":1600781952293,"l3_proto":"ip4","src_ip":"192.168.72.140","dst_ip":"192.168.178.148","src_port":62679,"dst_port":514,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00552{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":5,"source":"syslog.pcapng","alias":"nDPId-test","flow_id":3,"flow_packets_processed":1,"flow_first_seen":1600781952293,"flow_last_seen":1600781952293,"flow_idle_time":180000,"flow_min_l4_payload_len":93,"flow_max_l4_payload_len":93,"flow_tot_l4_payload_len":93,"flow_avg_l4_payload_len":93,"midstream":0,"ts_msec":1600781952293,"l3_proto":"ip4","src_ip":"192.168.67.241","dst_ip":"10.193.53.6","src_port":62679,"dst_port":514,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00552{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":5,"source":"syslog.pcapng","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_last_seen":1600781952293,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":135,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":135,"pkt_l4_len":101,"ts_msec":1600781952293,"pkt":"qrvMySBnqrvMPDqhCABFAAB5AAgAAP8RdwvAqEPxCsE1BvTXAgIAZVTQPDE4Nz4zODogUjE6ICpTZXAgMjIgMTM6Mzk6MTEuMjUwOiAlTElOSy0zLVVQRE9XTjogSW50ZXJmYWNlIEV0aGVybmV0MC8yLCBjaGFuZ2VkIHN0YXRlIHRvIHVw"}
+00586{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":5,"source":"syslog.pcapng","alias":"nDPId-test","flow_id":3,"flow_packets_processed":1,"flow_first_seen":1600781952293,"flow_last_seen":1600781952293,"flow_idle_time":180000,"flow_min_l4_payload_len":93,"flow_max_l4_payload_len":93,"flow_tot_l4_payload_len":93,"flow_avg_l4_payload_len":93,"midstream":0,"ts_msec":1600781952293,"l3_proto":"ip4","src_ip":"192.168.67.241","dst_ip":"10.193.53.6","src_port":62679,"dst_port":514,"l4_proto":"udp","ndpi": {"proto":"Syslog","breed":"Acceptable","category":"System"}}
+00584{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6,"source":"syslog.pcapng","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_last_seen":1600781952293,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":157,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":157,"pkt_l4_len":123,"ts_msec":1600781952293,"pkt":"qrvMySBnqrvMPDqhCABFAACPAAkAAP8RdvTAqEPxCsE1BvTXAgIAe0jbPDE4OT4zOTogUjE6ICpTZXAgMjIgMTM6Mzk6MTIuMjUyOiAlTElORVBST1RPLTUtVVBET1dOOiBMaW5lIHByb3RvY29sIG9uIEludGVyZmFjZSBFdGhlcm5ldDAvMiwgY2hhbmdlZCBzdGF0ZSB0byB1cA=="}
+00556{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":7,"source":"syslog.pcapng","alias":"nDPId-test","flow_id":3,"flow_packets_processed":2,"flow_first_seen":1600781952293,"flow_last_seen":1600781952293,"flow_idle_time":180000,"flow_min_l4_payload_len":93,"flow_max_l4_payload_len":115,"flow_tot_l4_payload_len":208,"flow_avg_l4_payload_len":104,"midstream":0,"ts_msec":1600782411853,"l3_proto":"ip4","src_ip":"192.168.67.241","dst_ip":"10.193.53.6","src_port":62679,"dst_port":514,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00560{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":7,"source":"syslog.pcapng","alias":"nDPId-test","flow_id":4,"flow_packets_processed":1,"flow_first_seen":1600782411853,"flow_last_seen":1600782411853,"flow_idle_time":180000,"flow_min_l4_payload_len":304,"flow_max_l4_payload_len":304,"flow_tot_l4_payload_len":304,"flow_avg_l4_payload_len":304,"midstream":0,"ts_msec":1600782411853,"l3_proto":"ip4","src_ip":"192.168.126.102","dst_ip":"172.19.177.230","src_port":57166,"dst_port":514,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00836{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":7,"source":"syslog.pcapng","alias":"nDPId-test","flow_id":4,"flow_packet_id":1,"flow_last_seen":1600782411853,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":346,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":346,"pkt_l4_len":312,"ts_msec":1600782411853,"pkt":"qrvMCetCqrvMS9ZJCABFAAFMAAAAAP8RHZjAqH5mrBOx5t9OAgIBOHsYPDE5MD44MjogUjE6IFtzeXNsb2dAOSBzX3NuPSIxIl06IDxpb3MtbG9nLW1zZz48ZmFjaWxpdHk+U1lTPC9mYWNpbGl0eT48c2V2ZXJpdHk+Njwvc2V2ZXJpdHk+PG1zZy1pZD5MT0dHSU5HSE9TVF9TVEFSVFNUT1A8L21zZy1pZD48dGltZT4qU2VwIDIyIDEzOjQ2OjUwLjgxMjwvdGltZT48YXJncz48YXJnIGlkPSIwIj4xMC4xLjIuMjwvYXJnPjxhcmcgaWQ9IjEiPiBwb3J0IDUxNDwvYXJnPjxhcmcgaWQ9IjIiPjwvYXJnPjxhcmcgaWQ9IjMiPiBzdGFydGVkIC0gQ0xJIGluaXRpYXRlZDwvYXJnPjwvYXJncz48L2lvcy1sb2ctbXNnPg=="}
+00594{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":7,"source":"syslog.pcapng","alias":"nDPId-test","flow_id":4,"flow_packets_processed":1,"flow_first_seen":1600782411853,"flow_last_seen":1600782411853,"flow_idle_time":180000,"flow_min_l4_payload_len":304,"flow_max_l4_payload_len":304,"flow_tot_l4_payload_len":304,"flow_avg_l4_payload_len":304,"midstream":0,"ts_msec":1600782411853,"l3_proto":"ip4","src_ip":"192.168.126.102","dst_ip":"172.19.177.230","src_port":57166,"dst_port":514,"l4_proto":"udp","ndpi": {"proto":"Syslog","breed":"Acceptable","category":"System"}}
+00732{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":8,"source":"syslog.pcapng","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_last_seen":1600782437280,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":268,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":268,"pkt_l4_len":234,"ts_msec":1600782437280,"pkt":"qrvMCetCqrvMS9ZJCABFAAD+AAEAAP8RHeXAqH5mrBOx5t9OAgIA6uDbPDE4Nz44MzogUjE6IFtzeXNsb2dAOSBzX3NuPSIyIl06IDxpb3MtbG9nLW1zZz48ZmFjaWxpdHk+TElOSzwvZmFjaWxpdHk+PHNldmVyaXR5PjM8L3NldmVyaXR5Pjxtc2ctaWQ+VVBET1dOPC9tc2ctaWQ+PHRpbWU+KlNlcCAyMiAxMzo0NzoxNi40MDQ8L3RpbWU+PGFyZ3M+PGFyZyBpZD0iMCI+RXRoZXJuZXQwLzM8L2FyZz48YXJnIGlkPSIxIj51cDwvYXJnPjwvYXJncz48L2lvcy1sb2ctbXNnPg=="}
+00732{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9,"source":"syslog.pcapng","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_last_seen":1600782437466,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":270,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":270,"pkt_l4_len":236,"ts_msec":1600782437466,"pkt":"qrvMCetCqrvMS9ZJCABFAAEAAAIAAP8RHeLAqH5mrBOx5t9OAgIA7NFUPDE4OT44NDogUjE6IFtzeXNsb2dAOSBzX3NuPSIzIl06IDxpb3MtbG9nLW1zZz48ZmFjaWxpdHk+U1lTPC9mYWNpbGl0eT48c2V2ZXJpdHk+NTwvc2V2ZXJpdHk+PG1zZy1pZD5DT05GSUdfSTwvbXNnLWlkPjx0aW1lPipTZXAgMjIgMTM6NDc6MTcuMTk2PC90aW1lPjxhcmdzPjxhcmcgaWQ9IjAiPmNvbnNvbGU8L2FyZz48YXJnIGlkPSIxIj5jb25zb2xlPC9hcmc+PC9hcmdzPjwvaW9zLWxvZy1tc2c+"}
+00557{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":11,"source":"syslog.pcapng","alias":"nDPId-test","flow_id":5,"flow_packets_processed":1,"flow_first_seen":1600782466695,"flow_last_seen":1600782466695,"flow_idle_time":180000,"flow_min_l4_payload_len":107,"flow_max_l4_payload_len":107,"flow_tot_l4_payload_len":107,"flow_avg_l4_payload_len":107,"midstream":0,"ts_msec":1600782466695,"l3_proto":"ip4","src_ip":"10.22.179.215","dst_ip":"172.26.54.76","src_port":57166,"dst_port":514,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00573{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":11,"source":"syslog.pcapng","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_last_seen":1600782466695,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":149,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":149,"pkt_l4_len":115,"ts_msec":1600782466695,"pkt":"qrvMdK0EqrvMag4ECABFAACHAAQAAP8RGw4KFrPXrBo2TN9OAgIAcw8OPDE4OT44NTogUjE6IFtzeXNsb2dAOSBzX3NuPSI1Il06ICpTZXAgMjIgMTM6NDc6NDUuNjcyOiAlU1lTLTUtQ09ORklHX0k6IENvbmZpZ3VyZWQgZnJvbSBjb25zb2xlIGJ5IGNvbnNvbGU="}
+00591{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":11,"source":"syslog.pcapng","alias":"nDPId-test","flow_id":5,"flow_packets_processed":1,"flow_first_seen":1600782466695,"flow_last_seen":1600782466695,"flow_idle_time":180000,"flow_min_l4_payload_len":107,"flow_max_l4_payload_len":107,"flow_tot_l4_payload_len":107,"flow_avg_l4_payload_len":107,"midstream":0,"ts_msec":1600782466695,"l3_proto":"ip4","src_ip":"10.22.179.215","dst_ip":"172.26.54.76","src_port":57166,"dst_port":514,"l4_proto":"udp","ndpi": {"proto":"Syslog","breed":"Acceptable","category":"System"}}
+00621{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":12,"source":"syslog.pcapng","alias":"nDPId-test","flow_id":5,"flow_packet_id":2,"flow_last_seen":1600782475311,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":185,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":185,"pkt_l4_len":151,"ts_msec":1600782475311,"pkt":"qrvMdK0EqrvMag4ECABFAACrAAUAAP8RGukKFrPXrBo2TN9OAgIAl+OwPDE5MD44NjogUjE6IFtzeXNsb2dAOSBzX3NuPSI2Il06ICpTZXAgMjIgMTM6NDc6NTQuMzAzOiAlU1lTLTYtTE9HR0lOR0hPU1RfU1RBUlRTVE9QOiBMb2dnaW5nIHRvIGhvc3QgMTAuMS4yLjIgcG9ydCA1MTQgc3RvcHBlZCAtIENMSSBpbml0aWF0ZWQ="}
+00621{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":13,"source":"syslog.pcapng","alias":"nDPId-test","flow_id":5,"flow_packet_id":3,"flow_last_seen":1600782476392,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":184,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":184,"pkt_l4_len":150,"ts_msec":1600782476392,"pkt":"qrvMdK0EqrvMag4ECABFAACqAAYAAP8RGukKFrPXrBo2TN9OAgIAlm33PDE5MD44NzogUjE6IFtzeXNsb2dAOSBzX3NuPSI3Il06ICpTZXAgMjIgMTM6NDc6NTUuNjk5OiAlU1lTLTYtTE9HR0lOR0hPU1RfU1RBUlRTVE9QOiBMb2dnaW5nIHRvIGhvc3QgMTAuMS4yLjIgcG9ydCA1MTQgcmVzdG9yZWQgQ0xJIGluaXRpYXRlZA=="}
+00564{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":16,"source":"syslog.pcapng","alias":"nDPId-test","flow_id":4,"flow_packets_processed":4,"flow_first_seen":1600782411853,"flow_last_seen":1600782438439,"flow_idle_time":180000,"flow_min_l4_payload_len":226,"flow_max_l4_payload_len":304,"flow_tot_l4_payload_len":989,"flow_avg_l4_payload_len":247,"midstream":0,"ts_msec":1600782514222,"l3_proto":"ip4","src_ip":"192.168.126.102","dst_ip":"172.19.177.230","src_port":57166,"dst_port":514,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00559{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":16,"source":"syslog.pcapng","alias":"nDPId-test","flow_id":6,"flow_packets_processed":1,"flow_first_seen":1600782514222,"flow_last_seen":1600782514222,"flow_idle_time":180000,"flow_min_l4_payload_len":207,"flow_max_l4_payload_len":207,"flow_tot_l4_payload_len":207,"flow_avg_l4_payload_len":207,"midstream":0,"ts_msec":1600782514222,"l3_proto":"ip4","src_ip":"192.168.45.162","dst_ip":"10.208.120.95","src_port":57166,"dst_port":514,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00706{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":16,"source":"syslog.pcapng","alias":"nDPId-test","flow_id":6,"flow_packet_id":1,"flow_last_seen":1600782514222,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":249,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":249,"pkt_l4_len":215,"ts_msec":1600782514222,"pkt":"qrvMkvyHqrvMTZFeCABFAADrAAkAAP8RSX\/AqC2iCtB4X99OAgIA1wa4PDE4OT45MjogUjE6IDxpb3MtbG9nLW1zZz48ZmFjaWxpdHk+U1lTPC9mYWNpbGl0eT48c2V2ZXJpdHk+NTwvc2V2ZXJpdHk+PG1zZy1pZD5DT05GSUdfSTwvbXNnLWlkPjx0aW1lPipTZXAgMjIgMTM6NDg6MzMuOTc4PC90aW1lPjxhcmdzPjxhcmcgaWQ9IjAiPmNvbnNvbGU8L2FyZz48YXJnIGlkPSIxIj5jb25zb2xlPC9hcmc+PC9hcmdzPjwvaW9zLWxvZy1tc2c+"}
+00593{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":16,"source":"syslog.pcapng","alias":"nDPId-test","flow_id":6,"flow_packets_processed":1,"flow_first_seen":1600782514222,"flow_last_seen":1600782514222,"flow_idle_time":180000,"flow_min_l4_payload_len":207,"flow_max_l4_payload_len":207,"flow_tot_l4_payload_len":207,"flow_avg_l4_payload_len":207,"midstream":0,"ts_msec":1600782514222,"l3_proto":"ip4","src_ip":"192.168.45.162","dst_ip":"10.208.120.95","src_port":57166,"dst_port":514,"l4_proto":"udp","ndpi": {"proto":"Syslog","breed":"Acceptable","category":"System"}}
+00709{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":17,"source":"syslog.pcapng","alias":"nDPId-test","flow_id":6,"flow_packet_id":2,"flow_last_seen":1600782515213,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":250,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":250,"pkt_l4_len":216,"ts_msec":1600782515213,"pkt":"qrvMkvyHqrvMTZFeCABFAADsAAoAAP8RSX3AqC2iCtB4X99OAgIA2PlAPDE4OT45MzogUjE6IDxpb3MtbG9nLW1zZz48ZmFjaWxpdHk+TElORVBST1RPPC9mYWNpbGl0eT48c2V2ZXJpdHk+NTwvc2V2ZXJpdHk+PG1zZy1pZD5VUERPV048L21zZy1pZD48dGltZT4qU2VwIDIyIDEzOjQ4OjM0LjIwMDwvdGltZT48YXJncz48YXJnIGlkPSIwIj5Mb29wYmFjazE8L2FyZz48YXJnIGlkPSIxIj51cDwvYXJnPjwvYXJncz48L2lvcy1sb2ctbXNnPg=="}
+00562{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":18,"source":"syslog.pcapng","alias":"nDPId-test","flow_id":4,"flow_packets_processed":4,"flow_first_seen":1600782411853,"flow_last_seen":1600782438439,"flow_idle_time":180000,"flow_min_l4_payload_len":226,"flow_max_l4_payload_len":304,"flow_tot_l4_payload_len":989,"flow_avg_l4_payload_len":247,"midstream":0,"ts_msec":1600782647886,"l3_proto":"ip4","src_ip":"192.168.126.102","dst_ip":"172.19.177.230","src_port":57166,"dst_port":514,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00560{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":18,"source":"syslog.pcapng","alias":"nDPId-test","flow_id":5,"flow_packets_processed":5,"flow_first_seen":1600782466695,"flow_last_seen":1600782501747,"flow_idle_time":180000,"flow_min_l4_payload_len":107,"flow_max_l4_payload_len":143,"flow_tot_l4_payload_len":642,"flow_avg_l4_payload_len":128,"midstream":0,"ts_msec":1600782647886,"l3_proto":"ip4","src_ip":"10.22.179.215","dst_ip":"172.26.54.76","src_port":57166,"dst_port":514,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00562{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":18,"source":"syslog.pcapng","alias":"nDPId-test","flow_id":6,"flow_packets_processed":2,"flow_first_seen":1600782514222,"flow_last_seen":1600782515213,"flow_idle_time":180000,"flow_min_l4_payload_len":207,"flow_max_l4_payload_len":208,"flow_tot_l4_payload_len":415,"flow_avg_l4_payload_len":207,"midstream":0,"ts_msec":1600782647886,"l3_proto":"ip4","src_ip":"192.168.45.162","dst_ip":"10.208.120.95","src_port":57166,"dst_port":514,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00558{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":18,"source":"syslog.pcapng","alias":"nDPId-test","flow_id":7,"flow_packets_processed":1,"flow_first_seen":1600782647886,"flow_last_seen":1600782647886,"flow_idle_time":180000,"flow_min_l4_payload_len":203,"flow_max_l4_payload_len":203,"flow_tot_l4_payload_len":203,"flow_avg_l4_payload_len":203,"midstream":0,"ts_msec":1600782647886,"l3_proto":"ip4","src_ip":"10.224.43.149","dst_ip":"172.23.243.89","src_port":57166,"dst_port":514,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00702{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":18,"source":"syslog.pcapng","alias":"nDPId-test","flow_id":7,"flow_packet_id":1,"flow_last_seen":1600782647886,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":245,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":245,"pkt_l4_len":211,"ts_msec":1600782647886,"pkt":"qrvMj6IeqrvMSxtwCABFAADnAAsAAP8R5RQK4CuVrBfzWd9OAgIA0\/DmPDE4OT45NDogPGlvcy1sb2ctbXNnPjxmYWNpbGl0eT5TWVM8L2ZhY2lsaXR5PjxzZXZlcml0eT41PC9zZXZlcml0eT48bXNnLWlkPkNPTkZJR19JPC9tc2ctaWQ+PHRpbWU+KlNlcCAyMiAxMzo1MDo0Ni43Nzc8L3RpbWU+PGFyZ3M+PGFyZyBpZD0iMCI+Y29uc29sZTwvYXJnPjxhcmcgaWQ9IjEiPmNvbnNvbGU8L2FyZz48L2FyZ3M+PC9pb3MtbG9nLW1zZz4="}
+00592{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":18,"source":"syslog.pcapng","alias":"nDPId-test","flow_id":7,"flow_packets_processed":1,"flow_first_seen":1600782647886,"flow_last_seen":1600782647886,"flow_idle_time":180000,"flow_min_l4_payload_len":203,"flow_max_l4_payload_len":203,"flow_tot_l4_payload_len":203,"flow_avg_l4_payload_len":203,"midstream":0,"ts_msec":1600782647886,"l3_proto":"ip4","src_ip":"10.224.43.149","dst_ip":"172.23.243.89","src_port":57166,"dst_port":514,"l4_proto":"udp","ndpi": {"proto":"Syslog","breed":"Acceptable","category":"System"}}
+00701{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":19,"source":"syslog.pcapng","alias":"nDPId-test","flow_id":7,"flow_packet_id":2,"flow_last_seen":1600782652384,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":246,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":246,"pkt_l4_len":212,"ts_msec":1600782652384,"pkt":"qrvMj6IeqrvMSxtwCABFAADoAAwAAP8R5RIK4CuVrBfzWd9OAgIA1N5pPDE4OT45NTogPGlvcy1sb2ctbXNnPjxmYWNpbGl0eT5MSU5FUFJPVE88L2ZhY2lsaXR5PjxzZXZlcml0eT41PC9zZXZlcml0eT48bXNnLWlkPlVQRE9XTjwvbXNnLWlkPjx0aW1lPipTZXAgMjIgMTM6NTA6NTEuNzUyPC90aW1lPjxhcmdzPjxhcmcgaWQ9IjAiPkxvb3BiYWNrMjwvYXJnPjxhcmcgaWQ9IjEiPnVwPC9hcmc+PC9hcmdzPjwvaW9zLWxvZy1tc2c+"}
+00702{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":20,"source":"syslog.pcapng","alias":"nDPId-test","flow_id":7,"flow_packet_id":3,"flow_last_seen":1600782653380,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":245,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":245,"pkt_l4_len":211,"ts_msec":1600782653380,"pkt":"qrvMj6IeqrvMSxtwCABFAADnAA0AAP8R5RIK4CuVrBfzWd9OAgIA0\/vrPDE4OT45NjogPGlvcy1sb2ctbXNnPjxmYWNpbGl0eT5TWVM8L2ZhY2lsaXR5PjxzZXZlcml0eT41PC9zZXZlcml0eT48bXNnLWlkPkNPTkZJR19JPC9tc2ctaWQ+PHRpbWU+KlNlcCAyMiAxMzo1MDo1Mi4zMTI8L3RpbWU+PGFyZ3M+PGFyZyBpZD0iMCI+Y29uc29sZTwvYXJnPjxhcmcgaWQ9IjEiPmNvbnNvbGU8L2FyZz48L2FyZ3M+PC9pb3MtbG9nLW1zZz4="}
+00559{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":20,"source":"syslog.pcapng","alias":"nDPId-test","flow_id":7,"flow_packets_processed":3,"flow_first_seen":1600782647886,"flow_last_seen":1600782653380,"flow_idle_time":180000,"flow_min_l4_payload_len":203,"flow_max_l4_payload_len":204,"flow_tot_l4_payload_len":610,"flow_avg_l4_payload_len":203,"midstream":0,"ts_msec":1600782653380,"l3_proto":"ip4","src_ip":"10.224.43.149","dst_ip":"172.23.243.89","src_port":57166,"dst_port":514,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00558{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":20,"source":"syslog.pcapng","alias":"nDPId-test","flow_id":5,"flow_packets_processed":5,"flow_first_seen":1600782466695,"flow_last_seen":1600782501747,"flow_idle_time":180000,"flow_min_l4_payload_len":107,"flow_max_l4_payload_len":143,"flow_tot_l4_payload_len":642,"flow_avg_l4_payload_len":128,"midstream":0,"ts_msec":1600782653380,"l3_proto":"ip4","src_ip":"10.22.179.215","dst_ip":"172.26.54.76","src_port":57166,"dst_port":514,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00560{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":20,"source":"syslog.pcapng","alias":"nDPId-test","flow_id":6,"flow_packets_processed":2,"flow_first_seen":1600782514222,"flow_last_seen":1600782515213,"flow_idle_time":180000,"flow_min_l4_payload_len":207,"flow_max_l4_payload_len":208,"flow_tot_l4_payload_len":415,"flow_avg_l4_payload_len":207,"midstream":0,"ts_msec":1600782653380,"l3_proto":"ip4","src_ip":"192.168.45.162","dst_ip":"10.208.120.95","src_port":57166,"dst_port":514,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00157{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":20,"source":"syslog.pcapng","alias":"nDPId-test","total-events-serialized":43}
+~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
+~~ packets captured/processed: 20/20
+~~ skipped flows.............: 0
+~~ total layer4 data length..: 3261 bytes
+~~ total detected protocols..: 7
+~~ total active/idle flows...: 7/7
+~~ total timeout flows.......: 0
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~ total memory allocated....: 4598171 bytes
+~~ total memory freed........: 4598171 bytes
+~~ total allocations/frees...: 99572/99572
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~ json string min len.......: 162 chars
+~~ json string max len.......: 841 chars
+~~ json string avg len.......: 572 chars
diff --git a/test/results/teams.pcap.out b/test/results/teams.pcap.out
index 124207356..9f976a641 100644
--- a/test/results/teams.pcap.out
+++ b/test/results/teams.pcap.out
@@ -1,7 +1,7 @@
00439{"daemon_event_id":1,"daemon_event_name":"init","thread_id":0,"packet_id":0,"source":"teams.pcap","alias":"nDPId-test","max-flows-per-thread":2048,"max-idle-flows-per-thread":256,"tick-resolution":1000,"reader-thread-count":1,"flow-scan-interval":10000,"generic-max-idle-time":600000,"icmp-max-idle-time":120000,"udp-max-idle-time":180000,"tcp-max-idle-time":7560000,"max-packets-per-flow-to-send":3,"max-packets-per-flow-to-process":255}
00550{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1,"source":"teams.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1587041672419,"flow_last_seen":1587041672419,"flow_idle_time":180000,"flow_min_l4_payload_len":279,"flow_max_l4_payload_len":279,"flow_tot_l4_payload_len":279,"flow_avg_l4_payload_len":279,"midstream":0,"ts_msec":1587041672419,"l3_proto":"ip4","src_ip":"192.168.0.1","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00811{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"teams.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_last_seen":1587041672419,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":321,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":321,"pkt_l4_len":287,"ts_msec":1587041672419,"pkt":"\/\/\/\/\/\/\/\/2A0X1lWrCABFAAEzES1AAEARZ+TAqAAB\/\/\/\/\/wBEAEMBHwAAAQEGABgr52AAAIAAAAAAAAAAAAAAAAAAAAAAANgNF9ZVqwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABjglNjNQEBNwIBAwwJVEwtU0cxMTZFPAlUTC1TRzExNkU9BwHYDRfWVav\/"}
-00613{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"teams.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1587041672419,"flow_last_seen":1587041672419,"flow_idle_time":180000,"flow_min_l4_payload_len":279,"flow_max_l4_payload_len":279,"flow_tot_l4_payload_len":279,"flow_avg_l4_payload_len":279,"midstream":0,"ts_msec":1587041672419,"l3_proto":"ip4","src_ip":"192.168.0.1","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","ndpi": {"proto":"DHCP","breed":"Acceptable","category":"Network"},"dhcp": {"fingerprint":"1,3"}}
+00662{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"teams.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1587041672419,"flow_last_seen":1587041672419,"flow_idle_time":180000,"flow_min_l4_payload_len":279,"flow_max_l4_payload_len":279,"flow_tot_l4_payload_len":279,"flow_avg_l4_payload_len":279,"midstream":0,"ts_msec":1587041672419,"l3_proto":"ip4","src_ip":"192.168.0.1","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","ndpi": {"proto":"DHCP","breed":"Acceptable","category":"Network"},"dhcp": {"hostname":"tl-sg116e","fingerprint":"1,3","class_ident":"TL-SG116E"}}
00351{"packet_event_id":1,"packet_event_name":"packet","thread_id":0,"packet_id":2,"source":"teams.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":38,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"ts_msec":1587041672611,"pkt":"AYDCAAAAeCjKBfrMACZCQgMAAAAAAJAAeCjKBfrMAAAAAJAAeCjKBfrMgAEAAAYAAQAEAKWlpaWlpaWl"}
00143{"basic_event_id":5,"basic_event_name":"Unknown packet type","thread_id":0,"packet_id":2,"source":"teams.pcap","alias":"nDPId-test","type":38}
00546{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":3,"source":"teams.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":1,"flow_first_seen":1587041673094,"flow_last_seen":1587041673094,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1587041673094,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"149.154.167.91","src_port":58533,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -31,9 +31,9 @@
00458{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":16,"source":"teams.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":2,"flow_last_seen":1587041676448,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1587041676448,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA0CixAAHUGQvQ0ccKEwKgBBgG77HWQGjC4LoXCQ4AS\/\/8WpAAAAgQFoAEDAwgBAQQC"}
00440{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":17,"source":"teams.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":3,"flow_last_seen":1587041676448,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1587041676448,"pkt":"EBMx8Tl2KDc3AG3ICABFAAAoAABAAEAGgizAqAEGNHHChOx1AbsuhcJDkBowuVAQIAA3YwAA"}
00798{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":18,"source":"teams.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":4,"flow_first_seen":1587041676435,"flow_last_seen":1587041676449,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":210,"flow_tot_l4_payload_len":210,"flow_avg_l4_payload_len":52,"midstream":0,"ts_msec":1587041676449,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60533,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Teams","breed":"Safe","category":"Collaborative"},"tls": {"version":"TLSv1.2","client_requested_server_name":"teams.microsoft.com","ja3":"ebf5e0e525258d7a8dcb54aa1564ecbd","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
-01117{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":26,"source":"teams.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":12,"flow_first_seen":1587041676435,"flow_last_seen":1587041676464,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1452,"flow_tot_l4_payload_len":6235,"flow_avg_l4_payload_len":519,"midstream":0,"ts_msec":1587041676464,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60533,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Teams","breed":"Safe","category":"Collaborative"},"tls": {"version":"TLSv1.2","client_requested_server_name":"teams.microsoft.com","server_names":"teams.microsoft.com","ja3":"ebf5e0e525258d7a8dcb54aa1564ecbd","ja3s":"0f14538e1c9070becdad7739c67d6363","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4","issuerDN":"CN=teams.microsoft.com","alpn":"h2,http\/1.1","fingerprint":"68:1E:E8:3C:83:70:6F:E3:86:F4:E8:8C:C4:E6:A0:9A:3E:E0:9C:0E"}}
+01118{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":26,"source":"teams.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":12,"flow_first_seen":1587041676435,"flow_last_seen":1587041676464,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1452,"flow_tot_l4_payload_len":6235,"flow_avg_l4_payload_len":519,"midstream":0,"ts_msec":1587041676464,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60533,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Teams","breed":"Safe","category":"Collaborative"},"tls": {"version":"TLSv1.2","client_requested_server_name":"teams.microsoft.com","server_names":"teams.microsoft.com","ja3":"ebf5e0e525258d7a8dcb54aa1564ecbd","ja3s":"0f14538e1c9070becdad7739c67d6363","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4","subjectDN":"CN=teams.microsoft.com","alpn":"h2,http\/1.1","fingerprint":"68:1E:E8:3C:83:70:6F:E3:86:F4:E8:8C:C4:E6:A0:9A:3E:E0:9C:0E"}}
00837{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":37,"source":"teams.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":4,"flow_first_seen":1587041676362,"flow_last_seen":1587041676499,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":174,"flow_tot_l4_payload_len":174,"flow_avg_l4_payload_len":43,"midstream":0,"ts_msec":1587041676499,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60532,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Microsoft","breed":"Safe","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mobile.pipe.aria.microsoft.com","ja3":"a1674500365bdd882188db63730e69a2","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
-01365{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":59,"source":"teams.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":8,"flow_first_seen":1587041676362,"flow_last_seen":1587041676545,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":4377,"flow_avg_l4_payload_len":547,"midstream":0,"ts_msec":1587041676545,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60532,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Microsoft","breed":"Safe","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mobile.pipe.aria.microsoft.com","server_names":"*.events.data.microsoft.com,events.data.microsoft.com,*.pipe.aria.microsoft.com,pipe.skype.com,*.pipe.skype.com,*.mobile.events.data.microsoft.com,mobile.events.data.microsoft.com,*.events.data.msn.com,events.data.msn.com","ja3":"a1674500365bdd882188db63730e69a2","ja3s":"ae4edc6faf64d08308082ad26be60767","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4","issuerDN":"CN=*.events.data.microsoft.com","fingerprint":"33:B3:B7:E9:DA:25:F5:A0:04:E9:63:87:B6:FB:54:77:DB:ED:27:EB"}}
+01366{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":59,"source":"teams.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":8,"flow_first_seen":1587041676362,"flow_last_seen":1587041676545,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":4377,"flow_avg_l4_payload_len":547,"midstream":0,"ts_msec":1587041676545,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60532,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Microsoft","breed":"Safe","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mobile.pipe.aria.microsoft.com","server_names":"*.events.data.microsoft.com,events.data.microsoft.com,*.pipe.aria.microsoft.com,pipe.skype.com,*.pipe.skype.com,*.mobile.events.data.microsoft.com,mobile.events.data.microsoft.com,*.events.data.msn.com,events.data.msn.com","ja3":"a1674500365bdd882188db63730e69a2","ja3s":"ae4edc6faf64d08308082ad26be60767","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4","subjectDN":"CN=*.events.data.microsoft.com","fingerprint":"33:B3:B7:E9:DA:25:F5:A0:04:E9:63:87:B6:FB:54:77:DB:ED:27:EB"}}
00352{"packet_event_id":1,"packet_event_name":"packet","thread_id":0,"packet_id":64,"source":"teams.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":38,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"ts_msec":1587041676611,"pkt":"AYDCAAAAeCjKBfrMACZCQgMAAAAAAJAAeCjKBfrMAAAAAJAAeCjKBfrMgAEAAAYAAQAEAKWlpaWlpaWl"}
00144{"basic_event_id":5,"basic_event_name":"Unknown packet type","thread_id":0,"packet_id":64,"source":"teams.pcap","alias":"nDPId-test","type":38}
00543{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":65,"source":"teams.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":1,"flow_first_seen":1587041676612,"flow_last_seen":1587041676612,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1587041676612,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"40.126.9.5","src_port":60534,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -46,15 +46,15 @@
00469{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":156,"source":"teams.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":2,"flow_last_seen":1587041677088,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1587041677088,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8FwhAAGwGtHI0ck0hwKgBBgG77Hf6fNLR2z1jO6ASIACfvwAAAgQFoAEDAwgEAggKYRMfbzCEmgA="}
00457{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":157,"source":"teams.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":3,"flow_last_seen":1587041677088,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1587041677088,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAG94LAqAEGNHJNIex3AbvbPWM7+nzS0oAQEAneQwAAAQEICjCEmixhEx9v"}
00838{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":158,"source":"teams.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":4,"flow_first_seen":1587041677042,"flow_last_seen":1587041677088,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":206,"flow_tot_l4_payload_len":206,"flow_avg_l4_payload_len":51,"midstream":0,"ts_msec":1587041677088,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60535,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Microsoft","breed":"Safe","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mobile.pipe.aria.microsoft.com","ja3":"a1674500365bdd882188db63730e69a2","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
-01367{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":167,"source":"teams.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":13,"flow_first_seen":1587041677042,"flow_last_seen":1587041677186,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":5981,"flow_avg_l4_payload_len":460,"midstream":0,"ts_msec":1587041677186,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60535,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Microsoft","breed":"Safe","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mobile.pipe.aria.microsoft.com","server_names":"*.events.data.microsoft.com,events.data.microsoft.com,*.pipe.aria.microsoft.com,pipe.skype.com,*.pipe.skype.com,*.mobile.events.data.microsoft.com,mobile.events.data.microsoft.com,*.events.data.msn.com,events.data.msn.com","ja3":"a1674500365bdd882188db63730e69a2","ja3s":"ae4edc6faf64d08308082ad26be60767","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4","issuerDN":"CN=*.events.data.microsoft.com","fingerprint":"33:B3:B7:E9:DA:25:F5:A0:04:E9:63:87:B6:FB:54:77:DB:ED:27:EB"}}
+01368{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":167,"source":"teams.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":13,"flow_first_seen":1587041677042,"flow_last_seen":1587041677186,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":5981,"flow_avg_l4_payload_len":460,"midstream":0,"ts_msec":1587041677186,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60535,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Microsoft","breed":"Safe","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mobile.pipe.aria.microsoft.com","server_names":"*.events.data.microsoft.com,events.data.microsoft.com,*.pipe.aria.microsoft.com,pipe.skype.com,*.pipe.skype.com,*.mobile.events.data.microsoft.com,mobile.events.data.microsoft.com,*.events.data.msn.com,events.data.msn.com","ja3":"a1674500365bdd882188db63730e69a2","ja3s":"ae4edc6faf64d08308082ad26be60767","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4","subjectDN":"CN=*.events.data.microsoft.com","fingerprint":"33:B3:B7:E9:DA:25:F5:A0:04:E9:63:87:B6:FB:54:77:DB:ED:27:EB"}}
00548{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":175,"source":"teams.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":1,"flow_first_seen":1587041677243,"flow_last_seen":1587041677243,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1587041677243,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60536,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00477{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":175,"source":"teams.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":1,"flow_last_seen":1587041677243,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"ts_msec":1587041677243,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGghTAqAEGNHHChOx4Abt\/TkvVAAAAALAC\/\/\/5uQAAAgQFtAEDAwUBAQgKMISawwAAAAAEAgAA"}
00459{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":176,"source":"teams.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":2,"flow_last_seen":1587041677255,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1587041677255,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA0wUlAAHUGi9Y0ccKEwKgBBgG77Hiki1UTf05L1oAS\/\/8DeQAAAgQFoAEDAwgBAQQC"}
00442{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":177,"source":"teams.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":3,"flow_last_seen":1587041677255,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1587041677255,"pkt":"EBMx8Tl2KDc3AG3ICABFAAAoAABAAEAGgizAqAEGNHHChOx4Abt\/TkvWpItVFFAQIAAkOAAA"}
00799{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":178,"source":"teams.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":4,"flow_first_seen":1587041677243,"flow_last_seen":1587041677255,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":214,"flow_tot_l4_payload_len":214,"flow_avg_l4_payload_len":53,"midstream":0,"ts_msec":1587041677255,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60536,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Teams","breed":"Safe","category":"Collaborative"},"tls": {"version":"TLSv1.2","client_requested_server_name":"teams.microsoft.com","ja3":"74d5fa154a7fc0a7c655d8eaa34b89bf","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
-01118{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":186,"source":"teams.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":12,"flow_first_seen":1587041677243,"flow_last_seen":1587041677269,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1452,"flow_tot_l4_payload_len":6239,"flow_avg_l4_payload_len":519,"midstream":0,"ts_msec":1587041677269,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60536,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Teams","breed":"Safe","category":"Collaborative"},"tls": {"version":"TLSv1.2","client_requested_server_name":"teams.microsoft.com","server_names":"teams.microsoft.com","ja3":"74d5fa154a7fc0a7c655d8eaa34b89bf","ja3s":"0f14538e1c9070becdad7739c67d6363","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4","issuerDN":"CN=teams.microsoft.com","alpn":"h2,http\/1.1","fingerprint":"68:1E:E8:3C:83:70:6F:E3:86:F4:E8:8C:C4:E6:A0:9A:3E:E0:9C:0E"}}
+01119{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":186,"source":"teams.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":12,"flow_first_seen":1587041677243,"flow_last_seen":1587041677269,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1452,"flow_tot_l4_payload_len":6239,"flow_avg_l4_payload_len":519,"midstream":0,"ts_msec":1587041677269,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60536,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Teams","breed":"Safe","category":"Collaborative"},"tls": {"version":"TLSv1.2","client_requested_server_name":"teams.microsoft.com","server_names":"teams.microsoft.com","ja3":"74d5fa154a7fc0a7c655d8eaa34b89bf","ja3s":"0f14538e1c9070becdad7739c67d6363","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4","subjectDN":"CN=teams.microsoft.com","alpn":"h2,http\/1.1","fingerprint":"68:1E:E8:3C:83:70:6F:E3:86:F4:E8:8C:C4:E6:A0:9A:3E:E0:9C:0E"}}
00441{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":403,"source":"teams.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_last_seen":1587041677380,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1587041677380,"pkt":"EBMx8Tl2KDc3AG3ICABFAAAoAABAAEAGPCzAqAEGlZqnW+SlAbsZTPC8DAoX91AUECaMmwAA"}
-01121{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":444,"source":"teams.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":255,"flow_first_seen":1587041677243,"flow_last_seen":1587041677384,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1452,"flow_tot_l4_payload_len":185330,"flow_avg_l4_payload_len":726,"midstream":0,"ts_msec":1587041677384,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60536,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Teams","breed":"Safe","category":"Collaborative"},"tls": {"version":"TLSv1.2","client_requested_server_name":"teams.microsoft.com","server_names":"teams.microsoft.com","ja3":"74d5fa154a7fc0a7c655d8eaa34b89bf","ja3s":"0f14538e1c9070becdad7739c67d6363","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4","issuerDN":"CN=teams.microsoft.com","alpn":"h2,http\/1.1","fingerprint":"68:1E:E8:3C:83:70:6F:E3:86:F4:E8:8C:C4:E6:A0:9A:3E:E0:9C:0E"}}
+01122{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":444,"source":"teams.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":255,"flow_first_seen":1587041677243,"flow_last_seen":1587041677384,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1452,"flow_tot_l4_payload_len":185330,"flow_avg_l4_payload_len":726,"midstream":0,"ts_msec":1587041677384,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60536,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Teams","breed":"Safe","category":"Collaborative"},"tls": {"version":"TLSv1.2","client_requested_server_name":"teams.microsoft.com","server_names":"teams.microsoft.com","ja3":"74d5fa154a7fc0a7c655d8eaa34b89bf","ja3s":"0f14538e1c9070becdad7739c67d6363","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4","subjectDN":"CN=teams.microsoft.com","alpn":"h2,http\/1.1","fingerprint":"68:1E:E8:3C:83:70:6F:E3:86:F4:E8:8C:C4:E6:A0:9A:3E:E0:9C:0E"}}
00364{"packet_event_id":1,"packet_event_name":"packet","thread_id":0,"packet_id":607,"source":"teams.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":34969,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"ts_msec":1587041677408,"pkt":"\/\/\/\/\/\/\/\/2A0X1lWriJklgAAA2A0X1lWrAACAAADYDRfWVauACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}
00148{"basic_event_id":5,"basic_event_name":"Unknown packet type","thread_id":0,"packet_id":607,"source":"teams.pcap","alias":"nDPId-test","type":34969}
00813{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":608,"source":"teams.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_last_seen":1587041677422,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":321,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":321,"pkt_l4_len":287,"ts_msec":1587041677422,"pkt":"\/\/\/\/\/\/\/\/2A0X1lWrCABFAAEzES5AAEARZ+PAqAAB\/\/\/\/\/wBEAEMBHwAAAQEGADtdrMEAAIAAAAAAAAAAAAAAAAAAAAAAANgNF9ZVqwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABjglNjNQEBNwIBAwwJVEwtU0cxMTZFPAlUTC1TRzExNkU9BwHYDRfWVav\/"}
@@ -65,7 +65,7 @@
00471{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":619,"source":"teams.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":2,"flow_last_seen":1587041678074,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1587041678074,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8KlZAAGwGoSQ0ck0hwKgBBgG77Hk7ZXhQ9B\/rj6ASIAAz8QAAAgQFoAEDAwgEAggKYRL\/2zCEncM="}
00458{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":620,"source":"teams.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":3,"flow_last_seen":1587041678074,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1587041678074,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAG94LAqAEGNHJNIex5Abv0H+uPO2V4UYAQEAlydQAAAQEICjCEne9hEv\/b"}
00838{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":621,"source":"teams.pcap","alias":"nDPId-test","flow_id":9,"flow_packets_processed":4,"flow_first_seen":1587041678029,"flow_last_seen":1587041678074,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":206,"flow_tot_l4_payload_len":206,"flow_avg_l4_payload_len":51,"midstream":0,"ts_msec":1587041678074,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60537,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Microsoft","breed":"Safe","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mobile.pipe.aria.microsoft.com","ja3":"a1674500365bdd882188db63730e69a2","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
-01366{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":625,"source":"teams.pcap","alias":"nDPId-test","flow_id":9,"flow_packets_processed":8,"flow_first_seen":1587041678029,"flow_last_seen":1587041678120,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":4409,"flow_avg_l4_payload_len":551,"midstream":0,"ts_msec":1587041678120,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60537,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Microsoft","breed":"Safe","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mobile.pipe.aria.microsoft.com","server_names":"*.events.data.microsoft.com,events.data.microsoft.com,*.pipe.aria.microsoft.com,pipe.skype.com,*.pipe.skype.com,*.mobile.events.data.microsoft.com,mobile.events.data.microsoft.com,*.events.data.msn.com,events.data.msn.com","ja3":"a1674500365bdd882188db63730e69a2","ja3s":"ae4edc6faf64d08308082ad26be60767","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4","issuerDN":"CN=*.events.data.microsoft.com","fingerprint":"33:B3:B7:E9:DA:25:F5:A0:04:E9:63:87:B6:FB:54:77:DB:ED:27:EB"}}
+01367{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":625,"source":"teams.pcap","alias":"nDPId-test","flow_id":9,"flow_packets_processed":8,"flow_first_seen":1587041678029,"flow_last_seen":1587041678120,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":4409,"flow_avg_l4_payload_len":551,"midstream":0,"ts_msec":1587041678120,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60537,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Microsoft","breed":"Safe","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mobile.pipe.aria.microsoft.com","server_names":"*.events.data.microsoft.com,events.data.microsoft.com,*.pipe.aria.microsoft.com,pipe.skype.com,*.pipe.skype.com,*.mobile.events.data.microsoft.com,mobile.events.data.microsoft.com,*.events.data.msn.com,events.data.msn.com","ja3":"a1674500365bdd882188db63730e69a2","ja3s":"ae4edc6faf64d08308082ad26be60767","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4","subjectDN":"CN=*.events.data.microsoft.com","fingerprint":"33:B3:B7:E9:DA:25:F5:A0:04:E9:63:87:B6:FB:54:77:DB:ED:27:EB"}}
00353{"packet_event_id":1,"packet_event_name":"packet","thread_id":0,"packet_id":644,"source":"teams.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":38,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"ts_msec":1587041678611,"pkt":"AYDCAAAAeCjKBfrMACZCQgMAAAAAAJAAeCjKBfrMAAAAAJAAeCjKBfrMgAEAAAYAAQAEAKWlpaWlpaWl"}
00145{"basic_event_id":5,"basic_event_name":"Unknown packet type","thread_id":0,"packet_id":644,"source":"teams.pcap","alias":"nDPId-test","type":38}
00548{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":645,"source":"teams.pcap","alias":"nDPId-test","flow_id":10,"flow_packets_processed":1,"flow_first_seen":1587041679059,"flow_last_seen":1587041679059,"flow_idle_time":180000,"flow_min_l4_payload_len":41,"flow_max_l4_payload_len":41,"flow_tot_l4_payload_len":41,"flow_avg_l4_payload_len":41,"midstream":0,"ts_msec":1587041679059,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"192.168.1.1","src_port":64046,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
@@ -86,7 +86,7 @@
00728{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":651,"source":"teams.pcap","alias":"nDPId-test","flow_id":10,"flow_packets_processed":3,"flow_first_seen":1587041679059,"flow_last_seen":1587041680074,"flow_idle_time":180000,"flow_min_l4_payload_len":41,"flow_max_l4_payload_len":94,"flow_tot_l4_payload_len":176,"flow_avg_l4_payload_len":58,"midstream":0,"ts_msec":1587041680074,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"192.168.1.1","src_port":64046,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.ntop","breed":"Safe","category":"Network"},"dns": {"query":"b._dns-sd._udp.ntop.org","num_queries":1,"num_answers":1,"reply_code":3,"query_type":12,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
00549{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":664,"source":"teams.pcap","alias":"nDPId-test","flow_id":13,"flow_packets_processed":1,"flow_first_seen":1587041680216,"flow_last_seen":1587041680216,"flow_idle_time":180000,"flow_min_l4_payload_len":355,"flow_max_l4_payload_len":355,"flow_tot_l4_payload_len":355,"flow_avg_l4_payload_len":355,"midstream":0,"ts_msec":1587041680216,"l3_proto":"ip4","src_ip":"0.0.0.0","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00920{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":664,"source":"teams.pcap","alias":"nDPId-test","flow_id":13,"flow_packet_id":1,"flow_last_seen":1587041680216,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":397,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":397,"pkt_l4_len":363,"ts_msec":1587041680216,"pkt":"\/\/\/\/\/\/\/\/AICPmq69CABFAAF\/44MAAEARlesAAAAA\/\/\/\/\/wBEAEMBa5dnAQEGABWCmMYYtQAAAAAAAAAAAAAAAAAAAAAAAACAj5quvQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABjglNjNQEBPRP\/j5quvQABAAEfyzfOuCfrPQjbUAB0AQE5AgXcPC1kaGNwY2QtNi4xMC4xOkxpbnV4LTQuOS41Ny12Nys6YXJtdjdsOkJDTTI4MzUMDHBpMy5udG9wLm9yZ5EBATcPAXkhAwYMDxocKjM2Ojt3\/w=="}
-00609{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":664,"source":"teams.pcap","alias":"nDPId-test","flow_id":13,"flow_packets_processed":1,"flow_first_seen":1587041680216,"flow_last_seen":1587041680216,"flow_idle_time":180000,"flow_min_l4_payload_len":355,"flow_max_l4_payload_len":355,"flow_tot_l4_payload_len":355,"flow_avg_l4_payload_len":355,"midstream":0,"ts_msec":1587041680216,"l3_proto":"ip4","src_ip":"0.0.0.0","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","ndpi": {"proto":"DHCP","breed":"Acceptable","category":"Network"},"dhcp": {"fingerprint":""}}
+00640{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":664,"source":"teams.pcap","alias":"nDPId-test","flow_id":13,"flow_packets_processed":1,"flow_first_seen":1587041680216,"flow_last_seen":1587041680216,"flow_idle_time":180000,"flow_min_l4_payload_len":355,"flow_max_l4_payload_len":355,"flow_tot_l4_payload_len":355,"flow_avg_l4_payload_len":355,"midstream":0,"ts_msec":1587041680216,"l3_proto":"ip4","src_ip":"0.0.0.0","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","ndpi": {"proto":"DHCP","breed":"Acceptable","category":"Network"},"dhcp": {"hostname":"","fingerprint":"","class_ident":""}}
00552{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":665,"source":"teams.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":1,"flow_first_seen":1587041680294,"flow_last_seen":1587041680294,"flow_idle_time":7440000,"flow_min_l4_payload_len":36,"flow_max_l4_payload_len":36,"flow_tot_l4_payload_len":36,"flow_avg_l4_payload_len":36,"midstream":1,"ts_msec":1587041680294,"l3_proto":"ip4","src_ip":"93.62.150.157","dst_ip":"192.168.1.6","src_port":443,"dst_port":60512,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00512{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":665,"source":"teams.pcap","alias":"nDPId-test","flow_id":14,"flow_packet_id":1,"flow_last_seen":1587041680294,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":102,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":102,"pkt_l4_len":68,"ts_msec":1587041680294,"pkt":"KDc3AG3IEBMx8Tl2CABFAABYCTNAAHEGSuNdPpadwKgBBgG77GBJd2ZkkI5L3oAY\/\/uUpgAAAQEICsJ1bW4wg\/kbFwMDAB8AAAAAAAAABVYf48xkHJTZ\/YMO7dmv4tC6Gofi60hR"}
00442{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":666,"source":"teams.pcap","alias":"nDPId-test","flow_id":14,"flow_packet_id":2,"flow_last_seen":1587041680294,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1587041680294,"pkt":"EBMx8Tl2KDc3AG3ICABFAAAoAABAAEAGhUbAqAEGXT6WnexgAbuQjkveAAAAAFAEAAAvzgAA"}
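Review bot: The new expected `detected` event for flow 13 pins `"hostname":""`, `"fingerprint":""` and `"class_ident":""`, yet the base64 `pkt` of the packet-flow event just above it (same packet_id 664) appears to decode to a DHCP request carrying option 60 (`dhcpcd-6.10.1:Linux-4.9.57-v7+:armv7l:BCM2835`), option 12 (`pi3.ntop.org`) and a parameter request list. If that reading is right, this golden file locks in output that drops the client identity data, which consumers need when they use these events for asset inventory or for spotting unknown devices. An empty string also leaves a consumer unable to tell "option absent" from "not extracted yet". I would either serialize the `dhcp` object only after the options are parsed, so the expectation becomes `"hostname":"pi3.ntop.org"` and the matching `class_ident`, or omit keys whose value is empty. Whether the cause sits in nDPId.c or in the libnDPI dissector is not visible from this hunk.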
@@ -135,7 +135,7 @@
00548{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":948,"source":"teams.pcap","alias":"nDPId-test","flow_id":22,"flow_packets_processed":1,"flow_first_seen":1587041682129,"flow_last_seen":1587041682129,"flow_idle_time":180000,"flow_min_l4_payload_len":44,"flow_max_l4_payload_len":44,"flow_tot_l4_payload_len":44,"flow_avg_l4_payload_len":44,"midstream":0,"ts_msec":1587041682129,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"192.168.1.1","src_port":49514,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00486{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":948,"source":"teams.pcap","alias":"nDPId-test","flow_id":22,"flow_packet_id":1,"flow_last_seen":1587041682129,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"ts_msec":1587041682129,"pkt":"EBMx8Tl2KDc3AG3ICABFAABIVE8AAP8R4\/3AqAEGwKgBAcFqADUANJ5TmvIBAAABAAAAAAAABmNvbmZpZwV0ZWFtcwltaWNyb3NvZnQDY29tAAABAAE="}
00728{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":948,"source":"teams.pcap","alias":"nDPId-test","flow_id":22,"flow_packets_processed":1,"flow_first_seen":1587041682129,"flow_last_seen":1587041682129,"flow_idle_time":180000,"flow_min_l4_payload_len":44,"flow_max_l4_payload_len":44,"flow_tot_l4_payload_len":44,"flow_avg_l4_payload_len":44,"midstream":0,"ts_msec":1587041682129,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"192.168.1.1","src_port":49514,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Teams","breed":"Safe","category":"Collaborative"},"dns": {"query":"config.teams.microsoft.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
-01113{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":969,"source":"teams.pcap","alias":"nDPId-test","flow_id":21,"flow_packets_processed":10,"flow_first_seen":1587041682077,"flow_last_seen":1587041682140,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":6185,"flow_avg_l4_payload_len":618,"midstream":0,"ts_msec":1587041682140,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.75.69","src_port":60541,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Skype_Teams","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1.2","client_requested_server_name":"eu-api.asm.skype.com","server_names":"*.asm.skype.com","ja3":"74d5fa154a7fc0a7c655d8eaa34b89bf","ja3s":"986571066668055ae9481cb84fda634a","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 1","issuerDN":"CN=*.asm.skype.com","alpn":"h2,http\/1.1","fingerprint":"B9:41:1D:AE:56:09:68:D2:07:D0:69:E1:68:00:08:2B:EF:63:1E:48"}}
+01114{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":969,"source":"teams.pcap","alias":"nDPId-test","flow_id":21,"flow_packets_processed":10,"flow_first_seen":1587041682077,"flow_last_seen":1587041682140,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":6185,"flow_avg_l4_payload_len":618,"midstream":0,"ts_msec":1587041682140,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.75.69","src_port":60541,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Skype_Teams","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1.2","client_requested_server_name":"eu-api.asm.skype.com","server_names":"*.asm.skype.com","ja3":"74d5fa154a7fc0a7c655d8eaa34b89bf","ja3s":"986571066668055ae9481cb84fda634a","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 1","subjectDN":"CN=*.asm.skype.com","alpn":"h2,http\/1.1","fingerprint":"B9:41:1D:AE:56:09:68:D2:07:D0:69:E1:68:00:08:2B:EF:63:1E:48"}}
00646{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":975,"source":"teams.pcap","alias":"nDPId-test","flow_id":22,"flow_packet_id":2,"flow_last_seen":1587041682143,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":204,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":204,"pkt_l4_len":170,"ts_msec":1587041682143,"pkt":"KDc3AG3IEBMx8Tl2CABFAAC+wIdAADkR\/U\/AqAEBwKgBBgA1wWoAqgAAmvKBgAABAAQAAAAABmNvbmZpZwV0ZWFtcwltaWNyb3NvZnQDY29tAAABAAHADAAFAAEAAAs5ACEGY29uZmlnBXRlYW1zDnRyYWZmaWNtYW5hZ2VyA25ldADAOAAFAAEAAAALAB8MY29uZmlnLXRlYW1zBnMtMDAwNQhzLW1zZWRnZcBUwGUABQABAAAAOgACwHLAcgABAAEAAABoAAQ0ccKE"}
00746{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":975,"source":"teams.pcap","alias":"nDPId-test","flow_id":22,"flow_packets_processed":2,"flow_first_seen":1587041682129,"flow_last_seen":1587041682143,"flow_idle_time":180000,"flow_min_l4_payload_len":44,"flow_max_l4_payload_len":162,"flow_tot_l4_payload_len":206,"flow_avg_l4_payload_len":103,"midstream":0,"ts_msec":1587041682143,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"192.168.1.1","src_port":49514,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Teams","breed":"Safe","category":"Collaborative"},"dns": {"query":"config.teams.microsoft.com","num_queries":1,"num_answers":4,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"52.113.194.132"}}
00549{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":976,"source":"teams.pcap","alias":"nDPId-test","flow_id":23,"flow_packets_processed":1,"flow_first_seen":1587041682144,"flow_last_seen":1587041682144,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1587041682144,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60542,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -143,7 +143,7 @@
00461{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":977,"source":"teams.pcap","alias":"nDPId-test","flow_id":23,"flow_packet_id":2,"flow_last_seen":1587041682156,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1587041682156,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA0EIdAAHUGPJk0ccKEwKgBBgG77H5W9rKzh8U6lIAS\/\/\/8MgAAAgQFoAEDAwgBAQQC"}
00442{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":978,"source":"teams.pcap","alias":"nDPId-test","flow_id":23,"flow_packet_id":3,"flow_last_seen":1587041682156,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1587041682156,"pkt":"EBMx8Tl2KDc3AG3ICABFAAAoAABAAEAGgizAqAEGNHHChOx+AbuHxTqUVvaytFAQIAAc8gAA"}
00807{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":979,"source":"teams.pcap","alias":"nDPId-test","flow_id":23,"flow_packets_processed":4,"flow_first_seen":1587041682144,"flow_last_seen":1587041682157,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":217,"flow_tot_l4_payload_len":217,"flow_avg_l4_payload_len":54,"midstream":0,"ts_msec":1587041682157,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60542,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Teams","breed":"Safe","category":"Collaborative"},"tls": {"version":"TLSv1.2","client_requested_server_name":"config.teams.microsoft.com","ja3":"ebf5e0e525258d7a8dcb54aa1564ecbd","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
-01170{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1001,"source":"teams.pcap","alias":"nDPId-test","flow_id":23,"flow_packets_processed":12,"flow_first_seen":1587041682144,"flow_last_seen":1587041682172,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1452,"flow_tot_l4_payload_len":6166,"flow_avg_l4_payload_len":513,"midstream":0,"ts_msec":1587041682172,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60542,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Teams","breed":"Safe","category":"Collaborative"},"tls": {"version":"TLSv1.2","client_requested_server_name":"config.teams.microsoft.com","server_names":"*.config.teams.microsoft.com,config.teams.microsoft.com","ja3":"ebf5e0e525258d7a8dcb54aa1564ecbd","ja3s":"0f14538e1c9070becdad7739c67d6363","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 1","issuerDN":"CN=config.teams.microsoft.com","alpn":"h2,http\/1.1","fingerprint":"B9:54:54:12:C9:E9:43:65:10:70:04:7B:AD:B6:0C:46:06:38:A5:FA"}}
+01171{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1001,"source":"teams.pcap","alias":"nDPId-test","flow_id":23,"flow_packets_processed":12,"flow_first_seen":1587041682144,"flow_last_seen":1587041682172,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1452,"flow_tot_l4_payload_len":6166,"flow_avg_l4_payload_len":513,"midstream":0,"ts_msec":1587041682172,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60542,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Teams","breed":"Safe","category":"Collaborative"},"tls": {"version":"TLSv1.2","client_requested_server_name":"config.teams.microsoft.com","server_names":"*.config.teams.microsoft.com,config.teams.microsoft.com","ja3":"ebf5e0e525258d7a8dcb54aa1564ecbd","ja3s":"0f14538e1c9070becdad7739c67d6363","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 1","subjectDN":"CN=config.teams.microsoft.com","alpn":"h2,http\/1.1","fingerprint":"B9:54:54:12:C9:E9:43:65:10:70:04:7B:AD:B6:0C:46:06:38:A5:FA"}}
00549{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1071,"source":"teams.pcap","alias":"nDPId-test","flow_id":24,"flow_packets_processed":1,"flow_first_seen":1587041682355,"flow_last_seen":1587041682355,"flow_idle_time":180000,"flow_min_l4_payload_len":51,"flow_max_l4_payload_len":51,"flow_tot_l4_payload_len":51,"flow_avg_l4_payload_len":51,"midstream":0,"ts_msec":1587041682355,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"192.168.1.1","src_port":65387,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00494{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1071,"source":"teams.pcap","alias":"nDPId-test","flow_id":24,"flow_packet_id":1,"flow_last_seen":1587041682355,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":93,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":93,"pkt_l4_len":59,"ts_msec":1587041682355,"pkt":"EBMx8Tl2KDc3AG3ICABFAABPcIEAAP8Rx8TAqAEGwKgBAf9rADUAOydaEDoBAAABAAAAAAAADm5vcnRoZXVyb3BlY25zDnRyYWZmaWNtYW5hZ2VyA25ldAAAAQAB"}
00730{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1071,"source":"teams.pcap","alias":"nDPId-test","flow_id":24,"flow_packets_processed":1,"flow_first_seen":1587041682355,"flow_last_seen":1587041682355,"flow_idle_time":180000,"flow_min_l4_payload_len":51,"flow_max_l4_payload_len":51,"flow_tot_l4_payload_len":51,"flow_avg_l4_payload_len":51,"midstream":0,"ts_msec":1587041682355,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"192.168.1.1","src_port":65387,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS","breed":"Acceptable","category":"Network"},"dns": {"query":"northeuropecns.trafficmanager.net","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
@@ -160,7 +160,7 @@
00444{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1157,"source":"teams.pcap","alias":"nDPId-test","flow_id":26,"flow_packet_id":3,"flow_last_seen":1587041682423,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1587041682423,"pkt":"EBMx8Tl2KDc3AG3ICABFAAAoAABAAEAG+H\/AqAEGNHJMMOyAAbuusi7tlL44xVAQIAC0JAAA"}
00825{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1158,"source":"teams.pcap","alias":"nDPId-test","flow_id":26,"flow_packets_processed":4,"flow_first_seen":1587041682376,"flow_last_seen":1587041682423,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":236,"flow_tot_l4_payload_len":236,"flow_avg_l4_payload_len":59,"midstream":0,"ts_msec":1587041682423,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.76.48","src_port":60544,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Teams","breed":"Safe","category":"Collaborative"},"tls": {"version":"TLSv1.2","client_requested_server_name":"northeurope.notifications.teams.microsoft.com","ja3":"ebf5e0e525258d7a8dcb54aa1564ecbd","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
00815{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1159,"source":"teams.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_last_seen":1587041682440,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":321,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":321,"pkt_l4_len":287,"ts_msec":1587041682440,"pkt":"\/\/\/\/\/\/\/\/2A0X1lWrCABFAAEzES9AAEARZ+LAqAAB\/\/\/\/\/wBEAEMBHwAAAQEGAHT\/ICoAAIAAAAAAAAAAAAAAAAAAAAAAANgNF9ZVqwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABjglNjNQEBNwIBAwwJVEwtU0cxMTZFPAlUTC1TRzExNkU9BwHYDRfWVav\/"}
-01368{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1185,"source":"teams.pcap","alias":"nDPId-test","flow_id":25,"flow_packets_processed":9,"flow_first_seen":1587041682369,"flow_last_seen":1587041682557,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":4409,"flow_avg_l4_payload_len":489,"midstream":0,"ts_msec":1587041682557,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60543,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Microsoft","breed":"Safe","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mobile.pipe.aria.microsoft.com","server_names":"*.events.data.microsoft.com,events.data.microsoft.com,*.pipe.aria.microsoft.com,pipe.skype.com,*.pipe.skype.com,*.mobile.events.data.microsoft.com,mobile.events.data.microsoft.com,*.events.data.msn.com,events.data.msn.com","ja3":"a1674500365bdd882188db63730e69a2","ja3s":"ae4edc6faf64d08308082ad26be60767","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4","issuerDN":"CN=*.events.data.microsoft.com","fingerprint":"33:B3:B7:E9:DA:25:F5:A0:04:E9:63:87:B6:FB:54:77:DB:ED:27:EB"}}
+01369{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1185,"source":"teams.pcap","alias":"nDPId-test","flow_id":25,"flow_packets_processed":9,"flow_first_seen":1587041682369,"flow_last_seen":1587041682557,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":4409,"flow_avg_l4_payload_len":489,"midstream":0,"ts_msec":1587041682557,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60543,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Microsoft","breed":"Safe","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mobile.pipe.aria.microsoft.com","server_names":"*.events.data.microsoft.com,events.data.microsoft.com,*.pipe.aria.microsoft.com,pipe.skype.com,*.pipe.skype.com,*.mobile.events.data.microsoft.com,mobile.events.data.microsoft.com,*.events.data.msn.com,events.data.msn.com","ja3":"a1674500365bdd882188db63730e69a2","ja3s":"ae4edc6faf64d08308082ad26be60767","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4","subjectDN":"CN=*.events.data.microsoft.com","fingerprint":"33:B3:B7:E9:DA:25:F5:A0:04:E9:63:87:B6:FB:54:77:DB:ED:27:EB"}}
00354{"packet_event_id":1,"packet_event_name":"packet","thread_id":0,"packet_id":1189,"source":"teams.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":38,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"ts_msec":1587041682611,"pkt":"AYDCAAAAeCjKBfrMACZCQgMAAAAAAJAAeCjKBfrMAAAAAJAAeCjKBfrMgAEAAAYAAQAEAKWlpaWlpaWl"}
00146{"basic_event_id":5,"basic_event_name":"Unknown packet type","thread_id":0,"packet_id":1189,"source":"teams.pcap","alias":"nDPId-test","type":38}
00549{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1193,"source":"teams.pcap","alias":"nDPId-test","flow_id":27,"flow_packets_processed":1,"flow_first_seen":1587041682668,"flow_last_seen":1587041682668,"flow_idle_time":180000,"flow_min_l4_payload_len":58,"flow_max_l4_payload_len":58,"flow_tot_l4_payload_len":58,"flow_avg_l4_payload_len":58,"midstream":0,"ts_msec":1587041682668,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"192.168.1.1","src_port":57530,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
@@ -200,7 +200,7 @@
00840{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1495,"source":"teams.pcap","alias":"nDPId-test","flow_id":33,"flow_packets_processed":4,"flow_first_seen":1587041683333,"flow_last_seen":1587041683379,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":206,"flow_tot_l4_payload_len":206,"flow_avg_l4_payload_len":51,"midstream":0,"ts_msec":1587041683379,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60548,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Microsoft","breed":"Safe","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mobile.pipe.aria.microsoft.com","ja3":"a1674500365bdd882188db63730e69a2","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
00365{"packet_event_id":1,"packet_event_name":"packet","thread_id":0,"packet_id":1499,"source":"teams.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":34969,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"ts_msec":1587041683406,"pkt":"\/\/\/\/\/\/\/\/2A0X1lWriJklgAAA2A0X1lWrAACAAADYDRfWVauACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}
00149{"basic_event_id":5,"basic_event_name":"Unknown packet type","thread_id":0,"packet_id":1499,"source":"teams.pcap","alias":"nDPId-test","type":34969}
-01368{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1503,"source":"teams.pcap","alias":"nDPId-test","flow_id":33,"flow_packets_processed":8,"flow_first_seen":1587041683333,"flow_last_seen":1587041683431,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":4409,"flow_avg_l4_payload_len":551,"midstream":0,"ts_msec":1587041683431,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60548,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Microsoft","breed":"Safe","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mobile.pipe.aria.microsoft.com","server_names":"*.events.data.microsoft.com,events.data.microsoft.com,*.pipe.aria.microsoft.com,pipe.skype.com,*.pipe.skype.com,*.mobile.events.data.microsoft.com,mobile.events.data.microsoft.com,*.events.data.msn.com,events.data.msn.com","ja3":"a1674500365bdd882188db63730e69a2","ja3s":"ae4edc6faf64d08308082ad26be60767","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4","issuerDN":"CN=*.events.data.microsoft.com","fingerprint":"33:B3:B7:E9:DA:25:F5:A0:04:E9:63:87:B6:FB:54:77:DB:ED:27:EB"}}
+01369{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1503,"source":"teams.pcap","alias":"nDPId-test","flow_id":33,"flow_packets_processed":8,"flow_first_seen":1587041683333,"flow_last_seen":1587041683431,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":4409,"flow_avg_l4_payload_len":551,"midstream":0,"ts_msec":1587041683431,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60548,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Microsoft","breed":"Safe","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mobile.pipe.aria.microsoft.com","server_names":"*.events.data.microsoft.com,events.data.microsoft.com,*.pipe.aria.microsoft.com,pipe.skype.com,*.pipe.skype.com,*.mobile.events.data.microsoft.com,mobile.events.data.microsoft.com,*.events.data.msn.com,events.data.msn.com","ja3":"a1674500365bdd882188db63730e69a2","ja3s":"ae4edc6faf64d08308082ad26be60767","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4","subjectDN":"CN=*.events.data.microsoft.com","fingerprint":"33:B3:B7:E9:DA:25:F5:A0:04:E9:63:87:B6:FB:54:77:DB:ED:27:EB"}}
00354{"packet_event_id":1,"packet_event_name":"packet","thread_id":0,"packet_id":1533,"source":"teams.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":38,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"ts_msec":1587041683611,"pkt":"AYDCAAAAeCjKBfrMACZCQgMAAAAAAJAAeCjKBfrMAAAAAJAAeCjKBfrMgAEAAAYAAQAEAKWlpaWlpaWl"}
00146{"basic_event_id":5,"basic_event_name":"Unknown packet type","thread_id":0,"packet_id":1533,"source":"teams.pcap","alias":"nDPId-test","type":38}
00549{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1685,"source":"teams.pcap","alias":"nDPId-test","flow_id":34,"flow_packets_processed":1,"flow_first_seen":1587041684291,"flow_last_seen":1587041684291,"flow_idle_time":180000,"flow_min_l4_payload_len":38,"flow_max_l4_payload_len":38,"flow_tot_l4_payload_len":38,"flow_avg_l4_payload_len":38,"midstream":0,"ts_msec":1587041684291,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"192.168.1.1","src_port":59403,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
@@ -213,7 +213,7 @@
00462{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1697,"source":"teams.pcap","alias":"nDPId-test","flow_id":35,"flow_packet_id":2,"flow_last_seen":1587041684317,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1587041684317,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA0FJpAAHUGEAYNaxILwKgBBgG77IU13hw0zZy4moAS\/\/\/HZQAAAgQFoAEDAwgBAQQC"}
00443{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1698,"source":"teams.pcap","alias":"nDPId-test","flow_id":35,"flow_packet_id":3,"flow_last_seen":1587041684317,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1587041684317,"pkt":"EBMx8Tl2KDc3AG3ICABFAAAoAABAAEAGWazAqAEGDWsSC+yFAbvNnLiaNd4cNVAQIADoJAAA"}
00813{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1699,"source":"teams.pcap","alias":"nDPId-test","flow_id":35,"flow_packets_processed":4,"flow_first_seen":1587041684306,"flow_last_seen":1587041684317,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":211,"flow_tot_l4_payload_len":211,"flow_avg_l4_payload_len":52,"midstream":0,"ts_msec":1587041684317,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"13.107.18.11","src_port":60549,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Microsoft365","breed":"Acceptable","category":"Collaborative"},"tls": {"version":"TLSv1.2","client_requested_server_name":"substrate.office.com","ja3":"ebf5e0e525258d7a8dcb54aa1564ecbd","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
-01634{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1722,"source":"teams.pcap","alias":"nDPId-test","flow_id":35,"flow_packets_processed":10,"flow_first_seen":1587041684306,"flow_last_seen":1587041684362,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1452,"flow_tot_l4_payload_len":4607,"flow_avg_l4_payload_len":460,"midstream":0,"ts_msec":1587041684362,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"13.107.18.11","src_port":60549,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Microsoft365","breed":"Acceptable","category":"Collaborative"},"tls": {"version":"TLSv1.2","client_requested_server_name":"substrate.office.com","server_names":"outlook.office.com,attachment.outlook.office.net,attachment.outlook.officeppe.net,bookings.office.com,delve.office.com,edge.outlook.office365.com,edgesdf.outlook.com,img.delve.office.com,outlook.live.com,outlook-sdf.live.com,outlook-sdf.office.com,sdfedge-pilot.outlook.com,substrate.office.com,substrate-sdf.office.com,afd-k-acdc-direct.office.com,beta-sdf.yammer.com,teams-sdf.yammer.com,beta.yammer.com,teams.yammer.com,attachments.office.net,attachments-sdf.office.net,afd-k.office.com,afd-k-sdf.office.com","ja3":"ebf5e0e525258d7a8dcb54aa1564ecbd","ja3s":"a66ea560599a2f5c89eec8c3a0d69cee","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Outlook.office.com","alpn":"h2,http\/1.1","fingerprint":"AA:D3:F5:66:06:48:AA:F8:8E:9B:79:D6:7F:1D:53:EA:3F:97:03:A2"}}
+01635{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1722,"source":"teams.pcap","alias":"nDPId-test","flow_id":35,"flow_packets_processed":10,"flow_first_seen":1587041684306,"flow_last_seen":1587041684362,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1452,"flow_tot_l4_payload_len":4607,"flow_avg_l4_payload_len":460,"midstream":0,"ts_msec":1587041684362,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"13.107.18.11","src_port":60549,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Microsoft365","breed":"Acceptable","category":"Collaborative"},"tls": {"version":"TLSv1.2","client_requested_server_name":"substrate.office.com","server_names":"outlook.office.com,attachment.outlook.office.net,attachment.outlook.officeppe.net,bookings.office.com,delve.office.com,edge.outlook.office365.com,edgesdf.outlook.com,img.delve.office.com,outlook.live.com,outlook-sdf.live.com,outlook-sdf.office.com,sdfedge-pilot.outlook.com,substrate.office.com,substrate-sdf.office.com,afd-k-acdc-direct.office.com,beta-sdf.yammer.com,teams-sdf.yammer.com,beta.yammer.com,teams.yammer.com,attachments.office.net,attachments-sdf.office.net,afd-k.office.com,afd-k-sdf.office.com","ja3":"ebf5e0e525258d7a8dcb54aa1564ecbd","ja3s":"a66ea560599a2f5c89eec8c3a0d69cee","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1","subjectDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Outlook.office.com","alpn":"h2,http\/1.1","fingerprint":"AA:D3:F5:66:06:48:AA:F8:8E:9B:79:D6:7F:1D:53:EA:3F:97:03:A2"}}
00354{"packet_event_id":1,"packet_event_name":"packet","thread_id":0,"packet_id":1753,"source":"teams.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":38,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"ts_msec":1587041684611,"pkt":"AYDCAAAAeCjKBfrMACZCQgMAAAAAAJAAeCjKBfrMAAAAAJAAeCjKBfrMgAEAAAYAAQAEAKWlpaWlpaWl"}
00146{"basic_event_id":5,"basic_event_name":"Unknown packet type","thread_id":0,"packet_id":1753,"source":"teams.pcap","alias":"nDPId-test","type":38}
00549{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1775,"source":"teams.pcap","alias":"nDPId-test","flow_id":36,"flow_packets_processed":1,"flow_first_seen":1587041685090,"flow_last_seen":1587041685090,"flow_idle_time":180000,"flow_min_l4_payload_len":45,"flow_max_l4_payload_len":45,"flow_tot_l4_payload_len":45,"flow_avg_l4_payload_len":45,"midstream":0,"ts_msec":1587041685090,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"192.168.1.1","src_port":61245,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
@@ -262,7 +262,7 @@
00461{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1814,"source":"teams.pcap","alias":"nDPId-test","flow_id":40,"flow_packet_id":2,"flow_last_seen":1587041685261,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1587041685261,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA0jN1AAG0Ge5k0cg8twKgBBgG77IfA1AaRAv0Ol4AS\/\/+iigAAAgQFoAEDAwgBAQQC"}
00444{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1815,"source":"teams.pcap","alias":"nDPId-test","flow_id":40,"flow_packet_id":3,"flow_last_seen":1587041685261,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1587041685261,"pkt":"EBMx8Tl2KDc3AG3ICABFAAAoAABAAEAGNYPAqAEGNHIPLeyHAbsC\/Q6XwNQGklAQIADDSQAA"}
00857{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1816,"source":"teams.pcap","alias":"nDPId-test","flow_id":40,"flow_packets_processed":4,"flow_first_seen":1587041685106,"flow_last_seen":1587041685262,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":203,"flow_tot_l4_payload_len":203,"flow_avg_l4_payload_len":50,"midstream":0,"ts_msec":1587041685262,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.15.45","src_port":60551,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Teams","breed":"Safe","category":"Collaborative"},"tls": {"version":"TLSv1.2","client_requested_server_name":"trouter2-asse-a.trouter.teams.microsoft.com","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
-01204{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1824,"source":"teams.pcap","alias":"nDPId-test","flow_id":43,"flow_packets_processed":12,"flow_first_seen":1587041685240,"flow_last_seen":1587041685269,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1452,"flow_tot_l4_payload_len":6122,"flow_avg_l4_payload_len":510,"midstream":0,"ts_msec":1587041685269,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60554,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Teams","breed":"Safe","category":"Collaborative"},"tls": {"version":"TLSv1.2","client_requested_server_name":"config.teams.microsoft.com","server_names":"*.config.teams.microsoft.com,config.teams.microsoft.com","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"7d8fd34fdb13a7fff30d5a52846b6c4c","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 1","issuerDN":"CN=config.teams.microsoft.com","fingerprint":"B9:54:54:12:C9:E9:43:65:10:70:04:7B:AD:B6:0C:46:06:38:A5:FA"}}
+01205{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1824,"source":"teams.pcap","alias":"nDPId-test","flow_id":43,"flow_packets_processed":12,"flow_first_seen":1587041685240,"flow_last_seen":1587041685269,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1452,"flow_tot_l4_payload_len":6122,"flow_avg_l4_payload_len":510,"midstream":0,"ts_msec":1587041685269,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60554,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Teams","breed":"Safe","category":"Collaborative"},"tls": {"version":"TLSv1.2","client_requested_server_name":"config.teams.microsoft.com","server_names":"*.config.teams.microsoft.com,config.teams.microsoft.com","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"7d8fd34fdb13a7fff30d5a52846b6c4c","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 1","subjectDN":"CN=config.teams.microsoft.com","fingerprint":"B9:54:54:12:C9:E9:43:65:10:70:04:7B:AD:B6:0C:46:06:38:A5:FA"}}
00471{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1828,"source":"teams.pcap","alias":"nDPId-test","flow_id":42,"flow_packet_id":2,"flow_last_seen":1587041685278,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1587041685278,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8aa1AAGwGYc00ck0hwKgBBgG77IgacWa+co2TlKASIABIJQAAAgQFoAEDAwgEAggKYR7cGTCEuUo="}
00459{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1829,"source":"teams.pcap","alias":"nDPId-test","flow_id":42,"flow_packet_id":3,"flow_last_seen":1587041685278,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1587041685278,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAG94LAqAEGNHJNIeyIAbtyjZOUGnFmv4AQEAmGrAAAAQEICjCEuXNhHtwZ"}
00840{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1830,"source":"teams.pcap","alias":"nDPId-test","flow_id":42,"flow_packets_processed":4,"flow_first_seen":1587041685232,"flow_last_seen":1587041685278,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":206,"flow_tot_l4_payload_len":206,"flow_avg_l4_payload_len":51,"midstream":0,"ts_msec":1587041685278,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60552,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Microsoft","breed":"Safe","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mobile.pipe.aria.microsoft.com","ja3":"a1674500365bdd882188db63730e69a2","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
@@ -272,11 +272,11 @@
00471{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1841,"source":"teams.pcap","alias":"nDPId-test","flow_id":45,"flow_packet_id":2,"flow_last_seen":1587041685294,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1587041685294,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8VA1AAGwGd200ck0hwKgBBgG77IvHJo2qMLP5JqASIAAqDQAAAgQFoAEDAwgEAggKYR8CxDCEuVo="}
00460{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1842,"source":"teams.pcap","alias":"nDPId-test","flow_id":45,"flow_packet_id":3,"flow_last_seen":1587041685294,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1587041685294,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAG94LAqAEGNHJNIeyLAbsws\/kmxyaNq4AQEAlolwAAAQEICjCEuYBhHwLE"}
00840{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1843,"source":"teams.pcap","alias":"nDPId-test","flow_id":45,"flow_packets_processed":4,"flow_first_seen":1587041685248,"flow_last_seen":1587041685294,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":190,"flow_tot_l4_payload_len":190,"flow_avg_l4_payload_len":47,"midstream":0,"ts_msec":1587041685294,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60555,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Microsoft","breed":"Safe","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mobile.pipe.aria.microsoft.com","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
-01368{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1864,"source":"teams.pcap","alias":"nDPId-test","flow_id":42,"flow_packets_processed":8,"flow_first_seen":1587041685232,"flow_last_seen":1587041685327,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":4409,"flow_avg_l4_payload_len":551,"midstream":0,"ts_msec":1587041685327,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60552,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Microsoft","breed":"Safe","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mobile.pipe.aria.microsoft.com","server_names":"*.events.data.microsoft.com,events.data.microsoft.com,*.pipe.aria.microsoft.com,pipe.skype.com,*.pipe.skype.com,*.mobile.events.data.microsoft.com,mobile.events.data.microsoft.com,*.events.data.msn.com,events.data.msn.com","ja3":"a1674500365bdd882188db63730e69a2","ja3s":"ae4edc6faf64d08308082ad26be60767","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4","issuerDN":"CN=*.events.data.microsoft.com","fingerprint":"33:B3:B7:E9:DA:25:F5:A0:04:E9:63:87:B6:FB:54:77:DB:ED:27:EB"}}
-01369{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1874,"source":"teams.pcap","alias":"nDPId-test","flow_id":45,"flow_packets_processed":11,"flow_first_seen":1587041685248,"flow_last_seen":1587041685350,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":6269,"flow_avg_l4_payload_len":569,"midstream":0,"ts_msec":1587041685350,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60555,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Microsoft","breed":"Safe","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mobile.pipe.aria.microsoft.com","server_names":"*.events.data.microsoft.com,events.data.microsoft.com,*.pipe.aria.microsoft.com,pipe.skype.com,*.pipe.skype.com,*.mobile.events.data.microsoft.com,mobile.events.data.microsoft.com,*.events.data.msn.com,events.data.msn.com","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"986571066668055ae9481cb84fda634a","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4","issuerDN":"CN=*.events.data.microsoft.com","fingerprint":"33:B3:B7:E9:DA:25:F5:A0:04:E9:63:87:B6:FB:54:77:DB:ED:27:EB"}}
+01369{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1864,"source":"teams.pcap","alias":"nDPId-test","flow_id":42,"flow_packets_processed":8,"flow_first_seen":1587041685232,"flow_last_seen":1587041685327,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":4409,"flow_avg_l4_payload_len":551,"midstream":0,"ts_msec":1587041685327,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60552,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Microsoft","breed":"Safe","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mobile.pipe.aria.microsoft.com","server_names":"*.events.data.microsoft.com,events.data.microsoft.com,*.pipe.aria.microsoft.com,pipe.skype.com,*.pipe.skype.com,*.mobile.events.data.microsoft.com,mobile.events.data.microsoft.com,*.events.data.msn.com,events.data.msn.com","ja3":"a1674500365bdd882188db63730e69a2","ja3s":"ae4edc6faf64d08308082ad26be60767","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4","subjectDN":"CN=*.events.data.microsoft.com","fingerprint":"33:B3:B7:E9:DA:25:F5:A0:04:E9:63:87:B6:FB:54:77:DB:ED:27:EB"}}
+01370{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1874,"source":"teams.pcap","alias":"nDPId-test","flow_id":45,"flow_packets_processed":11,"flow_first_seen":1587041685248,"flow_last_seen":1587041685350,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":6269,"flow_avg_l4_payload_len":569,"midstream":0,"ts_msec":1587041685350,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60555,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Microsoft","breed":"Safe","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mobile.pipe.aria.microsoft.com","server_names":"*.events.data.microsoft.com,events.data.microsoft.com,*.pipe.aria.microsoft.com,pipe.skype.com,*.pipe.skype.com,*.mobile.events.data.microsoft.com,mobile.events.data.microsoft.com,*.events.data.msn.com,events.data.msn.com","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"986571066668055ae9481cb84fda634a","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4","subjectDN":"CN=*.events.data.microsoft.com","fingerprint":"33:B3:B7:E9:DA:25:F5:A0:04:E9:63:87:B6:FB:54:77:DB:ED:27:EB"}}
00365{"packet_event_id":1,"packet_event_name":"packet","thread_id":0,"packet_id":1897,"source":"teams.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":34969,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"ts_msec":1587041685406,"pkt":"\/\/\/\/\/\/\/\/2A0X1lWriJklgAAA2A0X1lWrAACAAADYDRfWVauACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}
00149{"basic_event_id":5,"basic_event_name":"Unknown packet type","thread_id":0,"packet_id":1897,"source":"teams.pcap","alias":"nDPId-test","type":34969}
-01244{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1908,"source":"teams.pcap","alias":"nDPId-test","flow_id":40,"flow_packets_processed":11,"flow_first_seen":1587041685106,"flow_last_seen":1587041685420,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1452,"flow_tot_l4_payload_len":6165,"flow_avg_l4_payload_len":560,"midstream":0,"ts_msec":1587041685420,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.15.45","src_port":60551,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Teams","breed":"Safe","category":"Collaborative"},"tls": {"version":"TLSv1.2","client_requested_server_name":"trouter2-asse-a.trouter.teams.microsoft.com","server_names":"*.trouter.teams.microsoft.com,go.trouter.io,*.drip.trouter.io,*.dc.trouter.io","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"986571066668055ae9481cb84fda634a","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 2","issuerDN":"CN=*.trouter.teams.microsoft.com","fingerprint":"DD:24:DF:0E:F3:63:CC:10:B5:03:CF:34:EB:A5:14:8B:97:90:9B:D4"}}
+01245{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1908,"source":"teams.pcap","alias":"nDPId-test","flow_id":40,"flow_packets_processed":11,"flow_first_seen":1587041685106,"flow_last_seen":1587041685420,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1452,"flow_tot_l4_payload_len":6165,"flow_avg_l4_payload_len":560,"midstream":0,"ts_msec":1587041685420,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.15.45","src_port":60551,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Teams","breed":"Safe","category":"Collaborative"},"tls": {"version":"TLSv1.2","client_requested_server_name":"trouter2-asse-a.trouter.teams.microsoft.com","server_names":"*.trouter.teams.microsoft.com,go.trouter.io,*.drip.trouter.io,*.dc.trouter.io","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"986571066668055ae9481cb84fda634a","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 2","subjectDN":"CN=*.trouter.teams.microsoft.com","fingerprint":"DD:24:DF:0E:F3:63:CC:10:B5:03:CF:34:EB:A5:14:8B:97:90:9B:D4"}}
00354{"packet_event_id":1,"packet_event_name":"packet","thread_id":0,"packet_id":1979,"source":"teams.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":38,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"ts_msec":1587041685611,"pkt":"AYDCAAAAeCjKBfrMACZCQgMAAAAAAJAAeCjKBfrMAAAAAJAAeCjKBfrMgAEAAAYAAQAEAKWlpaWlpaWl"}
00146{"basic_event_id":5,"basic_event_name":"Unknown packet type","thread_id":0,"packet_id":1979,"source":"teams.pcap","alias":"nDPId-test","type":38}
00550{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2018,"source":"teams.pcap","alias":"nDPId-test","flow_id":47,"flow_packets_processed":1,"flow_first_seen":1587041685984,"flow_last_seen":1587041685984,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1587041685984,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60557,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -284,7 +284,7 @@
00461{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2019,"source":"teams.pcap","alias":"nDPId-test","flow_id":47,"flow_packet_id":2,"flow_last_seen":1587041685996,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1587041685996,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA0TQBAAHUGACA0ccKEwKgBBgG77I3LqgPISlZN3IAS\/\/9gggAAAgQFoAEDAwgBAQQC"}
00443{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2020,"source":"teams.pcap","alias":"nDPId-test","flow_id":47,"flow_packet_id":3,"flow_last_seen":1587041685996,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1587041685996,"pkt":"EBMx8Tl2KDc3AG3ICABFAAAoAABAAEAGgizAqAEGNHHChOyNAbtKVk3cy6oDyVAQIACBQQAA"}
00835{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":2021,"source":"teams.pcap","alias":"nDPId-test","flow_id":47,"flow_packets_processed":4,"flow_first_seen":1587041685984,"flow_last_seen":1587041685997,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":179,"flow_tot_l4_payload_len":179,"flow_avg_l4_payload_len":44,"midstream":0,"ts_msec":1587041685997,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60557,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Teams","breed":"Safe","category":"Collaborative"},"tls": {"version":"TLSv1.2","client_requested_server_name":"teams.microsoft.com","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
-01154{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2029,"source":"teams.pcap","alias":"nDPId-test","flow_id":47,"flow_packets_processed":12,"flow_first_seen":1587041685984,"flow_last_seen":1587041686010,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1452,"flow_tot_l4_payload_len":6191,"flow_avg_l4_payload_len":515,"midstream":0,"ts_msec":1587041686010,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60557,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Teams","breed":"Safe","category":"Collaborative"},"tls": {"version":"TLSv1.2","client_requested_server_name":"teams.microsoft.com","server_names":"teams.microsoft.com","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"7d8fd34fdb13a7fff30d5a52846b6c4c","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4","issuerDN":"CN=teams.microsoft.com","fingerprint":"68:1E:E8:3C:83:70:6F:E3:86:F4:E8:8C:C4:E6:A0:9A:3E:E0:9C:0E"}}
+01155{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2029,"source":"teams.pcap","alias":"nDPId-test","flow_id":47,"flow_packets_processed":12,"flow_first_seen":1587041685984,"flow_last_seen":1587041686010,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1452,"flow_tot_l4_payload_len":6191,"flow_avg_l4_payload_len":515,"midstream":0,"ts_msec":1587041686010,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60557,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Teams","breed":"Safe","category":"Collaborative"},"tls": {"version":"TLSv1.2","client_requested_server_name":"teams.microsoft.com","server_names":"teams.microsoft.com","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"7d8fd34fdb13a7fff30d5a52846b6c4c","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4","subjectDN":"CN=teams.microsoft.com","fingerprint":"68:1E:E8:3C:83:70:6F:E3:86:F4:E8:8C:C4:E6:A0:9A:3E:E0:9C:0E"}}
00548{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2043,"source":"teams.pcap","alias":"nDPId-test","flow_id":48,"flow_packets_processed":1,"flow_first_seen":1587041686239,"flow_last_seen":1587041686239,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1587041686239,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60559,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00477{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2043,"source":"teams.pcap","alias":"nDPId-test","flow_id":48,"flow_packet_id":1,"flow_last_seen":1587041686239,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"ts_msec":1587041686239,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAG93bAqAEGNHJNIeyPAbtgh2e9AAAAALAC\/\/9PlwAAAgQFtAEDAwUBAQgKMIS9EAAAAAAEAgAA"}
00471{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2044,"source":"teams.pcap","alias":"nDPId-test","flow_id":48,"flow_packet_id":2,"flow_last_seen":1587041686288,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1587041686288,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8YwZAAGwGaHQ0ck0hwKgBBgG77I9T9FE0YIdnvqASIADemAAAAgQFoAEDAwgEAggKYR9buzCEvRA="}
@@ -300,7 +300,7 @@
00473{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2108,"source":"teams.pcap","alias":"nDPId-test","flow_id":50,"flow_packet_id":2,"flow_last_seen":1587041686918,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1587041686918,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8PdhAAGwG3XQofglDwKgBBgG77JCDb8\/fjKXdY6ASIAC\/qwAAAgQFoAEDAwgEAggKUkSG7zCEv4s="}
00460{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2109,"source":"teams.pcap","alias":"nDPId-test","flow_id":50,"flow_packet_id":3,"flow_last_seen":1587041686918,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1587041686918,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGR1XAqAEGKH4JQ+yQAbuMpd1jg2\/P4IAQEAn+PwAAAQEICjCEv6dSRIbv"}
00853{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":2110,"source":"teams.pcap","alias":"nDPId-test","flow_id":50,"flow_packets_processed":4,"flow_first_seen":1587041686889,"flow_last_seen":1587041686919,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":246,"flow_tot_l4_payload_len":246,"flow_avg_l4_payload_len":61,"midstream":0,"ts_msec":1587041686919,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"40.126.9.67","src_port":60560,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Microsoft365","breed":"Acceptable","category":"Collaborative"},"tls": {"version":"TLSv1.2","client_requested_server_name":"login.microsoftonline.com","ja3":"a69708a64f853c3bcc214c2c5faf84f3","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1"}}
-01436{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2135,"source":"teams.pcap","alias":"nDPId-test","flow_id":50,"flow_packets_processed":9,"flow_first_seen":1587041686889,"flow_last_seen":1587041686950,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":4662,"flow_avg_l4_payload_len":518,"midstream":0,"ts_msec":1587041686950,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"40.126.9.67","src_port":60560,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Microsoft365","breed":"Acceptable","category":"Collaborative"},"tls": {"version":"TLSv1.2","client_requested_server_name":"login.microsoftonline.com","server_names":"login.microsoftonline.com,login.microsoftonline-p.com,loginex.microsoftonline.com,login2.microsoftonline.com,stamp2.login.microsoftonline-int.com,login.microsoftonline-int.com,loginex.microsoftonline-int.com,login2.microsoftonline-int.com,stamp2.login.microsoftonline.com","ja3":"a69708a64f853c3bcc214c2c5faf84f3","ja3s":"678aeaf909676262acfb913ccb78a126","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 1","issuerDN":"CN=stamp2.login.microsoftonline.com","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","fingerprint":"7E:0F:A2:51:8F:FB:49:30:C3:34:07:5E:F8:7C:FD:34:20:A2:96:63"}}
+01437{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2135,"source":"teams.pcap","alias":"nDPId-test","flow_id":50,"flow_packets_processed":9,"flow_first_seen":1587041686889,"flow_last_seen":1587041686950,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":4662,"flow_avg_l4_payload_len":518,"midstream":0,"ts_msec":1587041686950,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"40.126.9.67","src_port":60560,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Microsoft365","breed":"Acceptable","category":"Collaborative"},"tls": {"version":"TLSv1.2","client_requested_server_name":"login.microsoftonline.com","server_names":"login.microsoftonline.com,login.microsoftonline-p.com,loginex.microsoftonline.com,login2.microsoftonline.com,stamp2.login.microsoftonline-int.com,login.microsoftonline-int.com,loginex.microsoftonline-int.com,login2.microsoftonline-int.com,stamp2.login.microsoftonline.com","ja3":"a69708a64f853c3bcc214c2c5faf84f3","ja3s":"678aeaf909676262acfb913ccb78a126","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 1","subjectDN":"CN=stamp2.login.microsoftonline.com","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","fingerprint":"7E:0F:A2:51:8F:FB:49:30:C3:34:07:5E:F8:7C:FD:34:20:A2:96:63"}}
00548{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2189,"source":"teams.pcap","alias":"nDPId-test","flow_id":51,"flow_packets_processed":1,"flow_first_seen":1587041687245,"flow_last_seen":1587041687245,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1587041687245,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60561,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00479{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2189,"source":"teams.pcap","alias":"nDPId-test","flow_id":51,"flow_packet_id":1,"flow_last_seen":1587041687245,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"ts_msec":1587041687245,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAG93bAqAEGNHJNIeyRAbt4yq\/kAAAAALAC\/\/\/rWgAAAgQFtAEDAwUBAQgKMITA4AAAAAAEAgAA"}
00471{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2193,"source":"teams.pcap","alias":"nDPId-test","flow_id":51,"flow_packet_id":2,"flow_last_seen":1587041687293,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1587041687293,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8EaVAAGwGudU0ck0hwKgBBgG77JHMBk4keMqv5aASIADnTgAAAgQFoAEDAwgEAggKYPR58TCEwOA="}
@@ -317,8 +317,8 @@
00477{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2202,"source":"teams.pcap","alias":"nDPId-test","flow_id":53,"flow_packet_id":1,"flow_last_seen":1587041687436,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"ts_msec":1587041687436,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGVUrAqAEGaCi7l+ySAbtvi5oIAAAAALAC\/\/9njAAAAgQFtAEDAwUBAQgKMITBnAAAAAAEAgAA"}
00471{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2203,"source":"teams.pcap","alias":"nDPId-test","flow_id":53,"flow_packet_id":2,"flow_last_seen":1587041687466,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1587041687466,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8OsBAAGwG7o1oKLuXwKgBBgG77JKBluUGb4uaCaASIADVGwAAAgQFoAEDAwgEAggKAbkbHzCEwZw="}
00459{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2204,"source":"teams.pcap","alias":"nDPId-test","flow_id":53,"flow_packet_id":3,"flow_last_seen":1587041687466,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1587041687466,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGVVbAqAEGaCi7l+ySAbtvi5oJgZblB4AQEAkTrwAAAQEICjCEwbkBuRsf"}
-00789{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":2205,"source":"teams.pcap","alias":"nDPId-test","flow_id":53,"flow_packets_processed":4,"flow_first_seen":1587041687436,"flow_last_seen":1587041687466,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":214,"flow_tot_l4_payload_len":214,"flow_avg_l4_payload_len":53,"midstream":0,"ts_msec":1587041687466,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"104.40.187.151","src_port":60562,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"api.microsoftstream.com","ja3":"ebf5e0e525258d7a8dcb54aa1564ecbd","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
-01369{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2226,"source":"teams.pcap","alias":"nDPId-test","flow_id":51,"flow_packets_processed":10,"flow_first_seen":1587041687245,"flow_last_seen":1587041687544,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":4615,"flow_avg_l4_payload_len":461,"midstream":0,"ts_msec":1587041687544,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60561,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Microsoft","breed":"Safe","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mobile.pipe.aria.microsoft.com","server_names":"*.events.data.microsoft.com,events.data.microsoft.com,*.pipe.aria.microsoft.com,pipe.skype.com,*.pipe.skype.com,*.mobile.events.data.microsoft.com,mobile.events.data.microsoft.com,*.events.data.msn.com,events.data.msn.com","ja3":"a1674500365bdd882188db63730e69a2","ja3s":"ae4edc6faf64d08308082ad26be60767","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4","issuerDN":"CN=*.events.data.microsoft.com","fingerprint":"33:B3:B7:E9:DA:25:F5:A0:04:E9:63:87:B6:FB:54:77:DB:ED:27:EB"}}
+00803{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":2205,"source":"teams.pcap","alias":"nDPId-test","flow_id":53,"flow_packets_processed":4,"flow_first_seen":1587041687436,"flow_last_seen":1587041687466,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":214,"flow_tot_l4_payload_len":214,"flow_avg_l4_payload_len":53,"midstream":0,"ts_msec":1587041687466,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"104.40.187.151","src_port":60562,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Azure","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"api.microsoftstream.com","ja3":"ebf5e0e525258d7a8dcb54aa1564ecbd","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
+01370{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2226,"source":"teams.pcap","alias":"nDPId-test","flow_id":51,"flow_packets_processed":10,"flow_first_seen":1587041687245,"flow_last_seen":1587041687544,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":4615,"flow_avg_l4_payload_len":461,"midstream":0,"ts_msec":1587041687544,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60561,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Microsoft","breed":"Safe","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mobile.pipe.aria.microsoft.com","server_names":"*.events.data.microsoft.com,events.data.microsoft.com,*.pipe.aria.microsoft.com,pipe.skype.com,*.pipe.skype.com,*.mobile.events.data.microsoft.com,mobile.events.data.microsoft.com,*.events.data.msn.com,events.data.msn.com","ja3":"a1674500365bdd882188db63730e69a2","ja3s":"ae4edc6faf64d08308082ad26be60767","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4","subjectDN":"CN=*.events.data.microsoft.com","fingerprint":"33:B3:B7:E9:DA:25:F5:A0:04:E9:63:87:B6:FB:54:77:DB:ED:27:EB"}}
00354{"packet_event_id":1,"packet_event_name":"packet","thread_id":0,"packet_id":2238,"source":"teams.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":38,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"ts_msec":1587041687611,"pkt":"AYDCAAAAeCjKBfrMACZCQgMAAAAAAJAAeCjKBfrMAAAAAJAAeCjKBfrMgAEAAAYAAQAEAKWlpaWlpaWl"}
00146{"basic_event_id":5,"basic_event_name":"Unknown packet type","thread_id":0,"packet_id":2238,"source":"teams.pcap","alias":"nDPId-test","type":38}
00549{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2259,"source":"teams.pcap","alias":"nDPId-test","flow_id":54,"flow_packets_processed":1,"flow_first_seen":1587041687731,"flow_last_seen":1587041687731,"flow_idle_time":180000,"flow_min_l4_payload_len":48,"flow_max_l4_payload_len":48,"flow_tot_l4_payload_len":48,"flow_avg_l4_payload_len":48,"midstream":0,"ts_msec":1587041687731,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"192.168.1.1","src_port":62735,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
@@ -330,7 +330,7 @@
00477{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2261,"source":"teams.pcap","alias":"nDPId-test","flow_id":55,"flow_packet_id":1,"flow_last_seen":1587041687745,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"ts_msec":1587041687745,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGienAqAEGNKm6d+yTAbth0wzHAAAAALAC\/\/81+QAAAgQFtAEDAwUBAQgKMITCxwAAAAAEAgAA"}
00471{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2265,"source":"teams.pcap","alias":"nDPId-test","flow_id":55,"flow_packet_id":2,"flow_last_seen":1587041687789,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1587041687789,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8GLFAAGwGRTw0qbp3wKgBBgG77JMQ1B2QYdMMyKASIACACgAAAgQFoAEDAwgEAggKASJ3bTCEwsc="}
00459{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2266,"source":"teams.pcap","alias":"nDPId-test","flow_id":55,"flow_packet_id":3,"flow_last_seen":1587041687789,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1587041687789,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGifXAqAEGNKm6d+yTAbth0wzIENQdkYAQEAm+kQAAAQEICjCEwvABIndt"}
-00796{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":2267,"source":"teams.pcap","alias":"nDPId-test","flow_id":55,"flow_packets_processed":4,"flow_first_seen":1587041687745,"flow_last_seen":1587041687789,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":221,"flow_tot_l4_payload_len":221,"flow_avg_l4_payload_len":55,"midstream":0,"ts_msec":1587041687789,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.169.186.119","src_port":60563,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"euno-1.api.microsoftstream.com","ja3":"ebf5e0e525258d7a8dcb54aa1564ecbd","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
+00810{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":2267,"source":"teams.pcap","alias":"nDPId-test","flow_id":55,"flow_packets_processed":4,"flow_first_seen":1587041687745,"flow_last_seen":1587041687789,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":221,"flow_tot_l4_payload_len":221,"flow_avg_l4_payload_len":55,"midstream":0,"ts_msec":1587041687789,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.169.186.119","src_port":60563,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Azure","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"euno-1.api.microsoftstream.com","ja3":"ebf5e0e525258d7a8dcb54aa1564ecbd","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
00354{"packet_event_id":1,"packet_event_name":"packet","thread_id":0,"packet_id":2311,"source":"teams.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":38,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"ts_msec":1587041688611,"pkt":"AYDCAAAAeCjKBfrMACZCQgMAAAAAAJAAeCjKBfrMAAAAAJAAeCjKBfrMgAEAAAYAAQAEAKWlpaWlpaWl"}
00146{"basic_event_id":5,"basic_event_name":"Unknown packet type","thread_id":0,"packet_id":2311,"source":"teams.pcap","alias":"nDPId-test","type":38}
00365{"packet_event_id":1,"packet_event_name":"packet","thread_id":0,"packet_id":2313,"source":"teams.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":34969,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"ts_msec":1587041689410,"pkt":"\/\/\/\/\/\/\/\/2A0X1lWriJklgAAA2A0X1lWrAACAAADYDRfWVauACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}
@@ -348,7 +348,7 @@
00477{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2319,"source":"teams.pcap","alias":"nDPId-test","flow_id":57,"flow_packet_id":1,"flow_last_seen":1587041690916,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"ts_msec":1587041690916,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGxpHAqAEGKE+KKeyUAbup7MP+AAAAALAC\/\/9nAwAAAgQFtAEDAwUBAQgKMITPEwAAAAAEAgAA"}
00472{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2320,"source":"teams.pcap","alias":"nDPId-test","flow_id":57,"flow_packet_id":2,"flow_last_seen":1587041690946,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1587041690946,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8GwdAAG4GfY4oT4opwKgBBgG77JSCI5UvqezD\/6ASIAArFwAAAgQFoAEDAwgEAggKUvjCpTCEzxM="}
00460{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2321,"source":"teams.pcap","alias":"nDPId-test","flow_id":57,"flow_packet_id":3,"flow_last_seen":1587041690946,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1587041690946,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGxp3AqAEGKE+KKeyUAbup7MP\/giOVMIAQEAlpqQAAAQEICjCEzzFS+MKl"}
-00818{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":2322,"source":"teams.pcap","alias":"nDPId-test","flow_id":57,"flow_packets_processed":4,"flow_first_seen":1587041690916,"flow_last_seen":1587041690946,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":239,"flow_tot_l4_payload_len":239,"flow_avg_l4_payload_len":59,"midstream":0,"ts_msec":1587041690946,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"40.79.138.41","src_port":60564,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"gate.hockeyapp.net","ja3":"a69708a64f853c3bcc214c2c5faf84f3","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1"}}
+00832{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":2322,"source":"teams.pcap","alias":"nDPId-test","flow_id":57,"flow_packets_processed":4,"flow_first_seen":1587041690916,"flow_last_seen":1587041690946,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":239,"flow_tot_l4_payload_len":239,"flow_avg_l4_payload_len":59,"midstream":0,"ts_msec":1587041690946,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"40.79.138.41","src_port":60564,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Azure","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"gate.hockeyapp.net","ja3":"a69708a64f853c3bcc214c2c5faf84f3","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1"}}
00549{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2343,"source":"teams.pcap","alias":"nDPId-test","flow_id":58,"flow_packets_processed":1,"flow_first_seen":1587041691075,"flow_last_seen":1587041691075,"flow_idle_time":180000,"flow_min_l4_payload_len":61,"flow_max_l4_payload_len":61,"flow_tot_l4_payload_len":61,"flow_avg_l4_payload_len":61,"midstream":0,"ts_msec":1587041691075,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"192.168.1.1","src_port":62863,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00513{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2343,"source":"teams.pcap","alias":"nDPId-test","flow_id":58,"flow_packet_id":1,"flow_last_seen":1587041691075,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":103,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":103,"pkt_l4_len":69,"ts_msec":1587041691075,"pkt":"EBMx8Tl2KDc3AG3ICABFAABZLy0AAP8RCQ\/AqAEGwKgBAfWPADUARdrUdPIBAAABAAAAAAAABGVtZWECbmcDbXNnDHRlYW1zLW1zZ2FwaQ50cmFmZmljbWFuYWdlcgNuZXQAAAEAAQ=="}
00746{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":2343,"source":"teams.pcap","alias":"nDPId-test","flow_id":58,"flow_packets_processed":1,"flow_first_seen":1587041691075,"flow_last_seen":1587041691075,"flow_idle_time":180000,"flow_min_l4_payload_len":61,"flow_max_l4_payload_len":61,"flow_tot_l4_payload_len":61,"flow_avg_l4_payload_len":61,"midstream":0,"ts_msec":1587041691075,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"192.168.1.1","src_port":62863,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Teams","breed":"Safe","category":"Collaborative"},"dns": {"query":"emea.ng.msg.teams-msgapi.trafficmanager.net","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
@@ -388,9 +388,9 @@
00477{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2483,"source":"teams.pcap","alias":"nDPId-test","flow_id":64,"flow_packet_id":1,"flow_last_seen":1587041693516,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"ts_msec":1587041693516,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGShzAqAEGNHL6e8NiAbvwxDFFAAAAALAC\/\/9VoQAAAgQFtAEDAwUBAQgKMITZEwAAAAAEAgAA"}
00549{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2484,"source":"teams.pcap","alias":"nDPId-test","flow_id":65,"flow_packets_processed":1,"flow_first_seen":1587041693517,"flow_last_seen":1587041693517,"flow_idle_time":180000,"flow_min_l4_payload_len":67,"flow_max_l4_payload_len":67,"flow_tot_l4_payload_len":67,"flow_avg_l4_payload_len":67,"midstream":0,"ts_msec":1587041693517,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"192.168.1.1","src_port":55765,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00520{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2484,"source":"teams.pcap","alias":"nDPId-test","flow_id":65,"flow_packet_id":1,"flow_last_seen":1587041693517,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":109,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":109,"pkt_l4_len":75,"ts_msec":1587041693517,"pkt":"EBMx8Tl2KDc3AG3ICABFAABfDxsAAP8RKRvAqAEGwKgBAdnVADUASzsZd8IBAAABAAAAAAAAEmItdHItdGVhbXMtZXVuby0wNQtub3J0aGV1cm9wZQhjbG91ZGFwcAVhenVyZQNjb20AABwAAQ=="}
-00749{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":2484,"source":"teams.pcap","alias":"nDPId-test","flow_id":65,"flow_packets_processed":1,"flow_first_seen":1587041693517,"flow_last_seen":1587041693517,"flow_idle_time":180000,"flow_min_l4_payload_len":67,"flow_max_l4_payload_len":67,"flow_tot_l4_payload_len":67,"flow_avg_l4_payload_len":67,"midstream":0,"ts_msec":1587041693517,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"192.168.1.1","src_port":55765,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Microsoft","breed":"Safe","category":"Cloud"},"dns": {"query":"b-tr-teams-euno-05.northeurope.cloudapp.azure.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":28,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
+00751{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":2484,"source":"teams.pcap","alias":"nDPId-test","flow_id":65,"flow_packets_processed":1,"flow_first_seen":1587041693517,"flow_last_seen":1587041693517,"flow_idle_time":180000,"flow_min_l4_payload_len":67,"flow_max_l4_payload_len":67,"flow_tot_l4_payload_len":67,"flow_avg_l4_payload_len":67,"midstream":0,"ts_msec":1587041693517,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"192.168.1.1","src_port":55765,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Azure","breed":"Acceptable","category":"Cloud"},"dns": {"query":"b-tr-teams-euno-05.northeurope.cloudapp.azure.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":28,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
00621{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2485,"source":"teams.pcap","alias":"nDPId-test","flow_id":65,"flow_packet_id":2,"flow_last_seen":1587041693530,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":185,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":185,"pkt_l4_len":151,"ts_msec":1587041693530,"pkt":"KDc3AG3IEBMx8Tl2CABFAACrU5xAADkRak7AqAEBwKgBBgA12dUAlwAAd8KBgAABAAAAAQAAEmItdHItdGVhbXMtZXVuby0wNQtub3J0aGV1cm9wZQhjbG91ZGFwcAVhenVyZQNjb20AABwAAcAfAAYAAQAAAAUAQARwcmQxDmF6dXJlZG5zLWNsb3VkA25ldAAGbXNuaHN0CW1pY3Jvc29mdMA6AAAnEQAAA4QAAAEsAAk6gAAAADw="}
-00760{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2485,"source":"teams.pcap","alias":"nDPId-test","flow_id":65,"flow_packets_processed":2,"flow_first_seen":1587041693517,"flow_last_seen":1587041693530,"flow_idle_time":180000,"flow_min_l4_payload_len":67,"flow_max_l4_payload_len":143,"flow_tot_l4_payload_len":210,"flow_avg_l4_payload_len":105,"midstream":0,"ts_msec":1587041693530,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"192.168.1.1","src_port":55765,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Microsoft","breed":"Safe","category":"Cloud"},"dns": {"query":"b-tr-teams-euno-05.northeurope.cloudapp.azure.com","num_queries":1,"num_answers":1,"reply_code":0,"query_type":28,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
+00762{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2485,"source":"teams.pcap","alias":"nDPId-test","flow_id":65,"flow_packets_processed":2,"flow_first_seen":1587041693517,"flow_last_seen":1587041693530,"flow_idle_time":180000,"flow_min_l4_payload_len":67,"flow_max_l4_payload_len":143,"flow_tot_l4_payload_len":210,"flow_avg_l4_payload_len":105,"midstream":0,"ts_msec":1587041693530,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"192.168.1.1","src_port":55765,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Azure","breed":"Acceptable","category":"Cloud"},"dns": {"query":"b-tr-teams-euno-05.northeurope.cloudapp.azure.com","num_queries":1,"num_answers":1,"reply_code":0,"query_type":28,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
00461{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2486,"source":"teams.pcap","alias":"nDPId-test","flow_id":64,"flow_packet_id":2,"flow_last_seen":1587041693561,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1587041693561,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA0nZBAAGwGgJc0cvp7wKgBBgG7w2KOQNor8MQxRoAS\/\/8u4wAAAgQFoAEDAwgBAQQC"}
00443{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2487,"source":"teams.pcap","alias":"nDPId-test","flow_id":64,"flow_packet_id":3,"flow_last_seen":1587041693561,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1587041693561,"pkt":"EBMx8Tl2KDc3AG3ICABFAAAoAABAAEAGSjTAqAEGNHL6e8NiAbvwxDFGjkDaLFAQIABPogAA"}
00843{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":2488,"source":"teams.pcap","alias":"nDPId-test","flow_id":64,"flow_packets_processed":4,"flow_first_seen":1587041693516,"flow_last_seen":1587041693561,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":187,"flow_tot_l4_payload_len":187,"flow_avg_l4_payload_len":46,"midstream":0,"ts_msec":1587041693561,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.250.123","src_port":50018,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Teams","breed":"Safe","category":"Collaborative"},"tls": {"version":"TLSv1.2","client_requested_server_name":"euaz.tr.teams.microsoft.com","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
@@ -430,12 +430,12 @@
00477{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2562,"source":"teams.pcap","alias":"nDPId-test","flow_id":73,"flow_packet_id":1,"flow_last_seen":1587041693849,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"ts_msec":1587041693849,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGSf7AqAEGNHL6mcN0AbuMksvlAAAAALAC\/\/8dvwAAAgQFtAEDAwUBAQgKMITaVwAAAAAEAgAA"}
00462{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2564,"source":"teams.pcap","alias":"nDPId-test","flow_id":72,"flow_packet_id":2,"flow_last_seen":1587041693869,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1587041693869,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA0nZxAAGwGgG40cvqYwKgBBgG7w17cXACa3TTJGIAS\/\/81\/QAAAgQFoAEDAwgBAQQC"}
00443{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2565,"source":"teams.pcap","alias":"nDPId-test","flow_id":72,"flow_packet_id":3,"flow_last_seen":1587041693869,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1587041693869,"pkt":"EBMx8Tl2KDc3AG3ICABFAAAoAABAAEAGShfAqAEGNHL6mMNeAbvdNMkY3FwAm1AQIABWvAAA"}
-00833{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":2566,"source":"teams.pcap","alias":"nDPId-test","flow_id":72,"flow_packets_processed":4,"flow_first_seen":1587041693828,"flow_last_seen":1587041693869,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":174,"flow_tot_l4_payload_len":174,"flow_avg_l4_payload_len":43,"midstream":0,"ts_msec":1587041693869,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.250.152","src_port":50014,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Skype_Teams","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1.2","client_requested_server_name":"52.114.250.152","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
+00828{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":2566,"source":"teams.pcap","alias":"nDPId-test","flow_id":72,"flow_packets_processed":4,"flow_first_seen":1587041693828,"flow_last_seen":1587041693869,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":174,"flow_tot_l4_payload_len":174,"flow_avg_l4_payload_len":43,"midstream":0,"ts_msec":1587041693869,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.250.152","src_port":50014,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Azure","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"52.114.250.152","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
00461{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2567,"source":"teams.pcap","alias":"nDPId-test","flow_id":73,"flow_packet_id":2,"flow_last_seen":1587041693893,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1587041693893,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA0NypAAGwG5t80cvqZwKgBBgG7w3QJhgXYjJLL5oAS\/\/9RUwAAAgQFoAEDAwgBAQQC"}
00443{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2568,"source":"teams.pcap","alias":"nDPId-test","flow_id":73,"flow_packet_id":3,"flow_last_seen":1587041693893,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1587041693893,"pkt":"EBMx8Tl2KDc3AG3ICABFAAAoAABAAEAGShbAqAEGNHL6mcN0AbuMksvmCYYF2VAQIAByEgAA"}
-00833{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":2569,"source":"teams.pcap","alias":"nDPId-test","flow_id":73,"flow_packets_processed":4,"flow_first_seen":1587041693849,"flow_last_seen":1587041693893,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":174,"flow_tot_l4_payload_len":174,"flow_avg_l4_payload_len":43,"midstream":0,"ts_msec":1587041693893,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.250.153","src_port":50036,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Skype_Teams","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1.2","client_requested_server_name":"52.114.250.153","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
-01292{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2585,"source":"teams.pcap","alias":"nDPId-test","flow_id":72,"flow_packets_processed":14,"flow_first_seen":1587041693828,"flow_last_seen":1587041693913,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1452,"flow_tot_l4_payload_len":6300,"flow_avg_l4_payload_len":450,"midstream":0,"ts_msec":1587041693913,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.250.152","src_port":50014,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"10":"TLS Certificate Mismatch","15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Teams","breed":"Safe","category":"Collaborative"},"tls": {"version":"TLSv1.2","client_requested_server_name":"52.114.250.152","server_names":"tr.teams.microsoft.com,*.tr.teams.microsoft.com,turn.teams.microsoft.com,*.turn.teams.microsoft.com,*.relay.teams.microsoft.com","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"986571066668055ae9481cb84fda634a","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 5","issuerDN":"CN=tr.teams.microsoft.com","fingerprint":"A7:90:8D:41:ED:24:D2:83:48:95:90:CE:18:D3:A6:C2:62:7A:07:75"}}
-01292{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2603,"source":"teams.pcap","alias":"nDPId-test","flow_id":73,"flow_packets_processed":13,"flow_first_seen":1587041693849,"flow_last_seen":1587041693938,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1452,"flow_tot_l4_payload_len":6300,"flow_avg_l4_payload_len":484,"midstream":0,"ts_msec":1587041693938,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.250.153","src_port":50036,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"10":"TLS Certificate Mismatch","15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Teams","breed":"Safe","category":"Collaborative"},"tls": {"version":"TLSv1.2","client_requested_server_name":"52.114.250.153","server_names":"tr.teams.microsoft.com,*.tr.teams.microsoft.com,turn.teams.microsoft.com,*.turn.teams.microsoft.com,*.relay.teams.microsoft.com","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"986571066668055ae9481cb84fda634a","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 5","issuerDN":"CN=tr.teams.microsoft.com","fingerprint":"A7:90:8D:41:ED:24:D2:83:48:95:90:CE:18:D3:A6:C2:62:7A:07:75"}}
+00828{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":2569,"source":"teams.pcap","alias":"nDPId-test","flow_id":73,"flow_packets_processed":4,"flow_first_seen":1587041693849,"flow_last_seen":1587041693893,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":174,"flow_tot_l4_payload_len":174,"flow_avg_l4_payload_len":43,"midstream":0,"ts_msec":1587041693893,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.250.153","src_port":50036,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Azure","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"52.114.250.153","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
+01293{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2585,"source":"teams.pcap","alias":"nDPId-test","flow_id":72,"flow_packets_processed":14,"flow_first_seen":1587041693828,"flow_last_seen":1587041693913,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1452,"flow_tot_l4_payload_len":6300,"flow_avg_l4_payload_len":450,"midstream":0,"ts_msec":1587041693913,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.250.152","src_port":50014,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"10":"TLS Certificate Mismatch","15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Teams","breed":"Safe","category":"Collaborative"},"tls": {"version":"TLSv1.2","client_requested_server_name":"52.114.250.152","server_names":"tr.teams.microsoft.com,*.tr.teams.microsoft.com,turn.teams.microsoft.com,*.turn.teams.microsoft.com,*.relay.teams.microsoft.com","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"986571066668055ae9481cb84fda634a","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 5","subjectDN":"CN=tr.teams.microsoft.com","fingerprint":"A7:90:8D:41:ED:24:D2:83:48:95:90:CE:18:D3:A6:C2:62:7A:07:75"}}
+01293{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2603,"source":"teams.pcap","alias":"nDPId-test","flow_id":73,"flow_packets_processed":13,"flow_first_seen":1587041693849,"flow_last_seen":1587041693938,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1452,"flow_tot_l4_payload_len":6300,"flow_avg_l4_payload_len":484,"midstream":0,"ts_msec":1587041693938,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.250.153","src_port":50036,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"10":"TLS Certificate Mismatch","15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Teams","breed":"Safe","category":"Collaborative"},"tls": {"version":"TLSv1.2","client_requested_server_name":"52.114.250.153","server_names":"tr.teams.microsoft.com,*.tr.teams.microsoft.com,turn.teams.microsoft.com,*.turn.teams.microsoft.com,*.relay.teams.microsoft.com","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"986571066668055ae9481cb84fda634a","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 5","subjectDN":"CN=tr.teams.microsoft.com","fingerprint":"A7:90:8D:41:ED:24:D2:83:48:95:90:CE:18:D3:A6:C2:62:7A:07:75"}}
00549{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2632,"source":"teams.pcap","alias":"nDPId-test","flow_id":74,"flow_packets_processed":1,"flow_first_seen":1587041694219,"flow_last_seen":1587041694219,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1587041694219,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.136","src_port":60567,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00478{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2632,"source":"teams.pcap","alias":"nDPId-test","flow_id":74,"flow_packet_id":1,"flow_last_seen":1587041694219,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"ts_msec":1587041694219,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAG9w\/AqAEGNHJNiOyXAbs8mpamAAAAALAC\/\/8lfgAAAgQFtAEDAwUBAQgKMITbvgAAAAAEAgAA"}
00549{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2633,"source":"teams.pcap","alias":"nDPId-test","flow_id":75,"flow_packets_processed":1,"flow_first_seen":1587041694221,"flow_last_seen":1587041694221,"flow_idle_time":180000,"flow_min_l4_payload_len":58,"flow_max_l4_payload_len":58,"flow_tot_l4_payload_len":58,"flow_avg_l4_payload_len":58,"midstream":0,"ts_msec":1587041694221,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"192.168.1.1","src_port":60837,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
@@ -490,14 +490,14 @@
00477{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2730,"source":"teams.pcap","alias":"nDPId-test","flow_id":82,"flow_packet_id":1,"flow_last_seen":1587041697061,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"ts_msec":1587041697061,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGxpHAqAEGKE+KKeyYAbtVmTcwAAAAALAC\/\/8wcwAAAgQFtAEDAwUBAQgKMITmwQAAAAAEAgAA"}
00472{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2731,"source":"teams.pcap","alias":"nDPId-test","flow_id":82,"flow_packet_id":2,"flow_last_seen":1587041697091,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1587041697091,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8X+VAAG4GOLAoT4opwKgBBgG77Jhhqm+9VZk3MaASIADeAQAAAgQFoAEDAwgEAggKC\/ZmGDCE5sE="}
00459{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2732,"source":"teams.pcap","alias":"nDPId-test","flow_id":82,"flow_packet_id":3,"flow_last_seen":1587041697091,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1587041697091,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGxp3AqAEGKE+KKeyYAbtVmTcxYapvvoAQEAkclQAAAQEICjCE5t4L9mYY"}
-00818{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":2733,"source":"teams.pcap","alias":"nDPId-test","flow_id":82,"flow_packets_processed":4,"flow_first_seen":1587041697061,"flow_last_seen":1587041697092,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":239,"flow_tot_l4_payload_len":239,"flow_avg_l4_payload_len":59,"midstream":0,"ts_msec":1587041697092,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"40.79.138.41","src_port":60568,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"gate.hockeyapp.net","ja3":"a69708a64f853c3bcc214c2c5faf84f3","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1"}}
+00832{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":2733,"source":"teams.pcap","alias":"nDPId-test","flow_id":82,"flow_packets_processed":4,"flow_first_seen":1587041697061,"flow_last_seen":1587041697092,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":239,"flow_tot_l4_payload_len":239,"flow_avg_l4_payload_len":59,"midstream":0,"ts_msec":1587041697092,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"40.79.138.41","src_port":60568,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Azure","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"gate.hockeyapp.net","ja3":"a69708a64f853c3bcc214c2c5faf84f3","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1"}}
00365{"packet_event_id":1,"packet_event_name":"packet","thread_id":0,"packet_id":2753,"source":"teams.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":34969,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"ts_msec":1587041697412,"pkt":"\/\/\/\/\/\/\/\/2A0X1lWriJklgAAA2A0X1lWrAACAAADYDRfWVauACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}
00149{"basic_event_id":5,"basic_event_name":"Unknown packet type","thread_id":0,"packet_id":2753,"source":"teams.pcap","alias":"nDPId-test","type":34969}
00354{"packet_event_id":1,"packet_event_name":"packet","thread_id":0,"packet_id":2761,"source":"teams.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":38,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"ts_msec":1587041697611,"pkt":"AYDCAAAAeCjKBfrMACZCQgMAAAAAAJAAeCjKBfrMAAAAAJAAeCjKBfrMgAEAAAYAAQAEAKWlpaWlpaWl"}
00146{"basic_event_id":5,"basic_event_name":"Unknown packet type","thread_id":0,"packet_id":2761,"source":"teams.pcap","alias":"nDPId-test","type":38}
00521{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2767,"source":"teams.pcap","alias":"nDPId-test","flow_id":83,"flow_packets_processed":1,"flow_first_seen":1587041697660,"flow_last_seen":1587041697660,"flow_idle_time":120000,"flow_min_l4_payload_len":36,"flow_max_l4_payload_len":36,"flow_tot_l4_payload_len":36,"flow_avg_l4_payload_len":36,"midstream":0,"ts_msec":1587041697660,"l3_proto":"ip4","src_ip":"93.71.110.205","dst_ip":"192.168.1.6","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3}
00467{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2767,"source":"teams.pcap","alias":"nDPId-test","flow_id":83,"flow_packet_id":1,"flow_last_seen":1587041697660,"flow_idle_time":120000,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":70,"pkt_l4_len":36,"ts_msec":1587041697660,"pkt":"KDc3AG3IEBMx8Tl2CABFoAA40fgAADUBJWpdR27NwKgBBgMDcCsAAAAARQAASh2AAAAyEd1gwKgBBl1Hbs3DdD\/NADaJWQ=="}
-00554{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":2767,"source":"teams.pcap","alias":"nDPId-test","flow_id":83,"flow_packets_processed":1,"flow_first_seen":1587041697660,"flow_last_seen":1587041697660,"flow_idle_time":120000,"flow_min_l4_payload_len":36,"flow_max_l4_payload_len":36,"flow_tot_l4_payload_len":36,"flow_avg_l4_payload_len":36,"midstream":0,"ts_msec":1587041697660,"l3_proto":"ip4","src_ip":"93.71.110.205","dst_ip":"192.168.1.6","l4_proto":"icmp","ndpi": {"proto":"ICMP","breed":"Acceptable","category":"Network"}}
+00573{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":2767,"source":"teams.pcap","alias":"nDPId-test","flow_id":83,"flow_packets_processed":1,"flow_first_seen":1587041697660,"flow_last_seen":1587041697660,"flow_idle_time":120000,"flow_min_l4_payload_len":36,"flow_max_l4_payload_len":36,"flow_tot_l4_payload_len":36,"flow_avg_l4_payload_len":36,"midstream":0,"ts_msec":1587041697660,"l3_proto":"ip4","src_ip":"93.71.110.205","dst_ip":"192.168.1.6","l4_proto":"icmp","ndpi": {"proto":"ICMP","breed":"Acceptable","category":"Network"},"entropy":4.321296}
00467{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2774,"source":"teams.pcap","alias":"nDPId-test","flow_id":83,"flow_packet_id":2,"flow_last_seen":1587041697673,"flow_idle_time":120000,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":70,"pkt_l4_len":36,"ts_msec":1587041697673,"pkt":"KDc3AG3IEBMx8Tl2CABFoAA4akMAADUBjR9dR27NwKgBBgMDcBsAAAAARQAAWp4wAAAyEVygwKgBBl1Hbs3DdD\/NAEaJWQ=="}
00560{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2817,"source":"teams.pcap","alias":"nDPId-test","flow_id":72,"flow_packets_processed":25,"flow_first_seen":1587041693828,"flow_last_seen":1587041694047,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1452,"flow_tot_l4_payload_len":6930,"flow_avg_l4_payload_len":277,"midstream":0,"ts_msec":1587041698021,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.250.152","src_port":50014,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00559{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":2817,"source":"teams.pcap","alias":"nDPId-test","flow_id":64,"flow_packets_processed":33,"flow_first_seen":1587041693516,"flow_last_seen":1587041695435,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1452,"flow_tot_l4_payload_len":6838,"flow_avg_l4_payload_len":207,"midstream":0,"ts_msec":1587041698021,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.250.123","src_port":50018,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -548,7 +548,7 @@
00559{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2817,"source":"teams.pcap","alias":"nDPId-test","flow_id":12,"flow_packets_processed":1,"flow_first_seen":1587041679280,"flow_last_seen":1587041679280,"flow_idle_time":180000,"flow_min_l4_payload_len":485,"flow_max_l4_payload_len":485,"flow_tot_l4_payload_len":485,"flow_avg_l4_payload_len":485,"midstream":0,"ts_msec":1587041698021,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"192.168.1.255","src_port":17500,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00561{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2817,"source":"teams.pcap","alias":"nDPId-test","flow_id":61,"flow_packets_processed":17,"flow_first_seen":1587041692808,"flow_last_seen":1587041695538,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1225,"flow_tot_l4_payload_len":4100,"flow_avg_l4_payload_len":241,"midstream":0,"ts_msec":1587041698021,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"167.99.215.164","src_port":60566,"dst_port":4434,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00553{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2817,"source":"teams.pcap","alias":"nDPId-test","flow_id":31,"flow_packets_processed":2,"flow_first_seen":1587041683142,"flow_last_seen":1587041683184,"flow_idle_time":180000,"flow_min_l4_payload_len":50,"flow_max_l4_payload_len":180,"flow_tot_l4_payload_len":230,"flow_avg_l4_payload_len":115,"midstream":0,"ts_msec":1587041698021,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"192.168.1.1","src_port":57504,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
-00601{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":2817,"source":"teams.pcap","alias":"nDPId-test","flow_id":62,"flow_packets_processed":31,"flow_first_seen":1587041693428,"flow_last_seen":1587041697999,"flow_idle_time":180000,"flow_min_l4_payload_len":37,"flow_max_l4_payload_len":1201,"flow_tot_l4_payload_len":12443,"flow_avg_l4_payload_len":401,"midstream":0,"ts_msec":1587041698021,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.136","src_port":51681,"dst_port":3478,"l4_proto":"udp","ndpi": {"proto":"STUN.Skype_Teams","breed":"Acceptable","category":"VoIP"}}
+00596{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":2817,"source":"teams.pcap","alias":"nDPId-test","flow_id":62,"flow_packets_processed":31,"flow_first_seen":1587041693428,"flow_last_seen":1587041697999,"flow_idle_time":180000,"flow_min_l4_payload_len":37,"flow_max_l4_payload_len":1201,"flow_tot_l4_payload_len":12443,"flow_avg_l4_payload_len":401,"midstream":0,"ts_msec":1587041698021,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.136","src_port":51681,"dst_port":3478,"l4_proto":"udp","ndpi": {"proto":"STUN.Azure","breed":"Acceptable","category":"Cloud"}}
00561{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2817,"source":"teams.pcap","alias":"nDPId-test","flow_id":62,"flow_packets_processed":31,"flow_first_seen":1587041693428,"flow_last_seen":1587041697999,"flow_idle_time":180000,"flow_min_l4_payload_len":37,"flow_max_l4_payload_len":1201,"flow_tot_l4_payload_len":12443,"flow_avg_l4_payload_len":401,"midstream":0,"ts_msec":1587041698021,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.136","src_port":51681,"dst_port":3478,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00552{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2817,"source":"teams.pcap","alias":"nDPId-test","flow_id":27,"flow_packets_processed":2,"flow_first_seen":1587041682668,"flow_last_seen":1587041682697,"flow_idle_time":180000,"flow_min_l4_payload_len":58,"flow_max_l4_payload_len":139,"flow_tot_l4_payload_len":197,"flow_avg_l4_payload_len":98,"midstream":0,"ts_msec":1587041698021,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"192.168.1.1","src_port":57530,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00571{"flow_event_id":8,"flow_event_name":"not-detected","thread_id":0,"packet_id":2817,"source":"teams.pcap","alias":"nDPId-test","flow_id":60,"flow_packets_processed":4,"flow_first_seen":1587041692528,"flow_last_seen":1587041692578,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":120,"flow_tot_l4_payload_len":192,"flow_avg_l4_payload_len":48,"midstream":1,"ts_msec":1587041698021,"l3_proto":"ip4","src_ip":"151.11.50.139","dst_ip":"192.168.1.6","src_port":2222,"dst_port":54750,"l4_proto":"tcp","ndpi": {"proto":"Unknown","breed":"Unrated"}}
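Review bot: The added `guessed` line for flow 62 (UDP to 52.114.77.136:3478) now pins `STUN.Azure` with category `Cloud` where the old expectation was `STUN.Skype_Teams` with category `VoIP`, and the following context line shows the flow going idle, so in this hunk that is its final label. A downstream filter or alert keyed on the `VoIP` category or a Teams protocol name would no longer match this media flow. If this is an intended effect of the libnDPI submodule bump listed in the diffstat, the commit description should say so, e.g. `Teams flows are now initially classified as Azure; consumers keyed on Skype_Teams/VoIP need updating`. Otherwise it looks like a classification regression to check before accepting the regenerated output. The same relabelling appears on the `detected` lines for flows 72 and 73 in the `@@ -430` hunk, though those later receive a `TLS.Teams` detection-update.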
@@ -596,9 +596,9 @@
~~ total active/idle flows...: 83/83
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 3772917 bytes
-~~ total memory freed........: 3772917 bytes
-~~ total allocations/frees...: 38843/38843
+~~ total memory allocated....: 6400464 bytes
+~~ total memory freed........: 6400464 bytes
+~~ total allocations/frees...: 103039/103039
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 148 chars
~~ json string max len.......: 1942 chars
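Review bot: The expected output pins exact allocator totals (`6400464 bytes`, `103039/103039`), which have roughly doubled here although the capture is unchanged, so these lines seem likely to churn on every libnDPI bump. The property that matters for leak detection is that allocated equals freed and allocations equal frees, which both the old and new values satisfy. I would have the result comparison normalise or skip the absolute numbers and keep only the equality check. The commit description should also say why the allocation count rose from 38843 to 103039. The same applies to the teamspeak3.pcap.out hunk that follows.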
diff --git a/test/results/teamspeak3.pcap.out b/test/results/teamspeak3.pcap.out
index 27c3b1731..b6a9963d6 100644
--- a/test/results/teamspeak3.pcap.out
+++ b/test/results/teamspeak3.pcap.out
@@ -14,9 +14,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1928501 bytes
-~~ total memory freed........: 1928501 bytes
-~~ total allocations/frees...: 35351/35351
+~~ total memory allocated....: 4590816 bytes
+~~ total memory freed........: 4590816 bytes
+~~ total allocations/frees...: 99547/99547
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 163 chars
~~ json string max len.......: 688 chars
diff --git a/test/results/telegram.pcap.out b/test/results/telegram.pcap.out
index 9c25a30ae..aeca3830f 100644
--- a/test/results/telegram.pcap.out
+++ b/test/results/telegram.pcap.out
@@ -1,7 +1,7 @@
00442{"daemon_event_id":1,"daemon_event_name":"init","thread_id":0,"packet_id":0,"source":"telegram.pcap","alias":"nDPId-test","max-flows-per-thread":2048,"max-idle-flows-per-thread":256,"tick-resolution":1000,"reader-thread-count":1,"flow-scan-interval":10000,"generic-max-idle-time":600000,"icmp-max-idle-time":120000,"udp-max-idle-time":180000,"tcp-max-idle-time":7560000,"max-packets-per-flow-to-send":3,"max-packets-per-flow-to-process":255}
00553{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1,"source":"telegram.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1588779596451,"flow_last_seen":1588779596451,"flow_idle_time":180000,"flow_min_l4_payload_len":279,"flow_max_l4_payload_len":279,"flow_tot_l4_payload_len":279,"flow_avg_l4_payload_len":279,"midstream":0,"ts_msec":1588779596451,"l3_proto":"ip4","src_ip":"192.168.0.1","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00814{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"telegram.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_last_seen":1588779596451,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":321,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":321,"pkt_l4_len":287,"ts_msec":1588779596451,"pkt":"\/\/\/\/\/\/\/\/2A0X1lWrCABFAAEzGJVAAEARYHzAqAAB\/\/\/\/\/wBEAEMBHwAAAQEGANsCwWgAAIAAAAAAAAAAAAAAAAAAAAAAANgNF9ZVqwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABjglNjNQEBNwIBAwwJVEwtU0cxMTZFPAlUTC1TRzExNkU9BwHYDRfWVav\/"}
-00616{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"telegram.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1588779596451,"flow_last_seen":1588779596451,"flow_idle_time":180000,"flow_min_l4_payload_len":279,"flow_max_l4_payload_len":279,"flow_tot_l4_payload_len":279,"flow_avg_l4_payload_len":279,"midstream":0,"ts_msec":1588779596451,"l3_proto":"ip4","src_ip":"192.168.0.1","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","ndpi": {"proto":"DHCP","breed":"Acceptable","category":"Network"},"dhcp": {"fingerprint":"1,3"}}
+00665{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"telegram.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1588779596451,"flow_last_seen":1588779596451,"flow_idle_time":180000,"flow_min_l4_payload_len":279,"flow_max_l4_payload_len":279,"flow_tot_l4_payload_len":279,"flow_avg_l4_payload_len":279,"midstream":0,"ts_msec":1588779596451,"l3_proto":"ip4","src_ip":"192.168.0.1","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","ndpi": {"proto":"DHCP","breed":"Acceptable","category":"Network"},"dhcp": {"hostname":"tl-sg116e","fingerprint":"1,3","class_ident":"TL-SG116E"}}
00559{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2,"source":"telegram.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":1,"flow_first_seen":1588779596464,"flow_last_seen":1588779596464,"flow_idle_time":180000,"flow_min_l4_payload_len":126,"flow_max_l4_payload_len":126,"flow_tot_l4_payload_len":126,"flow_avg_l4_payload_len":126,"midstream":0,"ts_msec":1588779596464,"l3_proto":"ip4","src_ip":"192.168.1.53","dst_ip":"239.255.255.250","src_port":54306,"dst_port":1900,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00601{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"telegram.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_last_seen":1588779596464,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":168,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":168,"pkt_l4_len":134,"ts_msec":1588779596464,"pkt":"AQBef\/\/6wJrQLWJ0CABFAACavyQAAAERSFfAqAE17\/\/\/+tQiB2wAhkPyTS1TRUFSQ0ggKiBIVFRQLzEuMQ0KSE9TVDogMjM5LjI1NS4yNTUuMjUwOjE5MDANCk1BTjogInNzZHA6ZGlzY292ZXIiDQpNWDogMQ0KU1Q6IHVybjpkaWFsLW11bHRpc2NyZWVuLW9yZzpzZXJ2aWNlOmRpYWw6MQ0KDQoA"}
00591{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":2,"source":"telegram.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":1,"flow_first_seen":1588779596464,"flow_last_seen":1588779596464,"flow_idle_time":180000,"flow_min_l4_payload_len":126,"flow_max_l4_payload_len":126,"flow_tot_l4_payload_len":126,"flow_avg_l4_payload_len":126,"midstream":0,"ts_msec":1588779596464,"l3_proto":"ip4","src_ip":"192.168.1.53","dst_ip":"239.255.255.250","src_port":54306,"dst_port":1900,"l4_proto":"udp","ndpi": {"proto":"SSDP","breed":"Acceptable","category":"System"}}
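Review bot: The new `dhcp.hostname` and `dhcp.class_ident` fields on the added `detected` line come from DHCP options, which the sending host controls, and this expected result only exercises a benign ASCII value (`TL-SG116E`). The serialisation code is not in this hunk, so it is not visible whether these strings are length-bounded and JSON-escaped before being emitted; a test capture whose hostname contains a quote, backslash or control byte would pin that. Consumers should treat both fields as untrusted text rather than as a device identity. Also, `hostname` is emitted lowercased while `class_ident` keeps the original case, which deserves a line in the schema description if it is deliberate.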
@@ -123,7 +123,7 @@
00751{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":390,"source":"telegram.pcap","alias":"nDPId-test","flow_id":27,"flow_packets_processed":2,"flow_first_seen":1588779619914,"flow_last_seen":1588779619916,"flow_idle_time":180000,"flow_min_l4_payload_len":43,"flow_max_l4_payload_len":59,"flow_tot_l4_payload_len":102,"flow_avg_l4_payload_len":51,"midstream":0,"ts_msec":1588779619916,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"192.168.1.1","src_port":47127,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.GoogleServices","breed":"Acceptable","category":"Web"},"dns": {"query":"www.googletagservices.com","num_queries":1,"num_answers":1,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"192.168.1.157"}}
00552{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":597,"source":"telegram.pcap","alias":"nDPId-test","flow_id":28,"flow_packets_processed":1,"flow_first_seen":1588779625981,"flow_last_seen":1588779625981,"flow_idle_time":180000,"flow_min_l4_payload_len":355,"flow_max_l4_payload_len":355,"flow_tot_l4_payload_len":355,"flow_avg_l4_payload_len":355,"midstream":0,"ts_msec":1588779625981,"l3_proto":"ip4","src_ip":"0.0.0.0","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00924{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":597,"source":"telegram.pcap","alias":"nDPId-test","flow_id":28,"flow_packet_id":1,"flow_last_seen":1588779625981,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":397,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":397,"pkt_l4_len":363,"ts_msec":1588779625981,"pkt":"\/\/\/\/\/\/\/\/AICPmq69CABFAAF\/jrEAAEAR6r0AAAAA\/\/\/\/\/wBEAEMBa16\/AQEGAN7JmyKFuQAAAAAAAAAAAAAAAAAAAAAAAACAj5quvQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABjglNjNQEBPRP\/j5quvQABAAEfyzfOuCfrPQjbUAB0AQE5AgXcPC1kaGNwY2QtNi4xMC4xOkxpbnV4LTQuOS41Ny12Nys6YXJtdjdsOkJDTTI4MzUMDHBpMy5udG9wLm9yZ5EBATcPAXkhAwYMDxocKjM2Ojt3\/w=="}
-00612{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":597,"source":"telegram.pcap","alias":"nDPId-test","flow_id":28,"flow_packets_processed":1,"flow_first_seen":1588779625981,"flow_last_seen":1588779625981,"flow_idle_time":180000,"flow_min_l4_payload_len":355,"flow_max_l4_payload_len":355,"flow_tot_l4_payload_len":355,"flow_avg_l4_payload_len":355,"midstream":0,"ts_msec":1588779625981,"l3_proto":"ip4","src_ip":"0.0.0.0","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","ndpi": {"proto":"DHCP","breed":"Acceptable","category":"Network"},"dhcp": {"fingerprint":""}}
+00643{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":597,"source":"telegram.pcap","alias":"nDPId-test","flow_id":28,"flow_packets_processed":1,"flow_first_seen":1588779625981,"flow_last_seen":1588779625981,"flow_idle_time":180000,"flow_min_l4_payload_len":355,"flow_max_l4_payload_len":355,"flow_tot_l4_payload_len":355,"flow_avg_l4_payload_len":355,"midstream":0,"ts_msec":1588779625981,"l3_proto":"ip4","src_ip":"0.0.0.0","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","ndpi": {"proto":"DHCP","breed":"Acceptable","category":"Network"},"dhcp": {"hostname":"","fingerprint":"","class_ident":""}}
00557{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":612,"source":"telegram.pcap","alias":"nDPId-test","flow_id":29,"flow_packets_processed":1,"flow_first_seen":1588779626393,"flow_last_seen":1588779626393,"flow_idle_time":180000,"flow_min_l4_payload_len":201,"flow_max_l4_payload_len":201,"flow_tot_l4_payload_len":201,"flow_avg_l4_payload_len":201,"midstream":0,"ts_msec":1588779626393,"l3_proto":"ip4","src_ip":"192.168.1.43","dst_ip":"192.168.1.255","src_port":138,"dst_port":138,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00709{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":612,"source":"telegram.pcap","alias":"nDPId-test","flow_id":29,"flow_packet_id":1,"flow_last_seen":1588779626393,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":243,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":243,"pkt_l4_len":209,"ts_msec":1588779626393,"pkt":"\/\/\/\/\/\/\/\/BJImXJc1CABFAADlSCQAAIARbWnAqAErwKgB\/wCKAIoA0XdaEQLkXsCoASsAigC7AAAgRUVFRkZERUxGRUVQRkFDTkZDRUNERkZFREJEQ0VIQ0EAIEZIRVBGQ0VMRUhGQ0VQRkZGQUNBQ0FDQUNBQ0FDQUJOAP9TTUIlAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEQAAIQAAAAAAAAAAAOgDAAAAAAAAAAAhAFYAAwABAAAAAgAyAFxNQUlMU0xPVFxCUk9XU0UAAQCA\/AoAREVTS1RPUC1SQjVUMTJHAAoAAxAAAA8BVaoA"}
00635{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":612,"source":"telegram.pcap","alias":"nDPId-test","flow_id":29,"flow_packets_processed":1,"flow_first_seen":1588779626393,"flow_last_seen":1588779626393,"flow_idle_time":180000,"flow_min_l4_payload_len":201,"flow_max_l4_payload_len":201,"flow_tot_l4_payload_len":201,"flow_avg_l4_payload_len":201,"midstream":0,"ts_msec":1588779626393,"l3_proto":"ip4","src_ip":"192.168.1.43","dst_ip":"192.168.1.255","src_port":138,"dst_port":138,"l4_proto":"udp","ndpi": {"flow_risk": {"22":"Unsafe Protocol"},"proto":"NetBIOS.SMBv1","breed":"Dangerous","category":"System"}}
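Review bot: The new expected line for flow 28 pins `"dhcp": {"hostname":"","fingerprint":"","class_ident":""}`, but the request in the `packet-flow` context line just above appears to carry all three options. Decoding that `pkt` base64 by hand gives option 60 as `dhcpcd-6.10.1:Linux-4.9.57-v7+:armv7l:BCM2835`, option 12 as `pi3.ntop.org` and a 15-entry option 55 list; this should be confirmed with a dissector. If the decode holds, this baseline locks in a missed extraction, and the fingerprint was already empty on the removed line. Flow 1 earlier in the same file is populated (`"hostname":"tl-sg116e"`), so the gap seems specific to this packet's option layout. Until the parser is checked, I would leave out keys whose value is empty, so that consumers doing asset identification can tell "option absent" from "option not parsed".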
@@ -152,10 +152,10 @@
00495{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":723,"source":"telegram.pcap","alias":"nDPId-test","flow_id":14,"flow_packet_id":3,"flow_last_seen":1588779632315,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":82,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":82,"pkt_l4_len":48,"ts_msec":1588779632315,"pkt":"\/\/\/\/\/\/\/\/wJrQLWJ0CABFAABES\/gAAEARqizAqAE1wKgB\/+EV4RUAMNBmU3BvdFVkcDClWtsnvt2XzwABAACyJIr8D\/N2Z9WO7tpCHKgrvJhaBg=="}
00563{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":725,"source":"telegram.pcap","alias":"nDPId-test","flow_id":34,"flow_packets_processed":1,"flow_first_seen":1588779634762,"flow_last_seen":1588779634762,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1588779634762,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"216.58.205.68","src_port":61974,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
02236{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":725,"source":"telegram.pcap","alias":"nDPId-test","flow_id":34,"flow_packet_id":1,"flow_last_seen":1588779634762,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1588779634762,"pkt":"EBMx8Tl2KDc3AG3ICABFAAViWJsAAEARtXvAqAFN2DrNRPIWAbsFTgTHw1EwNDZQozVJE19KlwkAAAABdLDg+WGAhzOZu62GoAEEAENITE8ZAAAAUEFEAPUBAABTTkkAAwIAAFNUSwA5AgAAVkVSAD0CAABDQ1MATQIAAE5PTkNtAgAAQUVBRHECAABVQUlEoAIAAFNDSUSwAgAAVENJRLQCAABQRE1EuAIAAFNNSEy8AgAASUNTTMACAABOT05Q4AIAAFBVQlMAAwAATUlEUwQDAABTQ0xTCAMAAEtFWFMMAwAAWExDVBQDAABDU0NUFAMAAENPUFQUAwAAQ0NSVCQDAABJUlRUKAMAAENGQ1csAwAAU0ZDVzADAAAtLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS13d3cuZ29vZ2xlLmNvbfji0b2UKZEBPixRS8R5FV4DZD4i7T\/6B0Z4nKaYTElCcNQLL0+vajT\/QP9tp6wIGReVi8x7NFEwNDYB6IFgkpIa6H7tgIaiFYKRXrLacjAwMDAwMDAwAuVjx2eeSNkn+AhDtSgQn3BeW8lDQzIwYmV0YSBDaHJvbWUvODMuMC40MTAzLjM0IEludGVsIE1hYyBPUyBYIDEwXzEzXzYriYKzggSKpsC6slaoCl0fAAAAAFg1MDkBAAAAHgAAAAuXQLYHE9JIhKrGV8rvXoOxMjFuf2JfKTHXlSKWC8+sAyENtsO94X6K9sux59v7JM7rsrjePubGsEAWqYL7e1xkAAAAAQAAAEMyNTXvR+qpngpSje9H6qmeClKNYDLLkqBBTd8GdwAAAADwAAAAYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}
-00723{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":725,"source":"telegram.pcap","alias":"nDPId-test","flow_id":34,"flow_packets_processed":1,"flow_first_seen":1588779634762,"flow_last_seen":1588779634762,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1588779634762,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"216.58.205.68","src_port":61974,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC.Google","breed":"Tracker\/Ads","category":"Web"},"quic": {"client_requested_server_name":"www.google.com","user_agent":"beta Chrome\/83.0.4103.34 Intel Mac OS X 10_13_6"}}
+00721{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":725,"source":"telegram.pcap","alias":"nDPId-test","flow_id":34,"flow_packets_processed":1,"flow_first_seen":1588779634762,"flow_last_seen":1588779634762,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1588779634762,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"216.58.205.68","src_port":61974,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC.Google","breed":"Acceptable","category":"Web"},"quic": {"client_requested_server_name":"www.google.com","user_agent":"beta Chrome\/83.0.4103.34 Intel Mac OS X 10_13_6"}}
00563{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":726,"source":"telegram.pcap","alias":"nDPId-test","flow_id":35,"flow_packets_processed":1,"flow_first_seen":1588779634764,"flow_last_seen":1588779634764,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1588779634764,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"216.58.205.68","src_port":50822,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
02236{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":726,"source":"telegram.pcap","alias":"nDPId-test","flow_id":35,"flow_packet_id":1,"flow_last_seen":1588779634764,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1588779634764,"pkt":"EBMx8Tl2KDc3AG3ICABFAAViUS0AAEARvOnAqAFN2DrNRMaGAbsFTkE+w1EwNDZQdSQ0JxgV+\/AAAAABpTtWGWoI4a2O5woGoAEEAENITE8ZAAAAUEFEAPUBAABTTkkAAwIAAFNUSwA5AgAAVkVSAD0CAABDQ1MATQIAAE5PTkNtAgAAQUVBRHECAABVQUlEoAIAAFNDSUSwAgAAVENJRLQCAABQRE1EuAIAAFNNSEy8AgAASUNTTMACAABOT05Q4AIAAFBVQlMAAwAATUlEUwQDAABTQ0xTCAMAAEtFWFMMAwAAWExDVBQDAABDU0NUFAMAAENPUFQUAwAAQ0NSVCQDAABJUlRUKAMAAENGQ1csAwAAU0ZDVzADAAAtLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS13d3cuZ29vZ2xlLmNvbapsx9TSQuPwh8YeJs33Nmze8URvGPZoGeJQWhFImAF+FKGJcZ5Gv+AWggZjhNIH2DzcOgKswVEwNDYB6IFgkpIa6H7tgIaiFYKRXrLacjAwMDAwMDAwTrr3TE8EhubDtCHdJzdVC1d+PPBDQzIwYmV0YSBDaHJvbWUvODMuMC40MTAzLjM0IEludGVsIE1hYyBPUyBYIDEwXzEzXzYriYKzggSKpsC6slaoCl0fAAAAAFg1MDkBAAAAHgAAAIbXL08ZJ3aJ+3OQ3+Rsvbic8DCd31+92QlBmAfJ4ZcgyovDvfnINbPNV9UIgMSv\/oTfYVDM1unv0Eg0xlJTYVZkAAAAAQAAAEMyNTXvR+qpngpSje9H6qmeClKNYDLLkqBBTd8GdwAAAADwAAAAYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}
-00723{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":726,"source":"telegram.pcap","alias":"nDPId-test","flow_id":35,"flow_packets_processed":1,"flow_first_seen":1588779634764,"flow_last_seen":1588779634764,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1588779634764,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"216.58.205.68","src_port":50822,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC.Google","breed":"Tracker\/Ads","category":"Web"},"quic": {"client_requested_server_name":"www.google.com","user_agent":"beta Chrome\/83.0.4103.34 Intel Mac OS X 10_13_6"}}
+00721{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":726,"source":"telegram.pcap","alias":"nDPId-test","flow_id":35,"flow_packets_processed":1,"flow_first_seen":1588779634764,"flow_last_seen":1588779634764,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1588779634764,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"216.58.205.68","src_port":50822,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC.Google","breed":"Acceptable","category":"Web"},"quic": {"client_requested_server_name":"www.google.com","user_agent":"beta Chrome\/83.0.4103.34 Intel Mac OS X 10_13_6"}}
02256{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":727,"source":"telegram.pcap","alias":"nDPId-test","flow_id":34,"flow_packet_id":2,"flow_last_seen":1588779634794,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1588779634794,"pkt":"KDc3AG3IEBMx8Tl2CABFAAViAABAADcR1xbYOs1EwKgBTQG78hYFTlCg01EwNDYFozVJE19KlwkAAAABlFnOyl1IE6Kl9p2lJqJe20wr+YJJK3OQaQI+K1yyeZR9yLW3lS\/Tdnt9xcKqAlOjTi1OwA2w6a7+tRtr3KAKpiTPSke9Qgxq9RZuUGOobpscabZyRsqHgng7hPe2XFawQxldFDSjxKnYQdE5FFv9BpDrnq\/TTXf9TFvgw\/QnXVAz5Cyt9UqBUF1hH0e8eHxu6vo8lxkhnIhe5h6hLOoAm1BnioEr9hnRo4ORCSZRNuTGnhroEuVGyj5HhhPz45sTADcZH\/aRhJy7qwSQPpjxKMRjwHfkXW+yFpSOG3Hp5CsHedxutEJhnZDI+4BG1I6mpoDE8Zvk+SOrrxTdABEKpyABqDKs78QbQi9n46y46LF2JTAo36T9cjW0OkfnS1dX8RBGe5tpl\/GX8HAEOsAa\/z+6O4B5WSOIZhf34xGOy\/N3OFC+u9lN+ttVyLf++3WOzpd57ZzPwtC+yE\/BNwbA4eO5JHsp6kPUffzjzL5K4L4obRfRfmFzgUJr2AvlNCCKETOUv9FcgCj+O3Ce2J+FzvWWvPIvOKN37xrUN\/mjFcjn6vrnzc3WHSBHZUUQPgLL9gdUFNa8\/yQjJhbGLlt8bvQA1SJaoWXDVmYJjnjFSJJFF8RWpizfJP35dxquwrjEwUged8l6McoK7qHu4Ld19f6o8UJyTgkxjnhmujMkW40UK64Bo1F6vaXjIzepbsvzrfPs4buhFyCPcm2wLFZq5nMbYvmNgbBAMNYgQ7+Y4Zo47U6dIvcnsHay4b8rdIZC\/Ra4RUg2MEAVMY04nZVwsS9kMvxjw7tWpuLXdlQCjlvuGOf6dZ6k9rHdaI3URstXL6UuWo0Gdj\/NtiaGySmIHVV6i7EbmaJp3uFyYDnUvrIMjfc6ghlolVGsZni+GAZQbXnpWH5ualh+GQk\/IS2IEz0uyBJ6dsYticBr8EFAQR7hHY\/3OyEr27WwpwoLmUJn9UQqUUNET0+qTxL027bZTqGeTGLe2rH0z4qd78Ue12s\/mmitdGeaTOEIB+kN9Oz976ydi7i+SoMBr\/+hKLj5gjHsfiNqAK8opkFFxqyBh0nqOBdwUSl8gZVmShAcuOo649XW2Yut5pCeSZfn3ZoRq+lWx89wdySCjOMW8exEEWunv6bjn3slpy7AmRkw+sPRuDmUtrstSTMggBfN+zYz4kU9msu81pr+IK0y7aQh4mmTipBI3toWvtKGgxtFFCU+90ZF+2e26g7ax+JPhJWCf1aeqV2qjVTswyDUe+X8YVqx5YC7ACn0pIzEQj12x8eSFM60TkG8kXSrR+cBcSE4aaYhrAy3pypcCtMV26Co80JeaaDwDMCwmVAzo0E\/BwpqMknzmJBeyZjvON\/562D3ZU9nDxApe4H14sNeh3KyKanbNvTWcgxWJPs+wQ9X1d9egrD3CNpHov7eGsS9E5PTryqkw6dcr07anAdXKz39OKneC7uTIi2xMN4pi9HDUne9kKxezY6JaiaaEds0Egs5TrKu5MlMzp7QSr1MmDFu7VQLrafQLt
QSQLw0f+CkdiOkRSoewADHR7WnRu3Pw\/1y7ALeor+7d7v\/xVkXtV0+u1JaX2B1bUYYuBQruUl0bp5QCHut4tI5G7u+9P1dYnUX\/rSklohEaFv70M62kLeKCl4bX8BdPalaH0yKRZF9q2iCLDdluLwx+pd3G8lRNNpU8gMggNTI9z\/7Pxs0oOqfN32KINp0rOMXmr0ZD6E5U7SeSuShxUVrIQgXkF5QTsc4zAeYQXZrfPFcKANcrPTz3MqQYdpM"}
00470{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":728,"source":"telegram.pcap","alias":"nDPId-test","flow_id":34,"flow_packet_id":3,"flow_last_seen":1588779634795,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":70,"pkt_l4_len":36,"ts_msec":1588779634795,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA4emwAAEARmNTAqAFN2DrNRPIWAbsAJN5oQKM1SRNfSpcJAg\/VJy\/hU5JXfMk208XyiTI7oA=="}
02266{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":729,"source":"telegram.pcap","alias":"nDPId-test","flow_id":35,"flow_packet_id":2,"flow_last_seen":1588779634797,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1588779634797,"pkt":"KDc3AG3IEBMx8Tl2CABFAAViAABAADgR1hbYOs1EwKgBTQG7xoYFTqbf01EwNDYFdSQ0JxgV+\/AAAAAB\/upOH6rH2BIyQSeP5oglrVNRjLzUPYUddHT9m6BsmcKmApdlysrOkxHuxx9vijlyM8wYkq7JvX19IQMhKJZA0U6a8sLp7rHlGFo5nqmm0jMnW7WPHt\/LNpmp9sMej9LIYl7HVWlYuGONw23gJgIuAlpWAO6yh+eVnrhPvfDTj31c6\/L1ooPLrq5NV7Gc7jNhPXAjTc4ZaIElGMpTUieuhBDEobdC\/yRUwhIJac7BNwvPjcF+IDwdoZlLRJw3R5oXAi2b\/NF4EAf1KMRYvNmplcTy11GLuiSvRAmihe5Rh\/orc2nsZbWj+vVmUmzCiWHVssa5KLzmBbkyMh6lJPB3gwNR9L\/Fq9yeGKy0+1JnwE4BdYx5u8HLnX2wgYVFT\/rFfn1Oc62CdMeazmAG7K4pybekkUnanBSVSlDsTtacnk6lBahTKCPl4BKZo41FpeNyrCv6CdLYcTHgeBE4YGrMXUeFT\/ilVEPrTMzFe5kzHIStA3AKnuB\/P+S0D02eLWMotPjv93++mmxST6HP114UWR5QNEIWRxUS8RL0hQeu4zY97Ng6cw4CKN+Csj\/ZvkP4kxD\/Zq7tP6yj9mYvYIO9zExfP9oeGiwS\/4f+6unIp0FdFoZmq8bqYOIOw8QtYVOoNnStryjcigG\/awK2ZaMXV+46Pnbc7phNOyTwsLBxxc\/12QJJ45cSQCeX9fI3HOGC6Lef+EyN3wVq9oB+wBoxI5umm0icT\/zZ2yvFo6UFJ2uDstyecW1AqbCfnn6WWrQLz6eMr+vL\/JleVbbatuBYa5gdk2Yt+67fkdck3Dk3mkph8oGaf+SDkR7Tf9p8ulHM4RwOnQJFlNf4xkSWeQGBLD6wjBE4rkLONEpat+rbynMjiBPAofixsPnISwVDLf0nq9DMrjUvdWlIIMyhGej2e24qnTkMu6p7FC\/huIoB0mRmYhHnBPlCQn\/LUzArFEcNys29X1cxw25iplZFvHkHdOc24AY5G54G00MdsxNdaE\/paJZz93dfFlaEUpxXdsPnTzUS4pfi+tXdLdZlCDSCbcoeLXsZ10o3zvR7bkNwPdSYObv6FtEohnNHd5N8A7GThnHg9zUXltLPSF3xHvq8673iVUYgBtPyG5IX44udpmQI7jeus04VvFTz2gu4npRTD34iJ0hoN0ntT0nFkqcX5\/lL09qWjNDuFP\/S1ls4UAok+2ha5s3PvhtAKIlco7aoWYLrSj95gTSsEvt+vv6BHLLnycSfEmJgy7LNVNyoUK4C4+9WgT1JfWOmVbGaY23xkwzP15QjiTTdKIEkJwiBmgJIruM0dA1J41jJPUcFpH8opFJyrh1InbMhpwrdsem5Er87sEkX0BhYPXkyvKucSZm6W1RMofNDgCdyw5TOBfDKdoqNmc54r82qBE2FvdTks67OsedSUGg\/xIKev6elshEbqcaKfcXRRyuerRJ9Na1ZC85buNS0\/0S8Uk1MnuNcWLIniDOgLmxDYioY8+6ffXPskGoeJ6mpsWIPFN\/ZXP
ivRS+0hFla3abk42RYHrYiht3fXvADKY3mvEEwWMSzU84L2ho8ij4vLNJYBjTvbpsEkPGMqANA85Spe5XJ9p4g9hQurfHWfSLDKdhStCgrn8jpcM\/\/FkUBZViwdPAW2JLOvsdSXQXeDGKI7nTEgI0kYpnr4frOKaPCHqb3HEqFHSRiARTSD0ufyxhTd6AYnG3WyBQ7hHD\/6lTnreRmZxISZ6q\/gFRJTubvR8\/BO8IvV1XaeMgD55oE\/mi7ALMHyuc8OmMt"}
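Review bot: Both `detected` events for `QUIC.Google` (flows 34 and 35) change `"breed":"Tracker\/Ads"` to `"breed":"Acceptable"` with no other field changing, and nothing on the page explains the reclassification. It presumably comes from the libnDPI submodule bump listed in the diffstat. Downstream filters or alert rules keyed on the breed string for this protocol would stop matching without any error. I would state the breed change explicitly in the commit description so operators can adjust their rules.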
@@ -284,9 +284,9 @@
~~ total active/idle flows...: 48/48
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 2049586 bytes
-~~ total memory freed........: 2049586 bytes
-~~ total allocations/frees...: 37047/37047
+~~ total memory allocated....: 4691973 bytes
+~~ total memory freed........: 4691973 bytes
+~~ total allocations/frees...: 101243/101243
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 165 chars
~~ json string max len.......: 2271 chars
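Review bot: The allocation count in this summary rises by exactly 64196 (37047 to 101243), and the same delta appears in the teredo, tftp, tinc and tk hunks below, alongside roughly 2.6 MB more allocated per run. A constant increase independent of the capture suggests a fixed start-up cost, presumably from library initialisation, rather than per-flow growth. Allocated and freed totals still match, so the leak check itself is intact. The commit description should name the cause of the larger baseline so a later regression of similar size is not mistaken for this one. Pinning exact byte totals in every result file also means each library bump rewrites all of them; comparing only that allocated equals freed would keep the leak signal with far less churn.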
diff --git a/test/results/teredo.pcap.out b/test/results/teredo.pcap.out
index 97051d42e..785c3c9ca 100644
--- a/test/results/teredo.pcap.out
+++ b/test/results/teredo.pcap.out
@@ -35,9 +35,9 @@
~~ total active/idle flows...: 5/5
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1935284 bytes
-~~ total memory freed........: 1935284 bytes
-~~ total allocations/frees...: 35374/35374
+~~ total memory allocated....: 4595903 bytes
+~~ total memory freed........: 4595903 bytes
+~~ total allocations/frees...: 99570/99570
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 160 chars
~~ json string max len.......: 600 chars
diff --git a/test/results/tftp.pcap.out b/test/results/tftp.pcap.out
index 846dd54fa..6b28b3ddd 100644
--- a/test/results/tftp.pcap.out
+++ b/test/results/tftp.pcap.out
@@ -28,9 +28,9 @@
~~ total active/idle flows...: 4/4
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1935988 bytes
-~~ total memory freed........: 1935988 bytes
-~~ total allocations/frees...: 35451/35451
+~~ total memory allocated....: 4597031 bytes
+~~ total memory freed........: 4597031 bytes
+~~ total allocations/frees...: 99647/99647
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 159 chars
~~ json string max len.......: 1206 chars
diff --git a/test/results/tinc.pcap.out b/test/results/tinc.pcap.out
index c3068bd10..0f48caeba 100644
--- a/test/results/tinc.pcap.out
+++ b/test/results/tinc.pcap.out
@@ -32,9 +32,9 @@
~~ total active/idle flows...: 4/4
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1950678 bytes
-~~ total memory freed........: 1950678 bytes
-~~ total allocations/frees...: 35676/35676
+~~ total memory allocated....: 4611721 bytes
+~~ total memory freed........: 4611721 bytes
+~~ total allocations/frees...: 99872/99872
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 159 chars
~~ json string max len.......: 2390 chars
diff --git a/test/results/tk.pcap.out b/test/results/tk.pcap.out
index 77cdd86f0..b6dbb27b6 100644
--- a/test/results/tk.pcap.out
+++ b/test/results/tk.pcap.out
@@ -26,9 +26,9 @@
~~ total active/idle flows...: 3/3
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1931530 bytes
-~~ total memory freed........: 1931530 bytes
-~~ total allocations/frees...: 35350/35350
+~~ total memory allocated....: 4592997 bytes
+~~ total memory freed........: 4592997 bytes
+~~ total allocations/frees...: 99546/99546
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 155 chars
~~ json string max len.......: 724 chars
diff --git a/test/results/tls-esni-fuzzed.pcap.out b/test/results/tls-esni-fuzzed.pcap.out
index ae8c8653c..5956d4add 100644
--- a/test/results/tls-esni-fuzzed.pcap.out
+++ b/test/results/tls-esni-fuzzed.pcap.out
@@ -1,13 +1,13 @@
00449{"daemon_event_id":1,"daemon_event_name":"init","thread_id":0,"packet_id":0,"source":"tls-esni-fuzzed.pcap","alias":"nDPId-test","max-flows-per-thread":2048,"max-idle-flows-per-thread":256,"tick-resolution":1000,"reader-thread-count":1,"flow-scan-interval":10000,"generic-max-idle-time":600000,"icmp-max-idle-time":120000,"udp-max-idle-time":180000,"tcp-max-idle-time":7560000,"max-packets-per-flow-to-send":3,"max-packets-per-flow-to-process":255}
00564{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1,"source":"tls-esni-fuzzed.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1590680386576,"flow_last_seen":1590680386576,"flow_idle_time":7440000,"flow_min_l4_payload_len":716,"flow_max_l4_payload_len":716,"flow_tot_l4_payload_len":716,"flow_avg_l4_payload_len":716,"midstream":1,"ts_msec":1590680386576,"l3_proto":"ip4","src_ip":"192.168.1.12","dst_ip":"104.27.129.77","src_port":49886,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
01417{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"tls-esni-fuzzed.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_last_seen":1590680386576,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":770,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":770,"pkt_l4_len":736,"ts_msec":1590680386576,"pkt":"EBMx8Tl2KDc3AG3ICABFAAL0AABAAEAGjOfAqAEMaBuBTcLeAbt3Q5LX\/48DFVAYIACwHgAAFgMBAscBAALDAwOTwM86TEdZaYZx77QiKeLaOUyI6FPS+J3L+0S3MA31OCDtrXy2AkmiC5EC8aXH8NKs5TG5ofTGvlsmIWUcTFlOhgAkEwETAxMCwCvAL8ypzKjALMAwwArACcATwBQAMwA5AC8ANQAKAQACVgAXAAD\/AQABAAAKAA4ADAAdABcAGAAZAQABAQALAAIBAAAjAAAAEAAOAAwCaDIIaHR0cC8xLjEABQAFAQAAAAAAMwBrAGkAHQAg9C+VXLX0pUAYcvwRMlm2BfjMFL+A2Ha+teHeYm8XszAAFwBBBKhP+5j\/iIqKULsVEv1xkLdgIoxwczB5EVKfTq\/0aLaIOqqUx255GoGIKzaHGdYeWvgG2FTscntynOjMKiH+1xMAKwAJCAMEAwMDAgMBAA0AGAAWBAMFAwYDCAQIBQgGBAEFAQYBAgMCAQAtAAIBAf\/OAW4TAQAdACAoJey8d6KdccaSJO2lCYt20kw0EEYFyldVNE\/b+wVlLQAgHyQSymUyoBaYNvGbjOJlOzPcW4r7yiRdTxErCb+vUsgBJJYkyzxOIwgn94z1v2QNIt6jP8xZjqajLZOZBVhvvpl7nmhmH4lW1IkwcuGd4kzR+4ip9x\/EzAG6tckU\/flqZH1nG16JhZuu6rEiIYaISW303wwyjD1flAsQnOsqJ0PVy+NZQoiiKbjH4viDA+P+GiaonlAB8r2TaJD+948G4F7MBjpovbjBjfrBFM8f7NuL4fwv7ssjFdJ5mNaCsSn9Hj6115hdy9xFKhCCzMA44L9pVw\/vrGvG+5UfibZ5LK2nZAPALOtdzhzm7d0W1ff7a4XSuSSFRI3gCI5CHoPx4osmf747Wa4ElvuEUhPCcdTFrF6efl9qMHJEUwf8zrcwZxBFmZHEDMTcH8MlFUx5dN14A3E5eAVFahmuI+6IR1wd8HaXtmYAHAACQAE="}
-00849{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"tls-esni-fuzzed.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1590680386576,"flow_last_seen":1590680386576,"flow_idle_time":7440000,"flow_min_l4_payload_len":716,"flow_max_l4_payload_len":716,"flow_tot_l4_payload_len":716,"flow_avg_l4_payload_len":716,"midstream":1,"ts_msec":1590680386576,"l3_proto":"ip4","src_ip":"192.168.1.12","dst_ip":"104.27.129.77","src_port":49886,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Cloudflare","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","ja3":"e5ef852e686954ba9fe060fbfa881e15","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+00849{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"tls-esni-fuzzed.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1590680386576,"flow_last_seen":1590680386576,"flow_idle_time":7440000,"flow_min_l4_payload_len":716,"flow_max_l4_payload_len":716,"flow_tot_l4_payload_len":716,"flow_avg_l4_payload_len":716,"midstream":1,"ts_msec":1590680386576,"l3_proto":"ip4","src_ip":"192.168.1.12","dst_ip":"104.27.129.77","src_port":49886,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Cloudflare","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","ja3":"957015a0b1e2500d8777219893a09495","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00565{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2,"source":"tls-esni-fuzzed.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":1,"flow_first_seen":1590680387847,"flow_last_seen":1590680387847,"flow_idle_time":7440000,"flow_min_l4_payload_len":716,"flow_max_l4_payload_len":716,"flow_tot_l4_payload_len":716,"flow_avg_l4_payload_len":716,"midstream":1,"ts_msec":1590680387847,"l3_proto":"ip4","src_ip":"192.168.1.12","dst_ip":"104.16.125.175","src_port":49887,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
01421{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"tls-esni-fuzzed.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_last_seen":1590680387847,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":770,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":770,"pkt_l4_len":736,"ts_msec":1590680387847,"pkt":"EBMx8Tl2KDc3AG3ICABFAAL0AABAAEAGkJDAqAEMaBB9r8LfAbu98X4VZuCG7lAYIACqfgAAFgMBAscBAALDAwPZvt6xqK7JiSO2eRBioUk2Uu867QdPWpn6Sv4hYS472iAz8c+AKNafKEsBeorsjdYMXk2HdHvKJL23Af8gga\/qxAAkEwETAxMCwCvAL8ypzKjALMAwwArACcATwBQAMwA5AC8ANQAKAQACVgAXAAD\/AQABAAAKAA4ADAAdABcAGAAZAQABAQALAAIBAAAjAAAAEAAOAAwCaDIIaHR0cC8xLjEABQAFAQAAAAAAMwBrAGkAHQAg0HCVKAanlLS9J1B8hdchDfkoKDxcPc3B5hBZYsZWdz8AFwBBBCakAur\/e3rF+tGl0au7NOTY4DQpBg\/YjV6ew74w8otvaCGiCdoeWGhEGjsldqwZrBxN3o59i8BSdRX+YPQ+GgkAKwAJCAMEAwMDAgMBAA0AGAAWBAMFAwYDCAQIBQgGBAEFAQYBAgMCAQAtAAIBAf\/OAW4TAQAdACAFyK2kXV21yqtAW2T62b\/NDTnJgxOrhECle3qcjynhZQAgHyQSymUyoBaYNvGbjOJlOzPcW4r7yiRdTxErCb+vUsgBJLkAAE456EuY9a6HsKAg7En+2G8rSItqsoven5V2IfJ3Q2bekOZcTKgIZokRYkaF7ExtxsFhqXy+gigbwIQnaXqjvmpA5fAKz4tj4ykxew5OhWQtUKuHkOYZfaYtn1syOdzFlDd5f+dopSDJ1HH+q6E3XfYeSjmwk2PLEJ57JKeThEiW3dFrbufb5XbXZxYdeC179v7EU6Bakj2Njpvv\/Jfo5WxPGqtw\/pm8l4GeHZCKXzswlPS\/Jet6JKlP28PhB6QjuLs0HyKQD3u9h3gOMLbs85P+uPv\/61THn6BnP+Gq0XsiHUv\/ZFCqDNSvUTBmtmCAtgIUfzrLcUWkNsVonaILrLi\/m6vYUQElVuyPe7nXS\/qvJdz0NipXdWB8POXCwp8YOWkAHAACQAE="}
-00850{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":2,"source":"tls-esni-fuzzed.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":1,"flow_first_seen":1590680387847,"flow_last_seen":1590680387847,"flow_idle_time":7440000,"flow_min_l4_payload_len":716,"flow_max_l4_payload_len":716,"flow_tot_l4_payload_len":716,"flow_avg_l4_payload_len":716,"midstream":1,"ts_msec":1590680387847,"l3_proto":"ip4","src_ip":"192.168.1.12","dst_ip":"104.16.125.175","src_port":49887,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Cloudflare","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","ja3":"e5ef852e686954ba9fe060fbfa881e15","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+00850{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":2,"source":"tls-esni-fuzzed.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":1,"flow_first_seen":1590680387847,"flow_last_seen":1590680387847,"flow_idle_time":7440000,"flow_min_l4_payload_len":716,"flow_max_l4_payload_len":716,"flow_tot_l4_payload_len":716,"flow_avg_l4_payload_len":716,"midstream":1,"ts_msec":1590680387847,"l3_proto":"ip4","src_ip":"192.168.1.12","dst_ip":"104.16.125.175","src_port":49887,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Cloudflare","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","ja3":"957015a0b1e2500d8777219893a09495","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00564{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":3,"source":"tls-esni-fuzzed.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":1,"flow_first_seen":1590680391590,"flow_last_seen":1590680391590,"flow_idle_time":7440000,"flow_min_l4_payload_len":716,"flow_max_l4_payload_len":716,"flow_tot_l4_payload_len":716,"flow_avg_l4_payload_len":716,"midstream":1,"ts_msec":1590680391590,"l3_proto":"ip4","src_ip":"192.168.1.12","dst_ip":"104.22.71.197","src_port":49897,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
01415{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"tls-esni-fuzzed.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_last_seen":1590680391590,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":770,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":770,"pkt_l4_len":736,"ts_msec":1590680391590,"pkt":"EBMx8Tl2KDc3AG3ICABFAAL0AABAAEAGxnTAqAEMaBZHxcLpAbsLJg40SW6gUlAYIAANXgAAFgMBAscBAALDAwMJLl9l\/OldUJYbpqd0xOpts3Kv4zg2hroTXcdX9KeB2CBjkfBVUTqX532YPuVZHQd0J5lIK2OZH9nsSRBnWwKDWwAkEwETAxMCwCvAL8ypzKjALMAwwArACcATwBQAMwA5AC8ANQAKAQACVgAXAAD\/AQABAAAKAA4ADAAdABcAGAAZAQABAQALAAIBAAAjAAAAEAAOAAwCaDIIaHR0cC8xLjEABQAFAQAAAAAAMwBrAGkAHQAgsbxhJX9IcnjB7rdgEb2YIBohnnxEhKIToNk1er8CIioAFwBBBLtlLNXLCuP0okhISXwuyj6tgeyLGZ5yaSZ9uT3zAbum2y5l1gYjS6RGBBL9dNcuY2pA4Ze582sOuuo0cAvw2TsAKwAJCAMEAwMDAgMBAA0AGAAWBAMFAwYDCAQIBQgGBAEFAQYBAgMCAQAtAAIBAf\/OAW4TAQAdACCgcq\/jSZGFwhXJHl9nfU84W9RHblecX+XHXi+knd++egAgHyQSymUyoBaYNvGbjOJlOzPcW4r7yiRdTxErCb+vUjmwk2PLEJ57JKeThEiW3dFrbufb5XbXZxYdeC179v7EU6Bakj2Njpvv\/Jfo5WxPGqtwjTPLrxKpdN+3jkm4v5pXmXQY7xTIeDCWHjyEgNKkvyfWHZEc70MAkkqfNhBXSLrthF\/1heQEBlRbs1xtqteJZDPsTf1rb0lyjahdcH23rHhPVaZljcat4wh7Hka7vt+kTz6HVLMaa8+FGdKR02KYBfqCbkN5nqbjMCHPCoPKBXF7APN9aYQZNPW1vyVMZGeIilksOKMAfbO31cu423QrZX+PlzwFC6qBeqVxOTzYpLwLIxJGCnfdBRD0u85D1TvPM05OjHVwJVu9F3FEA\/S2klQ0zWf5b6ngXXAHdoEO61eGscgYik1z+CCLYUuTKEqAk5KVlL4AHAACQAE="}
-00901{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":3,"source":"tls-esni-fuzzed.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":1,"flow_first_seen":1590680391590,"flow_last_seen":1590680391590,"flow_idle_time":7440000,"flow_min_l4_payload_len":716,"flow_max_l4_payload_len":716,"flow_tot_l4_payload_len":716,"flow_avg_l4_payload_len":716,"midstream":1,"ts_msec":1590680391590,"l3_proto":"ip4","src_ip":"192.168.1.12","dst_ip":"104.22.71.197","src_port":49897,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"24":"SNI TLS extension was missing"},"proto":"TLS.Cloudflare","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","ja3":"e5ef852e686954ba9fe060fbfa881e15","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+00901{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":3,"source":"tls-esni-fuzzed.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":1,"flow_first_seen":1590680391590,"flow_last_seen":1590680391590,"flow_idle_time":7440000,"flow_min_l4_payload_len":716,"flow_max_l4_payload_len":716,"flow_tot_l4_payload_len":716,"flow_avg_l4_payload_len":716,"midstream":1,"ts_msec":1590680391590,"l3_proto":"ip4","src_ip":"192.168.1.12","dst_ip":"104.22.71.197","src_port":49897,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"24":"SNI TLS extension was missing"},"proto":"TLS.Cloudflare","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","ja3":"957015a0b1e2500d8777219893a09495","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00565{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":3,"source":"tls-esni-fuzzed.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1590680386576,"flow_last_seen":1590680386576,"flow_idle_time":7440000,"flow_min_l4_payload_len":716,"flow_max_l4_payload_len":716,"flow_tot_l4_payload_len":716,"flow_avg_l4_payload_len":716,"midstream":1,"ts_msec":1590680391590,"l3_proto":"ip4","src_ip":"192.168.1.12","dst_ip":"104.27.129.77","src_port":49886,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00565{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":3,"source":"tls-esni-fuzzed.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":1,"flow_first_seen":1590680391590,"flow_last_seen":1590680391590,"flow_idle_time":7440000,"flow_min_l4_payload_len":716,"flow_max_l4_payload_len":716,"flow_tot_l4_payload_len":716,"flow_avg_l4_payload_len":716,"midstream":1,"ts_msec":1590680391590,"l3_proto":"ip4","src_ip":"192.168.1.12","dst_ip":"104.22.71.197","src_port":49897,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00566{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":3,"source":"tls-esni-fuzzed.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":1,"flow_first_seen":1590680387847,"flow_last_seen":1590680387847,"flow_idle_time":7440000,"flow_min_l4_payload_len":716,"flow_max_l4_payload_len":716,"flow_tot_l4_payload_len":716,"flow_avg_l4_payload_len":716,"midstream":1,"ts_msec":1590680391590,"l3_proto":"ip4","src_ip":"192.168.1.12","dst_ip":"104.16.125.175","src_port":49887,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -20,9 +20,9 @@
~~ total active/idle flows...: 3/3
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1938883 bytes
-~~ total memory freed........: 1938883 bytes
-~~ total allocations/frees...: 35358/35358
+~~ total memory allocated....: 4600350 bytes
+~~ total memory freed........: 4600350 bytes
+~~ total allocations/frees...: 99554/99554
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 168 chars
~~ json string max len.......: 1426 chars
diff --git a/test/results/tls-rdn-extract.pcap.out b/test/results/tls-rdn-extract.pcap.out
index b9d5776a1..92536b9d2 100644
--- a/test/results/tls-rdn-extract.pcap.out
+++ b/test/results/tls-rdn-extract.pcap.out
@@ -5,7 +5,7 @@
02407{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"tls-rdn-extract.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_last_seen":946681200000,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":1514,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1514,"pkt_l4_len":1480,"ts_msec":946681200000,"pkt":"ERERERERIiIiIiIiCABFAAXc5PJAADUGLVrVx5X7CgAAAQG7emnv2LZrZGeGnVAQGJhAQwAAFgMBAEoCAABGAwEAAAAAWuuHTEcV+akd0cdt\/mCIl2W0D3ZsYen8qlKhhyDexkYNJNvmICdLfXfmBpGxedPIi6ruP\/C4V2lgLy7HPwAvABYDARoFCwAaAQAZ\/gAOyDCCDsQwgg2soAMCAQICCmkXyLYACAACTA8wDQYJKoZIhvcNAQEFBQAwgYsxEzARBgoJkiaJk\/IsZAEZFgNjb20xGTAXBgoJkiaJk\/IsZAEZFgltaWNyb3NvZnQxFDASBgoJkiaJk\/IsZAEZFgRjb3JwMRcwFQYKCZImiZPyLGQBGRYHcmVkbW9uZDEqMCgGA1UEAxMhTWljcm9zb2Z0IFNlY3VyZSBTZXJ2ZXIgQXV0aG9yaXR5MB4XDTExMTAyMTE2NDIwM1oXDTEzMTAyMDE2NDIwM1owggVRMQswCQYDVQQGEwJVUzEQMA4GA1UEBxMHUmVkbW9uZDESMBAGA1UEChMJTWljcm9zb2Z0MQwwCgYDVQQLEwNHRlMxHjAcBgNVBAMMFSoub2ZmaWNlYXBwcy5saXZlLmNvbTEUMBIGA1UEAwwLKi5tc2Fkcy5uZXQxGTAXBgNVBAMMECouYWRzMi5tc2Fkcy5uZXQxGDAWBgNVBAMMDyouc3RjLnMtbXNuLmNvbTEtMCsGA1UEAwwkY2RuLmRjMmZpbGVzLioubGl2ZWZpbGVzdG9yZS1pbnQuY29tMSAwHgYDVQQDDBdjZG4uKi5saXZlZmlsZXN0b3JlLmNvbTEoMCYGA1UEAwwfKi5tYXJrZXRwbGFjZS53aW5kb3dzbW9iaWxlLmNvbTEsMCoGA1UEAwwjKi5tYXJrZXRwbGFjZS53aW5kb3dzbW9iaWxlLWludC5jb20xLTArBgNVBAMMJCoubWFya2V0cGxhY2Uud2luZG93c21vYmlsZS1wZXJmLmNvbTEYMBYGA1UEAwwPKi5zdGoucy1tc24uY29tMRswGQYDVQQDExJhamF4Lm1pY3Jvc29mdC5jb20xJDAiBgNVBAMMGyoubWljcm9zb2Z0LXNicy1kb21haW5zLmNvbTETMBEGA1UEAwwKKi5saXZlLm5ldDESMBAGA1UEAwwJKi5tc24uY29tMRYwFAYDVQQDDA0qLm1zbi1pbnQuY29tMSMwIQYDVQQDDBoqLmYxZHMuc2hhcmVkLmxpdmUtaW50LmNvbTEdMBsGA1UEAwwUKi5mMWRzLndseHJzLWludC5jb20xHjAcBgNVBAMMFSouc2hhcmVkLmxpdmUtaW50LmNvbTEaMBgGA1UEAwwRKi5zaGFyZWQubGl2ZS5jb20xGDAWBgNVBAMMDyoubWljcm9zb2Z0LmNvbTETMBEGA1UEAwwKKi5saXZlLmNvbTEXMBUGA1UEAwwOKi5saXZlLWludC5jb20xFDASBgNVBAMMCyoud2x4cnMuY29tMRgwFgYDVQQDDA8qLndseHJzLWludC5jb20xFzAVBgNVBAMMDiouc3Qucy1tc24uY29tMRgwFgYDVQQDDA8qLnN0Yi5zLW1zbi5
jb20xKTAnBgNVBAMTIGltYWdlcy5tb3h5LndpbmRvd3NwaG9uZS1pbnQuY29tMRkwFwYDVQQDDBAqLndseHJzdS1pbnQuY29tMSwwKgYDVQQDEyNpbWFnZXMucGFydG5lci53aW5kb3dzcGhvbmUtaW50LmNvbTEoMCYGA1UEAxMfaW1hZ2VzLnBhcnRuZXIud2luZG93c3Bob25lLmNvbTEVMBMGA1UEAwwMKi5qcC5tc24uY29tMRswGQYDVQQDDBIqLmMzc2NzLmpwLm1zbi5jb20xGDAWBgNVBAMMDyouYXNwbmV0Y2RuLmNvbTEWMBQGA1UEAwwNKi5ob3RtYWlsLmNvbTEqMCgGA1UEAwwhKi5wYXJ0bmVyLWRmLndpbmRvd3NwaG9uZS1pbnQuY28="}
00888{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2,"source":"tls-rdn-extract.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":2,"flow_first_seen":946681200000,"flow_last_seen":946681200000,"flow_idle_time":7440000,"flow_min_l4_payload_len":127,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":1587,"flow_avg_l4_payload_len":793,"midstream":1,"ts_msec":946681200000,"l3_proto":"ip4","src_ip":"10.0.0.1","dst_ip":"213.199.149.251","src_port":31337,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"ads1.msads.net","ja3":"2201d8e006f8f005a6b415f61e677532","ja3s":"18e962e106761869a61045bed0e81c2c","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA"}}
02404{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"tls-rdn-extract.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_last_seen":946681200000,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":1514,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1514,"pkt_l4_len":1480,"ts_msec":946681200000,"pkt":"ERERERERIiIiIiIiCABFAAXc5PNAADUGLVnVx5X7CgAAAQG7emnv2LwfZGeGnVAQGJjDXgAAbTEUMBIGA1UEAwwLKi5zLW1zbi5jb20xFzAVBgNVBAMMDioubGl2ZS1pbnQubmV0MR8wHQYDVQQDDBYqLndpbmRvd3NwaG9uZS1pbnQuY29tMRswGQYDVQQDDBIqLndpbmRvd3NwaG9uZS5jb20xKjAoBgNVBAMMISoucGFydG5lci1wYy53aW5kb3dzcGhvbmUtaW50LmNvbTEfMB0GA1UEAwwWKi5tYW5hZ2UubWljcm9zb2Z0LmNvbTEYMBYGA1UEAwwPKi52by5tc2VjbmQubmV0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuX3PkoiInBfw68+6JNH406C4alrEnikcq1FZEZJZj8A0h7uDLWO01R+9CYljtZsYv4E+pfWvi8Z31QoN\/mqJYHgutax6\/UWMDIxFsXaIn1iXAoBA481Pyqa8XbzdmibAvotkEOm0ksJYJlu7VrGuQP+fyz69HW2nTnewmEyTsEy9pTZjqsxFdtBcWm2sS5KQA3Hoj6NzWl54VkXacUcpgQraZZFiSKVJpxhZpAqND3x7NCgSdQvwN2uTFwRCsRagxmCSSaZkQSbYCDh7lvCo6r5wBODibkMqCxrJ4nyg5Uw+J74SsSHhtBMkb6YMlWe5gPOyYSZfIVCby4onZWx45wIDAQABo4IGXzCCBlswDAYDVR0TAQH\/BAIwADALBgNVHQ8EBAMCBLAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMIIDowYDVR0RBIIDmjCCA5aCDyoudm8ubXNlY25kLm5ldIIVKi5vZmZpY2VhcHBzLmxpdmUuY29tggsqLm1zYWRzLm5ldIIQKi5hZHMyLm1zYWRzLm5ldIIPKi5zdGMucy1tc24uY29tgiRjZG4uZGMyZmlsZXMuKi5saXZlZmlsZXN0b3JlLWludC5jb22CF2Nkbi4qLmxpdmVmaWxlc3RvcmUuY29tgh8qLm1hcmtldHBsYWNlLndpbmRvd3Ntb2JpbGUuY29tgiMqLm1hcmtldHBsYWNlLndpbmRvd3Ntb2JpbGUtaW50LmNvbYIkKi5tYXJrZXRwbGFjZS53aW5kb3dzbW9iaWxlLXBlcmYuY29tgg8qLnN0ai5zLW1zbi5jb22CEmFqYXgubWljcm9zb2Z0LmNvbYIbKi5taWNyb3NvZnQtc2JzLWRvbWFpbnMuY29tggoqLmxpdmUubmV0ggkqLm1zbi5jb22CDSoubXNuLWludC5jb22CGiouZjFkcy5zaGFyZWQubGl2ZS1pbnQuY29tghQqLmYxZHMud2x4cnMtaW50LmNvbYIVKi5zaGFyZWQubGl2ZS1pbnQuY29tghEqLnNoYXJlZC5saXZlLmNvbYIPKi5taWNyb3NvZnQuY29tggoqLmxpdmUuY29tgg4qLmxpdmUtaW50LmNvbYILKi53bHhycy5jb22CDyoud2x4cnMtaW50LmNvbYIOKi5zdC5zLW1zbi5jb22CDyouc3RiLnMtbXNuLmNvbYIgaW
1hZ2VzLm1veHkud2luZG93c3Bob25lLWludC5jb22CECoud2x4cnN1LWludC5jb22CI2ltYWdlcy5wYXJ0bmVyLndpbmRvd3NwaG9uZS1pbnQuY29tgh9pbWFnZXMucGFydG5lci53aW5kb3dzcGhvbmUuY29tggwqLmpwLm1zbi5jb22CEiouYzNzY3MuanAubXNuLmNvbYIPKi5hc3BuZXRjZG4uY29tgg0qLmhvdG1haWwuY29tgiEqLnBhcnRuZXItZGYud2luZG93c3Bob25lLWludC5jb22CCyoucy1tc24uY29tgg4qLmxpdmUtaW50Lm5ldIIWKi53aW5kb3dzcGhvbmUtaW50LmNvbYISKi53aW5kb3dzcGhvbmUuY29tgiEqLnBhcnRuZXI="}
-03042{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"tls-rdn-extract.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":6,"flow_first_seen":946681200000,"flow_last_seen":946681200000,"flow_idle_time":7440000,"flow_min_l4_payload_len":127,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":6881,"flow_avg_l4_payload_len":1146,"midstream":1,"ts_msec":946681200000,"l3_proto":"ip4","src_ip":"10.0.0.1","dst_ip":"213.199.149.251","src_port":31337,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher","9":"TLS Expired Certificate"},"proto":"TLS.Microsoft","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"ads1.msads.net","server_names":"*.vo.msecnd.net,*.officeapps.live.com,*.msads.net,*.ads2.msads.net,*.stc.s-msn.com,cdn.dc2files.*.livefilestore-int.com,cdn.*.livefilestore.com,*.marketplace.windowsmobile.com,*.marketplace.windowsmobile-int.com,*.marketplace.windowsmobile-perf.com,*.stj.s-msn.com,ajax.microsoft.com,*.microsoft-sbs-domains.com,*.live.net,*.msn.com,*.msn-int.com,*.f1ds.shared.live-int.com,*.f1ds.wlxrs-int.com,*.shared.live-int.com,*.shared.live.com,*.microsoft.com,*.live.com,*.live-int.com,*.wlxrs.com,*.wlxrs-int.com,*.st.s-msn.com,*.stb.s-msn.com,images.moxy.windowsphone-int.com,*.wlxrsu-int.com,images.partner.windowsphone-int.com,images.partner.windowsphone.com,*.jp.msn.com,*.c3scs.jp.msn.com,*.aspnetcdn.com,*.hotmail.com,*.partner-df.windowsphone-int.com,*.s-msn.com,*.live-int.net,*.windowsphone-int.com,*.windowsphone.com,*.partner-pc.windowsphone-int.com,*.manage.microsoft.com","ja3":"2201d8e006f8f005a6b415f61e677532","ja3s":"18e962e106761869a61045bed0e81c2c","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","issuerDN":"CN=Microsoft Secure Server Authority","issuerDN":"C=US, L=Redmond, O=Microsoft, OU=GFS, CN=*.officeapps.live.com, CN=*.msads.net, CN=*.ads2.msads.net, 
CN=*.stc.s-msn.com, CN=cdn.dc2files.*.livefilestore-int.com, CN=cdn.*.livefilestore.com, CN=*.marketplace.windowsmobile.com, CN=*.marketplace.windowsmobile-int.com, CN=*.marketplace.windowsmobile-perf.com, CN=*.stj.s-msn.com, CN=ajax.microsoft.com, CN=*.microsoft-sbs-domains.com, CN=*.live.net, CN=*.msn.com, CN=*.msn-int.com, CN=*.f1ds.shared.live-int.com, CN=*.f1ds.wlxrs-int.com, CN=*.shared.live-int.com, CN=*.shared.live.com, CN=*.microsoft.com, CN=*.live.com, CN=*.live-int.com, CN=*.wlxrs.com, CN=*.wlxrs-int.com, CN=*.st.s-msn.com, CN=*.stb.s-msn.com, CN=images.moxy.windowsphone-int.com, CN=*.wlxrsu-int.com, CN=images.partner.windowsphone-int.com, CN=images.partner.windowsphone.com, CN=*.jp.msn.com, CN=*.c3scs.jp.msn.com, CN=*.aspnetcdn.com, CN=*.hotmail.com, CN=*.partner-df.windowsphone-int.com, CN=*.s-msn.com, CN=*.live-int.net, CN=*.windowsphone-int.com, CN=*.windowsphone.com, CN=*.partner-pc.windowsphone-int.com, CN=*.manage.microsoft.com, CN=*.vo.msecnd.net","fingerprint":"FF:BF:9A:69:8F:C8:44:FF:89:F2:61:49:A7:D1:9A:98:DE:32:84:3B"}}
+03043{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"tls-rdn-extract.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":6,"flow_first_seen":946681200000,"flow_last_seen":946681200000,"flow_idle_time":7440000,"flow_min_l4_payload_len":127,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":6881,"flow_avg_l4_payload_len":1146,"midstream":1,"ts_msec":946681200000,"l3_proto":"ip4","src_ip":"10.0.0.1","dst_ip":"213.199.149.251","src_port":31337,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher","9":"TLS Expired Certificate"},"proto":"TLS.Microsoft","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"ads1.msads.net","server_names":"*.vo.msecnd.net,*.officeapps.live.com,*.msads.net,*.ads2.msads.net,*.stc.s-msn.com,cdn.dc2files.*.livefilestore-int.com,cdn.*.livefilestore.com,*.marketplace.windowsmobile.com,*.marketplace.windowsmobile-int.com,*.marketplace.windowsmobile-perf.com,*.stj.s-msn.com,ajax.microsoft.com,*.microsoft-sbs-domains.com,*.live.net,*.msn.com,*.msn-int.com,*.f1ds.shared.live-int.com,*.f1ds.wlxrs-int.com,*.shared.live-int.com,*.shared.live.com,*.microsoft.com,*.live.com,*.live-int.com,*.wlxrs.com,*.wlxrs-int.com,*.st.s-msn.com,*.stb.s-msn.com,images.moxy.windowsphone-int.com,*.wlxrsu-int.com,images.partner.windowsphone-int.com,images.partner.windowsphone.com,*.jp.msn.com,*.c3scs.jp.msn.com,*.aspnetcdn.com,*.hotmail.com,*.partner-df.windowsphone-int.com,*.s-msn.com,*.live-int.net,*.windowsphone-int.com,*.windowsphone.com,*.partner-pc.windowsphone-int.com,*.manage.microsoft.com","ja3":"2201d8e006f8f005a6b415f61e677532","ja3s":"18e962e106761869a61045bed0e81c2c","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","issuerDN":"CN=Microsoft Secure Server Authority","subjectDN":"C=US, L=Redmond, O=Microsoft, OU=GFS, CN=*.officeapps.live.com, CN=*.msads.net, CN=*.ads2.msads.net, 
CN=*.stc.s-msn.com, CN=cdn.dc2files.*.livefilestore-int.com, CN=cdn.*.livefilestore.com, CN=*.marketplace.windowsmobile.com, CN=*.marketplace.windowsmobile-int.com, CN=*.marketplace.windowsmobile-perf.com, CN=*.stj.s-msn.com, CN=ajax.microsoft.com, CN=*.microsoft-sbs-domains.com, CN=*.live.net, CN=*.msn.com, CN=*.msn-int.com, CN=*.f1ds.shared.live-int.com, CN=*.f1ds.wlxrs-int.com, CN=*.shared.live-int.com, CN=*.shared.live.com, CN=*.microsoft.com, CN=*.live.com, CN=*.live-int.com, CN=*.wlxrs.com, CN=*.wlxrs-int.com, CN=*.st.s-msn.com, CN=*.stb.s-msn.com, CN=images.moxy.windowsphone-int.com, CN=*.wlxrsu-int.com, CN=images.partner.windowsphone-int.com, CN=images.partner.windowsphone.com, CN=*.jp.msn.com, CN=*.c3scs.jp.msn.com, CN=*.aspnetcdn.com, CN=*.hotmail.com, CN=*.partner-df.windowsphone-int.com, CN=*.s-msn.com, CN=*.live-int.net, CN=*.windowsphone-int.com, CN=*.windowsphone.com, CN=*.partner-pc.windowsphone-int.com, CN=*.manage.microsoft.com, CN=*.vo.msecnd.net","fingerprint":"FF:BF:9A:69:8F:C8:44:FF:89:F2:61:49:A7:D1:9A:98:DE:32:84:3B"}}
00563{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":6,"source":"tls-rdn-extract.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":6,"flow_first_seen":946681200000,"flow_last_seen":946681200000,"flow_idle_time":7440000,"flow_min_l4_payload_len":127,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":6881,"flow_avg_l4_payload_len":1146,"midstream":1,"ts_msec":946681200000,"l3_proto":"ip4","src_ip":"10.0.0.1","dst_ip":"213.199.149.251","src_port":31337,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00163{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":6,"source":"tls-rdn-extract.pcap","alias":"nDPId-test","total-events-serialized":10}
~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
@@ -16,10 +16,10 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1969965 bytes
-~~ total memory freed........: 1969965 bytes
-~~ total allocations/frees...: 35393/35393
+~~ total memory allocated....: 4632280 bytes
+~~ total memory freed........: 4632280 bytes
+~~ total allocations/frees...: 99589/99589
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 168 chars
-~~ json string max len.......: 3047 chars
+~~ json string max len.......: 3048 chars
~~ json string avg len.......: 1625 chars
diff --git a/test/results/tls_alert.pcap.out b/test/results/tls_alert.pcap.out
index 40a363d99..4c30e9129 100644
--- a/test/results/tls_alert.pcap.out
+++ b/test/results/tls_alert.pcap.out
@@ -3,7 +3,7 @@
00477{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"tls_alert.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_last_seen":1628259176203,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"ts_msec":1628259176203,"pkt":"AICPmq69oM7IELEuCABFAABAAABAAEAGtpPAqAHAwKgBFPa2AbvtIEkOAAAAALAC\/\/9MagAAAgQFtAEDAwUBAQgKE9Ij+wAAAAAEAgAA"}
00471{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"tls_alert.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_last_seen":1628259176203,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1628259176203,"pkt":"oM7IELEuAICPmq69CABFAAA8AABAAEAGtpfAqAEUwKgBwAG79rbEoc1F7SBJD6AScSBz9QAAAgQFtAQCCAoAseWtE9Ij+wEDAwc="}
00461{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"tls_alert.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_last_seen":1628259176203,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1628259176203,"pkt":"AICPmq69oM7IELEuCABFAAA0AABAAEAGtp\/AqAHAwKgBFPa2AbvtIEkPxKHNRoAQEBUDzQAAAQEIChPSI\/sAseWt"}
-00898{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"tls_alert.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":4,"flow_first_seen":1628259176203,"flow_last_seen":1628259176204,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":199,"flow_tot_l4_payload_len":199,"flow_avg_l4_payload_len":49,"midstream":0,"ts_msec":1628259176204,"l3_proto":"ip4","src_ip":"192.168.1.192","dst_ip":"192.168.1.20","src_port":63158,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"www.google-analytics.com","ja3":"d78489b860c8bf7838a6ff0b4d131541","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1"}}
+00906{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"tls_alert.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":4,"flow_first_seen":1628259176203,"flow_last_seen":1628259176204,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":199,"flow_tot_l4_payload_len":199,"flow_avg_l4_payload_len":49,"midstream":0,"ts_msec":1628259176204,"l3_proto":"ip4","src_ip":"192.168.1.192","dst_ip":"192.168.1.20","src_port":63158,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Google","breed":"Acceptable","category":"Advertisement"},"tls": {"version":"TLSv1","client_requested_server_name":"www.google-analytics.com","ja3":"d78489b860c8bf7838a6ff0b4d131541","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1"}}
00557{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":11,"source":"tls_alert.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":11,"flow_first_seen":1628259176203,"flow_last_seen":1628259176206,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":199,"flow_tot_l4_payload_len":206,"flow_avg_l4_payload_len":18,"midstream":0,"ts_msec":1628259176206,"l3_proto":"ip4","src_ip":"192.168.1.192","dst_ip":"192.168.1.20","src_port":63158,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00157{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":11,"source":"tls_alert.pcap","alias":"nDPId-test","total-events-serialized":8}
~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
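Review bot: The regenerated `detected` event still reports `"cipher":"TLS_NULL_WITH_NULL_NULL"` with `"unsafe_cipher":0` even though `"ja3s":""` indicates that no ServerHello had been parsed by packet 4, so the cipher looks like the rendering of an unset value rather than a negotiated suite. A consumer that alerts on NULL cipher suites would raise a false positive on this flow, and one that relies on `unsafe_cipher` would read a verdict that was apparently never computed. The code that serializes these fields is outside this hunk (presumably in nDPId.c), so this is a suggestion for that code: omit `cipher` and `unsafe_cipher` until the server side of the handshake has been seen, or emit `"cipher":""` as is already done for `ja3s`. The same combination appears in the `detected` events of tls-esni-fuzzed.pcap.out earlier in this diff.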
@@ -14,10 +14,10 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1930537 bytes
-~~ total memory freed........: 1930537 bytes
-~~ total allocations/frees...: 35351/35351
+~~ total memory allocated....: 4592852 bytes
+~~ total memory freed........: 4592852 bytes
+~~ total allocations/frees...: 99547/99547
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 162 chars
-~~ json string max len.......: 903 chars
-~~ json string avg len.......: 579 chars
+~~ json string max len.......: 911 chars
+~~ json string avg len.......: 583 chars
diff --git a/test/results/tls_certificate_too_long.pcap.out b/test/results/tls_certificate_too_long.pcap.out
index 939eda28d..19092bd8b 100644
--- a/test/results/tls_certificate_too_long.pcap.out
+++ b/test/results/tls_certificate_too_long.pcap.out
@@ -8,14 +8,14 @@
00476{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":5,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_last_seen":1626168075586,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1626168075586,"pkt":"8BiYFWV86qnehSPOCABFAAA0AABAAEAGtm\/AqAGLwKgBedhHzfFqV75MQuV5fYAQD\/PHGQAAAQEICszblug90e6F"}
00563{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":12,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":1,"flow_first_seen":1626168075664,"flow_last_seen":1626168075664,"flow_idle_time":180000,"flow_min_l4_payload_len":44,"flow_max_l4_payload_len":44,"flow_tot_l4_payload_len":44,"flow_avg_l4_payload_len":44,"midstream":0,"ts_msec":1626168075664,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"8.8.8.8","src_port":52251,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00502{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":12,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_last_seen":1626168075664,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"ts_msec":1626168075664,"pkt":"WNVuaKQA8BiYFWV8CABFAABI5dsAAEARwpjAqAF5CAgICMwbADUANLpX5f8BAAABAAAAAAAAAzEyMQExAzE2OAMxOTIHaW4tYWRkcgRhcnBhAAAMAAE="}
-00743{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":12,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":1,"flow_first_seen":1626168075664,"flow_last_seen":1626168075664,"flow_idle_time":180000,"flow_min_l4_payload_len":44,"flow_max_l4_payload_len":44,"flow_tot_l4_payload_len":44,"flow_avg_l4_payload_len":44,"midstream":0,"ts_msec":1626168075664,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"8.8.8.8","src_port":52251,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Tracker\/Ads","category":"Web"},"dns": {"query":"121.1.168.192.in-addr.arpa","num_queries":0,"num_answers":0,"reply_code":0,"query_type":12,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
+00741{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":12,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":1,"flow_first_seen":1626168075664,"flow_last_seen":1626168075664,"flow_idle_time":180000,"flow_min_l4_payload_len":44,"flow_max_l4_payload_len":44,"flow_tot_l4_payload_len":44,"flow_avg_l4_payload_len":44,"midstream":0,"ts_msec":1626168075664,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"8.8.8.8","src_port":52251,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Acceptable","category":"Web"},"dns": {"query":"121.1.168.192.in-addr.arpa","num_queries":0,"num_answers":0,"reply_code":0,"query_type":12,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
00502{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":13,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_last_seen":1626168075665,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":85,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":85,"pkt_l4_len":51,"ts_msec":1626168075665,"pkt":"WNVuaKQA8BiYFWV8CABFAABHYLwAAEARR7nAqAF5CAgICMwbADUAM5mdqksBAAABAAAAAAAAAjYwAjIxAzE0OQI1Mgdpbi1hZGRyBGFycGEAAAwAAQ=="}
-00750{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":13,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":2,"flow_first_seen":1626168075664,"flow_last_seen":1626168075665,"flow_idle_time":180000,"flow_min_l4_payload_len":43,"flow_max_l4_payload_len":44,"flow_tot_l4_payload_len":87,"flow_avg_l4_payload_len":43,"midstream":0,"ts_msec":1626168075665,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"8.8.8.8","src_port":52251,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Tracker\/Ads","category":"Web"},"dns": {"query":"60.21.149.52.in-addr.arpa","num_queries":0,"num_answers":0,"reply_code":0,"query_type":12,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
+00748{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":13,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":2,"flow_first_seen":1626168075664,"flow_last_seen":1626168075665,"flow_idle_time":180000,"flow_min_l4_payload_len":43,"flow_max_l4_payload_len":44,"flow_tot_l4_payload_len":87,"flow_avg_l4_payload_len":43,"midstream":0,"ts_msec":1626168075665,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"8.8.8.8","src_port":52251,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Acceptable","category":"Web"},"dns": {"query":"60.21.149.52.in-addr.arpa","num_queries":0,"num_answers":0,"reply_code":0,"query_type":12,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
00502{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":14,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_last_seen":1626168075665,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"ts_msec":1626168075665,"pkt":"WNVuaKQA8BiYFWV8CABFAABIJLIAAEARg8LAqAF5CAgICMwbADUANFbmSGkBAAABAAAAAAAAAzEzOQExAzE2OAMxOTIHaW4tYWRkcgRhcnBhAAAMAAE="}
-00752{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":14,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":3,"flow_first_seen":1626168075664,"flow_last_seen":1626168075665,"flow_idle_time":180000,"flow_min_l4_payload_len":43,"flow_max_l4_payload_len":44,"flow_tot_l4_payload_len":131,"flow_avg_l4_payload_len":43,"midstream":0,"ts_msec":1626168075665,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"8.8.8.8","src_port":52251,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Tracker\/Ads","category":"Web"},"dns": {"query":"139.1.168.192.in-addr.arpa","num_queries":0,"num_answers":0,"reply_code":0,"query_type":12,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
-00752{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":15,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":4,"flow_first_seen":1626168075664,"flow_last_seen":1626168075675,"flow_idle_time":180000,"flow_min_l4_payload_len":43,"flow_max_l4_payload_len":44,"flow_tot_l4_payload_len":175,"flow_avg_l4_payload_len":43,"midstream":0,"ts_msec":1626168075675,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"8.8.8.8","src_port":52251,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Tracker\/Ads","category":"Web"},"dns": {"query":"139.1.168.192.in-addr.arpa","num_queries":1,"num_answers":0,"reply_code":3,"query_type":12,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
-00752{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":16,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":5,"flow_first_seen":1626168075664,"flow_last_seen":1626168075681,"flow_idle_time":180000,"flow_min_l4_payload_len":43,"flow_max_l4_payload_len":117,"flow_tot_l4_payload_len":292,"flow_avg_l4_payload_len":58,"midstream":0,"ts_msec":1626168075681,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"8.8.8.8","src_port":52251,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Tracker\/Ads","category":"Web"},"dns": {"query":"60.21.149.52.in-addr.arpa","num_queries":1,"num_answers":1,"reply_code":3,"query_type":12,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
-00753{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":17,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":6,"flow_first_seen":1626168075664,"flow_last_seen":1626168075684,"flow_idle_time":180000,"flow_min_l4_payload_len":43,"flow_max_l4_payload_len":117,"flow_tot_l4_payload_len":336,"flow_avg_l4_payload_len":56,"midstream":0,"ts_msec":1626168075684,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"8.8.8.8","src_port":52251,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Tracker\/Ads","category":"Web"},"dns": {"query":"121.1.168.192.in-addr.arpa","num_queries":1,"num_answers":0,"reply_code":3,"query_type":12,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
+00750{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":14,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":3,"flow_first_seen":1626168075664,"flow_last_seen":1626168075665,"flow_idle_time":180000,"flow_min_l4_payload_len":43,"flow_max_l4_payload_len":44,"flow_tot_l4_payload_len":131,"flow_avg_l4_payload_len":43,"midstream":0,"ts_msec":1626168075665,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"8.8.8.8","src_port":52251,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Acceptable","category":"Web"},"dns": {"query":"139.1.168.192.in-addr.arpa","num_queries":0,"num_answers":0,"reply_code":0,"query_type":12,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
+00750{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":15,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":4,"flow_first_seen":1626168075664,"flow_last_seen":1626168075675,"flow_idle_time":180000,"flow_min_l4_payload_len":43,"flow_max_l4_payload_len":44,"flow_tot_l4_payload_len":175,"flow_avg_l4_payload_len":43,"midstream":0,"ts_msec":1626168075675,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"8.8.8.8","src_port":52251,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Acceptable","category":"Web"},"dns": {"query":"139.1.168.192.in-addr.arpa","num_queries":1,"num_answers":0,"reply_code":3,"query_type":12,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
+00750{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":16,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":5,"flow_first_seen":1626168075664,"flow_last_seen":1626168075681,"flow_idle_time":180000,"flow_min_l4_payload_len":43,"flow_max_l4_payload_len":117,"flow_tot_l4_payload_len":292,"flow_avg_l4_payload_len":58,"midstream":0,"ts_msec":1626168075681,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"8.8.8.8","src_port":52251,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Acceptable","category":"Web"},"dns": {"query":"60.21.149.52.in-addr.arpa","num_queries":1,"num_answers":1,"reply_code":3,"query_type":12,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
+00751{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":17,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":6,"flow_first_seen":1626168075664,"flow_last_seen":1626168075684,"flow_idle_time":180000,"flow_min_l4_payload_len":43,"flow_max_l4_payload_len":117,"flow_tot_l4_payload_len":336,"flow_avg_l4_payload_len":56,"midstream":0,"ts_msec":1626168075684,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"8.8.8.8","src_port":52251,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Acceptable","category":"Web"},"dns": {"query":"121.1.168.192.in-addr.arpa","num_queries":1,"num_answers":0,"reply_code":3,"query_type":12,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
00568{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":18,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":1,"flow_first_seen":1626168075993,"flow_last_seen":1626168075993,"flow_idle_time":180000,"flow_min_l4_payload_len":88,"flow_max_l4_payload_len":88,"flow_tot_l4_payload_len":88,"flow_avg_l4_payload_len":88,"midstream":0,"ts_msec":1626168075993,"l3_proto":"ip4","src_ip":"192.168.1.139","dst_ip":"224.0.0.251","src_port":5353,"dst_port":5353,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00566{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":18,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":1,"flow_last_seen":1626168075993,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":130,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":130,"pkt_l4_len":96,"ts_msec":1626168075993,"pkt":"AQBeAAD76qnehSPOCABFAAB0G+EAAP8R\/GjAqAGL4AAA+xTpFOkAYH4FAAAAAAACAAAAAAABD19jb21wYW5pb24tbGluawRfdGNwBWxvY2FsAAAMgAEIX2hvbWVraXTAHAAMgAEAACkFoAAAEZQAEgAEAA4Aumq\/a01YO+qp3oUjzg=="}
00649{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":18,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":1,"flow_first_seen":1626168075993,"flow_last_seen":1626168075993,"flow_idle_time":180000,"flow_min_l4_payload_len":88,"flow_max_l4_payload_len":88,"flow_tot_l4_payload_len":88,"flow_avg_l4_payload_len":88,"midstream":0,"ts_msec":1626168075993,"l3_proto":"ip4","src_ip":"192.168.1.139","dst_ip":"224.0.0.251","src_port":5353,"dst_port":5353,"l4_proto":"udp","ndpi": {"proto":"MDNS","breed":"Acceptable","category":"Network"},"mdns": {"answer":"_companion-link._tcp.local"}}
@@ -43,7 +43,7 @@
00747{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":41,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":10,"flow_packets_processed":2,"flow_first_seen":1626168077415,"flow_last_seen":1626168077439,"flow_idle_time":180000,"flow_min_l4_payload_len":36,"flow_max_l4_payload_len":161,"flow_tot_l4_payload_len":197,"flow_avg_l4_payload_len":98,"midstream":0,"ts_msec":1626168077439,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"8.8.8.8","src_port":53884,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Microsoft","breed":"Safe","category":"Cloud"},"dns": {"query":"wdcp.microsoft.com","num_queries":1,"num_answers":3,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"40.113.10.47"}}
00564{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":42,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":11,"flow_packets_processed":1,"flow_first_seen":1626168077441,"flow_last_seen":1626168077441,"flow_idle_time":180000,"flow_min_l4_payload_len":73,"flow_max_l4_payload_len":73,"flow_tot_l4_payload_len":73,"flow_avg_l4_payload_len":73,"midstream":0,"ts_msec":1626168077441,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"8.8.8.8","src_port":65492,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00547{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":42,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":1,"flow_last_seen":1626168077441,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":115,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":115,"pkt_l4_len":81,"ts_msec":1626168077441,"pkt":"WNVuaKQA8BiYFWV8CABFAABlf9gAAEARKH\/AqAF5CAgICP\/UADUAUcNfVk0BAAABAAAAAAAAGHdkLXByb2QtY3AtZXUtbm9ydGgtMi1mZQtub3J0aGV1cm9wZQhjbG91ZGFwcAVhenVyZQNjb20AAEEAAQ=="}
-00770{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":42,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":11,"flow_packets_processed":1,"flow_first_seen":1626168077441,"flow_last_seen":1626168077441,"flow_idle_time":180000,"flow_min_l4_payload_len":73,"flow_max_l4_payload_len":73,"flow_tot_l4_payload_len":73,"flow_avg_l4_payload_len":73,"midstream":0,"ts_msec":1626168077441,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"8.8.8.8","src_port":65492,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Microsoft","breed":"Safe","category":"Cloud"},"dns": {"query":"wd-prod-cp-eu-north-2-fe.northeurope.cloudapp.azure.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":65,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
+00772{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":42,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":11,"flow_packets_processed":1,"flow_first_seen":1626168077441,"flow_last_seen":1626168077441,"flow_idle_time":180000,"flow_min_l4_payload_len":73,"flow_max_l4_payload_len":73,"flow_tot_l4_payload_len":73,"flow_avg_l4_payload_len":73,"midstream":0,"ts_msec":1626168077441,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"8.8.8.8","src_port":65492,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Azure","breed":"Acceptable","category":"Cloud"},"dns": {"query":"wd-prod-cp-eu-north-2-fe.northeurope.cloudapp.azure.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":65,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
00567{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":43,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":12,"flow_packets_processed":1,"flow_first_seen":1626168077469,"flow_last_seen":1626168077469,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1626168077469,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"40.113.10.47","src_port":53910,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00495{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":43,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":12,"flow_packet_id":1,"flow_last_seen":1626168077469,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"ts_msec":1626168077469,"pkt":"WNVuaKQA8BiYFWV8CABFAABAAABAAEAGRffAqAF5KHEKL9KWAbtjvPcwAAAAALAC\/\/\/cwgAAAgQFtAEDAwYBAQgKPdH4ZwAAAAAEAgAA"}
00725{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":44,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":2,"flow_last_seen":1626168077486,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":250,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":250,"pkt_l4_len":216,"ts_msec":1626168077486,"pkt":"8BiYFWV8WNVuaKQACABFAADs3EYAAHkRkokICAgIwKgBeQA12Q8A2KuGXeWBgAABAAIAAQAABHdkY3AJbWljcm9zb2Z0A2NvbQAAQQABwAwABQABAAAN4AAfCndkLXByb2QtY3AOdHJhZmZpY21hbmFnZXIDbmV0AMAwAAUAAQAAAG0ANhh3ZC1wcm9kLWNwLWV1LW5vcnRoLTEtZmULbm9ydGhldXJvcGUIY2xvdWRhcHAFYXp1cmXAG8B0AAYAAQAAADsAMwRwcmQxDmF6dXJlZG5zLWNsb3VkwEoGbXNuaHN0wBEAACcRAAADhAAAASwACTqAAAAAPA=="}
@@ -51,14 +51,14 @@
00567{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":45,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":13,"flow_packets_processed":1,"flow_first_seen":1626168077506,"flow_last_seen":1626168077506,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1626168077506,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"40.113.10.47","src_port":53911,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00494{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":45,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":13,"flow_packet_id":1,"flow_last_seen":1626168077506,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"ts_msec":1626168077506,"pkt":"WNVuaKQA8BiYFWV8CABFAABAAABAAEAGRffAqAF5KHEKL9KXAbtENsV0AAAAALAC\/\/8t3wAAAgQFtAEDAwYBAQgKPdH4jAAAAAAEAgAA"}
00647{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":46,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":2,"flow_last_seen":1626168077507,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":191,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":191,"pkt_l4_len":157,"ts_msec":1626168077507,"pkt":"8BiYFWV8WNVuaKQACABFAACx7P0AAHkRgg0ICAgIwKgBeQA1\/9QAnZiFVk2BgAABAAAAAQAAGHdkLXByb2QtY3AtZXUtbm9ydGgtMi1mZQtub3J0aGV1cm9wZQhjbG91ZGFwcAVhenVyZQNjb20AAEEAAcAlAAYAAQAAADsAQARwcmQxDmF6dXJlZG5zLWNsb3VkA25ldAAGbXNuaHN0CW1pY3Jvc29mdMBAAAAnEQAAA4QAAAEsAAk6gAAAADw="}
-00781{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":46,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":11,"flow_packets_processed":2,"flow_first_seen":1626168077441,"flow_last_seen":1626168077507,"flow_idle_time":180000,"flow_min_l4_payload_len":73,"flow_max_l4_payload_len":149,"flow_tot_l4_payload_len":222,"flow_avg_l4_payload_len":111,"midstream":0,"ts_msec":1626168077507,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"8.8.8.8","src_port":65492,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Microsoft","breed":"Safe","category":"Cloud"},"dns": {"query":"wd-prod-cp-eu-north-2-fe.northeurope.cloudapp.azure.com","num_queries":1,"num_answers":1,"reply_code":0,"query_type":65,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
+00783{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":46,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":11,"flow_packets_processed":2,"flow_first_seen":1626168077441,"flow_last_seen":1626168077507,"flow_idle_time":180000,"flow_min_l4_payload_len":73,"flow_max_l4_payload_len":149,"flow_tot_l4_payload_len":222,"flow_avg_l4_payload_len":111,"midstream":0,"ts_msec":1626168077507,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"8.8.8.8","src_port":65492,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Azure","breed":"Acceptable","category":"Cloud"},"dns": {"query":"wd-prod-cp-eu-north-2-fe.northeurope.cloudapp.azure.com","num_queries":1,"num_answers":1,"reply_code":0,"query_type":65,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
00479{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":47,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":12,"flow_packet_id":2,"flow_last_seen":1626168077517,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1626168077517,"pkt":"8BiYFWV8WNVuaKQACABFAAA0QHFAAG0G2JEocQovwKgBeQG70pbavX69Y7z3MYAS\/\/\/xlwAAAgQFoAEDAwgBAQQC"}
00461{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":48,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":12,"flow_packet_id":3,"flow_last_seen":1626168077517,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1626168077517,"pkt":"WNVuaKQA8BiYFWV8CABFAAAoAABAAEAGRg\/AqAF5KHEKL9KWAbtjvPcx2r1+vlAQEAAiVwAA"}
00878{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":49,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":12,"flow_packets_processed":4,"flow_first_seen":1626168077469,"flow_last_seen":1626168077517,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1626168077517,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"40.113.10.47","src_port":53910,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Microsoft","breed":"Safe","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"wdcp.microsoft.com","ja3":"656b9a2f4de6ed4909e157482860ab3d","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00478{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":50,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":13,"flow_packet_id":2,"flow_last_seen":1626168077557,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1626168077557,"pkt":"8BiYFWV8WNVuaKQACABFAAA0ihJAAG0GjvAocQovwKgBeQG70pd9bt1TRDbFdYAS\/\/9BkgAAAgQFoAEDAwgBAQQC"}
00461{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":51,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":13,"flow_packet_id":3,"flow_last_seen":1626168077557,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1626168077557,"pkt":"WNVuaKQA8BiYFWV8CABFAAAoAABAAEAGRg\/AqAF5KHEKL9KXAbtENsV1fW7dVFAQEAByUQAA"}
00878{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":52,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":13,"flow_packets_processed":4,"flow_first_seen":1626168077506,"flow_last_seen":1626168077557,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1626168077557,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"40.113.10.47","src_port":53911,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Microsoft","breed":"Safe","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"wdcp.microsoft.com","ja3":"656b9a2f4de6ed4909e157482860ab3d","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-01428{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":55,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":12,"flow_packets_processed":7,"flow_first_seen":1626168077469,"flow_last_seen":1626168077565,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":4378,"flow_avg_l4_payload_len":625,"midstream":0,"ts_msec":1626168077565,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"40.113.10.47","src_port":53910,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"32":"TLS certificate validity longer than 13 months"},"proto":"TLS.Microsoft","breed":"Safe","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"wdcp.microsoft.com","server_names":"wdcp.microsoft.com,spynet2.microsoft.com,wdcpalt.microsoft.com,spynetalt.microsoft.com,*.cp.wd.microsoft.com","ja3":"656b9a2f4de6ed4909e157482860ab3d","ja3s":"17e97216fa7f4ec8c43090c6eed97c25","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Secure Server CA 2011","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=wdcp.microsoft.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"81:41:67:66:7E:A9:1B:AA:61:3D:DE:D1:41:E7:17:13:CE:C4:3B:22"}}
+01360{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":55,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":12,"flow_packets_processed":7,"flow_first_seen":1626168077469,"flow_last_seen":1626168077565,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":4378,"flow_avg_l4_payload_len":625,"midstream":0,"ts_msec":1626168077565,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"40.113.10.47","src_port":53910,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Microsoft","breed":"Safe","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"wdcp.microsoft.com","server_names":"wdcp.microsoft.com,spynet2.microsoft.com,wdcpalt.microsoft.com,spynetalt.microsoft.com,*.cp.wd.microsoft.com","ja3":"656b9a2f4de6ed4909e157482860ab3d","ja3s":"17e97216fa7f4ec8c43090c6eed97c25","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Secure Server CA 2011","subjectDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=wdcp.microsoft.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"81:41:67:66:7E:A9:1B:AA:61:3D:DE:D1:41:E7:17:13:CE:C4:3B:22"}}
00564{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":58,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":1,"flow_first_seen":1626168077590,"flow_last_seen":1626168077590,"flow_idle_time":180000,"flow_min_l4_payload_len":35,"flow_max_l4_payload_len":35,"flow_tot_l4_payload_len":35,"flow_avg_l4_payload_len":35,"midstream":0,"ts_msec":1626168077590,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"8.8.8.8","src_port":51364,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00492{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":58,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":14,"flow_packet_id":1,"flow_last_seen":1626168077590,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":77,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":77,"pkt_l4_len":43,"ts_msec":1626168077590,"pkt":"WNVuaKQA8BiYFWV8CABFAAA\/efAAAEARLo3AqAF5CAgICMikADUAK6rjycUBAAABAAAAAAAAA3d3dwltaWNyb3NvZnQDY29tAABBAAE="}
00732{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":58,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":1,"flow_first_seen":1626168077590,"flow_last_seen":1626168077590,"flow_idle_time":180000,"flow_min_l4_payload_len":35,"flow_max_l4_payload_len":35,"flow_tot_l4_payload_len":35,"flow_avg_l4_payload_len":35,"midstream":0,"ts_msec":1626168077590,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"8.8.8.8","src_port":51364,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Microsoft","breed":"Safe","category":"Cloud"},"dns": {"query":"www.microsoft.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":65,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
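Review bot: The new `detection-update` record for flow 12 (packet 55) no longer carries `"flow_risk": {"32":"TLS certificate validity longer than 13 months"}`, and the same entry disappears for flow 13 (packet 65) in the following hunk. Every record here names `tls_certificate_too_long.pcap` as its source, so this looks like the one fixture meant to pin that risk, and after this update the expected output would pass even if the risk were never raised. Presumably this comes from the libnDPI bump changing when, or whether, the certificate-validity check fires; that cannot be confirmed from these hunks, and the risk may still be reported in an event outside them. If the drop is intentional, say so in the commit message; otherwise keep an expectation that still contains the `"32"` risk entry, so a silent loss of this detection fails the test. The `issuerDN`/`subjectDN` key correction on the same lines is fine and unrelated to this point.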
@@ -69,13 +69,13 @@
00743{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":60,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":2,"flow_first_seen":1626168077590,"flow_last_seen":1626168077604,"flow_idle_time":180000,"flow_min_l4_payload_len":35,"flow_max_l4_payload_len":247,"flow_tot_l4_payload_len":282,"flow_avg_l4_payload_len":141,"midstream":0,"ts_msec":1626168077604,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"8.8.8.8","src_port":51364,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Microsoft","breed":"Safe","category":"Cloud"},"dns": {"query":"www.microsoft.com","num_queries":1,"num_answers":4,"reply_code":0,"query_type":65,"rsp_type":5,"rsp_addr":"0.0.0.0"}}
00564{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":61,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":16,"flow_packets_processed":1,"flow_first_seen":1626168077604,"flow_last_seen":1626168077604,"flow_idle_time":180000,"flow_min_l4_payload_len":44,"flow_max_l4_payload_len":44,"flow_tot_l4_payload_len":44,"flow_avg_l4_payload_len":44,"midstream":0,"ts_msec":1626168077604,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"8.8.8.8","src_port":55578,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00503{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":61,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":1,"flow_last_seen":1626168077604,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"ts_msec":1626168077604,"pkt":"WNVuaKQA8BiYFWV8CABFAABIwDAAAEAR6EPAqAF5CAgICNkaADUANI8rXZMBAAABAAAAAAAABmUxMzY3OARkc2NiCmFrYW1haWVkZ2UDbmV0AABBAAE="}
-00744{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":61,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":16,"flow_packets_processed":1,"flow_first_seen":1626168077604,"flow_last_seen":1626168077604,"flow_idle_time":180000,"flow_min_l4_payload_len":44,"flow_max_l4_payload_len":44,"flow_tot_l4_payload_len":44,"flow_avg_l4_payload_len":44,"midstream":0,"ts_msec":1626168077604,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"8.8.8.8","src_port":55578,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Tracker\/Ads","category":"Web"},"dns": {"query":"e13678.dscb.akamaiedge.net","num_queries":0,"num_answers":0,"reply_code":0,"query_type":65,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
+00742{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":61,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":16,"flow_packets_processed":1,"flow_first_seen":1626168077604,"flow_last_seen":1626168077604,"flow_idle_time":180000,"flow_min_l4_payload_len":44,"flow_max_l4_payload_len":44,"flow_tot_l4_payload_len":44,"flow_avg_l4_payload_len":44,"midstream":0,"ts_msec":1626168077604,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"8.8.8.8","src_port":55578,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Acceptable","category":"Web"},"dns": {"query":"e13678.dscb.akamaiedge.net","num_queries":0,"num_answers":0,"reply_code":0,"query_type":65,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
00564{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":62,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":17,"flow_packets_processed":1,"flow_first_seen":1626168077604,"flow_last_seen":1626168077604,"flow_idle_time":180000,"flow_min_l4_payload_len":44,"flow_max_l4_payload_len":44,"flow_tot_l4_payload_len":44,"flow_avg_l4_payload_len":44,"midstream":0,"ts_msec":1626168077604,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"8.8.8.8","src_port":54561,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00504{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":62,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":17,"flow_packet_id":1,"flow_last_seen":1626168077604,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"ts_msec":1626168077604,"pkt":"WNVuaKQA8BiYFWV8CABFAABIJH8AAEARg\/XAqAF5CAgICNUhADUANLCIQG8BAAABAAAAAAAABmUxMzY3OARkc2NiCmFrYW1haWVkZ2UDbmV0AAABAAE="}
-00743{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":62,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":17,"flow_packets_processed":1,"flow_first_seen":1626168077604,"flow_last_seen":1626168077604,"flow_idle_time":180000,"flow_min_l4_payload_len":44,"flow_max_l4_payload_len":44,"flow_tot_l4_payload_len":44,"flow_avg_l4_payload_len":44,"midstream":0,"ts_msec":1626168077604,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"8.8.8.8","src_port":54561,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Tracker\/Ads","category":"Web"},"dns": {"query":"e13678.dscb.akamaiedge.net","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
-01428{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":65,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":13,"flow_packets_processed":7,"flow_first_seen":1626168077506,"flow_last_seen":1626168077607,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":4378,"flow_avg_l4_payload_len":625,"midstream":0,"ts_msec":1626168077607,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"40.113.10.47","src_port":53911,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"32":"TLS certificate validity longer than 13 months"},"proto":"TLS.Microsoft","breed":"Safe","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"wdcp.microsoft.com","server_names":"wdcp.microsoft.com,spynet2.microsoft.com,wdcpalt.microsoft.com,spynetalt.microsoft.com,*.cp.wd.microsoft.com","ja3":"656b9a2f4de6ed4909e157482860ab3d","ja3s":"17e97216fa7f4ec8c43090c6eed97c25","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Secure Server CA 2011","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=wdcp.microsoft.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"81:41:67:66:7E:A9:1B:AA:61:3D:DE:D1:41:E7:17:13:CE:C4:3B:22"}}
+00741{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":62,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":17,"flow_packets_processed":1,"flow_first_seen":1626168077604,"flow_last_seen":1626168077604,"flow_idle_time":180000,"flow_min_l4_payload_len":44,"flow_max_l4_payload_len":44,"flow_tot_l4_payload_len":44,"flow_avg_l4_payload_len":44,"midstream":0,"ts_msec":1626168077604,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"8.8.8.8","src_port":54561,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Acceptable","category":"Web"},"dns": {"query":"e13678.dscb.akamaiedge.net","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
+01360{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":65,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":13,"flow_packets_processed":7,"flow_first_seen":1626168077506,"flow_last_seen":1626168077607,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":4378,"flow_avg_l4_payload_len":625,"midstream":0,"ts_msec":1626168077607,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"40.113.10.47","src_port":53911,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Microsoft","breed":"Safe","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"wdcp.microsoft.com","server_names":"wdcp.microsoft.com,spynet2.microsoft.com,wdcpalt.microsoft.com,spynetalt.microsoft.com,*.cp.wd.microsoft.com","ja3":"656b9a2f4de6ed4909e157482860ab3d","ja3s":"17e97216fa7f4ec8c43090c6eed97c25","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Secure Server CA 2011","subjectDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=wdcp.microsoft.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"81:41:67:66:7E:A9:1B:AA:61:3D:DE:D1:41:E7:17:13:CE:C4:3B:22"}}
00590{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":69,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":2,"flow_last_seen":1626168077619,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":150,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":150,"pkt_l4_len":116,"ts_msec":1626168077619,"pkt":"8BiYFWV8WNVuaKQACABFAACITIkAAHkRIqsICAgIwKgBeQA12RoAdB3yXZOBgAABAAAAAQAABmUxMzY3OARkc2NiCmFrYW1haWVkZ2UDbmV0AABBAAHAEwAGAAEAAAKpADQGbjBkc2NiwBgKaG9zdG1hc3RlcgZha2FtYWkDY29tAGDtWc8AAAPoAAAD6AAAA+gAAAcI"}
-00754{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":69,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":16,"flow_packets_processed":2,"flow_first_seen":1626168077604,"flow_last_seen":1626168077619,"flow_idle_time":180000,"flow_min_l4_payload_len":44,"flow_max_l4_payload_len":108,"flow_tot_l4_payload_len":152,"flow_avg_l4_payload_len":76,"midstream":0,"ts_msec":1626168077619,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"8.8.8.8","src_port":55578,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Tracker\/Ads","category":"Web"},"dns": {"query":"e13678.dscb.akamaiedge.net","num_queries":1,"num_answers":1,"reply_code":0,"query_type":65,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
+00752{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":69,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":16,"flow_packets_processed":2,"flow_first_seen":1626168077604,"flow_last_seen":1626168077619,"flow_idle_time":180000,"flow_min_l4_payload_len":44,"flow_max_l4_payload_len":108,"flow_tot_l4_payload_len":152,"flow_avg_l4_payload_len":76,"midstream":0,"ts_msec":1626168077619,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"8.8.8.8","src_port":55578,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Acceptable","category":"Web"},"dns": {"query":"e13678.dscb.akamaiedge.net","num_queries":1,"num_answers":1,"reply_code":0,"query_type":65,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
00565{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":70,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":18,"flow_packets_processed":1,"flow_first_seen":1626168077620,"flow_last_seen":1626168077620,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1626168077620,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"2.22.33.235","src_port":53912,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00496{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":70,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":18,"flow_packet_id":1,"flow_last_seen":1626168077620,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"ts_msec":1626168077620,"pkt":"WNVuaKQA8BiYFWV8CABFAABAAABAAEAGVJbAqAF5AhYh69KYAFDHEa2yAAAAALAC\/\/\/SXgAAAgQFtAEDAwYBAQgKPdH4\/AAAAAAEAgAA"}
00718{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":71,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":2,"flow_last_seen":1626168077622,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":244,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":244,"pkt_l4_len":210,"ts_msec":1626168077622,"pkt":"8BiYFWV8WNVuaKQACABFAADmBoMAAHgRaVMICAgIwKgBeQA14zEA0sNDCy+BgAABAAQAAAAAA3d3dwltaWNyb3NvZnQDY29tAAABAAHADAAFAAEAAAosACMDd3d3CW1pY3Jvc29mdAdjb20tYy0zB2VkZ2VrZXkDbmV0AMAvAAUAAQAAAyUANwN3d3cJbWljcm9zb2Z0B2NvbS1jLTMHZWRnZWtleQNuZXQLZ2xvYmFscmVkaXIGYWthZG5zwE3AXgAFAAEAAAMDABkGZTEzNjc4BGRzY2IKYWthbWFpZWRnZcBNwKEAAQABAAAAEwAEAhYh6w=="}
@@ -84,7 +84,7 @@
00476{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":73,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":18,"flow_packet_id":3,"flow_last_seen":1626168077632,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1626168077632,"pkt":"WNVuaKQA8BiYFWV8CABFAAA0AABAAEAGVKLAqAF5AhYh69KYAFDHEa2zFW1yB4AQCArKugAAAQEICj3R+QegBBfW"}
00781{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":74,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":18,"flow_packets_processed":4,"flow_first_seen":1626168077620,"flow_last_seen":1626168077632,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":211,"flow_tot_l4_payload_len":211,"flow_avg_l4_payload_len":52,"midstream":0,"ts_msec":1626168077632,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"2.22.33.235","src_port":53912,"dst_port":80,"l4_proto":"tcp","ndpi": {"proto":"HTTP.Microsoft","breed":"Safe","category":"Cloud"},"http": {"hostname":"www.microsoft.com","url":"www.microsoft.com\/pki\/certs\/MicRooCerAut2011_2011_03_22.crt","code":0,"content_type":"","user_agent":"com.apple.trustd\/2.0"}}
00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":75,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":17,"flow_packet_id":2,"flow_last_seen":1626168077633,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":102,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":102,"pkt_l4_len":68,"ts_msec":1626168077633,"pkt":"8BiYFWV8WNVuaKQACABFAABYGXsAAHgRVukICAgIwKgBeQA11SEAREvAQG+BgAABAAEAAAAABmUxMzY3OARkc2NiCmFrYW1haWVkZ2UDbmV0AAABAAHADAABAAEAAAATAAQCFiHr"}
-00756{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":75,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":17,"flow_packets_processed":2,"flow_first_seen":1626168077604,"flow_last_seen":1626168077633,"flow_idle_time":180000,"flow_min_l4_payload_len":44,"flow_max_l4_payload_len":60,"flow_tot_l4_payload_len":104,"flow_avg_l4_payload_len":52,"midstream":0,"ts_msec":1626168077633,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"8.8.8.8","src_port":54561,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Tracker\/Ads","category":"Web"},"dns": {"query":"e13678.dscb.akamaiedge.net","num_queries":1,"num_answers":1,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"2.22.33.235"}}
+00754{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":75,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":17,"flow_packets_processed":2,"flow_first_seen":1626168077604,"flow_last_seen":1626168077633,"flow_idle_time":180000,"flow_min_l4_payload_len":44,"flow_max_l4_payload_len":60,"flow_tot_l4_payload_len":104,"flow_avg_l4_payload_len":52,"midstream":0,"ts_msec":1626168077633,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"8.8.8.8","src_port":54561,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Acceptable","category":"Web"},"dns": {"query":"e13678.dscb.akamaiedge.net","num_queries":1,"num_answers":1,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"2.22.33.235"}}
00871{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":77,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":18,"flow_packets_processed":6,"flow_first_seen":1626168077620,"flow_last_seen":1626168077654,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1436,"flow_tot_l4_payload_len":1647,"flow_avg_l4_payload_len":274,"midstream":0,"ts_msec":1626168077654,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"2.22.33.235","src_port":53912,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"4":"Binary application transfer"},"proto":"HTTP.Microsoft","breed":"Safe","category":"Download"},"http": {"hostname":"www.microsoft.com","url":"www.microsoft.com\/pki\/certs\/MicRooCerAut2011_2011_03_22.crt","code":200,"content_type":"application\/octet-stream","user_agent":"com.apple.trustd\/2.0"}}
00565{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":81,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":19,"flow_packets_processed":1,"flow_first_seen":1626168077660,"flow_last_seen":1626168077660,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1626168077660,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"2.22.33.235","src_port":53913,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00494{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":81,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":19,"flow_packet_id":1,"flow_last_seen":1626168077660,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"ts_msec":1626168077660,"pkt":"WNVuaKQA8BiYFWV8CABFAABAAABAAEAGVJbAqAF5AhYh69KZAFBWi1SkAAAAALAC\/\/+bzgAAAgQFtAEDAwYBAQgKPdH5IAAAAAAEAgAA"}
@@ -101,15 +101,15 @@
00744{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":98,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":21,"flow_packets_processed":2,"flow_first_seen":1626168077735,"flow_last_seen":1626168077749,"flow_idle_time":180000,"flow_min_l4_payload_len":38,"flow_max_l4_payload_len":151,"flow_tot_l4_payload_len":189,"flow_avg_l4_payload_len":94,"midstream":0,"ts_msec":1626168077749,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"8.8.8.8","src_port":65213,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Apple","breed":"Safe","category":"Web"},"dns": {"query":"time-macos.apple.com","num_queries":1,"num_answers":6,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"17.253.54.251"}}
00571{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":99,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":22,"flow_packets_processed":1,"flow_first_seen":1626168077750,"flow_last_seen":1626168077750,"flow_idle_time":180000,"flow_min_l4_payload_len":48,"flow_max_l4_payload_len":48,"flow_tot_l4_payload_len":48,"flow_avg_l4_payload_len":48,"midstream":0,"ts_msec":1626168077750,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"17.253.54.251","src_port":49216,"dst_port":123,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00507{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":99,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":22,"flow_packet_id":1,"flow_last_seen":1626168077750,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":90,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":90,"pkt_l4_len":56,"ts_msec":1626168077750,"pkt":"WNVuaKQA8BiYFWV8CABFAABMdJwAAEAR+uvAqAF5Ef02+8BAAHsAOBCpIwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}
-00602{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":99,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":22,"flow_packets_processed":1,"flow_first_seen":1626168077750,"flow_last_seen":1626168077750,"flow_idle_time":180000,"flow_min_l4_payload_len":48,"flow_max_l4_payload_len":48,"flow_tot_l4_payload_len":48,"flow_avg_l4_payload_len":48,"midstream":0,"ts_msec":1626168077750,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"17.253.54.251","src_port":49216,"dst_port":123,"l4_proto":"udp","ndpi": {"proto":"NTP.Apple","breed":"Safe","category":"System"}}
+00640{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":99,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":22,"flow_packets_processed":1,"flow_first_seen":1626168077750,"flow_last_seen":1626168077750,"flow_idle_time":180000,"flow_min_l4_payload_len":48,"flow_max_l4_payload_len":48,"flow_tot_l4_payload_len":48,"flow_avg_l4_payload_len":48,"midstream":0,"ts_msec":1626168077750,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"17.253.54.251","src_port":49216,"dst_port":123,"l4_proto":"udp","ndpi": {"proto":"NTP.Apple","breed":"Safe","category":"System"},"ntp": {"request_code":0,"version":0}}
00509{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":102,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":22,"flow_packet_id":2,"flow_last_seen":1626168077780,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":90,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":90,"pkt_l4_len":56,"ts_msec":1626168077780,"pkt":"8BiYFWV8WNVuaKQACABFAABMU7FAADcR5NYR\/Tb7wKgBeQB7wEAAOB9pJAED6wAAAAAAAAALU0hNAOSX2YmMm6TtAAAAAAAAAADkl9mN1Ssd5+SX2Y3VLRfJ"}
00522{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":103,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":20,"flow_packet_id":2,"flow_last_seen":1626168077848,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":97,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":97,"pkt_l4_len":63,"ts_msec":1626168077848,"pkt":"8BiYFWV8WNVuaKQACABFAABTEkpAADAGeM2MUnEawKgBeQG70pHkPsMTwD\/s34AYAEWx6wAAAQEICkDJEb890flmFQMDABpqQiSe8lZWsEgoTupah5UnGMUqJn8V431Q+A=="}
00478{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":104,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":20,"flow_packet_id":3,"flow_last_seen":1626168077848,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1626168077848,"pkt":"8BiYFWV8WNVuaKQACABFAAA0EktAADAGeOuMUnEawKgBeQG70pHkPsMywD\/s34ARAEUESgAAAQEICkDJEcA90flm"}
00565{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":106,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":23,"flow_packets_processed":1,"flow_first_seen":1626168078653,"flow_last_seen":1626168078653,"flow_idle_time":180000,"flow_min_l4_payload_len":42,"flow_max_l4_payload_len":42,"flow_tot_l4_payload_len":42,"flow_avg_l4_payload_len":42,"midstream":0,"ts_msec":1626168078653,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"8.8.8.8","src_port":51998,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00501{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":106,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":23,"flow_packet_id":1,"flow_last_seen":1626168078653,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":84,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":84,"pkt_l4_len":50,"ts_msec":1626168078653,"pkt":"WNVuaKQA8BiYFWV8CABFAABGLVcAAEARex\/AqAF5CAgICMseADUAMgvmotEBAAABAAAAAAAAAzIzNQIzMwIyMgEyB2luLWFkZHIEYXJwYQAADAAB"}
-00743{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":106,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":23,"flow_packets_processed":1,"flow_first_seen":1626168078653,"flow_last_seen":1626168078653,"flow_idle_time":180000,"flow_min_l4_payload_len":42,"flow_max_l4_payload_len":42,"flow_tot_l4_payload_len":42,"flow_avg_l4_payload_len":42,"midstream":0,"ts_msec":1626168078653,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"8.8.8.8","src_port":51998,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Tracker\/Ads","category":"Web"},"dns": {"query":"235.33.22.2.in-addr.arpa","num_queries":0,"num_answers":0,"reply_code":0,"query_type":12,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
+00741{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":106,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":23,"flow_packets_processed":1,"flow_first_seen":1626168078653,"flow_last_seen":1626168078653,"flow_idle_time":180000,"flow_min_l4_payload_len":42,"flow_max_l4_payload_len":42,"flow_tot_l4_payload_len":42,"flow_avg_l4_payload_len":42,"midstream":0,"ts_msec":1626168078653,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"8.8.8.8","src_port":51998,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Acceptable","category":"Web"},"dns": {"query":"235.33.22.2.in-addr.arpa","num_queries":0,"num_answers":0,"reply_code":0,"query_type":12,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
00504{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":107,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":23,"flow_packet_id":2,"flow_last_seen":1626168078654,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"ts_msec":1626168078654,"pkt":"WNVuaKQA8BiYFWV8CABFAABITn4AAEARWfbAqAF5CAgICMseADUANKzYlN8BAAABAAAAAAAAAjI2AzExMwI4MgMxNDAHaW4tYWRkcgRhcnBhAAAMAAE="}
-00753{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":107,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":23,"flow_packets_processed":2,"flow_first_seen":1626168078653,"flow_last_seen":1626168078654,"flow_idle_time":180000,"flow_min_l4_payload_len":42,"flow_max_l4_payload_len":44,"flow_tot_l4_payload_len":86,"flow_avg_l4_payload_len":43,"midstream":0,"ts_msec":1626168078654,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"8.8.8.8","src_port":51998,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Tracker\/Ads","category":"Web"},"dns": {"query":"26.113.82.140.in-addr.arpa","num_queries":0,"num_answers":0,"reply_code":0,"query_type":12,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
+00751{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":107,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":23,"flow_packets_processed":2,"flow_first_seen":1626168078653,"flow_last_seen":1626168078654,"flow_idle_time":180000,"flow_min_l4_payload_len":42,"flow_max_l4_payload_len":44,"flow_tot_l4_payload_len":86,"flow_avg_l4_payload_len":43,"midstream":0,"ts_msec":1626168078654,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"8.8.8.8","src_port":51998,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Acceptable","category":"Web"},"dns": {"query":"26.113.82.140.in-addr.arpa","num_queries":0,"num_answers":0,"reply_code":0,"query_type":12,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
00580{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":108,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":24,"flow_packets_processed":1,"flow_first_seen":1626168078673,"flow_last_seen":1626168078673,"flow_idle_time":7440000,"flow_min_l4_payload_len":1448,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":1448,"flow_avg_l4_payload_len":1448,"midstream":1,"ts_msec":1626168078673,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"52.98.163.18","src_port":53429,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
02425{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":108,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":24,"flow_packet_id":1,"flow_last_seen":1626168078673,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":1502,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1502,"pkt_l4_len":1468,"ts_msec":1626168078673,"pkt":"WNVuaKQA8BiYFWV8CABFAgXQAABAAEAGm5DAqAF5NGKjEtC1Absg2aa\/F4bv+FAQEACuIgAAFwMDCRUAAAAAAAAAWfKHBs70qmO4BAxw\/KH76VJthsd+JmhEdw9LbrjkTjI9b3XfM0DMNLKHxmQFc1wZ9+v47IezDEajRVIeCS0iuwLsGsA3YBgKp65J4M20GnYw3QEoWxPt99213+KI1CclXQzaueofFw\/qIILvmneWSh5sBJstqbtZLD2cDfq2tFoUseLZtuSKYL5M6qSNwvarEAmysHZgT7Udi\/a0Qp07Np4WgFkq\/a9MQH22ift7VaKutQa0mJmP19SdWXTILAVbvhO3J6cdL9EqjePIeIkXKca0uVG2cDnC+ogcIBgWiBVq1pQlzG6pgHKD3PRA0vNoda3MJ0atx621R\/WKvfMZJYbQztqn6MP4oCdEaJloUS59wJjijiLCZEHV1oirlnS2nC0LRIMkV0xOr2eStcvbZVXw4nOKDQS6H4Zgv11KltQC1JnlZF3H2hfUzks7VZJ1piCl7JLEyNiXPboWZlWGmZoEaDAEUa\/zJI4IEULQtYV9J4jBVG0LIyT8dLpi5cgu5HSsaKdQTef+rQO01UnLW77pUjM2FuWnb+vOmbNg9vroOAp08oUd4WURirzl+3HYtCcfBI3wOCJwEWivMjawTzc9kqNg6MLXXDVodJ+9u6ySbjGo8wdF8Ujzicfc0DHPbSwSWwzi48Lx1Xv3zlCdNcfYFQi2USvaYTxC82pbJFTcLcjA75y5d4uDzJFLRDQQPcLYiW1zyuRecgn4v\/HoR\/nQn8q3KO2aunXtZjN2Sgwqa9bCj+P70uuLOr7LdCSf95Yuvv83BVkjI8LO\/K2GelZusfiw+ph2AM5v3nVCVFtVClMHt5LBbn90AGigLyLssV8usgvMte9WY2YO5RbaLrRuaQaZXq7xKP6I9rbLNl04xmGTkSwgMCnsYgpwvWgoxVEJKIK81LOzdRyjEIzviQKsdu5zYpaTUYn0gMWLbk8gisL6HsaNyyzZRZny4WG9c8rHaQ0AVF7OZHAfugm1G0Ya+4uTEO06lH0Y0luTPeZbk6BzWyTQN4kkdYJgzbQ\/H4fL96wAxDKYsoN4xb\/dNiL+rBxozbwW3E3YDpgsLBHEYXx\/9T+ZZByNcVhoanUoyeZR4La0nznczRNl0BSSAwop3ffF\/3weBpuyebCHd3nQY06YIOyKfw5o\/8+DIvbWrrftOtndpCOAfM8xK0ncs0qGgNDeHWSGhfqOCu4xsd1D6TNFpi+SoFxZbO162qCP1uQZqSIk3sB4T700Vag3Fmr5zAc2+Cy2sdC\/A9S2zr73WQ2tNqbvUTsm7mAOCy6fHXiJfrCMOm070Q3x\/hDA1F\/ri24teJTcz681Tpyzz98or8aBXhC1tirmfRKLeb1za5S0A5FpvCOErLaYZ7JnA2Hcnep7W9VvnkzVZD\/eh5PJxQTtMHNN3t73y3SocpYzsv4jecsMhINyJMQzKIZyFN7BeOFn3Icd72v79IVYW+OEMLTFGr\/z0a3l6KHAUNHg5OrTZy63kxeuj2oqpuTuGGW
5OGR1vga0lB9LeT5DNs1fw4ET+3+xHSDQYEpIQCm73rmKpEzHnGvP6PaZFc3upw\/YvkfAML3GBWjg6BeNxYGhLgBq1U7bw1AAqe3KjEtHWznkCRp0j2b1yA1x473SNIk\/Tl0OU2uF4V2zDlzbygL3UGekyceZ9TOivgWvNEFgm3JDyB1JsgPkE1UA9Mb3RcUv6IS4oUKckZLMvYCqsp6JNk+hSM2SSYrjCpjVhAAYR\/Tw9J3qPbVuQ\/+0boJNNW9SXU3FXb1mu6\/UjowIaOU5yd1Ruw2HgKAG+TcnMQdTBDCV1Fn1s2Gos7GgJFmic+wrwQmUwvry3qcM4QfQn+KkqL+DVzAfZpY3UE5kKkQw09tvvvCnUub+fKLuuHs2xshp8SgWsVHUpe\/eGalaURu9E5+S5ef5NZPTZU4="}
01660{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":109,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":24,"flow_packet_id":2,"flow_last_seen":1626168078673,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":936,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":936,"pkt_l4_len":902,"ts_msec":1626168078673,"pkt":"WNVuaKQA8BiYFWV8CABFAgOaAABAAEAGncbAqAF5NGKjEtC1Absg2axnF4bv+FAYEAByKgAA8hiRnjTuMaDQEL+CLYj0enfAkHVnXO7nV5IzKiak6sLS6qxgDE4htK9g2bjk3R484+O\/m3LR4RiopAnWolcjfbrpfWVb1lMjRimj35IfoR0InDQcTV+lqM1hnbaRsbPul7kk7yp40mdnMbGeSdokyNlVd+Gc2o9y\/kRGCp\/RqZF8PhlnvFvIilO8yiVaTaBmaNQ2c5Ph9+sPKU5aFL1uQpdr\/lZqIfEq2kVgCrdBeDo4qNeeQzKtJNsLVSSXJNaa5EbU9xA4Gcwa59FEb+z5l5k6kMngz8ZNuAlqyaHzifpWW3O+gJvTHlQKGmobQMi8ii1K+B8azR0rME7gHuYp8j9KIa090V1eZVPAqukxBBhYGnGZkUnr+FDlf1ZK\/6jjt\/FM8rQ\/lbeUUBqVgsa+O\/WxUto3U7xUvYDA5nlmX+JiSIl7TX4qI+Ru0aN0Akmto\/YQCR\/ts7jv1DeYAK5L5Yy2Vh6PLRQ4c+Pa\/92Jj4DNdt3iyKVflpKtt14Zke3huw2c2HHz1srDVPgqGpJqA\/eD7864eDOp49Ft0Yeo1yo62XnCO2MSq34SmUewekOqz3llMeY3SFHNG\/SCIEenKOH+ZLswKCtHaL23XWktzPIAvtiPaUe8OQwJHr\/lbrWuPFkD\/U0II2V8NaPz4AVb17oDlmuZOeHOf8JZ5gjU14hPhQ0t944FAWUouPhqgHpug4J7fVHUyJ1W0HeNumJ7723SardKLRg5P7i3J2r6\/9HqflhjXWWoqO31j\/pyOLWOUftD3uTRP8P11Cr3jlNVHTXBld4hude0v33CDpTR\/mf09FhR1Yz1vcA7zHJhk+Hem4vzglb2dTx3BT6MRYPvgUON2zk99ErenQrEGfd6PyJWO5iWwsY0xU8meKY2Jp0LdAk9BxGhy3LU4uTxR4t614VXg7Le3F2XXuKmjbJsQgbVMUYhVkJ6JBcddg15aCLR+YYoWrYgjp+WThS8gLNpJaxaihLqA77pNdcaI187nN+luEpN2fsVBRr1v588oPOg6ugZIMvvQGM\/932ci9FWgh+Egtrp9jWvgwN6C+x\/6Ul9gPKwr35MQ2L88mYUnXuuDGVnTkJ6VTWgAawJ1AxcwiThWo3unPbjvr6pM+jswTV6XOO7V8+41tsMKM1s8WPQI+YtWq8fuv3wgnLtmndqFCNp"}
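Review bot: The new expected `detected` event for flow 22 (the `+00640` line) records `"ntp": {"request_code":0,"version":0}`, but the packet-flow record for packet_id 99 just above it carries a UDP payload whose first byte decodes to 0x23, which is NTP version 4, mode 3. Accepting this line as the baseline makes the regression test assert a version the capture does not contain, so a consumer that filters or alerts on `ntp.version` would get a wrong value with no test failing. Whether the field is only filled for certain request types or is serialised before the dissector sets it cannot be told from this hunk. Before keeping the regenerated result, check the NTP serialisation in nDPId.c, and if 0 is intended, say so in schema/flow_event_schema.json with a description such as `"0 = version not extracted"`.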
@@ -119,8 +119,8 @@
02433{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":112,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":24,"flow_packet_id":3,"flow_last_seen":1626168078674,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":1502,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1502,"pkt_l4_len":1468,"ts_msec":1626168078674,"pkt":"WNVuaKQA8BiYFWV8CABFAgXQAABAAEAGm5DAqAF5NGKjEtC1Absg2a\/ZF4bv+FAQEAAXNQAAFwMDDxEAAAAAAAAAWp5GeZKPSB7w816DdrEEqHX9aC+YviuGDPWPZX1hWzeJO56tAdFAhHB2CxgaqBUmTp67G7NpRBSOlgFCk7Rz2PSU2RjHkzQN9DEZnqJDnpBJTPsDp7SajTr4PwFG5UIWqi9zReh9EtkjrIng35h3QjPy5pgRGIggIUa\/zHocLpnIHnx2NID0uKUJhEdZqWE4pcslJgdX4YfRKdEPTj3+9rZ3sLr++gXqMzrFGQr9EQgG6\/tRgaivaU0aW0ztmvO3\/qkvcrzeXMhBZCC0bJVz2bEiKKLd+7L5\/eHqmfs1xGLoIVjqoCMrClOzLnCDeSqZPqsY8tiTWubYavu9O8jG+ez+5Hkdw5Zqb5fD9oP0Ibcl2RZkNVM95HmLc4YD76gl\/z1R4Pv\/X+\/YqfzUCuKlbPSA2rgZ1AV5JLooIc7Be\/pYYpsCuIChG0LSB3wA5uDyqmIr57tSP8OI\/758hiFPERZ62qSkcVdehrui9bd5qubE0mTze86LYcawTdiQmMEKmQRBM4+o\/tLRLdTTAHx+8vIwh6AzvixYQvN8Ez8hb+phV92bD5q6hI7M8\/JGEZPjzNU+xKD+ISfZsgEkV2kgA1pedlTeMVuH\/BZclBXFLL5qRfhqeOdjAoZ73FOd8rYWzIde9ssd7E5A+tydX+O9p3kJTnLjhtup7pO1JKqLG8qs7kj4hnoO0t81p9EOSvl36UbBJ\/\/ta9Ym0CAwPBXdG+wAoJE7kndX2G2xUen+Ixk8fIsE2mGGvoV1Us4DqJZlvb5kJ5nWps2iI9sPEuDCreKTajgn6cDATXaCOavuKfFgCBU7JO2xOSJglSq7B7a6Rdhau\/3b0GgchjkVWsL6KTcuabDbsB3hgBi88ZjqfwCY2Nb9XY\/bt2EvOKRb8ymRF+9JboUUDmnm0q\/gX\/KH1nOauqAmFBE3aLfeWKAmW\/ItfqIuivKY+YDdWjc0HTcG1YGSfVrjr6aDU6y2TemMpnTIWRCWpvy7K5WBLe5V6MFlmxWmTIqOmq2cAefJgEppNDtGK3uWqgpEtHWR7rX\/TY7ljVAdLTNKRs1CNLO9YQxubR3nk57cLpnXbrfj+v+Lj4KuWOQnGZWe\/F\/8TM6cKx8vWkZgNLvg7fWbclvvuNbfQRKs6H63c6ZScHSu30WlwdJca10PuaOw6kUS8+8NgGoTM6EEL\/iGpUGKZDRPOSrSaO1EzIgUat4tPz1jNP77yXzl++\/KXlg43EyAlQZOnRr\/NFgfM4gzLfr7lDMDA3E0lRT+v95g78gwDuwXQ7BBPnvAls+NQwZbP7V0m0BvQjEB6p0fzqeSFPDpYbzQ0ZX6GjzMOnlKuf61RRwzVqCy8gfKQUs3skC1gvLgCV41uMUPTEfGnxmlKSMMVedbAmX+sTsKmnVgrA25Xxx44Rnz4aF\/zFkDRBzvExZFLH6OXGMRXTSfsHLF31OKw0QjcHdXKZOHlLQlo\/rph7r52bcX5wKB3t7XosUhaCC
O8kIb3nCkluBB+sXwJFoKumEHcqAVe9Z4M3C6DXD1eVQo5daa5wFvH9M6HZwbTveh7JVbvVN9W+ACJJ82iXxyheKmXUZCNDVrtQaESdZ59LGHrlE2HGCg9gGl6VFzZLygZFAEjriuVbNilai2NxLiYx9gUajnBWGV8FEvryyeJFk\/CE6DTkT5\/Kza\/2Cu73O0Rb9icER0MPyduoWRXyUIUkVQogDMSeWnU3q93wChqd9rGdeB4XXoIzzAE+R\/SRKrrCLHUwPWEq20rYRcseqENqusBQFpiEpsgV0CsZ5TY3+f7Z7A3Y\/FdWIGrpWpaXY666wWyBIvkxWFWygO7Vx3zPMA3tnlzCspk3L3LaW0mn2EnnX30PeY5vR3upafUEAXSo6G6QdKCFC0FARyFx\/T+JPasg5u4ToWCOaORH2gHwo="}
02139{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":115,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":25,"flow_packet_id":3,"flow_last_seen":1626168078674,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":1292,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1292,"pkt_l4_len":1258,"ts_msec":1626168078674,"pkt":"WNVuaKQA8BiYFWV8CABFAgT+AABAAEAGnGLAqAF5NGKjEtC0AbvnBmXsyo5yyVAYEACH9AAAFwMDBNEAAAAAAAAA3P9mE\/WxzRlzhJVvrME7arSt4cc4b80\/fLZ45lg2jTLN+h8OznVOp0v0YJHlvGb6zo1R0y0127nCMLhWICtDPy2FtY028GLgaBdr\/YLaP88jpPC2wcimHwfty2x4WKI+LPeYoEPRAYicmmTAxPlFzZuaf1iKs+Yu1pMdI4311+rTrqclcjjttiygU+MPtoh4rbcQQi4hllQZ9bpYWoVqJ+iSt2BigYH05vsyHmu879GAhVkohrBF89b4NLKyNAMo0\/QxqgG1rqZTGisx7FjNs8y8uxtw5iKWrSpnhwqsK8HdkzdODGF90yeLdn3CCNJgdm3aNHt1MWZ4JOUy5GzAb47y2cy051il96yYxnPjPoqHZ+sb8GqydD+Wdtw8hwTtkDW7xa7mACJTwuWOIU79l2oDnl63ylL8+JOFMkvCyqpvRSJQTp84k5efBKX3KzQjur4Xu79lO0LFF2NRDD6HkdNIzdZ6GrjQ6cfeKSx84X\/NzyeoBGfExOO\/4zYWpKYV5emN2qK2WwFz9V6yUT4FYCEpMENn4zKRUt2gX3+QJ3UggRDfQ8Atlul6XoqofW\/JfCf+PszhgtXLpc9QxVs3UVfeC+BCBsI\/evJsy+X2zvUBACJp1Cao7EAa\/un53A8cu1w+QQ\/3\/qpgFcwuebDk+bTd2XwEmQcRY5ntXb11cm+t6EgiuWMc8LtkZLW4g6Qk7C3exETENqr8qaKtA57iz69EbEaWfUTp590Cm1yhdVWnzQVccpyZRGULka\/D5PTiR6o3UCqpNAg8I43q9sRPGdaOzmk6LqC8kGMMj1N8P2DVYvcwJb3HB14BO5Blfb4kQNaSZCX81P5eekubMcrCkaYeLnnSigA4c2KBCJI0\/apWCuj0F93qKZChgzKT77EQe9PNeEwH9qa2yEnfxe42M9M\/dR+ZqezhwWXFtPpr0H\/z1rdkNoyBVAssfrasWrQx8flrDgnBIYD1460XCzVYLXxrhZgLoJb3EnAJ7vXCxsY0pXppBEZDDdim91oHmoHdPCYl0He7JYRSbPjtQSoUoTzcJp7PxKyOdGVLYBgNJz7zY+ZgHgZgGwjl0V0nqegEjC35a9y8SnKE63ljmDCyN8pWus5ViXGLvQ2Q\/1YgRAjjfufkIFVVjlXa01yHVzB76HDZ1tJk9CCm9ap34gzfAiHToNIXmogCeGqn2CdKyBeaiMSGkpYWcPn2x5217jPoRlFNQrlxxA+bM2VQvFdzsWSjAthvEYT8M0NKxSkvF5fH3eNJZYaUGLIiBrgIGbm4pAM\/x0xPOGKmtUmoLltnDzmkCbUcHYiWy3Y7nJHL865N2SK80a9Zp+7VINzLRf\/Ervx7NR7ytI7hPsERS2gR+t5ngZO4VMBVWlnWrW+Q0k4Q1KqCHh7RRwRxv5sH62zb+RmG6I1XbjkIiH\/fDv5F+LoUplAhBWHtQdc4gcY6R330O9wWahGV3oVm2bRxt8RZJJruLD1DYhwwT99J89GgAfYq
HkYbcpYCi6LHqYqrQ6UmOTNERlSpwcXx4Ujj\/ftQuU3MAdSrHpDwvlJG8V3434OyaQQ78dblNHDOqOcIm3UL5vFVeeu11Ar10lwqpNk+NFgn+2DriZe1BIfTkQZAL4Pitnn2QjlLKFQ="}
00587{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":116,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":23,"flow_packet_id":3,"flow_last_seen":1626168078676,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":147,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":147,"pkt_l4_len":113,"ts_msec":1626168078676,"pkt":"8BiYFWV8WNVuaKQACABFAACFmUUAAHgR1vEICAgIwKgBeQA1yx4AcZEiotGBgAABAAEAAAAAAzIzNQIzMwIyMgEyB2luLWFkZHIEYXJwYQAADAABwAwADAABAABT5QAzDGEyLTIyLTMzLTIzNQZkZXBsb3kGc3RhdGljEmFrYW1haXRlY2hub2xvZ2llcwNjb20A"}
-00754{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":116,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":23,"flow_packets_processed":3,"flow_first_seen":1626168078653,"flow_last_seen":1626168078676,"flow_idle_time":180000,"flow_min_l4_payload_len":42,"flow_max_l4_payload_len":105,"flow_tot_l4_payload_len":191,"flow_avg_l4_payload_len":63,"midstream":0,"ts_msec":1626168078676,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"8.8.8.8","src_port":51998,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Tracker\/Ads","category":"Web"},"dns": {"query":"235.33.22.2.in-addr.arpa","num_queries":1,"num_answers":1,"reply_code":0,"query_type":12,"rsp_type":12,"rsp_addr":"0.0.0.0"}}
-00756{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":117,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":23,"flow_packets_processed":4,"flow_first_seen":1626168078653,"flow_last_seen":1626168078677,"flow_idle_time":180000,"flow_min_l4_payload_len":42,"flow_max_l4_payload_len":105,"flow_tot_l4_payload_len":280,"flow_avg_l4_payload_len":70,"midstream":0,"ts_msec":1626168078677,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"8.8.8.8","src_port":51998,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Tracker\/Ads","category":"Web"},"dns": {"query":"26.113.82.140.in-addr.arpa","num_queries":1,"num_answers":1,"reply_code":0,"query_type":12,"rsp_type":12,"rsp_addr":"0.0.0.0"}}
+00752{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":116,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":23,"flow_packets_processed":3,"flow_first_seen":1626168078653,"flow_last_seen":1626168078676,"flow_idle_time":180000,"flow_min_l4_payload_len":42,"flow_max_l4_payload_len":105,"flow_tot_l4_payload_len":191,"flow_avg_l4_payload_len":63,"midstream":0,"ts_msec":1626168078676,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"8.8.8.8","src_port":51998,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Acceptable","category":"Web"},"dns": {"query":"235.33.22.2.in-addr.arpa","num_queries":1,"num_answers":1,"reply_code":0,"query_type":12,"rsp_type":12,"rsp_addr":"0.0.0.0"}}
+00754{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":117,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":23,"flow_packets_processed":4,"flow_first_seen":1626168078653,"flow_last_seen":1626168078677,"flow_idle_time":180000,"flow_min_l4_payload_len":42,"flow_max_l4_payload_len":105,"flow_tot_l4_payload_len":280,"flow_avg_l4_payload_len":70,"midstream":0,"ts_msec":1626168078677,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"8.8.8.8","src_port":51998,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Acceptable","category":"Web"},"dns": {"query":"26.113.82.140.in-addr.arpa","num_queries":1,"num_answers":1,"reply_code":0,"query_type":12,"rsp_type":12,"rsp_addr":"0.0.0.0"}}
00568{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":236,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":26,"flow_packets_processed":1,"flow_first_seen":1626168079158,"flow_last_seen":1626168079158,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1626168079158,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"40.113.10.47","src_port":53914,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00495{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":236,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":26,"flow_packet_id":1,"flow_last_seen":1626168079158,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"ts_msec":1626168079158,"pkt":"WNVuaKQA8BiYFWV8CABFAABAAABAAEAGRffAqAF5KHEKL9KaAbvsuitsAAAAALAC\/\/8ZDgAAAgQFtAEDAwYBAQgKPdH+3gAAAAAEAgAA"}
00568{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":237,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":27,"flow_packets_processed":1,"flow_first_seen":1626168079191,"flow_last_seen":1626168079191,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1626168079191,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"40.113.10.47","src_port":53915,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -131,14 +131,14 @@
00480{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":241,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":27,"flow_packet_id":2,"flow_last_seen":1626168079243,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1626168079243,"pkt":"8BiYFWV8WNVuaKQACABFAAA0S\/NAAG0GzQ8ocQovwKgBeQG70pvEiS5w0d8i8oAS\/\/++MAAAAgQFoAEDAwgBAQQC"}
00462{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":242,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":27,"flow_packet_id":3,"flow_last_seen":1626168079243,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1626168079243,"pkt":"WNVuaKQA8BiYFWV8CABFAAAoAABAAEAGRg\/AqAF5KHEKL9KbAbvR3yLyxIkucVAQEADu7wAA"}
00879{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":243,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":27,"flow_packets_processed":4,"flow_first_seen":1626168079191,"flow_last_seen":1626168079243,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1626168079243,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"40.113.10.47","src_port":53915,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Microsoft","breed":"Safe","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"wdcp.microsoft.com","ja3":"656b9a2f4de6ed4909e157482860ab3d","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-01429{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":246,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":26,"flow_packets_processed":7,"flow_first_seen":1626168079158,"flow_last_seen":1626168079255,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":4378,"flow_avg_l4_payload_len":625,"midstream":0,"ts_msec":1626168079255,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"40.113.10.47","src_port":53914,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"32":"TLS certificate validity longer than 13 months"},"proto":"TLS.Microsoft","breed":"Safe","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"wdcp.microsoft.com","server_names":"wdcp.microsoft.com,spynet2.microsoft.com,wdcpalt.microsoft.com,spynetalt.microsoft.com,*.cp.wd.microsoft.com","ja3":"656b9a2f4de6ed4909e157482860ab3d","ja3s":"17e97216fa7f4ec8c43090c6eed97c25","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Secure Server CA 2011","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=wdcp.microsoft.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"81:41:67:66:7E:A9:1B:AA:61:3D:DE:D1:41:E7:17:13:CE:C4:3B:22"}}
-01429{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":253,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":27,"flow_packets_processed":8,"flow_first_seen":1626168079191,"flow_last_seen":1626168079297,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":4378,"flow_avg_l4_payload_len":547,"midstream":0,"ts_msec":1626168079297,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"40.113.10.47","src_port":53915,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"32":"TLS certificate validity longer than 13 months"},"proto":"TLS.Microsoft","breed":"Safe","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"wdcp.microsoft.com","server_names":"wdcp.microsoft.com,spynet2.microsoft.com,wdcpalt.microsoft.com,spynetalt.microsoft.com,*.cp.wd.microsoft.com","ja3":"656b9a2f4de6ed4909e157482860ab3d","ja3s":"17e97216fa7f4ec8c43090c6eed97c25","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Secure Server CA 2011","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=wdcp.microsoft.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"81:41:67:66:7E:A9:1B:AA:61:3D:DE:D1:41:E7:17:13:CE:C4:3B:22"}}
+01361{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":246,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":26,"flow_packets_processed":7,"flow_first_seen":1626168079158,"flow_last_seen":1626168079255,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":4378,"flow_avg_l4_payload_len":625,"midstream":0,"ts_msec":1626168079255,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"40.113.10.47","src_port":53914,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Microsoft","breed":"Safe","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"wdcp.microsoft.com","server_names":"wdcp.microsoft.com,spynet2.microsoft.com,wdcpalt.microsoft.com,spynetalt.microsoft.com,*.cp.wd.microsoft.com","ja3":"656b9a2f4de6ed4909e157482860ab3d","ja3s":"17e97216fa7f4ec8c43090c6eed97c25","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Secure Server CA 2011","subjectDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=wdcp.microsoft.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"81:41:67:66:7E:A9:1B:AA:61:3D:DE:D1:41:E7:17:13:CE:C4:3B:22"}}
+01361{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":253,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":27,"flow_packets_processed":8,"flow_first_seen":1626168079191,"flow_last_seen":1626168079297,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":4378,"flow_avg_l4_payload_len":547,"midstream":0,"ts_msec":1626168079297,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"40.113.10.47","src_port":53915,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Microsoft","breed":"Safe","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"wdcp.microsoft.com","server_names":"wdcp.microsoft.com,spynet2.microsoft.com,wdcpalt.microsoft.com,spynetalt.microsoft.com,*.cp.wd.microsoft.com","ja3":"656b9a2f4de6ed4909e157482860ab3d","ja3s":"17e97216fa7f4ec8c43090c6eed97c25","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Secure Server CA 2011","subjectDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=wdcp.microsoft.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"81:41:67:66:7E:A9:1B:AA:61:3D:DE:D1:41:E7:17:13:CE:C4:3B:22"}}
00572{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":259,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":28,"flow_packets_processed":1,"flow_first_seen":1626168079361,"flow_last_seen":1626168079361,"flow_idle_time":180000,"flow_min_l4_payload_len":48,"flow_max_l4_payload_len":48,"flow_tot_l4_payload_len":48,"flow_avg_l4_payload_len":48,"midstream":0,"ts_msec":1626168079361,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"17.253.54.251","src_port":50288,"dst_port":123,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00508{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":259,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":28,"flow_packet_id":1,"flow_last_seen":1626168079361,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":90,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":90,"pkt_l4_len":56,"ts_msec":1626168079361,"pkt":"WNVuaKQA8BiYFWV8CABFAABM2zIAAEARlFXAqAF5Ef02+8RwAHsAOAx5IwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}
-00603{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":259,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":28,"flow_packets_processed":1,"flow_first_seen":1626168079361,"flow_last_seen":1626168079361,"flow_idle_time":180000,"flow_min_l4_payload_len":48,"flow_max_l4_payload_len":48,"flow_tot_l4_payload_len":48,"flow_avg_l4_payload_len":48,"midstream":0,"ts_msec":1626168079361,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"17.253.54.251","src_port":50288,"dst_port":123,"l4_proto":"udp","ndpi": {"proto":"NTP.Apple","breed":"Safe","category":"System"}}
+00641{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":259,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":28,"flow_packets_processed":1,"flow_first_seen":1626168079361,"flow_last_seen":1626168079361,"flow_idle_time":180000,"flow_min_l4_payload_len":48,"flow_max_l4_payload_len":48,"flow_tot_l4_payload_len":48,"flow_avg_l4_payload_len":48,"midstream":0,"ts_msec":1626168079361,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"17.253.54.251","src_port":50288,"dst_port":123,"l4_proto":"udp","ndpi": {"proto":"NTP.Apple","breed":"Safe","category":"System"},"ntp": {"request_code":0,"version":0}}
00510{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":260,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":28,"flow_packet_id":2,"flow_last_seen":1626168079391,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":90,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":90,"pkt_l4_len":56,"ts_msec":1626168079391,"pkt":"8BiYFWV8WNVuaKQACABFAABMVlxAADcR4isR\/Tb7wKgBeQB7xHAAOKCnJAED6wAAAAAAAAAMU0hNAOSX2YmMm6TtAAAAAAAAAADkl9mPcazl\/+SX2Y9xr5E6"}
-00755{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":261,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":23,"flow_packets_processed":5,"flow_first_seen":1626168078653,"flow_last_seen":1626168079653,"flow_idle_time":180000,"flow_min_l4_payload_len":42,"flow_max_l4_payload_len":105,"flow_tot_l4_payload_len":323,"flow_avg_l4_payload_len":64,"midstream":0,"ts_msec":1626168079653,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"8.8.8.8","src_port":51998,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Tracker\/Ads","category":"Web"},"dns": {"query":"18.163.98.52.in-addr.arpa","num_queries":1,"num_answers":1,"reply_code":0,"query_type":12,"rsp_type":12,"rsp_addr":"0.0.0.0"}}
-00755{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":262,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":23,"flow_packets_processed":6,"flow_first_seen":1626168078653,"flow_last_seen":1626168079674,"flow_idle_time":180000,"flow_min_l4_payload_len":42,"flow_max_l4_payload_len":129,"flow_tot_l4_payload_len":452,"flow_avg_l4_payload_len":75,"midstream":0,"ts_msec":1626168079674,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"8.8.8.8","src_port":51998,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Tracker\/Ads","category":"Web"},"dns": {"query":"18.163.98.52.in-addr.arpa","num_queries":1,"num_answers":1,"reply_code":3,"query_type":12,"rsp_type":12,"rsp_addr":"0.0.0.0"}}
+00753{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":261,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":23,"flow_packets_processed":5,"flow_first_seen":1626168078653,"flow_last_seen":1626168079653,"flow_idle_time":180000,"flow_min_l4_payload_len":42,"flow_max_l4_payload_len":105,"flow_tot_l4_payload_len":323,"flow_avg_l4_payload_len":64,"midstream":0,"ts_msec":1626168079653,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"8.8.8.8","src_port":51998,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Acceptable","category":"Web"},"dns": {"query":"18.163.98.52.in-addr.arpa","num_queries":1,"num_answers":1,"reply_code":0,"query_type":12,"rsp_type":12,"rsp_addr":"0.0.0.0"}}
+00753{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":262,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":23,"flow_packets_processed":6,"flow_first_seen":1626168078653,"flow_last_seen":1626168079674,"flow_idle_time":180000,"flow_min_l4_payload_len":42,"flow_max_l4_payload_len":129,"flow_tot_l4_payload_len":452,"flow_avg_l4_payload_len":75,"midstream":0,"ts_msec":1626168079674,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"8.8.8.8","src_port":51998,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Acceptable","category":"Web"},"dns": {"query":"18.163.98.52.in-addr.arpa","num_queries":1,"num_answers":1,"reply_code":3,"query_type":12,"rsp_type":12,"rsp_addr":"0.0.0.0"}}
00568{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":263,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":29,"flow_packets_processed":1,"flow_first_seen":1626168079905,"flow_last_seen":1626168079905,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1626168079905,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"40.113.10.47","src_port":53916,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00496{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":263,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":29,"flow_packet_id":1,"flow_last_seen":1626168079905,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"ts_msec":1626168079905,"pkt":"WNVuaKQA8BiYFWV8CABFAABAAABAAEAGRffAqAF5KHEKL9KcAbuMyd8CAAAAALAC\/\/\/ChQAAAgQFtAEDAwYBAQgKPdIBvwAAAAAEAgAA"}
00568{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":264,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":30,"flow_packets_processed":1,"flow_first_seen":1626168079937,"flow_last_seen":1626168079937,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1626168079937,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"40.113.10.47","src_port":53917,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
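Review bot: The regenerated `detection-update` records for flow_ids 26 and 27 no longer contain `"flow_risk": {"32":"TLS certificate validity longer than 13 months"}`, although the capture is named tls_certificate_too_long.pcap, so the golden output now pins the absence of the risk this capture appears to exist to exercise. The same removal shows up in the later hunks for flow_ids 29, 30 and 32. If this follows from the libnDPI submodule bump listed in the diffstat (a changed threshold or risk numbering, for example), the commit message should say so. Otherwise a regression in certificate-validity detection would pass this test unnoticed. The records do not include the certificate's notBefore/notAfter values, so the expectation cannot be checked from the output alone.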
@@ -149,11 +149,11 @@
00480{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":268,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":30,"flow_packet_id":2,"flow_last_seen":1626168079986,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1626168079986,"pkt":"8BiYFWV8WNVuaKQACABFAAA0TOVAAG0GzB0ocQovwKgBeQG70p13uqY86tbCUoAS\/\/\/a2QAAAgQFoAEDAwgBAQQC"}
00462{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":269,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":30,"flow_packet_id":3,"flow_last_seen":1626168079986,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1626168079986,"pkt":"WNVuaKQA8BiYFWV8CABFAAAoAABAAEAGRg\/AqAF5KHEKL9KdAbvq1sJSd7qmPVAQEAALmQAA"}
00879{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":270,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":30,"flow_packets_processed":4,"flow_first_seen":1626168079937,"flow_last_seen":1626168079986,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1626168079986,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"40.113.10.47","src_port":53917,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Microsoft","breed":"Safe","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"wdcp.microsoft.com","ja3":"656b9a2f4de6ed4909e157482860ab3d","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-01429{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":275,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":29,"flow_packets_processed":9,"flow_first_seen":1626168079905,"flow_last_seen":1626168080007,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":4378,"flow_avg_l4_payload_len":486,"midstream":0,"ts_msec":1626168080007,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"40.113.10.47","src_port":53916,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"32":"TLS certificate validity longer than 13 months"},"proto":"TLS.Microsoft","breed":"Safe","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"wdcp.microsoft.com","server_names":"wdcp.microsoft.com,spynet2.microsoft.com,wdcpalt.microsoft.com,spynetalt.microsoft.com,*.cp.wd.microsoft.com","ja3":"656b9a2f4de6ed4909e157482860ab3d","ja3s":"17e97216fa7f4ec8c43090c6eed97c25","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Secure Server CA 2011","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=wdcp.microsoft.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"81:41:67:66:7E:A9:1B:AA:61:3D:DE:D1:41:E7:17:13:CE:C4:3B:22"}}
-01429{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":279,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":30,"flow_packets_processed":7,"flow_first_seen":1626168079937,"flow_last_seen":1626168080036,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":4378,"flow_avg_l4_payload_len":625,"midstream":0,"ts_msec":1626168080036,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"40.113.10.47","src_port":53917,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"32":"TLS certificate validity longer than 13 months"},"proto":"TLS.Microsoft","breed":"Safe","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"wdcp.microsoft.com","server_names":"wdcp.microsoft.com,spynet2.microsoft.com,wdcpalt.microsoft.com,spynetalt.microsoft.com,*.cp.wd.microsoft.com","ja3":"656b9a2f4de6ed4909e157482860ab3d","ja3s":"17e97216fa7f4ec8c43090c6eed97c25","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Secure Server CA 2011","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=wdcp.microsoft.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"81:41:67:66:7E:A9:1B:AA:61:3D:DE:D1:41:E7:17:13:CE:C4:3B:22"}}
+01361{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":275,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":29,"flow_packets_processed":9,"flow_first_seen":1626168079905,"flow_last_seen":1626168080007,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":4378,"flow_avg_l4_payload_len":486,"midstream":0,"ts_msec":1626168080007,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"40.113.10.47","src_port":53916,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Microsoft","breed":"Safe","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"wdcp.microsoft.com","server_names":"wdcp.microsoft.com,spynet2.microsoft.com,wdcpalt.microsoft.com,spynetalt.microsoft.com,*.cp.wd.microsoft.com","ja3":"656b9a2f4de6ed4909e157482860ab3d","ja3s":"17e97216fa7f4ec8c43090c6eed97c25","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Secure Server CA 2011","subjectDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=wdcp.microsoft.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"81:41:67:66:7E:A9:1B:AA:61:3D:DE:D1:41:E7:17:13:CE:C4:3B:22"}}
+01361{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":279,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":30,"flow_packets_processed":7,"flow_first_seen":1626168079937,"flow_last_seen":1626168080036,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":4378,"flow_avg_l4_payload_len":625,"midstream":0,"ts_msec":1626168080036,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"40.113.10.47","src_port":53917,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Microsoft","breed":"Safe","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"wdcp.microsoft.com","server_names":"wdcp.microsoft.com,spynet2.microsoft.com,wdcpalt.microsoft.com,spynetalt.microsoft.com,*.cp.wd.microsoft.com","ja3":"656b9a2f4de6ed4909e157482860ab3d","ja3s":"17e97216fa7f4ec8c43090c6eed97c25","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Secure Server CA 2011","subjectDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=wdcp.microsoft.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"81:41:67:66:7E:A9:1B:AA:61:3D:DE:D1:41:E7:17:13:CE:C4:3B:22"}}
00572{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":284,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":31,"flow_packets_processed":1,"flow_first_seen":1626168080092,"flow_last_seen":1626168080092,"flow_idle_time":180000,"flow_min_l4_payload_len":48,"flow_max_l4_payload_len":48,"flow_tot_l4_payload_len":48,"flow_avg_l4_payload_len":48,"midstream":0,"ts_msec":1626168080092,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"17.253.54.251","src_port":65099,"dst_port":123,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00509{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":284,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":31,"flow_packet_id":1,"flow_last_seen":1626168080092,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":90,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":90,"pkt_l4_len":56,"ts_msec":1626168080092,"pkt":"WNVuaKQA8BiYFWV8CABFAABMx3MAAEARqBTAqAF5Ef02+\/5LAHsAONKdIwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}
-00603{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":284,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":31,"flow_packets_processed":1,"flow_first_seen":1626168080092,"flow_last_seen":1626168080092,"flow_idle_time":180000,"flow_min_l4_payload_len":48,"flow_max_l4_payload_len":48,"flow_tot_l4_payload_len":48,"flow_avg_l4_payload_len":48,"midstream":0,"ts_msec":1626168080092,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"17.253.54.251","src_port":65099,"dst_port":123,"l4_proto":"udp","ndpi": {"proto":"NTP.Apple","breed":"Safe","category":"System"}}
+00641{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":284,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":31,"flow_packets_processed":1,"flow_first_seen":1626168080092,"flow_last_seen":1626168080092,"flow_idle_time":180000,"flow_min_l4_payload_len":48,"flow_max_l4_payload_len":48,"flow_tot_l4_payload_len":48,"flow_avg_l4_payload_len":48,"midstream":0,"ts_msec":1626168080092,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"17.253.54.251","src_port":65099,"dst_port":123,"l4_proto":"udp","ndpi": {"proto":"NTP.Apple","breed":"Safe","category":"System"},"ntp": {"request_code":0,"version":0}}
00510{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":287,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":31,"flow_packet_id":2,"flow_last_seen":1626168080122,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":90,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":90,"pkt_l4_len":56,"ts_msec":1626168080122,"pkt":"8BiYFWV8WNVuaKQACABFAABMV31AADcR4QoR\/Tb7wKgBeQB7\/ksAOLQqJAED6wAAAAAAAAANU0hNAOSX2YmMm6TtAAAAAAAAAADkl9mQLKsA6OSX2ZAsrLL1"}
00568{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":288,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":32,"flow_packets_processed":1,"flow_first_seen":1626168080539,"flow_last_seen":1626168080539,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1626168080539,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"40.113.10.47","src_port":53918,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00496{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":288,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":32,"flow_packet_id":1,"flow_last_seen":1626168080539,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"ts_msec":1626168080539,"pkt":"WNVuaKQA8BiYFWV8CABFAABAAABAAEAGRffAqAF5KHEKL9KeAbvRcN5sAAAAALAC\/\/97\/QAAAgQFtAEDAwYBAQgKPdIENAAAAAAEAgAA"}
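Review bot: The newly emitted `"ntp": {"request_code":0,"version":0}` object on the flow_id 31 `detected` record (and on flow_id 28 in the previous hunk) disagrees with the packet recorded just above it: the first UDP payload byte in the base64 `pkt` field decodes to 0x23, which is NTP version 4, mode 3. A version of 0 suggests the field is serialized before it is populated, or read from the wrong place, though the code that writes it is outside this hunk. Pinning `"version":0` in the expected output would make that behaviour the tested contract, so the serializer is worth checking before these results are accepted.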
@@ -165,11 +165,11 @@
00480{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":293,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":33,"flow_packet_id":2,"flow_last_seen":1626168080617,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1626168080617,"pkt":"8BiYFWV8WNVuaKQACABFAAA0hXNAAG0Gk48ocQovwKgBeQG70p8W6XtBWEUaioAS\/\/+g\/gAAAgQFoAEDAwgBAQQC"}
00462{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":294,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":33,"flow_packet_id":3,"flow_last_seen":1626168080617,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1626168080617,"pkt":"WNVuaKQA8BiYFWV8CABFAAAoAABAAEAGRg\/AqAF5KHEKL9KfAbtYRRqKFul7QlAQEADRvQAA"}
00879{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":295,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":33,"flow_packets_processed":4,"flow_first_seen":1626168080569,"flow_last_seen":1626168080617,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1626168080617,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"40.113.10.47","src_port":53919,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Microsoft","breed":"Safe","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"wdcp.microsoft.com","ja3":"656b9a2f4de6ed4909e157482860ab3d","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-01429{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":298,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":32,"flow_packets_processed":7,"flow_first_seen":1626168080539,"flow_last_seen":1626168080639,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":4378,"flow_avg_l4_payload_len":625,"midstream":0,"ts_msec":1626168080639,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"40.113.10.47","src_port":53918,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"32":"TLS certificate validity longer than 13 months"},"proto":"TLS.Microsoft","breed":"Safe","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"wdcp.microsoft.com","server_names":"wdcp.microsoft.com,spynet2.microsoft.com,wdcpalt.microsoft.com,spynetalt.microsoft.com,*.cp.wd.microsoft.com","ja3":"656b9a2f4de6ed4909e157482860ab3d","ja3s":"17e97216fa7f4ec8c43090c6eed97c25","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Secure Server CA 2011","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=wdcp.microsoft.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"81:41:67:66:7E:A9:1B:AA:61:3D:DE:D1:41:E7:17:13:CE:C4:3B:22"}}
-01429{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":304,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":33,"flow_packets_processed":7,"flow_first_seen":1626168080569,"flow_last_seen":1626168080666,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":4378,"flow_avg_l4_payload_len":625,"midstream":0,"ts_msec":1626168080666,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"40.113.10.47","src_port":53919,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"32":"TLS certificate validity longer than 13 months"},"proto":"TLS.Microsoft","breed":"Safe","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"wdcp.microsoft.com","server_names":"wdcp.microsoft.com,spynet2.microsoft.com,wdcpalt.microsoft.com,spynetalt.microsoft.com,*.cp.wd.microsoft.com","ja3":"656b9a2f4de6ed4909e157482860ab3d","ja3s":"17e97216fa7f4ec8c43090c6eed97c25","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Secure Server CA 2011","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=wdcp.microsoft.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"81:41:67:66:7E:A9:1B:AA:61:3D:DE:D1:41:E7:17:13:CE:C4:3B:22"}}
+01361{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":298,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":32,"flow_packets_processed":7,"flow_first_seen":1626168080539,"flow_last_seen":1626168080639,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":4378,"flow_avg_l4_payload_len":625,"midstream":0,"ts_msec":1626168080639,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"40.113.10.47","src_port":53918,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Microsoft","breed":"Safe","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"wdcp.microsoft.com","server_names":"wdcp.microsoft.com,spynet2.microsoft.com,wdcpalt.microsoft.com,spynetalt.microsoft.com,*.cp.wd.microsoft.com","ja3":"656b9a2f4de6ed4909e157482860ab3d","ja3s":"17e97216fa7f4ec8c43090c6eed97c25","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Secure Server CA 2011","subjectDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=wdcp.microsoft.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"81:41:67:66:7E:A9:1B:AA:61:3D:DE:D1:41:E7:17:13:CE:C4:3B:22"}}
+01361{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":304,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":33,"flow_packets_processed":7,"flow_first_seen":1626168080569,"flow_last_seen":1626168080666,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":4378,"flow_avg_l4_payload_len":625,"midstream":0,"ts_msec":1626168080666,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"40.113.10.47","src_port":53919,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Microsoft","breed":"Safe","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"wdcp.microsoft.com","server_names":"wdcp.microsoft.com,spynet2.microsoft.com,wdcpalt.microsoft.com,spynetalt.microsoft.com,*.cp.wd.microsoft.com","ja3":"656b9a2f4de6ed4909e157482860ab3d","ja3s":"17e97216fa7f4ec8c43090c6eed97c25","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Secure Server CA 2011","subjectDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=wdcp.microsoft.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"81:41:67:66:7E:A9:1B:AA:61:3D:DE:D1:41:E7:17:13:CE:C4:3B:22"}}
00572{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":310,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":34,"flow_packets_processed":1,"flow_first_seen":1626168080732,"flow_last_seen":1626168080732,"flow_idle_time":180000,"flow_min_l4_payload_len":48,"flow_max_l4_payload_len":48,"flow_tot_l4_payload_len":48,"flow_avg_l4_payload_len":48,"midstream":0,"ts_msec":1626168080732,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"17.253.54.251","src_port":56865,"dst_port":123,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00508{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":310,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":34,"flow_packet_id":1,"flow_last_seen":1626168080732,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":90,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":90,"pkt_l4_len":56,"ts_msec":1626168080732,"pkt":"WNVuaKQA8BiYFWV8CABFAABMaD0AAEARB0vAqAF5Ef02+94hAHsAOPLHIwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}
-00603{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":310,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":34,"flow_packets_processed":1,"flow_first_seen":1626168080732,"flow_last_seen":1626168080732,"flow_idle_time":180000,"flow_min_l4_payload_len":48,"flow_max_l4_payload_len":48,"flow_tot_l4_payload_len":48,"flow_avg_l4_payload_len":48,"midstream":0,"ts_msec":1626168080732,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"17.253.54.251","src_port":56865,"dst_port":123,"l4_proto":"udp","ndpi": {"proto":"NTP.Apple","breed":"Safe","category":"System"}}
+00641{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":310,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":34,"flow_packets_processed":1,"flow_first_seen":1626168080732,"flow_last_seen":1626168080732,"flow_idle_time":180000,"flow_min_l4_payload_len":48,"flow_max_l4_payload_len":48,"flow_tot_l4_payload_len":48,"flow_avg_l4_payload_len":48,"midstream":0,"ts_msec":1626168080732,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"17.253.54.251","src_port":56865,"dst_port":123,"l4_proto":"udp","ndpi": {"proto":"NTP.Apple","breed":"Safe","category":"System"},"ntp": {"request_code":0,"version":0}}
00509{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":311,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":34,"flow_packet_id":2,"flow_last_seen":1626168080762,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":90,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":90,"pkt_l4_len":56,"ts_msec":1626168080762,"pkt":"8BiYFWV8WNVuaKQACABFAABMWKVAADcR3+IR\/Tb7wKgBeQB73iEAOEmOJAED6wAAAAAAAAAOU0hNAOSX2YmMm6TtAAAAAAAAAADkl9mQ0KMdvOSX2ZDQo9j2"}
00574{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":312,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":35,"flow_packets_processed":1,"flow_first_seen":1626168081935,"flow_last_seen":1626168081935,"flow_idle_time":7440000,"flow_min_l4_payload_len":31,"flow_max_l4_payload_len":31,"flow_tot_l4_payload_len":31,"flow_avg_l4_payload_len":31,"midstream":1,"ts_msec":1626168081935,"l3_proto":"ip4","src_ip":"130.211.33.145","dst_ip":"192.168.1.121","src_port":443,"dst_port":53432,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00522{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":312,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":35,"flow_packet_id":1,"flow_last_seen":1626168081935,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":97,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":97,"pkt_l4_len":63,"ts_msec":1626168081935,"pkt":"8BiYFWV8WNVuaKQACABFAgBT\/jUAADoGG+iC0yGRwKgBeQG70LhXNR5OnF8A9oAYAQrx0QAAAQEICrTFhOw90eMiFwMDABoAAAAAAAAALjbyzjKtkrWGo0S+7wFfhufrwQ=="}
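Review bot: The regenerated `detection-update` events for flows 32 and 33 no longer carry `"flow_risk": {"32":"TLS certificate validity longer than 13 months"}`, even though this capture is named for exactly that condition. Replacing the duplicated `issuerDN` key with `subjectDN` on the same lines is a correct fix, but the risk entry vanishing alongside it looks like a detection regression rather than an intended result, possibly a side effect of the libnDPI submodule bump in this commit. Before accepting the new baseline, confirm that risk 32 is still emitted for these flows in a part of the file outside this hunk. If it is not, the expectation should keep the `flow_risk` object inside `ndpi` and the emitter should be fixed, so consumers alerting on long-lived certificates do not silently lose the signal.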
@@ -196,7 +196,7 @@
00579{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":315,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":25,"flow_packets_processed":72,"flow_first_seen":1626168078673,"flow_last_seen":1626168079052,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":29308,"flow_avg_l4_payload_len":407,"midstream":1,"ts_msec":1626168081946,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"52.98.163.18","src_port":53428,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00628{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":315,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":24,"flow_packets_processed":54,"flow_first_seen":1626168078673,"flow_last_seen":1626168078826,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":17628,"flow_avg_l4_payload_len":326,"midstream":1,"ts_msec":1626168081946,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"52.98.163.18","src_port":53429,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Microsoft365","breed":"Acceptable","category":"Collaborative"}}
00579{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":315,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":24,"flow_packets_processed":54,"flow_first_seen":1626168078673,"flow_last_seen":1626168078826,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":17628,"flow_avg_l4_payload_len":326,"midstream":1,"ts_msec":1626168081946,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"52.98.163.18","src_port":53429,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
-00588{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":315,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":2,"flow_first_seen":1626168074745,"flow_last_seen":1626168074928,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1626168081946,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"52.149.21.60","src_port":52746,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"}}
+00602{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":315,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":2,"flow_first_seen":1626168074745,"flow_last_seen":1626168074928,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1626168081946,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"52.149.21.60","src_port":52746,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Azure","breed":"Acceptable","category":"Cloud"}}
00568{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":315,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":2,"flow_first_seen":1626168074745,"flow_last_seen":1626168074928,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1626168081946,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"52.149.21.60","src_port":52746,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00567{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":315,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":17,"flow_packets_processed":2,"flow_first_seen":1626168077604,"flow_last_seen":1626168077633,"flow_idle_time":180000,"flow_min_l4_payload_len":44,"flow_max_l4_payload_len":60,"flow_tot_l4_payload_len":104,"flow_avg_l4_payload_len":52,"midstream":0,"ts_msec":1626168081946,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"8.8.8.8","src_port":54561,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00577{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":315,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":12,"flow_packets_processed":11,"flow_first_seen":1626168077469,"flow_last_seen":1626168077750,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":4378,"flow_avg_l4_payload_len":398,"midstream":0,"ts_msec":1626168081946,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"40.113.10.47","src_port":53910,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -208,7 +208,7 @@
00577{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":315,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":32,"flow_packets_processed":11,"flow_first_seen":1626168080539,"flow_last_seen":1626168080694,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":4378,"flow_avg_l4_payload_len":398,"midstream":0,"ts_msec":1626168081946,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"40.113.10.47","src_port":53918,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00577{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":315,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":33,"flow_packets_processed":11,"flow_first_seen":1626168080569,"flow_last_seen":1626168080730,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":4378,"flow_avg_l4_payload_len":398,"midstream":0,"ts_msec":1626168081946,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"40.113.10.47","src_port":53919,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00573{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":315,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":22,"flow_packets_processed":2,"flow_first_seen":1626168077750,"flow_last_seen":1626168077780,"flow_idle_time":180000,"flow_min_l4_payload_len":48,"flow_max_l4_payload_len":48,"flow_tot_l4_payload_len":96,"flow_avg_l4_payload_len":48,"midstream":0,"ts_msec":1626168081946,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"17.253.54.251","src_port":49216,"dst_port":123,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
-00609{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":315,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":35,"flow_packets_processed":4,"flow_first_seen":1626168081935,"flow_last_seen":1626168081946,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":35,"flow_tot_l4_payload_len":66,"flow_avg_l4_payload_len":16,"midstream":1,"ts_msec":1626168081946,"l3_proto":"ip4","src_ip":"130.211.33.145","dst_ip":"192.168.1.121","src_port":443,"dst_port":53432,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"}}
+00607{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":315,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":35,"flow_packets_processed":4,"flow_first_seen":1626168081935,"flow_last_seen":1626168081946,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":35,"flow_tot_l4_payload_len":66,"flow_avg_l4_payload_len":16,"midstream":1,"ts_msec":1626168081946,"l3_proto":"ip4","src_ip":"130.211.33.145","dst_ip":"192.168.1.121","src_port":443,"dst_port":53432,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Web"}}
00574{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":315,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":35,"flow_packets_processed":4,"flow_first_seen":1626168081935,"flow_last_seen":1626168081946,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":35,"flow_tot_l4_payload_len":66,"flow_avg_l4_payload_len":16,"midstream":1,"ts_msec":1626168081946,"l3_proto":"ip4","src_ip":"130.211.33.145","dst_ip":"192.168.1.121","src_port":443,"dst_port":53432,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00581{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":315,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":2,"flow_first_seen":1626168075993,"flow_last_seen":1626168077017,"flow_idle_time":180000,"flow_min_l4_payload_len":88,"flow_max_l4_payload_len":108,"flow_tot_l4_payload_len":196,"flow_avg_l4_payload_len":98,"midstream":0,"ts_msec":1626168081946,"l3_proto":"ip6","src_ip":"fe80::1059:a858:f9e7:cf94","dst_ip":"ff02::fb","src_port":5353,"dst_port":5353,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00592{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":315,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":20,"flow_packets_processed":4,"flow_first_seen":1626168077734,"flow_last_seen":1626168077848,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":31,"flow_tot_l4_payload_len":31,"flow_avg_l4_payload_len":7,"midstream":1,"ts_msec":1626168081946,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"140.82.113.26","src_port":53905,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"}}
@@ -225,9 +225,9 @@
~~ total active/idle flows...: 35/35
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 2104087 bytes
-~~ total memory freed........: 2104087 bytes
-~~ total allocations/frees...: 35870/35870
+~~ total memory allocated....: 4751986 bytes
+~~ total memory freed........: 4751986 bytes
+~~ total allocations/frees...: 100066/100066
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 180 chars
~~ json string max len.......: 2438 chars
diff --git a/test/results/tls_cipher_lens.pcap.out b/test/results/tls_cipher_lens.pcap.out
new file mode 100644
index 000000000..7183764da
--- /dev/null
+++ b/test/results/tls_cipher_lens.pcap.out
@@ -0,0 +1,37 @@
+00449{"daemon_event_id":1,"daemon_event_name":"init","thread_id":0,"packet_id":0,"source":"tls_cipher_lens.pcap","alias":"nDPId-test","max-flows-per-thread":2048,"max-idle-flows-per-thread":256,"tick-resolution":1000,"reader-thread-count":1,"flow-scan-interval":10000,"generic-max-idle-time":600000,"icmp-max-idle-time":120000,"udp-max-idle-time":180000,"tcp-max-idle-time":7560000,"max-packets-per-flow-to-send":3,"max-packets-per-flow-to-process":255}
+00566{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1,"source":"tls_cipher_lens.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1391444859282,"flow_last_seen":1391444859282,"flow_idle_time":7440000,"flow_min_l4_payload_len":179,"flow_max_l4_payload_len":179,"flow_tot_l4_payload_len":179,"flow_avg_l4_payload_len":179,"midstream":1,"ts_msec":1391444859282,"l3_proto":"ip4","src_ip":"192.168.11.11","dst_ip":"173.194.35.191","src_port":51587,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
+00696{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"tls_cipher_lens.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_last_seen":1391444859282,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":233,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":233,"pkt_l4_len":199,"ts_msec":1391444859282,"pkt":"AAxBruSU1L7ZA8KHCABFAADbL\/VAAIAGLPPAqAsLrcIjv8mDAbt4uQ2cyozKYVAYQTfWXgAAFgMBAK4BAACqAwFS78N7ztpSIkL8KKK08T09+y4UedH3BkkDySiPn3PRIwAASAD\/wArAFACIAIcAOQA4wA\/ABQCEADXACcAHwBPAEQBFAEQAMwAywA7ADMAEwAIAlgBBAC8ABQAEwAjAEgAWABPADcAD\/v8ACgEAADkAAAASABAAAA13d3cuZ29vZ2xlLml0AAoACAAGABcAGAAZAAsAAgEAACMAADN0AAAABQAFAQAAAAA="}
+00838{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"tls_cipher_lens.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1391444859282,"flow_last_seen":1391444859282,"flow_idle_time":7440000,"flow_min_l4_payload_len":179,"flow_max_l4_payload_len":179,"flow_tot_l4_payload_len":179,"flow_avg_l4_payload_len":179,"midstream":1,"ts_msec":1391444859282,"l3_proto":"ip4","src_ip":"192.168.11.11","dst_ip":"173.194.35.191","src_port":51587,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Google","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"www.google.it","ja3":"755cdaa3496eb8728247a639dee17aad","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
+00566{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2,"source":"tls_cipher_lens.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":1,"flow_first_seen":1391444859282,"flow_last_seen":1391444859282,"flow_idle_time":7440000,"flow_min_l4_payload_len":179,"flow_max_l4_payload_len":179,"flow_tot_l4_payload_len":179,"flow_avg_l4_payload_len":179,"midstream":1,"ts_msec":1391444859282,"l3_proto":"ip4","src_ip":"192.168.11.11","dst_ip":"173.194.35.191","src_port":51590,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
+00696{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"tls_cipher_lens.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_last_seen":1391444859282,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":233,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":233,"pkt_l4_len":199,"ts_msec":1391444859282,"pkt":"AAxBruSU1L7ZA8KHCABFAADbL\/VAAIAGLPPAqAsLrcIjv8mGAbt4uQ2cyozKYVAYQTfWXgAAFgMBAK4BAACqAwFS78N7ztpSIkL8KKK08T09+y4UedH3BkkDySiPn3PRIwAAhgD\/wArAFACIAIcAOQA4wA\/ABQCEADXACcAHwBPAEQBFAEQAMwAywA7ADMAEwAIAlgBBAC8ABQAEwAjAEgAWABPADcAD\/v8ACgEAADkAAAASABAAAA13d3cuZ29vZ2xlLml0AAoACAAGABcAGAAZAAsAAgEAACMAADN0AAAABQAFAQAAAAA="}
+00793{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":2,"source":"tls_cipher_lens.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":1,"flow_first_seen":1391444859282,"flow_last_seen":1391444859282,"flow_idle_time":7440000,"flow_min_l4_payload_len":179,"flow_max_l4_payload_len":179,"flow_tot_l4_payload_len":179,"flow_avg_l4_payload_len":179,"midstream":1,"ts_msec":1391444859282,"l3_proto":"ip4","src_ip":"192.168.11.11","dst_ip":"173.194.35.191","src_port":51590,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Google","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
+00566{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":3,"source":"tls_cipher_lens.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":1,"flow_first_seen":1391444859282,"flow_last_seen":1391444859282,"flow_idle_time":7440000,"flow_min_l4_payload_len":179,"flow_max_l4_payload_len":179,"flow_tot_l4_payload_len":179,"flow_avg_l4_payload_len":179,"midstream":1,"ts_msec":1391444859282,"l3_proto":"ip4","src_ip":"192.168.11.11","dst_ip":"173.194.35.191","src_port":51589,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
+00696{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"tls_cipher_lens.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_last_seen":1391444859282,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":233,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":233,"pkt_l4_len":199,"ts_msec":1391444859282,"pkt":"AAxBruSU1L7ZA8KHCABFAADbL\/VAAIAGLPPAqAsLrcIjv8mFAbt4uQ2cyozKYVAYQTfWXgAAFgMBAK4BAACqAwFS78N7ztpSIkL8KKK08T09+y4UedH3BkkDySiPn3PRIwAAhQD\/wArAFACIAIcAOQA4wA\/ABQCEADXACcAHwBPAEQBFAEQAMwAywA7ADMAEwAIAlgBBAC8ABQAEwAjAEgAWABPADcAD\/v8ACgEAADkAAAASABAAAA13d3cuZ29vZ2xlLml0AAoACAAGABcAGAAZAAsAAgEAACMAADN0AAAABQAFAQAAAAA="}
+00793{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":3,"source":"tls_cipher_lens.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":1,"flow_first_seen":1391444859282,"flow_last_seen":1391444859282,"flow_idle_time":7440000,"flow_min_l4_payload_len":179,"flow_max_l4_payload_len":179,"flow_tot_l4_payload_len":179,"flow_avg_l4_payload_len":179,"midstream":1,"ts_msec":1391444859282,"l3_proto":"ip4","src_ip":"192.168.11.11","dst_ip":"173.194.35.191","src_port":51589,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Google","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
+00566{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":4,"source":"tls_cipher_lens.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":1,"flow_first_seen":1391444859282,"flow_last_seen":1391444859282,"flow_idle_time":7440000,"flow_min_l4_payload_len":179,"flow_max_l4_payload_len":179,"flow_tot_l4_payload_len":179,"flow_avg_l4_payload_len":179,"midstream":1,"ts_msec":1391444859282,"l3_proto":"ip4","src_ip":"192.168.11.11","dst_ip":"173.194.35.191","src_port":51588,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
+00696{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4,"source":"tls_cipher_lens.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":1,"flow_last_seen":1391444859282,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":233,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":233,"pkt_l4_len":199,"ts_msec":1391444859282,"pkt":"AAxBruSU1L7ZA8KHCABFAADbL\/VAAIAGLPPAqAsLrcIjv8mEAbt4uQ2cyozKYVAYQTfWXgAAFgMBAK4BAACqAwFS78N7ztpSIkL8KKK08T09+y4UedH3BkkDySiPn3PRIwAAhAD\/wArAFACIAIcAOQA4wA\/ABQCEADXACcAHwBPAEQBFAEQAMwAywA7ADMAEwAIAlgBBAC8ABQAEwAjAEgAWABPADcAD\/v8ACgEAADkAAAASABAAAA13d3cuZ29vZ2xlLml0AAoACAAGABcAGAAZAAsAAgEAACMAADN0AAAABQAFAQAAAAA="}
+00825{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"tls_cipher_lens.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":1,"flow_first_seen":1391444859282,"flow_last_seen":1391444859282,"flow_idle_time":7440000,"flow_min_l4_payload_len":179,"flow_max_l4_payload_len":179,"flow_tot_l4_payload_len":179,"flow_avg_l4_payload_len":179,"midstream":1,"ts_msec":1391444859282,"l3_proto":"ip4","src_ip":"192.168.11.11","dst_ip":"173.194.35.191","src_port":51588,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Google","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"8eae3e18d36ce24c4ac6b9eeb84ac762","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
+00566{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":5,"source":"tls_cipher_lens.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":1,"flow_first_seen":1391444859282,"flow_last_seen":1391444859282,"flow_idle_time":7440000,"flow_min_l4_payload_len":179,"flow_max_l4_payload_len":179,"flow_tot_l4_payload_len":179,"flow_avg_l4_payload_len":179,"midstream":1,"ts_msec":1391444859282,"l3_proto":"ip4","src_ip":"192.168.11.11","dst_ip":"173.194.35.191","src_port":51591,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
+00696{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":5,"source":"tls_cipher_lens.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_last_seen":1391444859282,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":233,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":233,"pkt_l4_len":199,"ts_msec":1391444859282,"pkt":"AAxBruSU1L7ZA8KHCABFAADbL\/VAAIAGLPPAqAsLrcIjv8mHAbt4uQ2cyozKYVAYQTfWXgAAFgMBAK4BAACqAwFS78N7ztpSIkL8KKK08T09+y4UedH3BkkDySiPn3PRIwAAAAD\/wArAFACIAIcAOQA4wA\/ABQCEADXACcAHwBPAEQBFAEQAMwAywA7ADMAEwAIAlgBBAC8ABQAEwAjAEgAWABPADcAD\/v8ACgEAADkAAAASABAAAA13d3cuZ29vZ2xlLml0AAoACAAGABcAGAAZAAsAAgEAACMAADN0AAAABQAFAQAAAAA="}
+00793{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":5,"source":"tls_cipher_lens.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":1,"flow_first_seen":1391444859282,"flow_last_seen":1391444859282,"flow_idle_time":7440000,"flow_min_l4_payload_len":179,"flow_max_l4_payload_len":179,"flow_tot_l4_payload_len":179,"flow_avg_l4_payload_len":179,"midstream":1,"ts_msec":1391444859282,"l3_proto":"ip4","src_ip":"192.168.11.11","dst_ip":"173.194.35.191","src_port":51591,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Google","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
+00567{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":5,"source":"tls_cipher_lens.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1391444859282,"flow_last_seen":1391444859282,"flow_idle_time":7440000,"flow_min_l4_payload_len":179,"flow_max_l4_payload_len":179,"flow_tot_l4_payload_len":179,"flow_avg_l4_payload_len":179,"midstream":1,"ts_msec":1391444859282,"l3_proto":"ip4","src_ip":"192.168.11.11","dst_ip":"173.194.35.191","src_port":51587,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
+00567{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":5,"source":"tls_cipher_lens.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":1,"flow_first_seen":1391444859282,"flow_last_seen":1391444859282,"flow_idle_time":7440000,"flow_min_l4_payload_len":179,"flow_max_l4_payload_len":179,"flow_tot_l4_payload_len":179,"flow_avg_l4_payload_len":179,"midstream":1,"ts_msec":1391444859282,"l3_proto":"ip4","src_ip":"192.168.11.11","dst_ip":"173.194.35.191","src_port":51588,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
+00567{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":5,"source":"tls_cipher_lens.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":1,"flow_first_seen":1391444859282,"flow_last_seen":1391444859282,"flow_idle_time":7440000,"flow_min_l4_payload_len":179,"flow_max_l4_payload_len":179,"flow_tot_l4_payload_len":179,"flow_avg_l4_payload_len":179,"midstream":1,"ts_msec":1391444859282,"l3_proto":"ip4","src_ip":"192.168.11.11","dst_ip":"173.194.35.191","src_port":51589,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
+00567{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":5,"source":"tls_cipher_lens.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":1,"flow_first_seen":1391444859282,"flow_last_seen":1391444859282,"flow_idle_time":7440000,"flow_min_l4_payload_len":179,"flow_max_l4_payload_len":179,"flow_tot_l4_payload_len":179,"flow_avg_l4_payload_len":179,"midstream":1,"ts_msec":1391444859282,"l3_proto":"ip4","src_ip":"192.168.11.11","dst_ip":"173.194.35.191","src_port":51590,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
+00567{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":5,"source":"tls_cipher_lens.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":1,"flow_first_seen":1391444859282,"flow_last_seen":1391444859282,"flow_idle_time":7440000,"flow_min_l4_payload_len":179,"flow_max_l4_payload_len":179,"flow_tot_l4_payload_len":179,"flow_avg_l4_payload_len":179,"midstream":1,"ts_msec":1391444859282,"l3_proto":"ip4","src_ip":"192.168.11.11","dst_ip":"173.194.35.191","src_port":51591,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
+00163{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":5,"source":"tls_cipher_lens.pcap","alias":"nDPId-test","total-events-serialized":22}
+~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
+~~ packets captured/processed: 5/5
+~~ skipped flows.............: 0
+~~ total layer4 data length..: 895 bytes
+~~ total detected protocols..: 5
+~~ total active/idle flows...: 5/5
+~~ total timeout flows.......: 0
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~ total memory allocated....: 4605592 bytes
+~~ total memory freed........: 4605592 bytes
+~~ total allocations/frees...: 99556/99556
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~ json string min len.......: 168 chars
+~~ json string max len.......: 843 chars
+~~ json string avg len.......: 576 chars
diff --git a/test/results/tls_esni_sni_both.pcap.out b/test/results/tls_esni_sni_both.pcap.out
index d3e72a574..457435dcc 100644
--- a/test/results/tls_esni_sni_both.pcap.out
+++ b/test/results/tls_esni_sni_both.pcap.out
@@ -22,9 +22,9 @@
~~ total active/idle flows...: 2/2
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1949342 bytes
-~~ total memory freed........: 1949342 bytes
-~~ total allocations/frees...: 35389/35389
+~~ total memory allocated....: 4611233 bytes
+~~ total memory freed........: 4611233 bytes
+~~ total allocations/frees...: 99585/99585
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 171 chars
~~ json string max len.......: 998 chars
diff --git a/test/results/tls_invalid_reads.pcap.out b/test/results/tls_invalid_reads.pcap.out
index acb6fd981..0704695ce 100644
--- a/test/results/tls_invalid_reads.pcap.out
+++ b/test/results/tls_invalid_reads.pcap.out
@@ -27,9 +27,9 @@
~~ total active/idle flows...: 2/2
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1934068 bytes
-~~ total memory freed........: 1934068 bytes
-~~ total allocations/frees...: 35351/35351
+~~ total memory allocated....: 4595959 bytes
+~~ total memory freed........: 4595959 bytes
+~~ total allocations/frees...: 99547/99547
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 164 chars
~~ json string max len.......: 825 chars
diff --git a/test/results/tls_long_cert.pcap.out b/test/results/tls_long_cert.pcap.out
index d49348a47..978fce844 100644
--- a/test/results/tls_long_cert.pcap.out
+++ b/test/results/tls_long_cert.pcap.out
@@ -5,7 +5,7 @@
00464{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"tls_long_cert.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_last_seen":1553619078058,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1553619078058,"pkt":"BBjWMe9aeDHBvV4kCABFAAA0AABAAEAGN9HAqAJ+aG\/XXesOAbssL+yCMZpGX4AQCAq0dAAAAQEICiSv2Y7Qt2rg"}
00854{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"tls_long_cert.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":4,"flow_first_seen":1553619078033,"flow_last_seen":1553619078058,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1553619078058,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"104.111.215.93","src_port":60174,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.repubblica.it","ja3":"66918128f1b9b03303d77c6f2eefd128","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00910{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"tls_long_cert.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":6,"flow_first_seen":1553619078033,"flow_last_seen":1553619078091,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":1965,"flow_avg_l4_payload_len":327,"midstream":0,"ts_msec":1553619078091,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"104.111.215.93","src_port":60174,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.repubblica.it","ja3":"66918128f1b9b03303d77c6f2eefd128","ja3s":"35af4c8cd9495354f7d701ce8ad7fd2d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-02375{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":9,"source":"tls_long_cert.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":9,"flow_first_seen":1553619078033,"flow_last_seen":1553619078093,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":4613,"flow_avg_l4_payload_len":512,"midstream":0,"ts_msec":1553619078093,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"104.111.215.93","src_port":60174,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.repubblica.it","server_names":"www.repstatic.it,repstatic.it,amp-video.lastampa.it,www.repubblica.it,amp-video.deejay.it,amp-video.d.repubblica.it,www.gelestatic.it,oasjs.kataweb.it,video.d.repubblica.it,www.test.capital.it,napoli.repubblica.it,video.ilsecoloxix.it,genova.repubblica.it,cdn.gelestatic.it,video.gelocal.it,media.deejay.it,media.m2o.it,amp-video.espresso.repubblica.it,download.gelocal.it,amp-video.m2o.it,bologna.repubblica.it,torino.repubblica.it,scripts.kataweb.it,palermo.repubblica.it,roma.repubblica.it,video.xl.repubblica.it,amp-video.gelocal.it,video.espresso.repubblica.it,www.capital.it,video.limesonline.com,media.capital.it,syndication-vod-pro.akamai.media.kataweb.it,test.capital.it,video.deejay.it,video.repubblica.it,milano.repubblica.it,video.lanuovasardegna.it,video.m2o.it,parma.repubblica.it,video.3nz.it,syndication-vod-hds.akamai.media.kataweb.it,amp-video.repubblica.it,video.lastampa.it,webfragments.repubblica.it,amp-video.xl.repubblica.it,amp-video.limesonline.com,media.kataweb.it,bari.repubblica.it,syndication-vod-hls.akamai.media.kataweb.it,amp-video.3nz.it,syndication3rd-vod-pro.akamai.media.kataweb.it,firenze.repubblica.it,amp-video.ilsecoloxix.it,amp-video.lanuovasardegna.it,cdn.flv.kataweb.it","ja3":"66918128f1b9b03303d77c6f2eefd128","ja3s":"35af4c8cd9495354f7d701ce8ad7fd2d","unsafe_c
ipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=GeoTrust RSA CA 2018","issuerDN":"C=IT, ST=Roma, L=Roma, O=GEDI Digital S.r.l., CN=www.repstatic.it","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"0C:9F:21:DB:65:A1:BE:EB:D8:89:38:D3:FF:7A:D9:02:8B:F1:60:A1"}}
+02376{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":9,"source":"tls_long_cert.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":9,"flow_first_seen":1553619078033,"flow_last_seen":1553619078093,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":4613,"flow_avg_l4_payload_len":512,"midstream":0,"ts_msec":1553619078093,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"104.111.215.93","src_port":60174,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www.repubblica.it","server_names":"www.repstatic.it,repstatic.it,amp-video.lastampa.it,www.repubblica.it,amp-video.deejay.it,amp-video.d.repubblica.it,www.gelestatic.it,oasjs.kataweb.it,video.d.repubblica.it,www.test.capital.it,napoli.repubblica.it,video.ilsecoloxix.it,genova.repubblica.it,cdn.gelestatic.it,video.gelocal.it,media.deejay.it,media.m2o.it,amp-video.espresso.repubblica.it,download.gelocal.it,amp-video.m2o.it,bologna.repubblica.it,torino.repubblica.it,scripts.kataweb.it,palermo.repubblica.it,roma.repubblica.it,video.xl.repubblica.it,amp-video.gelocal.it,video.espresso.repubblica.it,www.capital.it,video.limesonline.com,media.capital.it,syndication-vod-pro.akamai.media.kataweb.it,test.capital.it,video.deejay.it,video.repubblica.it,milano.repubblica.it,video.lanuovasardegna.it,video.m2o.it,parma.repubblica.it,video.3nz.it,syndication-vod-hds.akamai.media.kataweb.it,amp-video.repubblica.it,video.lastampa.it,webfragments.repubblica.it,amp-video.xl.repubblica.it,amp-video.limesonline.com,media.kataweb.it,bari.repubblica.it,syndication-vod-hls.akamai.media.kataweb.it,amp-video.3nz.it,syndication3rd-vod-pro.akamai.media.kataweb.it,firenze.repubblica.it,amp-video.ilsecoloxix.it,amp-video.lanuovasardegna.it,cdn.flv.kataweb.it","ja3":"66918128f1b9b03303d77c6f2eefd128","ja3s":"35af4c8cd9495354f7d701ce8ad7fd2d","unsafe_c
ipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=GeoTrust RSA CA 2018","subjectDN":"C=IT, ST=Roma, L=Roma, O=GEDI Digital S.r.l., CN=www.repstatic.it","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"0C:9F:21:DB:65:A1:BE:EB:D8:89:38:D3:FF:7A:D9:02:8B:F1:60:A1"}}
00570{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":182,"source":"tls_long_cert.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":182,"flow_first_seen":1553619078033,"flow_last_seen":1553619149372,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":105569,"flow_avg_l4_payload_len":580,"midstream":0,"ts_msec":1553619149372,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"104.111.215.93","src_port":60174,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00163{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":182,"source":"tls_long_cert.pcap","alias":"nDPId-test","total-events-serialized":10}
~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
@@ -16,10 +16,10 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1974240 bytes
-~~ total memory freed........: 1974240 bytes
-~~ total allocations/frees...: 35582/35582
+~~ total memory allocated....: 4636555 bytes
+~~ total memory freed........: 4636555 bytes
+~~ total allocations/frees...: 99778/99778
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 168 chars
-~~ json string max len.......: 2380 chars
+~~ json string max len.......: 2381 chars
~~ json string avg len.......: 1246 chars
diff --git a/test/results/tls_port_80.pcapng.out b/test/results/tls_port_80.pcapng.out
new file mode 100644
index 000000000..dfb88fcad
--- /dev/null
+++ b/test/results/tls_port_80.pcapng.out
@@ -0,0 +1,24 @@
+00447{"daemon_event_id":1,"daemon_event_name":"init","thread_id":0,"packet_id":0,"source":"tls_port_80.pcapng","alias":"nDPId-test","max-flows-per-thread":2048,"max-idle-flows-per-thread":256,"tick-resolution":1000,"reader-thread-count":1,"flow-scan-interval":10000,"generic-max-idle-time":600000,"icmp-max-idle-time":120000,"udp-max-idle-time":180000,"tcp-max-idle-time":7560000,"max-packets-per-flow-to-send":3,"max-packets-per-flow-to-process":255}
+00554{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1,"source":"tls_port_80.pcapng","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1618744619257,"flow_last_seen":1618744619257,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1618744619257,"l3_proto":"ip4","src_ip":"57.91.202.194","dst_ip":"132.49.141.56","src_port":50541,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
+00463{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"tls_port_80.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_last_seen":1618744619257,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1618744619257,"pkt":"AAAAAAAAAAQAaFgECABFAAA062pAAH8G+tE5W8rChDGNOMVtAFCEMAfKAAAAAIAC+vANRAAAAgQFUAEDAwgBAQQC"}
+00463{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"tls_port_80.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_last_seen":1618744619383,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1618744619383,"pkt":"AAAAAAAAAAMAlyocCABFAAA0AABAADUGMD2EMY04OVvKwgBQxW2J+2kQhDAHy4AS+vAZxAAAAgQFtAEBBAIBAwMH"}
+00463{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"tls_port_80.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_last_seen":1618744620269,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1618744620269,"pkt":"AAAAAAAAAAQAaFgECABFAAA062tAAH8G+tA5W8rChDGNOMVtAFCEMAfKAAAAAIAC+vANRAAAAgQFUAEDAwgBAQQC"}
+00885{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":12,"source":"tls_port_80.pcapng","alias":"nDPId-test","flow_id":1,"flow_packets_processed":12,"flow_first_seen":1618744619257,"flow_last_seen":1618744633780,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":245,"flow_tot_l4_payload_len":245,"flow_avg_l4_payload_len":20,"midstream":0,"ts_msec":1618744633780,"l3_proto":"ip4","src_ip":"57.91.202.194","dst_ip":"132.49.141.56","src_port":50541,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","15":"TLS (probably) not carrying HTTPS","24":"SNI TLS extension was missing"},"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","ja3":"3f2fba0262b1a22b739126dfb2fe7a7d","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
+00944{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":13,"source":"tls_port_80.pcapng","alias":"nDPId-test","flow_id":1,"flow_packets_processed":13,"flow_first_seen":1618744619257,"flow_last_seen":1618744633908,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1360,"flow_tot_l4_payload_len":1605,"flow_avg_l4_payload_len":123,"midstream":0,"ts_msec":1618744633908,"l3_proto":"ip4","src_ip":"57.91.202.194","dst_ip":"132.49.141.56","src_port":50541,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","15":"TLS (probably) not carrying HTTPS","24":"SNI TLS extension was missing"},"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","ja3":"3f2fba0262b1a22b739126dfb2fe7a7d","ja3s":"107030a763c7224285717ff1569a17f3","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"}}
+00565{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":13,"source":"tls_port_80.pcapng","alias":"nDPId-test","flow_id":1,"flow_packets_processed":13,"flow_first_seen":1618744619257,"flow_last_seen":1618744633908,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1360,"flow_tot_l4_payload_len":1605,"flow_avg_l4_payload_len":123,"midstream":0,"ts_msec":1618744633908,"l3_proto":"ip4","src_ip":"57.91.202.194","dst_ip":"132.49.141.56","src_port":50541,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
+00161{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":13,"source":"tls_port_80.pcapng","alias":"nDPId-test","total-events-serialized":9}
+~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
+~~ packets captured/processed: 13/13
+~~ skipped flows.............: 0
+~~ total layer4 data length..: 1605 bytes
+~~ total detected protocols..: 1
+~~ total active/idle flows...: 1/1
+~~ total timeout flows.......: 0
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~ total memory allocated....: 4592864 bytes
+~~ total memory freed........: 4592864 bytes
+~~ total allocations/frees...: 99548/99548
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~ json string min len.......: 166 chars
+~~ json string max len.......: 949 chars
+~~ json string avg len.......: 613 chars
diff --git a/test/results/tls_torrent.pcapng.out b/test/results/tls_torrent.pcapng.out
new file mode 100644
index 000000000..10412ec90
--- /dev/null
+++ b/test/results/tls_torrent.pcapng.out
@@ -0,0 +1,25 @@
+00447{"daemon_event_id":1,"daemon_event_name":"init","thread_id":0,"packet_id":0,"source":"tls_torrent.pcapng","alias":"nDPId-test","max-flows-per-thread":2048,"max-idle-flows-per-thread":256,"tick-resolution":1000,"reader-thread-count":1,"flow-scan-interval":10000,"generic-max-idle-time":600000,"icmp-max-idle-time":120000,"udp-max-idle-time":180000,"tcp-max-idle-time":7560000,"max-packets-per-flow-to-send":3,"max-packets-per-flow-to-process":255}
+00550{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1,"source":"tls_torrent.pcapng","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1639054407415,"flow_last_seen":1639054407415,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1639054407415,"l3_proto":"ip4","src_ip":"10.10.10.1","dst_ip":"192.168.0.1","src_port":443,"dst_port":58842,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
+00463{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"tls_torrent.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_last_seen":1639054407415,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1639054407415,"pkt":"AAAAAAAAAAcAAh9nCABFAAA0ug0AAOIGSgIKCgoBwKgAAQG75dqEHE30Ee7ob4ASBaDg4gAAAgQFeAEBBAIBAwMJ"}
+00463{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"tls_torrent.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_last_seen":1639054407427,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1639054407427,"pkt":"AAAAAAAAAAcAAh9nCABFAAA0ug8AAOIGSgAKCgoBwKgAAQG75dqEHE30Ee7ob4ASBaDg4gAAAgQFeAEBBAIBAwMJ"}
+00894{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"tls_torrent.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_last_seen":1639054407443,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":386,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":386,"pkt_l4_len":352,"ts_msec":1639054407443,"pkt":"AAAAAAAAAAgAP8PgCABFAAF07ppAAH8GNzXAqAABCgoKAeXaAbsR7uhvhBxN9VAYAQFi5gAAFgMBAUcBAAFDAwMaHZWwfkF0Un0n60H4DuzdTswHjey14FNv5IuITjtzKgAArMAwwCzAKMAkwBTACgClAKMAoQCfAGsAagBpAGgAOQA4ADcANgCIAIcAhgCFwDLALsAqwCbAD8AFAJ0APQA1AITAL8ArwCfAI8ATwAkApACiAKAAngBnAEAAPwA+ADMAMgAxADAAmgCZAJgAlwBFAEQAQwBCwDHALcApwCXADsAEAJwAPAAvAJYAQQAHwBHAB8AMwAIABQAEwBLACAAWABMAEAANwA3AAwAKAP8BAABuAAAAFQATAAAQd2ViLnV0b3JyZW50LmNvbQALAAQDAAECAAoAHAAaABcAGQAcABsAGAAaABYADgANAAsADAAJAAoAIwAAAA0AIAAeBgEGAgYDBQEFAgUDBAEEAgQDAwEDAgMDAgECAgIDAA8AAQE="}
+00817{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":3,"source":"tls_torrent.pcapng","alias":"nDPId-test","flow_id":1,"flow_packets_processed":3,"flow_first_seen":1639054407415,"flow_last_seen":1639054407443,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":332,"flow_tot_l4_payload_len":332,"flow_avg_l4_payload_len":110,"midstream":0,"ts_msec":1639054407443,"l3_proto":"ip4","src_ip":"10.10.10.1","dst_ip":"192.168.0.1","src_port":443,"dst_port":58842,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.utorrent.com","ja3":"fd80fa9c6120cdeea8520510f3c644ac","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
+00873{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":4,"source":"tls_torrent.pcapng","alias":"nDPId-test","flow_id":1,"flow_packets_processed":4,"flow_first_seen":1639054407415,"flow_last_seen":1639054407574,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1400,"flow_tot_l4_payload_len":1732,"flow_avg_l4_payload_len":433,"midstream":0,"ts_msec":1639054407574,"l3_proto":"ip4","src_ip":"10.10.10.1","dst_ip":"192.168.0.1","src_port":443,"dst_port":58842,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.utorrent.com","ja3":"fd80fa9c6120cdeea8520510f3c644ac","ja3s":"6f84bbe9810ec4ea9061cc1a02eaf83c","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}
+01205{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":7,"source":"tls_torrent.pcapng","alias":"nDPId-test","flow_id":1,"flow_packets_processed":7,"flow_first_seen":1639054407415,"flow_last_seen":1639054407576,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1400,"flow_tot_l4_payload_len":5906,"flow_avg_l4_payload_len":843,"midstream":0,"ts_msec":1639054407576,"l3_proto":"ip4","src_ip":"10.10.10.1","dst_ip":"192.168.0.1","src_port":443,"dst_port":58842,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.BitTorrent","breed":"Acceptable","category":"Download"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.utorrent.com","server_names":"*.utorrent.com,utorrent.com","ja3":"fd80fa9c6120cdeea8520510f3c644ac","ja3s":"6f84bbe9810ec4ea9061cc1a02eaf83c","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http:\/\/certs.godaddy.com\/repository\/, CN=Go Daddy Secure Certificate Authority - G2","subjectDN":"CN=*.utorrent.com","fingerprint":"E4:8F:E4:15:C7:D0:B7:EA:E6:F6:B1:B4:40:F0:13:D1:5E:7F:64:E8"}}
+00559{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":7,"source":"tls_torrent.pcapng","alias":"nDPId-test","flow_id":1,"flow_packets_processed":7,"flow_first_seen":1639054407415,"flow_last_seen":1639054407576,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1400,"flow_tot_l4_payload_len":5906,"flow_avg_l4_payload_len":843,"midstream":0,"ts_msec":1639054407576,"l3_proto":"ip4","src_ip":"10.10.10.1","dst_ip":"192.168.0.1","src_port":443,"dst_port":58842,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
+00161{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":7,"source":"tls_torrent.pcapng","alias":"nDPId-test","total-events-serialized":10}
+~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
+~~ packets captured/processed: 7/7
+~~ skipped flows.............: 0
+~~ total layer4 data length..: 5906 bytes
+~~ total detected protocols..: 1
+~~ total active/idle flows...: 1/1
+~~ total timeout flows.......: 0
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~ total memory allocated....: 4605168 bytes
+~~ total memory freed........: 4605168 bytes
+~~ total allocations/frees...: 99549/99549
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~ json string min len.......: 166 chars
+~~ json string max len.......: 1210 chars
+~~ json string avg len.......: 736 chars
diff --git a/test/results/tls_verylong_certificate.pcap.out b/test/results/tls_verylong_certificate.pcap.out
index 384de06fa..6c3f4c1c5 100644
--- a/test/results/tls_verylong_certificate.pcap.out
+++ b/test/results/tls_verylong_certificate.pcap.out
@@ -5,7 +5,7 @@
00475{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"tls_verylong_certificate.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_last_seen":1578254908469,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1578254908469,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGnuXAqAGgl2VCMdYUAbur4+BF2Hadx4AQEAgJrQAAAQEICgG\/txJynbuC"}
00801{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"tls_verylong_certificate.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":4,"flow_first_seen":1578254908457,"flow_last_seen":1578254908475,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1578254908475,"l3_proto":"ip4","src_ip":"192.168.1.160","dst_ip":"151.101.66.49","src_port":54804,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"feodotracker.abuse.ch","ja3":"2a26b1a62e40d25d4de3babc9d532f30","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"http\/1.1"}}
00857{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"tls_verylong_certificate.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":6,"flow_first_seen":1578254908457,"flow_last_seen":1578254908490,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1368,"flow_tot_l4_payload_len":1885,"flow_avg_l4_payload_len":314,"midstream":0,"ts_msec":1578254908490,"l3_proto":"ip4","src_ip":"192.168.1.160","dst_ip":"151.101.66.49","src_port":54804,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"feodotracker.abuse.ch","ja3":"2a26b1a62e40d25d4de3babc9d532f30","ja3s":"ae53107a2e47ea20c72ac44821a728bf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"http\/1.1"}}
-03545{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":11,"source":"tls_verylong_certificate.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":11,"flow_first_seen":1578254908457,"flow_last_seen":1578254908490,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1368,"flow_tot_l4_payload_len":5989,"flow_avg_l4_payload_len":544,"midstream":0,"ts_msec":1578254908490,"l3_proto":"ip4","src_ip":"192.168.1.160","dst_ip":"151.101.66.49","src_port":54804,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Media"},"tls": {"version":"TLSv1.2","client_requested_server_name":"feodotracker.abuse.ch","server_names":"p2.shared.global.fastly.net,*.12wbt.com,*.2bleacherreport.com,*.3bleacherreport.com,*.4bleacherreport.com,*.8bleacherreport.com,*.abuse.ch,*.acdn-it.ps-pantheon.com,*.cdn.livingmap.com,*.content.plastiq.com,*.dimensions.ai,*.dollarshaveclub.co.uk,*.dollarshaveclub.com,*.dontpayfull.com,*.ebisubook.com,*.foreignaffairs.com,*.fs.jibjab.com,*.fs.unitprints.com,*.ggleap.com,*.goodeggs.com,*.huevosbuenos.com,*.indy.myomnigon.com,*.jwatch.org,*.kingsfordcharcoal.com.au,*.lancenters.com,*.madebywe.com,*.minirodini.com,*.modcloth.net,*.orionlabs.io,*.ps-pantheon.com,*.scodle.com,*.steelseries.com,*.theforeman.org,*.uploads.eversign.com,*.uploads.schoox.com,*.vts.com,*.x.stg1.ebisubook.com,*.yang2020.com,12wbt.com,2bleacherreport.com,3bleacherreport.com,4bleacherreport.com,8bleacherreport.com,abuse.ch,brita.com,cdn.fwupd.org,cdn.livingmap.com,cdn.seated.com,cdn.skillacademy.com,clinicaloptions.com,clorox.com,content-preprod.beaverbrooksweb2.co.uk,content.beaverbrooks.co.uk,content.plastiq.com,coolmathgames.com,copterroyale.coolmathgames.com,d8-dev.coolmathgames.com,deflyio.coolmathgames.com,delivery-api.evadacms.com,dimensions.ai,dollarshaveclub.co.uk,dollarshaveclub.com,dontpayfull.com,eluniverso.com,email.amg-group.co,email.tekoforlife.co.uk,feedmarket.fr,freshstep.com,gglea
p.com,goodeggs.com,heap.io,huevosbuenos.com,identity.linuxfoundation.org,joebiden.com,jwatch.org,kingsford.co.nz,kingsfordcharcoal.com.au,lancenters.com,lists.linuxfoundation.org,m-stage.coolmathgames.com,m.coolmathgames.com,madebywe.com,minirodini.com,modcloth.net,orionlabs.io,puritanmedproducts.com,reviews.org,rg-video-staging.ruangguru.com,rg-video.ruangguru.com,ruangguru.com,scodle.com,stage.coolmathgames.com,staging.appblade.com,steelseries.com,stg.platform.eluniverso.com,test.brita.com,test.heap.io,test.joebiden.com,test.ruangguru.com,theforeman.org,video-cdn.quipper.com,videos.calcworkshop.com,vts.com,www.101network.com,www.autos101.com,www.brita.com,www.clorox.com,www.collider.com,www.coolmathgames.com,www.eluniverso.com,www.flinto.com,www.freshstep.com,www.heap.io,www.holagente.com,www.icsydney.com.au,www.joebiden.com,www.kingsford.co.nz,www.mrnatty.com,www.myjewellerystory.com.au,www.myjs.com,www.netacea.com,www.parenting101.com,www.puritanmedproducts.com,www.reviews.org,www.sba.sa,www.shashatcom.sa,www.uat.ontariocolleges.ca,www.vacation101.com,www.walterspeople.co.uk,www.westwayelectricsupply.com","ja3":"2a26b1a62e40d25d4de3babc9d532f30","ja3s":"ae53107a2e47ea20c72ac44821a728bf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=BE, O=GlobalSign nv-sa, CN=GlobalSign CloudSSL CA - SHA256 - G3","issuerDN":"C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=p2.shared.global.fastly.net","alpn":"http\/1.1","fingerprint":"E9:34:DF:E0:C5:31:3C:59:7E:E2:57:44:F2:82:E9:80:F5:5D:05:4B"}}
+03546{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":11,"source":"tls_verylong_certificate.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":11,"flow_first_seen":1578254908457,"flow_last_seen":1578254908490,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1368,"flow_tot_l4_payload_len":5989,"flow_avg_l4_payload_len":544,"midstream":0,"ts_msec":1578254908490,"l3_proto":"ip4","src_ip":"192.168.1.160","dst_ip":"151.101.66.49","src_port":54804,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Media"},"tls": {"version":"TLSv1.2","client_requested_server_name":"feodotracker.abuse.ch","server_names":"p2.shared.global.fastly.net,*.12wbt.com,*.2bleacherreport.com,*.3bleacherreport.com,*.4bleacherreport.com,*.8bleacherreport.com,*.abuse.ch,*.acdn-it.ps-pantheon.com,*.cdn.livingmap.com,*.content.plastiq.com,*.dimensions.ai,*.dollarshaveclub.co.uk,*.dollarshaveclub.com,*.dontpayfull.com,*.ebisubook.com,*.foreignaffairs.com,*.fs.jibjab.com,*.fs.unitprints.com,*.ggleap.com,*.goodeggs.com,*.huevosbuenos.com,*.indy.myomnigon.com,*.jwatch.org,*.kingsfordcharcoal.com.au,*.lancenters.com,*.madebywe.com,*.minirodini.com,*.modcloth.net,*.orionlabs.io,*.ps-pantheon.com,*.scodle.com,*.steelseries.com,*.theforeman.org,*.uploads.eversign.com,*.uploads.schoox.com,*.vts.com,*.x.stg1.ebisubook.com,*.yang2020.com,12wbt.com,2bleacherreport.com,3bleacherreport.com,4bleacherreport.com,8bleacherreport.com,abuse.ch,brita.com,cdn.fwupd.org,cdn.livingmap.com,cdn.seated.com,cdn.skillacademy.com,clinicaloptions.com,clorox.com,content-preprod.beaverbrooksweb2.co.uk,content.beaverbrooks.co.uk,content.plastiq.com,coolmathgames.com,copterroyale.coolmathgames.com,d8-dev.coolmathgames.com,deflyio.coolmathgames.com,delivery-api.evadacms.com,dimensions.ai,dollarshaveclub.co.uk,dollarshaveclub.com,dontpayfull.com,eluniverso.com,email.amg-group.co,email.tekoforlife.co.uk,feedmarket.fr,freshstep.com,gglea
p.com,goodeggs.com,heap.io,huevosbuenos.com,identity.linuxfoundation.org,joebiden.com,jwatch.org,kingsford.co.nz,kingsfordcharcoal.com.au,lancenters.com,lists.linuxfoundation.org,m-stage.coolmathgames.com,m.coolmathgames.com,madebywe.com,minirodini.com,modcloth.net,orionlabs.io,puritanmedproducts.com,reviews.org,rg-video-staging.ruangguru.com,rg-video.ruangguru.com,ruangguru.com,scodle.com,stage.coolmathgames.com,staging.appblade.com,steelseries.com,stg.platform.eluniverso.com,test.brita.com,test.heap.io,test.joebiden.com,test.ruangguru.com,theforeman.org,video-cdn.quipper.com,videos.calcworkshop.com,vts.com,www.101network.com,www.autos101.com,www.brita.com,www.clorox.com,www.collider.com,www.coolmathgames.com,www.eluniverso.com,www.flinto.com,www.freshstep.com,www.heap.io,www.holagente.com,www.icsydney.com.au,www.joebiden.com,www.kingsford.co.nz,www.mrnatty.com,www.myjewellerystory.com.au,www.myjs.com,www.netacea.com,www.parenting101.com,www.puritanmedproducts.com,www.reviews.org,www.sba.sa,www.shashatcom.sa,www.uat.ontariocolleges.ca,www.vacation101.com,www.walterspeople.co.uk,www.westwayelectricsupply.com","ja3":"2a26b1a62e40d25d4de3babc9d532f30","ja3s":"ae53107a2e47ea20c72ac44821a728bf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=BE, O=GlobalSign nv-sa, CN=GlobalSign CloudSSL CA - SHA256 - G3","subjectDN":"C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=p2.shared.global.fastly.net","alpn":"http\/1.1","fingerprint":"E9:34:DF:E0:C5:31:3C:59:7E:E2:57:44:F2:82:E9:80:F5:5D:05:4B"}}
00577{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":48,"source":"tls_verylong_certificate.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":48,"flow_first_seen":1578254908457,"flow_last_seen":1578254908551,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1368,"flow_tot_l4_payload_len":19077,"flow_avg_l4_payload_len":397,"midstream":0,"ts_msec":1578254908551,"l3_proto":"ip4","src_ip":"192.168.1.160","dst_ip":"151.101.66.49","src_port":54804,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00173{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":48,"source":"tls_verylong_certificate.pcap","alias":"nDPId-test","total-events-serialized":10}
~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
@@ -16,10 +16,10 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 2101795 bytes
-~~ total memory freed........: 2101795 bytes
-~~ total allocations/frees...: 35523/35523
+~~ total memory allocated....: 4764110 bytes
+~~ total memory freed........: 4764110 bytes
+~~ total allocations/frees...: 99719/99719
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 178 chars
-~~ json string max len.......: 3550 chars
+~~ json string max len.......: 3551 chars
~~ json string avg len.......: 1761 chars
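Review bot: The expected summary for this single-flow capture now records 4764110 bytes allocated instead of 2101795, and 99719 allocations instead of 35523, with nothing in the visible hunks to explain the jump. Allocated and freed still match, so this is not a leak, and the libnDPI submodule bump in the same commit is the likely cause, though that is an inference. The commit message should state where the increase comes from and whether it is a fixed start-up cost or grows per flow. For a daemon that parses untrusted traffic, per-flow growth of that size would be a resource-exhaustion concern. A regenerated fixture accepts whatever number the run produced, so a regression here would pass unnoticed.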
diff --git a/test/results/tor.pcap.out b/test/results/tor.pcap.out
index 68ad4a502..32359d467 100644
--- a/test/results/tor.pcap.out
+++ b/test/results/tor.pcap.out
@@ -10,7 +10,7 @@
00455{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":5,"source":"tor.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_last_seen":1383821665491,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1383821665491,"pkt":"UlQAWul3UlQA2EYhCABFAAA0AABAAC4G0J5bj13ywKgB\/AG7x6b4Wbj86f\/J04ASOQiLRwAAAgQFtAEBBAIBAwMH"}
00447{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6,"source":"tor.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_last_seen":1383821665491,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"ts_msec":1383821665491,"pkt":"UlQA2EYhUlQAWul3CABFAAAoA19AAIAGe0vAqAH8W49d8semAbvp\/8nT+Fm4\/VAQAQAEIgAAAAAAAAAA"}
00816{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":7,"source":"tor.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":4,"flow_first_seen":1383821665420,"flow_last_seen":1383821665498,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":215,"flow_tot_l4_payload_len":215,"flow_avg_l4_payload_len":53,"midstream":0,"ts_msec":1383821665498,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"91.143.93.242","src_port":51110,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"www.ct7ctrgb6cr7.com","ja3":"581a3c7f54555512b8cd16e87dfe165b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
-01027{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":9,"source":"tor.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":6,"flow_first_seen":1383821665420,"flow_last_seen":1383821665606,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":748,"flow_tot_l4_payload_len":963,"flow_avg_l4_payload_len":160,"midstream":0,"ts_msec":1383821665606,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"91.143.93.242","src_port":51110,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"www.ct7ctrgb6cr7.com","ja3":"581a3c7f54555512b8cd16e87dfe165b","ja3s":"184d532a16876b78846ae6a03f654890","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","issuerDN":"CN=www.xkgk7fdx362yyyxib.com","issuerDN":"CN=www.g6ghvisevf3ibuu5.net","fingerprint":"94:F9:FF:E2:7F:DB:1F:B8:19:65:20:6F:F6:DE:B6:A5:D5:AF:14:C7"}}
+01028{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":9,"source":"tor.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":6,"flow_first_seen":1383821665420,"flow_last_seen":1383821665606,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":748,"flow_tot_l4_payload_len":963,"flow_avg_l4_payload_len":160,"midstream":0,"ts_msec":1383821665606,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"91.143.93.242","src_port":51110,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"www.ct7ctrgb6cr7.com","ja3":"581a3c7f54555512b8cd16e87dfe165b","ja3s":"184d532a16876b78846ae6a03f654890","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","issuerDN":"CN=www.xkgk7fdx362yyyxib.com","subjectDN":"CN=www.g6ghvisevf3ibuu5.net","fingerprint":"94:F9:FF:E2:7F:DB:1F:B8:19:65:20:6F:F6:DE:B6:A5:D5:AF:14:C7"}}
00351{"packet_event_id":1,"packet_event_name":"packet","thread_id":0,"packet_id":25,"source":"tor.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":38,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"ts_msec":1383821666212,"pkt":"AYDCAAAA\/lQA2EYhACZCQgMAAAAAAIAAUlQAwqwfAAAAAIAAUlQAwqwfgAMAABQAAgAAAAAAAAAAAAAA"}
00142{"basic_event_id":5,"basic_event_name":"Unknown packet type","thread_id":0,"packet_id":25,"source":"tor.pcap","alias":"nDPId-test","type":38}
00544{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":26,"source":"tor.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":1,"flow_first_seen":1383821666407,"flow_last_seen":1383821666407,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1383821666407,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"46.59.52.31","src_port":51111,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
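Review bot: The removed `detection-update` line carried `"issuerDN"` twice and was checked in as expected output, so the result comparison and schema validation apparently do not reject duplicate JSON keys. Most parsers keep the last value silently, which means consumers of the old output probably read the certificate subject under the issuer name. Anything matching on `issuerDN` should be re-checked against the new `subjectDN` field. The tests should fail on a repeated key within one object; if the validator is Python, an `object_pairs_hook` on `json.loads` that raises on a repeat is enough. The same duplicate appears on the removed lines of the hunks at `@@ -18,7`, `@@ -26,7` and `@@ -183,8` of this file.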
@@ -18,7 +18,7 @@
00455{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":27,"source":"tor.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_last_seen":1383821666480,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1383821666480,"pkt":"UlQAWul3UlQA2EYhCABFAAA0AABAACwGKcYuOzQfwKgB\/AG7x6cxNPZ86YyWGYASchBnNQAAAgQFtAEBBAIBAwMK"}
00446{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":28,"source":"tor.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_last_seen":1383821666481,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"ts_msec":1383821666481,"pkt":"UlQA2EYhUlQAWul3CABFAAAoA2lAAIAG0mjAqAH8Ljs0H8enAbvpjJYZMTT2fVAQAQAZGwAAAAAAAAAA"}
00900{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":29,"source":"tor.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":4,"flow_first_seen":1383821666407,"flow_last_seen":1383821666482,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":222,"flow_tot_l4_payload_len":222,"flow_avg_l4_payload_len":55,"midstream":0,"ts_msec":1383821666482,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"46.59.52.31","src_port":51111,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","16":"Suspicious DGA domain name","22":"Unsafe Protocol"},"proto":"TLS.Tor","breed":"Potentially Dangerous","category":"VPN"},"tls": {"version":"TLSv1","client_requested_server_name":"www.e6r5p57kbafwrxj3plz.com","ja3":"581a3c7f54555512b8cd16e87dfe165b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
-01111{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":32,"source":"tor.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":6,"flow_first_seen":1383821666407,"flow_last_seen":1383821666558,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":749,"flow_tot_l4_payload_len":971,"flow_avg_l4_payload_len":161,"midstream":0,"ts_msec":1383821666558,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"46.59.52.31","src_port":51111,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","16":"Suspicious DGA domain name","22":"Unsafe Protocol"},"proto":"TLS.Tor","breed":"Potentially Dangerous","category":"VPN"},"tls": {"version":"TLSv1","client_requested_server_name":"www.e6r5p57kbafwrxj3plz.com","ja3":"581a3c7f54555512b8cd16e87dfe165b","ja3s":"184d532a16876b78846ae6a03f654890","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","issuerDN":"CN=www.gmvuy6mtjbxevwo3w.com","issuerDN":"CN=www.bpcau5b3haif5els.net","fingerprint":"3A:B1:8A:6F:C3:F6:41:ED:77:D5:40:C3:85:79:8B:62:46:BC:65:9C"}}
+01112{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":32,"source":"tor.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":6,"flow_first_seen":1383821666407,"flow_last_seen":1383821666558,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":749,"flow_tot_l4_payload_len":971,"flow_avg_l4_payload_len":161,"midstream":0,"ts_msec":1383821666558,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"46.59.52.31","src_port":51111,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","16":"Suspicious DGA domain name","22":"Unsafe Protocol"},"proto":"TLS.Tor","breed":"Potentially Dangerous","category":"VPN"},"tls": {"version":"TLSv1","client_requested_server_name":"www.e6r5p57kbafwrxj3plz.com","ja3":"581a3c7f54555512b8cd16e87dfe165b","ja3s":"184d532a16876b78846ae6a03f654890","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","issuerDN":"CN=www.gmvuy6mtjbxevwo3w.com","subjectDN":"CN=www.bpcau5b3haif5els.net","fingerprint":"3A:B1:8A:6F:C3:F6:41:ED:77:D5:40:C3:85:79:8B:62:46:BC:65:9C"}}
00351{"packet_event_id":1,"packet_event_name":"packet","thread_id":0,"packet_id":55,"source":"tor.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":38,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"ts_msec":1383821668212,"pkt":"AYDCAAAA\/lQA2EYhACZCQgMAAAAAAIAAUlQAwqwfAAAAAIAAUlQAwqwfgAMAABQAAgAAAAAAAAAAAAAA"}
00142{"basic_event_id":5,"basic_event_name":"Unknown packet type","thread_id":0,"packet_id":55,"source":"tor.pcap","alias":"nDPId-test","type":38}
00545{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":56,"source":"tor.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":1,"flow_first_seen":1383821668403,"flow_last_seen":1383821668403,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1383821668403,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"38.229.70.53","src_port":51112,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -26,7 +26,7 @@
00455{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":58,"source":"tor.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_last_seen":1383821668547,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1383821668547,"pkt":"UlQAWul3UlQA2EYhCABFAAA0AABAADQGFwYm5UY1wKgB\/AG7x6iEDREglLPWMoASOQg8wAAAAgQFtAEBBAIBAwMK"}
00446{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":59,"source":"tor.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_last_seen":1383821668548,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"ts_msec":1383821668548,"pkt":"UlQA2EYhUlQAWul3CABFAAAoA3ZAAIAGx5vAqAH8JuVGNceoAbuUs9YyhA0RIVAQAQC1nQAAAAAAAAAA"}
00903{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":60,"source":"tor.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":4,"flow_first_seen":1383821668403,"flow_last_seen":1383821668548,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":224,"flow_tot_l4_payload_len":224,"flow_avg_l4_payload_len":56,"midstream":0,"ts_msec":1383821668548,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"38.229.70.53","src_port":51112,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","16":"Suspicious DGA domain name","22":"Unsafe Protocol"},"proto":"TLS.Tor","breed":"Potentially Dangerous","category":"VPN"},"tls": {"version":"TLSv1","client_requested_server_name":"www.q4cyamnc6mtokjurvdclt.com","ja3":"581a3c7f54555512b8cd16e87dfe165b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
-01108{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":63,"source":"tor.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":6,"flow_first_seen":1383821668403,"flow_last_seen":1383821668700,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":929,"flow_tot_l4_payload_len":1153,"flow_avg_l4_payload_len":192,"midstream":0,"ts_msec":1383821668700,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"38.229.70.53","src_port":51112,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","16":"Suspicious DGA domain name","22":"Unsafe Protocol"},"proto":"TLS.Tor","breed":"Potentially Dangerous","category":"VPN"},"tls": {"version":"TLSv1","client_requested_server_name":"www.q4cyamnc6mtokjurvdclt.com","ja3":"581a3c7f54555512b8cd16e87dfe165b","ja3s":"e1691a31bfe345d2692da75636ddfb00","unsafe_cipher":0,"cipher":"TLS_DHE_RSA_WITH_AES_256_CBC_SHA","issuerDN":"CN=www.gg562izcxdvqdk.com","issuerDN":"CN=www.fcsyvnlemwxv5p.net","fingerprint":"C1:93:18:2C:A3:1D:AC:5F:C7:DE:17:8A:4E:B1:E8:13:BB:08:73:3A"}}
+01109{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":63,"source":"tor.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":6,"flow_first_seen":1383821668403,"flow_last_seen":1383821668700,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":929,"flow_tot_l4_payload_len":1153,"flow_avg_l4_payload_len":192,"midstream":0,"ts_msec":1383821668700,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"38.229.70.53","src_port":51112,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","16":"Suspicious DGA domain name","22":"Unsafe Protocol"},"proto":"TLS.Tor","breed":"Potentially Dangerous","category":"VPN"},"tls": {"version":"TLSv1","client_requested_server_name":"www.q4cyamnc6mtokjurvdclt.com","ja3":"581a3c7f54555512b8cd16e87dfe165b","ja3s":"e1691a31bfe345d2692da75636ddfb00","unsafe_cipher":0,"cipher":"TLS_DHE_RSA_WITH_AES_256_CBC_SHA","issuerDN":"CN=www.gg562izcxdvqdk.com","subjectDN":"CN=www.fcsyvnlemwxv5p.net","fingerprint":"C1:93:18:2C:A3:1D:AC:5F:C7:DE:17:8A:4E:B1:E8:13:BB:08:73:3A"}}
00351{"packet_event_id":1,"packet_event_name":"packet","thread_id":0,"packet_id":80,"source":"tor.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":38,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"ts_msec":1383821670213,"pkt":"AYDCAAAA\/lQA2EYhACZCQgMAAAAAAIAAUlQAwqwfAAAAAIAAUlQAwqwfgAMAABQAAgAAAAAAAAAAAAAA"}
00142{"basic_event_id":5,"basic_event_name":"Unknown packet type","thread_id":0,"packet_id":80,"source":"tor.pcap","alias":"nDPId-test","type":38}
00351{"packet_event_id":1,"packet_event_name":"packet","thread_id":0,"packet_id":83,"source":"tor.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":38,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"ts_msec":1383821672213,"pkt":"AYDCAAAA\/lQA2EYhACZCQgMAAAAAAIAAUlQAwqwfAAAAAIAAUlQAwqwfgAMAABQAAgAAAAAAAAAAAAAA"}
@@ -160,7 +160,7 @@
00559{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":1834,"source":"tor.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":141,"flow_first_seen":1383821665420,"flow_last_seen":1383821774457,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":60720,"flow_avg_l4_payload_len":430,"midstream":0,"ts_msec":1383822123915,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"91.143.93.242","src_port":51110,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00556{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1834,"source":"tor.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":4,"flow_first_seen":1383821673254,"flow_last_seen":1383821763366,"flow_idle_time":180000,"flow_min_l4_payload_len":144,"flow_max_l4_payload_len":144,"flow_tot_l4_payload_len":576,"flow_avg_l4_payload_len":144,"midstream":0,"ts_msec":1383822123915,"l3_proto":"ip4","src_ip":"192.168.1.1","dst_ip":"192.168.1.255","src_port":17500,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00554{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1834,"source":"tor.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":1,"flow_first_seen":1383821693159,"flow_last_seen":1383821693159,"flow_idle_time":180000,"flow_min_l4_payload_len":210,"flow_max_l4_payload_len":210,"flow_tot_l4_payload_len":210,"flow_avg_l4_payload_len":210,"midstream":0,"ts_msec":1383822123915,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"192.168.1.255","src_port":138,"dst_port":138,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
-00568{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":1834,"source":"tor.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":1,"flow_first_seen":1383821734359,"flow_last_seen":1383821734359,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1383822123915,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"157.56.30.46","src_port":51104,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"}}
+00582{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":1834,"source":"tor.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":1,"flow_first_seen":1383821734359,"flow_last_seen":1383821734359,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1383822123915,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"157.56.30.46","src_port":51104,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Azure","breed":"Acceptable","category":"Cloud"}}
00547{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":1834,"source":"tor.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":1,"flow_first_seen":1383821734359,"flow_last_seen":1383821734359,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1383822123915,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"157.56.30.46","src_port":51104,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00555{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":1834,"source":"tor.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":34,"flow_first_seen":1383821666407,"flow_last_seen":1383821774461,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":9246,"flow_avg_l4_payload_len":271,"midstream":0,"ts_msec":1383822123915,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"46.59.52.31","src_port":51111,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00561{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":1834,"source":"tor.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":1576,"flow_first_seen":1383821668403,"flow_last_seen":1383821774532,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":1301150,"flow_avg_l4_payload_len":825,"midstream":0,"ts_msec":1383822123915,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"38.229.70.53","src_port":51112,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -183,8 +183,8 @@
00448{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1845,"source":"tor.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":3,"flow_last_seen":1383822129962,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"ts_msec":1383822129962,"pkt":"UlQA2EYhUlQAWul3CABFAAAoCJpAAIAGdhDAqAH8W49d8sfnAbtnuw7Nw96cNlAQAQCSbgAAAAAAAAAA"}
00814{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1846,"source":"tor.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":4,"flow_first_seen":1383822129889,"flow_last_seen":1383822129965,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":209,"flow_tot_l4_payload_len":209,"flow_avg_l4_payload_len":52,"midstream":0,"ts_msec":1383822129965,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"212.83.155.250","src_port":51174,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"www.t3i3ru.com","ja3":"581a3c7f54555512b8cd16e87dfe165b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
00895{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1847,"source":"tor.pcap","alias":"nDPId-test","flow_id":9,"flow_packets_processed":4,"flow_first_seen":1383822129897,"flow_last_seen":1383822129972,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":213,"flow_tot_l4_payload_len":213,"flow_avg_l4_payload_len":53,"midstream":0,"ts_msec":1383822129972,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"91.143.93.242","src_port":51175,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","16":"Suspicious DGA domain name","22":"Unsafe Protocol"},"proto":"TLS.Tor","breed":"Potentially Dangerous","category":"VPN"},"tls": {"version":"TLSv1","client_requested_server_name":"www.gfu7hbxpfp.com","ja3":"581a3c7f54555512b8cd16e87dfe165b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
-01020{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1849,"source":"tor.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":6,"flow_first_seen":1383822129889,"flow_last_seen":1383822130023,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":743,"flow_tot_l4_payload_len":952,"flow_avg_l4_payload_len":158,"midstream":0,"ts_msec":1383822130023,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"212.83.155.250","src_port":51174,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"www.t3i3ru.com","ja3":"581a3c7f54555512b8cd16e87dfe165b","ja3s":"184d532a16876b78846ae6a03f654890","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","issuerDN":"CN=www.wohgpas45j6ucw.com","issuerDN":"CN=www.7d43ah2kikrabj.net","fingerprint":"F9:1D:5F:89:8F:D8:58:1E:45:E7:9B:A6:FD:90:95:77:FF:DD:E8:1B"}}
-01106{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1852,"source":"tor.pcap","alias":"nDPId-test","flow_id":9,"flow_packets_processed":6,"flow_first_seen":1383822129897,"flow_last_seen":1383822130047,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":748,"flow_tot_l4_payload_len":961,"flow_avg_l4_payload_len":160,"midstream":0,"ts_msec":1383822130047,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"91.143.93.242","src_port":51175,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","16":"Suspicious DGA domain name","22":"Unsafe Protocol"},"proto":"TLS.Tor","breed":"Potentially Dangerous","category":"VPN"},"tls": {"version":"TLSv1","client_requested_server_name":"www.gfu7hbxpfp.com","ja3":"581a3c7f54555512b8cd16e87dfe165b","ja3s":"184d532a16876b78846ae6a03f654890","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","issuerDN":"CN=www.xkgk7fdx362yyyxib.com","issuerDN":"CN=www.g6ghvisevf3ibuu5.net","fingerprint":"94:F9:FF:E2:7F:DB:1F:B8:19:65:20:6F:F6:DE:B6:A5:D5:AF:14:C7"}}
+01021{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1849,"source":"tor.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":6,"flow_first_seen":1383822129889,"flow_last_seen":1383822130023,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":743,"flow_tot_l4_payload_len":952,"flow_avg_l4_payload_len":158,"midstream":0,"ts_msec":1383822130023,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"212.83.155.250","src_port":51174,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"www.t3i3ru.com","ja3":"581a3c7f54555512b8cd16e87dfe165b","ja3s":"184d532a16876b78846ae6a03f654890","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","issuerDN":"CN=www.wohgpas45j6ucw.com","subjectDN":"CN=www.7d43ah2kikrabj.net","fingerprint":"F9:1D:5F:89:8F:D8:58:1E:45:E7:9B:A6:FD:90:95:77:FF:DD:E8:1B"}}
+01107{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1852,"source":"tor.pcap","alias":"nDPId-test","flow_id":9,"flow_packets_processed":6,"flow_first_seen":1383822129897,"flow_last_seen":1383822130047,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":748,"flow_tot_l4_payload_len":961,"flow_avg_l4_payload_len":160,"midstream":0,"ts_msec":1383822130047,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"91.143.93.242","src_port":51175,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","16":"Suspicious DGA domain name","22":"Unsafe Protocol"},"proto":"TLS.Tor","breed":"Potentially Dangerous","category":"VPN"},"tls": {"version":"TLSv1","client_requested_server_name":"www.gfu7hbxpfp.com","ja3":"581a3c7f54555512b8cd16e87dfe165b","ja3s":"184d532a16876b78846ae6a03f654890","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","issuerDN":"CN=www.xkgk7fdx362yyyxib.com","subjectDN":"CN=www.g6ghvisevf3ibuu5.net","fingerprint":"94:F9:FF:E2:7F:DB:1F:B8:19:65:20:6F:F6:DE:B6:A5:D5:AF:14:C7"}}
00353{"packet_event_id":1,"packet_event_name":"packet","thread_id":0,"packet_id":1862,"source":"tor.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":38,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"ts_msec":1383822130216,"pkt":"AYDCAAAA\/lQA2EYhACZCQgMAAAAAAIAAUlQAwqwfAAAAAIAAUlQAwqwfgAMAABQAAgAAAAAAAAAAAAAA"}
00144{"basic_event_id":5,"basic_event_name":"Unknown packet type","thread_id":0,"packet_id":1862,"source":"tor.pcap","alias":"nDPId-test","type":38}
00548{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1888,"source":"tor.pcap","alias":"nDPId-test","flow_id":10,"flow_packets_processed":1,"flow_first_seen":1383822130889,"flow_last_seen":1383822130889,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1383822130889,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"38.229.70.53","src_port":51176,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -192,7 +192,7 @@
00459{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1891,"source":"tor.pcap","alias":"nDPId-test","flow_id":10,"flow_packet_id":2,"flow_last_seen":1383822131033,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1383822131033,"pkt":"UlQAWul3UlQA2EYhCABFAAA0AABAADQGFwYm5UY1wKgB\/AG7x+hg0\/cE9LcH4IASOQjoIwAAAgQFtAEBBAIBAwMK"}
00449{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1892,"source":"tor.pcap","alias":"nDPId-test","flow_id":10,"flow_packet_id":3,"flow_last_seen":1383822131034,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"ts_msec":1383822131034,"pkt":"UlQA2EYhUlQAWul3CABFAAAoCK9AAIAGwmLAqAH8JuVGNcfoAbv0twfgYNP3BVAQAQBhAQAAAAAAAAAA"}
00814{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1893,"source":"tor.pcap","alias":"nDPId-test","flow_id":10,"flow_packets_processed":4,"flow_first_seen":1383822130889,"flow_last_seen":1383822131034,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":210,"flow_tot_l4_payload_len":210,"flow_avg_l4_payload_len":52,"midstream":0,"ts_msec":1383822131034,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"38.229.70.53","src_port":51176,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"www.jmts2id.com","ja3":"581a3c7f54555512b8cd16e87dfe165b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
-01019{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1896,"source":"tor.pcap","alias":"nDPId-test","flow_id":10,"flow_packets_processed":6,"flow_first_seen":1383822130889,"flow_last_seen":1383822131220,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":929,"flow_tot_l4_payload_len":1139,"flow_avg_l4_payload_len":189,"midstream":0,"ts_msec":1383822131220,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"38.229.70.53","src_port":51176,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"www.jmts2id.com","ja3":"581a3c7f54555512b8cd16e87dfe165b","ja3s":"e1691a31bfe345d2692da75636ddfb00","unsafe_cipher":0,"cipher":"TLS_DHE_RSA_WITH_AES_256_CBC_SHA","issuerDN":"CN=www.gg562izcxdvqdk.com","issuerDN":"CN=www.fcsyvnlemwxv5p.net","fingerprint":"C1:93:18:2C:A3:1D:AC:5F:C7:DE:17:8A:4E:B1:E8:13:BB:08:73:3A"}}
+01020{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1896,"source":"tor.pcap","alias":"nDPId-test","flow_id":10,"flow_packets_processed":6,"flow_first_seen":1383822130889,"flow_last_seen":1383822131220,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":929,"flow_tot_l4_payload_len":1139,"flow_avg_l4_payload_len":189,"midstream":0,"ts_msec":1383822131220,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"38.229.70.53","src_port":51176,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"www.jmts2id.com","ja3":"581a3c7f54555512b8cd16e87dfe165b","ja3s":"e1691a31bfe345d2692da75636ddfb00","unsafe_cipher":0,"cipher":"TLS_DHE_RSA_WITH_AES_256_CBC_SHA","issuerDN":"CN=www.gg562izcxdvqdk.com","subjectDN":"CN=www.fcsyvnlemwxv5p.net","fingerprint":"C1:93:18:2C:A3:1D:AC:5F:C7:DE:17:8A:4E:B1:E8:13:BB:08:73:3A"}}
00353{"packet_event_id":1,"packet_event_name":"packet","thread_id":0,"packet_id":1919,"source":"tor.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":38,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"ts_msec":1383822132212,"pkt":"AYDCAAAA\/lQA2EYhACZCQgMAAAAAAIAAUlQAwqwfAAAAAIAAUlQAwqwfgAMAABQAAgAAAAAAAAAAAAAA"}
00144{"basic_event_id":5,"basic_event_name":"Unknown packet type","thread_id":0,"packet_id":1919,"source":"tor.pcap","alias":"nDPId-test","type":38}
00353{"packet_event_id":1,"packet_event_name":"packet","thread_id":0,"packet_id":1937,"source":"tor.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":38,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"ts_msec":1383822134212,"pkt":"AYDCAAAA\/lQA2EYhACZCQgMAAAAAAIAAUlQAwqwfAAAAAIAAUlQAwqwfgAMAABQAAgAAAAAAAAAAAAAA"}
@@ -260,7 +260,7 @@
00459{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2073,"source":"tor.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":2,"flow_last_seen":1383822190950,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1383822190950,"pkt":"UlQAWul3UlQA2EYhCABFAAA0AABAADEGvmc+0onmwKgB\/AG7x\/Gvhi1nKbA834ASOQidcgAAAgQFtAEBBAIBAwMH"}
00449{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2074,"source":"tor.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":3,"flow_last_seen":1383822190951,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"ts_msec":1383822190951,"pkt":"UlQA2EYhUlQAWul3CABFAAAoCOxAAIAGZofAqAH8PtKJ5sfxAbspsDzfr4YtaFAQAQAWTQAAAAAAAAAA"}
00824{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":2075,"source":"tor.pcap","alias":"nDPId-test","flow_id":11,"flow_packets_processed":4,"flow_first_seen":1383822190886,"flow_last_seen":1383822190951,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":218,"flow_tot_l4_payload_len":218,"flow_avg_l4_payload_len":54,"midstream":0,"ts_msec":1383822190951,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"62.210.137.230","src_port":51185,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"www.6gyip7tqim7sieb.com","ja3":"581a3c7f54555512b8cd16e87dfe165b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
-01026{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2077,"source":"tor.pcap","alias":"nDPId-test","flow_id":11,"flow_packets_processed":6,"flow_first_seen":1383822190886,"flow_last_seen":1383822191037,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":740,"flow_tot_l4_payload_len":958,"flow_avg_l4_payload_len":159,"midstream":0,"ts_msec":1383822191037,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"62.210.137.230","src_port":51185,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"www.6gyip7tqim7sieb.com","ja3":"581a3c7f54555512b8cd16e87dfe165b","ja3s":"184d532a16876b78846ae6a03f654890","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","issuerDN":"CN=www.a3uycdf3rn5md.com","issuerDN":"CN=www.l7xvysfnvkb.net","fingerprint":"EE:86:E7:21:36:93:23:30:DB:A0:09:48:55:16:CB:A8:E9:DA:01:D0"}}
+01027{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2077,"source":"tor.pcap","alias":"nDPId-test","flow_id":11,"flow_packets_processed":6,"flow_first_seen":1383822190886,"flow_last_seen":1383822191037,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":740,"flow_tot_l4_payload_len":958,"flow_avg_l4_payload_len":159,"midstream":0,"ts_msec":1383822191037,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"62.210.137.230","src_port":51185,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"www.6gyip7tqim7sieb.com","ja3":"581a3c7f54555512b8cd16e87dfe165b","ja3s":"184d532a16876b78846ae6a03f654890","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","issuerDN":"CN=www.a3uycdf3rn5md.com","subjectDN":"CN=www.l7xvysfnvkb.net","fingerprint":"EE:86:E7:21:36:93:23:30:DB:A0:09:48:55:16:CB:A8:E9:DA:01:D0"}}
00353{"packet_event_id":1,"packet_event_name":"packet","thread_id":0,"packet_id":2097,"source":"tor.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":38,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"ts_msec":1383822192212,"pkt":"AYDCAAAA\/lQA2EYhACZCQgMAAAAAAIAAUlQAwqwfAAAAAIAAUlQAwqwfgAMAABQAAgAAAAAAAAAAAAAA"}
00144{"basic_event_id":5,"basic_event_name":"Unknown packet type","thread_id":0,"packet_id":2097,"source":"tor.pcap","alias":"nDPId-test","type":38}
00353{"packet_event_id":1,"packet_event_name":"packet","thread_id":0,"packet_id":2107,"source":"tor.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":38,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"ts_msec":1383822194212,"pkt":"AYDCAAAA\/lQA2EYhACZCQgMAAAAAAIAAUlQAwqwfAAAAAIAAUlQAwqwfgAMAABQAAgAAAAAAAAAAAAAA"}
@@ -368,10 +368,10 @@
~~ total active/idle flows...: 12/12
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 2067737 bytes
-~~ total memory freed........: 2067737 bytes
-~~ total allocations/frees...: 39086/39086
+~~ total memory allocated....: 4725388 bytes
+~~ total memory freed........: 4725388 bytes
+~~ total allocations/frees...: 103282/103282
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 146 chars
-~~ json string max len.......: 1116 chars
+~~ json string max len.......: 1117 chars
~~ json string avg len.......: 631 chars
diff --git a/test/results/trickbot.pcap.out b/test/results/trickbot.pcap.out
index 0ee0dd6d1..8034a6bb8 100644
--- a/test/results/trickbot.pcap.out
+++ b/test/results/trickbot.pcap.out
@@ -15,9 +15,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1930446 bytes
-~~ total memory freed........: 1930446 bytes
-~~ total allocations/frees...: 35416/35416
+~~ total memory allocated....: 4592772 bytes
+~~ total memory freed........: 4592772 bytes
+~~ total allocations/frees...: 99613/99613
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 161 chars
~~ json string max len.......: 955 chars
diff --git a/test/results/tumblr.pcap.out b/test/results/tumblr.pcap.out
index 716f304bb..d18523986 100644
--- a/test/results/tumblr.pcap.out
+++ b/test/results/tumblr.pcap.out
@@ -48,11 +48,11 @@
00500{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":433,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":13,"flow_packet_id":1,"flow_last_seen":1605292105433,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605292105433,"pkt":"qtsDr8lk5EKm5WPyht1gCUBCACgGQCoBywEgSYsHmR3shSjf9ikgAUmYABQIAAAAAAAAABABuA4Bu2AkF5MAAAAAoAL9IMKvAAACBAWgBAIICr4D0hAAAAAAAQMDBw=="}
00502{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":434,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":12,"flow_packet_id":2,"flow_last_seen":1605292105447,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605292105447,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPQBk\/5sAAAAAAAAAAGAGB0kqAcsBIEmLB5kd7IUo3\/YpAbuY8Go+Ou0O5ht8oBJXgIDEAAACBAV4AQMDAwQCCArC3Z7YE2bkRg=="}
00488{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":435,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":12,"flow_packet_id":3,"flow_last_seen":1605292105447,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"ts_msec":1605292105447,"pkt":"qtsDr8lk5EKm5WPyht1gDBurACAGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAABgBgdJmPABuw7mG3xqPjrugBAB+wS5AAABAQgKE2bkY8Ldntg="}
-00886{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":436,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":12,"flow_packets_processed":4,"flow_first_seen":1605292105418,"flow_last_seen":1605292105448,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":620,"flow_tot_l4_payload_len":620,"flow_avg_l4_payload_len":155,"midstream":0,"ts_msec":1605292105448,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::6006:749","src_port":39152,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"sb.scorecardresearch.com","ja3":"44d502d471cfdb99c59bdfb0f220e5a8","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+00896{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":436,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":12,"flow_packets_processed":4,"flow_first_seen":1605292105418,"flow_last_seen":1605292105448,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":620,"flow_tot_l4_payload_len":620,"flow_avg_l4_payload_len":155,"midstream":0,"ts_msec":1605292105448,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::6006:749","src_port":39152,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Advertisement"},"tls": {"version":"TLSv1.2","client_requested_server_name":"sb.scorecardresearch.com","ja3":"44d502d471cfdb99c59bdfb0f220e5a8","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00501{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":437,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":13,"flow_packet_id":2,"flow_last_seen":1605292105459,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605292105459,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPSABSZgAFAgAAAAAAAAAEAEqAcsBIEmLB5kd7IUo3\/YpAbu4DgNW0a1gJBeUoBJXgDGmAAACBAV4AQMDAwQCCArC3Z7jvgPSEA=="}
00488{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":438,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":13,"flow_packet_id":3,"flow_last_seen":1605292105459,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"ts_msec":1605292105459,"pkt":"qtsDr8lk5EKm5WPyht1gCUBCACAGQCoBywEgSYsHmR3shSjf9ikgAUmYABQIAAAAAAAAABABuA4Bu2AkF5QDVtGugBAB+7WdAAABAQgKvgPSKsLdnuM="}
00894{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":439,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":13,"flow_packets_processed":4,"flow_first_seen":1605292105433,"flow_last_seen":1605292105459,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1605292105459,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2001:4998:14:800::1001","src_port":47118,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Yahoo","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"cookiex.ngd.yahoo.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-00925{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":442,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":12,"flow_packets_processed":6,"flow_first_seen":1605292105418,"flow_last_seen":1605292105494,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":620,"flow_tot_l4_payload_len":890,"flow_avg_l4_payload_len":148,"midstream":0,"ts_msec":1605292105494,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::6006:749","src_port":39152,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"sb.scorecardresearch.com","ja3":"44d502d471cfdb99c59bdfb0f220e5a8","ja3s":"2253c82f03b621c5144709b393fde2c9","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+00935{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":442,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":12,"flow_packets_processed":6,"flow_first_seen":1605292105418,"flow_last_seen":1605292105494,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":620,"flow_tot_l4_payload_len":890,"flow_avg_l4_payload_len":148,"midstream":0,"ts_msec":1605292105494,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::6006:749","src_port":39152,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Advertisement"},"tls": {"version":"TLSv1.3","client_requested_server_name":"sb.scorecardresearch.com","ja3":"44d502d471cfdb99c59bdfb0f220e5a8","ja3s":"2253c82f03b621c5144709b393fde2c9","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00590{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":454,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":1,"flow_first_seen":1605292105669,"flow_last_seen":1605292105669,"flow_idle_time":7440000,"flow_min_l4_payload_len":120,"flow_max_l4_payload_len":120,"flow_tot_l4_payload_len":120,"flow_avg_l4_payload_len":120,"midstream":1,"ts_msec":1605292105669,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::c000:4d03","src_port":56794,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00655{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":454,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":14,"flow_packet_id":1,"flow_last_seen":1605292105669,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":206,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":206,"pkt_l4_len":152,"ts_msec":1605292105669,"pkt":"qtsDr8lk5EKm5WPyht1gCP\/sAJgGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAADAAE0D3doBu3fKOk4W2C\/9gBhA0URlAAABAQgKBcmbq8LdLRcXAwMAcysuUqnNdP5CtlTC2pWvfZyUMV8UFocs8M6W09NnsspPibPhqobMFIm1f0B4kk13U59rzTyXjGQM3JpbSJkQg4GGmBSNMo7KgMloXnt3GygjcT75OOC0YPo3\/MFdKUwkpDu47ubalsF7IwgRDAn\/l0DFoLo="}
00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":455,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":14,"flow_packet_id":2,"flow_last_seen":1605292105669,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":125,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":125,"pkt_l4_len":71,"ts_msec":1605292105669,"pkt":"qtsDr8lk5EKm5WPyht1gCP\/sAEcGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAADAAE0D3doBu3fKOsYW2C\/9gBhA0ehRAAABAQgKBcmbrMLdLRcXAwMAIgQb59HIMHYAgoaCAJqbMMjq72ntBt\/\/eGErLyXH34Iczsk="}
@@ -154,7 +154,7 @@
00590{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":23420,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":42,"flow_packets_processed":1,"flow_first_seen":1605292121674,"flow_last_seen":1605292121674,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1605292121674,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:817::200a","src_port":55560,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00491{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":23420,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":42,"flow_packet_id":1,"flow_last_seen":1605292121674,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"ts_msec":1605292121674,"pkt":"qtsDr8lk5EKm5WPyht1gDKQRACAGQCoBywEgSYsHmR3shSjf9ikqABRQQAcIFwAAAAAAACAK2QgBu\/13v36ZlfzugBAB9Zh5AAABAQgKG7m2dMLdLYw="}
00963{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":23421,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":41,"flow_packets_processed":6,"flow_first_seen":1605292121486,"flow_last_seen":1605292121697,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1400,"flow_tot_l4_payload_len":1917,"flow_avg_l4_payload_len":319,"midstream":0,"ts_msec":1605292121697,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::4a72:9a16","src_port":43328,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Tumblr","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"catasters.tumblr.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"738f0c3c6e00286f3afac626676d352d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-01232{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":23427,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":41,"flow_packets_processed":12,"flow_first_seen":1605292121486,"flow_last_seen":1605292121698,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1400,"flow_tot_l4_payload_len":5614,"flow_avg_l4_payload_len":467,"midstream":0,"ts_msec":1605292121698,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::4a72:9a16","src_port":43328,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Tumblr","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"catasters.tumblr.com","server_names":"*.tumblr.com,tumblr.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"738f0c3c6e00286f3afac626676d352d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256","issuerDN":"C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA","issuerDN":"CN=*.tumblr.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"14:78:BA:5B:B5:54:5D:A1:2C:D2:79:4C:42:99:BB:3A:A9:DB:86:C2"}}
+01233{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":23427,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":41,"flow_packets_processed":12,"flow_first_seen":1605292121486,"flow_last_seen":1605292121698,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1400,"flow_tot_l4_payload_len":5614,"flow_avg_l4_payload_len":467,"midstream":0,"ts_msec":1605292121698,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::4a72:9a16","src_port":43328,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Tumblr","breed":"Fun","category":"SocialNetwork"},"tls": {"version":"TLSv1.2","client_requested_server_name":"catasters.tumblr.com","server_names":"*.tumblr.com,tumblr.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"738f0c3c6e00286f3afac626676d352d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256","issuerDN":"C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA","subjectDN":"CN=*.tumblr.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"14:78:BA:5B:B5:54:5D:A1:2C:D2:79:4C:42:99:BB:3A:A9:DB:86:C2"}}
00493{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":23429,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":42,"flow_packet_id":2,"flow_last_seen":1605292121698,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"ts_msec":1605292121698,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACAGPSoAFFBABwgXAAAAAAAAIAoqAcsBIEmLB5kd7IUo3\/YpAbvZCJmV\/O79d79\/gBALlo7gAAABAQgKwt3eUxu5BaQ="}
00590{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":23631,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":43,"flow_packets_processed":1,"flow_first_seen":1605292122064,"flow_last_seen":1605292122064,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1605292122064,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:809::200e","src_port":49548,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00502{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":23631,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":43,"flow_packet_id":1,"flow_last_seen":1605292122064,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605292122064,"pkt":"qtsDr8lk5EKm5WPyht1gAy+bACgGQCoBywEgSYsHmR3shSjf9ikqABRQQAcICQAAAAAAACAOwYwBu0AeaGkAAAAAoAL9IOE8AAACBAWgBAIICthbOh0AAAAAAQMDBw=="}
@@ -162,13 +162,13 @@
00552{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":23634,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_last_seen":1605292122076,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":132,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":132,"pkt_l4_len":78,"ts_msec":1605292122076,"pkt":"qtsDr8lk5EKm5WPyht1gD4BTAE4GQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAACXZXidvHABuwi2QjVsejoTgBgk6YPXAAABAQgKJEeQFMLc4vQXAwMAKQAAAAAAAAAQ4G\/3mQ3kGgQra1eBqPYCTvM1QPmaUoG2gBnwdZPdmFLU"}
00505{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":23650,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":43,"flow_packet_id":2,"flow_last_seen":1605292122094,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605292122094,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPSoAFFBABwgJAAAAAAAAIA4qAcsBIEmLB5kd7IUo3\/YpAbvBjCTTL5FAHmhqoBJXgI\/cAAACBAV4AQMDAwQCCArC3d\/Z2Fs6HQ=="}
00490{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":23654,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":43,"flow_packet_id":3,"flow_last_seen":1605292122094,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"ts_msec":1605292122094,"pkt":"qtsDr8lk5EKm5WPyht1gAy+bACAGQCoBywEgSYsHmR3shSjf9ikqABRQQAcICQAAAAAAACAOwYwBu0AeaGok0y+SgBAB+xPQAAABAQgK2Fs6O8Ld39k="}
-00901{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":23657,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":43,"flow_packets_processed":4,"flow_first_seen":1605292122064,"flow_last_seen":1605292122094,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1605292122094,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:809::200e","src_port":49548,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"apis.google.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+00899{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":23657,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":43,"flow_packets_processed":4,"flow_first_seen":1605292122064,"flow_last_seen":1605292122094,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1605292122094,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:809::200e","src_port":49548,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"apis.google.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00590{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":23664,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":44,"flow_packets_processed":1,"flow_first_seen":1605292122095,"flow_last_seen":1605292122095,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1605292122095,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80b::200a","src_port":38608,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00502{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":23664,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":44,"flow_packet_id":1,"flow_last_seen":1605292122095,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605292122095,"pkt":"qtsDr8lk5EKm5WPyht1gD2uVACgGQCoBywEgSYsHmR3shSjf9ikqABRQQAcICwAAAAAAACAKltABu4i5CzgAAAAAoAL9IPiAAAACBAWgBAIIChLBJ8gAAAAAAQMDBw=="}
00504{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":24118,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":44,"flow_packet_id":2,"flow_last_seen":1605292122163,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605292122163,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPSoAFFBABwgLAAAAAAAAIAoqAcsBIEmLB5kd7IUo3\/YpAbuW0O3zbp+IuQs5oBJXgJ7NAAACBAV4AQMDAwQCCArC3d\/9EsEnyA=="}
00491{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":24126,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":44,"flow_packet_id":3,"flow_last_seen":1605292122163,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"ts_msec":1605292122163,"pkt":"qtsDr8lk5EKm5WPyht1gD2uVACAGQCoBywEgSYsHmR3shSjf9ikqABRQQAcICwAAAAAAACAKltABu4i5Cznt826ggBAB+yKbAAABAQgKEsEoDMLd3\/0="}
00911{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":24188,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":44,"flow_packets_processed":4,"flow_first_seen":1605292122095,"flow_last_seen":1605292122163,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1605292122163,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80b::200a","src_port":38608,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.GoogleServices","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"ajax.googleapis.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
-00942{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":24239,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":43,"flow_packets_processed":6,"flow_first_seen":1605292122064,"flow_last_seen":1605292122177,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1208,"flow_tot_l4_payload_len":1725,"flow_avg_l4_payload_len":287,"midstream":0,"ts_msec":1605292122177,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:809::200e","src_port":49548,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"apis.google.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+00940{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":24239,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":43,"flow_packets_processed":6,"flow_first_seen":1605292122064,"flow_last_seen":1605292122177,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1208,"flow_tot_l4_payload_len":1725,"flow_avg_l4_payload_len":287,"midstream":0,"ts_msec":1605292122177,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:809::200e","src_port":49548,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"apis.google.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00616{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":24374,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":255,"flow_first_seen":1605292105170,"flow_last_seen":1605292122188,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1400,"flow_tot_l4_payload_len":154140,"flow_avg_l4_payload_len":604,"midstream":1,"ts_msec":1605292122188,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::c000:4d28","src_port":43420,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"}}
00617{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":24374,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":255,"flow_first_seen":1605292105170,"flow_last_seen":1605292122188,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1400,"flow_tot_l4_payload_len":154140,"flow_avg_l4_payload_len":604,"midstream":1,"ts_msec":1605292122188,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::c000:4d28","src_port":43420,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"}}
00952{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":24429,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":44,"flow_packets_processed":6,"flow_first_seen":1605292122095,"flow_last_seen":1605292122212,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1208,"flow_tot_l4_payload_len":1725,"flow_avg_l4_payload_len":287,"midstream":0,"ts_msec":1605292122212,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80b::200a","src_port":38608,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.GoogleServices","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"ajax.googleapis.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
@@ -178,11 +178,11 @@
00502{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":24688,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":45,"flow_packet_id":1,"flow_last_seen":1605292122674,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605292122674,"pkt":"qtsDr8lk5EKm5WPyht1gD3A1ACgGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAABgBgdJmPwBuzwV9u8AAAAAoAL9IJXTAAACBAWgBAIIChNnJ60AAAAAAQMDBw=="}
00505{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":24691,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":45,"flow_packet_id":2,"flow_last_seen":1605292122697,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"ts_msec":1605292122697,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPQBk\/5sAAAAAAAAAAGAGB0kqAcsBIEmLB5kd7IUo3\/YpAbuY\/FghbGM8FfbwoBJXgNHxAAACBAV4AQMDAwQCCArC3eI6E2cnrQ=="}
00490{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":24692,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":45,"flow_packet_id":3,"flow_last_seen":1605292122698,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"ts_msec":1605292122698,"pkt":"qtsDr8lk5EKm5WPyht1gD3A1ACAGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAABgBgdJmPwBuzwV9vBYIWxkgBAB+1XrAAABAQgKE2cnxcLd4jo="}
-00888{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":24693,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":45,"flow_packets_processed":4,"flow_first_seen":1605292122674,"flow_last_seen":1605292122698,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":620,"flow_tot_l4_payload_len":620,"flow_avg_l4_payload_len":155,"midstream":0,"ts_msec":1605292122698,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::6006:749","src_port":39164,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"sb.scorecardresearch.com","ja3":"44d502d471cfdb99c59bdfb0f220e5a8","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+00898{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":24693,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":45,"flow_packets_processed":4,"flow_first_seen":1605292122674,"flow_last_seen":1605292122698,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":620,"flow_tot_l4_payload_len":620,"flow_avg_l4_payload_len":155,"midstream":0,"ts_msec":1605292122698,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::6006:749","src_port":39164,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Advertisement"},"tls": {"version":"TLSv1.2","client_requested_server_name":"sb.scorecardresearch.com","ja3":"44d502d471cfdb99c59bdfb0f220e5a8","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00584{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":24694,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":46,"flow_packets_processed":1,"flow_first_seen":1605292122698,"flow_last_seen":1605292122698,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1605292122698,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::4a72:9a15","src_port":42674,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00490{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":24694,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":46,"flow_packet_id":1,"flow_last_seen":1605292122698,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"ts_msec":1605292122698,"pkt":"qtsDr8lk5EKm5WPyht1gCuvGACAGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAABKcpoVprIBu3ASIMYXhL6qgBAB9S93AAABAQgKNSTnjcLdLMU="}
00492{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":24706,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":46,"flow_packet_id":2,"flow_last_seen":1605292122741,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"ts_msec":1605292122741,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACAGPQBk\/5sAAAAAAAAAAEpymhUqAcsBIEmLB5kd7IUo3\/YpAbumsheEvqpwEiDHgBALdyXtAAABAQgKwt3iZjUkMfM="}
-00927{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":24707,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":45,"flow_packets_processed":6,"flow_first_seen":1605292122674,"flow_last_seen":1605292122755,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":620,"flow_tot_l4_payload_len":890,"flow_avg_l4_payload_len":148,"midstream":0,"ts_msec":1605292122755,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::6006:749","src_port":39164,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.3","client_requested_server_name":"sb.scorecardresearch.com","ja3":"44d502d471cfdb99c59bdfb0f220e5a8","ja3s":"2253c82f03b621c5144709b393fde2c9","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+00937{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":24707,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":45,"flow_packets_processed":6,"flow_first_seen":1605292122674,"flow_last_seen":1605292122755,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":620,"flow_tot_l4_payload_len":890,"flow_avg_l4_payload_len":148,"midstream":0,"ts_msec":1605292122755,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::6006:749","src_port":39164,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Advertisement"},"tls": {"version":"TLSv1.3","client_requested_server_name":"sb.scorecardresearch.com","ja3":"44d502d471cfdb99c59bdfb0f220e5a8","ja3s":"2253c82f03b621c5144709b393fde2c9","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
00590{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":24733,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":47,"flow_packets_processed":1,"flow_first_seen":1605292122874,"flow_last_seen":1605292122874,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1605292122874,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80a::200a","src_port":40190,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00491{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":24733,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":47,"flow_packet_id":1,"flow_last_seen":1605292122874,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"ts_msec":1605292122874,"pkt":"qtsDr8lk5EKm5WPyht1gDJQ7ACAGQCoBywEgSYsHmR3shSjf9ikqABRQQAcICgAAAAAAACAKnP4Bu4CgSN\/gvLosgBAB9qrlAAABAQgK1OQQnsLdMvM="}
00492{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":24745,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":47,"flow_packet_id":2,"flow_last_seen":1605292122899,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"ts_msec":1605292122899,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACAGPSoAFFBABwgKAAAAAAAAIAoqAcsBIEmLB5kd7IUo3\/YpAbuc\/uC8uiyAoEjggBALQrp6AAABAQgKwt3jAtThR68="}
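Review bot: The regenerated `detected` event for flow 45 still pins `"cipher":"TLS_NULL_WITH_NULL_NULL"` together with `"ja3s":""` and `"unsafe_cipher":0`, while the `detection-update` for the same flow reports `TLS_AES_256_GCM_SHA384`. The first value looks like an unset field printed before the server's reply was parsed, not a negotiated null cipher, and a consumer that keys on the cipher name rather than on `unsafe_cipher` could misread it. The same pattern is in the viber.pcap.out hunk at `@@ -22,14 +22,14 @@` for flows 5 and 6. Because these files are the baseline the tests compare against, the expectation locks that output in; consider leaving `cipher` out of the event while `ja3s` is empty, which would need a change in the emitter outside this hunk.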
@@ -276,9 +276,9 @@
~~ total active/idle flows...: 47/47
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 3208617 bytes
-~~ total memory freed........: 3208617 bytes
-~~ total allocations/frees...: 60327/60327
+~~ total memory allocated....: 5851428 bytes
+~~ total memory freed........: 5851428 bytes
+~~ total allocations/frees...: 124523/124523
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 164 chars
~~ json string max len.......: 1388 chars
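Review bot: The allocation counter in this summary grows by exactly 64196 (60327 to 124523), and by the same 64196 in the ubntac2.pcap.out and upnp.pcap.out hunks, with roughly 2.6 MB more allocated in each, although the captures hold 47, 8 and 2 flows. That points to a fixed start-up cost, presumably from the updated libnDPI submodule, rather than per-flow growth. The commit description should say so, for example `libnDPI update adds 64196 start-up allocations (~2.6 MB)`, so that anyone sizing memory limits for the daemon sees the new baseline. Pinning exact byte totals in the expected output also means every library bump rewrites all result files; checking only that allocated equals freed would keep the leak check without that churn.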
diff --git a/test/results/ubntac2.pcap.out b/test/results/ubntac2.pcap.out
index b17a8fa4f..b8268f837 100644
--- a/test/results/ubntac2.pcap.out
+++ b/test/results/ubntac2.pcap.out
@@ -40,9 +40,9 @@
~~ total active/idle flows...: 8/8
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1939668 bytes
-~~ total memory freed........: 1939668 bytes
-~~ total allocations/frees...: 35367/35367
+~~ total memory allocated....: 4599015 bytes
+~~ total memory freed........: 4599015 bytes
+~~ total allocations/frees...: 99563/99563
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 160 chars
~~ json string max len.......: 682 chars
diff --git a/test/results/upnp.pcap.out b/test/results/upnp.pcap.out
index 7e5c4924d..382ab50d3 100644
--- a/test/results/upnp.pcap.out
+++ b/test/results/upnp.pcap.out
@@ -20,9 +20,9 @@
~~ total active/idle flows...: 2/2
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1930146 bytes
-~~ total memory freed........: 1930146 bytes
-~~ total allocations/frees...: 35355/35355
+~~ total memory allocated....: 4592037 bytes
+~~ total memory freed........: 4592037 bytes
+~~ total allocations/frees...: 99551/99551
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 158 chars
~~ json string max len.......: 1336 chars
diff --git a/test/results/viber.pcap.out b/test/results/viber.pcap.out
index 50a0f03a6..dc730a0bf 100644
--- a/test/results/viber.pcap.out
+++ b/test/results/viber.pcap.out
@@ -10,9 +10,9 @@
00455{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":5,"source":"viber.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_last_seen":1527155638524,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1527155638524,"pkt":"MAdNo1+nAA6OMNv9CABFAAA0M+hAACYGLr00AP1lwKgAERCUgbhNDRRo2B+UZYAQAIxrZwAAAQEICveUYGsAIWBC"}
00548{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":13,"source":"viber.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":1,"flow_first_seen":1527155639005,"flow_last_seen":1527155639005,"flow_idle_time":180000,"flow_min_l4_payload_len":32,"flow_max_l4_payload_len":32,"flow_tot_l4_payload_len":32,"flow_avg_l4_payload_len":32,"midstream":0,"ts_msec":1527155639005,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"192.168.0.15","src_port":35283,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00467{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":13,"source":"viber.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_last_seen":1527155639005,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1527155639005,"pkt":"AA6OMNv9MAdNo1+nCABFAAA8HWBAAEARm+DAqAARwKgAD4nTADUAKI8By5wBAAABAAAAAAAAA2FwcAZhZGp1c3QDY29tAAABAAE="}
-00710{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":13,"source":"viber.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":1,"flow_first_seen":1527155639005,"flow_last_seen":1527155639005,"flow_idle_time":180000,"flow_min_l4_payload_len":32,"flow_max_l4_payload_len":32,"flow_tot_l4_payload_len":32,"flow_avg_l4_payload_len":32,"midstream":0,"ts_msec":1527155639005,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"192.168.0.15","src_port":35283,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS","breed":"Acceptable","category":"Network"},"dns": {"query":"app.adjust.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
+00716{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":13,"source":"viber.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":1,"flow_first_seen":1527155639005,"flow_last_seen":1527155639005,"flow_idle_time":180000,"flow_min_l4_payload_len":32,"flow_max_l4_payload_len":32,"flow_tot_l4_payload_len":32,"flow_avg_l4_payload_len":32,"midstream":0,"ts_msec":1527155639005,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"192.168.0.15","src_port":35283,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS","breed":"Acceptable","category":"Advertisement"},"dns": {"query":"app.adjust.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
00774{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":14,"source":"viber.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_last_seen":1527155639008,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":303,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":303,"pkt_l4_len":269,"ts_msec":1527155639008,"pkt":"MAdNo1+nAA6OMNv9CABFAAEhW4BAAEARXNvAqAAPwKgAEQA1idMBDcumy5yBgAABAAQABAAEA2FwcAZhZGp1c3QDY29tAAABAAHADAABAAEAAAHMAASyots6wAwAAQABAAABzAAEsqLbmcAMAAEAAQAAAcwABLKi2LPADAABAAEAAAHMAAS5l8wIwBAAAgABAAKIXQATBG5zMDEGYWRqdXN0BXdvcmtzAMAQAAIAAQACiF0AFARkbnMxA3AwOQVuc29uZQNuZXQAwBAAAgABAAKIXQAHBGRuczLAkMAQAAIAAQACiF0ABwRuczAywHHAiwABAAEAAWUPAATGMywJwKsAAQABAAFlDwAExjMtCcBsAAEAAQAAMG8ABC02EQHAvgABAAEAADBvAAQtNhFB"}
-00729{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":14,"source":"viber.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":2,"flow_first_seen":1527155639005,"flow_last_seen":1527155639008,"flow_idle_time":180000,"flow_min_l4_payload_len":32,"flow_max_l4_payload_len":261,"flow_tot_l4_payload_len":293,"flow_avg_l4_payload_len":146,"midstream":0,"ts_msec":1527155639008,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"192.168.0.15","src_port":35283,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS","breed":"Acceptable","category":"Network"},"dns": {"query":"app.adjust.com","num_queries":1,"num_answers":12,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"178.162.219.58"}}
+00735{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":14,"source":"viber.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":2,"flow_first_seen":1527155639005,"flow_last_seen":1527155639008,"flow_idle_time":180000,"flow_min_l4_payload_len":32,"flow_max_l4_payload_len":261,"flow_tot_l4_payload_len":293,"flow_avg_l4_payload_len":146,"midstream":0,"ts_msec":1527155639008,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"192.168.0.15","src_port":35283,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS","breed":"Acceptable","category":"Advertisement"},"dns": {"query":"app.adjust.com","num_queries":1,"num_answers":12,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"178.162.219.58"}}
00548{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":15,"source":"viber.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":1,"flow_first_seen":1527155639234,"flow_last_seen":1527155639234,"flow_idle_time":180000,"flow_min_l4_payload_len":36,"flow_max_l4_payload_len":36,"flow_tot_l4_payload_len":36,"flow_avg_l4_payload_len":36,"midstream":0,"ts_msec":1527155639234,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"192.168.0.15","src_port":62872,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00473{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":15,"source":"viber.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":1,"flow_last_seen":1527155639234,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"ts_msec":1527155639234,"pkt":"AA6OMNv9MAdNo1+nCABFAABAHWRAAEARm9jAqAARwKgAD\/WYADUALODJ\/WMBAAABAAAAAAAABG1hcGkJYXBwdGltaXplA2NvbQAAAQAB"}
00714{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":15,"source":"viber.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":1,"flow_first_seen":1527155639234,"flow_last_seen":1527155639234,"flow_idle_time":180000,"flow_min_l4_payload_len":36,"flow_max_l4_payload_len":36,"flow_tot_l4_payload_len":36,"flow_avg_l4_payload_len":36,"midstream":0,"ts_msec":1527155639234,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"192.168.0.15","src_port":62872,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS","breed":"Acceptable","category":"Network"},"dns": {"query":"mapi.apptimize.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
@@ -22,14 +22,14 @@
00470{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":17,"source":"viber.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_last_seen":1527155639240,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1527155639240,"pkt":"AA6OMNv9MAdNo1+nCABFAAA8C6FAAEAGkTrAqAARNkWm4pB6Abv8W2quAAAAAKAC\/\/9PrwAAAgQFtAQCCAoAIWEPAAAAAAEDAwc="}
00469{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":18,"source":"viber.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":2,"flow_last_seen":1527155639414,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1527155639414,"pkt":"MAdNo1+nAA6OMNv9CABFAAA8AABAAOYG9to2RabiwKgAEQG7kHpPMSQJ\/Ftqr6ASaN+BOQAAAgQFtAQCCApMsKWZACFhDwEDAwg="}
00456{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":19,"source":"viber.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":3,"flow_last_seen":1527155639417,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1527155639417,"pkt":"AA6OMNv9MAdNo1+nCABFAAA0C6JAAEAGkUHAqAARNkWm4pB6Abv8W2qvTzEkCoAQAq0WDQAAAQEICgAhYTtMsKWZ"}
-00791{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":20,"source":"viber.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":4,"flow_first_seen":1527155639240,"flow_last_seen":1527155639419,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":180,"flow_tot_l4_payload_len":180,"flow_avg_l4_payload_len":45,"midstream":0,"ts_msec":1527155639419,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"54.69.166.226","src_port":36986,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mapi.apptimize.com","ja3":"d8c87b9bfde38897979e41242626c2f3","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"http\/1.1"}}
-00848{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":22,"source":"viber.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":6,"flow_first_seen":1527155639240,"flow_last_seen":1527155639594,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":1628,"flow_avg_l4_payload_len":271,"midstream":0,"ts_msec":1527155639594,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"54.69.166.226","src_port":36986,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mapi.apptimize.com","ja3":"d8c87b9bfde38897979e41242626c2f3","ja3s":"8d2a028aa94425f76ced7826b1f39039","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"http\/1.1"}}
-01204{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":25,"source":"viber.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":9,"flow_first_seen":1527155639240,"flow_last_seen":1527155639594,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":5053,"flow_avg_l4_payload_len":561,"midstream":0,"ts_msec":1527155639594,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"54.69.166.226","src_port":36986,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mapi.apptimize.com","server_names":"*.apptimize.com,apptimize.com","ja3":"d8c87b9bfde38897979e41242626c2f3","ja3s":"8d2a028aa94425f76ced7826b1f39039","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Organization Validation Secure Server CA","issuerDN":"C=US, ST=CA, L=Mountain View, O=Apptimize, Inc, OU=PremiumSSL Wildcard, CN=*.apptimize.com","alpn":"http\/1.1","fingerprint":"BC:4C:8F:EC:8B:7B:85:BD:54:61:8B:C0:7B:E7:A2:69:0B:F2:49:E5"}}
+00796{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":20,"source":"viber.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":4,"flow_first_seen":1527155639240,"flow_last_seen":1527155639419,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":180,"flow_tot_l4_payload_len":180,"flow_avg_l4_payload_len":45,"midstream":0,"ts_msec":1527155639419,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"54.69.166.226","src_port":36986,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mapi.apptimize.com","ja3":"d8c87b9bfde38897979e41242626c2f3","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"http\/1.1"}}
+00853{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":22,"source":"viber.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":6,"flow_first_seen":1527155639240,"flow_last_seen":1527155639594,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":1628,"flow_avg_l4_payload_len":271,"midstream":0,"ts_msec":1527155639594,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"54.69.166.226","src_port":36986,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mapi.apptimize.com","ja3":"d8c87b9bfde38897979e41242626c2f3","ja3s":"8d2a028aa94425f76ced7826b1f39039","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"http\/1.1"}}
+01210{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":25,"source":"viber.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":9,"flow_first_seen":1527155639240,"flow_last_seen":1527155639594,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":5053,"flow_avg_l4_payload_len":561,"midstream":0,"ts_msec":1527155639594,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"54.69.166.226","src_port":36986,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mapi.apptimize.com","server_names":"*.apptimize.com,apptimize.com","ja3":"d8c87b9bfde38897979e41242626c2f3","ja3s":"8d2a028aa94425f76ced7826b1f39039","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Organization Validation Secure Server CA","subjectDN":"C=US, ST=CA, L=Mountain View, O=Apptimize, Inc, OU=PremiumSSL Wildcard, CN=*.apptimize.com","alpn":"http\/1.1","fingerprint":"BC:4C:8F:EC:8B:7B:85:BD:54:61:8B:C0:7B:E7:A2:69:0B:F2:49:E5"}}
00547{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":38,"source":"viber.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":1,"flow_first_seen":1527155640085,"flow_last_seen":1527155640085,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1527155640085,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"54.69.166.226","src_port":36988,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00470{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":38,"source":"viber.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":1,"flow_last_seen":1527155640085,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1527155640085,"pkt":"AA6OMNv9MAdNo1+nCABFAAA8sZJAAEAG60jAqAARNkWm4pB8Abt0c9BwAAAAAKAC\/\/9xAAAAAgQFtAQCCAoAIWHiAAAAAAEDAwc="}
00469{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":40,"source":"viber.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":2,"flow_last_seen":1527155640261,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1527155640261,"pkt":"MAdNo1+nAA6OMNv9CABFAAA8AABAAOYG9to2RabiwKgAEQG7kHz0FjHkdHPQcaASaN\/u9gAAAgQFtAQCCApMsKZsACFh4gEDAwg="}
00457{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":41,"source":"viber.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":3,"flow_last_seen":1527155640264,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1527155640264,"pkt":"AA6OMNv9MAdNo1+nCABFAAA0sZNAAEAG60\/AqAARNkWm4pB8Abt0c9Bx9BYx5YAQAq2DyQAAAQEICgAhYg9MsKZs"}
-00791{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":42,"source":"viber.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":4,"flow_first_seen":1527155640085,"flow_last_seen":1527155640275,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":180,"flow_tot_l4_payload_len":180,"flow_avg_l4_payload_len":45,"midstream":0,"ts_msec":1527155640275,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"54.69.166.226","src_port":36988,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mapi.apptimize.com","ja3":"d8c87b9bfde38897979e41242626c2f3","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"http\/1.1"}}
+00796{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":42,"source":"viber.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":4,"flow_first_seen":1527155640085,"flow_last_seen":1527155640275,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":180,"flow_tot_l4_payload_len":180,"flow_avg_l4_payload_len":45,"midstream":0,"ts_msec":1527155640275,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"54.69.166.226","src_port":36988,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mapi.apptimize.com","ja3":"d8c87b9bfde38897979e41242626c2f3","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"http\/1.1"}}
00548{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":61,"source":"viber.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":1,"flow_first_seen":1527155641574,"flow_last_seen":1527155641574,"flow_idle_time":180000,"flow_min_l4_payload_len":37,"flow_max_l4_payload_len":37,"flow_tot_l4_payload_len":37,"flow_avg_l4_payload_len":37,"midstream":0,"ts_msec":1527155641574,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"192.168.0.15","src_port":37418,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00475{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":61,"source":"viber.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":1,"flow_last_seen":1527155641574,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":79,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":79,"pkt_l4_len":45,"ts_msec":1527155641574,"pkt":"AA6OMNv9MAdNo1+nCABFAABBH3ZAAEARmcXAqAARwKgAD5IqADUALZxVyU0BAAABAAAAAAAABW1lZGlhA2NkbgV2aWJlcgNjb20AAAEAAQ=="}
00718{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":61,"source":"viber.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":1,"flow_first_seen":1527155641574,"flow_last_seen":1527155641574,"flow_idle_time":180000,"flow_min_l4_payload_len":37,"flow_max_l4_payload_len":37,"flow_tot_l4_payload_len":37,"flow_avg_l4_payload_len":37,"midstream":0,"ts_msec":1527155641574,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"192.168.0.15","src_port":37418,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Viber","breed":"Acceptable","category":"Chat"},"dns": {"query":"media.cdn.viber.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
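Review bot: The old baseline for flow 5 carried two `"issuerDN"` keys in one `tls` object and was accepted as the expected result, so nothing in the test run appears to reject duplicate JSON keys. The new line uses `"subjectDN"` for the second value, but the check that would have caught the mistake is still missing as far as this hunk shows. Most JSON parsers keep only the last duplicate, so schema validation alone will not flag it; the result comparison should parse each event with duplicate-key detection enabled and fail on a repeat. Separately, the label change from `TLS.Amazon` to `TLS.AmazonAWS` (category `Web` to `Cloud`) deserves a line in the commit description, since downstream filters that match the literal `proto` string will stop matching.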
@@ -41,7 +41,7 @@
00456{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":65,"source":"viber.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":3,"flow_last_seen":1527155641716,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1527155641716,"pkt":"AA6OMNv9MAdNo1+nCABFAAA025JAAEAGCjLAqAARNuZdYOCwAbu7GrjlFg8sv4AQAq0zmAAAAQEICgAhY3p+anA4"}
00794{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":66,"source":"viber.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":4,"flow_first_seen":1527155641697,"flow_last_seen":1527155641717,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":184,"flow_tot_l4_payload_len":184,"flow_avg_l4_payload_len":46,"midstream":0,"ts_msec":1527155641717,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"54.230.93.96","src_port":57520,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Viber","breed":"Acceptable","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"media.cdn.viber.com","ja3":"d8c87b9bfde38897979e41242626c2f3","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
00851{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":68,"source":"viber.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":6,"flow_first_seen":1527155641697,"flow_last_seen":1527155641736,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":1632,"flow_avg_l4_payload_len":272,"midstream":0,"ts_msec":1527155641736,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"54.230.93.96","src_port":57520,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Viber","breed":"Acceptable","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"media.cdn.viber.com","ja3":"d8c87b9bfde38897979e41242626c2f3","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
-01111{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":70,"source":"viber.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":8,"flow_first_seen":1527155641697,"flow_last_seen":1527155641736,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":4528,"flow_avg_l4_payload_len":566,"midstream":0,"ts_msec":1527155641736,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"54.230.93.96","src_port":57520,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Viber","breed":"Acceptable","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"media.cdn.viber.com","server_names":"*.cdn.viber.com","ja3":"d8c87b9bfde38897979e41242626c2f3","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=thawte, Inc., CN=thawte SSL CA - G2","issuerDN":"C=LU, ST=Luxembourg, L=Luxembourg, O=Viber Media Sarl, OU=IT, CN=*.cdn.viber.com","alpn":"h2,http\/1.1","fingerprint":"B6:30:6F:02:75:A8:08:0A:AE:AA:9C:6C:9F:B5:8E:4C:82:02:3D:39"}}
+01112{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":70,"source":"viber.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":8,"flow_first_seen":1527155641697,"flow_last_seen":1527155641736,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":4528,"flow_avg_l4_payload_len":566,"midstream":0,"ts_msec":1527155641736,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"54.230.93.96","src_port":57520,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Viber","breed":"Acceptable","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"media.cdn.viber.com","server_names":"*.cdn.viber.com","ja3":"d8c87b9bfde38897979e41242626c2f3","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=thawte, Inc., CN=thawte SSL CA - G2","subjectDN":"C=LU, ST=Luxembourg, L=Luxembourg, O=Viber Media Sarl, OU=IT, CN=*.cdn.viber.com","alpn":"h2,http\/1.1","fingerprint":"B6:30:6F:02:75:A8:08:0A:AE:AA:9C:6C:9F:B5:8E:4C:82:02:3D:39"}}
00548{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":82,"source":"viber.pcap","alias":"nDPId-test","flow_id":9,"flow_packets_processed":1,"flow_first_seen":1527155641813,"flow_last_seen":1527155641813,"flow_idle_time":180000,"flow_min_l4_payload_len":36,"flow_max_l4_payload_len":36,"flow_tot_l4_payload_len":36,"flow_avg_l4_payload_len":36,"midstream":0,"ts_msec":1527155641813,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"192.168.0.15","src_port":40445,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00471{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":82,"source":"viber.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":1,"flow_last_seen":1527155641813,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"ts_msec":1527155641813,"pkt":"AA6OMNv9MAdNo1+nCABFAABAH5VAAEARmafAqAARwKgAD539ADUALISKl70BAAABAAAAAAAACGRsLW1lZGlhBXZpYmVyA2NvbQAAAQAB"}
00717{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":82,"source":"viber.pcap","alias":"nDPId-test","flow_id":9,"flow_packets_processed":1,"flow_first_seen":1527155641813,"flow_last_seen":1527155641813,"flow_idle_time":180000,"flow_min_l4_payload_len":36,"flow_max_l4_payload_len":36,"flow_tot_l4_payload_len":36,"flow_avg_l4_payload_len":36,"midstream":0,"ts_msec":1527155641813,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"192.168.0.15","src_port":40445,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Viber","breed":"Acceptable","category":"Chat"},"dns": {"query":"dl-media.viber.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
@@ -53,7 +53,7 @@
00457{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":86,"source":"viber.pcap","alias":"nDPId-test","flow_id":10,"flow_packet_id":3,"flow_last_seen":1527155641867,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1527155641867,"pkt":"AA6OMNv9MAdNo1+nCABFAAA0nX1AAEAGSHLAqAARNuZdNdKuAbvV1v7ndwuRKoAQAq0bCAAAAQEICgAhY59+anCq"}
00794{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":87,"source":"viber.pcap","alias":"nDPId-test","flow_id":10,"flow_packets_processed":4,"flow_first_seen":1527155641845,"flow_last_seen":1527155641868,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":183,"flow_tot_l4_payload_len":183,"flow_avg_l4_payload_len":45,"midstream":0,"ts_msec":1527155641868,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"54.230.93.53","src_port":53934,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Viber","breed":"Acceptable","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"dl-media.viber.com","ja3":"d8c87b9bfde38897979e41242626c2f3","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
00851{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":89,"source":"viber.pcap","alias":"nDPId-test","flow_id":10,"flow_packets_processed":6,"flow_first_seen":1527155641845,"flow_last_seen":1527155641890,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":1631,"flow_avg_l4_payload_len":271,"midstream":0,"ts_msec":1527155641890,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"54.230.93.53","src_port":53934,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Viber","breed":"Acceptable","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"dl-media.viber.com","ja3":"d8c87b9bfde38897979e41242626c2f3","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
-01113{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":91,"source":"viber.pcap","alias":"nDPId-test","flow_id":10,"flow_packets_processed":8,"flow_first_seen":1527155641845,"flow_last_seen":1527155641890,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":4527,"flow_avg_l4_payload_len":565,"midstream":0,"ts_msec":1527155641890,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"54.230.93.53","src_port":53934,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Viber","breed":"Acceptable","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"dl-media.viber.com","server_names":"*.viber.com,viber.com","ja3":"d8c87b9bfde38897979e41242626c2f3","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=thawte, Inc., CN=thawte SSL CA - G2","issuerDN":"C=LU, ST=Luxembourg, L=Luxembourg, O=Viber Media Sarl, OU=IT, CN=*.viber.com","alpn":"h2,http\/1.1","fingerprint":"E1:11:26:E6:14:A5:E6:F7:F1:CB:68:D1:A6:95:A1:5E:11:48:72:2A"}}
+01114{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":91,"source":"viber.pcap","alias":"nDPId-test","flow_id":10,"flow_packets_processed":8,"flow_first_seen":1527155641845,"flow_last_seen":1527155641890,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":4527,"flow_avg_l4_payload_len":565,"midstream":0,"ts_msec":1527155641890,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"54.230.93.53","src_port":53934,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Viber","breed":"Acceptable","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"dl-media.viber.com","server_names":"*.viber.com,viber.com","ja3":"d8c87b9bfde38897979e41242626c2f3","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=thawte, Inc., CN=thawte SSL CA - G2","subjectDN":"C=LU, ST=Luxembourg, L=Luxembourg, O=Viber Media Sarl, OU=IT, CN=*.viber.com","alpn":"h2,http\/1.1","fingerprint":"E1:11:26:E6:14:A5:E6:F7:F1:CB:68:D1:A6:95:A1:5E:11:48:72:2A"}}
00553{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":119,"source":"viber.pcap","alias":"nDPId-test","flow_id":11,"flow_packets_processed":1,"flow_first_seen":1527155644240,"flow_last_seen":1527155644240,"flow_idle_time":180000,"flow_min_l4_payload_len":23,"flow_max_l4_payload_len":23,"flow_tot_l4_payload_len":23,"flow_avg_l4_payload_len":23,"midstream":0,"ts_msec":1527155644240,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"172.217.23.106","src_port":41993,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00457{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":119,"source":"viber.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":1,"flow_last_seen":1527155644240,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":65,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":65,"pkt_l4_len":31,"ts_msec":1527155644240,"pkt":"AA6OMNv9MAdNo1+nCABFAAAzV0lAAEARXnTAqAARrNkXaqQJAbsAHwH3DO5PoOHayJNED10MJ0pTvsIOJQ7muOI="}
00457{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":120,"source":"viber.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":2,"flow_last_seen":1527155644243,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":65,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":65,"pkt_l4_len":31,"ts_msec":1527155644243,"pkt":"AA6OMNv9MAdNo1+nCABFAAAzV0pAAEARXnPAqAARrNkXaqQJAbsAH4RqDO5PoOHayJNEEDIopLF1oa8UykhAnf8="}
@@ -67,8 +67,8 @@
00473{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":124,"source":"viber.pcap","alias":"nDPId-test","flow_id":13,"flow_packet_id":1,"flow_last_seen":1527155646850,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1527155646850,"pkt":"AA6OMNv9MAdNo1+nCABFAAA8QKlAAEAGdTLAqAARrNkXTqq2Abu2kyjUAAAAAKAC\/\/\/OpwAAAgQFtAQCCAoAIWh9AAAAAAEDAwc="}
00471{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":125,"source":"viber.pcap","alias":"nDPId-test","flow_id":13,"flow_packet_id":2,"flow_last_seen":1527155646851,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1527155646851,"pkt":"MAdNo1+nAA6OMNv9CABFAAA8SUEAADoGspqs2RdOwKgAEQG7qrbgrF\/UtpMo1aASpagYYgAAAgQFZAQCCAqjjizLACFofQEDAwg="}
00458{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":126,"source":"viber.pcap","alias":"nDPId-test","flow_id":13,"flow_packet_id":3,"flow_last_seen":1527155646855,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1527155646855,"pkt":"AA6OMNv9MAdNo1+nCABFAAA0QKpAAEAGdTnAqAARrNkXTqq2Abu2kyjV4Kxf1YAQAq3p2QAAAQEICgAhaH6jjizL"}
-00797{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":127,"source":"viber.pcap","alias":"nDPId-test","flow_id":13,"flow_packets_processed":4,"flow_first_seen":1527155646850,"flow_last_seen":1527155646860,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1527155646860,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"172.217.23.78","src_port":43702,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"app-measurement.com","ja3":"3967ff2d2c9c4d144e7e30f24f4e9761","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"http\/1.1"}}
-00851{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":129,"source":"viber.pcap","alias":"nDPId-test","flow_id":13,"flow_packets_processed":6,"flow_first_seen":1527155646850,"flow_last_seen":1527155646862,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":679,"flow_avg_l4_payload_len":113,"midstream":0,"ts_msec":1527155646862,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"172.217.23.78","src_port":43702,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"app-measurement.com","ja3":"3967ff2d2c9c4d144e7e30f24f4e9761","ja3s":"67619a80665d7ab92d1041b1d11f9164","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"http\/1.1"}}
+00795{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":127,"source":"viber.pcap","alias":"nDPId-test","flow_id":13,"flow_packets_processed":4,"flow_first_seen":1527155646850,"flow_last_seen":1527155646860,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1527155646860,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"172.217.23.78","src_port":43702,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"app-measurement.com","ja3":"3967ff2d2c9c4d144e7e30f24f4e9761","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"http\/1.1"}}
+00849{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":129,"source":"viber.pcap","alias":"nDPId-test","flow_id":13,"flow_packets_processed":6,"flow_first_seen":1527155646850,"flow_last_seen":1527155646862,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":679,"flow_avg_l4_payload_len":113,"midstream":0,"ts_msec":1527155646862,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"172.217.23.78","src_port":43702,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"app-measurement.com","ja3":"3967ff2d2c9c4d144e7e30f24f4e9761","ja3s":"67619a80665d7ab92d1041b1d11f9164","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"http\/1.1"}}
00550{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":136,"source":"viber.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":1,"flow_first_seen":1527155646968,"flow_last_seen":1527155646968,"flow_idle_time":180000,"flow_min_l4_payload_len":61,"flow_max_l4_payload_len":61,"flow_tot_l4_payload_len":61,"flow_avg_l4_payload_len":61,"midstream":0,"ts_msec":1527155646968,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"224.0.0.251","src_port":5353,"dst_port":5353,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00511{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":136,"source":"viber.pcap","alias":"nDPId-test","flow_id":14,"flow_packet_id":1,"flow_last_seen":1527155646968,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":103,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":103,"pkt_l4_len":69,"ts_msec":1527155646968,"pkt":"AQBeAAD7MAdNo1+nCABFAABZHwxAAP8RutLAqAAR4AAA+xTpFOkARSvHAAQAAAACAAAAAAAACV84MDU3NDFDOQRfc3ViC19nb29nbGVjYXN0BF90Y3AFbG9jYWwAAAwAAcAbAAwAAQ=="}
00642{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":136,"source":"viber.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":1,"flow_first_seen":1527155646968,"flow_last_seen":1527155646968,"flow_idle_time":180000,"flow_min_l4_payload_len":61,"flow_max_l4_payload_len":61,"flow_tot_l4_payload_len":61,"flow_avg_l4_payload_len":61,"midstream":0,"ts_msec":1527155646968,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"224.0.0.251","src_port":5353,"dst_port":5353,"l4_proto":"udp","ndpi": {"proto":"MDNS","breed":"Acceptable","category":"Network"},"mdns": {"answer":"_805741c9._sub._googlecast._tcp.local"}}
@@ -105,9 +105,9 @@
00472{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":269,"source":"viber.pcap","alias":"nDPId-test","flow_id":21,"flow_packet_id":1,"flow_last_seen":1527155671066,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1527155671066,"pkt":"AA6OMNv9MAdNo1+nCABFAAA8FY9AAEAG0gLAqAARNrtbtr+YAbtog5WsAAAAAKAC\/\/+1DQAAAgQFtAQCCAoAIYAjAAAAAAEDAwc="}
00471{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":274,"source":"viber.pcap","alias":"nDPId-test","flow_id":21,"flow_packet_id":2,"flow_last_seen":1527155671237,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1527155671237,"pkt":"MAdNo1+nAA6OMNv9CABFAAA8AABAAOYGQZE2u1u2wKgAEQG7v5iCE\/ghaIOVraASaN+HqAAAAgQFtAQCCAosBh44ACGAIwEDAwg="}
00458{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":275,"source":"viber.pcap","alias":"nDPId-test","flow_id":21,"flow_packet_id":3,"flow_last_seen":1527155671240,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1527155671240,"pkt":"AA6OMNv9MAdNo1+nCABFAAA0FZBAAEAG0gnAqAARNrtbtr+YAbtog5WtghP4IoAQAq0cfAAAAQEICgAhgE8sBh44"}
-00794{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":276,"source":"viber.pcap","alias":"nDPId-test","flow_id":21,"flow_packets_processed":4,"flow_first_seen":1527155671066,"flow_last_seen":1527155671250,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":181,"flow_tot_l4_payload_len":181,"flow_avg_l4_payload_len":45,"midstream":0,"ts_msec":1527155671250,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"54.187.91.182","src_port":49048,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"brahe.apptimize.com","ja3":"d8c87b9bfde38897979e41242626c2f3","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"http\/1.1"}}
-00851{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":278,"source":"viber.pcap","alias":"nDPId-test","flow_id":21,"flow_packets_processed":6,"flow_first_seen":1527155671066,"flow_last_seen":1527155671423,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":1629,"flow_avg_l4_payload_len":271,"midstream":0,"ts_msec":1527155671423,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"54.187.91.182","src_port":49048,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"brahe.apptimize.com","ja3":"d8c87b9bfde38897979e41242626c2f3","ja3s":"8d2a028aa94425f76ced7826b1f39039","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"http\/1.1"}}
-01207{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":281,"source":"viber.pcap","alias":"nDPId-test","flow_id":21,"flow_packets_processed":9,"flow_first_seen":1527155671066,"flow_last_seen":1527155671423,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":5054,"flow_avg_l4_payload_len":561,"midstream":0,"ts_msec":1527155671423,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"54.187.91.182","src_port":49048,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"brahe.apptimize.com","server_names":"*.apptimize.com,apptimize.com","ja3":"d8c87b9bfde38897979e41242626c2f3","ja3s":"8d2a028aa94425f76ced7826b1f39039","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Organization Validation Secure Server CA","issuerDN":"C=US, ST=CA, L=Mountain View, O=Apptimize, Inc, OU=PremiumSSL Wildcard, CN=*.apptimize.com","alpn":"http\/1.1","fingerprint":"BC:4C:8F:EC:8B:7B:85:BD:54:61:8B:C0:7B:E7:A2:69:0B:F2:49:E5"}}
+00799{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":276,"source":"viber.pcap","alias":"nDPId-test","flow_id":21,"flow_packets_processed":4,"flow_first_seen":1527155671066,"flow_last_seen":1527155671250,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":181,"flow_tot_l4_payload_len":181,"flow_avg_l4_payload_len":45,"midstream":0,"ts_msec":1527155671250,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"54.187.91.182","src_port":49048,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"brahe.apptimize.com","ja3":"d8c87b9bfde38897979e41242626c2f3","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"http\/1.1"}}
+00856{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":278,"source":"viber.pcap","alias":"nDPId-test","flow_id":21,"flow_packets_processed":6,"flow_first_seen":1527155671066,"flow_last_seen":1527155671423,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":1629,"flow_avg_l4_payload_len":271,"midstream":0,"ts_msec":1527155671423,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"54.187.91.182","src_port":49048,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"brahe.apptimize.com","ja3":"d8c87b9bfde38897979e41242626c2f3","ja3s":"8d2a028aa94425f76ced7826b1f39039","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"http\/1.1"}}
+01213{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":281,"source":"viber.pcap","alias":"nDPId-test","flow_id":21,"flow_packets_processed":9,"flow_first_seen":1527155671066,"flow_last_seen":1527155671423,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":5054,"flow_avg_l4_payload_len":561,"midstream":0,"ts_msec":1527155671423,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"54.187.91.182","src_port":49048,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1.2","client_requested_server_name":"brahe.apptimize.com","server_names":"*.apptimize.com,apptimize.com","ja3":"d8c87b9bfde38897979e41242626c2f3","ja3s":"8d2a028aa94425f76ced7826b1f39039","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Organization Validation Secure Server CA","subjectDN":"C=US, ST=CA, L=Mountain View, O=Apptimize, Inc, OU=PremiumSSL Wildcard, CN=*.apptimize.com","alpn":"http\/1.1","fingerprint":"BC:4C:8F:EC:8B:7B:85:BD:54:61:8B:C0:7B:E7:A2:69:0B:F2:49:E5"}}
00546{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":357,"source":"viber.pcap","alias":"nDPId-test","flow_id":22,"flow_packets_processed":1,"flow_first_seen":1527155679410,"flow_last_seen":1527155679410,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1527155679410,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"18.201.4.3","src_port":33744,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00472{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":357,"source":"viber.pcap","alias":"nDPId-test","flow_id":22,"flow_packet_id":1,"flow_last_seen":1527155679410,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1527155679410,"pkt":"AA6OMNv9MAdNo1+nCABFAAA8V2ZAAEAGC9HAqAAREskEA4PQAbvgGt8vAAAAAKAC\/\/+jOgAAAgQFtAQCCAoAIYhJAAAAAAEDAwc="}
00554{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":358,"source":"viber.pcap","alias":"nDPId-test","flow_id":23,"flow_packets_processed":1,"flow_first_seen":1527155679411,"flow_last_seen":1527155679411,"flow_idle_time":180000,"flow_min_l4_payload_len":257,"flow_max_l4_payload_len":257,"flow_tot_l4_payload_len":257,"flow_avg_l4_payload_len":257,"midstream":0,"ts_msec":1527155679411,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"18.201.4.3","src_port":38190,"dst_port":7985,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
@@ -123,16 +123,16 @@
00458{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":365,"source":"viber.pcap","alias":"nDPId-test","flow_id":22,"flow_packet_id":3,"flow_last_seen":1527155679444,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1527155679444,"pkt":"AA6OMNv9MAdNo1+nCABFAAA0V2dAAEAGC9jAqAAREskEA4PQAbvgGt8wdKSu+oAQAq1ZEAAAAQEICgAhiFIA5FGt"}
00550{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":421,"source":"viber.pcap","alias":"nDPId-test","flow_id":25,"flow_packets_processed":1,"flow_first_seen":1527155685529,"flow_last_seen":1527155685529,"flow_idle_time":180000,"flow_min_l4_payload_len":32,"flow_max_l4_payload_len":32,"flow_tot_l4_payload_len":32,"flow_avg_l4_payload_len":32,"midstream":0,"ts_msec":1527155685529,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"192.168.0.15","src_port":50097,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00469{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":421,"source":"viber.pcap","alias":"nDPId-test","flow_id":25,"flow_packet_id":1,"flow_last_seen":1527155685529,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1527155685529,"pkt":"AA6OMNv9MAdNo1+nCABFAAA8KqJAAEARjp7AqAARwKgAD8OxADUAKKNciEIBAAABAAAAAAAAA3d3dwZnb29nbGUDY29tAAABAAE="}
-00717{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":421,"source":"viber.pcap","alias":"nDPId-test","flow_id":25,"flow_packets_processed":1,"flow_first_seen":1527155685529,"flow_last_seen":1527155685529,"flow_idle_time":180000,"flow_min_l4_payload_len":32,"flow_max_l4_payload_len":32,"flow_tot_l4_payload_len":32,"flow_avg_l4_payload_len":32,"midstream":0,"ts_msec":1527155685529,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"192.168.0.15","src_port":50097,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Tracker\/Ads","category":"Web"},"dns": {"query":"www.google.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
+00715{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":421,"source":"viber.pcap","alias":"nDPId-test","flow_id":25,"flow_packets_processed":1,"flow_first_seen":1527155685529,"flow_last_seen":1527155685529,"flow_idle_time":180000,"flow_min_l4_payload_len":32,"flow_max_l4_payload_len":32,"flow_tot_l4_payload_len":32,"flow_avg_l4_payload_len":32,"midstream":0,"ts_msec":1527155685529,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"192.168.0.15","src_port":50097,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Acceptable","category":"Web"},"dns": {"query":"www.google.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
00489{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":422,"source":"viber.pcap","alias":"nDPId-test","flow_id":25,"flow_packet_id":2,"flow_last_seen":1527155685530,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":90,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":90,"pkt_l4_len":56,"ts_msec":1527155685530,"pkt":"MAdNo1+nAA6OMNv9CABFAABMZZhAAEARU5jAqAAPwKgAEQA1w7EAOLypiEKBgAABAAEAAAAAA3d3dwZnb29nbGUDY29tAAABAAHADAABAAEAAABfAATYOs1k"}
-00732{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":422,"source":"viber.pcap","alias":"nDPId-test","flow_id":25,"flow_packets_processed":2,"flow_first_seen":1527155685529,"flow_last_seen":1527155685530,"flow_idle_time":180000,"flow_min_l4_payload_len":32,"flow_max_l4_payload_len":48,"flow_tot_l4_payload_len":80,"flow_avg_l4_payload_len":40,"midstream":0,"ts_msec":1527155685530,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"192.168.0.15","src_port":50097,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Tracker\/Ads","category":"Web"},"dns": {"query":"www.google.com","num_queries":1,"num_answers":1,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"216.58.205.100"}}
+00730{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":422,"source":"viber.pcap","alias":"nDPId-test","flow_id":25,"flow_packets_processed":2,"flow_first_seen":1527155685529,"flow_last_seen":1527155685530,"flow_idle_time":180000,"flow_min_l4_payload_len":32,"flow_max_l4_payload_len":48,"flow_tot_l4_payload_len":80,"flow_avg_l4_payload_len":40,"midstream":0,"ts_msec":1527155685530,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"192.168.0.15","src_port":50097,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Acceptable","category":"Web"},"dns": {"query":"www.google.com","num_queries":1,"num_answers":1,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"216.58.205.100"}}
00528{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":423,"source":"viber.pcap","alias":"nDPId-test","flow_id":26,"flow_packets_processed":1,"flow_first_seen":1527155685757,"flow_last_seen":1527155685757,"flow_idle_time":120000,"flow_min_l4_payload_len":1480,"flow_max_l4_payload_len":1480,"flow_tot_l4_payload_len":1480,"flow_avg_l4_payload_len":1480,"midstream":0,"ts_msec":1527155685757,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"192.168.0.15","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3}
02395{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":423,"source":"viber.pcap","alias":"nDPId-test","flow_id":26,"flow_packet_id":1,"flow_last_seen":1527155685757,"flow_idle_time":120000,"pkt_oversize":false,"pkt_caplen":1514,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1514,"pkt_l4_len":1480,"ts_msec":1527155685757,"pkt":"AA6OMNv9MAdNo1+nCABFAAXcfu9AAEABNMHAqAARwKgADwgA3UOrGAABMTIzNDU2Nzg5MEFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaX18xMjM0NTY3ODkwQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVpfXzEyMzQ1Njc4OTBBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWl9fMTIzNDU2Nzg5MEFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaX18xMjM0NTY3ODkwQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVpfXzEyMzQ1Njc4OTBBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWl9fMTIzNDU2Nzg5MEFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaX18xMjM0NTY3ODkwQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVpfXzEyMzQ1Njc4OTBBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWl9fMTIzNDU2Nzg5MEFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaX18xMjM0NTY3ODkwQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVpfXzEyMzQ1Njc4OTBBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWl9fMTIzNDU2Nzg5MEFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaX18xMjM0NTY3ODkwQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVpfXzEyMzQ1Njc4OTBBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWl9fMTIzNDU2Nzg5MEFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaX18xMjM0NTY3ODkwQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVpfXzEyMzQ1Njc4OTBBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWl9fMTIzNDU2Nzg5MEFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaX18xMjM0NTY3ODkwQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVpfXzEyMzQ1Njc4OTBBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWl9fMTIzNDU2Nzg5MEFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaX18xMjM0NTY3ODkwQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVpfXzEyMzQ1Njc4OTBBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWl9fMTIzNDU2Nzg5MEFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaX18xMjM0NTY3ODkwQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVpfXzEyMzQ1Njc4OTBBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWl9fMTIzNDU2Nzg5MEFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaX18xMjM0NTY3ODkwQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVpfXzEyMzQ1Njc4OTBBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWl9fMTIzNDU2Nzg5MEFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFl
aX18xMjM0NTY3ODkwQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVpfXzEyMzQ1Njc4OTBBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWl9fMTIzNDU2Nzg5MEFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaX18xMjM0NTY3ODkwQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVpfXzEyMzQ1Njc4OTBBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWl9fMTIzNDU2Nzg5MEFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaX18xMjM0NTY3ODkwQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVpfXzEyMzQ1Njc4OTBBQkNERUZHSElKS0xNTk9QUVI="}
-00561{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":423,"source":"viber.pcap","alias":"nDPId-test","flow_id":26,"flow_packets_processed":1,"flow_first_seen":1527155685757,"flow_last_seen":1527155685757,"flow_idle_time":120000,"flow_min_l4_payload_len":1480,"flow_max_l4_payload_len":1480,"flow_tot_l4_payload_len":1480,"flow_avg_l4_payload_len":1480,"midstream":0,"ts_msec":1527155685757,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"192.168.0.15","l4_proto":"icmp","ndpi": {"proto":"ICMP","breed":"Acceptable","category":"Network"}}
+00580{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":423,"source":"viber.pcap","alias":"nDPId-test","flow_id":26,"flow_packets_processed":1,"flow_first_seen":1527155685757,"flow_last_seen":1527155685757,"flow_idle_time":120000,"flow_min_l4_payload_len":1480,"flow_max_l4_payload_len":1480,"flow_tot_l4_payload_len":1480,"flow_avg_l4_payload_len":1480,"midstream":0,"ts_msec":1527155685757,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"192.168.0.15","l4_proto":"icmp","ndpi": {"proto":"ICMP","breed":"Acceptable","category":"Network"},"entropy":5.196204}
02395{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":424,"source":"viber.pcap","alias":"nDPId-test","flow_id":26,"flow_packet_id":2,"flow_last_seen":1527155685757,"flow_idle_time":120000,"pkt_oversize":false,"pkt_caplen":1514,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1514,"pkt_l4_len":1480,"ts_msec":1527155685757,"pkt":"MAdNo1+nAA6OMNv9CABFAAXcOTwAAEABunTAqAAPwKgAEQAA5UOrGAABMTIzNDU2Nzg5MEFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaX18xMjM0NTY3ODkwQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVpfXzEyMzQ1Njc4OTBBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWl9fMTIzNDU2Nzg5MEFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaX18xMjM0NTY3ODkwQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVpfXzEyMzQ1Njc4OTBBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWl9fMTIzNDU2Nzg5MEFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaX18xMjM0NTY3ODkwQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVpfXzEyMzQ1Njc4OTBBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWl9fMTIzNDU2Nzg5MEFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaX18xMjM0NTY3ODkwQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVpfXzEyMzQ1Njc4OTBBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWl9fMTIzNDU2Nzg5MEFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaX18xMjM0NTY3ODkwQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVpfXzEyMzQ1Njc4OTBBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWl9fMTIzNDU2Nzg5MEFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaX18xMjM0NTY3ODkwQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVpfXzEyMzQ1Njc4OTBBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWl9fMTIzNDU2Nzg5MEFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaX18xMjM0NTY3ODkwQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVpfXzEyMzQ1Njc4OTBBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWl9fMTIzNDU2Nzg5MEFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaX18xMjM0NTY3ODkwQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVpfXzEyMzQ1Njc4OTBBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWl9fMTIzNDU2Nzg5MEFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaX18xMjM0NTY3ODkwQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVpfXzEyMzQ1Njc4OTBBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWl9fMTIzNDU2Nzg5MEFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaX18xMjM0NTY3ODkwQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVpfXzEyMzQ1Njc4OTBBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWl9fMTIzNDU2Nzg5MEFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFl
aX18xMjM0NTY3ODkwQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVpfXzEyMzQ1Njc4OTBBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWl9fMTIzNDU2Nzg5MEFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaX18xMjM0NTY3ODkwQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVpfXzEyMzQ1Njc4OTBBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWl9fMTIzNDU2Nzg5MEFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaX18xMjM0NTY3ODkwQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVpfXzEyMzQ1Njc4OTBBQkNERUZHSElKS0xNTk9QUVI="}
00557{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":424,"source":"viber.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":22,"flow_first_seen":1527155639240,"flow_last_seen":1527155640252,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":6393,"flow_avg_l4_payload_len":290,"midstream":0,"ts_msec":1527155685757,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"54.69.166.226","src_port":36986,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00557{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":424,"source":"viber.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":22,"flow_first_seen":1527155640085,"flow_last_seen":1527155641008,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":6145,"flow_avg_l4_payload_len":279,"midstream":0,"ts_msec":1527155685757,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"54.69.166.226","src_port":36988,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
-00585{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":424,"source":"viber.pcap","alias":"nDPId-test","flow_id":11,"flow_packets_processed":3,"flow_first_seen":1527155644240,"flow_last_seen":1527155644244,"flow_idle_time":180000,"flow_min_l4_payload_len":22,"flow_max_l4_payload_len":23,"flow_tot_l4_payload_len":68,"flow_avg_l4_payload_len":22,"midstream":0,"ts_msec":1527155685757,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"172.217.23.106","src_port":41993,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"Google","breed":"Tracker\/Ads","category":"Web"}}
+00583{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":424,"source":"viber.pcap","alias":"nDPId-test","flow_id":11,"flow_packets_processed":3,"flow_first_seen":1527155644240,"flow_last_seen":1527155644244,"flow_idle_time":180000,"flow_min_l4_payload_len":22,"flow_max_l4_payload_len":23,"flow_tot_l4_payload_len":68,"flow_avg_l4_payload_len":22,"midstream":0,"ts_msec":1527155685757,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"172.217.23.106","src_port":41993,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"Google","breed":"Acceptable","category":"Web"}}
00554{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":424,"source":"viber.pcap","alias":"nDPId-test","flow_id":11,"flow_packets_processed":3,"flow_first_seen":1527155644240,"flow_last_seen":1527155644244,"flow_idle_time":180000,"flow_min_l4_payload_len":22,"flow_max_l4_payload_len":23,"flow_tot_l4_payload_len":68,"flow_avg_l4_payload_len":22,"midstream":0,"ts_msec":1527155685757,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"172.217.23.106","src_port":41993,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00557{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":424,"source":"viber.pcap","alias":"nDPId-test","flow_id":19,"flow_packets_processed":46,"flow_first_seen":1527155670640,"flow_last_seen":1527155677861,"flow_idle_time":180000,"flow_min_l4_payload_len":12,"flow_max_l4_payload_len":257,"flow_tot_l4_payload_len":5405,"flow_avg_l4_payload_len":117,"midstream":0,"ts_msec":1527155685757,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"18.201.4.32","src_port":47171,"dst_port":7985,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00552{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":424,"source":"viber.pcap","alias":"nDPId-test","flow_id":20,"flow_packets_processed":2,"flow_first_seen":1527155670640,"flow_last_seen":1527155670672,"flow_idle_time":180000,"flow_min_l4_payload_len":20,"flow_max_l4_payload_len":34,"flow_tot_l4_payload_len":54,"flow_avg_l4_payload_len":27,"midstream":0,"ts_msec":1527155685757,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"18.201.4.32","src_port":47171,"dst_port":7987,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
@@ -169,9 +169,9 @@
~~ total active/idle flows...: 26/26
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 2168765 bytes
-~~ total memory freed........: 2168765 bytes
-~~ total allocations/frees...: 35894/35894
+~~ total memory allocated....: 4820480 bytes
+~~ total memory freed........: 4820480 bytes
+~~ total allocations/frees...: 100090/100090
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 161 chars
~~ json string max len.......: 2400 chars
diff --git a/test/results/vnc.pcap.out b/test/results/vnc.pcap.out
index 4e2810b2c..f124e0dd4 100644
--- a/test/results/vnc.pcap.out
+++ b/test/results/vnc.pcap.out
@@ -20,9 +20,9 @@
~~ total active/idle flows...: 2/2
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 2065815 bytes
-~~ total memory freed........: 2065815 bytes
-~~ total allocations/frees...: 39894/39894
+~~ total memory allocated....: 4727706 bytes
+~~ total memory freed........: 4727706 bytes
+~~ total allocations/frees...: 104090/104090
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 159 chars
~~ json string max len.......: 687 chars
diff --git a/test/results/wa_video.pcap.out b/test/results/wa_video.pcap.out
index 624870b07..547bbf8aa 100644
--- a/test/results/wa_video.pcap.out
+++ b/test/results/wa_video.pcap.out
@@ -36,7 +36,7 @@
00592{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":44,"source":"wa_video.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":1,"flow_first_seen":1561455770313,"flow_last_seen":1561455770313,"flow_idle_time":180000,"flow_min_l4_payload_len":137,"flow_max_l4_payload_len":137,"flow_tot_l4_payload_len":137,"flow_avg_l4_payload_len":137,"midstream":0,"ts_msec":1561455770313,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"239.255.255.250","src_port":51277,"dst_port":1900,"l4_proto":"udp","ndpi": {"proto":"SSDP","breed":"Acceptable","category":"System"}}
00551{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":144,"source":"wa_video.pcap","alias":"nDPId-test","flow_id":9,"flow_packets_processed":1,"flow_first_seen":1561455772049,"flow_last_seen":1561455772049,"flow_idle_time":180000,"flow_min_l4_payload_len":300,"flow_max_l4_payload_len":300,"flow_tot_l4_payload_len":300,"flow_avg_l4_payload_len":300,"midstream":0,"ts_msec":1561455772049,"l3_proto":"ip4","src_ip":"0.0.0.0","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00845{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":144,"source":"wa_video.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":1,"flow_last_seen":1561455772049,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":342,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":342,"pkt_l4_len":308,"ts_msec":1561455772049,"pkt":"\/\/\/\/\/\/\/\/2DBiVgAcCABFAAFInqwAAP8RG\/kAAAAA\/\/\/\/\/wBEAEMBNNtQAQEGAH5K8tcAMwAAAAAAAAAAAAAAAAAAAAAAANgwYlYAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABjglNjNQEBNwoBeQMGD3f8XywuOQIF3D0HAdgwYlYAHDMEAHanAAwKTHVjYXMtaU1hY\/8AAAAAAAAAAAAAAAAA"}
-00640{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":144,"source":"wa_video.pcap","alias":"nDPId-test","flow_id":9,"flow_packets_processed":1,"flow_first_seen":1561455772049,"flow_last_seen":1561455772049,"flow_idle_time":180000,"flow_min_l4_payload_len":300,"flow_max_l4_payload_len":300,"flow_tot_l4_payload_len":300,"flow_avg_l4_payload_len":300,"midstream":0,"ts_msec":1561455772049,"l3_proto":"ip4","src_ip":"0.0.0.0","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","ndpi": {"proto":"DHCP","breed":"Acceptable","category":"Network"},"dhcp": {"fingerprint":"1,121,3,6,15,119,252,95,44,46"}}
+00681{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":144,"source":"wa_video.pcap","alias":"nDPId-test","flow_id":9,"flow_packets_processed":1,"flow_first_seen":1561455772049,"flow_last_seen":1561455772049,"flow_idle_time":180000,"flow_min_l4_payload_len":300,"flow_max_l4_payload_len":300,"flow_tot_l4_payload_len":300,"flow_avg_l4_payload_len":300,"midstream":0,"ts_msec":1561455772049,"l3_proto":"ip4","src_ip":"0.0.0.0","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","ndpi": {"proto":"DHCP","breed":"Acceptable","category":"Network"},"dhcp": {"hostname":"lucas-imac","fingerprint":"1,121,3,6,15,119,252,95,44,46","class_ident":""}}
00612{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":148,"source":"wa_video.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":2,"flow_last_seen":1561455773318,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":174,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":174,"pkt_l4_len":140,"ts_msec":1561455773318,"pkt":"AQBef\/\/6kLkxKPrKCABFAACgzaAAAAIRN\/7AqAIM7\/\/\/+shNB2wAjBq9TS1TRUFSQ0ggKiBIVFRQLzEuMQ0KSE9TVDogMjM5LjI1NS4yNTUuMjUwOjE5MDANClNUOiB1cm46c2NoZW1hcy11cG5wLW9yZzpzZXJ2aWNlOldBTklQQ29ubmVjdGlvbjoxDQpNQU46ICJzc2RwOmRpc2NvdmVyIg0KTVg6IDMNCg0K"}
00615{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":152,"source":"wa_video.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":3,"flow_last_seen":1561455776326,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":175,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":175,"pkt_l4_len":141,"ts_msec":1561455776326,"pkt":"AQBef\/\/6kLkxKPrKCABFAAChemIAAAIRizvAqAIM7\/\/\/+shNB2wAjbrDTS1TRUFSQ0ggKiBIVFRQLzEuMQ0KSE9TVDogMjM5LjI1NS4yNTUuMjUwOjE5MDANClNUOiB1cm46c2NoZW1hcy11cG5wLW9yZzpzZXJ2aWNlOldBTlBQUENvbm5lY3Rpb246MQ0KTUFOOiAic3NkcDpkaXNjb3ZlciINCk1YOiAzDQoNCg=="}
00845{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":250,"source":"wa_video.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":2,"flow_last_seen":1561455780246,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":342,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":342,"pkt_l4_len":308,"ts_msec":1561455780246,"pkt":"\/\/\/\/\/\/\/\/2DBiVgAcCABFAAFInq0AAP8RG\/gAAAAA\/\/\/\/\/wBEAEMBNNtIAQEGAH5K8tcAOwAAAAAAAAAAAAAAAAAAAAAAANgwYlYAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABjglNjNQEBNwoBeQMGD3f8XywuOQIF3D0HAdgwYlYAHDMEAHanAAwKTHVjYXMtaU1hY\/8AAAAAAAAAAAAAAAAA"}
@@ -86,9 +86,9 @@
~~ total active/idle flows...: 14/14
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 2062548 bytes
-~~ total memory freed........: 2062548 bytes
-~~ total allocations/frees...: 36962/36962
+~~ total memory allocated....: 4719351 bytes
+~~ total memory freed........: 4719351 bytes
+~~ total allocations/frees...: 101158/101158
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 164 chars
~~ json string max len.......: 2358 chars
diff --git a/test/results/wa_voice.pcap.out b/test/results/wa_voice.pcap.out
index db11ca339..79656d3e1 100644
--- a/test/results/wa_voice.pcap.out
+++ b/test/results/wa_voice.pcap.out
@@ -1,9 +1,9 @@
00442{"daemon_event_id":1,"daemon_event_name":"init","thread_id":0,"packet_id":0,"source":"wa_voice.pcap","alias":"nDPId-test","max-flows-per-thread":2048,"max-idle-flows-per-thread":256,"tick-resolution":1000,"reader-thread-count":1,"flow-scan-interval":10000,"generic-max-idle-time":600000,"icmp-max-idle-time":120000,"udp-max-idle-time":180000,"tcp-max-idle-time":7560000,"max-packets-per-flow-to-send":3,"max-packets-per-flow-to-process":255}
00549{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1561455687942,"flow_last_seen":1561455687942,"flow_idle_time":180000,"flow_min_l4_payload_len":32,"flow_max_l4_payload_len":32,"flow_tot_l4_payload_len":32,"flow_avg_l4_payload_len":32,"midstream":0,"ts_msec":1561455687942,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"192.168.2.1","src_port":51431,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00469{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_last_seen":1561455687942,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1561455687942,"pkt":"xiwDYGpkkLkxKPrKCABFAAA8VCwAAP8R4ibAqAIMwKgCAcjnADUAKL4MZG8BAAABAAAAAAAAA3d3dwZnb29nbGUDY29tAAABAAE="}
-00716{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1561455687942,"flow_last_seen":1561455687942,"flow_idle_time":180000,"flow_min_l4_payload_len":32,"flow_max_l4_payload_len":32,"flow_tot_l4_payload_len":32,"flow_avg_l4_payload_len":32,"midstream":0,"ts_msec":1561455687942,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"192.168.2.1","src_port":51431,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Tracker\/Ads","category":"Web"},"dns": {"query":"www.google.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
+00714{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1561455687942,"flow_last_seen":1561455687942,"flow_idle_time":180000,"flow_min_l4_payload_len":32,"flow_max_l4_payload_len":32,"flow_tot_l4_payload_len":32,"flow_avg_l4_payload_len":32,"midstream":0,"ts_msec":1561455687942,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"192.168.2.1","src_port":51431,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Acceptable","category":"Web"},"dns": {"query":"www.google.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
00489{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_last_seen":1561455687944,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":90,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":90,"pkt_l4_len":56,"ts_msec":1561455687944,"pkt":"kLkxKPrKxiwDYGpkCABFAABMq4sAAEARSbjAqAIBwKgCDAA1yOcAOH0WZG+BgAABAAEAAAAAA3d3dwZnb29nbGUDY29tAAABAAHADAABAAEAAADaAATY7yZ4"}
-00731{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":2,"flow_first_seen":1561455687942,"flow_last_seen":1561455687944,"flow_idle_time":180000,"flow_min_l4_payload_len":32,"flow_max_l4_payload_len":48,"flow_tot_l4_payload_len":80,"flow_avg_l4_payload_len":40,"midstream":0,"ts_msec":1561455687944,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"192.168.2.1","src_port":51431,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Tracker\/Ads","category":"Web"},"dns": {"query":"www.google.com","num_queries":1,"num_answers":1,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"216.239.38.120"}}
+00729{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":2,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":2,"flow_first_seen":1561455687942,"flow_last_seen":1561455687944,"flow_idle_time":180000,"flow_min_l4_payload_len":32,"flow_max_l4_payload_len":48,"flow_tot_l4_payload_len":80,"flow_avg_l4_payload_len":40,"midstream":0,"ts_msec":1561455687944,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"192.168.2.1","src_port":51431,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Acceptable","category":"Web"},"dns": {"query":"www.google.com","num_queries":1,"num_answers":1,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"216.239.38.120"}}
00549{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":3,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":1,"flow_first_seen":1561455687991,"flow_last_seen":1561455687991,"flow_idle_time":180000,"flow_min_l4_payload_len":32,"flow_max_l4_payload_len":32,"flow_tot_l4_payload_len":32,"flow_avg_l4_payload_len":32,"midstream":0,"ts_msec":1561455687991,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"192.168.2.1","src_port":60765,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00469{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_last_seen":1561455687991,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1561455687991,"pkt":"xiwDYGpkkLkxKPrKCABFAAA89ksAAP8RQAfAqAIMwKgCAe1dADUAKOSmDHcBAAABAAAAAAAAAWcId2hhdHNhcHADbmV0AAABAAE="}
00717{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":3,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":1,"flow_first_seen":1561455687991,"flow_last_seen":1561455687991,"flow_idle_time":180000,"flow_min_l4_payload_len":32,"flow_max_l4_payload_len":32,"flow_tot_l4_payload_len":32,"flow_avg_l4_payload_len":32,"midstream":0,"ts_msec":1561455687991,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"192.168.2.1","src_port":60765,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.WhatsApp","breed":"Acceptable","category":"Chat"},"dns": {"query":"g.whatsapp.net","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
@@ -99,7 +99,7 @@
00616{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":354,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":19,"flow_packet_id":3,"flow_last_seen":1561455713015,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":175,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":175,"pkt_l4_len":141,"ts_msec":1561455713015,"pkt":"AQBef\/\/6kLkxKPrKCABFAAChffAAAAIRh63AqAIM7\/\/\/+vzMB2wAjYZETS1TRUFSQ0ggKiBIVFRQLzEuMQ0KSE9TVDogMjM5LjI1NS4yNTUuMjUwOjE5MDANClNUOiB1cm46c2NoZW1hcy11cG5wLW9yZzpzZXJ2aWNlOldBTlBQUENvbm5lY3Rpb246MQ0KTUFOOiAic3NkcDpkaXNjb3ZlciINCk1YOiAzDQoNCg=="}
00552{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":427,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":22,"flow_packets_processed":1,"flow_first_seen":1561455721320,"flow_last_seen":1561455721320,"flow_idle_time":180000,"flow_min_l4_payload_len":300,"flow_max_l4_payload_len":300,"flow_tot_l4_payload_len":300,"flow_avg_l4_payload_len":300,"midstream":0,"ts_msec":1561455721320,"l3_proto":"ip4","src_ip":"0.0.0.0","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00845{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":427,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":22,"flow_packet_id":1,"flow_last_seen":1561455721320,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":342,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":342,"pkt_l4_len":308,"ts_msec":1561455721320,"pkt":"\/\/\/\/\/\/\/\/2DBiVgAcCABFAAFInqQAAP8RHAEAAAAA\/\/\/\/\/wBEAEMBNNuDAQEGAH5K8tcAAAAAAAAAAAAAAAAAAAAAAAAAANgwYlYAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABjglNjNQEBNwoBeQMGD3f8XywuOQIF3D0HAdgwYlYAHDMEAHanAAwKTHVjYXMtaU1hY\/8AAAAAAAAAAAAAAAAA"}
-00641{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":427,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":22,"flow_packets_processed":1,"flow_first_seen":1561455721320,"flow_last_seen":1561455721320,"flow_idle_time":180000,"flow_min_l4_payload_len":300,"flow_max_l4_payload_len":300,"flow_tot_l4_payload_len":300,"flow_avg_l4_payload_len":300,"midstream":0,"ts_msec":1561455721320,"l3_proto":"ip4","src_ip":"0.0.0.0","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","ndpi": {"proto":"DHCP","breed":"Acceptable","category":"Network"},"dhcp": {"fingerprint":"1,121,3,6,15,119,252,95,44,46"}}
+00682{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":427,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":22,"flow_packets_processed":1,"flow_first_seen":1561455721320,"flow_last_seen":1561455721320,"flow_idle_time":180000,"flow_min_l4_payload_len":300,"flow_max_l4_payload_len":300,"flow_tot_l4_payload_len":300,"flow_avg_l4_payload_len":300,"midstream":0,"ts_msec":1561455721320,"l3_proto":"ip4","src_ip":"0.0.0.0","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","ndpi": {"proto":"DHCP","breed":"Acceptable","category":"Network"},"dhcp": {"hostname":"lucas-imac","fingerprint":"1,121,3,6,15,119,252,95,44,46","class_ident":""}}
00845{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":430,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":22,"flow_packet_id":2,"flow_last_seen":1561455722541,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":342,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":342,"pkt_l4_len":308,"ts_msec":1561455722541,"pkt":"\/\/\/\/\/\/\/\/2DBiVgAcCABFAAFInqUAAP8RHAAAAAAA\/\/\/\/\/wBEAEMBNNuCAQEGAH5K8tcAAQAAAAAAAAAAAAAAAAAAAAAAANgwYlYAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABjglNjNQEBNwoBeQMGD3f8XywuOQIF3D0HAdgwYlYAHDMEAHanAAwKTHVjYXMtaU1hY\/8AAAAAAAAAAAAAAAAA"}
00846{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":431,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":22,"flow_packet_id":3,"flow_last_seen":1561455724934,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":342,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":342,"pkt_l4_len":308,"ts_msec":1561455724934,"pkt":"\/\/\/\/\/\/\/\/2DBiVgAcCABFAAFInqYAAP8RG\/8AAAAA\/\/\/\/\/wBEAEMBNNuAAQEGAH5K8tcAAwAAAAAAAAAAAAAAAAAAAAAAANgwYlYAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABjglNjNQEBNwoBeQMGD3f8XywuOQIF3D0HAdgwYlYAHDMEAHanAAwKTHVjYXMtaU1hY\/8AAAAAAAAAAAAAAAAA"}
00498{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":434,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_last_seen":1561455726442,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"ts_msec":1561455726442,"pkt":"\/\/\/\/\/\/\/\/xiwDYGpkCABFAABIUlcAAEARof3AqAIBwKgC\/+EV4RUANEtUU3BvdFVkcDC64ScQKi2g\/wABAARIlcIDyUSzc\/3fJAksKuG26pMF0apN5Ek="}
@@ -127,7 +127,7 @@
00594{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":714,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":27,"flow_packets_processed":1,"flow_first_seen":1561455741432,"flow_last_seen":1561455741432,"flow_idle_time":180000,"flow_min_l4_payload_len":137,"flow_max_l4_payload_len":137,"flow_tot_l4_payload_len":137,"flow_avg_l4_payload_len":137,"midstream":0,"ts_msec":1561455741432,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"239.255.255.250","src_port":57546,"dst_port":1900,"l4_proto":"udp","ndpi": {"proto":"SSDP","breed":"Acceptable","category":"System"}}
00523{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":716,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":28,"flow_packets_processed":1,"flow_first_seen":1561455741484,"flow_last_seen":1561455741484,"flow_idle_time":120000,"flow_min_l4_payload_len":36,"flow_max_l4_payload_len":36,"flow_tot_l4_payload_len":36,"flow_avg_l4_payload_len":36,"midstream":0,"ts_msec":1561455741484,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"91.252.56.51","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3}
00472{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":716,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":28,"flow_packet_id":1,"flow_last_seen":1561455741484,"flow_idle_time":120000,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":70,"pkt_l4_len":36,"ts_msec":1561455741484,"pkt":"xiwDYGpkkLkxKPrKCABFAAA4hv4AAEABnOPAqAIMW\/w4MwMDoFgAAAAARQAA73IeAAAxEb\/8W\/w4M8CoAgx\/wNwIANsAAA=="}
-00556{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":716,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":28,"flow_packets_processed":1,"flow_first_seen":1561455741484,"flow_last_seen":1561455741484,"flow_idle_time":120000,"flow_min_l4_payload_len":36,"flow_max_l4_payload_len":36,"flow_tot_l4_payload_len":36,"flow_avg_l4_payload_len":36,"midstream":0,"ts_msec":1561455741484,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"91.252.56.51","l4_proto":"icmp","ndpi": {"proto":"ICMP","breed":"Acceptable","category":"Network"}}
+00575{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":716,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":28,"flow_packets_processed":1,"flow_first_seen":1561455741484,"flow_last_seen":1561455741484,"flow_idle_time":120000,"flow_min_l4_payload_len":36,"flow_max_l4_payload_len":36,"flow_tot_l4_payload_len":36,"flow_avg_l4_payload_len":36,"midstream":0,"ts_msec":1561455741484,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"91.252.56.51","l4_proto":"icmp","ndpi": {"proto":"ICMP","breed":"Acceptable","category":"Network"},"entropy":3.962659}
00595{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":718,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":255,"flow_first_seen":1561455688704,"flow_last_seen":1561455741680,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1388,"flow_tot_l4_payload_len":20946,"flow_avg_l4_payload_len":82,"midstream":0,"ts_msec":1561455741680,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"157.240.20.53","src_port":49355,"dst_port":5222,"l4_proto":"tcp","ndpi": {"proto":"WhatsApp","breed":"Acceptable","category":"Chat"}}
00596{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":718,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":255,"flow_first_seen":1561455688704,"flow_last_seen":1561455741680,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1388,"flow_tot_l4_payload_len":20946,"flow_avg_l4_payload_len":82,"midstream":0,"ts_msec":1561455741680,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"157.240.20.53","src_port":49355,"dst_port":5222,"l4_proto":"tcp","ndpi": {"proto":"WhatsApp","breed":"Acceptable","category":"Chat"}}
00471{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":726,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":28,"flow_packet_id":2,"flow_last_seen":1561455742405,"flow_idle_time":120000,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":70,"pkt_l4_len":36,"ts_msec":1561455742405,"pkt":"xiwDYGpkkLkxKPrKCABFAAA4TCgAAEAB17nAqAIMW\/w4MwMDoOEAAAAARQAAZumbAAAxEUkIW\/w4M8CoAgx\/wNwIAFIAAA=="}
@@ -171,9 +171,9 @@
~~ total active/idle flows...: 28/28
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 2082962 bytes
-~~ total memory freed........: 2082962 bytes
-~~ total allocations/frees...: 36176/36176
+~~ total memory allocated....: 4733829 bytes
+~~ total memory freed........: 4733829 bytes
+~~ total allocations/frees...: 100372/100372
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 164 chars
~~ json string max len.......: 2418 chars
diff --git a/test/results/waze.pcap.out b/test/results/waze.pcap.out
index 8409e1c1b..40ef92eee 100644
--- a/test/results/waze.pcap.out
+++ b/test/results/waze.pcap.out
@@ -4,7 +4,7 @@
00491{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"waze.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_last_seen":1435587867103,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":91,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":91,"pkt_l4_len":57,"ts_msec":1435587867103,"pkt":"ABoRAAACABoRAAABCABFAABNMsJAAEAGQsUKECWdriXnUaUQFGaA18okWhY9doAYAVcoEAAAAQEICgAIa2tBJdw4gAAWBXL2KZLscQ7\/r4Q3YR6R6YsREWIs0w=="}
00544{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":3,"source":"waze.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":1,"flow_first_seen":1435587867443,"flow_last_seen":1435587867443,"flow_idle_time":180000,"flow_min_l4_payload_len":48,"flow_max_l4_payload_len":48,"flow_tot_l4_payload_len":48,"flow_avg_l4_payload_len":48,"midstream":0,"ts_msec":1435587867443,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"200.89.75.198","src_port":46214,"dst_port":123,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00485{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"waze.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_last_seen":1435587867443,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":90,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":90,"pkt_l4_len":56,"ts_msec":1435587867443,"pkt":"ABoRAAACABoRAAABCABFAABMAABAAEARHHkKCAAByFlLxrSGAHsAOIB9GwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANk705txaHKW"}
-00575{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":3,"source":"waze.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":1,"flow_first_seen":1435587867443,"flow_last_seen":1435587867443,"flow_idle_time":180000,"flow_min_l4_payload_len":48,"flow_max_l4_payload_len":48,"flow_tot_l4_payload_len":48,"flow_avg_l4_payload_len":48,"midstream":0,"ts_msec":1435587867443,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"200.89.75.198","src_port":46214,"dst_port":123,"l4_proto":"udp","ndpi": {"proto":"NTP","breed":"Acceptable","category":"System"}}
+00613{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":3,"source":"waze.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":1,"flow_first_seen":1435587867443,"flow_last_seen":1435587867443,"flow_idle_time":180000,"flow_min_l4_payload_len":48,"flow_max_l4_payload_len":48,"flow_tot_l4_payload_len":48,"flow_avg_l4_payload_len":48,"midstream":0,"ts_msec":1435587867443,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"200.89.75.198","src_port":46214,"dst_port":123,"l4_proto":"udp","ndpi": {"proto":"NTP","breed":"Acceptable","category":"System"},"ntp": {"request_code":0,"version":0}}
00485{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4,"source":"waze.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_last_seen":1435587867753,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":90,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":90,"pkt_l4_len":56,"ts_msec":1435587867753,"pkt":"ABoRAAACABoRAAABCABFAABMdHBAABAR2AjIWUvGCggAAQB7tIYAOEf+HAIA7AAAAUgAAAbvyDaVGNk70ieZS5oL2TvTm3FocpbZO9ObncvLHNk705ud0JHn"}
00540{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":5,"source":"waze.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":1,"flow_first_seen":1435587867755,"flow_last_seen":1435587867755,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1435587867755,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"65.39.128.135","src_port":54915,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00468{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":5,"source":"waze.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_last_seen":1435587867755,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1435587867755,"pkt":"ABoRAAACABoRAAABCABFAAA8zNlAAEAGoisKCAABQSeAh9aDAFDjx6dUAAAAAKAC\/\/+uwgAAAgQFtAQCCAoACGuNAAAAAAEDAwg="}
@@ -29,18 +29,18 @@
00470{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":24,"source":"waze.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":1,"flow_last_seen":1435587868996,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1435587868996,"pkt":"ABoRAAACABoRAAABCABFAAA8cVdAAEAGm2kKCAABrcJ2MI7pAburox1\/AAAAAKAC\/\/9UDAAAAgQFtAQCCAoACGwoAAAAAAEDAwg="}
00442{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":25,"source":"waze.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":2,"flow_last_seen":1435587868998,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1435587868998,"pkt":"ABoRAAACABoRAAABCABFAAAodHhAABAGyFytwnYwCggAAQG7julUXOKAq6MdgFAS\/\/\/xMQAA"}
00442{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":26,"source":"waze.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":3,"flow_last_seen":1435587869002,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1435587869002,"pkt":"ABoRAAACABoRAAABCABFAAAocVhAAEAGm3wKCAABrcJ2MI7pAburox2AVFzigVAQ\/\/\/xMgAA"}
-00806{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":27,"source":"waze.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":4,"flow_first_seen":1435587868634,"flow_last_seen":1435587869002,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":182,"flow_tot_l4_payload_len":182,"flow_avg_l4_payload_len":45,"midstream":0,"ts_msec":1435587869002,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"46.51.173.182","src_port":36100,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
-00809{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":32,"source":"waze.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":4,"flow_first_seen":1435587868996,"flow_last_seen":1435587869054,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":174,"flow_tot_l4_payload_len":174,"flow_avg_l4_payload_len":43,"midstream":0,"ts_msec":1435587869054,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"173.194.118.48","src_port":36585,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"f8f5b71e02603b283e55b50d17ede861","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
-00806{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":36,"source":"waze.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":4,"flow_first_seen":1435587868635,"flow_last_seen":1435587869106,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":182,"flow_tot_l4_payload_len":182,"flow_avg_l4_payload_len":45,"midstream":0,"ts_msec":1435587869106,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"46.51.173.182","src_port":36102,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
-00856{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":38,"source":"waze.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":6,"flow_first_seen":1435587868996,"flow_last_seen":1435587869107,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":174,"flow_tot_l4_payload_len":307,"flow_avg_l4_payload_len":51,"midstream":0,"ts_msec":1435587869107,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"173.194.118.48","src_port":36585,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"f8f5b71e02603b283e55b50d17ede861","ja3s":"23f1f6e2f0015c166df49fdab4280370","unsafe_cipher":2,"cipher":"TLS_ECDHE_RSA_WITH_RC4_128_SHA"}}
+00811{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":27,"source":"waze.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":4,"flow_first_seen":1435587868634,"flow_last_seen":1435587869002,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":182,"flow_tot_l4_payload_len":182,"flow_avg_l4_payload_len":45,"midstream":0,"ts_msec":1435587869002,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"46.51.173.182","src_port":36100,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
+00807{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":32,"source":"waze.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":4,"flow_first_seen":1435587868996,"flow_last_seen":1435587869054,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":174,"flow_tot_l4_payload_len":174,"flow_avg_l4_payload_len":43,"midstream":0,"ts_msec":1435587869054,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"173.194.118.48","src_port":36585,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Google","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"f8f5b71e02603b283e55b50d17ede861","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
+00811{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":36,"source":"waze.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":4,"flow_first_seen":1435587868635,"flow_last_seen":1435587869106,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":182,"flow_tot_l4_payload_len":182,"flow_avg_l4_payload_len":45,"midstream":0,"ts_msec":1435587869106,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"46.51.173.182","src_port":36102,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
+00854{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":38,"source":"waze.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":6,"flow_first_seen":1435587868996,"flow_last_seen":1435587869107,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":174,"flow_tot_l4_payload_len":307,"flow_avg_l4_payload_len":51,"midstream":0,"ts_msec":1435587869107,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"173.194.118.48","src_port":36585,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Google","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"f8f5b71e02603b283e55b50d17ede861","ja3s":"23f1f6e2f0015c166df49fdab4280370","unsafe_cipher":2,"cipher":"TLS_ECDHE_RSA_WITH_RC4_128_SHA"}}
00542{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":49,"source":"waze.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":1,"flow_first_seen":1435587869162,"flow_last_seen":1435587869162,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1435587869162,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"54.230.227.172","src_port":45536,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00471{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":49,"source":"waze.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":1,"flow_last_seen":1435587869162,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1435587869162,"pkt":"ABoRAAACABoRAAABCABFAAA8XmhAAEAGt7gKCAABNubjrLHgAFDjpDJQAAAAAKAC\/\/\/u\/QAAAgQFtAQCCAoACGw4AAAAAAEDAwg="}
00442{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":50,"source":"waze.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":2,"flow_last_seen":1435587869163,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1435587869163,"pkt":"ABoRAAACABoRAAABCABFAAAodIRAABAG0bA25uOsCggAAQBQseAcW82v46QyUVAS\/\/\/ZBQAA"}
00442{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":51,"source":"waze.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":3,"flow_last_seen":1435587869163,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1435587869163,"pkt":"ABoRAAACABoRAAABCABFAAAoXmlAAEAGt8sKCAABNubjrLHgAFDjpDJRHFvNsFAQ\/\/\/ZBgAA"}
00726{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":52,"source":"waze.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":4,"flow_first_seen":1435587869162,"flow_last_seen":1435587869165,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":140,"flow_tot_l4_payload_len":140,"flow_avg_l4_payload_len":35,"midstream":0,"ts_msec":1435587869165,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"54.230.227.172","src_port":45536,"dst_port":80,"l4_proto":"tcp","ndpi": {"proto":"HTTP.Waze","breed":"Acceptable","category":"Web"},"http": {"hostname":"cres.waze.com","url":"cres.waze.com\/lang_asr\/lang.portuguese_br_asr","code":0,"content_type":"","user_agent":"\/3.9.4.0"}}
-00876{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":66,"source":"waze.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":6,"flow_first_seen":1435587868635,"flow_last_seen":1435587869425,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1012,"flow_tot_l4_payload_len":1194,"flow_avg_l4_payload_len":199,"midstream":0,"ts_msec":1435587869425,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"46.51.173.182","src_port":36102,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"714ac86d50db68420429ca897688f5f3","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA"}}
-01134{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":67,"source":"waze.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":6,"flow_first_seen":1435587868634,"flow_last_seen":1435587869476,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":3147,"flow_tot_l4_payload_len":3329,"flow_avg_l4_payload_len":554,"midstream":0,"ts_msec":1435587869476,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"46.51.173.182","src_port":36100,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.Waze","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.world.waze.com","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"714ac86d50db68420429ca897688f5f3","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Google Inc, CN=Google Internet Authority G2","issuerDN":"C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.world.waze.com","fingerprint":"30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B"}}
-01134{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":69,"source":"waze.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":8,"flow_first_seen":1435587868635,"flow_last_seen":1435587869477,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":2135,"flow_tot_l4_payload_len":3329,"flow_avg_l4_payload_len":416,"midstream":0,"ts_msec":1435587869477,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"46.51.173.182","src_port":36102,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.Waze","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.world.waze.com","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"714ac86d50db68420429ca897688f5f3","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Google Inc, CN=Google Internet Authority G2","issuerDN":"C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.world.waze.com","fingerprint":"30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B"}}
+00881{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":66,"source":"waze.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":6,"flow_first_seen":1435587868635,"flow_last_seen":1435587869425,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1012,"flow_tot_l4_payload_len":1194,"flow_avg_l4_payload_len":199,"midstream":0,"ts_msec":1435587869425,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"46.51.173.182","src_port":36102,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"714ac86d50db68420429ca897688f5f3","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA"}}
+01135{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":67,"source":"waze.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":6,"flow_first_seen":1435587868634,"flow_last_seen":1435587869476,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":3147,"flow_tot_l4_payload_len":3329,"flow_avg_l4_payload_len":554,"midstream":0,"ts_msec":1435587869476,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"46.51.173.182","src_port":36100,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.Waze","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.world.waze.com","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"714ac86d50db68420429ca897688f5f3","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Google Inc, CN=Google Internet Authority G2","subjectDN":"C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.world.waze.com","fingerprint":"30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B"}}
+01135{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":69,"source":"waze.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":8,"flow_first_seen":1435587868635,"flow_last_seen":1435587869477,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":2135,"flow_tot_l4_payload_len":3329,"flow_avg_l4_payload_len":416,"midstream":0,"ts_msec":1435587869477,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"46.51.173.182","src_port":36102,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.Waze","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.world.waze.com","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"714ac86d50db68420429ca897688f5f3","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Google Inc, CN=Google Internet Authority G2","subjectDN":"C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.world.waze.com","fingerprint":"30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B"}}
00801{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":92,"source":"waze.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":6,"flow_first_seen":1435587867755,"flow_last_seen":1435587871459,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1368,"flow_tot_l4_payload_len":1631,"flow_avg_l4_payload_len":271,"midstream":0,"ts_msec":1435587871459,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"65.39.128.135","src_port":54915,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"4":"Binary application transfer"},"proto":"HTTP","breed":"Acceptable","category":"Download"},"http": {"hostname":"xtra1.gpsonextra.net","url":"xtra1.gpsonextra.net\/xtra2.bin","code":200,"content_type":"application\/octet-stream","user_agent":"Android"}}
00543{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":100,"source":"waze.pcap","alias":"nDPId-test","flow_id":9,"flow_packets_processed":1,"flow_first_seen":1435587871656,"flow_last_seen":1435587871656,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1435587871656,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"54.230.227.172","src_port":45538,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00471{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":100,"source":"waze.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":1,"flow_last_seen":1435587871656,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1435587871656,"pkt":"ABoRAAACABoRAAABCABFAAA8\/jRAAEAGF+wKCAABNubjrLHiAFBcJZMGAAAAAKAC\/\/8UywAAAgQFtAQCCAoACG0yAAAAAAEDAwg="}
@@ -72,55 +72,55 @@
00445{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":140,"source":"waze.pcap","alias":"nDPId-test","flow_id":13,"flow_packet_id":3,"flow_last_seen":1435587871945,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1435587871945,"pkt":"ABoRAAACABoRAAABCABFAAAo\/W1AAEAGG84KCAABsCJnacdrAbsTBZAl7Ppv3FAQ\/\/\/FFwAA"}
00443{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":141,"source":"waze.pcap","alias":"nDPId-test","flow_id":14,"flow_packet_id":3,"flow_last_seen":1435587871945,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1435587871945,"pkt":"ABoRAAACABoRAAABCABFAAAoxDVAAEAGxaUKCAABNBFy25hiAbudWal9YqZWhFAQ\/\/9kwAAA"}
00445{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":142,"source":"waze.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":3,"flow_last_seen":1435587871945,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1435587871945,"pkt":"ABoRAAACABoRAAABCABFAAAoRGhAAEAG0cwKCAABNubjrLHqAFALhykw9HjW0VAQ\/\/\/Y\/AAA"}
-00809{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":145,"source":"waze.pcap","alias":"nDPId-test","flow_id":11,"flow_packets_processed":4,"flow_first_seen":1435587871918,"flow_last_seen":1435587872045,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":182,"flow_tot_l4_payload_len":182,"flow_avg_l4_payload_len":45,"midstream":0,"ts_msec":1435587872045,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"176.34.103.105","src_port":51049,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
-00809{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":149,"source":"waze.pcap","alias":"nDPId-test","flow_id":12,"flow_packets_processed":4,"flow_first_seen":1435587871929,"flow_last_seen":1435587872139,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":182,"flow_tot_l4_payload_len":182,"flow_avg_l4_payload_len":45,"midstream":0,"ts_msec":1435587872139,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"176.34.103.105","src_port":51050,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
-00809{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":151,"source":"waze.pcap","alias":"nDPId-test","flow_id":13,"flow_packets_processed":4,"flow_first_seen":1435587871935,"flow_last_seen":1435587872205,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":182,"flow_tot_l4_payload_len":182,"flow_avg_l4_payload_len":45,"midstream":0,"ts_msec":1435587872205,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"176.34.103.105","src_port":51051,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
-00808{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":153,"source":"waze.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":4,"flow_first_seen":1435587871939,"flow_last_seen":1435587872289,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":182,"flow_tot_l4_payload_len":182,"flow_avg_l4_payload_len":45,"midstream":0,"ts_msec":1435587872289,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"52.17.114.219","src_port":39010,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
+00814{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":145,"source":"waze.pcap","alias":"nDPId-test","flow_id":11,"flow_packets_processed":4,"flow_first_seen":1435587871918,"flow_last_seen":1435587872045,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":182,"flow_tot_l4_payload_len":182,"flow_avg_l4_payload_len":45,"midstream":0,"ts_msec":1435587872045,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"176.34.103.105","src_port":51049,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
+00814{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":149,"source":"waze.pcap","alias":"nDPId-test","flow_id":12,"flow_packets_processed":4,"flow_first_seen":1435587871929,"flow_last_seen":1435587872139,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":182,"flow_tot_l4_payload_len":182,"flow_avg_l4_payload_len":45,"midstream":0,"ts_msec":1435587872139,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"176.34.103.105","src_port":51050,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
+00814{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":151,"source":"waze.pcap","alias":"nDPId-test","flow_id":13,"flow_packets_processed":4,"flow_first_seen":1435587871935,"flow_last_seen":1435587872205,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":182,"flow_tot_l4_payload_len":182,"flow_avg_l4_payload_len":45,"midstream":0,"ts_msec":1435587872205,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"176.34.103.105","src_port":51051,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
+00813{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":153,"source":"waze.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":4,"flow_first_seen":1435587871939,"flow_last_seen":1435587872289,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":182,"flow_tot_l4_payload_len":182,"flow_avg_l4_payload_len":45,"midstream":0,"ts_msec":1435587872289,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"52.17.114.219","src_port":39010,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
00747{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":155,"source":"waze.pcap","alias":"nDPId-test","flow_id":15,"flow_packets_processed":4,"flow_first_seen":1435587871941,"flow_last_seen":1435587872340,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":157,"flow_tot_l4_payload_len":157,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1435587872340,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"54.230.227.172","src_port":45546,"dst_port":80,"l4_proto":"tcp","ndpi": {"proto":"HTTP.Waze","breed":"Acceptable","category":"Web"},"http": {"hostname":"cres.waze.com","url":"cres.waze.com\/newVconfig\/1.0\/3\/prompts_conf.buf?rtserver-id=15","code":0,"content_type":"","user_agent":"\/3.9.4.0"}}
00544{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":166,"source":"waze.pcap","alias":"nDPId-test","flow_id":16,"flow_packets_processed":1,"flow_first_seen":1435587872476,"flow_last_seen":1435587872476,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1435587872476,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"54.230.227.172","src_port":45552,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00472{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":166,"source":"waze.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":1,"flow_last_seen":1435587872476,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1435587872476,"pkt":"ABoRAAACABoRAAABCABFAAA8WSJAAEAGvP4KCAABNubjrLHwAFDxQTSmAAAAAKAC\/\/\/drgAAAgQFtAQCCAoACG2EAAAAAAEDAwg="}
00444{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":167,"source":"waze.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":2,"flow_last_seen":1435587872477,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1435587872477,"pkt":"ABoRAAACABoRAAABCABFAAAodLxAABAG0Xg25uOsCggAAQBQsfAOvstZ8UE0p1AS\/\/\/Y9QAA"}
00444{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":171,"source":"waze.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":3,"flow_last_seen":1435587872478,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1435587872478,"pkt":"ABoRAAACABoRAAABCABFAAAoWSNAAEAGvREKCAABNubjrLHwAFDxQTSnDr7LWlAQ\/\/\/Y9gAA"}
00741{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":173,"source":"waze.pcap","alias":"nDPId-test","flow_id":16,"flow_packets_processed":4,"flow_first_seen":1435587872476,"flow_last_seen":1435587872479,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":152,"flow_tot_l4_payload_len":152,"flow_avg_l4_payload_len":38,"midstream":0,"ts_msec":1435587872479,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"54.230.227.172","src_port":45552,"dst_port":80,"l4_proto":"tcp","ndpi": {"proto":"HTTP.Waze","breed":"Acceptable","category":"Web"},"http": {"hostname":"cres.waze.com","url":"cres.waze.com\/langs\/1.0\/lang.portuguese_br?rtserver-id=15","code":0,"content_type":"","user_agent":"\/3.9.4.0"}}
-00863{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":177,"source":"waze.pcap","alias":"nDPId-test","flow_id":13,"flow_packets_processed":6,"flow_first_seen":1435587871935,"flow_last_seen":1435587872515,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1368,"flow_tot_l4_payload_len":1550,"flow_avg_l4_payload_len":258,"midstream":0,"ts_msec":1435587872515,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"176.34.103.105","src_port":51051,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"39f74f5618836d3c5f7dcccc9f67ba75","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"}}
-00863{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":179,"source":"waze.pcap","alias":"nDPId-test","flow_id":11,"flow_packets_processed":6,"flow_first_seen":1435587871918,"flow_last_seen":1435587872568,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1368,"flow_tot_l4_payload_len":1550,"flow_avg_l4_payload_len":258,"midstream":0,"ts_msec":1435587872568,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"176.34.103.105","src_port":51049,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"39f74f5618836d3c5f7dcccc9f67ba75","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"}}
-01120{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":180,"source":"waze.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":6,"flow_first_seen":1435587871939,"flow_last_seen":1435587872569,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":3491,"flow_tot_l4_payload_len":3673,"flow_avg_l4_payload_len":612,"midstream":0,"ts_msec":1435587872569,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"52.17.114.219","src_port":39010,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Waze","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.world.waze.com","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"39f74f5618836d3c5f7dcccc9f67ba75","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","issuerDN":"C=US, O=Google Inc, CN=Google Internet Authority G2","issuerDN":"C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.world.waze.com","fingerprint":"30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B"}}
+00868{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":177,"source":"waze.pcap","alias":"nDPId-test","flow_id":13,"flow_packets_processed":6,"flow_first_seen":1435587871935,"flow_last_seen":1435587872515,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1368,"flow_tot_l4_payload_len":1550,"flow_avg_l4_payload_len":258,"midstream":0,"ts_msec":1435587872515,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"176.34.103.105","src_port":51051,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"39f74f5618836d3c5f7dcccc9f67ba75","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"}}
+00868{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":179,"source":"waze.pcap","alias":"nDPId-test","flow_id":11,"flow_packets_processed":6,"flow_first_seen":1435587871918,"flow_last_seen":1435587872568,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1368,"flow_tot_l4_payload_len":1550,"flow_avg_l4_payload_len":258,"midstream":0,"ts_msec":1435587872568,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"176.34.103.105","src_port":51049,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"39f74f5618836d3c5f7dcccc9f67ba75","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"}}
+01121{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":180,"source":"waze.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":6,"flow_first_seen":1435587871939,"flow_last_seen":1435587872569,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":3491,"flow_tot_l4_payload_len":3673,"flow_avg_l4_payload_len":612,"midstream":0,"ts_msec":1435587872569,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"52.17.114.219","src_port":39010,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Waze","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.world.waze.com","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"39f74f5618836d3c5f7dcccc9f67ba75","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","issuerDN":"C=US, O=Google Inc, CN=Google Internet Authority G2","subjectDN":"C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.world.waze.com","fingerprint":"30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B"}}
00544{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":193,"source":"waze.pcap","alias":"nDPId-test","flow_id":17,"flow_packets_processed":1,"flow_first_seen":1435587872702,"flow_last_seen":1435587872702,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1435587872702,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"54.230.227.172","src_port":45554,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00473{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":193,"source":"waze.pcap","alias":"nDPId-test","flow_id":17,"flow_packet_id":1,"flow_last_seen":1435587872702,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1435587872702,"pkt":"ABoRAAACABoRAAABCABFAAA8Y6lAAEAGsncKCAABNubjrLHyAFAC8Q4\/AAAAAKAC\/\/\/yUgAAAgQFtAQCCAoACG2WAAAAAAEDAwg="}
00444{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":194,"source":"waze.pcap","alias":"nDPId-test","flow_id":17,"flow_packet_id":2,"flow_last_seen":1435587872704,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1435587872704,"pkt":"ABoRAAACABoRAAABCABFAAAodMpAABAG0Wo25uOsCggAAQBQsfL9DvHAAvEOQFAS\/\/\/Y8wAA"}
00445{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":199,"source":"waze.pcap","alias":"nDPId-test","flow_id":17,"flow_packet_id":3,"flow_last_seen":1435587872705,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1435587872705,"pkt":"ABoRAAACABoRAAABCABFAAAoY6pAAEAGsooKCAABNubjrLHyAFAC8Q5A\/Q7xwVAQ\/\/\/Y9AAA"}
00740{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":201,"source":"waze.pcap","alias":"nDPId-test","flow_id":17,"flow_packets_processed":4,"flow_first_seen":1435587872702,"flow_last_seen":1435587872706,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":150,"flow_tot_l4_payload_len":150,"flow_avg_l4_payload_len":37,"midstream":0,"ts_msec":1435587872706,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"54.230.227.172","src_port":45554,"dst_port":80,"l4_proto":"tcp","ndpi": {"proto":"HTTP.Waze","breed":"Acceptable","category":"Web"},"http": {"hostname":"cres.waze.com","url":"cres.waze.com\/newVconfig\/1.0\/3\/lang.conf?rtserver-id=15","code":0,"content_type":"","user_agent":"\/3.9.4.0"}}
-00863{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":247,"source":"waze.pcap","alias":"nDPId-test","flow_id":12,"flow_packets_processed":6,"flow_first_seen":1435587871929,"flow_last_seen":1435587873486,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1368,"flow_tot_l4_payload_len":1550,"flow_avg_l4_payload_len":258,"midstream":0,"ts_msec":1435587873486,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"176.34.103.105","src_port":51050,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"39f74f5618836d3c5f7dcccc9f67ba75","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"}}
-01109{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":249,"source":"waze.pcap","alias":"nDPId-test","flow_id":13,"flow_packets_processed":8,"flow_first_seen":1435587871935,"flow_last_seen":1435587873688,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":2111,"flow_tot_l4_payload_len":3661,"flow_avg_l4_payload_len":457,"midstream":0,"ts_msec":1435587873688,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"176.34.103.105","src_port":51051,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Waze","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.waze.com","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"39f74f5618836d3c5f7dcccc9f67ba75","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","issuerDN":"C=US, O=Google Inc, CN=Google Internet Authority G2","issuerDN":"C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.waze.com","fingerprint":"A9:35:F0:16:17:A3:FD:73:EC:0C:03:24:F8:34:5A:8A:B3:D7:8D:57"}}
-01109{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":251,"source":"waze.pcap","alias":"nDPId-test","flow_id":12,"flow_packets_processed":8,"flow_first_seen":1435587871929,"flow_last_seen":1435587873741,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":2111,"flow_tot_l4_payload_len":3661,"flow_avg_l4_payload_len":457,"midstream":0,"ts_msec":1435587873741,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"176.34.103.105","src_port":51050,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Waze","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.waze.com","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"39f74f5618836d3c5f7dcccc9f67ba75","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","issuerDN":"C=US, O=Google Inc, CN=Google Internet Authority G2","issuerDN":"C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.waze.com","fingerprint":"A9:35:F0:16:17:A3:FD:73:EC:0C:03:24:F8:34:5A:8A:B3:D7:8D:57"}}
-01110{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":262,"source":"waze.pcap","alias":"nDPId-test","flow_id":11,"flow_packets_processed":10,"flow_first_seen":1435587871918,"flow_last_seen":1435587874033,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1368,"flow_tot_l4_payload_len":3661,"flow_avg_l4_payload_len":366,"midstream":0,"ts_msec":1435587874033,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"176.34.103.105","src_port":51049,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Waze","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.waze.com","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"39f74f5618836d3c5f7dcccc9f67ba75","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","issuerDN":"C=US, O=Google Inc, CN=Google Internet Authority G2","issuerDN":"C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.waze.com","fingerprint":"A9:35:F0:16:17:A3:FD:73:EC:0C:03:24:F8:34:5A:8A:B3:D7:8D:57"}}
+00868{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":247,"source":"waze.pcap","alias":"nDPId-test","flow_id":12,"flow_packets_processed":6,"flow_first_seen":1435587871929,"flow_last_seen":1435587873486,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1368,"flow_tot_l4_payload_len":1550,"flow_avg_l4_payload_len":258,"midstream":0,"ts_msec":1435587873486,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"176.34.103.105","src_port":51050,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"39f74f5618836d3c5f7dcccc9f67ba75","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"}}
+01110{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":249,"source":"waze.pcap","alias":"nDPId-test","flow_id":13,"flow_packets_processed":8,"flow_first_seen":1435587871935,"flow_last_seen":1435587873688,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":2111,"flow_tot_l4_payload_len":3661,"flow_avg_l4_payload_len":457,"midstream":0,"ts_msec":1435587873688,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"176.34.103.105","src_port":51051,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Waze","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.waze.com","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"39f74f5618836d3c5f7dcccc9f67ba75","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","issuerDN":"C=US, O=Google Inc, CN=Google Internet Authority G2","subjectDN":"C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.waze.com","fingerprint":"A9:35:F0:16:17:A3:FD:73:EC:0C:03:24:F8:34:5A:8A:B3:D7:8D:57"}}
+01110{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":251,"source":"waze.pcap","alias":"nDPId-test","flow_id":12,"flow_packets_processed":8,"flow_first_seen":1435587871929,"flow_last_seen":1435587873741,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":2111,"flow_tot_l4_payload_len":3661,"flow_avg_l4_payload_len":457,"midstream":0,"ts_msec":1435587873741,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"176.34.103.105","src_port":51050,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Waze","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.waze.com","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"39f74f5618836d3c5f7dcccc9f67ba75","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","issuerDN":"C=US, O=Google Inc, CN=Google Internet Authority G2","subjectDN":"C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.waze.com","fingerprint":"A9:35:F0:16:17:A3:FD:73:EC:0C:03:24:F8:34:5A:8A:B3:D7:8D:57"}}
+01111{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":262,"source":"waze.pcap","alias":"nDPId-test","flow_id":11,"flow_packets_processed":10,"flow_first_seen":1435587871918,"flow_last_seen":1435587874033,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1368,"flow_tot_l4_payload_len":3661,"flow_avg_l4_payload_len":366,"midstream":0,"ts_msec":1435587874033,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"176.34.103.105","src_port":51049,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Waze","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.waze.com","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"39f74f5618836d3c5f7dcccc9f67ba75","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","issuerDN":"C=US, O=Google Inc, CN=Google Internet Authority G2","subjectDN":"C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.waze.com","fingerprint":"A9:35:F0:16:17:A3:FD:73:EC:0C:03:24:F8:34:5A:8A:B3:D7:8D:57"}}
00544{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":346,"source":"waze.pcap","alias":"nDPId-test","flow_id":18,"flow_packets_processed":1,"flow_first_seen":1435587878215,"flow_last_seen":1435587878215,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1435587878215,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"52.17.114.219","src_port":39021,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00472{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":346,"source":"waze.pcap","alias":"nDPId-test","flow_id":18,"flow_packet_id":1,"flow_last_seen":1435587878215,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1435587878215,"pkt":"ABoRAAACABoRAAABCABFAAA8EZdAAEAGeDAKCAABNBFy25htAbtopH5VAAAAAKAC\/\/+mHQAAAgQFtAQCCAoACG\/CAAAAAAEDAwg="}
00443{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":347,"source":"waze.pcap","alias":"nDPId-test","flow_id":18,"flow_packet_id":2,"flow_last_seen":1435587878217,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1435587878217,"pkt":"ABoRAAACABoRAAABCABFAAAodRhAABAGRMM0EXLbCggAAQG7mG2XW4GqaKR+VlAS\/\/9ktAAA"}
00443{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":348,"source":"waze.pcap","alias":"nDPId-test","flow_id":18,"flow_packet_id":3,"flow_last_seen":1435587878217,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1435587878217,"pkt":"ABoRAAACABoRAAABCABFAAAoEZhAAEAGeEMKCAABNBFy25htAbtopH5Wl1uBq1AQ\/\/9ktQAA"}
-00808{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":353,"source":"waze.pcap","alias":"nDPId-test","flow_id":18,"flow_packets_processed":4,"flow_first_seen":1435587878215,"flow_last_seen":1435587878444,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":182,"flow_tot_l4_payload_len":182,"flow_avg_l4_payload_len":45,"midstream":0,"ts_msec":1435587878444,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"52.17.114.219","src_port":39021,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
+00813{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":353,"source":"waze.pcap","alias":"nDPId-test","flow_id":18,"flow_packets_processed":4,"flow_first_seen":1435587878215,"flow_last_seen":1435587878444,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":182,"flow_tot_l4_payload_len":182,"flow_avg_l4_payload_len":45,"midstream":0,"ts_msec":1435587878444,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"52.17.114.219","src_port":39021,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
00545{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":359,"source":"waze.pcap","alias":"nDPId-test","flow_id":19,"flow_packets_processed":1,"flow_first_seen":1435587878606,"flow_last_seen":1435587878606,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1435587878606,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"176.34.186.180","src_port":36312,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00472{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":359,"source":"waze.pcap","alias":"nDPId-test","flow_id":19,"flow_packet_id":1,"flow_last_seen":1435587878606,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1435587878606,"pkt":"ABoRAAACABoRAAABCABFAAA8DkFAAEAGt5sKCAABsCK6tI3YAbvsnGGoAAAAAKAC\/\/+FVQAAAgQFtAQCCAoACG\/pAAAAAAEDAwg="}
00443{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":360,"source":"waze.pcap","alias":"nDPId-test","flow_id":19,"flow_packet_id":2,"flow_last_seen":1435587878608,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1435587878608,"pkt":"ABoRAAACABoRAAABCABFAAAodR5AABAGgNKwIrq0CggAAQG7jdgTY55X7JxhqVAS\/\/+rXgAA"}
00443{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":361,"source":"waze.pcap","alias":"nDPId-test","flow_id":19,"flow_packet_id":3,"flow_last_seen":1435587878609,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1435587878609,"pkt":"ABoRAAACABoRAAABCABFAAAoDkJAAEAGt64KCAABsCK6tI3YAbvsnGGpE2OeWFAQ\/\/+rXwAA"}
-00862{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":362,"source":"waze.pcap","alias":"nDPId-test","flow_id":18,"flow_packets_processed":6,"flow_first_seen":1435587878215,"flow_last_seen":1435587878781,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1368,"flow_tot_l4_payload_len":1550,"flow_avg_l4_payload_len":258,"midstream":0,"ts_msec":1435587878781,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"52.17.114.219","src_port":39021,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"39f74f5618836d3c5f7dcccc9f67ba75","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"}}
-01120{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":365,"source":"waze.pcap","alias":"nDPId-test","flow_id":18,"flow_packets_processed":8,"flow_first_seen":1435587878215,"flow_last_seen":1435587878832,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":2123,"flow_tot_l4_payload_len":3673,"flow_avg_l4_payload_len":459,"midstream":0,"ts_msec":1435587878832,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"52.17.114.219","src_port":39021,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Waze","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.world.waze.com","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"39f74f5618836d3c5f7dcccc9f67ba75","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","issuerDN":"C=US, O=Google Inc, CN=Google Internet Authority G2","issuerDN":"C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.world.waze.com","fingerprint":"30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B"}}
-00809{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":368,"source":"waze.pcap","alias":"nDPId-test","flow_id":19,"flow_packets_processed":4,"flow_first_seen":1435587878606,"flow_last_seen":1435587878901,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":182,"flow_tot_l4_payload_len":182,"flow_avg_l4_payload_len":45,"midstream":0,"ts_msec":1435587878901,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"176.34.186.180","src_port":36312,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
+00867{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":362,"source":"waze.pcap","alias":"nDPId-test","flow_id":18,"flow_packets_processed":6,"flow_first_seen":1435587878215,"flow_last_seen":1435587878781,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1368,"flow_tot_l4_payload_len":1550,"flow_avg_l4_payload_len":258,"midstream":0,"ts_msec":1435587878781,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"52.17.114.219","src_port":39021,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"39f74f5618836d3c5f7dcccc9f67ba75","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"}}
+01121{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":365,"source":"waze.pcap","alias":"nDPId-test","flow_id":18,"flow_packets_processed":8,"flow_first_seen":1435587878215,"flow_last_seen":1435587878832,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":2123,"flow_tot_l4_payload_len":3673,"flow_avg_l4_payload_len":459,"midstream":0,"ts_msec":1435587878832,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"52.17.114.219","src_port":39021,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Waze","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.world.waze.com","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"39f74f5618836d3c5f7dcccc9f67ba75","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","issuerDN":"C=US, O=Google Inc, CN=Google Internet Authority G2","subjectDN":"C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.world.waze.com","fingerprint":"30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B"}}
+00814{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":368,"source":"waze.pcap","alias":"nDPId-test","flow_id":19,"flow_packets_processed":4,"flow_first_seen":1435587878606,"flow_last_seen":1435587878901,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":182,"flow_tot_l4_payload_len":182,"flow_avg_l4_payload_len":45,"midstream":0,"ts_msec":1435587878901,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"176.34.186.180","src_port":36312,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
00545{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":370,"source":"waze.pcap","alias":"nDPId-test","flow_id":20,"flow_packets_processed":1,"flow_first_seen":1435587879018,"flow_last_seen":1435587879018,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1435587879018,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"176.34.186.180","src_port":36314,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00472{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":370,"source":"waze.pcap","alias":"nDPId-test","flow_id":20,"flow_packet_id":1,"flow_last_seen":1435587879018,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1435587879018,"pkt":"ABoRAAACABoRAAABCABFAAA8CjxAAEAGu6AKCAABsCK6tI3aAbtwD3ouAAAAAKAC\/\/\/pMQAAAgQFtAQCCAoACHASAAAAAAEDAwg="}
00443{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":371,"source":"waze.pcap","alias":"nDPId-test","flow_id":20,"flow_packet_id":2,"flow_last_seen":1435587879020,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1435587879020,"pkt":"ABoRAAACABoRAAABCABFAAAodSNAABAGgM2wIrq0CggAAQG7jdqP8IXRcA96L1AS\/\/+rXAAA"}
00444{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":372,"source":"waze.pcap","alias":"nDPId-test","flow_id":20,"flow_packet_id":3,"flow_last_seen":1435587879020,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1435587879020,"pkt":"ABoRAAACABoRAAABCABFAAAoCj1AAEAGu7MKCAABsCK6tI3aAbtwD3ovj\/CF0lAQ\/\/+rXQAA"}
-00863{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":375,"source":"waze.pcap","alias":"nDPId-test","flow_id":19,"flow_packets_processed":6,"flow_first_seen":1435587878606,"flow_last_seen":1435587879181,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1012,"flow_tot_l4_payload_len":1194,"flow_avg_l4_payload_len":199,"midstream":0,"ts_msec":1435587879181,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"176.34.186.180","src_port":36312,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"39f74f5618836d3c5f7dcccc9f67ba75","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"}}
-01121{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":377,"source":"waze.pcap","alias":"nDPId-test","flow_id":19,"flow_packets_processed":8,"flow_first_seen":1435587878606,"flow_last_seen":1435587879233,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":2479,"flow_tot_l4_payload_len":3673,"flow_avg_l4_payload_len":459,"midstream":0,"ts_msec":1435587879233,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"176.34.186.180","src_port":36312,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Waze","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.world.waze.com","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"39f74f5618836d3c5f7dcccc9f67ba75","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","issuerDN":"C=US, O=Google Inc, CN=Google Internet Authority G2","issuerDN":"C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.world.waze.com","fingerprint":"30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B"}}
-00809{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":383,"source":"waze.pcap","alias":"nDPId-test","flow_id":20,"flow_packets_processed":4,"flow_first_seen":1435587879018,"flow_last_seen":1435587879574,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":182,"flow_tot_l4_payload_len":182,"flow_avg_l4_payload_len":45,"midstream":0,"ts_msec":1435587879574,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"176.34.186.180","src_port":36314,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
+00868{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":375,"source":"waze.pcap","alias":"nDPId-test","flow_id":19,"flow_packets_processed":6,"flow_first_seen":1435587878606,"flow_last_seen":1435587879181,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1012,"flow_tot_l4_payload_len":1194,"flow_avg_l4_payload_len":199,"midstream":0,"ts_msec":1435587879181,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"176.34.186.180","src_port":36312,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"39f74f5618836d3c5f7dcccc9f67ba75","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"}}
+01122{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":377,"source":"waze.pcap","alias":"nDPId-test","flow_id":19,"flow_packets_processed":8,"flow_first_seen":1435587878606,"flow_last_seen":1435587879233,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":2479,"flow_tot_l4_payload_len":3673,"flow_avg_l4_payload_len":459,"midstream":0,"ts_msec":1435587879233,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"176.34.186.180","src_port":36312,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Waze","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.world.waze.com","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"39f74f5618836d3c5f7dcccc9f67ba75","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","issuerDN":"C=US, O=Google Inc, CN=Google Internet Authority G2","subjectDN":"C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.world.waze.com","fingerprint":"30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B"}}
+00814{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":383,"source":"waze.pcap","alias":"nDPId-test","flow_id":20,"flow_packets_processed":4,"flow_first_seen":1435587879018,"flow_last_seen":1435587879574,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":182,"flow_tot_l4_payload_len":182,"flow_avg_l4_payload_len":45,"midstream":0,"ts_msec":1435587879574,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"176.34.186.180","src_port":36314,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
00545{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":393,"source":"waze.pcap","alias":"nDPId-test","flow_id":21,"flow_packets_processed":1,"flow_first_seen":1435587879850,"flow_last_seen":1435587879850,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1435587879850,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"176.34.186.180","src_port":36316,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00472{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":393,"source":"waze.pcap","alias":"nDPId-test","flow_id":21,"flow_packet_id":1,"flow_last_seen":1435587879850,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1435587879850,"pkt":"ABoRAAACABoRAAABCABFAAA8Fw9AAEAGrs0KCAABsCK6tI3cAbueIGdrAAAAAKAC\/\/\/NjwAAAgQFtAQCCAoACHBkAAAAAAEDAwg="}
00443{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":394,"source":"waze.pcap","alias":"nDPId-test","flow_id":21,"flow_packet_id":2,"flow_last_seen":1435587879852,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1435587879852,"pkt":"ABoRAAACABoRAAABCABFAAAodS5AABAGgMKwIrq0CggAAQG7jdxh35iUniBnbFAS\/\/+rWgAA"}
00443{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":395,"source":"waze.pcap","alias":"nDPId-test","flow_id":21,"flow_packet_id":3,"flow_last_seen":1435587879853,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1435587879853,"pkt":"ABoRAAACABoRAAABCABFAAAoFxBAAEAGruAKCAABsCK6tI3cAbueIGdsYd+YlVAQ\/\/+rWwAA"}
-00863{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":396,"source":"waze.pcap","alias":"nDPId-test","flow_id":20,"flow_packets_processed":6,"flow_first_seen":1435587879018,"flow_last_seen":1435587879855,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1012,"flow_tot_l4_payload_len":1194,"flow_avg_l4_payload_len":199,"midstream":0,"ts_msec":1435587879855,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"176.34.186.180","src_port":36314,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"39f74f5618836d3c5f7dcccc9f67ba75","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"}}
-01121{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":398,"source":"waze.pcap","alias":"nDPId-test","flow_id":20,"flow_packets_processed":8,"flow_first_seen":1435587879018,"flow_last_seen":1435587879907,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":2479,"flow_tot_l4_payload_len":3673,"flow_avg_l4_payload_len":459,"midstream":0,"ts_msec":1435587879907,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"176.34.186.180","src_port":36314,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Waze","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.world.waze.com","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"39f74f5618836d3c5f7dcccc9f67ba75","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","issuerDN":"C=US, O=Google Inc, CN=Google Internet Authority G2","issuerDN":"C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.world.waze.com","fingerprint":"30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B"}}
-00809{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":400,"source":"waze.pcap","alias":"nDPId-test","flow_id":21,"flow_packets_processed":4,"flow_first_seen":1435587879850,"flow_last_seen":1435587879958,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":182,"flow_tot_l4_payload_len":182,"flow_avg_l4_payload_len":45,"midstream":0,"ts_msec":1435587879958,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"176.34.186.180","src_port":36316,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
-01121{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":428,"source":"waze.pcap","alias":"nDPId-test","flow_id":21,"flow_packets_processed":6,"flow_first_seen":1435587879850,"flow_last_seen":1435587880568,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":3491,"flow_tot_l4_payload_len":3673,"flow_avg_l4_payload_len":612,"midstream":0,"ts_msec":1435587880568,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"176.34.186.180","src_port":36316,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Waze","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.world.waze.com","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"39f74f5618836d3c5f7dcccc9f67ba75","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","issuerDN":"C=US, O=Google Inc, CN=Google Internet Authority G2","issuerDN":"C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.world.waze.com","fingerprint":"30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B"}}
+00868{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":396,"source":"waze.pcap","alias":"nDPId-test","flow_id":20,"flow_packets_processed":6,"flow_first_seen":1435587879018,"flow_last_seen":1435587879855,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1012,"flow_tot_l4_payload_len":1194,"flow_avg_l4_payload_len":199,"midstream":0,"ts_msec":1435587879855,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"176.34.186.180","src_port":36314,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"39f74f5618836d3c5f7dcccc9f67ba75","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"}}
+01122{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":398,"source":"waze.pcap","alias":"nDPId-test","flow_id":20,"flow_packets_processed":8,"flow_first_seen":1435587879018,"flow_last_seen":1435587879907,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":2479,"flow_tot_l4_payload_len":3673,"flow_avg_l4_payload_len":459,"midstream":0,"ts_msec":1435587879907,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"176.34.186.180","src_port":36314,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Waze","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.world.waze.com","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"39f74f5618836d3c5f7dcccc9f67ba75","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","issuerDN":"C=US, O=Google Inc, CN=Google Internet Authority G2","subjectDN":"C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.world.waze.com","fingerprint":"30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B"}}
+00814{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":400,"source":"waze.pcap","alias":"nDPId-test","flow_id":21,"flow_packets_processed":4,"flow_first_seen":1435587879850,"flow_last_seen":1435587879958,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":182,"flow_tot_l4_payload_len":182,"flow_avg_l4_payload_len":45,"midstream":0,"ts_msec":1435587879958,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"176.34.186.180","src_port":36316,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
+01122{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":428,"source":"waze.pcap","alias":"nDPId-test","flow_id":21,"flow_packets_processed":6,"flow_first_seen":1435587879850,"flow_last_seen":1435587880568,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":3491,"flow_tot_l4_payload_len":3673,"flow_avg_l4_payload_len":612,"midstream":0,"ts_msec":1435587880568,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"176.34.186.180","src_port":36316,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Waze","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.world.waze.com","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"39f74f5618836d3c5f7dcccc9f67ba75","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","issuerDN":"C=US, O=Google Inc, CN=Google Internet Authority G2","subjectDN":"C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.world.waze.com","fingerprint":"30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B"}}
00546{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":432,"source":"waze.pcap","alias":"nDPId-test","flow_id":22,"flow_packets_processed":1,"flow_first_seen":1435587880576,"flow_last_seen":1435587880576,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1435587880576,"l3_proto":"ip4","src_ip":"10.16.37.157","dst_ip":"200.160.4.31","src_port":43991,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00458{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":432,"source":"waze.pcap","alias":"nDPId-test","flow_id":22,"flow_packet_id":1,"flow_last_seen":1435587880576,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1435587880576,"pkt":"ABoRAAACABoRAAABCABFAAA0U4FAAEAG6tYKECWdyKAEH6vXAFAtnZBdDlnt+YARAVu2DAAAAQEICgAIcK6K\/GDA"}
00443{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":433,"source":"waze.pcap","alias":"nDPId-test","flow_id":22,"flow_packet_id":2,"flow_last_seen":1435587880577,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1435587880577,"pkt":"ABoRAAACABoRAAABCABFAAAodUFAABAG+SLIoAQfChAlnQBQq9cOWe35LZ2QXlAQ\/\/9M8gAA"}
@@ -161,8 +161,8 @@
00473{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":532,"source":"waze.pcap","alias":"nDPId-test","flow_id":31,"flow_packet_id":1,"flow_last_seen":1435587894241,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1435587894241,"pkt":"ABoRAAACABoRAAABCABFAAA87+5AAEAGZNsKCAABLjOtto0mAbvDfJnqAAAAAKAC\/\/\/\/twAAAgQFtAQCCAoACHYEAAAAAAEDAwg="}
00444{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":533,"source":"waze.pcap","alias":"nDPId-test","flow_id":31,"flow_packet_id":2,"flow_last_seen":1435587894244,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1435587894244,"pkt":"ABoRAAACABoRAAABCABFAAAodXFAABAGD20uM622CggAAQG7jSY8g2YVw3yZ61AS\/\/86\/gAA"}
00444{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":534,"source":"waze.pcap","alias":"nDPId-test","flow_id":31,"flow_packet_id":3,"flow_last_seen":1435587894244,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1435587894244,"pkt":"ABoRAAACABoRAAABCABFAAAo7+9AAEAGZO4KCAABLjOtto0mAbvDfJnrPINmFlAQ\/\/86\/wAA"}
-00808{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":535,"source":"waze.pcap","alias":"nDPId-test","flow_id":31,"flow_packets_processed":4,"flow_first_seen":1435587894241,"flow_last_seen":1435587894323,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":182,"flow_tot_l4_payload_len":182,"flow_avg_l4_payload_len":45,"midstream":0,"ts_msec":1435587894323,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"46.51.173.182","src_port":36134,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
-01136{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":537,"source":"waze.pcap","alias":"nDPId-test","flow_id":31,"flow_packets_processed":6,"flow_first_seen":1435587894241,"flow_last_seen":1435587894759,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":3147,"flow_tot_l4_payload_len":3329,"flow_avg_l4_payload_len":554,"midstream":0,"ts_msec":1435587894759,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"46.51.173.182","src_port":36134,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.Waze","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.world.waze.com","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"714ac86d50db68420429ca897688f5f3","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Google Inc, CN=Google Internet Authority G2","issuerDN":"C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.world.waze.com","fingerprint":"30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B"}}
+00813{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":535,"source":"waze.pcap","alias":"nDPId-test","flow_id":31,"flow_packets_processed":4,"flow_first_seen":1435587894241,"flow_last_seen":1435587894323,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":182,"flow_tot_l4_payload_len":182,"flow_avg_l4_payload_len":45,"midstream":0,"ts_msec":1435587894323,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"46.51.173.182","src_port":36134,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
+01137{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":537,"source":"waze.pcap","alias":"nDPId-test","flow_id":31,"flow_packets_processed":6,"flow_first_seen":1435587894241,"flow_last_seen":1435587894759,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":3147,"flow_tot_l4_payload_len":3329,"flow_avg_l4_payload_len":554,"midstream":0,"ts_msec":1435587894759,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"46.51.173.182","src_port":36134,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.Waze","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.world.waze.com","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"714ac86d50db68420429ca897688f5f3","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Google Inc, CN=Google Internet Authority G2","subjectDN":"C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.world.waze.com","fingerprint":"30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B"}}
00546{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":552,"source":"waze.pcap","alias":"nDPId-test","flow_id":32,"flow_packets_processed":1,"flow_first_seen":1435587898822,"flow_last_seen":1435587898822,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1435587898822,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"108.168.176.228","src_port":50828,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00471{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":552,"source":"waze.pcap","alias":"nDPId-test","flow_id":32,"flow_packet_id":1,"flow_last_seen":1435587898822,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1435587898822,"pkt":"ABoRAAACABoRAAABCABFAAA8qMZAAEAGamAKCAABbKiw5MaMAbuJft8IAAAAAKAC\/\/93xAAAAgQFtAQCCAoACHfOAAAAAAEDAwg="}
00444{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":553,"source":"waze.pcap","alias":"nDPId-test","flow_id":32,"flow_packet_id":2,"flow_last_seen":1435587898824,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1435587898824,"pkt":"ABoRAAACABoRAAABCABFAAAodXtAABAGzb9sqLDkCggAAQG7xox2gSD3iX7fCVAS\/\/+\/9AAA"}
@@ -171,9 +171,9 @@
00472{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":575,"source":"waze.pcap","alias":"nDPId-test","flow_id":33,"flow_packet_id":1,"flow_last_seen":1435587905035,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1435587905035,"pkt":"ABoRAAACABoRAAABCABFAAA82iNAAEAGeqYKCAABLjOtto0pAbvwXaAfAAAAAKAC\/\/\/IZgAAAgQFtAQCCAoACHo8AAAAAAEDAwg="}
00444{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":576,"source":"waze.pcap","alias":"nDPId-test","flow_id":33,"flow_packet_id":2,"flow_last_seen":1435587905038,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1435587905038,"pkt":"ABoRAAACABoRAAABCABFAAAodYZAABAGD1guM622CggAAQG7jSkPol\/g8F2gIFAS\/\/86+wAA"}
00444{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":577,"source":"waze.pcap","alias":"nDPId-test","flow_id":33,"flow_packet_id":3,"flow_last_seen":1435587905039,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1435587905039,"pkt":"ABoRAAACABoRAAABCABFAAAo2iRAAEAGerkKCAABLjOtto0pAbvwXaAgD6Jf4VAQ\/\/86\/AAA"}
-00808{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":578,"source":"waze.pcap","alias":"nDPId-test","flow_id":33,"flow_packets_processed":4,"flow_first_seen":1435587905035,"flow_last_seen":1435587905111,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":182,"flow_tot_l4_payload_len":182,"flow_avg_l4_payload_len":45,"midstream":0,"ts_msec":1435587905111,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"46.51.173.182","src_port":36137,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
-00878{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":580,"source":"waze.pcap","alias":"nDPId-test","flow_id":33,"flow_packets_processed":6,"flow_first_seen":1435587905035,"flow_last_seen":1435587905510,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1012,"flow_tot_l4_payload_len":1194,"flow_avg_l4_payload_len":199,"midstream":0,"ts_msec":1435587905510,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"46.51.173.182","src_port":36137,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"714ac86d50db68420429ca897688f5f3","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA"}}
-01136{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":582,"source":"waze.pcap","alias":"nDPId-test","flow_id":33,"flow_packets_processed":8,"flow_first_seen":1435587905035,"flow_last_seen":1435587905565,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":2135,"flow_tot_l4_payload_len":3329,"flow_avg_l4_payload_len":416,"midstream":0,"ts_msec":1435587905565,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"46.51.173.182","src_port":36137,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.Waze","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.world.waze.com","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"714ac86d50db68420429ca897688f5f3","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Google Inc, CN=Google Internet Authority G2","issuerDN":"C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.world.waze.com","fingerprint":"30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B"}}
+00813{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":578,"source":"waze.pcap","alias":"nDPId-test","flow_id":33,"flow_packets_processed":4,"flow_first_seen":1435587905035,"flow_last_seen":1435587905111,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":182,"flow_tot_l4_payload_len":182,"flow_avg_l4_payload_len":45,"midstream":0,"ts_msec":1435587905111,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"46.51.173.182","src_port":36137,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
+00883{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":580,"source":"waze.pcap","alias":"nDPId-test","flow_id":33,"flow_packets_processed":6,"flow_first_seen":1435587905035,"flow_last_seen":1435587905510,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1012,"flow_tot_l4_payload_len":1194,"flow_avg_l4_payload_len":199,"midstream":0,"ts_msec":1435587905510,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"46.51.173.182","src_port":36137,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"714ac86d50db68420429ca897688f5f3","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA"}}
+01137{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":582,"source":"waze.pcap","alias":"nDPId-test","flow_id":33,"flow_packets_processed":8,"flow_first_seen":1435587905035,"flow_last_seen":1435587905565,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":2135,"flow_tot_l4_payload_len":3329,"flow_avg_l4_payload_len":416,"midstream":0,"ts_msec":1435587905565,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"46.51.173.182","src_port":36137,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.Waze","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.world.waze.com","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"714ac86d50db68420429ca897688f5f3","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Google Inc, CN=Google Internet Authority G2","subjectDN":"C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.world.waze.com","fingerprint":"30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B"}}
00585{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":597,"source":"waze.pcap","alias":"nDPId-test","flow_id":26,"flow_packets_processed":4,"flow_first_seen":1435587880580,"flow_last_seen":1435587880589,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1435587907392,"l3_proto":"ip4","src_ip":"10.16.37.157","dst_ip":"200.160.4.49","src_port":52953,"dst_port":80,"l4_proto":"tcp","ndpi": {"proto":"HTTP","breed":"Acceptable","category":"Web"},"http": {}}
00546{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":597,"source":"waze.pcap","alias":"nDPId-test","flow_id":26,"flow_packets_processed":4,"flow_first_seen":1435587880580,"flow_last_seen":1435587880589,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1435587907392,"l3_proto":"ip4","src_ip":"10.16.37.157","dst_ip":"200.160.4.49","src_port":52953,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00552{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":597,"source":"waze.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":17,"flow_first_seen":1435587868632,"flow_last_seen":1435587869162,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1624,"flow_tot_l4_payload_len":3077,"flow_avg_l4_payload_len":181,"midstream":0,"ts_msec":1435587907392,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"54.230.227.172","src_port":45529,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -227,10 +227,10 @@
~~ total active/idle flows...: 33/33
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 2262543 bytes
-~~ total memory freed........: 2262543 bytes
-~~ total allocations/frees...: 36127/36127
+~~ total memory allocated....: 4911290 bytes
+~~ total memory freed........: 4911290 bytes
+~~ total allocations/frees...: 100323/100323
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 160 chars
-~~ json string max len.......: 1141 chars
+~~ json string max len.......: 1142 chars
~~ json string avg len.......: 721 chars
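Review bot: The allocation summary for waze.pcap more than doubles in this hunk (`total memory allocated` 2262543 → 4911290 bytes, `total allocations/frees` 36127 → 100323) while the context line still reports `33/33` flows. The other expected-output changes visible for this capture, a `TLS.Amazon` → `TLS.AmazonAWS` reclassification and the `issuerDN` → `subjectDN` key fix, do not account for growth of that size. It presumably comes from the libnDPI submodule bump listed in the diffstat rather than from the nDPId.c change, but that is worth confirming and recording in the commit description, because memory use for the same input affects how the daemon behaves under heavy traffic. Allocated and freed totals still match, so the new numbers do not indicate a leak.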
diff --git a/test/results/webex.pcap.out b/test/results/webex.pcap.out
index a7ce2f81c..31d0d9093 100644
--- a/test/results/webex.pcap.out
+++ b/test/results/webex.pcap.out
@@ -4,7 +4,7 @@
00441{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"webex.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_last_seen":1444570624860,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1444570624860,"pkt":"ABoRAAACABoRAAABCABFAAAoAQ5AABAGtg5ARGlnCggAAQG7oYKw53jzTxiHDVAS\/\/9Y4AAA"}
00439{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"webex.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_last_seen":1444570624860,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1444570624860,"pkt":"ABoRAAACABoRAAABCABFAAAoOXRAAEAGTagKCAABQERpZ6GCAbtPGIcNsOd49FAQOQgf2QAA"}
00821{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"webex.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":4,"flow_first_seen":1444570624853,"flow_last_seen":1444570624860,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":195,"flow_tot_l4_payload_len":195,"flow_avg_l4_payload_len":48,"midstream":0,"ts_msec":1444570624860,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41346,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Webex","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1.2","client_requested_server_name":"radcom.webex.com","ja3":"f9010d8c34749bdf7659b52227e6f91b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
-01174{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":8,"source":"webex.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":8,"flow_first_seen":1444570624853,"flow_last_seen":1444570625424,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":2720,"flow_tot_l4_payload_len":4134,"flow_avg_l4_payload_len":516,"midstream":0,"ts_msec":1444570625424,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41346,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Webex","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1.2","client_requested_server_name":"radcom.webex.com","server_names":"*.webex.com","ja3":"f9010d8c34749bdf7659b52227e6f91b","ja3s":"c253ec3ad88e42f8da4032682892f9a0","unsafe_cipher":2,"cipher":"TLS_RSA_WITH_RC4_128_MD5","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","issuerDN":"C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com","fingerprint":"61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1"}}
+01175{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":8,"source":"webex.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":8,"flow_first_seen":1444570624853,"flow_last_seen":1444570625424,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":2720,"flow_tot_l4_payload_len":4134,"flow_avg_l4_payload_len":516,"midstream":0,"ts_msec":1444570625424,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41346,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Webex","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1.2","client_requested_server_name":"radcom.webex.com","server_names":"*.webex.com","ja3":"f9010d8c34749bdf7659b52227e6f91b","ja3s":"c253ec3ad88e42f8da4032682892f9a0","unsafe_cipher":2,"cipher":"TLS_RSA_WITH_RC4_128_MD5","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com","fingerprint":"61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1"}}
00543{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":50,"source":"webex.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":1,"flow_first_seen":1444570627404,"flow_last_seen":1444570627404,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1444570627404,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41348,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00469{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":50,"source":"webex.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_last_seen":1444570627404,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1444570627404,"pkt":"ABoRAAACABoRAAABCABFAAA8hnNAAEAGAJUKCAABQERpZ6GEAbuwMDkNAAAAAKACOQgO\/QAAAgQFtAQCCAoATL9+AAAAAAEDAwY="}
00442{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":51,"source":"webex.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_last_seen":1444570627409,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1444570627409,"pkt":"ABoRAAACABoRAAABCABFAAAoASZAABAGtfZARGlnCggAAQG7oYRPz8bysDA5DlAS\/\/9Y3gAA"}
@@ -36,19 +36,19 @@
00443{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":179,"source":"webex.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":2,"flow_last_seen":1444570631726,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1444570631726,"pkt":"ABoRAAACABoRAAABCABFAAAoAWZAABAGtbZARGlnCggAAQG7oYqF2dBpeiYvl1AS\/\/9Y2AAA"}
00441{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":180,"source":"webex.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":3,"flow_last_seen":1444570631726,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1444570631726,"pkt":"ABoRAAACABoRAAABCABFAAAo7rlAAEAGmGIKCAABQERpZ6GKAbt6Ji+XhdnQalAQOQgf0QAA"}
00806{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":181,"source":"webex.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":4,"flow_first_seen":1444570631722,"flow_last_seen":1444570631731,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":63,"flow_tot_l4_payload_len":63,"flow_avg_l4_payload_len":15,"midstream":0,"ts_msec":1444570631731,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41354,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Webex","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"7cb93b2404a98399e9f84c74fef1fb8f","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
-01187{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":185,"source":"webex.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":8,"flow_first_seen":1444570631722,"flow_last_seen":1444570632251,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":2579,"flow_tot_l4_payload_len":4002,"flow_avg_l4_payload_len":500,"midstream":0,"ts_msec":1444570632251,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41354,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.Webex","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.webex.com","ja3":"7cb93b2404a98399e9f84c74fef1fb8f","ja3s":"91589ea825a2ee41810c85fab06d2ef6","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","issuerDN":"C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com","fingerprint":"61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1"}}
+01188{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":185,"source":"webex.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":8,"flow_first_seen":1444570631722,"flow_last_seen":1444570632251,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":2579,"flow_tot_l4_payload_len":4002,"flow_avg_l4_payload_len":500,"midstream":0,"ts_msec":1444570632251,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41354,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.Webex","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.webex.com","ja3":"7cb93b2404a98399e9f84c74fef1fb8f","ja3s":"91589ea825a2ee41810c85fab06d2ef6","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com","fingerprint":"61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1"}}
00544{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":189,"source":"webex.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":1,"flow_first_seen":1444570632436,"flow_last_seen":1444570632436,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1444570632436,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"23.44.253.243","src_port":49048,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00470{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":189,"source":"webex.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":1,"flow_last_seen":1444570632436,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1444570632436,"pkt":"ABoRAAACABoRAAABCABFAAA8E6FAAEAGB\/MKCAABFyz987+YAbs3etLXAAAAAKACOQhiaAAAAgQFtAQCCAoATMF2AAAAAAEDAwY="}
00444{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":190,"source":"webex.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":2,"flow_last_seen":1444570632439,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1444570632439,"pkt":"ABoRAAACABoRAAABCABFAAAoAWtAABAGSj0XLP3zCggAAQG7v5jIhS0oN3rS2FAS\/\/\/PVQAA"}
00441{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":191,"source":"webex.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":3,"flow_last_seen":1444570632470,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1444570632470,"pkt":"ABoRAAACABoRAAABCABFAAAoE6JAAEAGCAYKCAABFyz987+YAbs3etLYyIUtKVAQOQiWTgAA"}
00793{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":192,"source":"webex.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":4,"flow_first_seen":1444570632436,"flow_last_seen":1444570632470,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":63,"flow_tot_l4_payload_len":63,"flow_avg_l4_payload_len":15,"midstream":0,"ts_msec":1444570632470,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"23.44.253.243","src_port":49048,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"7cb93b2404a98399e9f84c74fef1fb8f","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
-01647{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":195,"source":"webex.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":6,"flow_first_seen":1444570632436,"flow_last_seen":1444570632591,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":2903,"flow_tot_l4_payload_len":2966,"flow_avg_l4_payload_len":494,"midstream":0,"ts_msec":1444570632591,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"23.44.253.243","src_port":49048,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.Webex","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"www.webex.com.au,www.webex.ca,www.webex.de,www.webex.com.hk,www.webex.co.in,www.webex.co.it,www.webex.co.jp,www.webex.com.mx,www.webex.co.uk,m.webex.com,signup.webex.com,signup.webex.co.uk,signup.webex.de,mytrial.webex.com,mytrial.webex.com.mx,mytrial.webex.co.in,mytrial.webex.com.au,mytrial.webex.co.jp,support.webex.com,howdoi.webex.com,kb.webex.com,myresources.webex.com,invoices.webex.com,try.webex.com,buyonline.webex.com,buyonline.webex.de,buyonline.webex.co.uk,tempbol.webex.com,tempsupport.webex.com,www.webex.com,webex.com","ja3":"7cb93b2404a98399e9f84c74fef1fb8f","ja3s":"714ac86d50db68420429ca897688f5f3","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=GeoTrust, Inc., CN=GeoTrust SSL CA","issuerDN":"C=US, ST=California, L=San Jose, O=Cisco Systems, OU=IT, CN=www.webex.com","fingerprint":"EE:CE:24:B7:67:4D:F0:3F:16:80:F8:DC:E3:53:45:5F:3E:41:25:CD"}}
+01648{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":195,"source":"webex.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":6,"flow_first_seen":1444570632436,"flow_last_seen":1444570632591,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":2903,"flow_tot_l4_payload_len":2966,"flow_avg_l4_payload_len":494,"midstream":0,"ts_msec":1444570632591,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"23.44.253.243","src_port":49048,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.Webex","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"www.webex.com.au,www.webex.ca,www.webex.de,www.webex.com.hk,www.webex.co.in,www.webex.co.it,www.webex.co.jp,www.webex.com.mx,www.webex.co.uk,m.webex.com,signup.webex.com,signup.webex.co.uk,signup.webex.de,mytrial.webex.com,mytrial.webex.com.mx,mytrial.webex.co.in,mytrial.webex.com.au,mytrial.webex.co.jp,support.webex.com,howdoi.webex.com,kb.webex.com,myresources.webex.com,invoices.webex.com,try.webex.com,buyonline.webex.com,buyonline.webex.de,buyonline.webex.co.uk,tempbol.webex.com,tempsupport.webex.com,www.webex.com,webex.com","ja3":"7cb93b2404a98399e9f84c74fef1fb8f","ja3s":"714ac86d50db68420429ca897688f5f3","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=GeoTrust, Inc., CN=GeoTrust SSL CA","subjectDN":"C=US, ST=California, L=San Jose, O=Cisco Systems, OU=IT, CN=www.webex.com","fingerprint":"EE:CE:24:B7:67:4D:F0:3F:16:80:F8:DC:E3:53:45:5F:3E:41:25:CD"}}
00544{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":218,"source":"webex.pcap","alias":"nDPId-test","flow_id":9,"flow_packets_processed":1,"flow_first_seen":1444570633357,"flow_last_seen":1444570633357,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1444570633357,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41358,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00469{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":218,"source":"webex.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":1,"flow_last_seen":1444570633357,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1444570633357,"pkt":"ABoRAAACABoRAAABCABFAAA87DBAAEAGmtcKCAABQERpZ6GOAbtaKC3iAAAAAKACOQht0gAAAgQFtAQCCAoATMHSAAAAAAEDAwY="}
00443{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":219,"source":"webex.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":2,"flow_last_seen":1444570633360,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1444570633360,"pkt":"ABoRAAACABoRAAABCABFAAAoAXpAABAGtaJARGlnCggAAQG7oY6l19IdWigt41AS\/\/9Y1AAA"}
00441{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":220,"source":"webex.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":3,"flow_last_seen":1444570633360,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1444570633360,"pkt":"ABoRAAACABoRAAABCABFAAAo7DFAAEAGmuoKCAABQERpZ6GOAbtaKC3jpdfSHlAQOQgfzQAA"}
00806{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":221,"source":"webex.pcap","alias":"nDPId-test","flow_id":9,"flow_packets_processed":4,"flow_first_seen":1444570633357,"flow_last_seen":1444570633362,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":63,"flow_tot_l4_payload_len":63,"flow_avg_l4_payload_len":15,"midstream":0,"ts_msec":1444570633362,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41358,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Webex","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"7cb93b2404a98399e9f84c74fef1fb8f","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
-01187{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":225,"source":"webex.pcap","alias":"nDPId-test","flow_id":9,"flow_packets_processed":8,"flow_first_seen":1444570633357,"flow_last_seen":1444570633811,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":2579,"flow_tot_l4_payload_len":4002,"flow_avg_l4_payload_len":500,"midstream":0,"ts_msec":1444570633811,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41358,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.Webex","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.webex.com","ja3":"7cb93b2404a98399e9f84c74fef1fb8f","ja3s":"91589ea825a2ee41810c85fab06d2ef6","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","issuerDN":"C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com","fingerprint":"61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1"}}
+01188{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":225,"source":"webex.pcap","alias":"nDPId-test","flow_id":9,"flow_packets_processed":8,"flow_first_seen":1444570633357,"flow_last_seen":1444570633811,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":2579,"flow_tot_l4_payload_len":4002,"flow_avg_l4_payload_len":500,"midstream":0,"ts_msec":1444570633811,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41358,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.Webex","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.webex.com","ja3":"7cb93b2404a98399e9f84c74fef1fb8f","ja3s":"91589ea825a2ee41810c85fab06d2ef6","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com","fingerprint":"61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1"}}
00546{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":256,"source":"webex.pcap","alias":"nDPId-test","flow_id":10,"flow_packets_processed":1,"flow_first_seen":1444570636151,"flow_last_seen":1444570636151,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1444570636151,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"114.29.213.212","src_port":41726,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00470{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":256,"source":"webex.pcap","alias":"nDPId-test","flow_id":10,"flow_packet_id":1,"flow_last_seen":1444570636151,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1444570636151,"pkt":"ABoRAAACABoRAAABCABFAAA8tbVAAEAGMwwKCAABch3V1KL+AbsYGndcAAAAAKACOQjFmAAAAgQFtAQCCAoATMLpAAAAAAEDAwY="}
00444{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":257,"source":"webex.pcap","alias":"nDPId-test","flow_id":10,"flow_packet_id":2,"flow_last_seen":1444570636154,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1444570636154,"pkt":"ABoRAAACABoRAAABCABFAAAoAY1AABAGF0lyHdXUCggAAQG7ov7n5YijGBp3XVAS\/\/+5HQAA"}
@@ -119,28 +119,28 @@
00444{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":322,"source":"webex.pcap","alias":"nDPId-test","flow_id":23,"flow_packet_id":2,"flow_last_seen":1444570636395,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1444570636395,"pkt":"ABoRAAACABoRAAABCABFAAAoAadAABAGtXVARGlnCggAAQG7oar5IuamBt0ZWlAS\/\/9YuAAA"}
00442{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":323,"source":"webex.pcap","alias":"nDPId-test","flow_id":23,"flow_packet_id":3,"flow_last_seen":1444570636395,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1444570636395,"pkt":"ABoRAAACABoRAAABCABFAAAo2llAAEAGrMIKCAABQERpZ6GqAbsG3Rla+SLmp1AQOQgfsQAA"}
00807{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":324,"source":"webex.pcap","alias":"nDPId-test","flow_id":23,"flow_packets_processed":4,"flow_first_seen":1444570636387,"flow_last_seen":1444570636397,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":63,"flow_tot_l4_payload_len":63,"flow_avg_l4_payload_len":15,"midstream":0,"ts_msec":1444570636397,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41386,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Webex","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"7cb93b2404a98399e9f84c74fef1fb8f","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
-01187{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":328,"source":"webex.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":8,"flow_first_seen":1444570636180,"flow_last_seen":1444570636471,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":2527,"flow_tot_l4_payload_len":3970,"flow_avg_l4_payload_len":496,"midstream":0,"ts_msec":1444570636471,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"62.109.231.3","src_port":45814,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.Webex","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.webex.com","ja3":"7cb93b2404a98399e9f84c74fef1fb8f","ja3s":"91589ea825a2ee41810c85fab06d2ef6","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","issuerDN":"C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com","fingerprint":"61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1"}}
-01190{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":335,"source":"webex.pcap","alias":"nDPId-test","flow_id":12,"flow_packets_processed":6,"flow_first_seen":1444570636160,"flow_last_seen":1444570636701,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":3907,"flow_tot_l4_payload_len":3970,"flow_avg_l4_payload_len":661,"midstream":0,"ts_msec":1444570636701,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"209.197.222.159","src_port":47498,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.Webex","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.webex.com","ja3":"7cb93b2404a98399e9f84c74fef1fb8f","ja3s":"91589ea825a2ee41810c85fab06d2ef6","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","issuerDN":"C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com","fingerprint":"61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1"}}
-01188{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":336,"source":"webex.pcap","alias":"nDPId-test","flow_id":15,"flow_packets_processed":8,"flow_first_seen":1444570636248,"flow_last_seen":1444570636703,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":2579,"flow_tot_l4_payload_len":4002,"flow_avg_l4_payload_len":500,"midstream":0,"ts_msec":1444570636703,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.104.140","src_port":44492,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.Webex","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.webex.com","ja3":"7cb93b2404a98399e9f84c74fef1fb8f","ja3s":"91589ea825a2ee41810c85fab06d2ef6","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","issuerDN":"C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com","fingerprint":"61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1"}}
-01187{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":341,"source":"webex.pcap","alias":"nDPId-test","flow_id":17,"flow_packets_processed":8,"flow_first_seen":1444570636255,"flow_last_seen":1444570636706,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":2920,"flow_tot_l4_payload_len":3970,"flow_avg_l4_payload_len":496,"midstream":0,"ts_msec":1444570636706,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"173.243.4.76","src_port":52730,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.Webex","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.webex.com","ja3":"7cb93b2404a98399e9f84c74fef1fb8f","ja3s":"91589ea825a2ee41810c85fab06d2ef6","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","issuerDN":"C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com","fingerprint":"61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1"}}
-01188{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":347,"source":"webex.pcap","alias":"nDPId-test","flow_id":13,"flow_packets_processed":6,"flow_first_seen":1444570636170,"flow_last_seen":1444570636773,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":3907,"flow_tot_l4_payload_len":3970,"flow_avg_l4_payload_len":661,"midstream":0,"ts_msec":1444570636773,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.121.153","src_port":57647,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.Webex","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.webex.com","ja3":"7cb93b2404a98399e9f84c74fef1fb8f","ja3s":"91589ea825a2ee41810c85fab06d2ef6","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","issuerDN":"C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com","fingerprint":"61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1"}}
-01187{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":355,"source":"webex.pcap","alias":"nDPId-test","flow_id":22,"flow_packets_processed":6,"flow_first_seen":1444570636364,"flow_last_seen":1444570636827,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":3939,"flow_tot_l4_payload_len":4002,"flow_avg_l4_payload_len":667,"midstream":0,"ts_msec":1444570636827,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.98","src_port":37129,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.Webex","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.webex.com","ja3":"7cb93b2404a98399e9f84c74fef1fb8f","ja3s":"91589ea825a2ee41810c85fab06d2ef6","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","issuerDN":"C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com","fingerprint":"61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1"}}
-01188{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":356,"source":"webex.pcap","alias":"nDPId-test","flow_id":23,"flow_packets_processed":6,"flow_first_seen":1444570636387,"flow_last_seen":1444570636828,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":3939,"flow_tot_l4_payload_len":4002,"flow_avg_l4_payload_len":667,"midstream":0,"ts_msec":1444570636828,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41386,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.Webex","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.webex.com","ja3":"7cb93b2404a98399e9f84c74fef1fb8f","ja3s":"91589ea825a2ee41810c85fab06d2ef6","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","issuerDN":"C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com","fingerprint":"61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1"}}
-01187{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":357,"source":"webex.pcap","alias":"nDPId-test","flow_id":21,"flow_packets_processed":8,"flow_first_seen":1444570636359,"flow_last_seen":1444570636829,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":2579,"flow_tot_l4_payload_len":4002,"flow_avg_l4_payload_len":500,"midstream":0,"ts_msec":1444570636829,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.97","src_port":51370,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.Webex","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.webex.com","ja3":"7cb93b2404a98399e9f84c74fef1fb8f","ja3s":"91589ea825a2ee41810c85fab06d2ef6","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","issuerDN":"C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com","fingerprint":"61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1"}}
-01188{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":365,"source":"webex.pcap","alias":"nDPId-test","flow_id":18,"flow_packets_processed":6,"flow_first_seen":1444570636259,"flow_last_seen":1444570636894,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":3939,"flow_tot_l4_payload_len":4002,"flow_avg_l4_payload_len":667,"midstream":0,"ts_msec":1444570636894,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.121.100","src_port":52219,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.Webex","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.webex.com","ja3":"7cb93b2404a98399e9f84c74fef1fb8f","ja3s":"91589ea825a2ee41810c85fab06d2ef6","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","issuerDN":"C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com","fingerprint":"61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1"}}
-01187{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":368,"source":"webex.pcap","alias":"nDPId-test","flow_id":19,"flow_packets_processed":6,"flow_first_seen":1444570636264,"flow_last_seen":1444570636897,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":3939,"flow_tot_l4_payload_len":4002,"flow_avg_l4_payload_len":667,"midstream":0,"ts_msec":1444570636897,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.121.99","src_port":55969,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.Webex","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.webex.com","ja3":"7cb93b2404a98399e9f84c74fef1fb8f","ja3s":"91589ea825a2ee41810c85fab06d2ef6","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","issuerDN":"C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com","fingerprint":"61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1"}}
-01188{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":381,"source":"webex.pcap","alias":"nDPId-test","flow_id":11,"flow_packets_processed":8,"flow_first_seen":1444570636155,"flow_last_seen":1444570636963,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":2527,"flow_tot_l4_payload_len":3970,"flow_avg_l4_payload_len":496,"midstream":0,"ts_msec":1444570636963,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"114.29.204.49","src_port":51646,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.Webex","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.webex.com","ja3":"7cb93b2404a98399e9f84c74fef1fb8f","ja3s":"91589ea825a2ee41810c85fab06d2ef6","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","issuerDN":"C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com","fingerprint":"61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1"}}
+01188{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":328,"source":"webex.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":8,"flow_first_seen":1444570636180,"flow_last_seen":1444570636471,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":2527,"flow_tot_l4_payload_len":3970,"flow_avg_l4_payload_len":496,"midstream":0,"ts_msec":1444570636471,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"62.109.231.3","src_port":45814,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.Webex","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.webex.com","ja3":"7cb93b2404a98399e9f84c74fef1fb8f","ja3s":"91589ea825a2ee41810c85fab06d2ef6","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com","fingerprint":"61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1"}}
+01191{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":335,"source":"webex.pcap","alias":"nDPId-test","flow_id":12,"flow_packets_processed":6,"flow_first_seen":1444570636160,"flow_last_seen":1444570636701,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":3907,"flow_tot_l4_payload_len":3970,"flow_avg_l4_payload_len":661,"midstream":0,"ts_msec":1444570636701,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"209.197.222.159","src_port":47498,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.Webex","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.webex.com","ja3":"7cb93b2404a98399e9f84c74fef1fb8f","ja3s":"91589ea825a2ee41810c85fab06d2ef6","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com","fingerprint":"61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1"}}
+01189{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":336,"source":"webex.pcap","alias":"nDPId-test","flow_id":15,"flow_packets_processed":8,"flow_first_seen":1444570636248,"flow_last_seen":1444570636703,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":2579,"flow_tot_l4_payload_len":4002,"flow_avg_l4_payload_len":500,"midstream":0,"ts_msec":1444570636703,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.104.140","src_port":44492,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.Webex","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.webex.com","ja3":"7cb93b2404a98399e9f84c74fef1fb8f","ja3s":"91589ea825a2ee41810c85fab06d2ef6","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com","fingerprint":"61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1"}}
+01188{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":341,"source":"webex.pcap","alias":"nDPId-test","flow_id":17,"flow_packets_processed":8,"flow_first_seen":1444570636255,"flow_last_seen":1444570636706,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":2920,"flow_tot_l4_payload_len":3970,"flow_avg_l4_payload_len":496,"midstream":0,"ts_msec":1444570636706,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"173.243.4.76","src_port":52730,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.Webex","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.webex.com","ja3":"7cb93b2404a98399e9f84c74fef1fb8f","ja3s":"91589ea825a2ee41810c85fab06d2ef6","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com","fingerprint":"61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1"}}
+01189{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":347,"source":"webex.pcap","alias":"nDPId-test","flow_id":13,"flow_packets_processed":6,"flow_first_seen":1444570636170,"flow_last_seen":1444570636773,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":3907,"flow_tot_l4_payload_len":3970,"flow_avg_l4_payload_len":661,"midstream":0,"ts_msec":1444570636773,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.121.153","src_port":57647,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.Webex","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.webex.com","ja3":"7cb93b2404a98399e9f84c74fef1fb8f","ja3s":"91589ea825a2ee41810c85fab06d2ef6","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com","fingerprint":"61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1"}}
+01188{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":355,"source":"webex.pcap","alias":"nDPId-test","flow_id":22,"flow_packets_processed":6,"flow_first_seen":1444570636364,"flow_last_seen":1444570636827,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":3939,"flow_tot_l4_payload_len":4002,"flow_avg_l4_payload_len":667,"midstream":0,"ts_msec":1444570636827,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.98","src_port":37129,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.Webex","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.webex.com","ja3":"7cb93b2404a98399e9f84c74fef1fb8f","ja3s":"91589ea825a2ee41810c85fab06d2ef6","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com","fingerprint":"61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1"}}
+01189{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":356,"source":"webex.pcap","alias":"nDPId-test","flow_id":23,"flow_packets_processed":6,"flow_first_seen":1444570636387,"flow_last_seen":1444570636828,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":3939,"flow_tot_l4_payload_len":4002,"flow_avg_l4_payload_len":667,"midstream":0,"ts_msec":1444570636828,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41386,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.Webex","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.webex.com","ja3":"7cb93b2404a98399e9f84c74fef1fb8f","ja3s":"91589ea825a2ee41810c85fab06d2ef6","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com","fingerprint":"61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1"}}
+01188{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":357,"source":"webex.pcap","alias":"nDPId-test","flow_id":21,"flow_packets_processed":8,"flow_first_seen":1444570636359,"flow_last_seen":1444570636829,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":2579,"flow_tot_l4_payload_len":4002,"flow_avg_l4_payload_len":500,"midstream":0,"ts_msec":1444570636829,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.97","src_port":51370,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.Webex","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.webex.com","ja3":"7cb93b2404a98399e9f84c74fef1fb8f","ja3s":"91589ea825a2ee41810c85fab06d2ef6","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com","fingerprint":"61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1"}}
+01189{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":365,"source":"webex.pcap","alias":"nDPId-test","flow_id":18,"flow_packets_processed":6,"flow_first_seen":1444570636259,"flow_last_seen":1444570636894,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":3939,"flow_tot_l4_payload_len":4002,"flow_avg_l4_payload_len":667,"midstream":0,"ts_msec":1444570636894,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.121.100","src_port":52219,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.Webex","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.webex.com","ja3":"7cb93b2404a98399e9f84c74fef1fb8f","ja3s":"91589ea825a2ee41810c85fab06d2ef6","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com","fingerprint":"61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1"}}
+01188{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":368,"source":"webex.pcap","alias":"nDPId-test","flow_id":19,"flow_packets_processed":6,"flow_first_seen":1444570636264,"flow_last_seen":1444570636897,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":3939,"flow_tot_l4_payload_len":4002,"flow_avg_l4_payload_len":667,"midstream":0,"ts_msec":1444570636897,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.121.99","src_port":55969,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.Webex","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.webex.com","ja3":"7cb93b2404a98399e9f84c74fef1fb8f","ja3s":"91589ea825a2ee41810c85fab06d2ef6","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com","fingerprint":"61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1"}}
+01189{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":381,"source":"webex.pcap","alias":"nDPId-test","flow_id":11,"flow_packets_processed":8,"flow_first_seen":1444570636155,"flow_last_seen":1444570636963,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":2527,"flow_tot_l4_payload_len":3970,"flow_avg_l4_payload_len":496,"midstream":0,"ts_msec":1444570636963,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"114.29.204.49","src_port":51646,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.Webex","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.webex.com","ja3":"7cb93b2404a98399e9f84c74fef1fb8f","ja3s":"91589ea825a2ee41810c85fab06d2ef6","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com","fingerprint":"61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1"}}
00551{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":409,"source":"webex.pcap","alias":"nDPId-test","flow_id":24,"flow_packets_processed":1,"flow_first_seen":1444570637191,"flow_last_seen":1444570637191,"flow_idle_time":180000,"flow_min_l4_payload_len":656,"flow_max_l4_payload_len":656,"flow_tot_l4_payload_len":656,"flow_avg_l4_payload_len":656,"midstream":0,"ts_msec":1444570637191,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"172.16.1.75","src_port":64538,"dst_port":5060,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
01305{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":409,"source":"webex.pcap","alias":"nDPId-test","flow_id":24,"flow_packet_id":1,"flow_last_seen":1444570637191,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":698,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":698,"pkt_l4_len":664,"ts_msec":1444570637191,"pkt":"ABoRAAACABoRAAABCABFAAKsAABAAEARgN0KCAABrBABS\/waE8QCmKnIUkVHSVNURVIgc2lwOjE3Mi4xNi4xLjc1O3RyYW5zcG9ydD1VRFAgU0lQLzIuMA0KVmlhOiBTSVAvMi4wL1VEUCAxMC4xMzMuMjA2LjQ3OjY0NTM4O2JyYW5jaD16OWhHNGJLLTUyNDI4Ny0xLS0tM2U0Njk4NjE4Y2ZiMmI3MztycG9ydA0KTWF4LUZvcndhcmRzOiA3MA0KQ29udGFjdDogPHNpcDo0NTE5MUAxMC4xMzMuMjA2LjQ3OjY0NTM4O3JpbnN0YW5jZT03YTQ2ZjFlMTI3MDJlN2ZiO3RyYW5zcG9ydD1VRFA+DQpUbzogPHNpcDo0NTE5MUAxNzIuMTYuMS43NTt0cmFuc3BvcnQ9VURQPg0KRnJvbTogPHNpcDo0NTE5MUAxNzIuMTYuMS43NTt0cmFuc3BvcnQ9VURQPjt0YWc9ZDM4MzM3NjcNCkNhbGwtSUQ6IEtvcExUdzl4c19sRXBDdGlQYTA3YlEuLg0KQ1NlcTogNCBSRUdJU1RFUg0KRXhwaXJlczogNjANCkFsbG93OiBJTlZJVEUsIEFDSywgQ0FOQ0VMLCBCWUUsIE5PVElGWSwgUkVGRVIsIE1FU1NBR0UsIE9QVElPTlMsIElORk8sIFNVQlNDUklCRQ0KU3VwcG9ydGVkOiByZXBsYWNlcywgbm9yZWZlcnN1YiwgZXh0ZW5kZWQtcmVmZXIsIHRpbWVyLCBvdXRib3VuZCwgcGF0aCwgWC1jaXNjby1zZXJ2aWNldXJpDQpVc2VyLUFnZW50OiBab2lwZXIgcjMzNjg4DQpBbGxvdy1FdmVudHM6IHByZXNlbmNlLCBrcG1sDQpDb250ZW50LUxlbmd0aDogMA0KDQo="}
00580{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":409,"source":"webex.pcap","alias":"nDPId-test","flow_id":24,"flow_packets_processed":1,"flow_first_seen":1444570637191,"flow_last_seen":1444570637191,"flow_idle_time":180000,"flow_min_l4_payload_len":656,"flow_max_l4_payload_len":656,"flow_tot_l4_payload_len":656,"flow_avg_l4_payload_len":656,"midstream":0,"ts_msec":1444570637191,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"172.16.1.75","src_port":64538,"dst_port":5060,"l4_proto":"udp","ndpi": {"proto":"SIP","breed":"Acceptable","category":"VoIP"}}
-01189{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":411,"source":"webex.pcap","alias":"nDPId-test","flow_id":16,"flow_packets_processed":8,"flow_first_seen":1444570636252,"flow_last_seen":1444570638198,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":2842,"flow_tot_l4_payload_len":3970,"flow_avg_l4_payload_len":496,"midstream":0,"ts_msec":1444570638198,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"114.29.202.139","src_port":47116,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.Webex","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.webex.com","ja3":"7cb93b2404a98399e9f84c74fef1fb8f","ja3s":"91589ea825a2ee41810c85fab06d2ef6","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","issuerDN":"C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com","fingerprint":"61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1"}}
-01188{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":412,"source":"webex.pcap","alias":"nDPId-test","flow_id":20,"flow_packets_processed":6,"flow_first_seen":1444570636270,"flow_last_seen":1444570638199,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":3907,"flow_tot_l4_payload_len":3970,"flow_avg_l4_payload_len":661,"midstream":0,"ts_msec":1444570638199,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"114.29.200.11","src_port":47841,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.Webex","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.webex.com","ja3":"7cb93b2404a98399e9f84c74fef1fb8f","ja3s":"91589ea825a2ee41810c85fab06d2ef6","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","issuerDN":"C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com","fingerprint":"61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1"}}
+01190{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":411,"source":"webex.pcap","alias":"nDPId-test","flow_id":16,"flow_packets_processed":8,"flow_first_seen":1444570636252,"flow_last_seen":1444570638198,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":2842,"flow_tot_l4_payload_len":3970,"flow_avg_l4_payload_len":496,"midstream":0,"ts_msec":1444570638198,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"114.29.202.139","src_port":47116,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.Webex","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.webex.com","ja3":"7cb93b2404a98399e9f84c74fef1fb8f","ja3s":"91589ea825a2ee41810c85fab06d2ef6","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com","fingerprint":"61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1"}}
+01189{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":412,"source":"webex.pcap","alias":"nDPId-test","flow_id":20,"flow_packets_processed":6,"flow_first_seen":1444570636270,"flow_last_seen":1444570638199,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":3907,"flow_tot_l4_payload_len":3970,"flow_avg_l4_payload_len":661,"midstream":0,"ts_msec":1444570638199,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"114.29.200.11","src_port":47841,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.Webex","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.webex.com","ja3":"7cb93b2404a98399e9f84c74fef1fb8f","ja3s":"91589ea825a2ee41810c85fab06d2ef6","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com","fingerprint":"61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1"}}
00545{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":422,"source":"webex.pcap","alias":"nDPId-test","flow_id":25,"flow_packets_processed":1,"flow_first_seen":1444570638225,"flow_last_seen":1444570638225,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1444570638225,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"216.58.208.40","src_port":43433,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00471{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":422,"source":"webex.pcap","alias":"nDPId-test","flow_id":25,"flow_packet_id":1,"flow_last_seen":1444570638225,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1444570638225,"pkt":"ABoRAAACABoRAAABCABFAAA8UR1AAEAGNzMKCAAB2DrQKKmpAbtoC5J\/AAAAAKACOQjy7gAAAgQFtAQCCAoATMNiAAAAAAEDAwY="}
00444{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":423,"source":"webex.pcap","alias":"nDPId-test","flow_id":25,"flow_packet_id":2,"flow_last_seen":1444570638234,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1444570638234,"pkt":"ABoRAAACABoRAAABCABFAAAoAeFAABAGtoPYOtAoCggAAQG7qamX9G2AaAuSgFAS\/\/9SAQAA"}
01305{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":430,"source":"webex.pcap","alias":"nDPId-test","flow_id":24,"flow_packet_id":2,"flow_last_seen":1444570638237,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":698,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":698,"pkt_l4_len":664,"ts_msec":1444570638237,"pkt":"ABoRAAACABoRAAABCABFAAKsAABAAEARgN0KCAABrBABS\/waE8QCmKnIUkVHSVNURVIgc2lwOjE3Mi4xNi4xLjc1O3RyYW5zcG9ydD1VRFAgU0lQLzIuMA0KVmlhOiBTSVAvMi4wL1VEUCAxMC4xMzMuMjA2LjQ3OjY0NTM4O2JyYW5jaD16OWhHNGJLLTUyNDI4Ny0xLS0tM2U0Njk4NjE4Y2ZiMmI3MztycG9ydA0KTWF4LUZvcndhcmRzOiA3MA0KQ29udGFjdDogPHNpcDo0NTE5MUAxMC4xMzMuMjA2LjQ3OjY0NTM4O3JpbnN0YW5jZT03YTQ2ZjFlMTI3MDJlN2ZiO3RyYW5zcG9ydD1VRFA+DQpUbzogPHNpcDo0NTE5MUAxNzIuMTYuMS43NTt0cmFuc3BvcnQ9VURQPg0KRnJvbTogPHNpcDo0NTE5MUAxNzIuMTYuMS43NTt0cmFuc3BvcnQ9VURQPjt0YWc9ZDM4MzM3NjcNCkNhbGwtSUQ6IEtvcExUdzl4c19sRXBDdGlQYTA3YlEuLg0KQ1NlcTogNCBSRUdJU1RFUg0KRXhwaXJlczogNjANCkFsbG93OiBJTlZJVEUsIEFDSywgQ0FOQ0VMLCBCWUUsIE5PVElGWSwgUkVGRVIsIE1FU1NBR0UsIE9QVElPTlMsIElORk8sIFNVQlNDUklCRQ0KU3VwcG9ydGVkOiByZXBsYWNlcywgbm9yZWZlcnN1YiwgZXh0ZW5kZWQtcmVmZXIsIHRpbWVyLCBvdXRib3VuZCwgcGF0aCwgWC1jaXNjby1zZXJ2aWNldXJpDQpVc2VyLUFnZW50OiBab2lwZXIgcjMzNjg4DQpBbGxvdy1FdmVudHM6IHByZXNlbmNlLCBrcG1sDQpDb250ZW50LUxlbmd0aDogMA0KDQo="}
00443{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":449,"source":"webex.pcap","alias":"nDPId-test","flow_id":25,"flow_packet_id":3,"flow_last_seen":1444570639260,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1444570639260,"pkt":"ABoRAAACABoRAAABCABFAAAoUR5AAEAGN0YKCAAB2DrQKKmpAbtoC5KAl\/RtgVAQOQgY+gAA"}
-00834{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":455,"source":"webex.pcap","alias":"nDPId-test","flow_id":25,"flow_packets_processed":4,"flow_first_seen":1444570638225,"flow_last_seen":1444570639266,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":227,"flow_tot_l4_payload_len":227,"flow_avg_l4_payload_len":56,"midstream":0,"ts_msec":1444570639266,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"216.58.208.40","src_port":43433,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"ssl.google-analytics.com","ja3":"75edb912bc6f0a222ae3e3e47f5c89b1","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
+00842{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":455,"source":"webex.pcap","alias":"nDPId-test","flow_id":25,"flow_packets_processed":4,"flow_first_seen":1444570638225,"flow_last_seen":1444570639266,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":227,"flow_tot_l4_payload_len":227,"flow_avg_l4_payload_len":56,"midstream":0,"ts_msec":1444570639266,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"216.58.208.40","src_port":43433,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Google","breed":"Acceptable","category":"Advertisement"},"tls": {"version":"TLSv1.2","client_requested_server_name":"ssl.google-analytics.com","ja3":"75edb912bc6f0a222ae3e3e47f5c89b1","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
01305{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":457,"source":"webex.pcap","alias":"nDPId-test","flow_id":24,"flow_packet_id":3,"flow_last_seen":1444570639266,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":698,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":698,"pkt_l4_len":664,"ts_msec":1444570639266,"pkt":"ABoRAAACABoRAAABCABFAAKsAABAAEARgN0KCAABrBABS\/waE8QCmKnIUkVHSVNURVIgc2lwOjE3Mi4xNi4xLjc1O3RyYW5zcG9ydD1VRFAgU0lQLzIuMA0KVmlhOiBTSVAvMi4wL1VEUCAxMC4xMzMuMjA2LjQ3OjY0NTM4O2JyYW5jaD16OWhHNGJLLTUyNDI4Ny0xLS0tM2U0Njk4NjE4Y2ZiMmI3MztycG9ydA0KTWF4LUZvcndhcmRzOiA3MA0KQ29udGFjdDogPHNpcDo0NTE5MUAxMC4xMzMuMjA2LjQ3OjY0NTM4O3JpbnN0YW5jZT03YTQ2ZjFlMTI3MDJlN2ZiO3RyYW5zcG9ydD1VRFA+DQpUbzogPHNpcDo0NTE5MUAxNzIuMTYuMS43NTt0cmFuc3BvcnQ9VURQPg0KRnJvbTogPHNpcDo0NTE5MUAxNzIuMTYuMS43NTt0cmFuc3BvcnQ9VURQPjt0YWc9ZDM4MzM3NjcNCkNhbGwtSUQ6IEtvcExUdzl4c19sRXBDdGlQYTA3YlEuLg0KQ1NlcTogNCBSRUdJU1RFUg0KRXhwaXJlczogNjANCkFsbG93OiBJTlZJVEUsIEFDSywgQ0FOQ0VMLCBCWUUsIE5PVElGWSwgUkVGRVIsIE1FU1NBR0UsIE9QVElPTlMsIElORk8sIFNVQlNDUklCRQ0KU3VwcG9ydGVkOiByZXBsYWNlcywgbm9yZWZlcnN1YiwgZXh0ZW5kZWQtcmVmZXIsIHRpbWVyLCBvdXRib3VuZCwgcGF0aCwgWC1jaXNjby1zZXJ2aWNldXJpDQpVc2VyLUFnZW50OiBab2lwZXIgcjMzNjg4DQpBbGxvdy1FdmVudHM6IHByZXNlbmNlLCBrcG1sDQpDb250ZW50LUxlbmd0aDogMA0KDQo="}
00546{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":461,"source":"webex.pcap","alias":"nDPId-test","flow_id":26,"flow_packets_processed":1,"flow_first_seen":1444570640269,"flow_last_seen":1444570640269,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1444570640269,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"114.29.202.139","src_port":47135,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00470{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":461,"source":"webex.pcap","alias":"nDPId-test","flow_id":26,"flow_packet_id":1,"flow_last_seen":1444570640269,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1444570640269,"pkt":"ABoRAAACABoRAAABCABFAAA8fMBAAEAGd0oKCAABch3Ki7gfAbudV783AAAAAKACOQjtmQAAAgQFtAQCCAoATMP3AAAAAAEDAwY="}
@@ -191,7 +191,7 @@
00442{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":535,"source":"webex.pcap","alias":"nDPId-test","flow_id":35,"flow_packet_id":3,"flow_last_seen":1444570640408,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1444570640408,"pkt":"ABoRAAACABoRAAABCABFAAAosmNAAEAGv9UKCAABUEpuRILoAbtZhnZApnmJwVAQOQgpkAAA"}
00795{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":536,"source":"webex.pcap","alias":"nDPId-test","flow_id":34,"flow_packets_processed":4,"flow_first_seen":1444570640382,"flow_last_seen":1444570640408,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":216,"flow_tot_l4_payload_len":216,"flow_avg_l4_payload_len":54,"midstream":0,"ts_msec":1444570640408,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"80.74.110.68","src_port":33511,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"dff8a0aa1c904aaea76c5bf624e88333","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
00795{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":538,"source":"webex.pcap","alias":"nDPId-test","flow_id":35,"flow_packets_processed":4,"flow_first_seen":1444570640385,"flow_last_seen":1444570640408,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":216,"flow_tot_l4_payload_len":216,"flow_avg_l4_payload_len":54,"midstream":0,"ts_msec":1444570640408,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"80.74.110.68","src_port":33512,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"dff8a0aa1c904aaea76c5bf624e88333","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
-01330{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":543,"source":"webex.pcap","alias":"nDPId-test","flow_id":25,"flow_packets_processed":6,"flow_first_seen":1444570638225,"flow_last_seen":1444570640491,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":3697,"flow_tot_l4_payload_len":3924,"flow_avg_l4_payload_len":654,"midstream":0,"ts_msec":1444570640491,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"216.58.208.40","src_port":43433,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"ssl.google-analytics.com","server_names":"*.google-analytics.com,app-measurement.com,google-analytics.com,googletagmanager.com,service.urchin.com,ssl.google-analytics.com,urchin.com,www.google-analytics.com,www.googletagmanager.com","ja3":"75edb912bc6f0a222ae3e3e47f5c89b1","ja3s":"389ed42c02ebecc32e73aa31def07e14","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Google Inc, CN=Google Internet Authority G2","issuerDN":"C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.google-analytics.com","fingerprint":"E0:F0:1E:71:F2:B5:D9:2D:F7:4E:8F:CB:10:37:17:7C:0C:C4:07:9D"}}
+01339{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":543,"source":"webex.pcap","alias":"nDPId-test","flow_id":25,"flow_packets_processed":6,"flow_first_seen":1444570638225,"flow_last_seen":1444570640491,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":3697,"flow_tot_l4_payload_len":3924,"flow_avg_l4_payload_len":654,"midstream":0,"ts_msec":1444570640491,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"216.58.208.40","src_port":43433,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Google","breed":"Acceptable","category":"Advertisement"},"tls": {"version":"TLSv1.2","client_requested_server_name":"ssl.google-analytics.com","server_names":"*.google-analytics.com,app-measurement.com,google-analytics.com,googletagmanager.com,service.urchin.com,ssl.google-analytics.com,urchin.com,www.google-analytics.com,www.googletagmanager.com","ja3":"75edb912bc6f0a222ae3e3e47f5c89b1","ja3s":"389ed42c02ebecc32e73aa31def07e14","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Google Inc, CN=Google Internet Authority G2","subjectDN":"C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.google-analytics.com","fingerprint":"E0:F0:1E:71:F2:B5:D9:2D:F7:4E:8F:CB:10:37:17:7C:0C:C4:07:9D"}}
00836{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":547,"source":"webex.pcap","alias":"nDPId-test","flow_id":35,"flow_packets_processed":6,"flow_first_seen":1444570640385,"flow_last_seen":1444570640593,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":216,"flow_tot_l4_payload_len":345,"flow_avg_l4_payload_len":57,"midstream":0,"ts_msec":1444570640593,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"80.74.110.68","src_port":33512,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"dff8a0aa1c904aaea76c5bf624e88333","ja3s":"6dfe5eb347aa509fc445e5628d467a2b","unsafe_cipher":2,"cipher":"TLS_RSA_WITH_RC4_128_MD5"}}
00546{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":586,"source":"webex.pcap","alias":"nDPId-test","flow_id":36,"flow_packets_processed":1,"flow_first_seen":1444570669736,"flow_last_seen":1444570669736,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1444570669736,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"62.109.224.120","src_port":51154,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00471{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":586,"source":"webex.pcap","alias":"nDPId-test","flow_id":36,"flow_packet_id":1,"flow_last_seen":1444570669736,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1444570669736,"pkt":"ABoRAAACABoRAAABCABFAAA80OhAAEAGQOUKCAABPm3geMfSAbvlsh8HAAAAAKACOQhHhwAAAgQFtAQCCAoATM\/vAAAAAAEDAwY="}
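Review bot: The expected `breed` for the `ssl.google-analytics.com` flow (flow_id 25) changes from `Tracker\/Ads` to `Acceptable` on the added detection-update line, with `category` moving from `Web` to `Advertisement`, and nothing visible here records that as intentional. Presumably it follows from the libnDPI submodule update listed in the diffstat. Any consumer that filters or alerts on `breed` will stop matching these flows and would have to key on `category` instead. I would state the reclassification in the commit description, for example `google-analytics flows: breed Tracker/Ads -> Acceptable, category Web -> Advertisement`, so it is not read as fixture churn. The same pair of values changes on the `detected` line for this flow in the preceding hunk.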
@@ -203,20 +203,20 @@
00808{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":591,"source":"webex.pcap","alias":"nDPId-test","flow_id":36,"flow_packets_processed":4,"flow_first_seen":1444570669736,"flow_last_seen":1444570669760,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":63,"flow_tot_l4_payload_len":63,"flow_avg_l4_payload_len":15,"midstream":0,"ts_msec":1444570669760,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"62.109.224.120","src_port":51154,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Webex","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"7cb93b2404a98399e9f84c74fef1fb8f","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
00442{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":593,"source":"webex.pcap","alias":"nDPId-test","flow_id":37,"flow_packet_id":3,"flow_last_seen":1444570669762,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1444570669762,"pkt":"ABoRAAACABoRAAABCABFAAAoQwNAAEAGzt4KCAABPm3geMfTAbvSW4zuLaRzE1AQOQiETQAA"}
00808{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":594,"source":"webex.pcap","alias":"nDPId-test","flow_id":37,"flow_packets_processed":4,"flow_first_seen":1444570669745,"flow_last_seen":1444570669762,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":63,"flow_tot_l4_payload_len":63,"flow_avg_l4_payload_len":15,"midstream":0,"ts_msec":1444570669762,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"62.109.224.120","src_port":51155,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Webex","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"7cb93b2404a98399e9f84c74fef1fb8f","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
-01189{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":602,"source":"webex.pcap","alias":"nDPId-test","flow_id":36,"flow_packets_processed":6,"flow_first_seen":1444570669736,"flow_last_seen":1444570670676,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":3907,"flow_tot_l4_payload_len":3970,"flow_avg_l4_payload_len":661,"midstream":0,"ts_msec":1444570670676,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"62.109.224.120","src_port":51154,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.Webex","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.webex.com","ja3":"7cb93b2404a98399e9f84c74fef1fb8f","ja3s":"91589ea825a2ee41810c85fab06d2ef6","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","issuerDN":"C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com","fingerprint":"61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1"}}
-01189{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":606,"source":"webex.pcap","alias":"nDPId-test","flow_id":37,"flow_packets_processed":6,"flow_first_seen":1444570669745,"flow_last_seen":1444570670730,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":3907,"flow_tot_l4_payload_len":3970,"flow_avg_l4_payload_len":661,"midstream":0,"ts_msec":1444570670730,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"62.109.224.120","src_port":51155,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.Webex","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.webex.com","ja3":"7cb93b2404a98399e9f84c74fef1fb8f","ja3s":"91589ea825a2ee41810c85fab06d2ef6","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","issuerDN":"C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com","fingerprint":"61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1"}}
+01190{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":602,"source":"webex.pcap","alias":"nDPId-test","flow_id":36,"flow_packets_processed":6,"flow_first_seen":1444570669736,"flow_last_seen":1444570670676,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":3907,"flow_tot_l4_payload_len":3970,"flow_avg_l4_payload_len":661,"midstream":0,"ts_msec":1444570670676,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"62.109.224.120","src_port":51154,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.Webex","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.webex.com","ja3":"7cb93b2404a98399e9f84c74fef1fb8f","ja3s":"91589ea825a2ee41810c85fab06d2ef6","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com","fingerprint":"61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1"}}
+01190{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":606,"source":"webex.pcap","alias":"nDPId-test","flow_id":37,"flow_packets_processed":6,"flow_first_seen":1444570669745,"flow_last_seen":1444570670730,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":3907,"flow_tot_l4_payload_len":3970,"flow_avg_l4_payload_len":661,"midstream":0,"ts_msec":1444570670730,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"62.109.224.120","src_port":51155,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.Webex","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.webex.com","ja3":"7cb93b2404a98399e9f84c74fef1fb8f","ja3s":"91589ea825a2ee41810c85fab06d2ef6","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com","fingerprint":"61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1"}}
00545{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":632,"source":"webex.pcap","alias":"nDPId-test","flow_id":38,"flow_packets_processed":1,"flow_first_seen":1444570672215,"flow_last_seen":1444570672215,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1444570672215,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41419,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00470{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":632,"source":"webex.pcap","alias":"nDPId-test","flow_id":38,"flow_packet_id":1,"flow_last_seen":1444570672215,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1444570672215,"pkt":"ABoRAAACABoRAAABCABFAAA8MYhAAEAGVYAKCAABQERpZ6HLAbsAQeF1AAAAAKACOQgEvgAAAgQFtAQCCAoATND9AAAAAAEDAwY="}
00445{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":633,"source":"webex.pcap","alias":"nDPId-test","flow_id":38,"flow_packet_id":2,"flow_last_seen":1444570672219,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1444570672219,"pkt":"ABoRAAACABoRAAABCABFAAAoAjpAABAGtOJARGlnCggAAQG7ocv\/vh6KAEHhdlAS\/\/9YlwAA"}
00443{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":634,"source":"webex.pcap","alias":"nDPId-test","flow_id":38,"flow_packet_id":3,"flow_last_seen":1444570672219,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1444570672219,"pkt":"ABoRAAACABoRAAABCABFAAAoMYlAAEAGVZMKCAABQERpZ6HLAbsAQeF2\/74ei1AQOQgfkAAA"}
00807{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":635,"source":"webex.pcap","alias":"nDPId-test","flow_id":38,"flow_packets_processed":4,"flow_first_seen":1444570672215,"flow_last_seen":1444570672269,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":63,"flow_tot_l4_payload_len":63,"flow_avg_l4_payload_len":15,"midstream":0,"ts_msec":1444570672269,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41419,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Webex","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"7cb93b2404a98399e9f84c74fef1fb8f","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
-01188{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":643,"source":"webex.pcap","alias":"nDPId-test","flow_id":38,"flow_packets_processed":6,"flow_first_seen":1444570672215,"flow_last_seen":1444570672626,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":3939,"flow_tot_l4_payload_len":4002,"flow_avg_l4_payload_len":667,"midstream":0,"ts_msec":1444570672626,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41419,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.Webex","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.webex.com","ja3":"7cb93b2404a98399e9f84c74fef1fb8f","ja3s":"91589ea825a2ee41810c85fab06d2ef6","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","issuerDN":"C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com","fingerprint":"61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1"}}
+01189{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":643,"source":"webex.pcap","alias":"nDPId-test","flow_id":38,"flow_packets_processed":6,"flow_first_seen":1444570672215,"flow_last_seen":1444570672626,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":3939,"flow_tot_l4_payload_len":4002,"flow_avg_l4_payload_len":667,"midstream":0,"ts_msec":1444570672626,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41419,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.Webex","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.webex.com","ja3":"7cb93b2404a98399e9f84c74fef1fb8f","ja3s":"91589ea825a2ee41810c85fab06d2ef6","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com","fingerprint":"61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1"}}
00545{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":662,"source":"webex.pcap","alias":"nDPId-test","flow_id":39,"flow_packets_processed":1,"flow_first_seen":1444570674487,"flow_last_seen":1444570674487,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1444570674487,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"173.243.0.110","src_port":55665,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00470{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":662,"source":"webex.pcap","alias":"nDPId-test","flow_id":39,"flow_packet_id":1,"flow_last_seen":1444570674487,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1444570674487,"pkt":"ABoRAAACABoRAAABCABFAAA8CB5AAEAGejQKCAABrfMAbtlxAbui3tn8AAAAAKACOQgsWAAAAgQFtAQCCAoATNHiAAAAAAEDAwY="}
00445{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":663,"source":"webex.pcap","alias":"nDPId-test","flow_id":39,"flow_packet_id":2,"flow_last_seen":1444570674499,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1444570674499,"pkt":"ABoRAAACABoRAAABCABFAAAoAklAABAGsB2t8wBuCggAAQG72XFdISYDot7Z\/VAS\/\/8cOwAA"}
00442{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":664,"source":"webex.pcap","alias":"nDPId-test","flow_id":39,"flow_packet_id":3,"flow_last_seen":1444570674500,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1444570674500,"pkt":"ABoRAAACABoRAAABCABFAAAoCB9AAEAGekcKCAABrfMAbtlxAbui3tn9XSEmBFAQOQjjMwAA"}
00809{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":665,"source":"webex.pcap","alias":"nDPId-test","flow_id":39,"flow_packets_processed":4,"flow_first_seen":1444570674487,"flow_last_seen":1444570674600,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":187,"flow_tot_l4_payload_len":187,"flow_avg_l4_payload_len":46,"midstream":0,"ts_msec":1444570674600,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"173.243.0.110","src_port":55665,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Webex","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"64ea4359ad4b496db653a3f30f7073e6","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
-01188{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":671,"source":"webex.pcap","alias":"nDPId-test","flow_id":39,"flow_packets_processed":6,"flow_first_seen":1444570674487,"flow_last_seen":1444570675110,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":3907,"flow_tot_l4_payload_len":4094,"flow_avg_l4_payload_len":682,"midstream":0,"ts_msec":1444570675110,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"173.243.0.110","src_port":55665,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.Webex","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.webex.com","ja3":"64ea4359ad4b496db653a3f30f7073e6","ja3s":"91589ea825a2ee41810c85fab06d2ef6","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","issuerDN":"C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com","fingerprint":"61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1"}}
+01189{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":671,"source":"webex.pcap","alias":"nDPId-test","flow_id":39,"flow_packets_processed":6,"flow_first_seen":1444570674487,"flow_last_seen":1444570675110,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":3907,"flow_tot_l4_payload_len":4094,"flow_avg_l4_payload_len":682,"midstream":0,"ts_msec":1444570675110,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"173.243.0.110","src_port":55665,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.Webex","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.webex.com","ja3":"64ea4359ad4b496db653a3f30f7073e6","ja3s":"91589ea825a2ee41810c85fab06d2ef6","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com","fingerprint":"61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1"}}
00546{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":736,"source":"webex.pcap","alias":"nDPId-test","flow_id":40,"flow_packets_processed":1,"flow_first_seen":1444570675941,"flow_last_seen":1444570675941,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1444570675941,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"62.109.229.158","src_port":51833,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00470{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":736,"source":"webex.pcap","alias":"nDPId-test","flow_id":40,"flow_packet_id":1,"flow_last_seen":1444570675941,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1444570675941,"pkt":"ABoRAAACABoRAAABCABFAAA8SaRAAEAGwwMKCAABPm3lnsp5AbteGJvVAAAAAKACOQhIBAAAAgQFtAQCCAoATNJxAAAAAAEDAwY="}
00444{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":737,"source":"webex.pcap","alias":"nDPId-test","flow_id":40,"flow_packet_id":2,"flow_last_seen":1444570675945,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1444570675945,"pkt":"ABoRAAACABoRAAABCABFAAAoAm5AABAGOk4+beWeCggAAQG7ynmh52QqXhib1lAS\/\/+1iAAA"}
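Review bot: The removed lines in this hunk carried two `issuerDN` keys inside the same `tls` object, and the fixture evidently accepted that output until now; the added lines rename the second key to `subjectDN`, but nothing visible guards against a repeated key coming back. JSON parsers differ on duplicate keys (first wins, last wins, or reject), so a consumer of the old events could have read the subject DN as the issuer. If the test run validates events against `schema/flow_event_schema.json`, that step should parse with duplicate-key rejection, because JSON Schema only sees the already-parsed object and cannot express the constraint. The same rename appears in the hunk at `@@ -191,7 +191,7 @@` and in the lines before it.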
@@ -227,13 +227,13 @@
00444{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":822,"source":"webex.pcap","alias":"nDPId-test","flow_id":41,"flow_packet_id":2,"flow_last_seen":1444570679516,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1444570679516,"pkt":"ABoRAAACABoRAAABCABFAAAoAphAABAGr86t8wBuCggAAQG72XVfcFiRoI+nb1AS\/\/8cNwAA"}
00442{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":823,"source":"webex.pcap","alias":"nDPId-test","flow_id":41,"flow_packet_id":3,"flow_last_seen":1444570679516,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1444570679516,"pkt":"ABoRAAACABoRAAABCABFAAAodLhAAEAGDa4KCAABrfMAbtl1Abugj6dvX3BYklAQOQjjLwAA"}
00809{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":824,"source":"webex.pcap","alias":"nDPId-test","flow_id":41,"flow_packets_processed":4,"flow_first_seen":1444570679512,"flow_last_seen":1444570679526,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":187,"flow_tot_l4_payload_len":187,"flow_avg_l4_payload_len":46,"midstream":0,"ts_msec":1444570679526,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"173.243.0.110","src_port":55669,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Webex","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"64ea4359ad4b496db653a3f30f7073e6","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
-01188{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":846,"source":"webex.pcap","alias":"nDPId-test","flow_id":41,"flow_packets_processed":8,"flow_first_seen":1444570679512,"flow_last_seen":1444570680091,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":2527,"flow_tot_l4_payload_len":4094,"flow_avg_l4_payload_len":511,"midstream":0,"ts_msec":1444570680091,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"173.243.0.110","src_port":55669,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.Webex","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.webex.com","ja3":"64ea4359ad4b496db653a3f30f7073e6","ja3s":"91589ea825a2ee41810c85fab06d2ef6","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","issuerDN":"C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com","fingerprint":"61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1"}}
+01189{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":846,"source":"webex.pcap","alias":"nDPId-test","flow_id":41,"flow_packets_processed":8,"flow_first_seen":1444570679512,"flow_last_seen":1444570680091,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":2527,"flow_tot_l4_payload_len":4094,"flow_avg_l4_payload_len":511,"midstream":0,"ts_msec":1444570680091,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"173.243.0.110","src_port":55669,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.Webex","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.webex.com","ja3":"64ea4359ad4b496db653a3f30f7073e6","ja3s":"91589ea825a2ee41810c85fab06d2ef6","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com","fingerprint":"61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1"}}
00546{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1058,"source":"webex.pcap","alias":"nDPId-test","flow_id":42,"flow_packets_processed":1,"flow_first_seen":1444570693238,"flow_last_seen":1444570693238,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1444570693238,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"173.243.0.110","src_port":55671,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00472{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1058,"source":"webex.pcap","alias":"nDPId-test","flow_id":42,"flow_packet_id":1,"flow_last_seen":1444570693238,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1444570693238,"pkt":"ABoRAAACABoRAAABCABFAAA8LOJAAEAGVXAKCAABrfMAbtl3AbsPD\/XWAAAAAKACOQic9QAAAgQFtAQCCAoATNk0AAAAAAEDAwY="}
00446{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1059,"source":"webex.pcap","alias":"nDPId-test","flow_id":42,"flow_packet_id":2,"flow_last_seen":1444570693244,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1444570693244,"pkt":"ABoRAAACABoRAAABCABFAAAoAxBAABAGr1at8wBuCggAAQG72Xfw8AopDw\/111AS\/\/8cNQAA"}
00444{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1060,"source":"webex.pcap","alias":"nDPId-test","flow_id":42,"flow_packet_id":3,"flow_last_seen":1444570693245,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1444570693245,"pkt":"ABoRAAACABoRAAABCABFAAAoLONAAEAGVYMKCAABrfMAbtl3AbsPD\/XX8PAKKlAQOQjjLQAA"}
00810{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1063,"source":"webex.pcap","alias":"nDPId-test","flow_id":42,"flow_packets_processed":4,"flow_first_seen":1444570693238,"flow_last_seen":1444570693297,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":187,"flow_tot_l4_payload_len":187,"flow_avg_l4_payload_len":46,"midstream":0,"ts_msec":1444570693297,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"173.243.0.110","src_port":55671,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Webex","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"64ea4359ad4b496db653a3f30f7073e6","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
-01189{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1074,"source":"webex.pcap","alias":"nDPId-test","flow_id":42,"flow_packets_processed":6,"flow_first_seen":1444570693238,"flow_last_seen":1444570693766,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":3907,"flow_tot_l4_payload_len":4094,"flow_avg_l4_payload_len":682,"midstream":0,"ts_msec":1444570693766,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"173.243.0.110","src_port":55671,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.Webex","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.webex.com","ja3":"64ea4359ad4b496db653a3f30f7073e6","ja3s":"91589ea825a2ee41810c85fab06d2ef6","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","issuerDN":"C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com","fingerprint":"61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1"}}
+01190{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1074,"source":"webex.pcap","alias":"nDPId-test","flow_id":42,"flow_packets_processed":6,"flow_first_seen":1444570693238,"flow_last_seen":1444570693766,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":3907,"flow_tot_l4_payload_len":4094,"flow_avg_l4_payload_len":682,"midstream":0,"ts_msec":1444570693766,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"173.243.0.110","src_port":55671,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.Webex","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.webex.com","ja3":"64ea4359ad4b496db653a3f30f7073e6","ja3s":"91589ea825a2ee41810c85fab06d2ef6","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com","fingerprint":"61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1"}}
00547{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1112,"source":"webex.pcap","alias":"nDPId-test","flow_id":43,"flow_packets_processed":1,"flow_first_seen":1444570694561,"flow_last_seen":1444570694561,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1444570694561,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"62.109.229.158","src_port":51839,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00472{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1112,"source":"webex.pcap","alias":"nDPId-test","flow_id":43,"flow_packet_id":1,"flow_last_seen":1444570694561,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1444570694561,"pkt":"ABoRAAACABoRAAABCABFAAA802lAAEAGOT4KCAABPm3lnsp\/AbubwQrQAAAAAKACOQiUEgAAAgQFtAQCCAoATNm5AAAAAAEDAwY="}
00445{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1113,"source":"webex.pcap","alias":"nDPId-test","flow_id":43,"flow_packet_id":2,"flow_last_seen":1444570694564,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1444570694564,"pkt":"ABoRAAACABoRAAABCABFAAAoAytAABAGOZE+beWeCggAAQG7yn9kPvUvm8EK0VAS\/\/+1ggAA"}
@@ -243,7 +243,7 @@
00471{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1230,"source":"webex.pcap","alias":"nDPId-test","flow_id":44,"flow_packet_id":1,"flow_last_seen":1444570699074,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1444570699074,"pkt":"ABoRAAACABoRAAABCABFAAA8OjpAAEAGn3oKCAABNvEgDrSDAbvRQeFHAAAAAKACOQhpXwAAAgQFtAQCCAoATNt9AAAAAAEDAwY="}
00445{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1231,"source":"webex.pcap","alias":"nDPId-test","flow_id":44,"flow_packet_id":2,"flow_last_seen":1444570699077,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1444570699077,"pkt":"ABoRAAACABoRAAABCABFAAAoA2VAABAGBmQ28SAOCggAAQG7tIMuvh640UHhSFAS\/\/+YiwAA"}
00443{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1232,"source":"webex.pcap","alias":"nDPId-test","flow_id":44,"flow_packet_id":3,"flow_last_seen":1444570699077,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1444570699077,"pkt":"ABoRAAACABoRAAABCABFAAAoOjtAAEAGn40KCAABNvEgDrSDAbvRQeFILr4euVAQOQhfhAAA"}
-00828{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1233,"source":"webex.pcap","alias":"nDPId-test","flow_id":44,"flow_packets_processed":4,"flow_first_seen":1444570699074,"flow_last_seen":1444570699079,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":216,"flow_tot_l4_payload_len":216,"flow_avg_l4_payload_len":54,"midstream":0,"ts_msec":1444570699079,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"54.241.32.14","src_port":46211,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"api.crittercism.com","ja3":"54ae5fcb0159e2ddf6a50e149221c7c7","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
+00833{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1233,"source":"webex.pcap","alias":"nDPId-test","flow_id":44,"flow_packets_processed":4,"flow_first_seen":1444570699074,"flow_last_seen":1444570699079,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":216,"flow_tot_l4_payload_len":216,"flow_avg_l4_payload_len":54,"midstream":0,"ts_msec":1444570699079,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"54.241.32.14","src_port":46211,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1","client_requested_server_name":"api.crittercism.com","ja3":"54ae5fcb0159e2ddf6a50e149221c7c7","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
00544{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1235,"source":"webex.pcap","alias":"nDPId-test","flow_id":45,"flow_packets_processed":1,"flow_first_seen":1444570699096,"flow_last_seen":1444570699096,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1444570699096,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"78.46.237.91","src_port":59756,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00471{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1235,"source":"webex.pcap","alias":"nDPId-test","flow_id":45,"flow_packet_id":1,"flow_last_seen":1444570699096,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1444570699096,"pkt":"ABoRAAACABoRAAABCABFAAA8731AAEAGBawKCAABTi7tW+lsAFBr3TT9AAAAAKACOQhjAgAAAgQFtAQCCAoATNuAAAAAAAEDAwY="}
00446{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1236,"source":"webex.pcap","alias":"nDPId-test","flow_id":45,"flow_packet_id":2,"flow_last_seen":1444570699101,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1444570699101,"pkt":"ABoRAAACABoRAAABCABFAAAoA2dAABAGIddOLu1bCggAAQBQ6WyUIssCa900\/lAS\/\/+AggAA"}
@@ -254,8 +254,8 @@
00443{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1240,"source":"webex.pcap","alias":"nDPId-test","flow_id":46,"flow_packet_id":3,"flow_last_seen":1444570699107,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1444570699107,"pkt":"ABoRAAACABoRAAABCABFAAAoZg1AAEAGjzAKCAABTi7tW+ltAFASyr2N7TVCdFAQOQhHegAA"}
00788{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1241,"source":"webex.pcap","alias":"nDPId-test","flow_id":45,"flow_packets_processed":4,"flow_first_seen":1444570699096,"flow_last_seen":1444570699201,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":536,"flow_tot_l4_payload_len":536,"flow_avg_l4_payload_len":134,"midstream":0,"ts_msec":1444570699201,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"78.46.237.91","src_port":59756,"dst_port":80,"l4_proto":"tcp","ndpi": {"proto":"HTTP","breed":"Acceptable","category":"Web"},"http": {"hostname":"cp.pushwoosh.com","url":"cp.pushwoosh.com\/json\/1.3\/registerDevice","code":0,"content_type":"","user_agent":"Dalvik\/1.6.0 (Linux; U; Android 4.4.2; LG-D855 Build\/KVT49L.A1412087656)"}}
00788{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1245,"source":"webex.pcap","alias":"nDPId-test","flow_id":46,"flow_packets_processed":4,"flow_first_seen":1444570699101,"flow_last_seen":1444570699212,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":334,"flow_tot_l4_payload_len":334,"flow_avg_l4_payload_len":83,"midstream":0,"ts_msec":1444570699212,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"78.46.237.91","src_port":59757,"dst_port":80,"l4_proto":"tcp","ndpi": {"proto":"HTTP","breed":"Acceptable","category":"Web"},"http": {"hostname":"cp.pushwoosh.com","url":"cp.pushwoosh.com\/json\/1.3\/applicationOpen","code":0,"content_type":"","user_agent":"Dalvik\/1.6.0 (Linux; U; Android 4.4.2; LG-D855 Build\/KVT49L.A1412087656)"}}
-00872{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1251,"source":"webex.pcap","alias":"nDPId-test","flow_id":44,"flow_packets_processed":6,"flow_first_seen":1444570699074,"flow_last_seen":1444570699636,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1382,"flow_tot_l4_payload_len":1598,"flow_avg_l4_payload_len":266,"midstream":0,"ts_msec":1444570699636,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"54.241.32.14","src_port":46211,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"api.crittercism.com","ja3":"54ae5fcb0159e2ddf6a50e149221c7c7","ja3s":"c800cea031c10ffe47e1d72c9264577a","unsafe_cipher":2,"cipher":"TLS_RSA_WITH_RC4_128_MD5"}}
-01211{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1259,"source":"webex.pcap","alias":"nDPId-test","flow_id":44,"flow_packets_processed":14,"flow_first_seen":1444570699074,"flow_last_seen":1444570699643,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":5712,"flow_avg_l4_payload_len":408,"midstream":0,"ts_msec":1444570699643,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"54.241.32.14","src_port":46211,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"api.crittercism.com","server_names":"*.crittercism.com,crittercism.com","ja3":"54ae5fcb0159e2ddf6a50e149221c7c7","ja3s":"c800cea031c10ffe47e1d72c9264577a","unsafe_cipher":2,"cipher":"TLS_RSA_WITH_RC4_128_MD5","issuerDN":"C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA","issuerDN":"OU=Domain Control Validated, OU=PositiveSSL Wildcard, CN=*.crittercism.com","fingerprint":"68:8B:FC:77:1E:CA:80:33:0C:A9:0E:29:A6:E4:0D:FC:3A:AE:43:18"}}
+00877{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1251,"source":"webex.pcap","alias":"nDPId-test","flow_id":44,"flow_packets_processed":6,"flow_first_seen":1444570699074,"flow_last_seen":1444570699636,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1382,"flow_tot_l4_payload_len":1598,"flow_avg_l4_payload_len":266,"midstream":0,"ts_msec":1444570699636,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"54.241.32.14","src_port":46211,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1","client_requested_server_name":"api.crittercism.com","ja3":"54ae5fcb0159e2ddf6a50e149221c7c7","ja3s":"c800cea031c10ffe47e1d72c9264577a","unsafe_cipher":2,"cipher":"TLS_RSA_WITH_RC4_128_MD5"}}
+01217{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1259,"source":"webex.pcap","alias":"nDPId-test","flow_id":44,"flow_packets_processed":14,"flow_first_seen":1444570699074,"flow_last_seen":1444570699643,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1448,"flow_tot_l4_payload_len":5712,"flow_avg_l4_payload_len":408,"midstream":0,"ts_msec":1444570699643,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"54.241.32.14","src_port":46211,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"},"tls": {"version":"TLSv1","client_requested_server_name":"api.crittercism.com","server_names":"*.crittercism.com,crittercism.com","ja3":"54ae5fcb0159e2ddf6a50e149221c7c7","ja3s":"c800cea031c10ffe47e1d72c9264577a","unsafe_cipher":2,"cipher":"TLS_RSA_WITH_RC4_128_MD5","issuerDN":"C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA","subjectDN":"OU=Domain Control Validated, OU=PositiveSSL Wildcard, CN=*.crittercism.com","fingerprint":"68:8B:FC:77:1E:CA:80:33:0C:A9:0E:29:A6:E4:0D:FC:3A:AE:43:18"}}
00545{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1271,"source":"webex.pcap","alias":"nDPId-test","flow_id":47,"flow_packets_processed":1,"flow_first_seen":1444570699916,"flow_last_seen":1444570699916,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1444570699916,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"80.74.110.68","src_port":33551,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00471{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1271,"source":"webex.pcap","alias":"nDPId-test","flow_id":47,"flow_packet_id":1,"flow_last_seen":1444570699916,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1444570699916,"pkt":"ABoRAAACABoRAAABCABFAAA8M+lAAEAGPjwKCAABUEpuRIMPAbsBc+gmAAAAAKACOQj74QAAAgQFtAQCCAoATNvPAAAAAAEDAwY="}
00446{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1272,"source":"webex.pcap","alias":"nDPId-test","flow_id":47,"flow_packet_id":2,"flow_last_seen":1444570699917,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1444570699917,"pkt":"ABoRAAACABoRAAABCABFAAAoA3lAABAGnsBQSm5ECggAAQG7gw\/+jBfZAXPoJ1AS\/\/9icAAA"}
@@ -279,7 +279,7 @@
00445{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1409,"source":"webex.pcap","alias":"nDPId-test","flow_id":50,"flow_packet_id":2,"flow_last_seen":1444570712012,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1444570712012,"pkt":"ABoRAAACABoRAAABCABFAAAoA7pAABAGrqyt8wBuCggAAQG72YePnxuIcGDkeFAS\/\/8cJQAA"}
00443{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1410,"source":"webex.pcap","alias":"nDPId-test","flow_id":50,"flow_packet_id":3,"flow_last_seen":1444570712013,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1444570712013,"pkt":"ABoRAAACABoRAAABCABFAAAoBP1AAEAGfWkKCAABrfMAbtmHAbtwYOR4j58biVAQOQjjHQAA"}
00810{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1411,"source":"webex.pcap","alias":"nDPId-test","flow_id":50,"flow_packets_processed":4,"flow_first_seen":1444570712008,"flow_last_seen":1444570712016,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":187,"flow_tot_l4_payload_len":187,"flow_avg_l4_payload_len":46,"midstream":0,"ts_msec":1444570712016,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"173.243.0.110","src_port":55687,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Webex","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"64ea4359ad4b496db653a3f30f7073e6","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
-01189{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1416,"source":"webex.pcap","alias":"nDPId-test","flow_id":50,"flow_packets_processed":6,"flow_first_seen":1444570712008,"flow_last_seen":1444570713707,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":3907,"flow_tot_l4_payload_len":4094,"flow_avg_l4_payload_len":682,"midstream":0,"ts_msec":1444570713707,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"173.243.0.110","src_port":55687,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.Webex","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.webex.com","ja3":"64ea4359ad4b496db653a3f30f7073e6","ja3s":"91589ea825a2ee41810c85fab06d2ef6","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","issuerDN":"C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com","fingerprint":"61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1"}}
+01190{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1416,"source":"webex.pcap","alias":"nDPId-test","flow_id":50,"flow_packets_processed":6,"flow_first_seen":1444570712008,"flow_last_seen":1444570713707,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":3907,"flow_tot_l4_payload_len":4094,"flow_avg_l4_payload_len":682,"midstream":0,"ts_msec":1444570713707,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"173.243.0.110","src_port":55687,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.Webex","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.webex.com","ja3":"64ea4359ad4b496db653a3f30f7073e6","ja3s":"91589ea825a2ee41810c85fab06d2ef6","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com","fingerprint":"61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1"}}
00545{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1425,"source":"webex.pcap","alias":"nDPId-test","flow_id":51,"flow_packets_processed":1,"flow_first_seen":1444570713719,"flow_last_seen":1444570713719,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1444570713719,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"80.74.110.68","src_port":33559,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00472{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1425,"source":"webex.pcap","alias":"nDPId-test","flow_id":51,"flow_packet_id":1,"flow_last_seen":1444570713719,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1444570713719,"pkt":"ABoRAAACABoRAAABCABFAAA8m55AAEAG1oYKCAABUEpuRIMXAbuTJntGAAAAAKACOQjR\/QAAAgQFtAQCCAoATODYAAAAAAEDAwY="}
00445{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1426,"source":"webex.pcap","alias":"nDPId-test","flow_id":51,"flow_packet_id":2,"flow_last_seen":1444570713727,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1444570713727,"pkt":"ABoRAAACABoRAAABCABFAAAoA8NAABAGnnZQSm5ECggAAQG7gxds2YS5kyZ7R1AS\/\/9iaAAA"}
@@ -291,7 +291,7 @@
00445{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1455,"source":"webex.pcap","alias":"nDPId-test","flow_id":52,"flow_packet_id":2,"flow_last_seen":1444570716603,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1444570716603,"pkt":"ABoRAAACABoRAAABCABFAAAoA9FAABAGOOs+beWeCggAAQG7ypHfq4h9IFR3g1AS\/\/+1cAAA"}
00443{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1456,"source":"webex.pcap","alias":"nDPId-test","flow_id":52,"flow_packet_id":3,"flow_last_seen":1444570716604,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1444570716604,"pkt":"ABoRAAACABoRAAABCABFAAAolddAAEAGduQKCAABPm3lnsqRAbsgVHeD36uIflAQOQh8aQAA"}
00811{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1457,"source":"webex.pcap","alias":"nDPId-test","flow_id":52,"flow_packets_processed":4,"flow_first_seen":1444570716599,"flow_last_seen":1444570716610,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":187,"flow_tot_l4_payload_len":187,"flow_avg_l4_payload_len":46,"midstream":0,"ts_msec":1444570716610,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"62.109.229.158","src_port":51857,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Webex","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"64ea4359ad4b496db653a3f30f7073e6","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
-01190{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1460,"source":"webex.pcap","alias":"nDPId-test","flow_id":52,"flow_packets_processed":6,"flow_first_seen":1444570716599,"flow_last_seen":1444570717923,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":3907,"flow_tot_l4_payload_len":4094,"flow_avg_l4_payload_len":682,"midstream":0,"ts_msec":1444570717923,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"62.109.229.158","src_port":51857,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.Webex","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.webex.com","ja3":"64ea4359ad4b496db653a3f30f7073e6","ja3s":"4192c0a946c5bd9b544b4656d9f624a4","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","issuerDN":"C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com","fingerprint":"61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1"}}
+01191{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1460,"source":"webex.pcap","alias":"nDPId-test","flow_id":52,"flow_packets_processed":6,"flow_first_seen":1444570716599,"flow_last_seen":1444570717923,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":3907,"flow_tot_l4_payload_len":4094,"flow_avg_l4_payload_len":682,"midstream":0,"ts_msec":1444570717923,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"62.109.229.158","src_port":51857,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.Webex","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.webex.com","ja3":"64ea4359ad4b496db653a3f30f7073e6","ja3s":"4192c0a946c5bd9b544b4656d9f624a4","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com","fingerprint":"61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1"}}
00547{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1483,"source":"webex.pcap","alias":"nDPId-test","flow_id":53,"flow_packets_processed":1,"flow_first_seen":1444570718801,"flow_last_seen":1444570718801,"flow_idle_time":180000,"flow_min_l4_payload_len":8,"flow_max_l4_payload_len":8,"flow_tot_l4_payload_len":8,"flow_avg_l4_payload_len":8,"midstream":0,"ts_msec":1444570718801,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"62.109.229.158","src_port":51772,"dst_port":9000,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00438{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1483,"source":"webex.pcap","alias":"nDPId-test","flow_id":53,"flow_packet_id":1,"flow_last_seen":1444570718801,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":50,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":50,"pkt_l4_len":16,"ts_msec":1444570718801,"pkt":"ABoRAAACABoRAAABCABFAAAk4zFAAEARKYMKCAABPm3lnso8IygAEONTAQAAAAAAAAE="}
00438{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1484,"source":"webex.pcap","alias":"nDPId-test","flow_id":53,"flow_packet_id":2,"flow_last_seen":1444570718921,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":50,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":50,"pkt_l4_len":16,"ts_msec":1444570718921,"pkt":"ABoRAAACABoRAAABCABFAAAkA95AABARONc+beWeCggAASMoyjwAEESbAgAAAAC4nQE="}
@@ -316,7 +316,7 @@
00443{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1549,"source":"webex.pcap","alias":"nDPId-test","flow_id":57,"flow_packet_id":3,"flow_last_seen":1444570738422,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1444570738422,"pkt":"ABoRAAACABoRAAABCABFAAAoeOpAAEAGmPcKCAABPm3geMf7AbvAYZI2P55ty1AQOQiEJQAA"}
00809{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1550,"source":"webex.pcap","alias":"nDPId-test","flow_id":56,"flow_packets_processed":4,"flow_first_seen":1444570738415,"flow_last_seen":1444570738424,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":63,"flow_tot_l4_payload_len":63,"flow_avg_l4_payload_len":15,"midstream":0,"ts_msec":1444570738424,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"62.109.224.120","src_port":51194,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Webex","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"7cb93b2404a98399e9f84c74fef1fb8f","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
00809{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1552,"source":"webex.pcap","alias":"nDPId-test","flow_id":57,"flow_packets_processed":4,"flow_first_seen":1444570738419,"flow_last_seen":1444570738426,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":63,"flow_tot_l4_payload_len":63,"flow_avg_l4_payload_len":15,"midstream":0,"ts_msec":1444570738426,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"62.109.224.120","src_port":51195,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Webex","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1","client_requested_server_name":"","ja3":"7cb93b2404a98399e9f84c74fef1fb8f","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
-01190{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1562,"source":"webex.pcap","alias":"nDPId-test","flow_id":56,"flow_packets_processed":6,"flow_first_seen":1444570738415,"flow_last_seen":1444570740300,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":3907,"flow_tot_l4_payload_len":3970,"flow_avg_l4_payload_len":661,"midstream":0,"ts_msec":1444570740300,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"62.109.224.120","src_port":51194,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.Webex","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.webex.com","ja3":"7cb93b2404a98399e9f84c74fef1fb8f","ja3s":"91589ea825a2ee41810c85fab06d2ef6","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","issuerDN":"C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com","fingerprint":"61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1"}}
+01191{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1562,"source":"webex.pcap","alias":"nDPId-test","flow_id":56,"flow_packets_processed":6,"flow_first_seen":1444570738415,"flow_last_seen":1444570740300,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":3907,"flow_tot_l4_payload_len":3970,"flow_avg_l4_payload_len":661,"midstream":0,"ts_msec":1444570740300,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"62.109.224.120","src_port":51194,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)","8":"Weak TLS cipher"},"proto":"TLS.Webex","breed":"Acceptable","category":"VoIP"},"tls": {"version":"TLSv1","client_requested_server_name":"","server_names":"*.webex.com","ja3":"7cb93b2404a98399e9f84c74fef1fb8f","ja3s":"91589ea825a2ee41810c85fab06d2ef6","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com","fingerprint":"61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1"}}
00551{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":1580,"source":"webex.pcap","alias":"nDPId-test","flow_id":45,"flow_packets_processed":12,"flow_first_seen":1444570699096,"flow_last_seen":1444570740249,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":536,"flow_tot_l4_payload_len":1123,"flow_avg_l4_payload_len":93,"midstream":0,"ts_msec":1444570742172,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"78.46.237.91","src_port":59756,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00550{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":1580,"source":"webex.pcap","alias":"nDPId-test","flow_id":46,"flow_packets_processed":10,"flow_first_seen":1444570699101,"flow_last_seen":1444570740248,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":497,"flow_tot_l4_payload_len":831,"flow_avg_l4_payload_len":83,"midstream":0,"ts_msec":1444570742172,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"78.46.237.91","src_port":59757,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00556{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1580,"source":"webex.pcap","alias":"nDPId-test","flow_id":24,"flow_packets_processed":22,"flow_first_seen":1444570637191,"flow_last_seen":1444570733113,"flow_idle_time":180000,"flow_min_l4_payload_len":656,"flow_max_l4_payload_len":656,"flow_tot_l4_payload_len":14432,"flow_avg_l4_payload_len":656,"midstream":0,"ts_msec":1444570742172,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"172.16.1.75","src_port":64538,"dst_port":5060,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
@@ -336,7 +336,7 @@
00550{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":1580,"source":"webex.pcap","alias":"nDPId-test","flow_id":27,"flow_packets_processed":11,"flow_first_seen":1444570640284,"flow_last_seen":1444570645701,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":63,"flow_tot_l4_payload_len":63,"flow_avg_l4_payload_len":5,"midstream":0,"ts_msec":1444570742172,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"114.29.213.212","src_port":41757,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00582{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":1580,"source":"webex.pcap","alias":"nDPId-test","flow_id":53,"flow_packets_processed":16,"flow_first_seen":1444570718801,"flow_last_seen":1444570739041,"flow_idle_time":180000,"flow_min_l4_payload_len":5,"flow_max_l4_payload_len":42,"flow_tot_l4_payload_len":499,"flow_avg_l4_payload_len":31,"midstream":0,"ts_msec":1444570742172,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"62.109.229.158","src_port":51772,"dst_port":9000,"l4_proto":"udp","ndpi": {"proto":"Webex","breed":"Acceptable","category":"VoIP"}}
00553{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1580,"source":"webex.pcap","alias":"nDPId-test","flow_id":53,"flow_packets_processed":16,"flow_first_seen":1444570718801,"flow_last_seen":1444570739041,"flow_idle_time":180000,"flow_min_l4_payload_len":5,"flow_max_l4_payload_len":42,"flow_tot_l4_payload_len":499,"flow_avg_l4_payload_len":31,"midstream":0,"ts_msec":1444570742172,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"62.109.229.158","src_port":51772,"dst_port":9000,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
-00584{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":1580,"source":"webex.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":3,"flow_first_seen":1444570631058,"flow_last_seen":1444570631059,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1444570742172,"l3_proto":"ip4","src_ip":"10.133.206.47","dst_ip":"107.20.242.44","src_port":59447,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"}}
+00589{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":1580,"source":"webex.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":3,"flow_first_seen":1444570631058,"flow_last_seen":1444570631059,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1444570742172,"l3_proto":"ip4","src_ip":"10.133.206.47","dst_ip":"107.20.242.44","src_port":59447,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"}}
00550{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":1580,"source":"webex.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":3,"flow_first_seen":1444570631058,"flow_last_seen":1444570631059,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1444570742172,"l3_proto":"ip4","src_ip":"10.133.206.47","dst_ip":"107.20.242.44","src_port":59447,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00554{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":1580,"source":"webex.pcap","alias":"nDPId-test","flow_id":17,"flow_packets_processed":17,"flow_first_seen":1444570636255,"flow_last_seen":1444570639258,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":2920,"flow_tot_l4_payload_len":7052,"flow_avg_l4_payload_len":414,"midstream":0,"ts_msec":1444570742172,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"173.243.4.76","src_port":52730,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00573{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":1580,"source":"webex.pcap","alias":"nDPId-test","flow_id":33,"flow_packets_processed":5,"flow_first_seen":1444570640346,"flow_last_seen":1444570640407,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":23,"flow_tot_l4_payload_len":23,"flow_avg_l4_payload_len":4,"midstream":1,"ts_msec":1444570742172,"l3_proto":"ip4","src_ip":"10.133.206.47","dst_ip":"80.74.110.68","src_port":33459,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"}}
@@ -388,10 +388,10 @@
~~ total active/idle flows...: 57/57
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 2367040 bytes
-~~ total memory freed........: 2367040 bytes
-~~ total allocations/frees...: 37306/37306
+~~ total memory allocated....: 5005611 bytes
+~~ total memory freed........: 5005611 bytes
+~~ total allocations/frees...: 101502/101502
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 162 chars
-~~ json string max len.......: 1652 chars
+~~ json string max len.......: 1653 chars
~~ json string avg len.......: 977 chars
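Review bot: The exact allocator totals pinned in this summary block (`total memory allocated`, `total memory freed`, `total allocations/frees`) change here and again in the websocket.pcap.out hunk below, although that hunk changes no flow events at all. Pinning absolute figures makes every result file churn whenever allocation behaviour shifts, which buries the meaningful changes in this commit, such as the duplicated `issuerDN` key becoming `subjectDN`. The property worth asserting is that allocated equals freed and allocations equal frees; the absolute numbers could be masked before the comparison. The jump from 2367040 to 5005611 bytes for the same capture is presumably caused by the libnDPI update in the commit's file list, and deserves a line in the commit message so a reader can tell it is expected rather than a regression.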
diff --git a/test/results/websocket.pcap.out b/test/results/websocket.pcap.out
index 043ac00ea..b714c3a8c 100644
--- a/test/results/websocket.pcap.out
+++ b/test/results/websocket.pcap.out
@@ -14,9 +14,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1930317 bytes
-~~ total memory freed........: 1930317 bytes
-~~ total allocations/frees...: 35344/35344
+~~ total memory allocated....: 4592632 bytes
+~~ total memory freed........: 4592632 bytes
+~~ total allocations/frees...: 99540/99540
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 161 chars
~~ json string max len.......: 596 chars
diff --git a/test/results/wechat.pcap.out b/test/results/wechat.pcap.out
index 50ca4f1cc..c64fe918c 100644
--- a/test/results/wechat.pcap.out
+++ b/test/results/wechat.pcap.out
@@ -14,16 +14,16 @@
00509{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":8,"source":"wechat.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_last_seen":1492167339427,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":102,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":102,"pkt_l4_len":48,"ts_msec":1492167339427,"pkt":"MzMAAAD7eJKcD6iOht1gAAAAADARAf6AAAAAAAAAepKc\/\/4PqI7\/AgAAAAAAAAAAAAAAAAD7FOkU6QAwzvQAAAAAAAEAAAAAAAALX2dvb2dsZWNhc3QEX3RjcAVsb2NhbAAADAAB"}
00551{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":11,"source":"wechat.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":1,"flow_first_seen":1492167342857,"flow_last_seen":1492167342857,"flow_idle_time":180000,"flow_min_l4_payload_len":52,"flow_max_l4_payload_len":52,"flow_tot_l4_payload_len":52,"flow_avg_l4_payload_len":52,"midstream":0,"ts_msec":1492167342857,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"192.168.1.254","src_port":53734,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00497{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":11,"source":"wechat.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":1,"flow_last_seen":1492167342857,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":94,"pkt_l4_len":60,"ts_msec":1492167342857,"pkt":"8IQvSpdgeJKcD6iOCABFAABQ0QRAAEAR5OLAqAFnwKgB\/tHmADUAPEQCPBkBAAABAAAAAAAADHNhZmVicm93c2luZxFnb29nbGV1c2VyY29udGVudANjb20AAAEAAQ=="}
-00738{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":11,"source":"wechat.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":1,"flow_first_seen":1492167342857,"flow_last_seen":1492167342857,"flow_idle_time":180000,"flow_min_l4_payload_len":52,"flow_max_l4_payload_len":52,"flow_tot_l4_payload_len":52,"flow_avg_l4_payload_len":52,"midstream":0,"ts_msec":1492167342857,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"192.168.1.254","src_port":53734,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Tracker\/Ads","category":"Web"},"dns": {"query":"safebrowsing.googleusercontent.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
+00736{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":11,"source":"wechat.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":1,"flow_first_seen":1492167342857,"flow_last_seen":1492167342857,"flow_idle_time":180000,"flow_min_l4_payload_len":52,"flow_max_l4_payload_len":52,"flow_tot_l4_payload_len":52,"flow_avg_l4_payload_len":52,"midstream":0,"ts_msec":1492167342857,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"192.168.1.254","src_port":53734,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Acceptable","category":"Web"},"dns": {"query":"safebrowsing.googleusercontent.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
00735{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":12,"source":"wechat.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_last_seen":1492167342893,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":272,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":272,"pkt_l4_len":238,"ts_msec":1492167342893,"pkt":"eJKcD6iO8IQvSpdgCABFoAECAABAAEARtJXAqAH+wKgBZwA10eYA7qtlPBmBgAABAAIABAAEDHNhZmVicm93c2luZxFnb29nbGV1c2VyY29udGVudANjb20AAAEAAcAMAAUAAQAANssADgJzYgFsBmdvb2dsZcArwEAAAQABAAAAxwAErNkWDsBDAAIAAQAACYwABgNuczHARcBDAAIAAQAACYwABgNuczTARcBDAAIAAQAACYwABgNuczLARcBDAAIAAQAACYwABgNuczPARcBqAAEAAQABNLQABNjvIArAjgABAAEAATS0AATY7yIKwKAAAQABAAE0tAAE2O8kCsB8AAEAAQABNLQABNjvJgo="}
-00756{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":12,"source":"wechat.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":2,"flow_first_seen":1492167342857,"flow_last_seen":1492167342893,"flow_idle_time":180000,"flow_min_l4_payload_len":52,"flow_max_l4_payload_len":230,"flow_tot_l4_payload_len":282,"flow_avg_l4_payload_len":141,"midstream":0,"ts_msec":1492167342893,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"192.168.1.254","src_port":53734,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Tracker\/Ads","category":"Web"},"dns": {"query":"safebrowsing.googleusercontent.com","num_queries":1,"num_answers":10,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"172.217.22.14"}}
+00754{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":12,"source":"wechat.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":2,"flow_first_seen":1492167342857,"flow_last_seen":1492167342893,"flow_idle_time":180000,"flow_min_l4_payload_len":52,"flow_max_l4_payload_len":230,"flow_tot_l4_payload_len":282,"flow_avg_l4_payload_len":141,"midstream":0,"ts_msec":1492167342893,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"192.168.1.254","src_port":53734,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Acceptable","category":"Web"},"dns": {"query":"safebrowsing.googleusercontent.com","num_queries":1,"num_answers":10,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"172.217.22.14"}}
00549{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":13,"source":"wechat.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":1,"flow_first_seen":1492167342893,"flow_last_seen":1492167342893,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1492167342893,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"172.217.22.14","src_port":38657,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00470{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":13,"source":"wechat.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_last_seen":1492167342893,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1492167342893,"pkt":"8IQvSpdgeJKcD6iOCABFAAA8j4ZAAEAGJj\/AqAFnrNkWDpcBAbvnsj+XAAAAAKACchDgsAAAAgQFtAQCCAoAMLARAAAAAAEDAwc="}
00470{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":14,"source":"wechat.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":2,"flow_last_seen":1492167342941,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1492167342941,"pkt":"eJKcD6iO8IQvSpdgCABFoAA8xIIAADIGPqOs2RYOwKgBZwG7lwHnJuhS57I\/mKASpajHRwAAAgQFZAQCCApd2bi8ADCwEQEDAwc="}
00457{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":15,"source":"wechat.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":3,"flow_last_seen":1492167342941,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1492167342941,"pkt":"8IQvSpdgeJKcD6iOCABFAAA0j4dAAEAGJkbAqAFnrNkWDpcBAbvnsj+Y5yboU4AQAOWaewAAAQEICgAwsB1d2bi8"}
-00814{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":16,"source":"wechat.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":4,"flow_first_seen":1492167342893,"flow_last_seen":1492167342942,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":222,"flow_tot_l4_payload_len":222,"flow_avg_l4_payload_len":55,"midstream":0,"ts_msec":1492167342942,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"172.217.22.14","src_port":38657,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"safebrowsing.googleusercontent.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
-00879{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":18,"source":"wechat.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":6,"flow_first_seen":1492167342893,"flow_last_seen":1492167342995,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":1640,"flow_avg_l4_payload_len":273,"midstream":0,"ts_msec":1492167342995,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"172.217.22.14","src_port":38657,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"safebrowsing.googleusercontent.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"d655f7cd00e93ea8969c3c6e06f0156f","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","alpn":"h2,http\/1.1"}}
-01963{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":22,"source":"wechat.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":10,"flow_first_seen":1492167342893,"flow_last_seen":1492167342997,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":4434,"flow_avg_l4_payload_len":443,"midstream":0,"ts_msec":1492167342997,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"172.217.22.14","src_port":38657,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"safebrowsing.googleusercontent.com","server_names":"*.googleusercontent.com,*.apps.googleusercontent.com,*.appspot.com.storage.googleapis.com,*.blogspot.com,*.bp.blogspot.com,*.commondatastorage.googleapis.com,*.content-storage-download.googleapis.com,*.content-storage-upload.googleapis.com,*.content-storage.googleapis.com,*.doubleclickusercontent.com,*.ggpht.com,*.googledrive.com,*.googlesyndication.com,*.googleweblight.com,*.safenup.googleusercontent.com,*.sandbox.googleusercontent.com,*.storage-download.googleapis.com,*.storage-upload.googleapis.com,*.storage.googleapis.com,*.storage.select.googleapis.com,blogspot.com,bp.blogspot.com,commondatastorage.googleapis.com,doubleclickusercontent.com,ggpht.com,googledrive.com,googleusercontent.com,googleweblight.com,static.panoramio.com.storage.googleapis.com,storage.googleapis.com,storage.select.googleapis.com,unfiltered.news","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"d655f7cd00e93ea8969c3c6e06f0156f","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","issuerDN":"C=US, O=Google Inc, CN=Google Internet Authority G2","issuerDN":"C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.googleusercontent.com","alpn":"h2,http\/1.1","fingerprint":"8B:36:AF:31:A2:4C:EE:50:CC:6F:34:F7:2C:A3:C5:B6:4B:02:AC:53"}}
+00812{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":16,"source":"wechat.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":4,"flow_first_seen":1492167342893,"flow_last_seen":1492167342942,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":222,"flow_tot_l4_payload_len":222,"flow_avg_l4_payload_len":55,"midstream":0,"ts_msec":1492167342942,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"172.217.22.14","src_port":38657,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"safebrowsing.googleusercontent.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
+00877{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":18,"source":"wechat.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":6,"flow_first_seen":1492167342893,"flow_last_seen":1492167342995,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":1640,"flow_avg_l4_payload_len":273,"midstream":0,"ts_msec":1492167342995,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"172.217.22.14","src_port":38657,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"safebrowsing.googleusercontent.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"d655f7cd00e93ea8969c3c6e06f0156f","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","alpn":"h2,http\/1.1"}}
+01962{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":22,"source":"wechat.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":10,"flow_first_seen":1492167342893,"flow_last_seen":1492167342997,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":4434,"flow_avg_l4_payload_len":443,"midstream":0,"ts_msec":1492167342997,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"172.217.22.14","src_port":38657,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"safebrowsing.googleusercontent.com","server_names":"*.googleusercontent.com,*.apps.googleusercontent.com,*.appspot.com.storage.googleapis.com,*.blogspot.com,*.bp.blogspot.com,*.commondatastorage.googleapis.com,*.content-storage-download.googleapis.com,*.content-storage-upload.googleapis.com,*.content-storage.googleapis.com,*.doubleclickusercontent.com,*.ggpht.com,*.googledrive.com,*.googlesyndication.com,*.googleweblight.com,*.safenup.googleusercontent.com,*.sandbox.googleusercontent.com,*.storage-download.googleapis.com,*.storage-upload.googleapis.com,*.storage.googleapis.com,*.storage.select.googleapis.com,blogspot.com,bp.blogspot.com,commondatastorage.googleapis.com,doubleclickusercontent.com,ggpht.com,googledrive.com,googleusercontent.com,googleweblight.com,static.panoramio.com.storage.googleapis.com,storage.googleapis.com,storage.select.googleapis.com,unfiltered.news","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"d655f7cd00e93ea8969c3c6e06f0156f","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","issuerDN":"C=US, O=Google Inc, CN=Google Internet Authority G2","subjectDN":"C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.googleusercontent.com","alpn":"h2,http\/1.1","fingerprint":"8B:36:AF:31:A2:4C:EE:50:CC:6F:34:F7:2C:A3:C5:B6:4B:02:AC:53"}}
00549{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":41,"source":"wechat.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":1,"flow_first_seen":1492167345896,"flow_last_seen":1492167345896,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1492167345896,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"216.58.205.78","src_port":47627,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00457{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":41,"source":"wechat.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":1,"flow_last_seen":1492167345896,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1492167345896,"pkt":"8IQvSpdgeJKcD6iOCABFAAA0u5hAAEAGF5PAqAFn2DrNTroLAbv4cm+uICz91YAQATUbzAAAAQEICgAwswD2qQZf"}
00549{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":42,"source":"wechat.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":1,"flow_first_seen":1492167345896,"flow_last_seen":1492167345896,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1492167345896,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"172.217.23.78","src_port":53220,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
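Review bot: The expected `detected` event for flow 5 (packet 16) pins `"cipher":"TLS_NULL_WITH_NULL_NULL"` together with `"unsafe_cipher":0` and an empty `ja3s`, which looks like a not-yet-negotiated placeholder rather than an observed cipher suite. The later `detection-update` events for the same flow carry the real suite, and the same pattern appears in the webex.pcap.out context lines for flows 56 and 57. A consumer alerting on NULL cipher suites would presumably raise a false positive on this event, and one trusting `unsafe_cipher` receives a verdict before the server side has been seen. The emitting code is outside this hunk, so this is inferred from the output only; consider omitting `cipher` and `unsafe_cipher` until the server handshake is parsed, or documenting the placeholder in the flow event schema.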
@@ -33,12 +33,12 @@
00458{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":45,"source":"wechat.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_last_seen":1492167347435,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1492167347435,"pkt":"eJKcD6iO8IQvSpdgCABFoAA0LFtAACwG\/EnLzZeiwKgBZwG700RsJQ5CFiW5B4ARAQCiIgAAAQEICkXRnm4AMKsW"}
00551{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":47,"source":"wechat.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":1,"flow_first_seen":1492167350333,"flow_last_seen":1492167350333,"flow_idle_time":180000,"flow_min_l4_payload_len":33,"flow_max_l4_payload_len":33,"flow_tot_l4_payload_len":33,"flow_avg_l4_payload_len":33,"midstream":0,"ts_msec":1492167350333,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"192.168.1.254","src_port":46078,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00469{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":47,"source":"wechat.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":1,"flow_last_seen":1492167350333,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":75,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":75,"pkt_l4_len":41,"ts_msec":1492167350333,"pkt":"8IQvSpdgeJKcD6iOCABFAAA92D9AAEAR3brAqAFnwKgB\/rP+ADUAKS5MZgIBAAABAAAAAAAAA3NzbAdnc3RhdGljA2NvbQAAAQAB"}
-00719{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":47,"source":"wechat.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":1,"flow_first_seen":1492167350333,"flow_last_seen":1492167350333,"flow_idle_time":180000,"flow_min_l4_payload_len":33,"flow_max_l4_payload_len":33,"flow_tot_l4_payload_len":33,"flow_avg_l4_payload_len":33,"midstream":0,"ts_msec":1492167350333,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"192.168.1.254","src_port":46078,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Tracker\/Ads","category":"Web"},"dns": {"query":"ssl.gstatic.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
+00717{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":47,"source":"wechat.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":1,"flow_first_seen":1492167350333,"flow_last_seen":1492167350333,"flow_idle_time":180000,"flow_min_l4_payload_len":33,"flow_max_l4_payload_len":33,"flow_tot_l4_payload_len":33,"flow_avg_l4_payload_len":33,"midstream":0,"ts_msec":1492167350333,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"192.168.1.254","src_port":46078,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Acceptable","category":"Web"},"dns": {"query":"ssl.gstatic.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
00684{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":48,"source":"wechat.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":2,"flow_last_seen":1492167350372,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":234,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":234,"pkt_l4_len":200,"ts_msec":1492167350372,"pkt":"eJKcD6iO8IQvSpdgCABFoADcAABAAEARtLvAqAH+wKgBZwA1s\/4AyDQ0ZgKBgAABAAEABAAEA3NzbAdnc3RhdGljA2NvbQAAAQABwAwAAQABAAAAHQAErNkXQ8AQAAIAAQACiyoADQNuczEGZ29vZ2xlwBjAEAACAAEAAosqAAYDbnMywEHAEAACAAEAAosqAAYDbnM0wEHAEAACAAEAAosqAAYDbnMzwEHAPQABAAEABThHAATY7yAKwFYAAQABAAUudQAE2O8iCsB6AAEAAQAFLnUABNjvJArAaAABAAEABS51AATY7yYK"}
-00736{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":48,"source":"wechat.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":2,"flow_first_seen":1492167350333,"flow_last_seen":1492167350372,"flow_idle_time":180000,"flow_min_l4_payload_len":33,"flow_max_l4_payload_len":192,"flow_tot_l4_payload_len":225,"flow_avg_l4_payload_len":112,"midstream":0,"ts_msec":1492167350372,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"192.168.1.254","src_port":46078,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Tracker\/Ads","category":"Web"},"dns": {"query":"ssl.gstatic.com","num_queries":1,"num_answers":9,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"172.217.23.67"}}
+00734{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":48,"source":"wechat.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":2,"flow_first_seen":1492167350333,"flow_last_seen":1492167350372,"flow_idle_time":180000,"flow_min_l4_payload_len":33,"flow_max_l4_payload_len":192,"flow_tot_l4_payload_len":225,"flow_avg_l4_payload_len":112,"midstream":0,"ts_msec":1492167350372,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"192.168.1.254","src_port":46078,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Acceptable","category":"Web"},"dns": {"query":"ssl.gstatic.com","num_queries":1,"num_answers":9,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"172.217.23.67"}}
00560{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":49,"source":"wechat.pcap","alias":"nDPId-test","flow_id":9,"flow_packets_processed":1,"flow_first_seen":1492167350385,"flow_last_seen":1492167350385,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1492167350385,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"172.217.23.67","src_port":51507,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
02236{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":49,"source":"wechat.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":1,"flow_last_seen":1492167350385,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1492167350385,"pkt":"8IQvSpdgeJKcD6iOCABFAAVivyhAAEAR8DbAqAFnrNkXQ8kzAbsFThBpDTHWY7YNkySLUTAzNQEAZRP82mbzhTNOuyagAQAEQ0hMTx0AAABQQUQAIgEAAFNOSQAxAQAAU1RLAGsBAABWRVIAbwEAAENDUwB\/AQAATk9OQ58BAABNU1BDowEAAEFFQUSnAQAAVUFJRMgBAABTQ0lE2AEAAFRDSUTcAQAAUERNROABAABTUkJG5AEAAFNNSEzoAQAASUNTTOwBAABDVElN9AEAAE5PTlAUAgAAUFVCUzQCAABNSURTOAIAAFNDTFM8AgAAS0VYU0ACAABYTENUSAIAAENTQ1RIAgAAQ09QVEgCAABDQ1JUYAIAAElSVFRkAgAAQ0VUVggDAABDRkNXDAMAAFNGQ1cQAwAALS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS1zc2wuZ3N0YXRpYy5jb23DJ9pgKUoswhKlaAfLoi3sQZPhfUFgtpep51u0rkbBgx\/nebVFToqDPqkbsFtGn3MXCPqLWhc6j\/ixUTAzNQHogWCSkhrofu2AhqIVgpFY8Kq2MDAwMDAwMDC6zWefDMewsHm6e\/MeaJgBlt0fDWQAAABDQzIwQ2hyb21lLzU3LjAuMjk4Ny4xMzMgTGludXggeDg2XzY0Jc6XFWD7G7yXYXhVaoxdywAAAABYNTA5AAAQAAEAAAAeAAAAtqrwWAAAAAA5eOlJA3D70ONW2AJf\/ogbdqDz00OrZf\/OgXQcK6rvrAta8o74ustrYp5ItVHeFC1VJKErdNkin676crWgBJJhZAAAAAEAAABDMjU1wgnkHLidnM3CCeQcuJ2czT2t9HxBefiRQAt7kKmuees3ygAAW65hsjHRUCwmcSnHJYniTszHhABKgaojbj7US89crmIZu34dDjUIs9wDqj3f87VRLZoVe0zMx1t+ZFc1SOwYij5LWSM1YcolsQBx9V4iuTevcGsCo1kr3VNCHdz7PtfP9d6GZNrg2+YgXWbXAAnfNe23tKnBUPczWdseoa1PkV+7toc2QUBJDmQV3Doscx5oizBP3jmujZdyIIvaDPKntnnsjC8AAPAAAABgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}
-00707{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":49,"source":"wechat.pcap","alias":"nDPId-test","flow_id":9,"flow_packets_processed":1,"flow_first_seen":1492167350385,"flow_last_seen":1492167350385,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1492167350385,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"172.217.23.67","src_port":51507,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC.Google","breed":"Tracker\/Ads","category":"Web"},"quic": {"client_requested_server_name":"ssl.gstatic.com","user_agent":"Chrome\/57.0.2987.133 Linux x86_64"}}
+00705{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":49,"source":"wechat.pcap","alias":"nDPId-test","flow_id":9,"flow_packets_processed":1,"flow_first_seen":1492167350385,"flow_last_seen":1492167350385,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1492167350385,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"172.217.23.67","src_port":51507,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC.Google","breed":"Acceptable","category":"Web"},"quic": {"client_requested_server_name":"ssl.gstatic.com","user_agent":"Chrome\/57.0.2987.133 Linux x86_64"}}
00911{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":50,"source":"wechat.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":2,"flow_last_seen":1492167350386,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":400,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":400,"pkt_l4_len":366,"ts_msec":1492167350386,"pkt":"8IQvSpdgeJKcD6iOCABFAAGCvylAAEAR9BXAqAFnrNkXQ8kzAbsBbud7DTHWY7YNkySLUTAzNQLvwr0xyGRZ7meDZlovLzVjAbbzC3jR2f2rSyaEQR29GdHUR3g0xdsFTdTip7X1Nnsf4tYU5MBGkSRYowzYqBAgeAEueiV49O5ngVqvp6AacuKzAzgJV3z622EcXJUEyhTJ+nOIANjFkaDTQTI+jdNEu4FfF\/TnyxM++AGJ3to5M6SWYBz2BeCP\/OGMSC7yUukPIe4sRQeIQcXq+IYSj3PAlHKxZT8HDRP7kjwgghqQy0grhbmgn+9HaZmoQLo9gu4ijkDWy6wUW+W8oMWbJ3Ky6wEFXzApvzV\/FZNjJh6PDtkHubM5JHhhh00iIakeLzopZrU7PnZst39suCb9JKpUYtFvmoJnG3+X2ld76667v+kx3ZpHcdgXPlvpm8rm+2k6Em\/vgF23i7kHM9aRW5K+1InNa4QsADwuokzDCUylLbXZYixDaZtGruoPUyaIkf6OjyLbS2SNBQ=="}
02237{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":51,"source":"wechat.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":3,"flow_last_seen":1492167350462,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1492167350462,"pkt":"8IQvSpdgeJKcD6iOCABFAAVivzBAAEAR8C7AqAFnrNkXQ8kzAbsFTm8mDTHWY7YNkySLUTAzNQMCK\/NUmHquSjxA+X2gAQAEQ0hMTx0AAABQQUQAIgEAAFNOSQAxAQAAU1RLAGsBAABWRVIAbwEAAENDUwB\/AQAATk9OQ58BAABNU1BDowEAAEFFQUSnAQAAVUFJRMgBAABTQ0lE2AEAAFRDSUTcAQAAUERNROABAABTUkJG5AEAAFNNSEzoAQAASUNTTOwBAABDVElN9AEAAE5PTlAUAgAAUFVCUzQCAABNSURTOAIAAFNDTFM8AgAAS0VYU0ACAABYTENUSAIAAENTQ1RIAgAAQ09QVEgCAABDQ1JUYAIAAElSVFRkAgAAQ0VUVggDAABDRkNXDAMAAFNGQ1cQAwAALS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS1zc2wuZ3N0YXRpYy5jb23DJ9pgKUoswhKlaAfLoi3sQZPhfUFgtpep51u0rkbBgx\/nebVFToqDPqkbsFtGn3MXCPqLWhc6j\/ixUTAzNQHogWCSkhrofu2AhqIVgpFY8Kq2MDAwMDAwMDC6zWefDMewsHm6e\/MeaJgBlt0fDWQAAABDQzIwQ2hyb21lLzU3LjAuMjk4Ny4xMzMgTGludXggeDg2XzY0Jc6XFWD7G7yXYXhVaoxdywAAAABYNTA5AAAQAAEAAAAeAAAAtqrwWAAAAAA5eOlJA3D70ONW2AJf\/ogbdqDz00OrZf\/OgXQcK6rvrAta8o74ustrYp5ItVHeFC1VJKErdNkin676crWgBJJhZAAAAAEAAABDMjU1wgnkHLidnM3CCeQcuJ2czT2t9HxBefiRQAt7kKmuees3ygAAW65hsjHRUCwmcSnHJYniTszHhABKgaojbj7US89crmIZu34dDjUIs9wDqj3f87VRLZoVe0zMx1t+ZFc1SOwYij5LWSM1YcolsQBx9V4iuTevcGsCo1kr3VNCHdz7PtfP9d6GZNrg2+YgXWbXAAnfNe23tKnBUPczWdseoa1PkV+7toc2QUBJDmQV3Doscx5oizBP3jmujZdyIIvaDPKntnnsjC8AAPAAAABgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}
00552{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":62,"source":"wechat.pcap","alias":"nDPId-test","flow_id":10,"flow_packets_processed":1,"flow_first_seen":1492167351026,"flow_last_seen":1492167351026,"flow_idle_time":180000,"flow_min_l4_payload_len":33,"flow_max_l4_payload_len":33,"flow_tot_l4_payload_len":33,"flow_avg_l4_payload_len":33,"midstream":0,"ts_msec":1492167351026,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"192.168.1.254","src_port":55862,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
@@ -75,18 +75,18 @@
00471{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":95,"source":"wechat.pcap","alias":"nDPId-test","flow_id":17,"flow_packet_id":2,"flow_last_seen":1492167354296,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1492167354296,"pkt":"eJKcD6iO8IQvSpdgCABFoAA8AABAAC4GJp3LzZeiwKgBZwG700oogx9AoQ\/Rp6ASN8hHnAAAAgQFoAQCCApF8RKkADC62gEDAwc="}
00458{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":96,"source":"wechat.pcap","alias":"nDPId-test","flow_id":17,"flow_packet_id":3,"flow_last_seen":1492167354296,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1492167354296,"pkt":"8IQvSpdgeJKcD6iOCABFAAA0a31AAEAGqcfAqAFny82XotNKAbuhD9GnKIMfQYAQAOWs3QAAAQEICgAwuzRF8RKk"}
00846{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":98,"source":"wechat.pcap","alias":"nDPId-test","flow_id":16,"flow_packets_processed":6,"flow_first_seen":1492167353687,"flow_last_seen":1492167354430,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1428,"flow_tot_l4_payload_len":1666,"flow_avg_l4_payload_len":277,"midstream":0,"ts_msec":1492167354430,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54089,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
-01380{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":100,"source":"wechat.pcap","alias":"nDPId-test","flow_id":16,"flow_packets_processed":8,"flow_first_seen":1492167353687,"flow_last_seen":1492167354487,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1428,"flow_tot_l4_payload_len":3094,"flow_avg_l4_payload_len":386,"midstream":0,"ts_msec":1492167354487,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54089,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","issuerDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}
+01381{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":100,"source":"wechat.pcap","alias":"nDPId-test","flow_id":16,"flow_packets_processed":8,"flow_first_seen":1492167353687,"flow_last_seen":1492167354487,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1428,"flow_tot_l4_payload_len":3094,"flow_avg_l4_payload_len":386,"midstream":0,"ts_msec":1492167354487,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54089,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","subjectDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}
00790{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":114,"source":"wechat.pcap","alias":"nDPId-test","flow_id":17,"flow_packets_processed":4,"flow_first_seen":1492167353937,"flow_last_seen":1492167355372,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":238,"flow_tot_l4_payload_len":238,"flow_avg_l4_payload_len":59,"midstream":0,"ts_msec":1492167355372,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54090,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
02072{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":115,"source":"wechat.pcap","alias":"nDPId-test","flow_id":13,"flow_packet_id":3,"flow_last_seen":1492167355388,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":1254,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1254,"pkt_l4_len":1220,"ts_msec":1492167355388,"pkt":"8IQvSpdgeJKcD6iOCABFAATYn8NAAEAGcN3AqAFny82XotMqAbshWCCwT4FL\/oAYAchBqgAAAQEICgAwvEVF0aSGFwMDBJ8AAAAAAAAACSCXh69SRVNj7LxTHyTa29lyIMx5rUn\/Kbsx2RSLcx6h5Rof7MvhSBslxiMA7RM+grN19AFhFkb86ybE4QzYLqZogvxRJjzavJpiSw0h2JHTRLw5hxkIJT93\/hBnX4KXAJggRKu+zDGdqHHdv4fTutm2SVgm7d7YrX77rNoEa49Z7tjdE+lO2DuQkrDWrkIcPj0eYPzI9xDvhacp1zu+uHhR194mvhqvVQzKnG9JQA7M8yc34zhOP58E3OjjXwz3ELzMbE8lsUYni0FdVDzD5AHz2ZXkJTACi6epY43d8swMwJs750LtRYiDdf+30r4284+LeVd8LVUpJU\/rrav+ZKJhyQ9sw9XMWliErx\/Hsl\/5h3MZRKZeqbDE6P8CmhyiQOuweltYgaOp1rsNtfHpo493xewTpz5snn5PbRcKUqFF5M4r7lhwPPhIeVK4WOUH\/33+Sq98q7EPLrHMUFohSF90hiJaXtAj+rHVK1gMf9oOJW2ySdU7MX2DS86yuQ6kfFtJuGuxo1Cz6PJoomwid9YpsbBbTMx6m4z9l\/ny1t10Pd97BylHaTo6YBGXBgtaz8dbyFkkD5Nbk5dwtmaGlM9uIlF\/rv5c1A55dbIdj8naBbyQ7fTwTJFbjISBkJmpaQoU2kc\/zziP44xaoDUxaRt9Ry\/806C0HPovj+JC6hKAJhd7IU3lz1cd2EcOR09Ulbh6GcnGtGoIEgMSnOqlHSHFOvhwMJOgqMdjV4Ts3j6kz4nuUL7P9W38WCZ6Et6v6MCfJC1NHlb+BiknubpqgZZ7mM9\/dQzJwaHAVm1pExnTA0Qtn9u2w0Ob0wTvtwWHLqB8+w1X5lLgz+g0\/KazNnFwZsVC8NJt7gXfJimXlNiQyyoVZPRU5TsryE76p7eJsfK2K3vD+oV2xOy0odJivKdVU9d\/b0lN4vXAAJXGR8apbNgPqwivAZHIvQdWqFgNwio4MLv0L8zBSqiIiaIpEMDbJPlGf3NTa8KHL9KuF0\/XkvPuIqyQ1vikTJWv3M0PfnYGX\/91JwgIycN3X4tfAJPTYU1bJR8H9lqbTS68wW7e8n7Z9kn4BsSK8WdGfSG\/BGchlsNazeLO6dljFOzNH1Nb0yqv79UpRl3Kr1HkZo+mQcyTmdDq73MBTVTodPICJb5JR1YLjVlWLyhlubA3PMAZhd7v493hq7IuxuvrhHldQDGHsYcPZ0+ZYWLqkDletWw1l3zV0GxsjRhJ3s3iffY9XBpGE8EG39zicWNmnu8THVvBYw\/7ASp9iDFLWiJkigPswdmPFhkbbEWproj9M3h6bBS7Z9ohy6yUXPGG6RKTKX45Eg\/Pm2f3Y3bPQ15p4S5E260\/wYzmk6Pco8MZXXOtCrfsbgBU3U\/QFaYJziOi8kV14C9ocoOj7UNbOPlK4JGIThUQC22wBIoO4QcICqfGi12dFi3\/dZawWcVCDgNfdmaRqjA7vn2Ew3dMX8AfiCfUGFCye6yKRfSC\/KcvJG
ql1sIadq+izTaBp+jfWADKBhJTOB7x6VUd2Bs6qIc6mkvKSj4SxqM+NPNL5GVHDR9qjJ4H5zSi"}
00553{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":122,"source":"wechat.pcap","alias":"nDPId-test","flow_id":18,"flow_packets_processed":1,"flow_first_seen":1492167355723,"flow_last_seen":1492167355723,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1492167355723,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54091,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00471{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":122,"source":"wechat.pcap","alias":"nDPId-test","flow_id":18,"flow_packet_id":1,"flow_last_seen":1492167355723,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1492167355723,"pkt":"8IQvSpdgeJKcD6iOCABFAAA8P4ZAAEAG1bbAqAFny82XotNLAbtsCoMeAAAAAKACchAveAAAAgQFtAQCCAoAMLyYAAAAAAEDAwc="}
00847{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":124,"source":"wechat.pcap","alias":"nDPId-test","flow_id":17,"flow_packets_processed":6,"flow_first_seen":1492167353937,"flow_last_seen":1492167355743,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1428,"flow_tot_l4_payload_len":1666,"flow_avg_l4_payload_len":277,"midstream":0,"ts_msec":1492167355743,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54090,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
-01380{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":126,"source":"wechat.pcap","alias":"nDPId-test","flow_id":17,"flow_packets_processed":8,"flow_first_seen":1492167353937,"flow_last_seen":1492167355744,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1428,"flow_tot_l4_payload_len":3094,"flow_avg_l4_payload_len":386,"midstream":0,"ts_msec":1492167355744,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54090,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","issuerDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}
+01381{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":126,"source":"wechat.pcap","alias":"nDPId-test","flow_id":17,"flow_packets_processed":8,"flow_first_seen":1492167353937,"flow_last_seen":1492167355744,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1428,"flow_tot_l4_payload_len":3094,"flow_avg_l4_payload_len":386,"midstream":0,"ts_msec":1492167355744,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54090,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","subjectDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}
00471{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":131,"source":"wechat.pcap","alias":"nDPId-test","flow_id":18,"flow_packet_id":2,"flow_last_seen":1492167356077,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1492167356077,"pkt":"eJKcD6iO8IQvSpdgCABFoAA8AABAAC0GJ53LzZeiwKgBZwG700uz8YPYbAqDH6ASN8iq2QAAAgQFoAQCCApFrUFyADC8mAEDAwc="}
00460{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":132,"source":"wechat.pcap","alias":"nDPId-test","flow_id":18,"flow_packet_id":3,"flow_last_seen":1492167356077,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1492167356077,"pkt":"8IQvSpdgeJKcD6iOCABFAAA0P4dAAEAG1b3AqAFny82XotNLAbtsCoMfs\/GD2YAQAOUQHAAAAQEICgAwvPFFrUFy"}
00790{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":133,"source":"wechat.pcap","alias":"nDPId-test","flow_id":18,"flow_packets_processed":4,"flow_first_seen":1492167355723,"flow_last_seen":1492167356077,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":238,"flow_tot_l4_payload_len":238,"flow_avg_l4_payload_len":59,"midstream":0,"ts_msec":1492167356077,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54091,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
00847{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":151,"source":"wechat.pcap","alias":"nDPId-test","flow_id":18,"flow_packets_processed":6,"flow_first_seen":1492167355723,"flow_last_seen":1492167356488,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1428,"flow_tot_l4_payload_len":1666,"flow_avg_l4_payload_len":277,"midstream":0,"ts_msec":1492167356488,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54091,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
-01380{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":153,"source":"wechat.pcap","alias":"nDPId-test","flow_id":18,"flow_packets_processed":8,"flow_first_seen":1492167355723,"flow_last_seen":1492167356489,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1688,"flow_tot_l4_payload_len":3354,"flow_avg_l4_payload_len":419,"midstream":0,"ts_msec":1492167356489,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54091,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","issuerDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}
+01381{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":153,"source":"wechat.pcap","alias":"nDPId-test","flow_id":18,"flow_packets_processed":8,"flow_first_seen":1492167355723,"flow_last_seen":1492167356489,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1688,"flow_tot_l4_payload_len":3354,"flow_avg_l4_payload_len":419,"midstream":0,"ts_msec":1492167356489,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54091,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","subjectDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}
00537{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":167,"source":"wechat.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":3,"flow_last_seen":1492167360622,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":121,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":121,"pkt_l4_len":87,"ts_msec":1492167360622,"pkt":"eJKcD6iO8IQvSpdgCABFoABrfSgAADcGnizYOs1OwKgBZwG7ugsgLP3V+HJvr4AYAV2wggAAAQEICvap78EAL9cAFwMDADI7\/WDixcApjMc4oo49oFJiwuyoshtW5rSqz9ahoHcSOkzcmjO3CkNO6pgK6XLAf2uLNg=="}
00537{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":171,"source":"wechat.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":3,"flow_last_seen":1492167360626,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":121,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":121,"pkt_l4_len":87,"ts_msec":1492167360626,"pkt":"eJKcD6iO8IQvSpdgCABFoABr4O8AADcGG8es2RdOwKgBZwG7z+SKJZg8+z2t2oAYAVTREQAAAQEICn7IL7IAL9cCFwMDADL\/QQeiav2tbjoNjgJzOU4UPNZPR4RzRuOQ+h3eXjLhIIWjbE1Sb3YuyocNPQRCTo9EPA=="}
00553{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":183,"source":"wechat.pcap","alias":"nDPId-test","flow_id":19,"flow_packets_processed":1,"flow_first_seen":1492167366908,"flow_last_seen":1492167366908,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1492167366908,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54092,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -99,7 +99,7 @@
00471{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":193,"source":"wechat.pcap","alias":"nDPId-test","flow_id":20,"flow_packet_id":2,"flow_last_seen":1492167367489,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1492167367489,"pkt":"eJKcD6iO8IQvSpdgCABFoAA8AABAACwGKJ3LzZeiwKgBZwG7002nXL3IaYSXp6ASN8hVJQAAAgQFoAQCCApFrUycADDHwwEDAwc="}
00459{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":194,"source":"wechat.pcap","alias":"nDPId-test","flow_id":20,"flow_packet_id":3,"flow_last_seen":1492167367489,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1492167367489,"pkt":"8IQvSpdgeJKcD6iOCABFAAA0UGZAAEAGxN7AqAFny82XotNNAbtphJenp1y9yYAQAOW6bQAAAQEICgAwyBZFrUyc"}
00847{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":196,"source":"wechat.pcap","alias":"nDPId-test","flow_id":19,"flow_packets_processed":6,"flow_first_seen":1492167366908,"flow_last_seen":1492167367549,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1428,"flow_tot_l4_payload_len":1666,"flow_avg_l4_payload_len":277,"midstream":0,"ts_msec":1492167367549,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54092,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
-01380{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":198,"source":"wechat.pcap","alias":"nDPId-test","flow_id":19,"flow_packets_processed":8,"flow_first_seen":1492167366908,"flow_last_seen":1492167367550,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1428,"flow_tot_l4_payload_len":3094,"flow_avg_l4_payload_len":386,"midstream":0,"ts_msec":1492167367550,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54092,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","issuerDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}
+01381{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":198,"source":"wechat.pcap","alias":"nDPId-test","flow_id":19,"flow_packets_processed":8,"flow_first_seen":1492167366908,"flow_last_seen":1492167367550,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1428,"flow_tot_l4_payload_len":3094,"flow_avg_l4_payload_len":386,"midstream":0,"ts_msec":1492167367550,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54092,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","subjectDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}
00552{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":219,"source":"wechat.pcap","alias":"nDPId-test","flow_id":21,"flow_packets_processed":1,"flow_first_seen":1492167377896,"flow_last_seen":1492167377896,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1492167377896,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"216.58.205.142","src_port":49787,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00459{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":219,"source":"wechat.pcap","alias":"nDPId-test","flow_id":21,"flow_packet_id":1,"flow_last_seen":1492167377896,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1492167377896,"pkt":"8IQvSpdgeJKcD6iOCABFAAA0KM9AAEAGqhzAqAFn2DrNjsJ7AbvMOVSD1yvysIAQAT1vHQAAAQEICgAw0kAycerX"}
00461{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":220,"source":"wechat.pcap","alias":"nDPId-test","flow_id":21,"flow_packet_id":2,"flow_last_seen":1492167377936,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1492167377936,"pkt":"eJKcD6iO8IQvSpdgCABFoAA0Fj0AADQGCA\/YOs2OwKgBZwG7wnvXK\/KwzDlUhIAQAVQWugAAAQEICjJymzYAMHos"}
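Review bot: The removed record for packet_id 198 carried two `issuerDN` keys in one `tls` object and had been checked in as expected output, so nothing in the test path appears to reject duplicate JSON keys (inferred; the checker is not visible in this hunk). Most parsers silently keep the last value, so a consumer matching on certificate issuer would have seen the leaf subject `CN=web.wechat.com` reported as the issuer. Consider parsing each expected and emitted record with duplicate-key rejection; if the checker is Python, that could be `json.loads(line, object_pairs_hook=reject_dupes)`, where `reject_dupes` is a helper to be added that raises on a repeated key. The same duplicate appears in the removed lines of the hunks at -113, -138 and -172.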
@@ -113,17 +113,17 @@
00471{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":235,"source":"wechat.pcap","alias":"nDPId-test","flow_id":23,"flow_packet_id":2,"flow_last_seen":1492167379279,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1492167379279,"pkt":"eJKcD6iO8IQvSpdgCABFoAA8AABAAC4GJp3LzZeiwKgBZwG7009k83t+ca2jrKASN8iurAAAAgQFoAQCCApFrVgaADDTQQEDAwc="}
00459{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":236,"source":"wechat.pcap","alias":"nDPId-test","flow_id":23,"flow_packet_id":3,"flow_last_seen":1492167379279,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1492167379279,"pkt":"8IQvSpdgeJKcD6iOCABFAAA0cOtAAEAGpFnAqAFny82XotNPAbtxraOsZPN7f4AQAOUT8AAAAQEICgAw05lFrVga"}
00847{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":238,"source":"wechat.pcap","alias":"nDPId-test","flow_id":22,"flow_packets_processed":6,"flow_first_seen":1492167378674,"flow_last_seen":1492167379396,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1428,"flow_tot_l4_payload_len":1666,"flow_avg_l4_payload_len":277,"midstream":0,"ts_msec":1492167379396,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54094,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
-01380{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":240,"source":"wechat.pcap","alias":"nDPId-test","flow_id":22,"flow_packets_processed":8,"flow_first_seen":1492167378674,"flow_last_seen":1492167379397,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1688,"flow_tot_l4_payload_len":3354,"flow_avg_l4_payload_len":419,"midstream":0,"ts_msec":1492167379397,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54094,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","issuerDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}
+01381{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":240,"source":"wechat.pcap","alias":"nDPId-test","flow_id":22,"flow_packets_processed":8,"flow_first_seen":1492167378674,"flow_last_seen":1492167379397,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1688,"flow_tot_l4_payload_len":3354,"flow_avg_l4_payload_len":419,"midstream":0,"ts_msec":1492167379397,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54094,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","subjectDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}
00790{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":252,"source":"wechat.pcap","alias":"nDPId-test","flow_id":23,"flow_packets_processed":4,"flow_first_seen":1492167378926,"flow_last_seen":1492167380233,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":238,"flow_tot_l4_payload_len":238,"flow_avg_l4_payload_len":59,"midstream":0,"ts_msec":1492167380233,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54095,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
00553{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":261,"source":"wechat.pcap","alias":"nDPId-test","flow_id":24,"flow_packets_processed":1,"flow_first_seen":1492167380581,"flow_last_seen":1492167380581,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1492167380581,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54096,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00471{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":261,"source":"wechat.pcap","alias":"nDPId-test","flow_id":24,"flow_packet_id":1,"flow_last_seen":1492167380581,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1492167380581,"pkt":"8IQvSpdgeJKcD6iOCABFAAA8GvtAAEAG+kHAqAFny82XotNQAbtFV84kAAAAAKACchDy2AAAAgQFtAQCCAoAMNTfAAAAAAEDAwc="}
00847{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":265,"source":"wechat.pcap","alias":"nDPId-test","flow_id":23,"flow_packets_processed":8,"flow_first_seen":1492167378926,"flow_last_seen":1492167380590,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1428,"flow_tot_l4_payload_len":1666,"flow_avg_l4_payload_len":208,"midstream":0,"ts_msec":1492167380590,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54095,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
-01381{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":267,"source":"wechat.pcap","alias":"nDPId-test","flow_id":23,"flow_packets_processed":10,"flow_first_seen":1492167378926,"flow_last_seen":1492167380590,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1428,"flow_tot_l4_payload_len":3094,"flow_avg_l4_payload_len":309,"midstream":0,"ts_msec":1492167380590,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54095,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","issuerDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}
+01382{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":267,"source":"wechat.pcap","alias":"nDPId-test","flow_id":23,"flow_packets_processed":10,"flow_first_seen":1492167378926,"flow_last_seen":1492167380590,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1428,"flow_tot_l4_payload_len":3094,"flow_avg_l4_payload_len":309,"midstream":0,"ts_msec":1492167380590,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54095,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","subjectDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}
00471{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":272,"source":"wechat.pcap","alias":"nDPId-test","flow_id":24,"flow_packet_id":2,"flow_last_seen":1492167380894,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1492167380894,"pkt":"eJKcD6iO8IQvSpdgCABFoAA8AABAACwGKJ3LzZeiwKgBZwG701DDsQ6LRVfOJaASN8i7gwAAAgQFoAQCCApFrVm2ADDU3wEDAwc="}
00459{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":273,"source":"wechat.pcap","alias":"nDPId-test","flow_id":24,"flow_packet_id":3,"flow_last_seen":1492167380894,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1492167380894,"pkt":"8IQvSpdgeJKcD6iOCABFAAA0GvxAAEAG+kjAqAFny82XotNQAbtFV84lw7EOjIAQAOUg0QAAAQEICgAw1S1FrVm2"}
00790{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":274,"source":"wechat.pcap","alias":"nDPId-test","flow_id":24,"flow_packets_processed":4,"flow_first_seen":1492167380581,"flow_last_seen":1492167380894,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":238,"flow_tot_l4_payload_len":238,"flow_avg_l4_payload_len":59,"midstream":0,"ts_msec":1492167380894,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54096,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
00847{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":286,"source":"wechat.pcap","alias":"nDPId-test","flow_id":24,"flow_packets_processed":6,"flow_first_seen":1492167380581,"flow_last_seen":1492167381212,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1428,"flow_tot_l4_payload_len":1666,"flow_avg_l4_payload_len":277,"midstream":0,"ts_msec":1492167381212,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54096,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
-01380{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":288,"source":"wechat.pcap","alias":"nDPId-test","flow_id":24,"flow_packets_processed":8,"flow_first_seen":1492167380581,"flow_last_seen":1492167381212,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1428,"flow_tot_l4_payload_len":3094,"flow_avg_l4_payload_len":386,"midstream":0,"ts_msec":1492167381212,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54096,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","issuerDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}
+01381{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":288,"source":"wechat.pcap","alias":"nDPId-test","flow_id":24,"flow_packets_processed":8,"flow_first_seen":1492167380581,"flow_last_seen":1492167381212,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1428,"flow_tot_l4_payload_len":3094,"flow_avg_l4_payload_len":386,"midstream":0,"ts_msec":1492167381212,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54096,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","subjectDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}
00553{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":303,"source":"wechat.pcap","alias":"nDPId-test","flow_id":25,"flow_packets_processed":1,"flow_first_seen":1492167382020,"flow_last_seen":1492167382020,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1492167382020,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.211","src_port":40740,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00443{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":303,"source":"wechat.pcap","alias":"nDPId-test","flow_id":25,"flow_packet_id":1,"flow_last_seen":1492167382020,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1492167382020,"pkt":"8IQvSpdgeJKcD6iOCABFAAAokulAAEAGgjbAqAFny82X058kAbutvz98aYB+jlAQAdESKQAA"}
00452{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":304,"source":"wechat.pcap","alias":"nDPId-test","flow_id":25,"flow_packet_id":2,"flow_last_seen":1492167382374,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"ts_msec":1492167382374,"pkt":"eJKcD6iO8IQvSpdgCABFoAAoL8xAAC4G9rPLzZfTwKgBZwG7nyRpgH6Orb8\/fVAQAIMTdgAAAADZK2u8"}
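Review bot: The `detected` records for flow_id 23 and 24 in this hunk report `"cipher":"TLS_NULL_WITH_NULL_NULL"` together with `"ja3s":""` and `"unsafe_cipher":0`, while the next `detection-update` for the same flows reports `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`. The first value therefore looks like an unset default emitted before the server side of the handshake was parsed (inferred from the records; the emitter is not part of this hunk). A consumer alerting on NULL cipher suites would fire on each such flow, and one relying on `unsafe_cipher` would see a NULL suite marked as safe. It would be clearer to omit `cipher` and `ja3s` from the record until the server hello has been seen, or to state in the schema that both are placeholders at `detected` time. The hunk at -138 shows the same pattern for flow_id 27.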
@@ -138,11 +138,11 @@
00471{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":363,"source":"wechat.pcap","alias":"nDPId-test","flow_id":27,"flow_packet_id":2,"flow_last_seen":1492167401410,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1492167401410,"pkt":"eJKcD6iO8IQvSpdgCABFoAA8AABAAC0GJ53LzZeiwKgBZwG701JpITMTvRkX4aASN8iiggAAAgQFoAQCCApF0dMbADDo3wEDAwc="}
00460{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":364,"source":"wechat.pcap","alias":"nDPId-test","flow_id":27,"flow_packet_id":3,"flow_last_seen":1492167401410,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1492167401410,"pkt":"8IQvSpdgeJKcD6iOCABFAAA0\/0BAAEAGFgTAqAFny82XotNSAbu9GRfhaSEzFIAQAOUHxwAAAQEICgAw6TZF0dMb"}
00847{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":366,"source":"wechat.pcap","alias":"nDPId-test","flow_id":26,"flow_packets_processed":6,"flow_first_seen":1492167400812,"flow_last_seen":1492167401535,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1428,"flow_tot_l4_payload_len":1666,"flow_avg_l4_payload_len":277,"midstream":0,"ts_msec":1492167401535,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54097,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
-01380{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":368,"source":"wechat.pcap","alias":"nDPId-test","flow_id":26,"flow_packets_processed":8,"flow_first_seen":1492167400812,"flow_last_seen":1492167401537,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1688,"flow_tot_l4_payload_len":3354,"flow_avg_l4_payload_len":419,"midstream":0,"ts_msec":1492167401537,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54097,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","issuerDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}
+01381{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":368,"source":"wechat.pcap","alias":"nDPId-test","flow_id":26,"flow_packets_processed":8,"flow_first_seen":1492167400812,"flow_last_seen":1492167401537,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1688,"flow_tot_l4_payload_len":3354,"flow_avg_l4_payload_len":419,"midstream":0,"ts_msec":1492167401537,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54097,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","subjectDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}
00488{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":374,"source":"wechat.pcap","alias":"nDPId-test","flow_id":25,"flow_packet_id":3,"flow_last_seen":1492167402013,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":85,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":85,"pkt_l4_len":51,"ts_msec":1492167402013,"pkt":"eJKcD6iO8IQvSpdgCABFoABHL81AAC4G9pPLzZfTwKgBZwG7nyRpgH6Orb8\/fVAYAIMZWAAAFQMDABoY8p0q0Neyx8LzFoDelCtviTdTs0pFnXUR7g=="}
00790{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":382,"source":"wechat.pcap","alias":"nDPId-test","flow_id":27,"flow_packets_processed":4,"flow_first_seen":1492167401063,"flow_last_seen":1492167402310,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":238,"flow_tot_l4_payload_len":238,"flow_avg_l4_payload_len":59,"midstream":0,"ts_msec":1492167402310,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54098,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
00847{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":389,"source":"wechat.pcap","alias":"nDPId-test","flow_id":27,"flow_packets_processed":8,"flow_first_seen":1492167401063,"flow_last_seen":1492167402665,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1428,"flow_tot_l4_payload_len":1666,"flow_avg_l4_payload_len":208,"midstream":0,"ts_msec":1492167402665,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54098,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
-01381{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":391,"source":"wechat.pcap","alias":"nDPId-test","flow_id":27,"flow_packets_processed":10,"flow_first_seen":1492167401063,"flow_last_seen":1492167402666,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1688,"flow_tot_l4_payload_len":3354,"flow_avg_l4_payload_len":335,"midstream":0,"ts_msec":1492167402666,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54098,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","issuerDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}
+01382{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":391,"source":"wechat.pcap","alias":"nDPId-test","flow_id":27,"flow_packets_processed":10,"flow_first_seen":1492167401063,"flow_last_seen":1492167402666,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1688,"flow_tot_l4_payload_len":3354,"flow_avg_l4_payload_len":335,"midstream":0,"ts_msec":1492167402666,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54098,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","subjectDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}
00460{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":466,"source":"wechat.pcap","alias":"nDPId-test","flow_id":21,"flow_packet_id":3,"flow_last_seen":1492167422952,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1492167422952,"pkt":"8IQvSpdgeJKcD6iOCABFAAA0KNBAAEAGqhvAqAFn2DrNjsJ7AbvMOVSD1yvysIAQAT2SvQAAAQEICgAw\/kAycps2"}
00565{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":468,"source":"wechat.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":16,"flow_first_seen":1492167338426,"flow_last_seen":1492167413269,"flow_idle_time":180000,"flow_min_l4_payload_len":40,"flow_max_l4_payload_len":40,"flow_tot_l4_payload_len":640,"flow_avg_l4_payload_len":40,"midstream":0,"ts_msec":1492167432005,"l3_proto":"ip6","src_ip":"fe80::7a92:9cff:fe0f:a88e","dst_ip":"ff02::fb","src_port":5353,"dst_port":5353,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00556{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":468,"source":"wechat.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":16,"flow_first_seen":1492167338426,"flow_last_seen":1492167413269,"flow_idle_time":180000,"flow_min_l4_payload_len":40,"flow_max_l4_payload_len":40,"flow_tot_l4_payload_len":640,"flow_avg_l4_payload_len":40,"midstream":0,"ts_msec":1492167432005,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"224.0.0.251","src_port":5353,"dst_port":5353,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
@@ -172,14 +172,14 @@
00471{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":497,"source":"wechat.pcap","alias":"nDPId-test","flow_id":32,"flow_packet_id":2,"flow_last_seen":1492167453357,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1492167453357,"pkt":"eJKcD6iO8IQvSpdgCABFoAA8AABAAC4GJp3LzZeiwKgBZwG701Rfi5PhohYVUqASN8gDZQAAAgQFoAQCCApF0gXVADEbmgEDAwc="}
00460{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":498,"source":"wechat.pcap","alias":"nDPId-test","flow_id":32,"flow_packet_id":3,"flow_last_seen":1492167453357,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1492167453357,"pkt":"8IQvSpdgeJKcD6iOCABFAAA0DsxAAEAGBnnAqAFny82XotNUAbuiFhVSX4uT4oAQAOVoqQAAAQEICgAxG\/FF0gXV"}
00847{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":500,"source":"wechat.pcap","alias":"nDPId-test","flow_id":31,"flow_packets_processed":6,"flow_first_seen":1492167452759,"flow_last_seen":1492167453494,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1428,"flow_tot_l4_payload_len":1666,"flow_avg_l4_payload_len":277,"midstream":0,"ts_msec":1492167453494,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54099,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
-01380{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":502,"source":"wechat.pcap","alias":"nDPId-test","flow_id":31,"flow_packets_processed":8,"flow_first_seen":1492167452759,"flow_last_seen":1492167453503,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1688,"flow_tot_l4_payload_len":3354,"flow_avg_l4_payload_len":419,"midstream":0,"ts_msec":1492167453503,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54099,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","issuerDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}
+01381{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":502,"source":"wechat.pcap","alias":"nDPId-test","flow_id":31,"flow_packets_processed":8,"flow_first_seen":1492167452759,"flow_last_seen":1492167453503,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1688,"flow_tot_l4_payload_len":3354,"flow_avg_l4_payload_len":419,"midstream":0,"ts_msec":1492167453503,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54099,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","subjectDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}
00790{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":513,"source":"wechat.pcap","alias":"nDPId-test","flow_id":32,"flow_packets_processed":4,"flow_first_seen":1492167453010,"flow_last_seen":1492167454373,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":238,"flow_tot_l4_payload_len":238,"flow_avg_l4_payload_len":59,"midstream":0,"ts_msec":1492167454373,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54100,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
00553{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":515,"source":"wechat.pcap","alias":"nDPId-test","flow_id":33,"flow_packets_processed":1,"flow_first_seen":1492167454457,"flow_last_seen":1492167454457,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1492167454457,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54101,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00471{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":515,"source":"wechat.pcap","alias":"nDPId-test","flow_id":33,"flow_packet_id":1,"flow_last_seen":1492167454457,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1492167454457,"pkt":"8IQvSpdgeJKcD6iOCABFAAA86XpAAEAGK8LAqAFny82XotNVAbue7PR+AAAAAKACchAqvwAAAgQFtAQCCAoAMR0EAAAAAAEDAwc="}
00553{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":516,"source":"wechat.pcap","alias":"nDPId-test","flow_id":34,"flow_packets_processed":1,"flow_first_seen":1492167454458,"flow_last_seen":1492167454458,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1492167454458,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54102,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00471{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":516,"source":"wechat.pcap","alias":"nDPId-test","flow_id":34,"flow_packet_id":1,"flow_last_seen":1492167454458,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1492167454458,"pkt":"8IQvSpdgeJKcD6iOCABFAAA8cSZAAEAGpBbAqAFny82XotNWAbsdO2wiAAAAAKACchA0zAAAAgQFtAQCCAoAMR0EAAAAAAEDAwc="}
00847{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":521,"source":"wechat.pcap","alias":"nDPId-test","flow_id":32,"flow_packets_processed":8,"flow_first_seen":1492167453010,"flow_last_seen":1492167454734,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1428,"flow_tot_l4_payload_len":1666,"flow_avg_l4_payload_len":208,"midstream":0,"ts_msec":1492167454734,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54100,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
-01381{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":523,"source":"wechat.pcap","alias":"nDPId-test","flow_id":32,"flow_packets_processed":10,"flow_first_seen":1492167453010,"flow_last_seen":1492167454734,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1688,"flow_tot_l4_payload_len":3354,"flow_avg_l4_payload_len":335,"midstream":0,"ts_msec":1492167454734,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54100,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","issuerDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}
+01382{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":523,"source":"wechat.pcap","alias":"nDPId-test","flow_id":32,"flow_packets_processed":10,"flow_first_seen":1492167453010,"flow_last_seen":1492167454734,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1688,"flow_tot_l4_payload_len":3354,"flow_avg_l4_payload_len":335,"midstream":0,"ts_msec":1492167454734,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54100,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","subjectDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}
00471{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":530,"source":"wechat.pcap","alias":"nDPId-test","flow_id":34,"flow_packet_id":2,"flow_last_seen":1492167454801,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1492167454801,"pkt":"eJKcD6iO8IQvSpdgCABFoAA8AABAACwGKJ3LzZeiwKgBZwG701bGHEoeHTtsI6ASN8gRwgAAAgQFoAQCCApF0gdIADEdBAEDAwc="}
00459{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":531,"source":"wechat.pcap","alias":"nDPId-test","flow_id":34,"flow_packet_id":3,"flow_last_seen":1492167454802,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1492167454802,"pkt":"8IQvSpdgeJKcD6iOCABFAAA0cSdAAEAGpB3AqAFny82XotNWAbsdO2wjxhxKH4AQAOV3BwAAAQEICgAxHVpF0gdI"}
00790{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":532,"source":"wechat.pcap","alias":"nDPId-test","flow_id":34,"flow_packets_processed":4,"flow_first_seen":1492167454458,"flow_last_seen":1492167454802,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":238,"flow_tot_l4_payload_len":238,"flow_avg_l4_payload_len":59,"midstream":0,"ts_msec":1492167454802,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54102,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
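Review bot: The removed records at packet_id 502 and 523 carried two `"issuerDN"` members in the same `tls` object, and the golden file accepted that until this commit; the same pattern recurs in the following hunks (packet_id 544, 560, 569, 650). Most JSON parsers keep only the last duplicate, so a consumer matching on `issuerDN` would have seen the Tencent subject string as the issuer and lost the GeoTrust issuer entirely, which matters to anything that alerts on certificate issuer. The regenerated lines look right, and the length prefix moving from 01380 to 01381 is consistent with the one-character key rename. Nothing visible here would catch the next repeated key, though. If these result files are checked against `schema/flow_event_schema.json`, that step should also fail on duplicate member names; in a Python checker, for example, `json.loads(payload, object_pairs_hook=...)` with a hook that raises on a repeated key. Whether the test runner already does this cannot be seen from this hunk.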
@@ -188,21 +188,21 @@
00472{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":537,"source":"wechat.pcap","alias":"nDPId-test","flow_id":33,"flow_packet_id":2,"flow_last_seen":1492167454836,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1492167454836,"pkt":"eJKcD6iO8IQvSpdgCABFoAA8AABAAC4GJp3LzZeiwKgBZwG701XgAvN\/nuz0f6ASN8ip9gAAAgQFoAQCCApFraHjADEdBAEDAwc="}
00460{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":538,"source":"wechat.pcap","alias":"nDPId-test","flow_id":33,"flow_packet_id":3,"flow_last_seen":1492167454836,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1492167454836,"pkt":"8IQvSpdgeJKcD6iOCABFAAA06XtAAEAGK8nAqAFny82XotNVAbue7PR\/4ALzgIAQAOUPMwAAAQEICgAxHWNFraHj"}
00790{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":539,"source":"wechat.pcap","alias":"nDPId-test","flow_id":33,"flow_packets_processed":4,"flow_first_seen":1492167454457,"flow_last_seen":1492167454837,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":238,"flow_tot_l4_payload_len":238,"flow_avg_l4_payload_len":59,"midstream":0,"ts_msec":1492167454837,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54101,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
-01380{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":544,"source":"wechat.pcap","alias":"nDPId-test","flow_id":34,"flow_packets_processed":6,"flow_first_seen":1492167454458,"flow_last_seen":1492167455179,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":3116,"flow_tot_l4_payload_len":3354,"flow_avg_l4_payload_len":559,"midstream":0,"ts_msec":1492167455179,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54102,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","issuerDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}
+01381{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":544,"source":"wechat.pcap","alias":"nDPId-test","flow_id":34,"flow_packets_processed":6,"flow_first_seen":1492167454458,"flow_last_seen":1492167455179,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":3116,"flow_tot_l4_payload_len":3354,"flow_avg_l4_payload_len":559,"midstream":0,"ts_msec":1492167455179,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54102,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","subjectDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}
00473{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":546,"source":"wechat.pcap","alias":"nDPId-test","flow_id":35,"flow_packet_id":2,"flow_last_seen":1492167455179,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1492167455179,"pkt":"eJKcD6iO8IQvSpdgCABFoAA8AABAACwGKJ3LzZeiwKgBZwG701d\/O17O5\/QrvaASN8geewAAAgQFoAQCCApFraI2ADEdXgEDAwc="}
00459{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":547,"source":"wechat.pcap","alias":"nDPId-test","flow_id":35,"flow_packet_id":3,"flow_last_seen":1492167455179,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1492167455179,"pkt":"8IQvSpdgeJKcD6iOCABFAAA0NuNAAEAG3mHAqAFny82XotNXAbvn9Cu9fztez4AQAOWDvAAAAQEICgAxHbhFraI2"}
00790{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":550,"source":"wechat.pcap","alias":"nDPId-test","flow_id":35,"flow_packets_processed":4,"flow_first_seen":1492167454818,"flow_last_seen":1492167455180,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":238,"flow_tot_l4_payload_len":238,"flow_avg_l4_payload_len":59,"midstream":0,"ts_msec":1492167455180,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54103,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
00847{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":558,"source":"wechat.pcap","alias":"nDPId-test","flow_id":33,"flow_packets_processed":6,"flow_first_seen":1492167454457,"flow_last_seen":1492167455193,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1428,"flow_tot_l4_payload_len":1666,"flow_avg_l4_payload_len":277,"midstream":0,"ts_msec":1492167455193,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54101,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
-01380{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":560,"source":"wechat.pcap","alias":"nDPId-test","flow_id":33,"flow_packets_processed":8,"flow_first_seen":1492167454457,"flow_last_seen":1492167455196,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1688,"flow_tot_l4_payload_len":3354,"flow_avg_l4_payload_len":419,"midstream":0,"ts_msec":1492167455196,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54101,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","issuerDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}
+01381{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":560,"source":"wechat.pcap","alias":"nDPId-test","flow_id":33,"flow_packets_processed":8,"flow_first_seen":1492167454457,"flow_last_seen":1492167455196,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1688,"flow_tot_l4_payload_len":3354,"flow_avg_l4_payload_len":419,"midstream":0,"ts_msec":1492167455196,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54101,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","subjectDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}
00847{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":567,"source":"wechat.pcap","alias":"nDPId-test","flow_id":35,"flow_packets_processed":6,"flow_first_seen":1492167454818,"flow_last_seen":1492167455501,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1428,"flow_tot_l4_payload_len":1666,"flow_avg_l4_payload_len":277,"midstream":0,"ts_msec":1492167455501,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54103,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
-01380{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":569,"source":"wechat.pcap","alias":"nDPId-test","flow_id":35,"flow_packets_processed":8,"flow_first_seen":1492167454818,"flow_last_seen":1492167455502,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1428,"flow_tot_l4_payload_len":3094,"flow_avg_l4_payload_len":386,"midstream":0,"ts_msec":1492167455502,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54103,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","issuerDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}
+01381{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":569,"source":"wechat.pcap","alias":"nDPId-test","flow_id":35,"flow_packets_processed":8,"flow_first_seen":1492167454818,"flow_last_seen":1492167455502,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1428,"flow_tot_l4_payload_len":3094,"flow_avg_l4_payload_len":386,"midstream":0,"ts_msec":1492167455502,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54103,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","subjectDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}
00553{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":577,"source":"wechat.pcap","alias":"nDPId-test","flow_id":36,"flow_packets_processed":1,"flow_first_seen":1492167455528,"flow_last_seen":1492167455528,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1492167455528,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54104,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00471{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":577,"source":"wechat.pcap","alias":"nDPId-test","flow_id":36,"flow_packet_id":1,"flow_last_seen":1492167455528,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1492167455528,"pkt":"8IQvSpdgeJKcD6iOCABFAAA8kudAAEAGglXAqAFny82XotNYAbvneYz3AAAAAKACchBIqgAAAgQFtAQCCAoAMR4QAAAAAAEDAwc="}
00471{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":613,"source":"wechat.pcap","alias":"nDPId-test","flow_id":36,"flow_packet_id":2,"flow_last_seen":1492167455891,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1492167455891,"pkt":"eJKcD6iO8IQvSpdgCABFoAA8AABAAC0GJ53LzZeiwKgBZwG701iyhnqT53mM+KASN8htQwAAAgQFoAQCCApFraLqADEeEAEDAwc="}
00459{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":614,"source":"wechat.pcap","alias":"nDPId-test","flow_id":36,"flow_packet_id":3,"flow_last_seen":1492167455891,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1492167455891,"pkt":"8IQvSpdgeJKcD6iOCABFAAA0kuhAAEAGglzAqAFny82XotNYAbvneYz4soZ6lIAQAOXShAAAAQEICgAxHmpFraLq"}
00790{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":615,"source":"wechat.pcap","alias":"nDPId-test","flow_id":36,"flow_packets_processed":4,"flow_first_seen":1492167455528,"flow_last_seen":1492167455891,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":238,"flow_tot_l4_payload_len":238,"flow_avg_l4_payload_len":59,"midstream":0,"ts_msec":1492167455891,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54104,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
00847{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":648,"source":"wechat.pcap","alias":"nDPId-test","flow_id":36,"flow_packets_processed":6,"flow_first_seen":1492167455528,"flow_last_seen":1492167456251,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1428,"flow_tot_l4_payload_len":1666,"flow_avg_l4_payload_len":277,"midstream":0,"ts_msec":1492167456251,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54104,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
-01380{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":650,"source":"wechat.pcap","alias":"nDPId-test","flow_id":36,"flow_packets_processed":8,"flow_first_seen":1492167455528,"flow_last_seen":1492167456251,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1428,"flow_tot_l4_payload_len":3094,"flow_avg_l4_payload_len":386,"midstream":0,"ts_msec":1492167456251,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54104,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","issuerDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}
+01381{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":650,"source":"wechat.pcap","alias":"nDPId-test","flow_id":36,"flow_packets_processed":8,"flow_first_seen":1492167455528,"flow_last_seen":1492167456251,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1428,"flow_tot_l4_payload_len":3094,"flow_avg_l4_payload_len":386,"midstream":0,"ts_msec":1492167456251,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54104,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","subjectDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}
00586{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":836,"source":"wechat.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":6,"flow_first_seen":1492167337792,"flow_last_seen":1492167353998,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":604,"flow_tot_l4_payload_len":604,"flow_avg_l4_payload_len":100,"midstream":1,"ts_msec":1492167477895,"l3_proto":"ip4","src_ip":"203.205.151.162","dst_ip":"192.168.1.103","src_port":443,"dst_port":54084,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"}}
00558{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":836,"source":"wechat.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":6,"flow_first_seen":1492167337792,"flow_last_seen":1492167353998,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":604,"flow_tot_l4_payload_len":604,"flow_avg_l4_payload_len":100,"midstream":1,"ts_msec":1492167477895,"l3_proto":"ip4","src_ip":"203.205.151.162","dst_ip":"192.168.1.103","src_port":443,"dst_port":54084,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00581{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":836,"source":"wechat.pcap","alias":"nDPId-test","flow_id":15,"flow_packets_processed":3,"flow_first_seen":1492167353687,"flow_last_seen":1492167354015,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1492167477895,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54085,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"}}
@@ -228,12 +228,12 @@
00562{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":840,"source":"wechat.pcap","alias":"nDPId-test","flow_id":36,"flow_packets_processed":17,"flow_first_seen":1492167455528,"flow_last_seen":1492167467498,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1428,"flow_tot_l4_payload_len":3531,"flow_avg_l4_payload_len":207,"midstream":0,"ts_msec":1492167617247,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54104,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00556{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":840,"source":"wechat.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":2,"flow_first_seen":1492167342857,"flow_last_seen":1492167342893,"flow_idle_time":180000,"flow_min_l4_payload_len":52,"flow_max_l4_payload_len":230,"flow_tot_l4_payload_len":282,"flow_avg_l4_payload_len":141,"midstream":0,"ts_msec":1492167617247,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"192.168.1.254","src_port":53734,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00557{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":840,"source":"wechat.pcap","alias":"nDPId-test","flow_id":10,"flow_packets_processed":2,"flow_first_seen":1492167351026,"flow_last_seen":1492167351061,"flow_idle_time":180000,"flow_min_l4_payload_len":33,"flow_max_l4_payload_len":185,"flow_tot_l4_payload_len":218,"flow_avg_l4_payload_len":109,"midstream":0,"ts_msec":1492167617247,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"192.168.1.254","src_port":55862,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
-00588{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":840,"source":"wechat.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":8,"flow_first_seen":1492167345896,"flow_last_seen":1492167360666,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":55,"flow_tot_l4_payload_len":55,"flow_avg_l4_payload_len":6,"midstream":1,"ts_msec":1492167617247,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"172.217.23.78","src_port":53220,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"}}
+00586{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":840,"source":"wechat.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":8,"flow_first_seen":1492167345896,"flow_last_seen":1492167360666,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":55,"flow_tot_l4_payload_len":55,"flow_avg_l4_payload_len":6,"midstream":1,"ts_msec":1492167617247,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"172.217.23.78","src_port":53220,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Web"}}
00552{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":840,"source":"wechat.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":8,"flow_first_seen":1492167345896,"flow_last_seen":1492167360666,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":55,"flow_tot_l4_payload_len":55,"flow_avg_l4_payload_len":6,"midstream":1,"ts_msec":1492167617247,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"172.217.23.78","src_port":53220,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00560{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":840,"source":"wechat.pcap","alias":"nDPId-test","flow_id":9,"flow_packets_processed":13,"flow_first_seen":1492167350385,"flow_last_seen":1492167350562,"flow_idle_time":180000,"flow_min_l4_payload_len":30,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":6290,"flow_avg_l4_payload_len":483,"midstream":0,"ts_msec":1492167617247,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"172.217.23.67","src_port":51507,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00556{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":840,"source":"wechat.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":2,"flow_first_seen":1492167350333,"flow_last_seen":1492167350372,"flow_idle_time":180000,"flow_min_l4_payload_len":33,"flow_max_l4_payload_len":192,"flow_tot_l4_payload_len":225,"flow_avg_l4_payload_len":112,"midstream":0,"ts_msec":1492167617247,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"192.168.1.254","src_port":46078,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00561{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":840,"source":"wechat.pcap","alias":"nDPId-test","flow_id":11,"flow_packets_processed":13,"flow_first_seen":1492167351067,"flow_last_seen":1492167352398,"flow_idle_time":180000,"flow_min_l4_payload_len":28,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":4266,"flow_avg_l4_payload_len":328,"midstream":0,"ts_msec":1492167617247,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"216.58.198.46","src_port":57591,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
-00588{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":840,"source":"wechat.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":7,"flow_first_seen":1492167345896,"flow_last_seen":1492167360663,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":55,"flow_tot_l4_payload_len":55,"flow_avg_l4_payload_len":7,"midstream":1,"ts_msec":1492167617247,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"216.58.205.78","src_port":47627,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"}}
+00586{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":840,"source":"wechat.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":7,"flow_first_seen":1492167345896,"flow_last_seen":1492167360663,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":55,"flow_tot_l4_payload_len":55,"flow_avg_l4_payload_len":7,"midstream":1,"ts_msec":1492167617247,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"216.58.205.78","src_port":47627,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Web"}}
00552{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":840,"source":"wechat.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":7,"flow_first_seen":1492167345896,"flow_last_seen":1492167360663,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":55,"flow_tot_l4_payload_len":55,"flow_avg_l4_payload_len":7,"midstream":1,"ts_msec":1492167617247,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"216.58.205.78","src_port":47627,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00576{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":840,"source":"wechat.pcap","alias":"nDPId-test","flow_id":25,"flow_packets_processed":8,"flow_first_seen":1492167382020,"flow_last_seen":1492167402666,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":31,"flow_tot_l4_payload_len":31,"flow_avg_l4_payload_len":3,"midstream":1,"ts_msec":1492167617247,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.211","src_port":40740,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"}}
00555{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":840,"source":"wechat.pcap","alias":"nDPId-test","flow_id":25,"flow_packets_processed":8,"flow_first_seen":1492167382020,"flow_last_seen":1492167402666,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":31,"flow_tot_l4_payload_len":31,"flow_avg_l4_payload_len":3,"midstream":1,"ts_msec":1492167617247,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.211","src_port":40740,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -255,7 +255,7 @@
00471{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":849,"source":"wechat.pcap","alias":"nDPId-test","flow_id":40,"flow_packet_id":2,"flow_last_seen":1492167617850,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1492167617850,"pkt":"eJKcD6iO8IQvSpdgCABFoAA8AABAACwGKJ3LzZeiwKgBZwG702Andsj9g29laaASN8iTkQAAAgQFoAQCCApF0qaCADG8PAEDAwc="}
00461{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":850,"source":"wechat.pcap","alias":"nDPId-test","flow_id":40,"flow_packet_id":3,"flow_last_seen":1492167617850,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1492167617850,"pkt":"8IQvSpdgeJKcD6iOCABFAAA02VVAAEAGO+\/AqAFny82XotNgAbuDb2VpJ3bI\/oAQAOX41AAAAQEICgAxvJRF0qaC"}
00847{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":852,"source":"wechat.pcap","alias":"nDPId-test","flow_id":39,"flow_packets_processed":6,"flow_first_seen":1492167617248,"flow_last_seen":1492167617881,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1428,"flow_tot_l4_payload_len":1666,"flow_avg_l4_payload_len":277,"midstream":0,"ts_msec":1492167617881,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54111,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
-01380{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":854,"source":"wechat.pcap","alias":"nDPId-test","flow_id":39,"flow_packets_processed":8,"flow_first_seen":1492167617248,"flow_last_seen":1492167617883,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1428,"flow_tot_l4_payload_len":3094,"flow_avg_l4_payload_len":386,"midstream":0,"ts_msec":1492167617883,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54111,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","issuerDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}
+01381{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":854,"source":"wechat.pcap","alias":"nDPId-test","flow_id":39,"flow_packets_processed":8,"flow_first_seen":1492167617248,"flow_last_seen":1492167617883,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1428,"flow_tot_l4_payload_len":3094,"flow_avg_l4_payload_len":386,"midstream":0,"ts_msec":1492167617883,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54111,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","subjectDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}
00553{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":874,"source":"wechat.pcap","alias":"nDPId-test","flow_id":41,"flow_packets_processed":1,"flow_first_seen":1492167619048,"flow_last_seen":1492167619048,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1492167619048,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54106,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00459{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":874,"source":"wechat.pcap","alias":"nDPId-test","flow_id":41,"flow_packet_id":1,"flow_last_seen":1492167619048,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1492167619048,"pkt":"8IQvSpdgeJKcD6iOCABFAAA0Dr9AAEAGBobAqAFny82XotNaAbub+DW+SvgsEIARAOUtjAAAAQEICgAxvcBFrgFX"}
00563{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":880,"source":"wechat.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":20,"flow_first_seen":1492167338426,"flow_last_seen":1492167458187,"flow_idle_time":180000,"flow_min_l4_payload_len":40,"flow_max_l4_payload_len":40,"flow_tot_l4_payload_len":800,"flow_avg_l4_payload_len":40,"midstream":0,"ts_msec":1492167639304,"l3_proto":"ip6","src_ip":"fe80::7a92:9cff:fe0f:a88e","dst_ip":"ff02::fb","src_port":5353,"dst_port":5353,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
@@ -270,7 +270,7 @@
00471{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":893,"source":"wechat.pcap","alias":"nDPId-test","flow_id":43,"flow_packet_id":2,"flow_last_seen":1492167640450,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1492167640450,"pkt":"eJKcD6iO8IQvSpdgCABFoAA8AABAACwGKJ3LzZeiwKgBZwG702LyUvm4GyuHH6ASN8hErAAAAgQFoAQCCApF8iogADHSWAEDAwc="}
00460{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":894,"source":"wechat.pcap","alias":"nDPId-test","flow_id":43,"flow_packet_id":3,"flow_last_seen":1492167640450,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1492167640450,"pkt":"8IQvSpdgeJKcD6iOCABFAAA0VUdAAEAGv\/3AqAFny82XotNiAbsbK4cf8lL5uYAQAOWp+QAAAQEICgAx0qZF8iog"}
00847{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":896,"source":"wechat.pcap","alias":"nDPId-test","flow_id":42,"flow_packets_processed":6,"flow_first_seen":1492167639887,"flow_last_seen":1492167640523,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1428,"flow_tot_l4_payload_len":1666,"flow_avg_l4_payload_len":277,"midstream":0,"ts_msec":1492167640523,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54113,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
-01380{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":898,"source":"wechat.pcap","alias":"nDPId-test","flow_id":42,"flow_packets_processed":8,"flow_first_seen":1492167639887,"flow_last_seen":1492167640523,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1428,"flow_tot_l4_payload_len":3094,"flow_avg_l4_payload_len":386,"midstream":0,"ts_msec":1492167640523,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54113,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","issuerDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}
+01381{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":898,"source":"wechat.pcap","alias":"nDPId-test","flow_id":42,"flow_packets_processed":8,"flow_first_seen":1492167639887,"flow_last_seen":1492167640523,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1428,"flow_tot_l4_payload_len":3094,"flow_avg_l4_payload_len":386,"midstream":0,"ts_msec":1492167640523,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54113,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","subjectDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}
00552{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":924,"source":"wechat.pcap","alias":"nDPId-test","flow_id":44,"flow_packets_processed":1,"flow_first_seen":1492167641988,"flow_last_seen":1492167641988,"flow_idle_time":180000,"flow_min_l4_payload_len":40,"flow_max_l4_payload_len":40,"flow_tot_l4_payload_len":40,"flow_avg_l4_payload_len":40,"midstream":0,"ts_msec":1492167641988,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"224.0.0.251","src_port":5353,"dst_port":5353,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00482{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":924,"source":"wechat.pcap","alias":"nDPId-test","flow_id":44,"flow_packet_id":1,"flow_last_seen":1492167641988,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":82,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":82,"pkt_l4_len":48,"ts_msec":1492167641988,"pkt":"AQBeAAD7eJKcD6iOCABFAABEonJAAAERNCzAqAFn4AAA+xTpFOkAMOiYAAAAAAABAAAAAAAAC19nb29nbGVjYXN0BF90Y3AFbG9jYWwAAAwAAQ=="}
00629{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":924,"source":"wechat.pcap","alias":"nDPId-test","flow_id":44,"flow_packets_processed":1,"flow_first_seen":1492167641988,"flow_last_seen":1492167641988,"flow_idle_time":180000,"flow_min_l4_payload_len":40,"flow_max_l4_payload_len":40,"flow_tot_l4_payload_len":40,"flow_avg_l4_payload_len":40,"midstream":0,"ts_msec":1492167641988,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"224.0.0.251","src_port":5353,"dst_port":5353,"l4_proto":"udp","ndpi": {"proto":"MDNS","breed":"Acceptable","category":"Network"},"mdns": {"answer":"_googlecast._tcp.local"}}
@@ -296,15 +296,15 @@
00460{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":945,"source":"wechat.pcap","alias":"nDPId-test","flow_id":48,"flow_packet_id":2,"flow_last_seen":1492167648873,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1492167648873,"pkt":"eJKcD6iO8IQvSpdgCABFoAA0AABAADEGHSXLzZ4iwKgBZwG7q0tO\/rLJEoYlf4ASOQgjJgAAAgQFtAEBBAIBAwMH"}
00444{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":946,"source":"wechat.pcap","alias":"nDPId-test","flow_id":48,"flow_packet_id":3,"flow_last_seen":1492167648873,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1492167648873,"pkt":"8IQvSpdgeJKcD6iOCABFAAAoAABAAEAGDtHAqAFny82eIqtLAbsShiV\/Tv6yylAQAOWcGwAA"}
00872{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":968,"source":"wechat.pcap","alias":"nDPId-test","flow_id":47,"flow_packets_processed":6,"flow_first_seen":1492167648277,"flow_last_seen":1492167648902,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":1977,"flow_avg_l4_payload_len":329,"midstream":0,"ts_msec":1492167648902,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.158.34","src_port":43850,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8":"Weak TLS cipher"},"proto":"TLS.QQ","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"res.wx.qq.com","ja3":"550dce18de1bb143e69d6dd9413b8355","ja3s":"290adf098a54ade688d1df074dbecbf2","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_GCM_SHA384","alpn":"h2,http\/1.1"}}
-01435{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":970,"source":"wechat.pcap","alias":"nDPId-test","flow_id":47,"flow_packets_processed":8,"flow_first_seen":1492167648277,"flow_last_seen":1492167648903,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":3430,"flow_tot_l4_payload_len":5407,"flow_avg_l4_payload_len":675,"midstream":0,"ts_msec":1492167648903,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.158.34","src_port":43850,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8":"Weak TLS cipher"},"proto":"TLS.QQ","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"res.wx.qq.com","server_names":"wx1.qq.com,webpush.wx.qq.com,webpush1.weixin.qq.com,loginpoll.weixin.qq.com,login.wx.qq.com,file.wx2.qq.com,wx2.qq.com,login.wx2.qq.com,wxitil.qq.com,file.wx.qq.com,login.weixin.qq.com,webpush2.weixin.qq.com,webpush.wx2.qq.com,webpush.weixin.qq.com,web.weixin.qq.com,res.wx.qq.com,wx.qq.com","ja3":"550dce18de1bb143e69d6dd9413b8355","ja3s":"290adf098a54ade688d1df074dbecbf2","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","issuerDN":"C=CN, ST=Guangdong, L=Shenzhen, O=Shenzhen Tencent Computer Systems Company Limited, OU=R&D, CN=wx.qq.com","alpn":"h2,http\/1.1","fingerprint":"67:53:57:7F:22:BB:D0:A6:D4:5F:A6:D4:B3:0A:13:73:29:23:D0:C9"}}
+01436{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":970,"source":"wechat.pcap","alias":"nDPId-test","flow_id":47,"flow_packets_processed":8,"flow_first_seen":1492167648277,"flow_last_seen":1492167648903,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":3430,"flow_tot_l4_payload_len":5407,"flow_avg_l4_payload_len":675,"midstream":0,"ts_msec":1492167648903,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.158.34","src_port":43850,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8":"Weak TLS cipher"},"proto":"TLS.QQ","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"res.wx.qq.com","server_names":"wx1.qq.com,webpush.wx.qq.com,webpush1.weixin.qq.com,loginpoll.weixin.qq.com,login.wx.qq.com,file.wx2.qq.com,wx2.qq.com,login.wx2.qq.com,wxitil.qq.com,file.wx.qq.com,login.weixin.qq.com,webpush2.weixin.qq.com,webpush.wx2.qq.com,webpush.weixin.qq.com,web.weixin.qq.com,res.wx.qq.com,wx.qq.com","ja3":"550dce18de1bb143e69d6dd9413b8355","ja3s":"290adf098a54ade688d1df074dbecbf2","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","subjectDN":"C=CN, ST=Guangdong, L=Shenzhen, O=Shenzhen Tencent Computer Systems Company Limited, OU=R&D, CN=wx.qq.com","alpn":"h2,http\/1.1","fingerprint":"67:53:57:7F:22:BB:D0:A6:D4:5F:A6:D4:B3:0A:13:73:29:23:D0:C9"}}
00553{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":997,"source":"wechat.pcap","alias":"nDPId-test","flow_id":49,"flow_packets_processed":1,"flow_first_seen":1492167650311,"flow_last_seen":1492167650311,"flow_idle_time":180000,"flow_min_l4_payload_len":33,"flow_max_l4_payload_len":33,"flow_tot_l4_payload_len":33,"flow_avg_l4_payload_len":33,"midstream":0,"ts_msec":1492167650311,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"192.168.1.254","src_port":60562,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00471{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":997,"source":"wechat.pcap","alias":"nDPId-test","flow_id":49,"flow_packet_id":1,"flow_last_seen":1492167650311,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":75,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":75,"pkt_l4_len":41,"ts_msec":1492167650311,"pkt":"8IQvSpdgeJKcD6iOCABFAAA916xAAEAR3k3AqAFnwKgB\/uySADUAKTCBKzkBAAABAAAAAAAAA3NzbAdnc3RhdGljA2NvbQAAAQAB"}
-00721{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":997,"source":"wechat.pcap","alias":"nDPId-test","flow_id":49,"flow_packets_processed":1,"flow_first_seen":1492167650311,"flow_last_seen":1492167650311,"flow_idle_time":180000,"flow_min_l4_payload_len":33,"flow_max_l4_payload_len":33,"flow_tot_l4_payload_len":33,"flow_avg_l4_payload_len":33,"midstream":0,"ts_msec":1492167650311,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"192.168.1.254","src_port":60562,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Tracker\/Ads","category":"Web"},"dns": {"query":"ssl.gstatic.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
+00719{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":997,"source":"wechat.pcap","alias":"nDPId-test","flow_id":49,"flow_packets_processed":1,"flow_first_seen":1492167650311,"flow_last_seen":1492167650311,"flow_idle_time":180000,"flow_min_l4_payload_len":33,"flow_max_l4_payload_len":33,"flow_tot_l4_payload_len":33,"flow_avg_l4_payload_len":33,"midstream":0,"ts_msec":1492167650311,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"192.168.1.254","src_port":60562,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Acceptable","category":"Web"},"dns": {"query":"ssl.gstatic.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
00685{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":998,"source":"wechat.pcap","alias":"nDPId-test","flow_id":49,"flow_packet_id":2,"flow_last_seen":1492167650345,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":234,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":234,"pkt_l4_len":200,"ts_msec":1492167650345,"pkt":"eJKcD6iO8IQvSpdgCABFoADcAABAAEARtLvAqAH+wKgBZwA17JIAyGqeKzmBgAABAAEABAAEA3NzbAdnc3RhdGljA2NvbQAAAQABwAwAAQABAAAAHQAErNkXQ8AQAAIAAQACif4ADQNuczEGZ29vZ2xlwBjAEAACAAEAAon+AAYDbnM0wEHAEAACAAEAAon+AAYDbnMywEHAEAACAAEAAon+AAYDbnMzwEHAPQABAAEABTcbAATY7yAKwGgAAQABAAUtSQAE2O8iCsB6AAEAAQAFLUkABNjvJArAVgABAAEABS1JAATY7yYK"}
-00738{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":998,"source":"wechat.pcap","alias":"nDPId-test","flow_id":49,"flow_packets_processed":2,"flow_first_seen":1492167650311,"flow_last_seen":1492167650345,"flow_idle_time":180000,"flow_min_l4_payload_len":33,"flow_max_l4_payload_len":192,"flow_tot_l4_payload_len":225,"flow_avg_l4_payload_len":112,"midstream":0,"ts_msec":1492167650345,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"192.168.1.254","src_port":60562,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Tracker\/Ads","category":"Web"},"dns": {"query":"ssl.gstatic.com","num_queries":1,"num_answers":9,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"172.217.23.67"}}
+00736{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":998,"source":"wechat.pcap","alias":"nDPId-test","flow_id":49,"flow_packets_processed":2,"flow_first_seen":1492167650311,"flow_last_seen":1492167650345,"flow_idle_time":180000,"flow_min_l4_payload_len":33,"flow_max_l4_payload_len":192,"flow_tot_l4_payload_len":225,"flow_avg_l4_payload_len":112,"midstream":0,"ts_msec":1492167650345,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"192.168.1.254","src_port":60562,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Acceptable","category":"Web"},"dns": {"query":"ssl.gstatic.com","num_queries":1,"num_answers":9,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"172.217.23.67"}}
00562{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":999,"source":"wechat.pcap","alias":"nDPId-test","flow_id":50,"flow_packets_processed":1,"flow_first_seen":1492167650348,"flow_last_seen":1492167650348,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1492167650348,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"172.217.23.67","src_port":35601,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
02239{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":999,"source":"wechat.pcap","alias":"nDPId-test","flow_id":50,"flow_packet_id":1,"flow_last_seen":1492167650348,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1492167650348,"pkt":"8IQvSpdgeJKcD6iOCABFAAVibiVAAEARQTrAqAFnrNkXQ4sRAbsFTiZlDSoBZwIONIO7UTAzNQGbgwNlLywtCSgLtCegAQAEQ0hMTx0AAABQQUQAIgEAAFNOSQAxAQAAU1RLAGsBAABWRVIAbwEAAENDUwB\/AQAATk9OQ58BAABNU1BDowEAAEFFQUSnAQAAVUFJRMgBAABTQ0lE2AEAAFRDSUTcAQAAUERNROABAABTUkJG5AEAAFNNSEzoAQAASUNTTOwBAABDVElN9AEAAE5PTlAUAgAAUFVCUzQCAABNSURTOAIAAFNDTFM8AgAAS0VYU0ACAABYTENUSAIAAENTQ1RIAgAAQ09QVEgCAABDQ1JUYAIAAElSVFRkAgAAQ0VUVggDAABDRkNXDAMAAFNGQ1cQAwAALS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS1zc2wuZ3N0YXRpYy5jb227JKt8ARxJVGRWJtplczZ+Y0Ub6N9qmKgMLrSZKyo986eVN4hLCQ8XNjFEbipb4AqXbG2doRLcUxXPUTAzNQHogWCSkhrofu2AhqIVgpFY8KviMDAwMDAwMDA5UDTgFLbVCW\/cQ8zfwllNkC+Y3GQAAABDQzIwQ2hyb21lLzU3LjAuMjk4Ny4xMzMgTGludXggeDg2XzY0Jc6XFWD7G7yXYXhVaoxdywAAAABYNTA5AAAQAAEAAAAeAAAA4qvwWAAAAABQ8MfjcV\/rNPz9nE7SSiHC6cDht5RKlsv0JChHgsKm0olGM4pgTHU2HYUvFhtNkOqQx\/75FAQP87Et+xOmGXIhZAAAAAEAAABDMjU1wgnkHLidnM3CCeQcuJ2czT2t9HxBefiRQAt7kKmuees8hQEA9eDJxrTnigGUXAfpWeAkSroNTkBs4scsx1Ra2LSNreNDFvpSDuqq6UeKpHg6NTM40g2RnXl5QzirTperKCTKzWwn+4\/bmuO2uGlriSPr4ExcTigYtlruN8fxdgnsCAuRhi2\/JFjFnbJqpKvDwpzJerd7H8C9zsxPzgMehsK4\/vItkCcZuwJmgaicPHLBf9M3RGKygCyV25zBdoSYTv7XUf5XBhgAAPAAAABgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}
-00709{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":999,"source":"wechat.pcap","alias":"nDPId-test","flow_id":50,"flow_packets_processed":1,"flow_first_seen":1492167650348,"flow_last_seen":1492167650348,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1492167650348,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"172.217.23.67","src_port":35601,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC.Google","breed":"Tracker\/Ads","category":"Web"},"quic": {"client_requested_server_name":"ssl.gstatic.com","user_agent":"Chrome\/57.0.2987.133 Linux x86_64"}}
+00707{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":999,"source":"wechat.pcap","alias":"nDPId-test","flow_id":50,"flow_packets_processed":1,"flow_first_seen":1492167650348,"flow_last_seen":1492167650348,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1492167650348,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"172.217.23.67","src_port":35601,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC.Google","breed":"Acceptable","category":"Web"},"quic": {"client_requested_server_name":"ssl.gstatic.com","user_agent":"Chrome\/57.0.2987.133 Linux x86_64"}}
00915{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1000,"source":"wechat.pcap","alias":"nDPId-test","flow_id":50,"flow_packet_id":2,"flow_last_seen":1492167650348,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":400,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":400,"pkt_l4_len":366,"ts_msec":1492167650348,"pkt":"8IQvSpdgeJKcD6iOCABFAAGCbiZAAEARRRnAqAFnrNkXQ4sRAbsBbnP9DSoBZwIONIO7UTAzNQLoUPe6\/kTOTlflPotTtybyc+JAmHNEvZwUaT+Y9MqSJDNXVlUHwBVN0wAQzobHU4rvOkVihYNG2ScjXRicw6QFTtMMe25DwzQ7F0UKP\/Y\/8HMbQmw9b+v7cjBNs8yLamuYyeUaQ6lA73AshAIuQPhL6IslIuIHWs+l0MLo2wd57CZSUFbeEQQGDWtD8b5mwEuaZ88hm8yA3WeZQ9Zu4UUro5Belh+M9DB8RCMbVDEQZk6oJR+FSwF3TriZCorpIzSRESc2crvu7FP1Tb9g0NyoL87e9cFlDFVypNQfdhNO+iEyVuMUtOGb6OQn1vrWvB\/icrLc4DopKhApNyBIG\/+MQmYuPalP+mCA4FXxaPeMi1RdjyuuqxJb39HK+6wmJsCzWDR6cvDTk6ywHmETP0AOjEu+QTifJk6chcMbgKmp0ErfBPvocLYD7Yj8Qw2lL48a1tEWZIz4lw=="}
02257{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1001,"source":"wechat.pcap","alias":"nDPId-test","flow_id":50,"flow_packet_id":3,"flow_last_seen":1492167650401,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1492167650401,"pkt":"eJKcD6iO8IQvSpdgCABFoAViAABAADcRt7+s2RdDwKgBZwG7ixEFTkCsBPCmO80d\/CW5IJoqjbn6lzjr5TC1v3d2foeU3jLNcA4IAV35th92JTinR3E92La4uW3lsByHG3R1axVDDHGrIc2Dhs2S+7aBzkyVbwcuUK77hYdmfJ4TJuEFhTaYjceo9r51oYeJqOHOCc1BBmB5E+A58P\/H55fRg4dxRA9v1f2aVQ6I67HK4M7mS7147fzZ170E12rNhRLBsPAWwZ8U93ZWKjAcVK9waq7ihKZ\/GTyfNPuOCQnhcxCFRMVEx2xx65NSFauaw3a1qVgRV428j6Bchcyom0cvPgxBbWJUmObxkeqmQAFmTPCN6igcJnamWF5CRIXtlRtvIVi8G3Rds0EdWXNYvxaTSkwCziFaIH6mAaz9hCwjxATLUAdqd1Yo+wN5ikpGmpiBzh3Coj125lb7YXMKgdIF\/8K12iKaeICQ1ArpMEt9vvWxk35P363XmPN9SjUjvFqh8rl+ETiuGHzQwTYDZUwFRT8Tnc90FuuWkSHrjLuI78eE0u2MPArYDWbkXnAkM9f\/B1mpEGpwrQCQA0PHuwaHNDaEcqfk+htDhYfF2k76y25VNuFHeOfHnAe8W\/L6MSq0NvvJdxpclRqAM5S2hcBrDwho6FgiBa0XuPrQx61q\/3nmcTSWb0DXXos+FWaLGj1Jg4cyk4xSeKoZfxTTY8qOxPxWcSNcXXGMVMwz3NtJzwB28A6uPq8NBF+APnNiUzkLELf20sskbghw4Wvw2P5GvZ6Z0iUqrAzGSGc0IroovL34w3TMmjBnTPzAWKnwYJxIrcFH65r\/43AXULA7mwVKw7TuryWaAn8PVofDMn5VL+m8Bc4anaE3270Gx7DXXa3CWGylYl6IhspD51Ji7UqD6pJpDanmkxF7QRS0mZz7M+VCAuE5+TvKpba5WKwmCrXKMkHXnBfHSx4yC\/BngUmyj5AqU\/35FBtHK2MhZhT3uv3ixGib\/DhROgxNj\/fCIDmyLmZy6LuI15IWBQr2uiGWD15jLW9srpQ3r\/cpXrjFWrIOILP7BDqFX16AVMtIyhn8QUmpyMBzWR3rPBVnAwwCQUSi7lOuHYSBa2JAApapl8ibPeq+IESORJ2WC1jpiGlKVsyKHvCUxM4DB9CDGl+VMCLfBwTUsv9jC9A0oISxfI+skno\/pMiMhfE+1+tVpq0kVbytQk5I14sgZgoXLliJYkFCOr3ikDyMImPkBDegikF\/nhKUricS6KkRKOBVEDYofUgm6hebzs7TAwbIX0LHGrieMSNYdiZ\/RaP9BKZ7WUS7z8Jvlw3DtdXYHHGY\/9m62j8jgUA89FYp2sdoaRFheoQUmxEE6EpSZHWMo5+AT1rvxDTcNLYyAF\/NKlyP79gaAWae04vlwFQ4Bupkoby3AV8qNrlb42pc54gLBwr2\/V8SfP1Jf8GHKLnbnMMGzz8c8g08IQe\/1e7EH9oyogw0WeUU2ddyxaRPwa4eLAdObHTP\/jn7fsHAYVorRI56TLQ62d12KS2GZw3\/dElBm43NGOyNU1Hp381LUrTlDOWD2CkkP1QCRN+zezQnIAd
ftR9GtZfdliGgi4n+DRQuugUUjAENUiyLbjua9o3CfXKyGh5RlHt3r219Xp7bzpU2Sa3x2tOlotON5hkk2pmORaeO3NrbIHwpGOzFl20\/4Mhk6xhdUZeHJoEN7V1+kqNLH9CANDu7wpMSMlhqJfpnckBvaCh9BXX3VOJErUyDwJ\/yEG1ZNKGdvcDhAfCDrZsIbxElU8wBdoFg5g3GjSgWUZyHIUdESjz3nA05zyGh0UQ5UNTBZNmAzAGEZvPJPDUf"}
00460{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1009,"source":"wechat.pcap","alias":"nDPId-test","flow_id":41,"flow_packet_id":2,"flow_last_seen":1492167654504,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1492167654504,"pkt":"8IQvSpdgeJKcD6iOCABFAAA0DsBAAEAGBoXAqAFny82XotNaAbub+DW+SvgsEIARAOUK7AAAAQEICgAx4GBFrgFX"}
@@ -322,10 +322,10 @@
00472{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1054,"source":"wechat.pcap","alias":"nDPId-test","flow_id":53,"flow_packet_id":2,"flow_last_seen":1492167695854,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1492167695854,"pkt":"eJKcD6iO8IQvSpdgCABFoAA8AABAAC0GJ53LzZeiwKgBZwG702aaLHzgCK7Og6ASN8jmSwAAAgQFoAQCCApF0vKlADIIZgEDAwc="}
00461{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1055,"source":"wechat.pcap","alias":"nDPId-test","flow_id":53,"flow_packet_id":3,"flow_last_seen":1492167695854,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1492167695854,"pkt":"8IQvSpdgeJKcD6iOCABFAAA0xuVAAEAGTl\/AqAFny82XotNmAbsIrs6Dmix84YAQAOVLjAAAAQEICgAyCMFF0vKl"}
00848{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1057,"source":"wechat.pcap","alias":"nDPId-test","flow_id":52,"flow_packets_processed":6,"flow_first_seen":1492167695237,"flow_last_seen":1492167695891,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1428,"flow_tot_l4_payload_len":1666,"flow_avg_l4_payload_len":277,"midstream":0,"ts_msec":1492167695891,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54117,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
-01381{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1059,"source":"wechat.pcap","alias":"nDPId-test","flow_id":52,"flow_packets_processed":8,"flow_first_seen":1492167695237,"flow_last_seen":1492167695891,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1428,"flow_tot_l4_payload_len":3094,"flow_avg_l4_payload_len":386,"midstream":0,"ts_msec":1492167695891,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54117,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","issuerDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}
+01382{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1059,"source":"wechat.pcap","alias":"nDPId-test","flow_id":52,"flow_packets_processed":8,"flow_first_seen":1492167695237,"flow_last_seen":1492167695891,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1428,"flow_tot_l4_payload_len":3094,"flow_avg_l4_payload_len":386,"midstream":0,"ts_msec":1492167695891,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54117,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","subjectDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}
00791{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1070,"source":"wechat.pcap","alias":"nDPId-test","flow_id":53,"flow_packets_processed":4,"flow_first_seen":1492167695488,"flow_last_seen":1492167696636,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":238,"flow_tot_l4_payload_len":238,"flow_avg_l4_payload_len":59,"midstream":0,"ts_msec":1492167696636,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54118,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
00848{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1077,"source":"wechat.pcap","alias":"nDPId-test","flow_id":53,"flow_packets_processed":6,"flow_first_seen":1492167695488,"flow_last_seen":1492167697005,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1428,"flow_tot_l4_payload_len":1666,"flow_avg_l4_payload_len":277,"midstream":0,"ts_msec":1492167697005,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54118,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
-01381{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1079,"source":"wechat.pcap","alias":"nDPId-test","flow_id":53,"flow_packets_processed":8,"flow_first_seen":1492167695488,"flow_last_seen":1492167697006,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1428,"flow_tot_l4_payload_len":3094,"flow_avg_l4_payload_len":386,"midstream":0,"ts_msec":1492167697006,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54118,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","issuerDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}
+01382{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1079,"source":"wechat.pcap","alias":"nDPId-test","flow_id":53,"flow_packets_processed":8,"flow_first_seen":1492167695488,"flow_last_seen":1492167697006,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1428,"flow_tot_l4_payload_len":3094,"flow_avg_l4_payload_len":386,"midstream":0,"ts_msec":1492167697006,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54118,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","subjectDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}
00443{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1088,"source":"wechat.pcap","alias":"nDPId-test","flow_id":30,"flow_packet_id":2,"flow_last_seen":1492167697384,"flow_idle_time":600000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":38,"pkt_len":54,"pkt_l4_len":16,"ts_msec":1492167697384,"pkt":"AQBeAAAWeJKcD6iOCABGwAAoAABAAAECQerAqAFn4AAAFpQEAAAiAPsCAAAAAQIAAADgAAD7"}
00554{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1127,"source":"wechat.pcap","alias":"nDPId-test","flow_id":54,"flow_packets_processed":1,"flow_first_seen":1492167720101,"flow_last_seen":1492167720101,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1492167720101,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54119,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00472{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1127,"source":"wechat.pcap","alias":"nDPId-test","flow_id":54,"flow_packet_id":1,"flow_last_seen":1492167720101,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1492167720101,"pkt":"8IQvSpdgeJKcD6iOCABFAAA8R8JAAEAGzXrAqAFny82XotNnAbsR+WetAAAAAKACchBBBgAAAgQFtAQCCAoAMiBvAAAAAAEDAwc="}
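Review bot: Nothing in this fixture would have caught the duplicate `issuerDN` key that the removed lines for packet_id 1059 and 1079 show inside the `tls` object, because the expected output simply recorded it. A consumer whose JSON parser keeps the last duplicate would presumably have read the Tencent subject DN as the certificate issuer, which matters to anyone matching or alerting on issuer. If the test run parses these lines (not visible from here), it should reject duplicate object keys so a repeat fails when the results are regenerated. The hunks at -337 and -368 show the same correction. The change to schema/flow_event_schema.json is not visible in this part of the page, so it is worth confirming that it lists `subjectDN` next to `issuerDN`.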
@@ -337,10 +337,10 @@
00473{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1135,"source":"wechat.pcap","alias":"nDPId-test","flow_id":55,"flow_packet_id":2,"flow_last_seen":1492167720700,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1492167720700,"pkt":"eJKcD6iO8IQvSpdgCABFoAA8AABAAC0GJ53LzZeiwKgBZwG702hvZooej\/ZuD6ASN8iscAAAAgQFoAQCCApF0wrqADIgrgEDAwc="}
00460{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1136,"source":"wechat.pcap","alias":"nDPId-test","flow_id":55,"flow_packet_id":3,"flow_last_seen":1492167720700,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1492167720700,"pkt":"8IQvSpdgeJKcD6iOCABFAAA0TqFAAEAGxqPAqAFny82XotNoAbuP9m4Pb2aKH4AQAOURtQAAAQEICgAyIQVF0wrq"}
00848{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1138,"source":"wechat.pcap","alias":"nDPId-test","flow_id":54,"flow_packets_processed":6,"flow_first_seen":1492167720101,"flow_last_seen":1492167720812,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1428,"flow_tot_l4_payload_len":1666,"flow_avg_l4_payload_len":277,"midstream":0,"ts_msec":1492167720812,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54119,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
-01381{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1140,"source":"wechat.pcap","alias":"nDPId-test","flow_id":54,"flow_packets_processed":8,"flow_first_seen":1492167720101,"flow_last_seen":1492167720812,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1428,"flow_tot_l4_payload_len":3094,"flow_avg_l4_payload_len":386,"midstream":0,"ts_msec":1492167720812,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54119,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","issuerDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}
+01382{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1140,"source":"wechat.pcap","alias":"nDPId-test","flow_id":54,"flow_packets_processed":8,"flow_first_seen":1492167720101,"flow_last_seen":1492167720812,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1428,"flow_tot_l4_payload_len":3094,"flow_avg_l4_payload_len":386,"midstream":0,"ts_msec":1492167720812,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54119,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","subjectDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}
00791{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1159,"source":"wechat.pcap","alias":"nDPId-test","flow_id":55,"flow_packets_processed":4,"flow_first_seen":1492167720353,"flow_last_seen":1492167722010,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":238,"flow_tot_l4_payload_len":238,"flow_avg_l4_payload_len":59,"midstream":0,"ts_msec":1492167722010,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54120,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
00848{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1166,"source":"wechat.pcap","alias":"nDPId-test","flow_id":55,"flow_packets_processed":8,"flow_first_seen":1492167720353,"flow_last_seen":1492167722364,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1428,"flow_tot_l4_payload_len":1666,"flow_avg_l4_payload_len":208,"midstream":0,"ts_msec":1492167722364,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54120,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
-01382{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1168,"source":"wechat.pcap","alias":"nDPId-test","flow_id":55,"flow_packets_processed":10,"flow_first_seen":1492167720353,"flow_last_seen":1492167722365,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1688,"flow_tot_l4_payload_len":3354,"flow_avg_l4_payload_len":335,"midstream":0,"ts_msec":1492167722365,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54120,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","issuerDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}
+01383{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1168,"source":"wechat.pcap","alias":"nDPId-test","flow_id":55,"flow_packets_processed":10,"flow_first_seen":1492167720353,"flow_last_seen":1492167722365,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1688,"flow_tot_l4_payload_len":3354,"flow_avg_l4_payload_len":335,"midstream":0,"ts_msec":1492167722365,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54120,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","subjectDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}
00582{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":1196,"source":"wechat.pcap","alias":"nDPId-test","flow_id":37,"flow_packets_processed":2,"flow_first_seen":1492167617247,"flow_last_seen":1492167617598,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1492167739709,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54109,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"}}
00554{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":1196,"source":"wechat.pcap","alias":"nDPId-test","flow_id":37,"flow_packets_processed":2,"flow_first_seen":1492167617247,"flow_last_seen":1492167617598,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1492167739709,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54109,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00582{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":1196,"source":"wechat.pcap","alias":"nDPId-test","flow_id":38,"flow_packets_processed":2,"flow_first_seen":1492167617247,"flow_last_seen":1492167617562,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1492167739709,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54110,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"}}
@@ -368,7 +368,7 @@
00472{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1225,"source":"wechat.pcap","alias":"nDPId-test","flow_id":58,"flow_packet_id":2,"flow_last_seen":1492167765933,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1492167765933,"pkt":"eJKcD6iO8IQvSpdgCABFoAA8AABAAC8GKZTLzZOrwKgBZwG74rU+QocNNwsr8KASN8h9cwAAAgQFoAQCCApFrtG3ADJM7AEDAwc="}
00460{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1226,"source":"wechat.pcap","alias":"nDPId-test","flow_id":58,"flow_packet_id":3,"flow_last_seen":1492167765933,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1492167765933,"pkt":"8IQvSpdgeJKcD6iOCABFAAA0ZwRAAEAGsjfAqAFny82Tq+K1Abs3CyvwPkKHDoAQAOXiyQAAAQEICgAyTTFFrtG3"}
00848{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1228,"source":"wechat.pcap","alias":"nDPId-test","flow_id":57,"flow_packets_processed":6,"flow_first_seen":1492167765433,"flow_last_seen":1492167765976,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1428,"flow_tot_l4_payload_len":1666,"flow_avg_l4_payload_len":277,"midstream":0,"ts_msec":1492167765976,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.147.171","src_port":58036,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
-01381{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1230,"source":"wechat.pcap","alias":"nDPId-test","flow_id":57,"flow_packets_processed":8,"flow_first_seen":1492167765433,"flow_last_seen":1492167765976,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1428,"flow_tot_l4_payload_len":3094,"flow_avg_l4_payload_len":386,"midstream":0,"ts_msec":1492167765976,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.147.171","src_port":58036,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","issuerDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}
+01382{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1230,"source":"wechat.pcap","alias":"nDPId-test","flow_id":57,"flow_packets_processed":8,"flow_first_seen":1492167765433,"flow_last_seen":1492167765976,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1428,"flow_tot_l4_payload_len":3094,"flow_avg_l4_payload_len":386,"midstream":0,"ts_msec":1492167765976,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.147.171","src_port":58036,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","subjectDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}
00582{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":1251,"source":"wechat.pcap","alias":"nDPId-test","flow_id":41,"flow_packets_processed":2,"flow_first_seen":1492167619048,"flow_last_seen":1492167654504,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1492167776783,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54106,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"}}
00554{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":1251,"source":"wechat.pcap","alias":"nDPId-test","flow_id":41,"flow_packets_processed":2,"flow_first_seen":1492167619048,"flow_last_seen":1492167654504,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1492167776783,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54106,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00563{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":1251,"source":"wechat.pcap","alias":"nDPId-test","flow_id":39,"flow_packets_processed":26,"flow_first_seen":1492167617248,"flow_last_seen":1492167640200,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1428,"flow_tot_l4_payload_len":8029,"flow_avg_l4_payload_len":308,"midstream":0,"ts_msec":1492167776783,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54111,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -385,7 +385,7 @@
00473{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1265,"source":"wechat.pcap","alias":"nDPId-test","flow_id":60,"flow_packet_id":2,"flow_last_seen":1492167777476,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1492167777476,"pkt":"eJKcD6iO8IQvSpdgCABFoAA8AABAAC8GKZTLzZOrwKgBZwG74reza+A99PEGyqASN8j\/yAAAAgQFoAQCCApFrtz+ADJYMwEDAwc="}
00460{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1266,"source":"wechat.pcap","alias":"nDPId-test","flow_id":60,"flow_packet_id":3,"flow_last_seen":1492167777476,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1492167777476,"pkt":"8IQvSpdgeJKcD6iOCABFAAA0XvtAAEAGukDAqAFny82Tq+K3Abv08QbKs2vgPoAQAOVlIAAAAQEICgAyWHdFrtz+"}
00848{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1268,"source":"wechat.pcap","alias":"nDPId-test","flow_id":59,"flow_packets_processed":6,"flow_first_seen":1492167776953,"flow_last_seen":1492167777494,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1428,"flow_tot_l4_payload_len":1666,"flow_avg_l4_payload_len":277,"midstream":0,"ts_msec":1492167777494,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.147.171","src_port":58038,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
-01381{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1270,"source":"wechat.pcap","alias":"nDPId-test","flow_id":59,"flow_packets_processed":8,"flow_first_seen":1492167776953,"flow_last_seen":1492167777494,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1688,"flow_tot_l4_payload_len":3354,"flow_avg_l4_payload_len":419,"midstream":0,"ts_msec":1492167777494,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.147.171","src_port":58038,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","issuerDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}
+01382{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1270,"source":"wechat.pcap","alias":"nDPId-test","flow_id":59,"flow_packets_processed":8,"flow_first_seen":1492167776953,"flow_last_seen":1492167777494,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1688,"flow_tot_l4_payload_len":3354,"flow_avg_l4_payload_len":419,"midstream":0,"ts_msec":1492167777494,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.147.171","src_port":58038,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","subjectDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}
00564{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":1327,"source":"wechat.pcap","alias":"nDPId-test","flow_id":42,"flow_packets_processed":73,"flow_first_seen":1492167639887,"flow_last_seen":1492167667658,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1428,"flow_tot_l4_payload_len":39199,"flow_avg_l4_payload_len":536,"midstream":0,"ts_msec":1492167788126,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54113,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00553{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1327,"source":"wechat.pcap","alias":"nDPId-test","flow_id":61,"flow_packets_processed":1,"flow_first_seen":1492167788126,"flow_last_seen":1492167788126,"flow_idle_time":180000,"flow_min_l4_payload_len":40,"flow_max_l4_payload_len":40,"flow_tot_l4_payload_len":40,"flow_avg_l4_payload_len":40,"midstream":0,"ts_msec":1492167788126,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"224.0.0.251","src_port":5353,"dst_port":5353,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00483{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1327,"source":"wechat.pcap","alias":"nDPId-test","flow_id":61,"flow_packet_id":1,"flow_last_seen":1492167788126,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":82,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":82,"pkt_l4_len":48,"ts_msec":1492167788126,"pkt":"AQBeAAD70CeIF3AECABFoABEPYcAAAER2HrAqAFk4AAA+xTpFOkAMOibAAAAAAABAAAAAAAAC19nb29nbGVjYXN0BF90Y3AFbG9jYWwAAAwAAQ=="}
@@ -449,7 +449,7 @@
00565{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1417,"source":"wechat.pcap","alias":"nDPId-test","flow_id":71,"flow_packets_processed":1,"flow_first_seen":1492167849769,"flow_last_seen":1492167849769,"flow_idle_time":120000,"flow_min_l4_payload_len":16,"flow_max_l4_payload_len":16,"flow_tot_l4_payload_len":16,"flow_avg_l4_payload_len":16,"midstream":0,"ts_msec":1492167849769,"l3_proto":"ip6","src_ip":"fe80::842:a3f3:a286:6c5b","dst_ip":"ff02::2","l4_proto":"icmp6","ndpi": {"proto":"ICMPV6","breed":"Acceptable","category":"Network"}}
00551{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1418,"source":"wechat.pcap","alias":"nDPId-test","flow_id":72,"flow_packets_processed":1,"flow_first_seen":1492167851002,"flow_last_seen":1492167851002,"flow_idle_time":180000,"flow_min_l4_payload_len":300,"flow_max_l4_payload_len":300,"flow_tot_l4_payload_len":300,"flow_avg_l4_payload_len":300,"midstream":0,"ts_msec":1492167851002,"l3_proto":"ip4","src_ip":"0.0.0.0","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00844{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1418,"source":"wechat.pcap","alias":"nDPId-test","flow_id":72,"flow_packet_id":1,"flow_last_seen":1492167851002,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":342,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":342,"pkt_l4_len":308,"ts_msec":1492167851002,"pkt":"\/\/\/\/\/\/\/\/uHgu4toHCABFAAFI3+EAAP8R2sMAAAAA\/\/\/\/\/wBEAEMBNOAUAQEGADPq6ioAAAAAAAAAAAAAAAAAAAAAAAAAALh4LuLaBwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABjglNjNQEDNwcBeQMGD3f8OQIF3D0HAbh4LuLaBzIEwKgBajMEAHanAAwOaVBob25lZGlNb25pY2H\/AAAAAAAA"}
-00631{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1418,"source":"wechat.pcap","alias":"nDPId-test","flow_id":72,"flow_packets_processed":1,"flow_first_seen":1492167851002,"flow_last_seen":1492167851002,"flow_idle_time":180000,"flow_min_l4_payload_len":300,"flow_max_l4_payload_len":300,"flow_tot_l4_payload_len":300,"flow_avg_l4_payload_len":300,"midstream":0,"ts_msec":1492167851002,"l3_proto":"ip4","src_ip":"0.0.0.0","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","ndpi": {"proto":"DHCP","breed":"Acceptable","category":"Network"},"dhcp": {"fingerprint":"1,121,3,6,15,119,252"}}
+00676{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1418,"source":"wechat.pcap","alias":"nDPId-test","flow_id":72,"flow_packets_processed":1,"flow_first_seen":1492167851002,"flow_last_seen":1492167851002,"flow_idle_time":180000,"flow_min_l4_payload_len":300,"flow_max_l4_payload_len":300,"flow_tot_l4_payload_len":300,"flow_avg_l4_payload_len":300,"midstream":0,"ts_msec":1492167851002,"l3_proto":"ip4","src_ip":"0.0.0.0","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","ndpi": {"proto":"DHCP","breed":"Acceptable","category":"Network"},"dhcp": {"hostname":"iphonedimonica","fingerprint":"1,121,3,6,15,119,252","class_ident":""}}
00518{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1419,"source":"wechat.pcap","alias":"nDPId-test","flow_id":73,"flow_packets_processed":1,"flow_first_seen":1492167851203,"flow_last_seen":1492167851203,"flow_idle_time":120000,"flow_min_l4_payload_len":32,"flow_max_l4_payload_len":32,"flow_tot_l4_payload_len":32,"flow_avg_l4_payload_len":32,"midstream":0,"ts_msec":1492167851203,"l3_proto":"ip6","src_ip":"::","dst_ip":"ff02::1:ff86:6c5b","l4_proto":"icmp6","flow_datalink":1,"flow_max_packets":3}
00493{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1419,"source":"wechat.pcap","alias":"nDPId-test","flow_id":73,"flow_packet_id":1,"flow_last_seen":1492167851203,"flow_idle_time":120000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"ts_msec":1492167851203,"pkt":"MzP\/hmxbuHgu4toHht1gAAAAACA6\/wAAAAAAAAAAAAAAAAAAAAD\/AgAAAAAAAAAAAAH\/hmxbhwDa5wAAAAD+gAAAAAAAAAhCo\/OihmxbDgE+iVJ12j4="}
00553{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1419,"source":"wechat.pcap","alias":"nDPId-test","flow_id":73,"flow_packets_processed":1,"flow_first_seen":1492167851203,"flow_last_seen":1492167851203,"flow_idle_time":120000,"flow_min_l4_payload_len":32,"flow_max_l4_payload_len":32,"flow_tot_l4_payload_len":32,"flow_avg_l4_payload_len":32,"midstream":0,"ts_msec":1492167851203,"l3_proto":"ip6","src_ip":"::","dst_ip":"ff02::1:ff86:6c5b","l4_proto":"icmp6","ndpi": {"proto":"ICMPV6","breed":"Acceptable","category":"Network"}}
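Review bot: The regenerated `detected` event for flow 72 now emits `"class_ident":""`, so a consumer of the event stream cannot tell a DHCP request without a vendor-class option from one that carries an empty option. Omitting the key when the string is empty would keep the event unambiguous; the schema file is changed by the same commit, so it is worth checking there that `class_ident` is not listed as required. The new `hostname` value is `iphonedimonica`, while the option 12 bytes in the packet-flow event just before it decode to `iPhonediMonica`, so the name is lower-cased somewhere before serialisation. The emitting code is not part of this hunk, but a comment there such as `/* hostname is client-supplied and lower-cased by the dissector; not a trusted identifier */` would tell consumers not to key on it.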
@@ -470,10 +470,10 @@
00472{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1431,"source":"wechat.pcap","alias":"nDPId-test","flow_id":76,"flow_packet_id":2,"flow_last_seen":1492167866495,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1492167866495,"pkt":"eJKcD6iO8IQvSpdgCABFoAA8AABAAC8GKZTLzZOrwKgBZwG74rl6NAw+rnErxqASN8iAowAAAgQFoAQCCApFrzPtADKvIgEDAwc="}
00460{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1432,"source":"wechat.pcap","alias":"nDPId-test","flow_id":76,"flow_packet_id":3,"flow_last_seen":1492167866495,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1492167866495,"pkt":"8IQvSpdgeJKcD6iOCABFAAA0hOhAAEAGlFPAqAFny82Tq+K5AbuucSvGejQMP4AQAOXl+wAAAQEICgAyr2VFrzPt"}
00848{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1434,"source":"wechat.pcap","alias":"nDPId-test","flow_id":75,"flow_packets_processed":6,"flow_first_seen":1492167865975,"flow_last_seen":1492167866514,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1428,"flow_tot_l4_payload_len":1666,"flow_avg_l4_payload_len":277,"midstream":0,"ts_msec":1492167866514,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.147.171","src_port":58040,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
-01381{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1436,"source":"wechat.pcap","alias":"nDPId-test","flow_id":75,"flow_packets_processed":8,"flow_first_seen":1492167865975,"flow_last_seen":1492167866514,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1428,"flow_tot_l4_payload_len":3094,"flow_avg_l4_payload_len":386,"midstream":0,"ts_msec":1492167866514,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.147.171","src_port":58040,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","issuerDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}
+01382{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1436,"source":"wechat.pcap","alias":"nDPId-test","flow_id":75,"flow_packets_processed":8,"flow_first_seen":1492167865975,"flow_last_seen":1492167866514,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1428,"flow_tot_l4_payload_len":3094,"flow_avg_l4_payload_len":386,"midstream":0,"ts_msec":1492167866514,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.147.171","src_port":58040,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","subjectDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}
00791{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1478,"source":"wechat.pcap","alias":"nDPId-test","flow_id":76,"flow_packets_processed":6,"flow_first_seen":1492167866226,"flow_last_seen":1492167871050,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":238,"flow_tot_l4_payload_len":238,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1492167871050,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.147.171","src_port":58041,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
00848{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1484,"source":"wechat.pcap","alias":"nDPId-test","flow_id":76,"flow_packets_processed":8,"flow_first_seen":1492167866226,"flow_last_seen":1492167871323,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1428,"flow_tot_l4_payload_len":1666,"flow_avg_l4_payload_len":208,"midstream":0,"ts_msec":1492167871323,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.147.171","src_port":58041,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
-01382{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1486,"source":"wechat.pcap","alias":"nDPId-test","flow_id":76,"flow_packets_processed":10,"flow_first_seen":1492167866226,"flow_last_seen":1492167871323,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1688,"flow_tot_l4_payload_len":3354,"flow_avg_l4_payload_len":335,"midstream":0,"ts_msec":1492167871323,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.147.171","src_port":58041,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","issuerDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}
+01383{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1486,"source":"wechat.pcap","alias":"nDPId-test","flow_id":76,"flow_packets_processed":10,"flow_first_seen":1492167866226,"flow_last_seen":1492167871323,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1688,"flow_tot_l4_payload_len":3354,"flow_avg_l4_payload_len":335,"midstream":0,"ts_msec":1492167871323,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.147.171","src_port":58041,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","subjectDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}
00558{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":1497,"source":"wechat.pcap","alias":"nDPId-test","flow_id":61,"flow_packets_processed":10,"flow_first_seen":1492167788126,"flow_last_seen":1492167840351,"flow_idle_time":180000,"flow_min_l4_payload_len":40,"flow_max_l4_payload_len":40,"flow_tot_l4_payload_len":400,"flow_avg_l4_payload_len":40,"midstream":0,"ts_msec":1492167878856,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"224.0.0.251","src_port":5353,"dst_port":5353,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00567{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":1497,"source":"wechat.pcap","alias":"nDPId-test","flow_id":62,"flow_packets_processed":10,"flow_first_seen":1492167788128,"flow_last_seen":1492167840352,"flow_idle_time":180000,"flow_min_l4_payload_len":40,"flow_max_l4_payload_len":40,"flow_tot_l4_payload_len":400,"flow_avg_l4_payload_len":40,"midstream":0,"ts_msec":1492167878856,"l3_proto":"ip6","src_ip":"fe80::91f9:3df3:7436:6cd6","dst_ip":"ff02::fb","src_port":5353,"dst_port":5353,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00563{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":1500,"source":"wechat.pcap","alias":"nDPId-test","flow_id":57,"flow_packets_processed":26,"flow_first_seen":1492167765433,"flow_last_seen":1492167776953,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1428,"flow_tot_l4_payload_len":9786,"flow_avg_l4_payload_len":376,"midstream":0,"ts_msec":1492167891596,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.147.171","src_port":58036,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -496,7 +496,7 @@
00473{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1518,"source":"wechat.pcap","alias":"nDPId-test","flow_id":78,"flow_packet_id":2,"flow_last_seen":1492167905858,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1492167905858,"pkt":"eJKcD6iO8IQvSpdgCABFoAA8AABAAC8GKZTLzZOrwKgBZwG74rtG\/8zAAfpXW6ASN8gnXAAAAgQFoAQCCApFr1pdADLVjAEDAwc="}
00461{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1519,"source":"wechat.pcap","alias":"nDPId-test","flow_id":78,"flow_packet_id":3,"flow_last_seen":1492167905858,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1492167905858,"pkt":"8IQvSpdgeJKcD6iOCABFAAA0gtdAAEAGlmTAqAFny82Tq+K7AbsB+ldbRv\/MwYAQAOWMrQAAAQEICgAy1dZFr1pd"}
00848{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1521,"source":"wechat.pcap","alias":"nDPId-test","flow_id":77,"flow_packets_processed":6,"flow_first_seen":1492167905310,"flow_last_seen":1492167905866,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1428,"flow_tot_l4_payload_len":1666,"flow_avg_l4_payload_len":277,"midstream":0,"ts_msec":1492167905866,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.147.171","src_port":58042,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
-01381{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1523,"source":"wechat.pcap","alias":"nDPId-test","flow_id":77,"flow_packets_processed":8,"flow_first_seen":1492167905310,"flow_last_seen":1492167905866,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1688,"flow_tot_l4_payload_len":3354,"flow_avg_l4_payload_len":419,"midstream":0,"ts_msec":1492167905866,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.147.171","src_port":58042,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","issuerDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}
+01382{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":1523,"source":"wechat.pcap","alias":"nDPId-test","flow_id":77,"flow_packets_processed":8,"flow_first_seen":1492167905310,"flow_last_seen":1492167905866,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1688,"flow_tot_l4_payload_len":3354,"flow_avg_l4_payload_len":419,"midstream":0,"ts_msec":1492167905866,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.147.171","src_port":58042,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"},"tls": {"version":"TLSv1.2","client_requested_server_name":"web.wechat.com","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","subjectDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}
00521{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":1550,"source":"wechat.pcap","alias":"nDPId-test","flow_id":73,"flow_packets_processed":1,"flow_first_seen":1492167851203,"flow_last_seen":1492167851203,"flow_idle_time":120000,"flow_min_l4_payload_len":32,"flow_max_l4_payload_len":32,"flow_tot_l4_payload_len":32,"flow_avg_l4_payload_len":32,"midstream":0,"ts_msec":1492167916810,"l3_proto":"ip6","src_ip":"::","dst_ip":"ff02::1:ff86:6c5b","l4_proto":"icmp6","flow_datalink":1,"flow_max_packets":3}
00532{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":1550,"source":"wechat.pcap","alias":"nDPId-test","flow_id":71,"flow_packets_processed":2,"flow_first_seen":1492167849769,"flow_last_seen":1492167851204,"flow_idle_time":120000,"flow_min_l4_payload_len":8,"flow_max_l4_payload_len":16,"flow_tot_l4_payload_len":24,"flow_avg_l4_payload_len":12,"midstream":0,"ts_msec":1492167916810,"l3_proto":"ip6","src_ip":"fe80::842:a3f3:a286:6c5b","dst_ip":"ff02::2","l4_proto":"icmp6","flow_datalink":1,"flow_max_packets":3}
00534{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":1550,"source":"wechat.pcap","alias":"nDPId-test","flow_id":74,"flow_packets_processed":1,"flow_first_seen":1492167852023,"flow_last_seen":1492167852023,"flow_idle_time":120000,"flow_min_l4_payload_len":48,"flow_max_l4_payload_len":48,"flow_tot_l4_payload_len":48,"flow_avg_l4_payload_len":48,"midstream":0,"ts_msec":1492167916810,"l3_proto":"ip6","src_ip":"fe80::842:a3f3:a286:6c5b","dst_ip":"ff02::16","l4_proto":"icmp6","flow_datalink":1,"flow_max_packets":3}
@@ -548,7 +548,7 @@
00461{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1560,"source":"wechat.pcap","alias":"nDPId-test","flow_id":86,"flow_packet_id":1,"flow_last_seen":1492171168104,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1492171168104,"pkt":"8IQvSpdgeJKcD6iOCABFAAA0JkNAAEAG0OvAqAFnX2UiIYilAFA23DHngeAL9oAQBaSDAQAAAQEICgA\/R6Br6Xcq"}
00557{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1561,"source":"wechat.pcap","alias":"nDPId-test","flow_id":87,"flow_packets_processed":1,"flow_first_seen":1492171169377,"flow_last_seen":1492171169377,"flow_idle_time":180000,"flow_min_l4_payload_len":48,"flow_max_l4_payload_len":48,"flow_tot_l4_payload_len":48,"flow_avg_l4_payload_len":48,"midstream":0,"ts_msec":1492171169377,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"193.204.114.233","src_port":37578,"dst_port":123,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00491{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1561,"source":"wechat.pcap","alias":"nDPId-test","flow_id":87,"flow_packet_id":1,"flow_last_seen":1492171169377,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":90,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":90,"pkt_l4_len":56,"ts_msec":1492171169377,"pkt":"8IQvSpdgeJKcD6iOCABFEABMYzZAAEAR4JXAqAFnwcxy6ZLKAHsAOA7KIwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANybOCEWgBhs"}
-00588{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1561,"source":"wechat.pcap","alias":"nDPId-test","flow_id":87,"flow_packets_processed":1,"flow_first_seen":1492171169377,"flow_last_seen":1492171169377,"flow_idle_time":180000,"flow_min_l4_payload_len":48,"flow_max_l4_payload_len":48,"flow_tot_l4_payload_len":48,"flow_avg_l4_payload_len":48,"midstream":0,"ts_msec":1492171169377,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"193.204.114.233","src_port":37578,"dst_port":123,"l4_proto":"udp","ndpi": {"proto":"NTP","breed":"Acceptable","category":"System"}}
+00626{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1561,"source":"wechat.pcap","alias":"nDPId-test","flow_id":87,"flow_packets_processed":1,"flow_first_seen":1492171169377,"flow_last_seen":1492171169377,"flow_idle_time":180000,"flow_min_l4_payload_len":48,"flow_max_l4_payload_len":48,"flow_tot_l4_payload_len":48,"flow_avg_l4_payload_len":48,"midstream":0,"ts_msec":1492171169377,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"193.204.114.233","src_port":37578,"dst_port":123,"l4_proto":"udp","ndpi": {"proto":"NTP","breed":"Acceptable","category":"System"},"ntp": {"request_code":0,"version":0}}
02079{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1562,"source":"wechat.pcap","alias":"nDPId-test","flow_id":79,"flow_packet_id":2,"flow_last_seen":1492171171688,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":1254,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1254,"pkt_l4_len":1220,"ts_msec":1492171171688,"pkt":"8IQvSpdgeJKcD6iOCABFAATYpo1AAEAGahPAqAFny82XotOnAbtQhl2xjWp\/PoAYBaR4aAAAAQEICgA\/SyBF4BL0FwMDBJ8AAAAAAAAAk06IK7tTPaQ0tnXGeqHKil75lMj6OyIERVlvQ89pkJ\/5uFrYubJHeJqSrynvitkot5qunWtMUvVbyI8vjd8zycM9IsUAAB\/fKHCxwAngzbmC6gdk\/UoKTL4MIPiK4NVVPRz1DsYhuoql6sqmFMKJKaM6NXpyBkCtYpvlazDCWxllWCP\/i12XdKQQMbcGYN2wvAB3a6vg6oJPIx+XXkk4cY\/+EENsi+PDerl+pB2IlJMObTfaJBhM\/rJFUKMd1xriphMBzgM9PCE+gKKP\/k+AYg8NddY\/gnJX\/+unfAflhC1NZ1nFt2\/\/Y9gesYC0uhG0uLLlbtLmKF2MPjllgxHAEeq6L2rXw2szIJL4yllp+t9tcKCYfzVRzCQkgUtQQaP0YiRh1NQtDTvnuPpM8CS6YfFOx17PkSNzepokWNsrLXMtr9p2nc9zczirZ\/D9H9Xey3Xx0qFAN\/MVzWUXfWpSlTWrXzNWP5kDdvTYBf19VGMPfxtzLKYTLOd\/rVswJ6OAUsAdfTYAu7j6c4KJubGecouom8T9brd1TJm6pyXignKkiQR+nvp0U\/G\/NxhEcnKV91SvFM0mQxh+hfK10svoh9dj1Bq8+PvXaAQljscptiwRlr+X\/V1zPyapTZcrW9A2fGrnzKqVYJASiCPQWyYD8Mn6pda0e6knRW3Ae28WpLnmyjMKx4\/7dOqugSoKa3q7BQRxbcpbcOXlPFfrjt+CwbA3KCTzFvdocE4QeSDn8FuJ85HFummmQOxK7tDtjljV+L\/2nbiMgjTy6jJzYFwXGw6xLdoXOupF5XjIfHUSMeB+R0BhUmtVxXEWPPHfAVdVJcBt8uO5QMhp9jxrSrOX54VXB+P7Qj0VmSag75Jhz20k8Z3uI27cFcp7OjdlKhlEBtlzESNSQ8FGkqCxygPJSf0REdvr2uQA0ApTgzzF+s6YbdeH3vy1SJOH2fQsH4IeYeRjAPrh1RmlhN066XBLLeGtIiz1LEJx17TCB8c1JpUan\/1+JYoV0SCzXlaZWYybCxcBBIz\/2EdpG8hJzN4rtTVwf\/3OYFkhRTMbe1PHW9T5IfuTuKU76wWlDp+aujzjWp1vvFdq4bUrI6AdEquAU5C3BTnuLB9tqzlOb5nzcQjb4fPQCkUUcvHBPPLW9qrLyB05aTRG1W9ShnsibG\/AerW39YgPMVulkynnwtbGsYcGZs7KelCQXCLt3D6RU08N5SulLgw+o5aYItue0wJaW5VDEXxAVhsE4KU4+QsEuXkbd9rTsMt9Gf+Td49H8NzJEXxlYX\/ThtsZsn5doQpcdUcGVMiJrwpHQzTDWZLiBcd51axsLca9fP61xaeKb48j0Kb0TeXy0DcAfEDH4Sy29YAuNi7N4uKdxMrzHsqaQhCFI\/jmx6CqCWjy1zA6Ijzjpx6KTEeNxn3m7OTzuxckZQeS0ArKR7BX7UnCFIAenlvKt7e\/DzO9W1DndidXP+Qwf3XzvB+qvenTl6HW
A0XtGBky3MCwBE5b++HXnyFlygjOvbY7LPZovuQtASvUqwAHPkuONuar\/2ZEP2TwCB+AOJYrpZq+HLOc"}
00553{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1563,"source":"wechat.pcap","alias":"nDPId-test","flow_id":88,"flow_packets_processed":1,"flow_first_seen":1492171175912,"flow_last_seen":1492171175912,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1492171175912,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"216.58.205.131","src_port":58143,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00461{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1563,"source":"wechat.pcap","alias":"nDPId-test","flow_id":88,"flow_packet_id":1,"flow_last_seen":1492171175912,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1492171175912,"pkt":"8IQvSpdgeJKcD6iOCABFAAA0iE1AAEAGSqnAqAFn2DrNg+MfAbtA+v0fFZsbqIAQAT54MgAAAQEICgA\/T0Ay2r7t"}
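Review bot: The added `"ntp": {"request_code":0,"version":0}` object on the flow 87 `detected` event does not match the packet the event was produced from. In the packet-flow event preceding it, the first UDP payload byte of `pkt` decodes to 0x23, which is NTP version 4, mode 3 (client). The serialising code is outside this hunk, so this is inferred from the fixture alone: the field is presumably read before the dissector has filled it, or the wrong member is read. I would hold this expected value back until the event reports `"version":4`, because as committed the test pins the incorrect output.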
@@ -640,7 +640,7 @@
00485{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1660,"source":"wechat.pcap","alias":"nDPId-test","flow_id":102,"flow_packet_id":2,"flow_last_seen":1492171269750,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":82,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":82,"pkt_l4_len":48,"ts_msec":1492171269750,"pkt":"8IQvSpdgeJKcD6iOCABFAABEJttAAEARjxjAqAFnwKgB\/rE2ADUAMGKHk6IBAAABAAAAAAAAB3dlYnB1c2gDd2ViBndlY2hhdANjb20AAAEAAQ=="}
00555{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1661,"source":"wechat.pcap","alias":"nDPId-test","flow_id":108,"flow_packets_processed":1,"flow_first_seen":1492171270418,"flow_last_seen":1492171270418,"flow_idle_time":180000,"flow_min_l4_payload_len":33,"flow_max_l4_payload_len":33,"flow_tot_l4_payload_len":33,"flow_avg_l4_payload_len":33,"midstream":0,"ts_msec":1492171270418,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"192.168.1.254","src_port":42589,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00473{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1661,"source":"wechat.pcap","alias":"nDPId-test","flow_id":108,"flow_packet_id":1,"flow_last_seen":1492171270418,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":75,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":75,"pkt_l4_len":41,"ts_msec":1492171270418,"pkt":"8IQvSpdgeJKcD6iOCABFAAA9Ju1AAEARjw3AqAFnwKgB\/qZdADUAKRuahlUBAAABAAAAAAAAA3NzbAdnc3RhdGljA2NvbQAAAQAB"}
-00723{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1661,"source":"wechat.pcap","alias":"nDPId-test","flow_id":108,"flow_packets_processed":1,"flow_first_seen":1492171270418,"flow_last_seen":1492171270418,"flow_idle_time":180000,"flow_min_l4_payload_len":33,"flow_max_l4_payload_len":33,"flow_tot_l4_payload_len":33,"flow_avg_l4_payload_len":33,"midstream":0,"ts_msec":1492171270418,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"192.168.1.254","src_port":42589,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Tracker\/Ads","category":"Web"},"dns": {"query":"ssl.gstatic.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
+00721{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1661,"source":"wechat.pcap","alias":"nDPId-test","flow_id":108,"flow_packets_processed":1,"flow_first_seen":1492171270418,"flow_last_seen":1492171270418,"flow_idle_time":180000,"flow_min_l4_payload_len":33,"flow_max_l4_payload_len":33,"flow_tot_l4_payload_len":33,"flow_avg_l4_payload_len":33,"midstream":0,"ts_msec":1492171270418,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"192.168.1.254","src_port":42589,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Google","breed":"Acceptable","category":"Web"},"dns": {"query":"ssl.gstatic.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
00481{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1664,"source":"wechat.pcap","alias":"nDPId-test","flow_id":104,"flow_packet_id":2,"flow_last_seen":1492171273433,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":79,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":79,"pkt_l4_len":45,"ts_msec":1492171273433,"pkt":"8IQvSpdgeJKcD6iOCABFAABBJ9JAAEARjiTAqAFnwKgB\/qRaADUALSfRFz8BAAABAAAAAAAAA3NzbAdnc3RhdGljA2NvbQNsYW4AAAEAAQ=="}
00489{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1665,"source":"wechat.pcap","alias":"nDPId-test","flow_id":105,"flow_packet_id":2,"flow_last_seen":1492171273759,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"ts_msec":1492171273759,"pkt":"8IQvSpdgeJKcD6iOCABFAABIKB1AAEARjdLAqAFnwKgB\/qq5ADUANAzJFXEBAAABAAAAAAAAB3dlYnB1c2gDd2ViBndlY2hhdANjb20DbGFuAAABAAE="}
00555{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1666,"source":"wechat.pcap","alias":"nDPId-test","flow_id":109,"flow_packets_processed":1,"flow_first_seen":1492171274388,"flow_last_seen":1492171274388,"flow_idle_time":180000,"flow_min_l4_payload_len":43,"flow_max_l4_payload_len":43,"flow_tot_l4_payload_len":43,"flow_avg_l4_payload_len":43,"midstream":0,"ts_msec":1492171274388,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"192.168.1.254","src_port":42856,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
@@ -665,7 +665,7 @@
00729{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1672,"source":"wechat.pcap","alias":"nDPId-test","flow_id":112,"flow_packets_processed":1,"flow_first_seen":1492171291761,"flow_last_seen":1492171291761,"flow_idle_time":180000,"flow_min_l4_payload_len":44,"flow_max_l4_payload_len":44,"flow_tot_l4_payload_len":44,"flow_avg_l4_payload_len":44,"midstream":0,"ts_msec":1492171291761,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"192.168.1.254","src_port":53515,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS","breed":"Acceptable","category":"Network"},"dns": {"query":"webpush.web.wechat.com.lan","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
00556{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1672,"source":"wechat.pcap","alias":"nDPId-test","flow_id":108,"flow_packets_processed":1,"flow_first_seen":1492171270418,"flow_last_seen":1492171270418,"flow_idle_time":180000,"flow_min_l4_payload_len":33,"flow_max_l4_payload_len":33,"flow_tot_l4_payload_len":33,"flow_avg_l4_payload_len":33,"midstream":0,"ts_msec":1492171291761,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"192.168.1.254","src_port":42589,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00565{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1672,"source":"wechat.pcap","alias":"nDPId-test","flow_id":101,"flow_packets_processed":4,"flow_first_seen":1492171250302,"flow_last_seen":1492171253304,"flow_idle_time":180000,"flow_min_l4_payload_len":40,"flow_max_l4_payload_len":40,"flow_tot_l4_payload_len":160,"flow_avg_l4_payload_len":40,"midstream":0,"ts_msec":1492171291761,"l3_proto":"ip6","src_ip":"fe80::7a92:9cff:fe0f:a88e","dst_ip":"ff02::fb","src_port":5353,"dst_port":5353,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
-00595{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":1672,"source":"wechat.pcap","alias":"nDPId-test","flow_id":88,"flow_packets_processed":3,"flow_first_seen":1492171175912,"flow_last_seen":1492171268600,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":440,"flow_tot_l4_payload_len":880,"flow_avg_l4_payload_len":293,"midstream":1,"ts_msec":1492171291761,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"216.58.205.131","src_port":58143,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"}}
+00593{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":1672,"source":"wechat.pcap","alias":"nDPId-test","flow_id":88,"flow_packets_processed":3,"flow_first_seen":1492171175912,"flow_last_seen":1492171268600,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":440,"flow_tot_l4_payload_len":880,"flow_avg_l4_payload_len":293,"midstream":1,"ts_msec":1492171291761,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"216.58.205.131","src_port":58143,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Web"}}
00559{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":1672,"source":"wechat.pcap","alias":"nDPId-test","flow_id":88,"flow_packets_processed":3,"flow_first_seen":1492171175912,"flow_last_seen":1492171268600,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":440,"flow_tot_l4_payload_len":880,"flow_avg_l4_payload_len":293,"midstream":1,"ts_msec":1492171291761,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"216.58.205.131","src_port":58143,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00558{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1672,"source":"wechat.pcap","alias":"nDPId-test","flow_id":87,"flow_packets_processed":1,"flow_first_seen":1492171169377,"flow_last_seen":1492171169377,"flow_idle_time":180000,"flow_min_l4_payload_len":48,"flow_max_l4_payload_len":48,"flow_tot_l4_payload_len":48,"flow_avg_l4_payload_len":48,"midstream":0,"ts_msec":1492171291761,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"193.204.114.233","src_port":37578,"dst_port":123,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00556{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1672,"source":"wechat.pcap","alias":"nDPId-test","flow_id":109,"flow_packets_processed":2,"flow_first_seen":1492171274388,"flow_last_seen":1492171274388,"flow_idle_time":180000,"flow_min_l4_payload_len":43,"flow_max_l4_payload_len":43,"flow_tot_l4_payload_len":86,"flow_avg_l4_payload_len":43,"midstream":0,"ts_msec":1492171291761,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"192.168.1.254","src_port":42856,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
@@ -682,7 +682,7 @@
00556{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1672,"source":"wechat.pcap","alias":"nDPId-test","flow_id":102,"flow_packets_processed":2,"flow_first_seen":1492171267294,"flow_last_seen":1492171269750,"flow_idle_time":180000,"flow_min_l4_payload_len":40,"flow_max_l4_payload_len":40,"flow_tot_l4_payload_len":80,"flow_avg_l4_payload_len":40,"midstream":0,"ts_msec":1492171291761,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"192.168.1.254","src_port":45366,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00582{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":1672,"source":"wechat.pcap","alias":"nDPId-test","flow_id":78,"flow_packets_processed":5,"flow_first_seen":1492167905561,"flow_last_seen":1492167907207,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1492171291761,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.147.171","src_port":58043,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"}}
00555{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1672,"source":"wechat.pcap","alias":"nDPId-test","flow_id":78,"flow_packets_processed":5,"flow_first_seen":1492167905561,"flow_last_seen":1492167907207,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1492171291761,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.147.171","src_port":58043,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
-00587{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":1672,"source":"wechat.pcap","alias":"nDPId-test","flow_id":12,"flow_packets_processed":20,"flow_first_seen":1492167352068,"flow_last_seen":1492167892851,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1492171291761,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"64.233.167.188","src_port":36017,"dst_port":5228,"l4_proto":"tcp","ndpi": {"proto":"Google","breed":"Tracker\/Ads","category":"Web"}}
+00585{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":1672,"source":"wechat.pcap","alias":"nDPId-test","flow_id":12,"flow_packets_processed":20,"flow_first_seen":1492167352068,"flow_last_seen":1492167892851,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1492171291761,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"64.233.167.188","src_port":36017,"dst_port":5228,"l4_proto":"tcp","ndpi": {"proto":"Google","breed":"Acceptable","category":"Web"}}
00556{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1672,"source":"wechat.pcap","alias":"nDPId-test","flow_id":12,"flow_packets_processed":20,"flow_first_seen":1492167352068,"flow_last_seen":1492167892851,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1492171291761,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"64.233.167.188","src_port":36017,"dst_port":5228,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00561{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1672,"source":"wechat.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":34,"flow_first_seen":1492167342893,"flow_last_seen":1492167478295,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":6421,"flow_avg_l4_payload_len":188,"midstream":0,"ts_msec":1492171291761,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"172.217.22.14","src_port":38657,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00593{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":1672,"source":"wechat.pcap","alias":"nDPId-test","flow_id":13,"flow_packets_processed":179,"flow_first_seen":1492167353674,"flow_last_seen":1492167907140,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1188,"flow_tot_l4_payload_len":65142,"flow_avg_l4_payload_len":363,"midstream":1,"ts_msec":1492171291761,"l3_proto":"ip4","src_ip":"203.205.151.162","dst_ip":"192.168.1.103","src_port":443,"dst_port":54058,"l4_proto":"tcp","ndpi": {"proto":"TLS.WeChat","breed":"Fun","category":"Chat"}}
@@ -708,7 +708,7 @@
00550{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":1672,"source":"wechat.pcap","alias":"nDPId-test","flow_id":83,"flow_packets_processed":9,"flow_first_seen":1492171166440,"flow_last_seen":1492171271288,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1492171291761,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"95.101.34.33","src_port":34999,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00589{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":1672,"source":"wechat.pcap","alias":"nDPId-test","flow_id":84,"flow_packets_processed":9,"flow_first_seen":1492171166696,"flow_last_seen":1492171267294,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1492171291761,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"95.101.34.33","src_port":35000,"dst_port":80,"l4_proto":"tcp","ndpi": {"proto":"HTTP","breed":"Acceptable","category":"Web"},"http": {}}
00550{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":1672,"source":"wechat.pcap","alias":"nDPId-test","flow_id":84,"flow_packets_processed":9,"flow_first_seen":1492171166696,"flow_last_seen":1492171267294,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1492171291761,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"95.101.34.33","src_port":35000,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
-00589{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":1672,"source":"wechat.pcap","alias":"nDPId-test","flow_id":80,"flow_packets_processed":2,"flow_first_seen":1492171154792,"flow_last_seen":1492171290232,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1492171291761,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"64.233.167.188","src_port":54205,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"}}
+00587{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":1672,"source":"wechat.pcap","alias":"nDPId-test","flow_id":80,"flow_packets_processed":2,"flow_first_seen":1492171154792,"flow_last_seen":1492171290232,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1492171291761,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"64.233.167.188","src_port":54205,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Web"}}
00554{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1672,"source":"wechat.pcap","alias":"nDPId-test","flow_id":80,"flow_packets_processed":2,"flow_first_seen":1492171154792,"flow_last_seen":1492171290232,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1492171291761,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"64.233.167.188","src_port":54205,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00589{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":1672,"source":"wechat.pcap","alias":"nDPId-test","flow_id":89,"flow_packets_processed":8,"flow_first_seen":1492171176772,"flow_last_seen":1492171267576,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1492171291761,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"95.101.34.34","src_port":39195,"dst_port":80,"l4_proto":"tcp","ndpi": {"proto":"HTTP","breed":"Acceptable","category":"Web"},"http": {}}
00550{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":1672,"source":"wechat.pcap","alias":"nDPId-test","flow_id":89,"flow_packets_processed":8,"flow_first_seen":1492171176772,"flow_last_seen":1492171267576,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1492171291761,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"95.101.34.34","src_port":39195,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -716,7 +716,7 @@
00550{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":1672,"source":"wechat.pcap","alias":"nDPId-test","flow_id":81,"flow_packets_processed":9,"flow_first_seen":1492171164904,"flow_last_seen":1492171269128,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1492171291761,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"95.101.34.34","src_port":39207,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00589{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":1672,"source":"wechat.pcap","alias":"nDPId-test","flow_id":85,"flow_packets_processed":9,"flow_first_seen":1492171168104,"flow_last_seen":1492171267294,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1492171291761,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"95.101.34.34","src_port":39231,"dst_port":80,"l4_proto":"tcp","ndpi": {"proto":"HTTP","breed":"Acceptable","category":"Web"},"http": {}}
00550{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":1672,"source":"wechat.pcap","alias":"nDPId-test","flow_id":85,"flow_packets_processed":9,"flow_first_seen":1492171168104,"flow_last_seen":1492171267294,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1492171291761,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"95.101.34.34","src_port":39231,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
-00589{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":1672,"source":"wechat.pcap","alias":"nDPId-test","flow_id":21,"flow_packets_processed":6,"flow_first_seen":1492167377896,"flow_last_seen":1492167468048,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1492171291761,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"216.58.205.142","src_port":49787,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"}}
+00587{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":1672,"source":"wechat.pcap","alias":"nDPId-test","flow_id":21,"flow_packets_processed":6,"flow_first_seen":1492167377896,"flow_last_seen":1492167468048,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1492171291761,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"216.58.205.142","src_port":49787,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Web"}}
00554{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1672,"source":"wechat.pcap","alias":"nDPId-test","flow_id":21,"flow_packets_processed":6,"flow_first_seen":1492167377896,"flow_last_seen":1492167468048,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1492171291761,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"216.58.205.142","src_port":49787,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00158{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":1672,"source":"wechat.pcap","alias":"nDPId-test","total-events-serialized":721}
~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
@@ -727,9 +727,9 @@
~~ total active/idle flows...: 112/112
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 2555044 bytes
-~~ total memory freed........: 2555044 bytes
-~~ total allocations/frees...: 37956/37956
+~~ total memory allocated....: 5170295 bytes
+~~ total memory freed........: 5170295 bytes
+~~ total allocations/frees...: 102152/102152
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 163 chars
~~ json string max len.......: 2268 chars
diff --git a/test/results/weibo.pcap.out b/test/results/weibo.pcap.out
index 749ca4cb9..9f29a6c61 100644
--- a/test/results/weibo.pcap.out
+++ b/test/results/weibo.pcap.out
@@ -84,10 +84,10 @@
00764{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":253,"source":"weibo.pcap","alias":"nDPId-test","flow_id":21,"flow_packets_processed":1,"flow_first_seen":1463089073287,"flow_last_seen":1463089073287,"flow_idle_time":180000,"flow_min_l4_payload_len":35,"flow_max_l4_payload_len":35,"flow_tot_l4_payload_len":35,"flow_avg_l4_payload_len":35,"midstream":0,"ts_msec":1463089073287,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"192.168.1.1","src_port":50640,"dst_port":53,"l4_proto":"udp","ndpi": {"flow_risk": {"16":"Suspicious DGA domain name"},"proto":"DNS","breed":"Acceptable","category":"Network"},"dns": {"query":"acjstb.aliyun.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
00550{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":254,"source":"weibo.pcap","alias":"nDPId-test","flow_id":22,"flow_packets_processed":1,"flow_first_seen":1463089073287,"flow_last_seen":1463089073287,"flow_idle_time":180000,"flow_min_l4_payload_len":30,"flow_max_l4_payload_len":30,"flow_tot_l4_payload_len":30,"flow_avg_l4_payload_len":30,"midstream":0,"ts_msec":1463089073287,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"192.168.1.1","src_port":51440,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00465{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":254,"source":"weibo.pcap","alias":"nDPId-test","flow_id":22,"flow_packet_id":1,"flow_last_seen":1463089073287,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":72,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":72,"pkt_l4_len":38,"ts_msec":1463089073287,"pkt":"kDVu60UQeJKcD6iOCABFAAA6KCNAAEARjtXAqAFpwKgBAcjwADUAJqqk8RABAAABAAAAAAAAAWcGYWxpY2RuA2NvbQAAAQAB"}
-00710{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":254,"source":"weibo.pcap","alias":"nDPId-test","flow_id":22,"flow_packets_processed":1,"flow_first_seen":1463089073287,"flow_last_seen":1463089073287,"flow_idle_time":180000,"flow_min_l4_payload_len":30,"flow_max_l4_payload_len":30,"flow_tot_l4_payload_len":30,"flow_avg_l4_payload_len":30,"midstream":0,"ts_msec":1463089073287,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"192.168.1.1","src_port":51440,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS","breed":"Acceptable","category":"Network"},"dns": {"query":"g.alicdn.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
+00714{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":254,"source":"weibo.pcap","alias":"nDPId-test","flow_id":22,"flow_packets_processed":1,"flow_first_seen":1463089073287,"flow_last_seen":1463089073287,"flow_idle_time":180000,"flow_min_l4_payload_len":30,"flow_max_l4_payload_len":30,"flow_tot_l4_payload_len":30,"flow_avg_l4_payload_len":30,"midstream":0,"ts_msec":1463089073287,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"192.168.1.1","src_port":51440,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Alibaba","breed":"Acceptable","category":"Web"},"dns": {"query":"g.alicdn.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
00550{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":255,"source":"weibo.pcap","alias":"nDPId-test","flow_id":23,"flow_packets_processed":1,"flow_first_seen":1463089073287,"flow_last_seen":1463089073287,"flow_idle_time":180000,"flow_min_l4_payload_len":32,"flow_max_l4_payload_len":32,"flow_tot_l4_payload_len":32,"flow_avg_l4_payload_len":32,"midstream":0,"ts_msec":1463089073287,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"192.168.1.1","src_port":53466,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00469{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":255,"source":"weibo.pcap","alias":"nDPId-test","flow_id":23,"flow_packet_id":1,"flow_last_seen":1463089073287,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1463089073287,"pkt":"kDVu60UQeJKcD6iOCABFAAA8KCRAAEARjtLAqAFpwKgBAdDaADUAKHiskZsBAAABAAAAAAAAA2xvZwZtbXN0YXQDY29tAAABAAE="}
-00712{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":255,"source":"weibo.pcap","alias":"nDPId-test","flow_id":23,"flow_packets_processed":1,"flow_first_seen":1463089073287,"flow_last_seen":1463089073287,"flow_idle_time":180000,"flow_min_l4_payload_len":32,"flow_max_l4_payload_len":32,"flow_tot_l4_payload_len":32,"flow_avg_l4_payload_len":32,"midstream":0,"ts_msec":1463089073287,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"192.168.1.1","src_port":53466,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS","breed":"Acceptable","category":"Network"},"dns": {"query":"log.mmstat.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
+00716{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":255,"source":"weibo.pcap","alias":"nDPId-test","flow_id":23,"flow_packets_processed":1,"flow_first_seen":1463089073287,"flow_last_seen":1463089073287,"flow_idle_time":180000,"flow_min_l4_payload_len":32,"flow_max_l4_payload_len":32,"flow_tot_l4_payload_len":32,"flow_avg_l4_payload_len":32,"midstream":0,"ts_msec":1463089073287,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"192.168.1.1","src_port":53466,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Alibaba","breed":"Acceptable","category":"Web"},"dns": {"query":"log.mmstat.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
00550{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":257,"source":"weibo.pcap","alias":"nDPId-test","flow_id":24,"flow_packets_processed":1,"flow_first_seen":1463089073289,"flow_last_seen":1463089073289,"flow_idle_time":180000,"flow_min_l4_payload_len":34,"flow_max_l4_payload_len":34,"flow_tot_l4_payload_len":34,"flow_avg_l4_payload_len":34,"midstream":0,"ts_msec":1463089073289,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"192.168.1.1","src_port":33822,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00474{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":257,"source":"weibo.pcap","alias":"nDPId-test","flow_id":24,"flow_packet_id":1,"flow_last_seen":1463089073289,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":76,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":76,"pkt_l4_len":42,"ts_msec":1463089073289,"pkt":"kDVu60UQeJKcD6iOCABFAAA+KCVAAEARjs\/AqAFpwKgBAYQeADUAKn2XkPcBAAABAAAAAAAABWxvZ2luBnRhb2JhbwNjb20AAAEAAQ=="}
00714{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":257,"source":"weibo.pcap","alias":"nDPId-test","flow_id":24,"flow_packets_processed":1,"flow_first_seen":1463089073289,"flow_last_seen":1463089073289,"flow_idle_time":180000,"flow_min_l4_payload_len":34,"flow_max_l4_payload_len":34,"flow_tot_l4_payload_len":34,"flow_avg_l4_payload_len":34,"midstream":0,"ts_msec":1463089073289,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"192.168.1.1","src_port":33822,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS","breed":"Acceptable","category":"Network"},"dns": {"query":"login.taobao.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
@@ -125,14 +125,14 @@
00550{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":305,"source":"weibo.pcap","alias":"nDPId-test","flow_id":32,"flow_packets_processed":1,"flow_first_seen":1463089073424,"flow_last_seen":1463089073424,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1463089073424,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"93.188.134.246","src_port":35811,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00470{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":305,"source":"weibo.pcap","alias":"nDPId-test","flow_id":32,"flow_packet_id":1,"flow_last_seen":1463089073424,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1463089073424,"pkt":"kDVu60UQeJKcD6iOCABFAAA8dN1AAEAGHxvAqAFpXbyG9ovjAFD5+n7QAAAAAKACchAf3wAAAgQFtAQCCAoAQQoNAAAAAAEDAwc="}
00600{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":306,"source":"weibo.pcap","alias":"nDPId-test","flow_id":22,"flow_packet_id":2,"flow_last_seen":1463089073478,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":171,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":171,"pkt_l4_len":137,"ts_msec":1463089073478,"pkt":"eJKcD6iOkDVu60UQCABFAACdAABAAEARtpXAqAEBwKgBaQA1yPAAiVtu8RCBgAABAAUAAAAAAWcGYWxpY2RuA2NvbQAAAQABwAwABQABAADy0wAXAWcGYWxpY2RuA2NvbQdkYW51b3lpwA7AKgABAAEAAAGzAAQvWUHlwCoAAQABAAABswAEL1lBx8AqAAEAAQAAAbMABC9ZQcbAKgABAAEAAAGzAAQvWUHk"}
-00725{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":306,"source":"weibo.pcap","alias":"nDPId-test","flow_id":22,"flow_packets_processed":2,"flow_first_seen":1463089073287,"flow_last_seen":1463089073478,"flow_idle_time":180000,"flow_min_l4_payload_len":30,"flow_max_l4_payload_len":129,"flow_tot_l4_payload_len":159,"flow_avg_l4_payload_len":79,"midstream":0,"ts_msec":1463089073478,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"192.168.1.1","src_port":51440,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS","breed":"Acceptable","category":"Network"},"dns": {"query":"g.alicdn.com","num_queries":1,"num_answers":5,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"47.89.65.229"}}
+00729{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":306,"source":"weibo.pcap","alias":"nDPId-test","flow_id":22,"flow_packets_processed":2,"flow_first_seen":1463089073287,"flow_last_seen":1463089073478,"flow_idle_time":180000,"flow_min_l4_payload_len":30,"flow_max_l4_payload_len":129,"flow_tot_l4_payload_len":159,"flow_avg_l4_payload_len":79,"midstream":0,"ts_msec":1463089073478,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"192.168.1.1","src_port":51440,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Alibaba","breed":"Acceptable","category":"Web"},"dns": {"query":"g.alicdn.com","num_queries":1,"num_answers":5,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"47.89.65.229"}}
00550{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":307,"source":"weibo.pcap","alias":"nDPId-test","flow_id":33,"flow_packets_processed":1,"flow_first_seen":1463089073479,"flow_last_seen":1463089073479,"flow_idle_time":180000,"flow_min_l4_payload_len":32,"flow_max_l4_payload_len":32,"flow_tot_l4_payload_len":32,"flow_avg_l4_payload_len":32,"midstream":0,"ts_msec":1463089073479,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"192.168.1.1","src_port":50533,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00469{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":307,"source":"weibo.pcap","alias":"nDPId-test","flow_id":33,"flow_packet_id":1,"flow_last_seen":1463089073479,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1463089073479,"pkt":"kDVu60UQeJKcD6iOCABFAAA8KD5AAEARjrjAqAFpwKgBAcVlADUAKPnf1EwBAAABAAAAAAAABGRhdGEFd2VpYm8DY29tAAABAAE="}
00723{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":307,"source":"weibo.pcap","alias":"nDPId-test","flow_id":33,"flow_packets_processed":1,"flow_first_seen":1463089073479,"flow_last_seen":1463089073479,"flow_idle_time":180000,"flow_min_l4_payload_len":32,"flow_max_l4_payload_len":32,"flow_tot_l4_payload_len":32,"flow_avg_l4_payload_len":32,"midstream":0,"ts_msec":1463089073479,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"192.168.1.1","src_port":50533,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Sina(Weibo)","breed":"Fun","category":"SocialNetwork"},"dns": {"query":"data.weibo.com","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
00549{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":308,"source":"weibo.pcap","alias":"nDPId-test","flow_id":34,"flow_packets_processed":1,"flow_first_seen":1463089073479,"flow_last_seen":1463089073479,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1463089073479,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"47.89.65.229","src_port":50827,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00470{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":308,"source":"weibo.pcap","alias":"nDPId-test","flow_id":34,"flow_packet_id":1,"flow_last_seen":1463089073479,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1463089073479,"pkt":"kDVu60UQeJKcD6iOCABFAAA8PQxAAEAGymDAqAFpL1lB5caLAbuG5TcXAAAAAKACchASAQAAAgQFtAQCCAoAQQobAAAAAAEDAwc="}
00523{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":309,"source":"weibo.pcap","alias":"nDPId-test","flow_id":23,"flow_packet_id":2,"flow_last_seen":1463089073488,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":112,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":112,"pkt_l4_len":78,"ts_msec":1463089073488,"pkt":"eJKcD6iOkDVu60UQCABFAABiAABAAEARttDAqAEBwKgBaQA10NoATp++kZuBgAABAAIAAAAAA2xvZwZtbXN0YXQDY29tAAABAAHADAAFAAEAAAIfAAoDbG9nA2dkc8AQwCwAAQABAAAAIwAEjM2uAQ=="}
-00727{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":309,"source":"weibo.pcap","alias":"nDPId-test","flow_id":23,"flow_packets_processed":2,"flow_first_seen":1463089073287,"flow_last_seen":1463089073488,"flow_idle_time":180000,"flow_min_l4_payload_len":32,"flow_max_l4_payload_len":70,"flow_tot_l4_payload_len":102,"flow_avg_l4_payload_len":51,"midstream":0,"ts_msec":1463089073488,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"192.168.1.1","src_port":53466,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS","breed":"Acceptable","category":"Network"},"dns": {"query":"log.mmstat.com","num_queries":1,"num_answers":2,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"140.205.174.1"}}
+00731{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":309,"source":"weibo.pcap","alias":"nDPId-test","flow_id":23,"flow_packets_processed":2,"flow_first_seen":1463089073287,"flow_last_seen":1463089073488,"flow_idle_time":180000,"flow_min_l4_payload_len":32,"flow_max_l4_payload_len":70,"flow_tot_l4_payload_len":102,"flow_avg_l4_payload_len":51,"midstream":0,"ts_msec":1463089073488,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"192.168.1.1","src_port":53466,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Alibaba","breed":"Acceptable","category":"Web"},"dns": {"query":"log.mmstat.com","num_queries":1,"num_answers":2,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"140.205.174.1"}}
00550{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":310,"source":"weibo.pcap","alias":"nDPId-test","flow_id":35,"flow_packets_processed":1,"flow_first_seen":1463089073488,"flow_last_seen":1463089073488,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1463089073488,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"140.205.174.1","src_port":48352,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00471{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":310,"source":"weibo.pcap","alias":"nDPId-test","flow_id":35,"flow_packet_id":1,"flow_last_seen":1463089073488,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1463089073488,"pkt":"kDVu60UQeJKcD6iOCABFAAA8K\/hAAEAGEeTAqAFpjM2uAbzgAbtP+SHlAAAAAKACchCeNwAAAgQFtAQCCAoAQQodAAAAAAEDAwc="}
00550{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":311,"source":"weibo.pcap","alias":"nDPId-test","flow_id":36,"flow_packets_processed":1,"flow_first_seen":1463089073488,"flow_last_seen":1463089073488,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1463089073488,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"140.205.174.1","src_port":48353,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -148,7 +148,7 @@
00868{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":376,"source":"weibo.pcap","alias":"nDPId-test","flow_id":32,"flow_packets_processed":4,"flow_first_seen":1463089073424,"flow_last_seen":1463089073616,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":398,"flow_tot_l4_payload_len":398,"flow_avg_l4_payload_len":99,"midstream":0,"ts_msec":1463089073616,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"93.188.134.246","src_port":35811,"dst_port":80,"l4_proto":"tcp","ndpi": {"proto":"HTTP.Sina(Weibo)","breed":"Fun","category":"SocialNetwork"},"http": {"hostname":"js.t.sinajs.cn","url":"js.t.sinajs.cn\/t5\/register\/js\/v6\/pl\/base.js?version=201605130537","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/50.0.2661.102 Safari\/537.36"}}
00458{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":384,"source":"weibo.pcap","alias":"nDPId-test","flow_id":34,"flow_packet_id":2,"flow_last_seen":1463089073635,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1463089073635,"pkt":"eJKcD6iOkDVu60UQCABFAAA0AABAADEGFnUvWUHlwKgBaQG7xos8arg3huU3GIASOQiHzQAAAgQFqAEBBAIBAwMJ"}
00442{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":385,"source":"weibo.pcap","alias":"nDPId-test","flow_id":34,"flow_packet_id":3,"flow_last_seen":1463089073635,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1463089073635,"pkt":"kDVu60UQeJKcD6iOCABFAAAoPQ1AAEAGynPAqAFpL1lB5caLAbuG5TcYPGq4OFAQAOUAuQAA"}
-00787{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":386,"source":"weibo.pcap","alias":"nDPId-test","flow_id":34,"flow_packets_processed":4,"flow_first_seen":1463089073479,"flow_last_seen":1463089073635,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":200,"flow_tot_l4_payload_len":200,"flow_avg_l4_payload_len":50,"midstream":0,"ts_msec":1463089073635,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"47.89.65.229","src_port":50827,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"g.alicdn.com","ja3":"58e7f64db6e4fe4941dd9691d421196c","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,spdy\/3.1,http\/1.1"}}
+00801{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":386,"source":"weibo.pcap","alias":"nDPId-test","flow_id":34,"flow_packets_processed":4,"flow_first_seen":1463089073479,"flow_last_seen":1463089073635,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":200,"flow_tot_l4_payload_len":200,"flow_avg_l4_payload_len":50,"midstream":0,"ts_msec":1463089073635,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"47.89.65.229","src_port":50827,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Alibaba","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"g.alicdn.com","ja3":"58e7f64db6e4fe4941dd9691d421196c","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,spdy\/3.1,http\/1.1"}}
00459{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":422,"source":"weibo.pcap","alias":"nDPId-test","flow_id":38,"flow_packet_id":2,"flow_last_seen":1463089073759,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1463089073759,"pkt":"eJKcD6iOkDVu60UQCABFAAA0AABAADEGFnUvWUHlwKgBaQG7xo+u1rhnnywRAoASOQgi\/AAAAgQFqAEBBAIBAwMJ"}
00442{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":423,"source":"weibo.pcap","alias":"nDPId-test","flow_id":38,"flow_packet_id":3,"flow_last_seen":1463089073759,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1463089073759,"pkt":"kDVu60UQeJKcD6iOCABFAAAoGylAAEAG7FfAqAFpL1lB5caPAbufLBECrta4aFAQAOWb5wAA"}
00584{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":424,"source":"weibo.pcap","alias":"nDPId-test","flow_id":21,"flow_packet_id":2,"flow_last_seen":1463089073760,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":157,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":157,"pkt_l4_len":123,"ts_msec":1463089073760,"pkt":"eJKcD6iOkDVu60UQCABFAACPAABAAEARtqPAqAEBwKgBaQA1xdAAe7w5O9aBgAABAAMAAAAABmFjanN0YgZhbGl5dW4DY29tAAABAAHADAAFAAEAAAJYAAcEYWNqc8ATwC8ABQABAAABAAAhBGFjanMGYWxpeXVuA2NvbQNnZHMKYWxpYmFiYWRuc8AawEIAAQABAAAAbAAEKpy4Ew=="}
@@ -173,7 +173,7 @@
00549{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":498,"source":"weibo.pcap","alias":"nDPId-test","flow_id":37,"flow_packets_processed":1,"flow_first_seen":1463089073537,"flow_last_seen":1463089073537,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1463089073893,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"222.73.28.96","src_port":42280,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00553{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":498,"source":"weibo.pcap","alias":"nDPId-test","flow_id":20,"flow_packets_processed":2,"flow_first_seen":1463089073286,"flow_last_seen":1463089073393,"flow_idle_time":180000,"flow_min_l4_payload_len":39,"flow_max_l4_payload_len":117,"flow_tot_l4_payload_len":156,"flow_avg_l4_payload_len":78,"midstream":0,"ts_msec":1463089073893,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"192.168.1.1","src_port":18035,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00550{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":498,"source":"weibo.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":2,"flow_first_seen":1463089070757,"flow_last_seen":1463089070841,"flow_idle_time":180000,"flow_min_l4_payload_len":27,"flow_max_l4_payload_len":43,"flow_tot_l4_payload_len":70,"flow_avg_l4_payload_len":35,"midstream":0,"ts_msec":1463089073893,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"192.168.1.1","src_port":54988,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
-00586{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":498,"source":"weibo.pcap","alias":"nDPId-test","flow_id":12,"flow_packets_processed":2,"flow_first_seen":1463089071730,"flow_last_seen":1463089071755,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1463089073893,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"216.58.212.69","src_port":37802,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"}}
+00584{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":498,"source":"weibo.pcap","alias":"nDPId-test","flow_id":12,"flow_packets_processed":2,"flow_first_seen":1463089071730,"flow_last_seen":1463089071755,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1463089073893,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"216.58.212.69","src_port":37802,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Web"}}
00551{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":498,"source":"weibo.pcap","alias":"nDPId-test","flow_id":12,"flow_packets_processed":2,"flow_first_seen":1463089071730,"flow_last_seen":1463089071755,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1463089073893,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"216.58.212.69","src_port":37802,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00562{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":498,"source":"weibo.pcap","alias":"nDPId-test","flow_id":16,"flow_packets_processed":106,"flow_first_seen":1463089072445,"flow_last_seen":1463089073885,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":4308,"flow_tot_l4_payload_len":69723,"flow_avg_l4_payload_len":657,"midstream":0,"ts_msec":1463089073893,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"93.188.134.246","src_port":35803,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00561{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":498,"source":"weibo.pcap","alias":"nDPId-test","flow_id":17,"flow_packets_processed":72,"flow_first_seen":1463089072445,"flow_last_seen":1463089073773,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":2872,"flow_tot_l4_payload_len":49381,"flow_avg_l4_payload_len":685,"midstream":0,"ts_msec":1463089073893,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"93.188.134.246","src_port":35804,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -184,11 +184,11 @@
00551{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":498,"source":"weibo.pcap","alias":"nDPId-test","flow_id":27,"flow_packets_processed":3,"flow_first_seen":1463089073322,"flow_last_seen":1463089073383,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1463089073893,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"93.188.134.246","src_port":35808,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00561{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":498,"source":"weibo.pcap","alias":"nDPId-test","flow_id":28,"flow_packets_processed":35,"flow_first_seen":1463089073334,"flow_last_seen":1463089073893,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1436,"flow_tot_l4_payload_len":20023,"flow_avg_l4_payload_len":572,"midstream":0,"ts_msec":1463089073893,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"93.188.134.246","src_port":35809,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00556{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":498,"source":"weibo.pcap","alias":"nDPId-test","flow_id":32,"flow_packets_processed":5,"flow_first_seen":1463089073424,"flow_last_seen":1463089073885,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":398,"flow_tot_l4_payload_len":398,"flow_avg_l4_payload_len":79,"midstream":0,"ts_msec":1463089073893,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"93.188.134.246","src_port":35811,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
-00585{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":498,"source":"weibo.pcap","alias":"nDPId-test","flow_id":13,"flow_packets_processed":2,"flow_first_seen":1463089071994,"flow_last_seen":1463089072138,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1463089073893,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"54.225.163.210","src_port":40440,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Amazon","breed":"Acceptable","category":"Web"}}
+00590{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":498,"source":"weibo.pcap","alias":"nDPId-test","flow_id":13,"flow_packets_processed":2,"flow_first_seen":1463089071994,"flow_last_seen":1463089072138,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1463089073893,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"54.225.163.210","src_port":40440,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.AmazonAWS","breed":"Acceptable","category":"Cloud"}}
00552{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":498,"source":"weibo.pcap","alias":"nDPId-test","flow_id":13,"flow_packets_processed":2,"flow_first_seen":1463089071994,"flow_last_seen":1463089072138,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1463089073893,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"54.225.163.210","src_port":40440,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
-00585{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":498,"source":"weibo.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":2,"flow_first_seen":1463089069330,"flow_last_seen":1463089069374,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1463089073893,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"216.58.214.78","src_port":58480,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"}}
+00583{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":498,"source":"weibo.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":2,"flow_first_seen":1463089069330,"flow_last_seen":1463089069374,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1463089073893,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"216.58.214.78","src_port":58480,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Web"}}
00550{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":498,"source":"weibo.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":2,"flow_first_seen":1463089069330,"flow_last_seen":1463089069374,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1463089073893,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"216.58.214.78","src_port":58480,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
-00585{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":498,"source":"weibo.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":2,"flow_first_seen":1463089070086,"flow_last_seen":1463089070131,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1463089073893,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"216.58.214.78","src_port":58481,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"}}
+00583{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":498,"source":"weibo.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":2,"flow_first_seen":1463089070086,"flow_last_seen":1463089070131,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1463089073893,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"216.58.214.78","src_port":58481,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Web"}}
00550{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":498,"source":"weibo.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":2,"flow_first_seen":1463089070086,"flow_last_seen":1463089070131,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1463089073893,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"216.58.214.78","src_port":58481,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00555{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":498,"source":"weibo.pcap","alias":"nDPId-test","flow_id":34,"flow_packets_processed":4,"flow_first_seen":1463089073479,"flow_last_seen":1463089073635,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":200,"flow_tot_l4_payload_len":200,"flow_avg_l4_payload_len":50,"midstream":0,"ts_msec":1463089073893,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"47.89.65.229","src_port":50827,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00570{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":498,"source":"weibo.pcap","alias":"nDPId-test","flow_id":38,"flow_packets_processed":3,"flow_first_seen":1463089073537,"flow_last_seen":1463089073759,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1463089073893,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"47.89.65.229","src_port":50831,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"}}
@@ -208,7 +208,7 @@
00553{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":498,"source":"weibo.pcap","alias":"nDPId-test","flow_id":15,"flow_packets_processed":2,"flow_first_seen":1463089072333,"flow_last_seen":1463089072444,"flow_idle_time":180000,"flow_min_l4_payload_len":33,"flow_max_l4_payload_len":149,"flow_tot_l4_payload_len":182,"flow_avg_l4_payload_len":91,"midstream":0,"ts_msec":1463089073893,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"192.168.1.1","src_port":53543,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00553{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":498,"source":"weibo.pcap","alias":"nDPId-test","flow_id":19,"flow_packets_processed":2,"flow_first_seen":1463089072885,"flow_last_seen":1463089073423,"flow_idle_time":180000,"flow_min_l4_payload_len":32,"flow_max_l4_payload_len":148,"flow_tot_l4_payload_len":180,"flow_avg_l4_payload_len":90,"midstream":0,"ts_msec":1463089073893,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"192.168.1.1","src_port":41352,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00551{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":498,"source":"weibo.pcap","alias":"nDPId-test","flow_id":31,"flow_packets_processed":1,"flow_first_seen":1463089073424,"flow_last_seen":1463089073424,"flow_idle_time":180000,"flow_min_l4_payload_len":28,"flow_max_l4_payload_len":28,"flow_tot_l4_payload_len":28,"flow_avg_l4_payload_len":28,"midstream":0,"ts_msec":1463089073893,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"192.168.1.1","src_port":16804,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
-00586{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":498,"source":"weibo.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":2,"flow_first_seen":1463089072046,"flow_last_seen":1463089072070,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1463089073893,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"216.58.212.65","src_port":34699,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"}}
+00584{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":498,"source":"weibo.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":2,"flow_first_seen":1463089072046,"flow_last_seen":1463089072070,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1463089073893,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"216.58.212.65","src_port":34699,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Web"}}
00551{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":498,"source":"weibo.pcap","alias":"nDPId-test","flow_id":14,"flow_packets_processed":2,"flow_first_seen":1463089072046,"flow_last_seen":1463089072070,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1463089073893,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"216.58.212.65","src_port":34699,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00571{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":498,"source":"weibo.pcap","alias":"nDPId-test","flow_id":35,"flow_packets_processed":1,"flow_first_seen":1463089073488,"flow_last_seen":1463089073488,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1463089073893,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"140.205.174.1","src_port":48352,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS","breed":"Safe","category":"Web"}}
00551{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":498,"source":"weibo.pcap","alias":"nDPId-test","flow_id":35,"flow_packets_processed":1,"flow_first_seen":1463089073488,"flow_last_seen":1463089073488,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1463089073893,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"140.205.174.1","src_port":48352,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -218,16 +218,16 @@
00551{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":498,"source":"weibo.pcap","alias":"nDPId-test","flow_id":39,"flow_packets_processed":1,"flow_first_seen":1463089073537,"flow_last_seen":1463089073537,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1463089073893,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"140.205.174.1","src_port":48356,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00552{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":498,"source":"weibo.pcap","alias":"nDPId-test","flow_id":10,"flow_packets_processed":2,"flow_first_seen":1463089071551,"flow_last_seen":1463089071612,"flow_idle_time":180000,"flow_min_l4_payload_len":31,"flow_max_l4_payload_len":100,"flow_tot_l4_payload_len":131,"flow_avg_l4_payload_len":65,"midstream":0,"ts_msec":1463089073893,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"192.168.1.1","src_port":7148,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00553{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":498,"source":"weibo.pcap","alias":"nDPId-test","flow_id":24,"flow_packets_processed":2,"flow_first_seen":1463089073289,"flow_last_seen":1463089073763,"flow_idle_time":180000,"flow_min_l4_payload_len":34,"flow_max_l4_payload_len":124,"flow_tot_l4_payload_len":158,"flow_avg_l4_payload_len":79,"midstream":0,"ts_msec":1463089073893,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"192.168.1.1","src_port":33822,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
-00588{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":498,"source":"weibo.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":9,"flow_first_seen":1463089067804,"flow_last_seen":1463089068491,"flow_idle_time":180000,"flow_min_l4_payload_len":35,"flow_max_l4_payload_len":618,"flow_tot_l4_payload_len":1566,"flow_avg_l4_payload_len":174,"midstream":0,"ts_msec":1463089073893,"l3_proto":"ip4","src_ip":"216.58.210.14","dst_ip":"192.168.1.105","src_port":443,"dst_port":49361,"l4_proto":"udp","ndpi": {"proto":"Google","breed":"Tracker\/Ads","category":"Web"}}
+00586{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":498,"source":"weibo.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":9,"flow_first_seen":1463089067804,"flow_last_seen":1463089068491,"flow_idle_time":180000,"flow_min_l4_payload_len":35,"flow_max_l4_payload_len":618,"flow_tot_l4_payload_len":1566,"flow_avg_l4_payload_len":174,"midstream":0,"ts_msec":1463089073893,"l3_proto":"ip4","src_ip":"216.58.210.14","dst_ip":"192.168.1.105","src_port":443,"dst_port":49361,"l4_proto":"udp","ndpi": {"proto":"Google","breed":"Acceptable","category":"Web"}}
00557{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":498,"source":"weibo.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":9,"flow_first_seen":1463089067804,"flow_last_seen":1463089068491,"flow_idle_time":180000,"flow_min_l4_payload_len":35,"flow_max_l4_payload_len":618,"flow_tot_l4_payload_len":1566,"flow_avg_l4_payload_len":174,"midstream":0,"ts_msec":1463089073893,"l3_proto":"ip4","src_ip":"216.58.210.14","dst_ip":"192.168.1.105","src_port":443,"dst_port":49361,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00556{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":498,"source":"weibo.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":9,"flow_first_seen":1463089070841,"flow_last_seen":1463089071891,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":635,"flow_tot_l4_payload_len":1081,"flow_avg_l4_payload_len":120,"midstream":0,"ts_msec":1463089073893,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"114.134.80.162","src_port":59119,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00588{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":498,"source":"weibo.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":3,"flow_first_seen":1463089070841,"flow_last_seen":1463089071198,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1463089073893,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"114.134.80.162","src_port":59120,"dst_port":80,"l4_proto":"tcp","ndpi": {"proto":"HTTP","breed":"Acceptable","category":"Web"},"http": {}}
00550{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":498,"source":"weibo.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":3,"flow_first_seen":1463089070841,"flow_last_seen":1463089071198,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1463089073893,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"114.134.80.162","src_port":59120,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00588{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":498,"source":"weibo.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":3,"flow_first_seen":1463089071008,"flow_last_seen":1463089071348,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1463089073893,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"114.134.80.162","src_port":59121,"dst_port":80,"l4_proto":"tcp","ndpi": {"proto":"HTTP","breed":"Acceptable","category":"Web"},"http": {}}
00550{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":498,"source":"weibo.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":3,"flow_first_seen":1463089071008,"flow_last_seen":1463089071348,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1463089073893,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"114.134.80.162","src_port":59121,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
-00586{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":498,"source":"weibo.pcap","alias":"nDPId-test","flow_id":9,"flow_packets_processed":2,"flow_first_seen":1463089071046,"flow_last_seen":1463089071094,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1463089073893,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"216.58.210.206","src_port":35154,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"}}
+00584{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":498,"source":"weibo.pcap","alias":"nDPId-test","flow_id":9,"flow_packets_processed":2,"flow_first_seen":1463089071046,"flow_last_seen":1463089071094,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1463089073893,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"216.58.210.206","src_port":35154,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Web"}}
00551{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":498,"source":"weibo.pcap","alias":"nDPId-test","flow_id":9,"flow_packets_processed":2,"flow_first_seen":1463089071046,"flow_last_seen":1463089071094,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1463089073893,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"216.58.210.206","src_port":35154,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
-00590{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":498,"source":"weibo.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":14,"flow_first_seen":1463089070755,"flow_last_seen":1463089072356,"flow_idle_time":180000,"flow_min_l4_payload_len":25,"flow_max_l4_payload_len":391,"flow_tot_l4_payload_len":1586,"flow_avg_l4_payload_len":113,"midstream":0,"ts_msec":1463089073893,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"216.58.210.227","src_port":53656,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"Google","breed":"Tracker\/Ads","category":"Web"}}
+00588{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":498,"source":"weibo.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":14,"flow_first_seen":1463089070755,"flow_last_seen":1463089072356,"flow_idle_time":180000,"flow_min_l4_payload_len":25,"flow_max_l4_payload_len":391,"flow_tot_l4_payload_len":1586,"flow_avg_l4_payload_len":113,"midstream":0,"ts_msec":1463089073893,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"216.58.210.227","src_port":53656,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"Google","breed":"Acceptable","category":"Web"}}
00559{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":498,"source":"weibo.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":14,"flow_first_seen":1463089070755,"flow_last_seen":1463089072356,"flow_idle_time":180000,"flow_min_l4_payload_len":25,"flow_max_l4_payload_len":391,"flow_tot_l4_payload_len":1586,"flow_avg_l4_payload_len":113,"midstream":0,"ts_msec":1463089073893,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"216.58.210.227","src_port":53656,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00551{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":498,"source":"weibo.pcap","alias":"nDPId-test","flow_id":33,"flow_packets_processed":1,"flow_first_seen":1463089073479,"flow_last_seen":1463089073479,"flow_idle_time":180000,"flow_min_l4_payload_len":32,"flow_max_l4_payload_len":32,"flow_tot_l4_payload_len":32,"flow_avg_l4_payload_len":32,"midstream":0,"ts_msec":1463089073893,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"192.168.1.1","src_port":50533,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00561{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":498,"source":"weibo.pcap","alias":"nDPId-test","flow_id":11,"flow_packets_processed":79,"flow_first_seen":1463089071613,"flow_last_seen":1463089072438,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":2872,"flow_tot_l4_payload_len":31898,"flow_avg_l4_payload_len":403,"midstream":0,"ts_msec":1463089073893,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"93.188.134.137","src_port":51698,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -242,9 +242,9 @@
~~ total active/idle flows...: 44/44
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 2015890 bytes
-~~ total memory freed........: 2015890 bytes
-~~ total allocations/frees...: 35994/35994
+~~ total memory allocated....: 4660103 bytes
+~~ total memory freed........: 4660103 bytes
+~~ total allocations/frees...: 100200/100200
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 161 chars
~~ json string max len.......: 925 chars
diff --git a/test/results/whatsapp_login_call.pcap.out b/test/results/whatsapp_login_call.pcap.out
index 815fa50e0..3ab27ffa1 100644
--- a/test/results/whatsapp_login_call.pcap.out
+++ b/test/results/whatsapp_login_call.pcap.out
@@ -62,7 +62,7 @@
00836{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":58,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":13,"flow_packets_processed":4,"flow_first_seen":1432582227604,"flow_last_seen":1432582227896,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":190,"flow_tot_l4_payload_len":190,"flow_avg_l4_payload_len":47,"midstream":0,"ts_msec":1432582227896,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"17.178.104.12","src_port":49201,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Apple","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"query.ess.apple.com","ja3":"799135475da362592a4be9199d258726","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
00472{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":60,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":2,"flow_last_seen":1432582228152,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1432582228152,"pkt":"APS5Jrv0xiwDYGpkCABFAAA0UDkAAO4GQB4RsmgOwKgCBAG7wDON4auhp3wzpIASH\/48GwAAAgQFoAEDAwQBAQQC"}
00455{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":61,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":3,"flow_last_seen":1432582228167,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1432582228167,"pkt":"xiwDYGpkAPS5Jrv0CABFAAAoC8AAAEAGMqTAqAIEEbJoDsAzAbunfDOkAAAAAFAEAADWZAAA"}
-01157{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":64,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":13,"flow_packets_processed":7,"flow_first_seen":1432582227604,"flow_last_seen":1432582228181,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":3601,"flow_avg_l4_payload_len":514,"midstream":0,"ts_msec":1432582228181,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"17.178.104.12","src_port":49201,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Apple","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"query.ess.apple.com","server_names":"*.ess.apple.com","ja3":"799135475da362592a4be9199d258726","ja3s":"c253ec3ad88e42f8da4032682892f9a0","unsafe_cipher":2,"cipher":"TLS_RSA_WITH_RC4_128_MD5","issuerDN":"CN=Apple Server Authentication CA, OU=Certification Authority, O=Apple Inc., C=US","issuerDN":"CN=*.ess.apple.com, OU=ISG Delivery Ops, O=Apple Inc., C=US","fingerprint":"BD:E0:62:C3:F2:9D:09:5D:52:D4:AA:60:11:1B:36:1B:03:24:F1:9B"}}
+01158{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":64,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":13,"flow_packets_processed":7,"flow_first_seen":1432582227604,"flow_last_seen":1432582228181,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":3601,"flow_avg_l4_payload_len":514,"midstream":0,"ts_msec":1432582228181,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"17.178.104.12","src_port":49201,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Apple","breed":"Safe","category":"Web"},"tls": {"version":"TLSv1.2","client_requested_server_name":"query.ess.apple.com","server_names":"*.ess.apple.com","ja3":"799135475da362592a4be9199d258726","ja3s":"c253ec3ad88e42f8da4032682892f9a0","unsafe_cipher":2,"cipher":"TLS_RSA_WITH_RC4_128_MD5","issuerDN":"CN=Apple Server Authentication CA, OU=Certification Authority, O=Apple Inc., C=US","subjectDN":"CN=*.ess.apple.com, OU=ISG Delivery Ops, O=Apple Inc., C=US","fingerprint":"BD:E0:62:C3:F2:9D:09:5D:52:D4:AA:60:11:1B:36:1B:03:24:F1:9B"}}
00574{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":72,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":16,"flow_packets_processed":1,"flow_first_seen":1432582228503,"flow_last_seen":1432582228503,"flow_idle_time":7440000,"flow_min_l4_payload_len":1440,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":1440,"flow_avg_l4_payload_len":1440,"midstream":1,"ts_msec":1432582228503,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"17.110.229.14","src_port":49193,"dst_port":5223,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
02425{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":72,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":1,"flow_last_seen":1432582228503,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":1506,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1506,"pkt_l4_len":1472,"ts_msec":1432582228503,"pkt":"xiwDYGpkAPS5Jrv0CABFAAXUnXJAAEAG3ojAqAIEEW7lDsApFGe4aEuG1IsaTIAQIAA3PgAAAQEICi36MxJvhmvfFwMBACDgnfLWgV8g\/pw7jjX\/\/3ZDH1tB+gK1jE9k\/rmu6RmKPhcDAQdQwvKiQZwynx6ML8uHDg8WgbZIBNPdSiBPAiHm7VZMSxjHJ7BGJ8hRCNCOXC6LyliytHBkvL\/WQAE0iyMMgIlOMed9vHW1FQrPwtxifubqT35jWP9Nwm9hOQ2sUXPF6J6ZcqeRRxjts4LAxUp+ZVHbqO88UycvtArFRoKmsjwuTsOHFL0h\/BX9z3nWEUxaS9mVyhudzOuBlhf3aNgcppeJ3Mr6DsSPYDWrJ1Ko6GUQ6Mz7WhKyRp+OhCR+8vNcJ+2CIpa9aPiStGZvZFFuJ5eoJiBK6lrgPDyxxPa\/Z82Zx7iZHY+\/ajmPTXvQU4j7rC5OlL\/ZO1JkHVVmXmK1\/n5cUDYPvmxuWKEEWDx8eNxgRC58OMj0i5sHQHDG+ZLwIW4R3Ebyfp++7DjTwhy7uHM9lVzOAa6qgVVbeWZWLm5Zp4udgSHyIGs6plbNOhN8Lb7TTV3BFKBjCbwxtnCR+8lPTlOVAewtoM48Z0qRSJODl9LDmyJOnkTl+LQlbM7hWhZq\/VVyYDivHB+RnYZFdt7ZvWbMsFi9dXD6LjMsdLkj0RU\/SFA5gXvUGWy9x04Yo\/WqRH7ng0WIs\/oAxdVKAH0RL\/egfgAwRrcRgu3dPMqb8b19+PmNfa+WFGFnW0JLuexKCM9POmeD5yw6nk\/ac9Raq2rKcykqXxndrastmOjTbplC4qeRqr0LASV9tRAtG4WvYwC\/dfTiBawq859mBNGrglJvult9KPMKQPFULDG6x+KBv4eYpxjRc54qoabZQMWqqc+\/C0Emvy+eYJXsquvu+83ilyZ2N5sYlJ92HKH8JfE8JTIg5o3c9zLm5ZWhw8+NmQMwd0i5bU9vg06cROWuAG\/JN1YaR0pdUTITubm5mlduwzPQc2BVmXII2GZu105+s7qlJpQzMmRVjoqYtbOeWHJKIQ4UQdZCqzpz4AcWUN7LNHzsfvI5B8mXgc+B7aL8Y8jc2YqBmFk1dHfnjKeYCxGmRBZHJy7WbY9uViabjXvTq6pmYIGh+8lsYGwBwhWNapwWuc8Bw0b65ZKVGVcMKolOabscbWi+EYPJjuvFKgqZscrMC1dXZUtfdGPsPdXUlxbBMQ2Kup7KMqRXjqDlL2rJPpRC\/J6FfjQ+IKNfM\/RVAKV8teQWPRPthAH1FIrtEy51cDQixMgza8uftMRBKRfqEYXF7XVD5164o\/Mck2RudrQlyQmifMkcXuuW1kb2sTQoTz3p0Ox09YvEjxH+5SXf2MqAQ5cwiqd8fGHwSVuprE4y5B+B+0nEsRucTP\/97X6ZaOAcSRCuPQgdHN1NHCSQ8002IEFsPCRXQaWhb\/8KMjfJXXs1I3Eouoy5fGg9Eon7zV6InzJDOtmcVxRzUBgfDR1DGBIMOusKSnnAX1htfNBhCsM31KRySVA9BnU7p8tKS\/3BfJCTQQBoGTP2MoOxAiFKkSgX
Eh3w0kC\/x4kpimxmzxtGXOOQBZWNBgxyNTYgb0Sf9nOE+sqmGbSG7xueIM5u7Dd864xcMPmVsE1VcOkz2PMHbXIHe+roLyX2aqyb6Yu22cChJiPbSlY+mRr9siD+E7u3KnznXJcpEJBSd3utMm4QryOQBR9FCdalU2IyjVmAb148IpK6Ghgjmw7oVrHdCZXaVw+zfL1FhqC9Bd1VFHiBGm211UlGgrjedJW7mv5NM2z0cPLUMCaZycFw6G4KQN6aDAE1rL1eqhrIxxsuhCw0HsrKiJLLdGsa1+3Rf\/uEKt1c0Ng9dAzkrCJEwEwHx3trkLyhj9\/ja7mEqYBSp5Sx0mCtwBbfi6wnI8gTgb3WlgH0Ha3ke8bRCbeKw4dCUR0GSPUQYm4lO6VKKERImy3aoUDOHbtquSKZKUtb1hVt"}
00610{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":72,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":16,"flow_packets_processed":1,"flow_first_seen":1432582228503,"flow_last_seen":1432582228503,"flow_idle_time":7440000,"flow_min_l4_payload_len":1440,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":1440,"flow_avg_l4_payload_len":1440,"midstream":1,"ts_msec":1432582228503,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"17.110.229.14","src_port":49193,"dst_port":5223,"l4_proto":"tcp","ndpi": {"proto":"ApplePush.Apple","breed":"Safe","category":"Cloud"}}
@@ -172,12 +172,12 @@
00500{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":362,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":38,"flow_packet_id":3,"flow_last_seen":1432582259886,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"ts_msec":1432582259886,"pkt":"xiwDYGpkAPS5Jrv0CABFwABI77MAAEARawTAqAIEAcJav8k+65gANKqSAAEAGCESpEK30Ms3\/7rzJdDOeSQACAAUjiMqFpbreAaLOXedI1Eon++y9eE="}
00534{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":826,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":40,"flow_packets_processed":1,"flow_first_seen":1432582267983,"flow_last_seen":1432582267983,"flow_idle_time":120000,"flow_min_l4_payload_len":36,"flow_max_l4_payload_len":36,"flow_tot_l4_payload_len":36,"flow_avg_l4_payload_len":36,"midstream":0,"ts_msec":1432582267983,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"91.253.176.65","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3}
00481{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":826,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":40,"flow_packet_id":1,"flow_last_seen":1432582267983,"flow_idle_time":120000,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":70,"pkt_l4_len":36,"ts_msec":1432582267983,"pkt":"xiwDYGpkAPS5Jrv0CABFAAA44FwAAEABy33AqAIEW\/2wQQMDDx4AAAAARQAANHIMAAAvEUrCW\/2wQcCoAgQkgMk+ACAAAA=="}
-00567{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":826,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":40,"flow_packets_processed":1,"flow_first_seen":1432582267983,"flow_last_seen":1432582267983,"flow_idle_time":120000,"flow_min_l4_payload_len":36,"flow_max_l4_payload_len":36,"flow_tot_l4_payload_len":36,"flow_avg_l4_payload_len":36,"midstream":0,"ts_msec":1432582267983,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"91.253.176.65","l4_proto":"icmp","ndpi": {"proto":"ICMP","breed":"Acceptable","category":"Network"}}
+00586{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":826,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":40,"flow_packets_processed":1,"flow_first_seen":1432582267983,"flow_last_seen":1432582267983,"flow_idle_time":120000,"flow_min_l4_payload_len":36,"flow_max_l4_payload_len":36,"flow_tot_l4_payload_len":36,"flow_avg_l4_payload_len":36,"midstream":0,"ts_msec":1432582267983,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"91.253.176.65","l4_proto":"icmp","ndpi": {"proto":"ICMP","breed":"Acceptable","category":"Network"},"entropy":4.105516}
00481{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":828,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":40,"flow_packet_id":2,"flow_last_seen":1432582267990,"flow_idle_time":120000,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":70,"pkt_l4_len":36,"ts_msec":1432582267990,"pkt":"xiwDYGpkAPS5Jrv0CABFAAA4yYsAAEAB4k7AqAIEW\/2wQQMDDx8AAAAARQAAM4K1AAAvEToaW\/2wQcCoAgQkgMk+AB8AAA=="}
00481{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":830,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":40,"flow_packet_id":3,"flow_last_seen":1432582267992,"flow_idle_time":120000,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":70,"pkt_l4_len":36,"ts_msec":1432582267992,"pkt":"xiwDYGpkAPS5Jrv0CABFAAA4J2kAAEABhHHAqAIEW\/2wQQMDDx8AAAAARQAAM6fUAAAvERT7W\/2wQcCoAgQkgMk+AB8AAA=="}
00563{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":852,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":41,"flow_packets_processed":1,"flow_first_seen":1432582271840,"flow_last_seen":1432582271840,"flow_idle_time":180000,"flow_min_l4_payload_len":300,"flow_max_l4_payload_len":300,"flow_tot_l4_payload_len":300,"flow_avg_l4_payload_len":300,"midstream":0,"ts_msec":1432582271840,"l3_proto":"ip4","src_ip":"0.0.0.0","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00857{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":852,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":41,"flow_packet_id":1,"flow_last_seen":1432582271840,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":342,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":342,"pkt_l4_len":308,"ts_msec":1432582271840,"pkt":"\/\/\/\/\/\/\/\/2DBiVgAcCABFAAFIREwAAP8RdlkAAAAA\/\/\/\/\/wBEAEMBNOdgAQEGALYzLg0AAAAAAAAAAAAAAAAAAAAAAAAAANgwYlYAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABjglNjNQEBNwkBAwYPd1\/8LC45AgXcPQcB2DBiVgAcMwQAdqcADApMdWNhcy1pTWFj\/wAAAAAAAAAAAAAAAAAA"}
-00648{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":852,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":41,"flow_packets_processed":1,"flow_first_seen":1432582271840,"flow_last_seen":1432582271840,"flow_idle_time":180000,"flow_min_l4_payload_len":300,"flow_max_l4_payload_len":300,"flow_tot_l4_payload_len":300,"flow_avg_l4_payload_len":300,"midstream":0,"ts_msec":1432582271840,"l3_proto":"ip4","src_ip":"0.0.0.0","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","ndpi": {"proto":"DHCP","breed":"Acceptable","category":"Network"},"dhcp": {"fingerprint":"1,3,6,15,119,95,252,44,46"}}
+00689{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":852,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":41,"flow_packets_processed":1,"flow_first_seen":1432582271840,"flow_last_seen":1432582271840,"flow_idle_time":180000,"flow_min_l4_payload_len":300,"flow_max_l4_payload_len":300,"flow_tot_l4_payload_len":300,"flow_avg_l4_payload_len":300,"midstream":0,"ts_msec":1432582271840,"l3_proto":"ip4","src_ip":"0.0.0.0","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","ndpi": {"proto":"DHCP","breed":"Acceptable","category":"Network"},"dhcp": {"hostname":"lucas-imac","fingerprint":"1,3,6,15,119,95,252,44,46","class_ident":""}}
00857{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":853,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":41,"flow_packet_id":2,"flow_last_seen":1432582273095,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":342,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":342,"pkt_l4_len":308,"ts_msec":1432582273095,"pkt":"\/\/\/\/\/\/\/\/2DBiVgAcCABFAAFIRE0AAP8RdlgAAAAA\/\/\/\/\/wBEAEMBNOdeAQEGALYzLg0AAgAAAAAAAAAAAAAAAAAAAAAAANgwYlYAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABjglNjNQEBNwkBAwYPd1\/8LC45AgXcPQcB2DBiVgAcMwQAdqcADApMdWNhcy1pTWFj\/wAAAAAAAAAAAAAAAAAA"}
00857{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":854,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":41,"flow_packet_id":3,"flow_last_seen":1432582275776,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":342,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":342,"pkt_l4_len":308,"ts_msec":1432582275776,"pkt":"\/\/\/\/\/\/\/\/2DBiVgAcCABFAAFIRE4AAP8RdlcAAAAA\/\/\/\/\/wBEAEMBNOdcAQEGALYzLg0ABAAAAAAAAAAAAAAAAAAAAAAAANgwYlYAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABjglNjNQEBNwkBAwYPd1\/8LC45AgXcPQcB2DBiVgAcMwQAdqcADApMdWNhcy1pTWFj\/wAAAAAAAAAAAAAAAAAA"}
01124{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":855,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":33,"flow_packet_id":2,"flow_last_seen":1432582276331,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":544,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":544,"pkt_l4_len":510,"ts_msec":1432582276331,"pkt":"\/\/\/\/\/\/\/\/xiwDYGpkCABFAAISQGwAAEARsh7AqAIBwKgC\/0RcRFwB\/jsJeyJob3N0X2ludCI6IDMzNzUzNTk1OTMsICJ2ZXJzaW9uIjogWzEsIDhdLCAiZGlzcGxheW5hbWUiOiAiIiwgInBvcnQiOiAxNzUwMCwgIm5hbWVzcGFjZXMiOiBbMTQ4MTkzMzcsIDE3NjA5OTYzLCAyMDY0OTM0OSwgMjg1MjE2MDcsIDU4MzQ0OTk2LCA2MDU5NDk4MywgNjQ0MzYwOTksIDk2ODUzMjI0LCA5OTQ2OTc3MywgMTAxMDQ3OTk2LCAxMDgxNTkxMDIsIDEyNTU0MDU2NiwgMTc2OTY0MzA3LCAyNDM2ODI5ODYsIDI0NzkyNTA4NSwgMjYwNDY1MjYxLCAyNzA0MDQ3NDIsIDI4Mzg2MTQ1NywgNDI0NTQwMTk3LCA0NDgzOTczOTMsIDQ1MTQ3MjY1OCwgNTExNzA2NjQyLCA1NjgzOTU4MzMsIDU5NDI0Njk1NCwgNTk4MDYxMDY2LCA2MTU5ODMzNzksIDcyMDA1ODM2MSwgNzM1MDUxODMwLCA3MzYzNDE1MjgsIDc0MTI1NTYxMywgNzc2MDg3MjQ3LCA3ODA4NzA1ODEsIDc4Mjk4MTk0OSwgNzg1MjY2MTc3LCA4MTg3NTI3MTAsIDg1NTY4MjM5MCwgODg0MTIwMTMyLCA5MDg5MTQ4NjhdfQ=="}
@@ -368,9 +368,9 @@
~~ total active/idle flows...: 57/57
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 2083894 bytes
-~~ total memory freed........: 2083894 bytes
-~~ total allocations/frees...: 36771/36771
+~~ total memory allocated....: 4722465 bytes
+~~ total memory freed........: 4722465 bytes
+~~ total allocations/frees...: 100967/100967
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 176 chars
~~ json string max len.......: 2430 chars
diff --git a/test/results/whatsapp_login_chat.pcap.out b/test/results/whatsapp_login_chat.pcap.out
index 91b34f089..78f533c80 100644
--- a/test/results/whatsapp_login_chat.pcap.out
+++ b/test/results/whatsapp_login_chat.pcap.out
@@ -20,7 +20,7 @@
00603{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":73,"source":"whatsapp_login_chat.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":1,"flow_first_seen":1432582396509,"flow_last_seen":1432582396509,"flow_idle_time":180000,"flow_min_l4_payload_len":502,"flow_max_l4_payload_len":502,"flow_tot_l4_payload_len":502,"flow_avg_l4_payload_len":502,"midstream":0,"ts_msec":1432582396509,"l3_proto":"ip4","src_ip":"192.168.2.1","dst_ip":"192.168.2.255","src_port":17500,"dst_port":17500,"l4_proto":"udp","ndpi": {"proto":"Dropbox","breed":"Acceptable","category":"Cloud"}}
00561{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":79,"source":"whatsapp_login_chat.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":1,"flow_first_seen":1432582399902,"flow_last_seen":1432582399902,"flow_idle_time":180000,"flow_min_l4_payload_len":300,"flow_max_l4_payload_len":300,"flow_tot_l4_payload_len":300,"flow_avg_l4_payload_len":300,"midstream":0,"ts_msec":1432582399902,"l3_proto":"ip4","src_ip":"0.0.0.0","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00855{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":79,"source":"whatsapp_login_chat.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":1,"flow_last_seen":1432582399902,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":342,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":342,"pkt_l4_len":308,"ts_msec":1432582399902,"pkt":"\/\/\/\/\/\/\/\/2DBiVgAcCABFAAFIRFYAAP8Rdk8AAAAA\/\/\/\/\/wBEAEMBNOdfAQEGALYzLg4AAAAAAAAAAAAAAAAAAAAAAAAAANgwYlYAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABjglNjNQEBNwkBAwYPd1\/8LC45AgXcPQcB2DBiVgAcMwQAdqcADApMdWNhcy1pTWFj\/wAAAAAAAAAAAAAAAAAA"}
-00646{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":79,"source":"whatsapp_login_chat.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":1,"flow_first_seen":1432582399902,"flow_last_seen":1432582399902,"flow_idle_time":180000,"flow_min_l4_payload_len":300,"flow_max_l4_payload_len":300,"flow_tot_l4_payload_len":300,"flow_avg_l4_payload_len":300,"midstream":0,"ts_msec":1432582399902,"l3_proto":"ip4","src_ip":"0.0.0.0","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","ndpi": {"proto":"DHCP","breed":"Acceptable","category":"Network"},"dhcp": {"fingerprint":"1,3,6,15,119,95,252,44,46"}}
+00687{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":79,"source":"whatsapp_login_chat.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":1,"flow_first_seen":1432582399902,"flow_last_seen":1432582399902,"flow_idle_time":180000,"flow_min_l4_payload_len":300,"flow_max_l4_payload_len":300,"flow_tot_l4_payload_len":300,"flow_avg_l4_payload_len":300,"midstream":0,"ts_msec":1432582399902,"l3_proto":"ip4","src_ip":"0.0.0.0","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","ndpi": {"proto":"DHCP","breed":"Acceptable","category":"Network"},"dhcp": {"hostname":"lucas-imac","fingerprint":"1,3,6,15,119,95,252,44,46","class_ident":""}}
00855{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":80,"source":"whatsapp_login_chat.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":2,"flow_last_seen":1432582401886,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":342,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":342,"pkt_l4_len":308,"ts_msec":1432582401886,"pkt":"\/\/\/\/\/\/\/\/2DBiVgAcCABFAAFIRFcAAP8Rdk4AAAAA\/\/\/\/\/wBEAEMBNOddAQEGALYzLg4AAgAAAAAAAAAAAAAAAAAAAAAAANgwYlYAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABjglNjNQEBNwkBAwYPd1\/8LC45AgXcPQcB2DBiVgAcMwQAdqcADApMdWNhcy1pTWFj\/wAAAAAAAAAAAAAAAAAA"}
00561{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":81,"source":"whatsapp_login_chat.pcap","alias":"nDPId-test","flow_id":7,"flow_packets_processed":1,"flow_first_seen":1432582402666,"flow_last_seen":1432582402666,"flow_idle_time":180000,"flow_min_l4_payload_len":49,"flow_max_l4_payload_len":49,"flow_tot_l4_payload_len":49,"flow_avg_l4_payload_len":49,"midstream":0,"ts_msec":1432582402666,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"224.0.0.251","src_port":5353,"dst_port":5353,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00505{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":81,"source":"whatsapp_login_chat.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":1,"flow_last_seen":1432582402666,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":91,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":91,"pkt_l4_len":57,"ts_msec":1432582402666,"pkt":"AQBeAAD7APS5Jrv0CABFAABNW6AAAP8RvFfAqAIE4AAA+xTpFOkAOcRNAAAAAAACAAAAAAAABV9yYW9wBF90Y3AFbG9jYWwAAAyAAQhfYWlycGxhecASAAyAAQ=="}
@@ -55,9 +55,9 @@
~~ total active/idle flows...: 9/9
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1949893 bytes
-~~ total memory freed........: 1949893 bytes
-~~ total allocations/frees...: 35458/35458
+~~ total memory allocated....: 4608816 bytes
+~~ total memory freed........: 4608816 bytes
+~~ total allocations/frees...: 99654/99654
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 173 chars
~~ json string max len.......: 2413 chars
diff --git a/test/results/whatsapp_voice_and_message.pcap.out b/test/results/whatsapp_voice_and_message.pcap.out
index 140c53de1..bc9e948bf 100644
--- a/test/results/whatsapp_voice_and_message.pcap.out
+++ b/test/results/whatsapp_voice_and_message.pcap.out
@@ -94,9 +94,9 @@
~~ total active/idle flows...: 13/13
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1973533 bytes
-~~ total memory freed........: 1973533 bytes
-~~ total allocations/frees...: 35642/35642
+~~ total memory allocated....: 4630760 bytes
+~~ total memory freed........: 4630760 bytes
+~~ total allocations/frees...: 99838/99838
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 181 chars
~~ json string max len.......: 623 chars
diff --git a/test/results/whatsappfiles.pcap.out b/test/results/whatsappfiles.pcap.out
index 32de1ad98..0d4285639 100644
--- a/test/results/whatsappfiles.pcap.out
+++ b/test/results/whatsappfiles.pcap.out
@@ -5,7 +5,7 @@
00463{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"whatsappfiles.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_last_seen":1519924083503,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1519924083503,"pkt":"XEl5dU5qkLkxKPrKCABFAAA0AABAAEAG5ozAqAIduTzYNcIKAbs8JoRwJzRhWoAQCAWMQgAAAQEICijlFlQJITj5"}
00851{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"whatsappfiles.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":4,"flow_first_seen":1519924083411,"flow_last_seen":1519924083506,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":243,"flow_tot_l4_payload_len":243,"flow_avg_l4_payload_len":60,"midstream":0,"ts_msec":1519924083506,"l3_proto":"ip4","src_ip":"192.168.2.29","dst_ip":"185.60.216.53","src_port":49674,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WhatsAppFiles","breed":"Acceptable","category":"Download"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mmg-fna.whatsapp.net","ja3":"107144b88827da5da9ed42d8776ccdc5","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1"}}
00910{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"whatsappfiles.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":6,"flow_first_seen":1519924083411,"flow_last_seen":1519924083598,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1398,"flow_tot_l4_payload_len":1641,"flow_avg_l4_payload_len":273,"midstream":0,"ts_msec":1519924083598,"l3_proto":"ip4","src_ip":"192.168.2.29","dst_ip":"185.60.216.53","src_port":49674,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WhatsAppFiles","breed":"Acceptable","category":"Download"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mmg-fna.whatsapp.net","ja3":"107144b88827da5da9ed42d8776ccdc5","ja3s":"2d1eb5817ece335c24904f516ad5da12","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1"}}
-01279{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":8,"source":"whatsappfiles.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":8,"flow_first_seen":1519924083411,"flow_last_seen":1519924083599,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1398,"flow_tot_l4_payload_len":3451,"flow_avg_l4_payload_len":431,"midstream":0,"ts_msec":1519924083599,"l3_proto":"ip4","src_ip":"192.168.2.29","dst_ip":"185.60.216.53","src_port":49674,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WhatsAppFiles","breed":"Acceptable","category":"Download"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mmg-fna.whatsapp.net","server_names":"*.cdn.whatsapp.net,*.snr.whatsapp.net,*.whatsapp.com,*.whatsapp.net,whatsapp.com,whatsapp.net","ja3":"107144b88827da5da9ed42d8776ccdc5","ja3s":"2d1eb5817ece335c24904f516ad5da12","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","issuerDN":"C=US, ST=California, L=Menlo Park, O=Facebook, Inc., CN=*.whatsapp.net","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","fingerprint":"10:54:EB:4A:A2:2A:42:2F:A6:1C:E7:9C:F4:84:10:7E:30:2E:56:BB"}}
+01280{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":8,"source":"whatsappfiles.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":8,"flow_first_seen":1519924083411,"flow_last_seen":1519924083599,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1398,"flow_tot_l4_payload_len":3451,"flow_avg_l4_payload_len":431,"midstream":0,"ts_msec":1519924083599,"l3_proto":"ip4","src_ip":"192.168.2.29","dst_ip":"185.60.216.53","src_port":49674,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.WhatsAppFiles","breed":"Acceptable","category":"Download"},"tls": {"version":"TLSv1.2","client_requested_server_name":"mmg-fna.whatsapp.net","server_names":"*.cdn.whatsapp.net,*.snr.whatsapp.net,*.whatsapp.com,*.whatsapp.net,whatsapp.com,whatsapp.net","ja3":"107144b88827da5da9ed42d8776ccdc5","ja3s":"2d1eb5817ece335c24904f516ad5da12","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","subjectDN":"C=US, ST=California, L=Menlo Park, O=Facebook, Inc., CN=*.whatsapp.net","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","fingerprint":"10:54:EB:4A:A2:2A:42:2F:A6:1C:E7:9C:F4:84:10:7E:30:2E:56:BB"}}
00556{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":311,"source":"whatsappfiles.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":1,"flow_first_seen":1519924240121,"flow_last_seen":1519924240121,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1519924240121,"l3_proto":"ip4","src_ip":"192.168.2.29","dst_ip":"185.60.216.53","src_port":49698,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00483{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":311,"source":"whatsappfiles.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_last_seen":1519924240121,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"ts_msec":1519924240121,"pkt":"XEl5dU5qkLkxKPrKCABFAABAAABAAEAG5oDAqAIduTzYNcIiAbuCj0EnAAAAALDC\/\/+6MAAAAgQFtAEDAwYBAQgKKOd3WAAAAAAEAgAA"}
00477{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":312,"source":"whatsappfiles.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_last_seen":1519924240177,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1519924240177,"pkt":"kLkxKPrKXEl5dU5qCABFAAA8AABAAFUG0YS5PNg1wKgCHQG7wiLPr2ypgo9BKKASbTgw1AAAAgQFggQCCAq3hjooKOd3WAEDAwg="}
@@ -23,10 +23,10 @@
~~ total active/idle flows...: 2/2
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1958265 bytes
-~~ total memory freed........: 1958265 bytes
-~~ total allocations/frees...: 35975/35975
+~~ total memory allocated....: 4620156 bytes
+~~ total memory freed........: 4620156 bytes
+~~ total allocations/frees...: 100171/100171
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 168 chars
-~~ json string max len.......: 1284 chars
+~~ json string max len.......: 1285 chars
~~ json string avg len.......: 796 chars
diff --git a/test/results/whois.pcapng.out b/test/results/whois.pcapng.out
index 20cb9b8e1..7dfe782d2 100644
--- a/test/results/whois.pcapng.out
+++ b/test/results/whois.pcapng.out
@@ -38,9 +38,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1928443 bytes
-~~ total memory freed........: 1928443 bytes
-~~ total allocations/frees...: 35349/35349
+~~ total memory allocated....: 4590758 bytes
+~~ total memory freed........: 4590758 bytes
+~~ total allocations/frees...: 99545/99545
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 154 chars
~~ json string max len.......: 2019 chars
diff --git a/test/results/wireguard.pcap.out b/test/results/wireguard.pcap.out
index 01f3ad9ec..1848da397 100644
--- a/test/results/wireguard.pcap.out
+++ b/test/results/wireguard.pcap.out
@@ -18,9 +18,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1997695 bytes
-~~ total memory freed........: 1997695 bytes
-~~ total allocations/frees...: 37737/37737
+~~ total memory allocated....: 4660010 bytes
+~~ total memory freed........: 4660010 bytes
+~~ total allocations/frees...: 101933/101933
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 165 chars
~~ json string max len.......: 1526 chars
diff --git a/test/results/youtube_quic.pcap.out b/test/results/youtube_quic.pcap.out
index 3bc6d7839..0b766e0e7 100644
--- a/test/results/youtube_quic.pcap.out
+++ b/test/results/youtube_quic.pcap.out
@@ -1,7 +1,7 @@
00446{"daemon_event_id":1,"daemon_event_name":"init","thread_id":0,"packet_id":0,"source":"youtube_quic.pcap","alias":"nDPId-test","max-flows-per-thread":2048,"max-idle-flows-per-thread":256,"tick-resolution":1000,"reader-thread-count":1,"flow-scan-interval":10000,"generic-max-idle-time":600000,"icmp-max-idle-time":120000,"udp-max-idle-time":180000,"tcp-max-idle-time":7560000,"max-packets-per-flow-to-send":3,"max-packets-per-flow-to-process":255}
00563{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1,"source":"youtube_quic.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1489363823466,"flow_last_seen":1489363823466,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1489363823466,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"216.58.205.66","src_port":54997,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
02247{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"youtube_quic.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_last_seen":1489363823466,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1489363823466,"pkt":"gCqojWksxCwDBkn+CABFAAViKp8AAEARAADAqAEH2DrNQtbVAbsFTmyMDZNw4V58RG0IUTAzNQHEx\/Yat8K2lJx\/xfCgAQAEQ0hMTx0AAABQQUQABgEAAFNOSQAjAQAAU1RLAF0BAABWRVIAYQEAAENDUwBxAQAATk9OQ5EBAABNU1BDlQEAAEFFQUSZAQAAVUFJRMgBAABTQ0lE2AEAAFRDSUTcAQAAUERNROABAABTUkJG5AEAAFNNSEzoAQAASUNTTOwBAABDVElN9AEAAE5PTlAUAgAAUFVCUzQCAABNSURTOAIAAFNDTFM8AgAAS0VYU0ACAABYTENUSAIAAENTQ1RIAgAAQ09QVEgCAABDQ1JUYAIAAElSVFRkAgAAQ0VUVggDAABDRkNXDAMAAFNGQ1cQAwAALS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLXBhZ2VhZDIuZ29vZ2xlc3luZGljYXRpb24uY29tfyKC9MwN17piZVNU\/QkmmE3zDBRwXexEviTXtQHZlZT\/o0M3FJ3WOBZp5lL5RXIaTAX\/iszgW7Ui51EwMzUB6IFgkpIa6H7tgIaiFYKRWMXjbzAwMDAwMDAwAGp0dp4RQa9ev39thoVizX7vQxRkAAAAQ0MyMGJldGEgQ2hyb21lLzU3LjAuMjk4Ny45OCBJbnRlbCBNYWMgT1MgWCAxMF8xMl8za3Zj9RsCsgRL78LWSY4+jwAAAABYNTA5AAAQAAEAAAAeAAAAb+PFWAAAAABoJX9SS1LMMIZlh9cGt32w74KlkbfLCJvYbB6phUnjYtV\/J7+3T+WICkKGmxl0apInEplRSWcqg\/3qI+CqJwNXZAAAAAEAAABDMjU1HvdI4XZwU8Me90jhdnBTwz2t9HxBefiRQAt7kKmuees2jgEAnGVpdpNkhQuOQ0r1tyTPo1k8IEM71wOV+MDwud\/WmN8O\/bZt8M5S76zS6GQgUAsZfJUzhYMLh2DzCj0s2UxZDpdWlDQ\/KBiEO80tVmE+bGp5czdFQGnhi\/134fgolaoUotcrvEChNXZdSQ7ze+ZsVxVgDQIPLJn5KItVO0bNTbdFJlK9ck\/6gUes9AlK+Lowm7raNBTPfJpo34tpsNA3toSRqnAAAPAAAABgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}
-00738{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"youtube_quic.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1489363823466,"flow_last_seen":1489363823466,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1489363823466,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"216.58.205.66","src_port":54997,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC.Google","breed":"Tracker\/Ads","category":"Web"},"quic": {"client_requested_server_name":"pagead2.googlesyndication.com","user_agent":"beta Chrome\/57.0.2987.98 Intel Mac OS X 10_12_3"}}
+00746{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"youtube_quic.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1489363823466,"flow_last_seen":1489363823466,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1489363823466,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"216.58.205.66","src_port":54997,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC.Google","breed":"Acceptable","category":"Advertisement"},"quic": {"client_requested_server_name":"pagead2.googlesyndication.com","user_agent":"beta Chrome\/57.0.2987.98 Intel Mac OS X 10_12_3"}}
00957{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"youtube_quic.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_last_seen":1489363823467,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":427,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":427,"pkt_l4_len":393,"ts_msec":1489363823467,"pkt":"gCqojWksxCwDBkn+CABFAAGdQ1YAAEARAADAqAEH2DrNQtbVAbsBiWjHDZNw4V58RG0IUTAzNQIjOTX0HE3l5Scr7Fgx2f\/r+qyKcH\/8LtiyPftQGYB9rCN29+bVRC8cQk9\/xGvEd6aBS8oqh8NZIxXxQWKlTa8RiJV0BMsIA0J2xai1sihftSstpiUm4Hfb5ePoNWBO9sfumkF4vn\/9w\/9icDJdGccA4OzurorhUAKZSZXQ2C+f4aKf6nX2PELscDc2K8rYtLquJGdtKf4c79ur+nT\/zIZbwAI5FHcm2kTejfWn+vqhJAD0GuZjr1fez\/qk2C34VbRcKzU+r3sMaPUtMdGtgzscnCkXVApYI9m9bd3dzj+CzxW8qOJ7mCU2emBxJ\/DIq4W6MZVOQ8P1s290Mflqj2Ld8WgZbVsDG+nGkhewE4Z8dkUPa+UkVgjTddS58Gokmrg9Z3Adl+QFItNyGTCZv48hVxEemek454JnWb6oZl4ujKpXhQA0CaX5LNroX5y5o\/Wny9SJ17j8aIxrDR0s65vzthwadNOZLJ62NA+MTWY0IQjOuA=="}
02261{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"youtube_quic.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_last_seen":1489363823527,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1489363823527,"pkt":"xCwDBkn+gCqojWksCABFAAViAABAADcR117YOs1CwKgBBwG71tUFTuocBCh3B7XiTuKXN4LFlWznTXqPOMTIP1YB45lXi+l5CF8JASyEKKaDONFN5YR3rA\/p9CKVXhUMWNxz3dKUg1yQftOAuLAuCFZHEo433jmLn2X4f\/Owuck2m9UesvdXoxzwq4xDpUXHvNH9PzNMS1XtEZ0KDZ904pHEN+ZkjUiA2jK\/AWrBBVjEsqHcAMngSVXjIyTLuIfTfT50KGoQr9mSm5SWUDtU4w+2DwTLde4slXrVb5tsrZJ9hx6FXeBCOwNcjEoeHA7do276\/9KH1k58X3zu+PQcEwnHQBIs5Nvjxz0m7lZ\/e4WfsWAx90HOH6likwa4aRKygVjLaiXObj1BRuaQFXdbITUHeb\/v1Bb0ex9qIwx0kcogAUVq6KGcRlImR2VCET7Q2UPfBF1HkA3bAqvJ6t1BP07HS8IKIEm70QgionKkRzGiFzdUhT09R6zdeXllUpiA63fBrBRfZD4ih6nX4zo\/yc\/lz+z\/tYWWCPtitjIx3R+MsYy6evVwKHmKh4xLbNgtf6Bu5FREacax96iyQP2\/vuAdKPy+I6gMbTz04jy4zg2nTKOKHNa3aAGNL9B3Uh5t6mqJXuzsLfLLTPDw3wrJPan+M\/0XoefuuxvaucM7CeSe1bcynXGH+VeCKK3X6BEjxAIAyaIH3WN4GasKfIjmi2abIP71bMldE4Rrc0QpuysWWFnpQQt9pN2sP40R1CWaJEjWn2UIOe0P10GgnLa0xDEY45T4mm1G5cRaybTY1lDhwEfyXyWZ9AZfiHELWMCRxQrjRsfwPjDlL6jHi\/zHIUWOI\/T4jgDqU2KclKtGJHvbzyipTcTSry1Z9gmEkVPVvz\/8EjMnwGHjnltQ6Dn6FOkOgVFgA2iD5qiIgNLtjkUfH1GBvC5KbT9MfqpK2j2k4rSt9zbnBWSsgHnKyvlhVlk4OSMFjMkESHpv2MoP7kPpHn9hYZR+DGSK3WZiE2JTywLeaTFpsQZ3daTQq1Vr04zxtlC9vRWSZgVtzp+73FUoayEpGTdeO3UERRAep7Gz6OHwglh0vTs4C4cI3glPhuREbf69JIx21MPWU3j5sPCPzg7nPp1rI9ewTvRn38IUIjcvV1KuUH4IRVmz5W6wsHwHFtnkwFNuxtYxLxpK0EDIngGp5d6ht7210ydmiQr6O0ON8qJtc3t5+jXn6ntXD+RhEqv4GCaMWHbVrUNZALDxj9JvSEzyroxEuoApEO8TL\/ZdVC\/slwR1pM3JdbAsWN2rxIFLM5krFwOakRgi754xhdBEry7MgvTwiHsgDJ3Rg3jSdB9jubcVT3HICTRmj1vR\/GLDAyPIFAzuuaVmpolrsQwDxFuyNGOcjHVBUbeP6bnCaCs1JfK35oan09836\/37ZWojhkKHAUoDUCP0eOYnRmUhbwOggCe7+p8hW83\/lILFNK1NDMAm7qAsqoccxqNT61ke0qmot69NhPXpwpGUt\/gK3nyvFne4lsK7S7r1eMvI29rlDBY0L\/e2MX+l+NFFonVbYbxqlVZxk5h57Py0nXsSE5q43RZq\/Ab5L
jnrfv\/qOWasfLkVsR95Ih7otWzubnTYoOB5dgkPlalnkY+ZT0ynhrpD6iNCVYd4popCzZS+uE59ZqtbLuU6i6Oh3yTkUuBN6l4rJS\/6y1YL+YBtywlzVVi2gqoBTO6RyHcXMeDc6anBpSJn+Y11FC9lfnd1ZBuVxPW\/4cBKWMy9IKMGLXE8iIH1zC\/mEqW8ZtRWLvviks2j2E9BFu9ovslgURdyPBgw2o0Whiqb07OoUWWMBoSXHynCDs+gbza+6qUl"}
00564{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":11,"source":"youtube_quic.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":1,"flow_first_seen":1489363823738,"flow_last_seen":1489363823738,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1489363823738,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"216.58.198.33","src_port":56074,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
@@ -11,7 +11,7 @@
02247{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":13,"source":"youtube_quic.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_last_seen":1489363823783,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1489363823783,"pkt":"xCwDBkn+gCqojWksCABFAAViAABAADUR4H\/YOsYhwKgBBwG72woFTtjVCGI\/o1o3gkQjAl1iY1+IPhyu0ittLaQBLgUZARLyTw62Xo9mQ7Tn55dir+alTNnl+EuTXetgrtU\/li3WZUF3t3EtPfqBg1nJrPp7bar7qdPHbjH8jwhk+pimkWuq6rVs4cviafuTL\/pWbDvkJD1zwixjdUFbM0aGipe63\/v0luly7P6xK4d1\/V35zVlHfZnq9OpLDbRdp3F95Wn77GK+6cqsr8cEfY77RjhzSh7Unhdryl2mU\/IhTPRZgsMXhZ65ayI6rm07a3GnaGsF6wp\/3rLVzcqh63smBXkUr5RrfvOpMsbbX\/13ZPXcymfXdeZ+LWmcELGYmfOd+prGpXeZdtiyB0ssnuZwNOYGp72hD8PxC2ds8mZMXnnvqd7Gb2w82Yw3Hn\/6nvVjXthRi\/UnDQF+1X0RAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}
00565{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":134,"source":"youtube_quic.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":1,"flow_first_seen":1489363824401,"flow_last_seen":1489363824401,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1489363824401,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"216.58.205.66","src_port":53859,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
02246{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":134,"source":"youtube_quic.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_last_seen":1489363824401,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1489363824401,"pkt":"gCqojWksxCwDBkn+CABFAAVisIYAAEARAADAqAEH2DrNQtJjAbsFTmyMDXhX73QJ\/9nIUTAzNQGC9mpeAxq6QsMNjNmgAQAEQ0hMTx0AAABQQUQACAEAAFNOSQAjAQAAU1RLAF0BAABWRVIAYQEAAENDUwBxAQAATk9OQ5EBAABNU1BDlQEAAEFFQUSZAQAAVUFJRMgBAABTQ0lE2AEAAFRDSUTcAQAAUERNROABAABTUkJG5AEAAFNNSEzoAQAASUNTTOwBAABDVElN9AEAAE5PTlAUAgAAUFVCUzQCAABNSURTOAIAAFNDTFM8AgAAS0VYU0ACAABYTENUSAIAAENTQ1RIAgAAQ09QVEgCAABDQ1JUYAIAAElSVFRkAgAAQ0VUVggDAABDRkNXDAMAAFNGQ1cQAwAALS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tZ29vZ2xlYWRzLmcuZG91YmxlY2xpY2submV0gCa63gfstks25NXDBda+jRe1AwMuFIPOgLr8Vdt88WUvAddL7KVg5kyrPLEzz5PxZEMuEuhwybaZ0VEwMzUB6IFgkpIa6H7tgIaiFYKRWMXjcDAwMDAwMDAwQoHc+xZQMEvJrifGGZTcfUn5aXxkAAAAQ0MyMGJldGEgQ2hyb21lLzU3LjAuMjk4Ny45OCBJbnRlbCBNYWMgT1MgWCAxMF8xMl8za3Zj9RsCsgRL78LWSY4+jwAAAABYNTA5AAAQAAEAAAAeAAAAcOPFWAAAAACN\/AA7IChJw\/uFk6rkJtT8KHam\/zP1YJxL1R6PGerdhviM0jsqfVXK1sMGRgIfu1Gw5yjD\/\/Q\/fKW3aZLxbK0ZZAAAAAEAAABDMjU1qvorPqjeOwuq+is+qN47Cz2t9HxBefiRQAt7kKmueet+NAEAgygqfGXu0L2syT5vA8mDxoSqG087cDiVovZ6s0ywmTUWtgw5lXy+Ac4T6qWEMJOPvUqVQrabfhIiKh6bU4h\/Diu+B3D3YFOkHFOA3JEmhpJ\/3PZn9DncBSC36LdWvsJ8Uwgl2IG2lc1SfhMotW8c5gE3wCT8YVfQJL1vCNMKzgZWBrzkDiYZ7cTxYUMsLfK1F7K2mD1WVm4PU008ujahjZ6t1bAAAPAAAABgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}
-00738{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":134,"source":"youtube_quic.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":1,"flow_first_seen":1489363824401,"flow_last_seen":1489363824401,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1489363824401,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"216.58.205.66","src_port":53859,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC.Google","breed":"Tracker\/Ads","category":"Web"},"quic": {"client_requested_server_name":"googleads.g.doubleclick.net","user_agent":"beta Chrome\/57.0.2987.98 Intel Mac OS X 10_12_3"}}
+00746{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":134,"source":"youtube_quic.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":1,"flow_first_seen":1489363824401,"flow_last_seen":1489363824401,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1489363824401,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"216.58.205.66","src_port":53859,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC.Google","breed":"Acceptable","category":"Advertisement"},"quic": {"client_requested_server_name":"googleads.g.doubleclick.net","user_agent":"beta Chrome\/57.0.2987.98 Intel Mac OS X 10_12_3"}}
02261{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":135,"source":"youtube_quic.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_last_seen":1489363824401,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1489363824401,"pkt":"gCqojWksxCwDBkn+CABFAAViiX4AAEARAADAqAEH2DrNQtJjAbsFTmyMDXhX73QJ\/9nIUTAzNQL3N20WC4prgrlnEEXpdg0UiWbXJhn9rrqPsD7nypSAi6kAnw8WQDgk9WvHBUMq3ztLT3UfD0gz+me7oBLVs9bjXCdM3vfRP04sqX92qJrBMWJiq3+eKjCNhyA3dhTNbGSGyKI7\/jcHFMipWf2f2NsuOihlYKhTPSCEE\/3dxQ5VpSOD4BfoNhUiG4SLXDgBvtHLX5RXQiz6BGmJPkfw0Dv35AvtRBL6UAIgkl\/K+oTxY08q1VHTawdG6K3aOXtZN79Qa45uh7pT1oVWMplxpgw8JT2Arpn6WXMTVuz7IIjcMmVGkmTbz31c16ROCt97FgLzWLKXSjlRTCuInYAnb8OLy7A3ZgiVpjlf24uxYYBETmSsYE22pkbiA3KDPQJQySgTeBTaSmM7bUYZKVC0sqnRUOvf3ZY91A7qJZn\/ba900D1Z+aCkzIM+N0cL4OdjAPHVbjoNNBPob96VT7KYOqrcxvdgiQK4z8YyO7qPdy3wkVPEp8S1cfxO0GcnNc57dkkmdplcftLswiLsyuSbEUEIvemACkZhnlX++EeQWxNqo5pgetjas2fIO3OoczlGrqEelJ1yoqALFrNOoHHqiCTaPzG9Vq6SC5ccc+y0eJXHfhIMNqRedbbXK4yLYwqtZ9myh7TSQTMNDNtNNcokuMoYRffKy+Hilx9blgPA+kxeACnNv8k+XoHbLejLn53fsVGrfJ27oHLpBxd0gpX8C1SWMyy3mXnpEVSzUrkvObuxIcI1iIIRkXe4ha0xa6JvFSR1XvxPQ5uBs1VZvBiRzdozCrjMOEc9HhPIaepumDcavW6RkKdtpFOTOABhKPB+xTF+tw5twgZvOB6spOi3XFDCLlgZYRUP2AglByKCpQdxHum5b0xn6Bxg+gulV7DAa4F6bq\/phQubcSVFzDkjjddAVTq8Ke7Bcb2PIaw4POMGF8i+3Ejx3gConV0\/n9f+1mrX6y1TPQ+529up7M7aIJBqu\/KbECK4GCmg+69dFQcqMdvDDodT0LicyE6jgNHVr3Xxl9T9WRp\/ZEkID0WaSc8lamVKWuAoEej6VLe9Xsojacxjt0L1ZkVNCdZBeOWPV\/2r27Cc0KxFG00xU+mkL6oc\/P+4mp1vjwqej4OpJO4H7X\/bD1uR+eKFP96VSf8gVXiQ3DmEGxcfGruXncj9yz32x4yvvKzg03pwZiXXTtpaX0N3ObUthGwiiBr3OqJCsJVke4\/DSc35dh+HTeY+td+Oc4jCcwuV2lOoS0dT73DkKXYTbuBravYDZhjPNKQNF+6bWKCm8kZsYuCZUcPzccjiAYkhk0zhBSnaWNqdI6hOWVUghH2pIeRl1S8CHH23kuVsWd8GixiV6+GG7ClvWoVE8MrCJVfuDBih03bB7tpS\/HVKC2E9e6YR1Im8\/dzl\/GrYBeLaQJMx6dvF2cWrBFw9TxwkKIBGesF7P4zSSZnZmPB\/8T0n45nH26wWJrG9slMatMUMQF1ah+pPdZ8x+tlROoO4fF2yjn4px+eRlie\/MHUCbhkcAUh
lXdTBiPNIvr7yc+xKglTelzU+igEYMaYRT7qb8rNLbLWFex\/imDEBTq6nYSPvkTgwNxYJA65n\/p6p8VPjqErPaqpEUd07O9wbQiW9G2X\/qbV3yLCPMbA96flDvOZN+LC6\/DnJyMwZn5lo+SBoTbwt518b7bgUS1UA82oVmCGe8vFKQu9\/05aE1OZbqUSUoFxZX0RxFiFxGsclnNnAvgLNexJFieDNVkLIeVZwsdn1VKuKE5NTKqEm\/iO1n+rmnQA3"}
00861{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":136,"source":"youtube_quic.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_last_seen":1489363824402,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":356,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":356,"pkt_l4_len":322,"ts_msec":1489363824402,"pkt":"gCqojWksxCwDBkn+CABFAAFWgV8AAEARAADAqAEH2DrNQtJjAbsBQmiADXhX73QJ\/9nIUTAzNQNN4EYmtc8pzVIIOlw5wUUTViVod6Y0+1HgA3vBxmFBB9XdzPolT4EuSqVTYDWG+BQf0+uutBG1cIb1StnXne22+Sa3VBkmnkxHzdhhHTq5RFHE1DzOC1OWyujit50aD9fovXbwARSedQlPJ7gjdJSVfTm6O3nF2k42pradZvrpU1ech4qBDDCfAnmOfCXqI5NXsD3jyb4bcNfoTf5ko+c96L+Kv0ngIjlmGgFFf6vJ8QwUVroovQmrUV9bPxW9NYlbZzDQO3\/aocbUP2HxCiVbIwPbD2Jd4G+p\/+kRB\/3zN\/cBW\/zgsZhwNASU8TEuM0gATTjCn+DvX6KA+8RurPRChvD1WnZ\/ZRI9q2M84tMzgiUjvDAoLSC7i0dr41HUDnzmJH+mr0XOTEoxFNo="}
00567{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":289,"source":"youtube_quic.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":258,"flow_first_seen":1489363823738,"flow_last_seen":1489363826862,"flow_idle_time":180000,"flow_min_l4_payload_len":31,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":167659,"flow_avg_l4_payload_len":649,"midstream":0,"ts_msec":1489363826862,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"216.58.198.33","src_port":56074,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
@@ -26,9 +26,9 @@
~~ total active/idle flows...: 3/3
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1939881 bytes
-~~ total memory freed........: 1939881 bytes
-~~ total allocations/frees...: 35636/35636
+~~ total memory allocated....: 4601348 bytes
+~~ total memory freed........: 4601348 bytes
+~~ total allocations/frees...: 99832/99832
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 167 chars
~~ json string max len.......: 2266 chars
diff --git a/test/results/youtubeupload.pcap.out b/test/results/youtubeupload.pcap.out
index 5ea6b91bc..4d216d8f7 100644
--- a/test/results/youtubeupload.pcap.out
+++ b/test/results/youtubeupload.pcap.out
@@ -10,7 +10,7 @@
00455{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9,"source":"youtubeupload.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_last_seen":1511102576863,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"ts_msec":1511102576863,"pkt":"XEl5dU5q2MuK4S0uCABFAAAoAUhAAIAGcnzAqAIbrNkXb+BsAbtWAw9LcaLjP1AQAQKLbgAAAAAAAAAA"}
00805{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":10,"source":"youtubeupload.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":4,"flow_first_seen":1511102576835,"flow_last_seen":1511102576864,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":202,"flow_tot_l4_payload_len":202,"flow_avg_l4_payload_len":50,"midstream":0,"ts_msec":1511102576864,"l3_proto":"ip4","src_ip":"192.168.2.27","dst_ip":"172.217.23.111","src_port":57452,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.YouTubeUpload","breed":"Fun","category":"Media"},"tls": {"version":"TLSv1.2","client_requested_server_name":"upload.youtube.com","ja3":"bc6c386f480ee97b9d9e52d472b772d8","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}
00862{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":16,"source":"youtubeupload.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":6,"flow_first_seen":1511102576835,"flow_last_seen":1511102576919,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1430,"flow_tot_l4_payload_len":1632,"flow_avg_l4_payload_len":272,"midstream":0,"ts_msec":1511102576919,"l3_proto":"ip4","src_ip":"192.168.2.27","dst_ip":"172.217.23.111","src_port":57452,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.YouTubeUpload","breed":"Fun","category":"Media"},"tls": {"version":"TLSv1.2","client_requested_server_name":"upload.youtube.com","ja3":"bc6c386f480ee97b9d9e52d472b772d8","ja3s":"b26c652e0a402a24b5ca2a660e84f9d5","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}
-01385{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":18,"source":"youtubeupload.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":8,"flow_first_seen":1511102576835,"flow_last_seen":1511102576921,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1430,"flow_tot_l4_payload_len":4258,"flow_avg_l4_payload_len":532,"midstream":0,"ts_msec":1511102576921,"l3_proto":"ip4","src_ip":"192.168.2.27","dst_ip":"172.217.23.111","src_port":57452,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.YouTubeUpload","breed":"Fun","category":"Media"},"tls": {"version":"TLSv1.2","client_requested_server_name":"upload.youtube.com","server_names":"upload.video.google.com,*.clients.google.com,*.docs.google.com,*.drive.google.com,*.gdata.youtube.com,*.googleapis.com,*.photos.google.com,*.upload.google.com,*.upload.youtube.com,*.youtube-3rd-party.com,upload.google.com,upload.youtube.com,uploads.stage.gdata.youtube.com","ja3":"bc6c386f480ee97b9d9e52d472b772d8","ja3s":"b26c652e0a402a24b5ca2a660e84f9d5","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Google Inc, CN=Google Internet Authority G2","issuerDN":"C=US, ST=California, L=Mountain View, O=Google Inc, CN=upload.video.google.com","alpn":"h2,http\/1.1","fingerprint":"EE:3E:32:FB:B1:2E:82:EE:DF:FF:C0:1B:27:CD:BF:D8:8A:CB:BD:63"}}
+01386{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":18,"source":"youtubeupload.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":8,"flow_first_seen":1511102576835,"flow_last_seen":1511102576921,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1430,"flow_tot_l4_payload_len":4258,"flow_avg_l4_payload_len":532,"midstream":0,"ts_msec":1511102576921,"l3_proto":"ip4","src_ip":"192.168.2.27","dst_ip":"172.217.23.111","src_port":57452,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.YouTubeUpload","breed":"Fun","category":"Media"},"tls": {"version":"TLSv1.2","client_requested_server_name":"upload.youtube.com","server_names":"upload.video.google.com,*.clients.google.com,*.docs.google.com,*.drive.google.com,*.gdata.youtube.com,*.googleapis.com,*.photos.google.com,*.upload.google.com,*.upload.youtube.com,*.youtube-3rd-party.com,upload.google.com,upload.youtube.com,uploads.stage.gdata.youtube.com","ja3":"bc6c386f480ee97b9d9e52d472b772d8","ja3s":"b26c652e0a402a24b5ca2a660e84f9d5","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Google Inc, CN=Google Internet Authority G2","subjectDN":"C=US, ST=California, L=Mountain View, O=Google Inc, CN=upload.video.google.com","alpn":"h2,http\/1.1","fingerprint":"EE:3E:32:FB:B1:2E:82:EE:DF:FF:C0:1B:27:CD:BF:D8:8A:CB:BD:63"}}
00567{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":29,"source":"youtubeupload.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":1,"flow_first_seen":1511102578051,"flow_last_seen":1511102578051,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1511102578051,"l3_proto":"ip4","src_ip":"192.168.2.27","dst_ip":"172.217.23.111","src_port":62232,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
02238{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":29,"source":"youtubeupload.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_last_seen":1511102578051,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"ts_msec":1511102578051,"pkt":"XEl5dU5q2MuK4S0uCABFAAViAV5AAIARbSHAqAIbrNkXb\/MYAbsFTi5hDQjRAddSQpCnUTAzOQGXrkR+sB0UFtwM1LigAQUUQ0hMTxMAAABQQUQAywMAAFNOSQDdAwAAVkVSAOEDAABDQ1MA8QMAAE1TUEP1AwAAVUFJRCQEAABUQ0lEKAQAAFBETUQsBAAAU01ITDAEAABJQ1NMNAQAAENUSU08BAAATk9OUFwEAABNSURTYAQAAFNDTFNkBAAAQ1NDVGQEAABDT1BUaAQAAElSVFRsBAAAQ0ZDV3AEAABTRkNXdAQAAC0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tdXBsb2FkLnlv
dXR1YmUuY29tUTAzOQHogWCSkhrofu2AhqIVgpFkAAAAQ2hyb21lLzYyLjAuMzIwMi45NCBXaW5kb3dzIE5UIDEwLjA7IFdpbjY0OyB4NjQAAAAAWDUwOQEAAAAeAAAAdZgRWgAAAAA2Qv7BjobCVSSNm3vqxisDs2cBNiW7yusCpyOOCMJF82QAAAABAAAANVJUT5jAAAAAAPAAAABgAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}
00731{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":29,"source":"youtubeupload.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":1,"flow_first_seen":1511102578051,"flow_last_seen":1511102578051,"flow_idle_time":180000,"flow_min_l4_payload_len":1350,"flow_max_l4_payload_len":1350,"flow_tot_l4_payload_len":1350,"flow_avg_l4_payload_len":1350,"midstream":0,"ts_msec":1511102578051,"l3_proto":"ip4","src_ip":"192.168.2.27","dst_ip":"172.217.23.111","src_port":62232,"dst_port":443,"l4_proto":"udp","ndpi": {"proto":"QUIC.YouTubeUpload","breed":"Fun","category":"Media"},"quic": {"client_requested_server_name":"upload.youtube.com","user_agent":"Chrome\/62.0.3202.94 Windows NT 10.0; Win64; x64"}}
@@ -28,9 +28,9 @@
~~ total active/idle flows...: 3/3
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1945737 bytes
-~~ total memory freed........: 1945737 bytes
-~~ total allocations/frees...: 35502/35502
+~~ total memory allocated....: 4607204 bytes
+~~ total memory freed........: 4607204 bytes
+~~ total allocations/frees...: 99698/99698
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 168 chars
~~ json string max len.......: 2272 chars
diff --git a/test/results/z3950.pcapng.out b/test/results/z3950.pcapng.out
index 7b5773906..c1c1995c1 100644
--- a/test/results/z3950.pcapng.out
+++ b/test/results/z3950.pcapng.out
@@ -20,9 +20,9 @@
~~ total active/idle flows...: 2/2
~~ total timeout flows.......: 1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1941096 bytes
-~~ total memory freed........: 1941096 bytes
-~~ total allocations/frees...: 35376/35376
+~~ total memory allocated....: 4602987 bytes
+~~ total memory freed........: 4602987 bytes
+~~ total allocations/frees...: 99572/99572
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 161 chars
~~ json string max len.......: 654 chars
diff --git a/test/results/zabbix.pcap.out b/test/results/zabbix.pcap.out
index 77cd817ec..52bd7f26a 100644
--- a/test/results/zabbix.pcap.out
+++ b/test/results/zabbix.pcap.out
@@ -14,9 +14,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1928414 bytes
-~~ total memory freed........: 1928414 bytes
-~~ total allocations/frees...: 35348/35348
+~~ total memory allocated....: 4590729 bytes
+~~ total memory freed........: 4590729 bytes
+~~ total allocations/frees...: 99544/99544
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 159 chars
~~ json string max len.......: 592 chars
diff --git a/test/results/zcash.pcap.out b/test/results/zcash.pcap.out
index 582dfed50..9dcf038c6 100644
--- a/test/results/zcash.pcap.out
+++ b/test/results/zcash.pcap.out
@@ -14,9 +14,9 @@
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 1942585 bytes
-~~ total memory freed........: 1942585 bytes
-~~ total allocations/frees...: 35486/35486
+~~ total memory allocated....: 4604900 bytes
+~~ total memory freed........: 4604900 bytes
+~~ total allocations/frees...: 99682/99682
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 159 chars
~~ json string max len.......: 668 chars
diff --git a/test/results/zoom.pcap.out b/test/results/zoom.pcap.out
index 1008ec584..48a4b5cf8 100644
--- a/test/results/zoom.pcap.out
+++ b/test/results/zoom.pcap.out
@@ -1,7 +1,7 @@
00438{"daemon_event_id":1,"daemon_event_name":"init","thread_id":0,"packet_id":0,"source":"zoom.pcap","alias":"nDPId-test","max-flows-per-thread":2048,"max-idle-flows-per-thread":256,"tick-resolution":1000,"reader-thread-count":1,"flow-scan-interval":10000,"generic-max-idle-time":600000,"icmp-max-idle-time":120000,"udp-max-idle-time":180000,"tcp-max-idle-time":7560000,"max-packets-per-flow-to-send":3,"max-packets-per-flow-to-process":255}
00554{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1,"source":"zoom.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1569520466080,"flow_last_seen":1569520466080,"flow_idle_time":7440000,"flow_min_l4_payload_len":199,"flow_max_l4_payload_len":199,"flow_tot_l4_payload_len":199,"flow_avg_l4_payload_len":199,"midstream":1,"ts_msec":1569520466080,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"172.217.21.72","src_port":54854,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00728{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"zoom.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_last_seen":1569520466080,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":265,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":265,"pkt_l4_len":231,"ts_msec":1569520466080,"pkt":"EBMx8Tl2KDc3AG3ICABFAAD7AABAAEAGtb7AqAF1rNkVSNZGAbt9MLg2pduNV4AYEAjbcQAAAQEICiWcznNwmChtFgMBAMIBAAC+AwE5BEH329R9hgOe6JDNh5Do5\/IyBg\/qLeMPj9mOGNz+swAAEgAvADMANQA5wAnACsATwBRWAAEAAIP\/AQABAAAAAB0AGwAAGHd3dy5nb29nbGV0YWdtYW5hZ2VyLmNvbQAXAAAABQAFAQAAAAAzdAAAABIAAAAQADAALgJoMgVoMi0xNgVoMi0xNQVoMi0xNAhzcGR5LzMuMQZzcGR5LzMIaHR0cC8xLjEACwACAQAACgAKAAgAHQAXABgAGQ=="}
-00897{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"zoom.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1569520466080,"flow_last_seen":1569520466080,"flow_idle_time":7440000,"flow_min_l4_payload_len":199,"flow_max_l4_payload_len":199,"flow_tot_l4_payload_len":199,"flow_avg_l4_payload_len":199,"midstream":1,"ts_msec":1569520466080,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"172.217.21.72","src_port":54854,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"www.googletagmanager.com","ja3":"d78489b860c8bf7838a6ff0b4d131541","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1"}}
+00903{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"zoom.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1569520466080,"flow_last_seen":1569520466080,"flow_idle_time":7440000,"flow_min_l4_payload_len":199,"flow_max_l4_payload_len":199,"flow_tot_l4_payload_len":199,"flow_avg_l4_payload_len":199,"midstream":1,"ts_msec":1569520466080,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"172.217.21.72","src_port":54854,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7":"Obsolete TLS version (older than 1.2)"},"proto":"TLS.GoogleServices","breed":"Acceptable","category":"Web"},"tls": {"version":"TLSv1","client_requested_server_name":"www.googletagmanager.com","ja3":"d78489b860c8bf7838a6ff0b4d131541","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1"}}
00547{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2,"source":"zoom.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":1,"flow_first_seen":1569520466209,"flow_last_seen":1569520466209,"flow_idle_time":180000,"flow_min_l4_payload_len":45,"flow_max_l4_payload_len":45,"flow_tot_l4_payload_len":45,"flow_avg_l4_payload_len":45,"midstream":0,"ts_msec":1569520466209,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"224.0.0.251","src_port":5353,"dst_port":5353,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00481{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"zoom.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_last_seen":1569520466209,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":87,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":87,"pkt_l4_len":53,"ts_msec":1569520466209,"pkt":"AQBeAAD7KDc3AG3ICABFAABJ4i8AAAERNFzAqAF14AAA+xTpFOkANQtaAAAAAAABAAAAAAAAEF9zcG90aWZ5LWNvbm5lY3QEX3RjcAVsb2NhbAAADAAB"}
00629{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":2,"source":"zoom.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":1,"flow_first_seen":1569520466209,"flow_last_seen":1569520466209,"flow_idle_time":180000,"flow_min_l4_payload_len":45,"flow_max_l4_payload_len":45,"flow_tot_l4_payload_len":45,"flow_avg_l4_payload_len":45,"midstream":0,"ts_msec":1569520466209,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"224.0.0.251","src_port":5353,"dst_port":5353,"l4_proto":"udp","ndpi": {"proto":"MDNS","breed":"Acceptable","category":"Network"},"mdns": {"answer":"_spotify-connect._tcp.local"}}
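Review bot: The breed of the `www.googletagmanager.com` flow (flow 1, packet 1) drops from `Tracker\/Ads` to `Acceptable` in this regenerated baseline, with the protocol going from `TLS.Google` to `TLS.GoogleServices`, and the change is recorded only as expected output. A consumer that alerts or filters on `breed` would stop flagging this flow after the update. The commit description should state it explicitly, for example `libnDPI update: googletagmanager.com now GoogleServices/Acceptable (was Google/Tracker-Ads)`. The cause is presumably the libnDPI submodule bump listed in the diffstat, which is not visible in this hunk.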
@@ -40,7 +40,7 @@
00709{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":29,"source":"zoom.pcap","alias":"nDPId-test","flow_id":9,"flow_packets_processed":2,"flow_first_seen":1569520469036,"flow_last_seen":1569520469072,"flow_idle_time":180000,"flow_min_l4_payload_len":23,"flow_max_l4_payload_len":98,"flow_tot_l4_payload_len":121,"flow_avg_l4_payload_len":60,"midstream":0,"ts_msec":1569520469072,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"192.168.1.1","src_port":65394,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS","breed":"Acceptable","category":"Network"},"dns": {"query":"local","num_queries":1,"num_answers":1,"reply_code":3,"query_type":6,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
00518{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":30,"source":"zoom.pcap","alias":"nDPId-test","flow_id":10,"flow_packets_processed":1,"flow_first_seen":1569520469072,"flow_last_seen":1569520469072,"flow_idle_time":120000,"flow_min_l4_payload_len":36,"flow_max_l4_payload_len":36,"flow_tot_l4_payload_len":36,"flow_avg_l4_payload_len":36,"midstream":0,"ts_msec":1569520469072,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"192.168.1.1","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3}
00464{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":30,"source":"zoom.pcap","alias":"nDPId-test","flow_id":10,"flow_packet_id":1,"flow_last_seen":1569520469072,"flow_idle_time":120000,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":70,"pkt_l4_len":36,"ts_msec":1569520469072,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA4d+0AAEABfxHAqAF1wKgBAQMD\/OoAAAAARQAAfg+aAAA3EfAOwKgBAcCoAXUANf9yAGoAAA=="}
-00551{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":30,"source":"zoom.pcap","alias":"nDPId-test","flow_id":10,"flow_packets_processed":1,"flow_first_seen":1569520469072,"flow_last_seen":1569520469072,"flow_idle_time":120000,"flow_min_l4_payload_len":36,"flow_max_l4_payload_len":36,"flow_tot_l4_payload_len":36,"flow_avg_l4_payload_len":36,"midstream":0,"ts_msec":1569520469072,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"192.168.1.1","l4_proto":"icmp","ndpi": {"proto":"ICMP","breed":"Acceptable","category":"Network"}}
+00570{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":30,"source":"zoom.pcap","alias":"nDPId-test","flow_id":10,"flow_packets_processed":1,"flow_first_seen":1569520469072,"flow_last_seen":1569520469072,"flow_idle_time":120000,"flow_min_l4_payload_len":36,"flow_max_l4_payload_len":36,"flow_tot_l4_payload_len":36,"flow_avg_l4_payload_len":36,"midstream":0,"ts_msec":1569520469072,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"192.168.1.1","l4_proto":"icmp","ndpi": {"proto":"ICMP","breed":"Acceptable","category":"Network"},"entropy":3.637537}
00548{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":31,"source":"zoom.pcap","alias":"nDPId-test","flow_id":11,"flow_packets_processed":1,"flow_first_seen":1569520469081,"flow_last_seen":1569520469081,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":1,"ts_msec":1569520469081,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"13.225.84.182","src_port":54798,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00441{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":31,"source":"zoom.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":1,"flow_last_seen":1569520469081,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1569520469081,"pkt":"EBMx8Tl2KDc3AG3ICABFAAAog\/0AAEAG0h7AqAF1DeFUttYOAbuSOQajVAdu1VAQECZHdwAA"}
00785{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":32,"source":"zoom.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":4,"flow_first_seen":1569520468959,"flow_last_seen":1569520469090,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1569520469090,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"52.202.62.238","src_port":54864,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Zoom","breed":"Acceptable","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"log.zoom.us","ja3":"535aca3d99fc247509cd50933cd71d37","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"http\/1.1"}}
@@ -49,7 +49,7 @@
00483{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":34,"source":"zoom.pcap","alias":"nDPId-test","flow_id":12,"flow_packet_id":1,"flow_last_seen":1569520469189,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"ts_msec":1569520469189,"pkt":"EBMx8Tl2KDc3AG3ICABFAABICu4AAEAR5YzAqAF1ov8lDl1fDZYANPtTAAEAGMFdrmNYXRQ5LlgsJgQDvzABAQAUMTIzNDU2Nzg5MDEyMzQ1Njc4OQA="}
00483{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":36,"source":"zoom.pcap","alias":"nDPId-test","flow_id":12,"flow_packet_id":2,"flow_last_seen":1569520469200,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"ts_msec":1569520469200,"pkt":"EBMx8Tl2KDc3AG3ICABFAABISukAAEARpZHAqAF1ov8lDl1fDZYANPtTAAEAGMFdrmNYXRQ5LlgsJgQDvzABAQAUMTIzNDU2Nzg5MDEyMzQ1Njc4OQA="}
00841{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":37,"source":"zoom.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":6,"flow_first_seen":1569520468959,"flow_last_seen":1569520469200,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1452,"flow_tot_l4_payload_len":1969,"flow_avg_l4_payload_len":328,"midstream":0,"ts_msec":1569520469200,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"52.202.62.238","src_port":54864,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Zoom","breed":"Acceptable","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"log.zoom.us","ja3":"535aca3d99fc247509cd50933cd71d37","ja3s":"3c30f2c064a3aed8cd95de8d68c726a6","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"http\/1.1"}}
-01165{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":41,"source":"zoom.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":10,"flow_first_seen":1569520468959,"flow_last_seen":1569520469201,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1452,"flow_tot_l4_payload_len":6125,"flow_avg_l4_payload_len":612,"midstream":0,"ts_msec":1569520469201,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"52.202.62.238","src_port":54864,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Zoom","breed":"Acceptable","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"log.zoom.us","server_names":"*.zoom.us,zoom.us","ja3":"535aca3d99fc247509cd50933cd71d37","ja3s":"3c30f2c064a3aed8cd95de8d68c726a6","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http:\/\/certs.godaddy.com\/repository\/, CN=Go Daddy Secure Certificate Authority - G2","issuerDN":"OU=Domain Control Validated, CN=*.zoom.us","alpn":"http\/1.1","fingerprint":"F7:5A:83:A8:77:24:55:D7:6D:2E:93:F6:6E:9C:C9:7E:AD:9B:3B:E8"}}
+01166{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":41,"source":"zoom.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":10,"flow_first_seen":1569520468959,"flow_last_seen":1569520469201,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1452,"flow_tot_l4_payload_len":6125,"flow_avg_l4_payload_len":612,"midstream":0,"ts_msec":1569520469201,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"52.202.62.238","src_port":54864,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Zoom","breed":"Acceptable","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"log.zoom.us","server_names":"*.zoom.us,zoom.us","ja3":"535aca3d99fc247509cd50933cd71d37","ja3s":"3c30f2c064a3aed8cd95de8d68c726a6","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http:\/\/certs.godaddy.com\/repository\/, CN=Go Daddy Secure Certificate Authority - G2","subjectDN":"OU=Domain Control Validated, CN=*.zoom.us","alpn":"http\/1.1","fingerprint":"F7:5A:83:A8:77:24:55:D7:6D:2E:93:F6:6E:9C:C9:7E:AD:9B:3B:E8"}}
00483{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":44,"source":"zoom.pcap","alias":"nDPId-test","flow_id":12,"flow_packet_id":3,"flow_last_seen":1569520469210,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"ts_msec":1569520469210,"pkt":"EBMx8Tl2KDc3AG3ICABFAABIjkkAAEARYjHAqAF1ov8lDl1fDZYANPtTAAEAGMFdrmNYXRQ5LlgsJgQDvzABAQAUMTIzNDU2Nzg5MDEyMzQ1Njc4OQA="}
00589{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":44,"source":"zoom.pcap","alias":"nDPId-test","flow_id":12,"flow_packets_processed":3,"flow_first_seen":1569520469189,"flow_last_seen":1569520469210,"flow_idle_time":180000,"flow_min_l4_payload_len":44,"flow_max_l4_payload_len":44,"flow_tot_l4_payload_len":132,"flow_avg_l4_payload_len":44,"midstream":0,"ts_msec":1569520469210,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"162.255.37.14","src_port":23903,"dst_port":3478,"l4_proto":"udp","ndpi": {"proto":"STUN.Zoom","breed":"Acceptable","category":"Video"}}
00552{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":46,"source":"zoom.pcap","alias":"nDPId-test","flow_id":13,"flow_packets_processed":1,"flow_first_seen":1569520469221,"flow_last_seen":1569520469221,"flow_idle_time":180000,"flow_min_l4_payload_len":44,"flow_max_l4_payload_len":44,"flow_tot_l4_payload_len":44,"flow_avg_l4_payload_len":44,"midstream":0,"ts_msec":1569520469221,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"162.255.38.14","src_port":23903,"dst_port":3478,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
@@ -72,13 +72,13 @@
00457{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":63,"source":"zoom.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":3,"flow_last_seen":1569520469370,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1569520469370,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGzrXAqAF1aMdBKtJrAFCnuOsgVolceIAQD\/4OlAAAAQEICiWc2z+z1h7T"}
00520{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":83,"source":"zoom.pcap","alias":"nDPId-test","flow_id":17,"flow_packets_processed":1,"flow_first_seen":1569520469423,"flow_last_seen":1569520469423,"flow_idle_time":120000,"flow_min_l4_payload_len":36,"flow_max_l4_payload_len":36,"flow_tot_l4_payload_len":36,"flow_avg_l4_payload_len":36,"midstream":0,"ts_msec":1569520469423,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"162.255.38.14","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3}
00464{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":83,"source":"zoom.pcap","alias":"nDPId-test","flow_id":17,"flow_packet_id":1,"flow_last_seen":1569520469423,"flow_idle_time":120000,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":70,"pkt_l4_len":36,"ts_msec":1569520469423,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA4WycAAEABlHPAqAF1ov8mDgMDkd4AAAAARQAAPMGVQAAuEf\/wov8mDsCoAXUNl11fACgAAA=="}
-00577{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":83,"source":"zoom.pcap","alias":"nDPId-test","flow_id":17,"flow_packets_processed":1,"flow_first_seen":1569520469423,"flow_last_seen":1569520469423,"flow_idle_time":120000,"flow_min_l4_payload_len":36,"flow_max_l4_payload_len":36,"flow_tot_l4_payload_len":36,"flow_avg_l4_payload_len":36,"midstream":0,"ts_msec":1569520469423,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"162.255.38.14","l4_proto":"icmp","ndpi": {"entropy":4.182005,"proto":"ICMP.Zoom","breed":"Acceptable","category":"Network"}}
+00577{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":83,"source":"zoom.pcap","alias":"nDPId-test","flow_id":17,"flow_packets_processed":1,"flow_first_seen":1569520469423,"flow_last_seen":1569520469423,"flow_idle_time":120000,"flow_min_l4_payload_len":36,"flow_max_l4_payload_len":36,"flow_tot_l4_payload_len":36,"flow_avg_l4_payload_len":36,"midstream":0,"ts_msec":1569520469423,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"162.255.38.14","l4_proto":"icmp","ndpi": {"proto":"ICMP.Zoom","breed":"Acceptable","category":"Network"},"entropy":4.182005}
00464{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":87,"source":"zoom.pcap","alias":"nDPId-test","flow_id":17,"flow_packet_id":2,"flow_last_seen":1569520469433,"flow_idle_time":120000,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":70,"pkt_l4_len":36,"ts_msec":1569520469433,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA4ZPoAAEABiqDAqAF1ov8mDgMDkd4AAAAARQAAPMGZQAAuEf\/sov8mDsCoAXUNl11fACgAAA=="}
00362{"packet_event_id":1,"packet_event_name":"packet","thread_id":0,"packet_id":90,"source":"zoom.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":34969,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"ts_msec":1569520469782,"pkt":"\/\/\/\/\/\/\/\/2A0X1lWriJklgAAA2A0X1lWrAACAAADYDRfWVauACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}
00146{"basic_event_id":5,"basic_event_name":"Unknown packet type","thread_id":0,"packet_id":90,"source":"zoom.pcap","alias":"nDPId-test","type":34969}
00551{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":91,"source":"zoom.pcap","alias":"nDPId-test","flow_id":18,"flow_packets_processed":1,"flow_first_seen":1569520469797,"flow_last_seen":1569520469797,"flow_idle_time":180000,"flow_min_l4_payload_len":279,"flow_max_l4_payload_len":279,"flow_tot_l4_payload_len":279,"flow_avg_l4_payload_len":279,"midstream":0,"ts_msec":1569520469797,"l3_proto":"ip4","src_ip":"192.168.0.1","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00812{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":91,"source":"zoom.pcap","alias":"nDPId-test","flow_id":18,"flow_packet_id":1,"flow_last_seen":1569520469797,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":321,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":321,"pkt_l4_len":287,"ts_msec":1569520469797,"pkt":"\/\/\/\/\/\/\/\/2A0X1lWrCABFAAEzBkxAAEARcsXAqAAB\/\/\/\/\/wBEAEMBHwAAAQEGABIog9sAAIAAAAAAAAAAAAAAAAAAAAAAANgNF9ZVqwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABjglNjNQEBNwIBAwwJVEwtU0cxMTZFPAlUTC1TRzExNkU9BwHYDRfWVav\/"}
-00614{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":91,"source":"zoom.pcap","alias":"nDPId-test","flow_id":18,"flow_packets_processed":1,"flow_first_seen":1569520469797,"flow_last_seen":1569520469797,"flow_idle_time":180000,"flow_min_l4_payload_len":279,"flow_max_l4_payload_len":279,"flow_tot_l4_payload_len":279,"flow_avg_l4_payload_len":279,"midstream":0,"ts_msec":1569520469797,"l3_proto":"ip4","src_ip":"192.168.0.1","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","ndpi": {"proto":"DHCP","breed":"Acceptable","category":"Network"},"dhcp": {"fingerprint":"1,3"}}
+00663{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":91,"source":"zoom.pcap","alias":"nDPId-test","flow_id":18,"flow_packets_processed":1,"flow_first_seen":1569520469797,"flow_last_seen":1569520469797,"flow_idle_time":180000,"flow_min_l4_payload_len":279,"flow_max_l4_payload_len":279,"flow_tot_l4_payload_len":279,"flow_avg_l4_payload_len":279,"midstream":0,"ts_msec":1569520469797,"l3_proto":"ip4","src_ip":"192.168.0.1","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","ndpi": {"proto":"DHCP","breed":"Acceptable","category":"Network"},"dhcp": {"hostname":"tl-sg116e","fingerprint":"1,3","class_ident":"TL-SG116E"}}
00548{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":92,"source":"zoom.pcap","alias":"nDPId-test","flow_id":19,"flow_packets_processed":1,"flow_first_seen":1569520469950,"flow_last_seen":1569520469950,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1569520469950,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"52.202.62.196","src_port":54865,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00474{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":92,"source":"zoom.pcap","alias":"nDPId-test","flow_id":19,"flow_packet_id":1,"flow_last_seen":1569520469950,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"ts_msec":1569520469950,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGBQ3AqAF1NMo+xNZRAbvXiDKIAAAAALAC\/\/8cGAAAAgQFtAEDAwUBAQgKJZzdfwAAAAAEAgAA"}
00548{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":93,"source":"zoom.pcap","alias":"nDPId-test","flow_id":20,"flow_packets_processed":1,"flow_first_seen":1569520469984,"flow_last_seen":1569520469984,"flow_idle_time":180000,"flow_min_l4_payload_len":30,"flow_max_l4_payload_len":30,"flow_tot_l4_payload_len":30,"flow_avg_l4_payload_len":30,"midstream":0,"ts_msec":1569520469984,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"192.168.1.1","src_port":62988,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
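Review bot: `entropy` moves out of the `ndpi` object to a top-level key in the ICMP `detected` event for packet 83 (and is added at top level for packet 30 in the `-40,7` hunk), so a consumer reading `ndpi.entropy` silently loses the field; the commit description should carry a line such as `schema: entropy moved from ndpi{} to the event top level`. The DHCP event for packet 91 also starts emitting `hostname` and `class_ident`, which presumably come from client-supplied DHCP options, and the only value this baseline exercises is the benign `tl-sg116e` / `TL-SG116E`. A test capture whose hostname option holds quotes, backslashes or control bytes would pin both the JSON escaping and the five-digit length prefix for these new fields.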
@@ -95,9 +95,9 @@
00441{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":100,"source":"zoom.pcap","alias":"nDPId-test","flow_id":21,"flow_packet_id":3,"flow_last_seen":1569520470134,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"ts_msec":1569520470134,"pkt":"EBMx8Tl2KDc3AG3ICABFAAAoAABAAEAGBP3AqAF1NMo+7NZSAbv67hZuvPb3MFAQIAC8bgAA"}
00788{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":101,"source":"zoom.pcap","alias":"nDPId-test","flow_id":21,"flow_packets_processed":4,"flow_first_seen":1569520470022,"flow_last_seen":1569520470165,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1569520470165,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"52.202.62.236","src_port":54866,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Zoom","breed":"Acceptable","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www3.zoom.us","ja3":"535aca3d99fc247509cd50933cd71d37","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"http\/1.1"}}
00839{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":103,"source":"zoom.pcap","alias":"nDPId-test","flow_id":19,"flow_packets_processed":6,"flow_first_seen":1569520469950,"flow_last_seen":1569520470199,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1452,"flow_tot_l4_payload_len":1969,"flow_avg_l4_payload_len":328,"midstream":0,"ts_msec":1569520470199,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"52.202.62.196","src_port":54865,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Zoom","breed":"Acceptable","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"zoom.us","ja3":"535aca3d99fc247509cd50933cd71d37","ja3s":"3c30f2c064a3aed8cd95de8d68c726a6","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"http\/1.1"}}
-01163{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":107,"source":"zoom.pcap","alias":"nDPId-test","flow_id":19,"flow_packets_processed":10,"flow_first_seen":1569520469950,"flow_last_seen":1569520470199,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1452,"flow_tot_l4_payload_len":6125,"flow_avg_l4_payload_len":612,"midstream":0,"ts_msec":1569520470199,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"52.202.62.196","src_port":54865,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Zoom","breed":"Acceptable","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"zoom.us","server_names":"*.zoom.us,zoom.us","ja3":"535aca3d99fc247509cd50933cd71d37","ja3s":"3c30f2c064a3aed8cd95de8d68c726a6","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http:\/\/certs.godaddy.com\/repository\/, CN=Go Daddy Secure Certificate Authority - G2","issuerDN":"OU=Domain Control Validated, CN=*.zoom.us","alpn":"http\/1.1","fingerprint":"F7:5A:83:A8:77:24:55:D7:6D:2E:93:F6:6E:9C:C9:7E:AD:9B:3B:E8"}}
+01164{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":107,"source":"zoom.pcap","alias":"nDPId-test","flow_id":19,"flow_packets_processed":10,"flow_first_seen":1569520469950,"flow_last_seen":1569520470199,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1452,"flow_tot_l4_payload_len":6125,"flow_avg_l4_payload_len":612,"midstream":0,"ts_msec":1569520470199,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"52.202.62.196","src_port":54865,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Zoom","breed":"Acceptable","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"zoom.us","server_names":"*.zoom.us,zoom.us","ja3":"535aca3d99fc247509cd50933cd71d37","ja3s":"3c30f2c064a3aed8cd95de8d68c726a6","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http:\/\/certs.godaddy.com\/repository\/, CN=Go Daddy Secure Certificate Authority - G2","subjectDN":"OU=Domain Control Validated, CN=*.zoom.us","alpn":"http\/1.1","fingerprint":"F7:5A:83:A8:77:24:55:D7:6D:2E:93:F6:6E:9C:C9:7E:AD:9B:3B:E8"}}
00844{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":112,"source":"zoom.pcap","alias":"nDPId-test","flow_id":21,"flow_packets_processed":6,"flow_first_seen":1569520470022,"flow_last_seen":1569520470280,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1452,"flow_tot_l4_payload_len":1969,"flow_avg_l4_payload_len":328,"midstream":0,"ts_msec":1569520470280,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"52.202.62.236","src_port":54866,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Zoom","breed":"Acceptable","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www3.zoom.us","ja3":"535aca3d99fc247509cd50933cd71d37","ja3s":"3c30f2c064a3aed8cd95de8d68c726a6","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"http\/1.1"}}
-01168{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":116,"source":"zoom.pcap","alias":"nDPId-test","flow_id":21,"flow_packets_processed":10,"flow_first_seen":1569520470022,"flow_last_seen":1569520470280,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1452,"flow_tot_l4_payload_len":6125,"flow_avg_l4_payload_len":612,"midstream":0,"ts_msec":1569520470280,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"52.202.62.236","src_port":54866,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Zoom","breed":"Acceptable","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www3.zoom.us","server_names":"*.zoom.us,zoom.us","ja3":"535aca3d99fc247509cd50933cd71d37","ja3s":"3c30f2c064a3aed8cd95de8d68c726a6","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http:\/\/certs.godaddy.com\/repository\/, CN=Go Daddy Secure Certificate Authority - G2","issuerDN":"OU=Domain Control Validated, CN=*.zoom.us","alpn":"http\/1.1","fingerprint":"F7:5A:83:A8:77:24:55:D7:6D:2E:93:F6:6E:9C:C9:7E:AD:9B:3B:E8"}}
+01169{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":116,"source":"zoom.pcap","alias":"nDPId-test","flow_id":21,"flow_packets_processed":10,"flow_first_seen":1569520470022,"flow_last_seen":1569520470280,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1452,"flow_tot_l4_payload_len":6125,"flow_avg_l4_payload_len":612,"midstream":0,"ts_msec":1569520470280,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"52.202.62.236","src_port":54866,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Zoom","breed":"Acceptable","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"www3.zoom.us","server_names":"*.zoom.us,zoom.us","ja3":"535aca3d99fc247509cd50933cd71d37","ja3s":"3c30f2c064a3aed8cd95de8d68c726a6","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http:\/\/certs.godaddy.com\/repository\/, CN=Go Daddy Secure Certificate Authority - G2","subjectDN":"OU=Domain Control Validated, CN=*.zoom.us","alpn":"http\/1.1","fingerprint":"F7:5A:83:A8:77:24:55:D7:6D:2E:93:F6:6E:9C:C9:7E:AD:9B:3B:E8"}}
00730{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":124,"source":"zoom.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_last_seen":1569520470350,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":265,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":265,"pkt_l4_len":231,"ts_msec":1569520470350,"pkt":"EBMx8Tl2KDc3AG3ICABFAAD7AABAAEAGtb7AqAF1rNkVSNZGAbt9MLg2pduNV4AYEAjK4AAAAQEICiWc3wRwmChtFgMBAMIBAAC+AwE5BEH329R9hgOe6JDNh5Do5\/IyBg\/qLeMPj9mOGNz+swAAEgAvADMANQA5wAnACsATwBRWAAEAAIP\/AQABAAAAAB0AGwAAGHd3dy5nb29nbGV0YWdtYW5hZ2VyLmNvbQAXAAAABQAFAQAAAAAzdAAAABIAAAAQADAALgJoMgVoMi0xNgVoMi0xNQVoMi0xNAhzcGR5LzMuMQZzcGR5LzMIaHR0cC8xLjEACwACAQAACgAKAAgAHQAXABgAGQ=="}
00554{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":158,"source":"zoom.pcap","alias":"nDPId-test","flow_id":22,"flow_packets_processed":1,"flow_first_seen":1569520470666,"flow_last_seen":1569520470666,"flow_idle_time":180000,"flow_min_l4_payload_len":44,"flow_max_l4_payload_len":44,"flow_tot_l4_payload_len":44,"flow_avg_l4_payload_len":44,"midstream":0,"ts_msec":1569520470666,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"192.168.1.255","src_port":57621,"dst_port":57621,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00493{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":158,"source":"zoom.pcap","alias":"nDPId-test","flow_id":22,"flow_packet_id":1,"flow_last_seen":1569520470666,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"ts_msec":1569520470666,"pkt":"\/\/\/\/\/\/\/\/KDc3AG3ICABFAABI4PAAAEARFPDAqAF1wKgB\/+EV4RUANLyaU3BvdFVkcDAJFTOWktM6lAABAARIlcIDDi3QR5gZLZgtSkZtNr91y8rdz4k="}
@@ -134,12 +134,12 @@
00832{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":178,"source":"zoom.pcap","alias":"nDPId-test","flow_id":28,"flow_packets_processed":4,"flow_first_seen":1569520470776,"flow_last_seen":1569520470801,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1569520470801,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"213.244.140.84","src_port":54870,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Zoom","breed":"Acceptable","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"zoomfr84zc.zoom.us","ja3":"c51de225944b7d58d48c0f99f86ba8e6","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
00889{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":180,"source":"zoom.pcap","alias":"nDPId-test","flow_id":25,"flow_packets_processed":6,"flow_first_seen":1569520470742,"flow_last_seen":1569520470810,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":1957,"flow_avg_l4_payload_len":326,"midstream":0,"ts_msec":1569520470810,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"213.19.144.105","src_port":54867,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Zoom","breed":"Acceptable","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"zoomam105zc.zoom.us","ja3":"c51de225944b7d58d48c0f99f86ba8e6","ja3s":"ada793d0f02b028a6c840504edccb652","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}
00888{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":186,"source":"zoom.pcap","alias":"nDPId-test","flow_id":27,"flow_packets_processed":6,"flow_first_seen":1569520470769,"flow_last_seen":1569520470814,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":1957,"flow_avg_l4_payload_len":326,"midstream":0,"ts_msec":1569520470814,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"213.244.140.85","src_port":54869,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Zoom","breed":"Acceptable","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"zoomfr85zc.zoom.us","ja3":"c51de225944b7d58d48c0f99f86ba8e6","ja3s":"ada793d0f02b028a6c840504edccb652","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}
-01213{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":192,"source":"zoom.pcap","alias":"nDPId-test","flow_id":25,"flow_packets_processed":11,"flow_first_seen":1569520470742,"flow_last_seen":1569520470820,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":6053,"flow_avg_l4_payload_len":550,"midstream":0,"ts_msec":1569520470820,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"213.19.144.105","src_port":54867,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Zoom","breed":"Acceptable","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"zoomam105zc.zoom.us","server_names":"*.zoom.us,zoom.us","ja3":"c51de225944b7d58d48c0f99f86ba8e6","ja3s":"ada793d0f02b028a6c840504edccb652","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http:\/\/certs.godaddy.com\/repository\/, CN=Go Daddy Secure Certificate Authority - G2","issuerDN":"OU=Domain Control Validated, CN=*.zoom.us","fingerprint":"F7:5A:83:A8:77:24:55:D7:6D:2E:93:F6:6E:9C:C9:7E:AD:9B:3B:E8"}}
+01214{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":192,"source":"zoom.pcap","alias":"nDPId-test","flow_id":25,"flow_packets_processed":11,"flow_first_seen":1569520470742,"flow_last_seen":1569520470820,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":6053,"flow_avg_l4_payload_len":550,"midstream":0,"ts_msec":1569520470820,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"213.19.144.105","src_port":54867,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Zoom","breed":"Acceptable","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"zoomam105zc.zoom.us","server_names":"*.zoom.us,zoom.us","ja3":"c51de225944b7d58d48c0f99f86ba8e6","ja3s":"ada793d0f02b028a6c840504edccb652","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http:\/\/certs.godaddy.com\/repository\/, CN=Go Daddy Secure Certificate Authority - G2","subjectDN":"OU=Domain Control Validated, CN=*.zoom.us","fingerprint":"F7:5A:83:A8:77:24:55:D7:6D:2E:93:F6:6E:9C:C9:7E:AD:9B:3B:E8"}}
00889{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":195,"source":"zoom.pcap","alias":"nDPId-test","flow_id":26,"flow_packets_processed":6,"flow_first_seen":1569520470755,"flow_last_seen":1569520470822,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":1957,"flow_avg_l4_payload_len":326,"midstream":0,"ts_msec":1569520470822,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"213.19.144.104","src_port":54868,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Zoom","breed":"Acceptable","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"zoomam104zc.zoom.us","ja3":"c51de225944b7d58d48c0f99f86ba8e6","ja3s":"ada793d0f02b028a6c840504edccb652","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}
-01212{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":200,"source":"zoom.pcap","alias":"nDPId-test","flow_id":27,"flow_packets_processed":11,"flow_first_seen":1569520470769,"flow_last_seen":1569520470822,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":6053,"flow_avg_l4_payload_len":550,"midstream":0,"ts_msec":1569520470822,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"213.244.140.85","src_port":54869,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Zoom","breed":"Acceptable","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"zoomfr85zc.zoom.us","server_names":"*.zoom.us,zoom.us","ja3":"c51de225944b7d58d48c0f99f86ba8e6","ja3s":"ada793d0f02b028a6c840504edccb652","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http:\/\/certs.godaddy.com\/repository\/, CN=Go Daddy Secure Certificate Authority - G2","issuerDN":"OU=Domain Control Validated, CN=*.zoom.us","fingerprint":"F7:5A:83:A8:77:24:55:D7:6D:2E:93:F6:6E:9C:C9:7E:AD:9B:3B:E8"}}
+01213{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":200,"source":"zoom.pcap","alias":"nDPId-test","flow_id":27,"flow_packets_processed":11,"flow_first_seen":1569520470769,"flow_last_seen":1569520470822,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":6053,"flow_avg_l4_payload_len":550,"midstream":0,"ts_msec":1569520470822,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"213.244.140.85","src_port":54869,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Zoom","breed":"Acceptable","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"zoomfr85zc.zoom.us","server_names":"*.zoom.us,zoom.us","ja3":"c51de225944b7d58d48c0f99f86ba8e6","ja3s":"ada793d0f02b028a6c840504edccb652","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http:\/\/certs.godaddy.com\/repository\/, CN=Go Daddy Secure Certificate Authority - G2","subjectDN":"OU=Domain Control Validated, CN=*.zoom.us","fingerprint":"F7:5A:83:A8:77:24:55:D7:6D:2E:93:F6:6E:9C:C9:7E:AD:9B:3B:E8"}}
00888{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":204,"source":"zoom.pcap","alias":"nDPId-test","flow_id":28,"flow_packets_processed":6,"flow_first_seen":1569520470776,"flow_last_seen":1569520470828,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":1957,"flow_avg_l4_payload_len":326,"midstream":0,"ts_msec":1569520470828,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"213.244.140.84","src_port":54870,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Zoom","breed":"Acceptable","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"zoomfr84zc.zoom.us","ja3":"c51de225944b7d58d48c0f99f86ba8e6","ja3s":"ada793d0f02b028a6c840504edccb652","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}
-01213{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":209,"source":"zoom.pcap","alias":"nDPId-test","flow_id":26,"flow_packets_processed":11,"flow_first_seen":1569520470755,"flow_last_seen":1569520470829,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":6053,"flow_avg_l4_payload_len":550,"midstream":0,"ts_msec":1569520470829,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"213.19.144.104","src_port":54868,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Zoom","breed":"Acceptable","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"zoomam104zc.zoom.us","server_names":"*.zoom.us,zoom.us","ja3":"c51de225944b7d58d48c0f99f86ba8e6","ja3s":"ada793d0f02b028a6c840504edccb652","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http:\/\/certs.godaddy.com\/repository\/, CN=Go Daddy Secure Certificate Authority - G2","issuerDN":"OU=Domain Control Validated, CN=*.zoom.us","fingerprint":"F7:5A:83:A8:77:24:55:D7:6D:2E:93:F6:6E:9C:C9:7E:AD:9B:3B:E8"}}
-01212{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":212,"source":"zoom.pcap","alias":"nDPId-test","flow_id":28,"flow_packets_processed":11,"flow_first_seen":1569520470776,"flow_last_seen":1569520470837,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":6053,"flow_avg_l4_payload_len":550,"midstream":0,"ts_msec":1569520470837,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"213.244.140.84","src_port":54870,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Zoom","breed":"Acceptable","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"zoomfr84zc.zoom.us","server_names":"*.zoom.us,zoom.us","ja3":"c51de225944b7d58d48c0f99f86ba8e6","ja3s":"ada793d0f02b028a6c840504edccb652","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http:\/\/certs.godaddy.com\/repository\/, CN=Go Daddy Secure Certificate Authority - G2","issuerDN":"OU=Domain Control Validated, CN=*.zoom.us","fingerprint":"F7:5A:83:A8:77:24:55:D7:6D:2E:93:F6:6E:9C:C9:7E:AD:9B:3B:E8"}}
+01214{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":209,"source":"zoom.pcap","alias":"nDPId-test","flow_id":26,"flow_packets_processed":11,"flow_first_seen":1569520470755,"flow_last_seen":1569520470829,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":6053,"flow_avg_l4_payload_len":550,"midstream":0,"ts_msec":1569520470829,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"213.19.144.104","src_port":54868,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Zoom","breed":"Acceptable","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"zoomam104zc.zoom.us","server_names":"*.zoom.us,zoom.us","ja3":"c51de225944b7d58d48c0f99f86ba8e6","ja3s":"ada793d0f02b028a6c840504edccb652","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http:\/\/certs.godaddy.com\/repository\/, CN=Go Daddy Secure Certificate Authority - G2","subjectDN":"OU=Domain Control Validated, CN=*.zoom.us","fingerprint":"F7:5A:83:A8:77:24:55:D7:6D:2E:93:F6:6E:9C:C9:7E:AD:9B:3B:E8"}}
+01213{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":212,"source":"zoom.pcap","alias":"nDPId-test","flow_id":28,"flow_packets_processed":11,"flow_first_seen":1569520470776,"flow_last_seen":1569520470837,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":6053,"flow_avg_l4_payload_len":550,"midstream":0,"ts_msec":1569520470837,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"213.244.140.84","src_port":54870,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Zoom","breed":"Acceptable","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"zoomfr84zc.zoom.us","server_names":"*.zoom.us,zoom.us","ja3":"c51de225944b7d58d48c0f99f86ba8e6","ja3s":"ada793d0f02b028a6c840504edccb652","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http:\/\/certs.godaddy.com\/repository\/, CN=Go Daddy Secure Certificate Authority - G2","subjectDN":"OU=Domain Control Validated, CN=*.zoom.us","fingerprint":"F7:5A:83:A8:77:24:55:D7:6D:2E:93:F6:6E:9C:C9:7E:AD:9B:3B:E8"}}
00549{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":257,"source":"zoom.pcap","alias":"nDPId-test","flow_id":29,"flow_packets_processed":1,"flow_first_seen":1569520471147,"flow_last_seen":1569520471147,"flow_idle_time":180000,"flow_min_l4_payload_len":38,"flow_max_l4_payload_len":38,"flow_tot_l4_payload_len":38,"flow_avg_l4_payload_len":38,"midstream":0,"ts_msec":1569520471147,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"192.168.1.1","src_port":51185,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00476{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":257,"source":"zoom.pcap","alias":"nDPId-test","flow_id":29,"flow_packet_id":1,"flow_last_seen":1569520471147,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":80,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":80,"pkt_l4_len":46,"ts_msec":1569520471147,"pkt":"EBMx8Tl2KDc3AG3ICABFAABCtGEAAP8Rg4LAqAF1wKgBAcfxADUALsLBHCQBAAABAAAAAAAADHpvb21mcm45OW1tcgR6b29tAnVzAAABAAE="}
00720{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":257,"source":"zoom.pcap","alias":"nDPId-test","flow_id":29,"flow_packets_processed":1,"flow_first_seen":1569520471147,"flow_last_seen":1569520471147,"flow_idle_time":180000,"flow_min_l4_payload_len":38,"flow_max_l4_payload_len":38,"flow_tot_l4_payload_len":38,"flow_avg_l4_payload_len":38,"midstream":0,"ts_msec":1569520471147,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"192.168.1.1","src_port":51185,"dst_port":53,"l4_proto":"udp","ndpi": {"proto":"DNS.Zoom","breed":"Acceptable","category":"Video"},"dns": {"query":"zoomfrn99mmr.zoom.us","num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}
@@ -151,7 +151,7 @@
00457{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":283,"source":"zoom.pcap","alias":"nDPId-test","flow_id":30,"flow_packet_id":3,"flow_last_seen":1569520471220,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1569520471220,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGauXAqAF1bV6gY9ZXAbsw+fmXh4XXdIAQECwrtgAAAQEICiWc4kt2KotL"}
00833{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":284,"source":"zoom.pcap","alias":"nDPId-test","flow_id":30,"flow_packets_processed":4,"flow_first_seen":1569520471189,"flow_last_seen":1569520471221,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1569520471221,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"109.94.160.99","src_port":54871,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Zoom","breed":"Acceptable","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"zoomfrn99mmr.zoom.us","ja3":"c51de225944b7d58d48c0f99f86ba8e6","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
00889{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":286,"source":"zoom.pcap","alias":"nDPId-test","flow_id":30,"flow_packets_processed":6,"flow_first_seen":1569520471189,"flow_last_seen":1569520471255,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":1957,"flow_avg_l4_payload_len":326,"midstream":0,"ts_msec":1569520471255,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"109.94.160.99","src_port":54871,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Zoom","breed":"Acceptable","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"zoomfrn99mmr.zoom.us","ja3":"c51de225944b7d58d48c0f99f86ba8e6","ja3s":"ada793d0f02b028a6c840504edccb652","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}
-01213{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":291,"source":"zoom.pcap","alias":"nDPId-test","flow_id":30,"flow_packets_processed":11,"flow_first_seen":1569520471189,"flow_last_seen":1569520471266,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":6053,"flow_avg_l4_payload_len":550,"midstream":0,"ts_msec":1569520471266,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"109.94.160.99","src_port":54871,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Zoom","breed":"Acceptable","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"zoomfrn99mmr.zoom.us","server_names":"*.zoom.us,zoom.us","ja3":"c51de225944b7d58d48c0f99f86ba8e6","ja3s":"ada793d0f02b028a6c840504edccb652","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http:\/\/certs.godaddy.com\/repository\/, CN=Go Daddy Secure Certificate Authority - G2","issuerDN":"OU=Domain Control Validated, CN=*.zoom.us","fingerprint":"F7:5A:83:A8:77:24:55:D7:6D:2E:93:F6:6E:9C:C9:7E:AD:9B:3B:E8"}}
+01214{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":291,"source":"zoom.pcap","alias":"nDPId-test","flow_id":30,"flow_packets_processed":11,"flow_first_seen":1569520471189,"flow_last_seen":1569520471266,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":6053,"flow_avg_l4_payload_len":550,"midstream":0,"ts_msec":1569520471266,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"109.94.160.99","src_port":54871,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Zoom","breed":"Acceptable","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"zoomfrn99mmr.zoom.us","server_names":"*.zoom.us,zoom.us","ja3":"c51de225944b7d58d48c0f99f86ba8e6","ja3s":"ada793d0f02b028a6c840504edccb652","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http:\/\/certs.godaddy.com\/repository\/, CN=Go Daddy Secure Certificate Authority - G2","subjectDN":"OU=Domain Control Validated, CN=*.zoom.us","fingerprint":"F7:5A:83:A8:77:24:55:D7:6D:2E:93:F6:6E:9C:C9:7E:AD:9B:3B:E8"}}
00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":302,"source":"zoom.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_last_seen":1569520471399,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":113,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":113,"pkt_l4_len":79,"ts_msec":1569520471399,"pkt":"EBMx8Tl2KDc3AG3ICABFAABjAABAAEAGoUnAqAF1PpWYmdRFA+E5lpAkp\/QQcoAYEAA2VgAAAQEICiWc4viZh0dJFwMDACpAXTQxH2s8yyXvpDmREm16+\/VcNt\/x\/vlsIce1k7D8R+clMelpc+AJPCA="}
00557{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":386,"source":"zoom.pcap","alias":"nDPId-test","flow_id":31,"flow_packets_processed":1,"flow_first_seen":1569520471748,"flow_last_seen":1569520471748,"flow_idle_time":180000,"flow_min_l4_payload_len":107,"flow_max_l4_payload_len":107,"flow_tot_l4_payload_len":107,"flow_avg_l4_payload_len":107,"midstream":0,"ts_msec":1569520471748,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"109.94.160.99","src_port":58327,"dst_port":8801,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00574{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":386,"source":"zoom.pcap","alias":"nDPId-test","flow_id":31,"flow_packet_id":1,"flow_last_seen":1569520471748,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":149,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":149,"pkt_l4_len":115,"ts_msec":1569520471748,"pkt":"EBMx8Tl2KDc3AG3ICABFAACHYY4AAEARSPnAqAF1bV6gY+PXImEAcwEfAQACfUZNNf\/9ojRJXQ1tO1HolgAAAAAAAAACAHoAKgB6ACoAAABADhc935YCXvuVxCQMI1O\/y\/Bgvpncu9jEece5cy1sdfpDYvCDXrg+TanGp+bzCbMeQN8Pa7V1aoQPcx2bwfanLQAAAAA="}
@@ -180,7 +180,7 @@
00557{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":700,"source":"zoom.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":4,"flow_first_seen":1569520466080,"flow_last_seen":1569520472536,"flow_idle_time":7440000,"flow_min_l4_payload_len":199,"flow_max_l4_payload_len":199,"flow_tot_l4_payload_len":796,"flow_avg_l4_payload_len":199,"midstream":1,"ts_msec":1569520473198,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"172.217.21.72","src_port":54854,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00551{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":700,"source":"zoom.pcap","alias":"nDPId-test","flow_id":6,"flow_packets_processed":3,"flow_first_seen":1569520468399,"flow_last_seen":1569520468399,"flow_idle_time":180000,"flow_min_l4_payload_len":68,"flow_max_l4_payload_len":68,"flow_tot_l4_payload_len":204,"flow_avg_l4_payload_len":68,"midstream":0,"ts_msec":1569520473198,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"192.168.1.255","src_port":137,"dst_port":137,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00556{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":700,"source":"zoom.pcap","alias":"nDPId-test","flow_id":33,"flow_packets_processed":8,"flow_first_seen":1569520473084,"flow_last_seen":1569520473198,"flow_idle_time":180000,"flow_min_l4_payload_len":13,"flow_max_l4_payload_len":109,"flow_tot_l4_payload_len":318,"flow_avg_l4_payload_len":39,"midstream":0,"ts_msec":1569520473198,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"109.94.160.99","src_port":61731,"dst_port":8801,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
-00601{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":700,"source":"zoom.pcap","alias":"nDPId-test","flow_id":15,"flow_packets_processed":6,"flow_first_seen":1569520469340,"flow_last_seen":1569520469435,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":263,"flow_tot_l4_payload_len":556,"flow_avg_l4_payload_len":92,"midstream":1,"ts_msec":1569520473198,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"104.199.65.42","src_port":53867,"dst_port":80,"l4_proto":"tcp","ndpi": {"proto":"HTTP.Google","breed":"Tracker\/Ads","category":"Web"},"http": {}}
+00599{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":700,"source":"zoom.pcap","alias":"nDPId-test","flow_id":15,"flow_packets_processed":6,"flow_first_seen":1569520469340,"flow_last_seen":1569520469435,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":263,"flow_tot_l4_payload_len":556,"flow_avg_l4_payload_len":92,"midstream":1,"ts_msec":1569520473198,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"104.199.65.42","src_port":53867,"dst_port":80,"l4_proto":"tcp","ndpi": {"proto":"HTTP.Google","breed":"Acceptable","category":"Web"},"http": {}}
00554{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":700,"source":"zoom.pcap","alias":"nDPId-test","flow_id":15,"flow_packets_processed":6,"flow_first_seen":1569520469340,"flow_last_seen":1569520469435,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":263,"flow_tot_l4_payload_len":556,"flow_avg_l4_payload_len":92,"midstream":1,"ts_msec":1569520473198,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"104.199.65.42","src_port":53867,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00558{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":700,"source":"zoom.pcap","alias":"nDPId-test","flow_id":8,"flow_packets_processed":18,"flow_first_seen":1569520468959,"flow_last_seen":1569520469430,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1452,"flow_tot_l4_payload_len":7299,"flow_avg_l4_payload_len":405,"midstream":0,"ts_msec":1569520473198,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"52.202.62.238","src_port":54864,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00560{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":700,"source":"zoom.pcap","alias":"nDPId-test","flow_id":19,"flow_packets_processed":30,"flow_first_seen":1569520469950,"flow_last_seen":1569520470454,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1452,"flow_tot_l4_payload_len":17285,"flow_avg_l4_payload_len":576,"midstream":0,"ts_msec":1569520473198,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"52.202.62.196","src_port":54865,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
@@ -203,7 +203,7 @@
00554{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":700,"source":"zoom.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":2,"flow_first_seen":1569520467811,"flow_last_seen":1569520471399,"flow_idle_time":7440000,"flow_min_l4_payload_len":47,"flow_max_l4_payload_len":47,"flow_tot_l4_payload_len":94,"flow_avg_l4_payload_len":47,"midstream":1,"ts_msec":1569520473198,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"62.149.152.153","src_port":54341,"dst_port":993,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00556{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":700,"source":"zoom.pcap","alias":"nDPId-test","flow_id":32,"flow_packets_processed":7,"flow_first_seen":1569520471915,"flow_last_seen":1569520473157,"flow_idle_time":180000,"flow_min_l4_payload_len":13,"flow_max_l4_payload_len":107,"flow_tot_l4_payload_len":331,"flow_avg_l4_payload_len":47,"midstream":0,"ts_msec":1569520473198,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"109.94.160.99","src_port":60620,"dst_port":8801,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
00559{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":700,"source":"zoom.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":1,"flow_first_seen":1569520468207,"flow_last_seen":1569520468207,"flow_idle_time":180000,"flow_min_l4_payload_len":126,"flow_max_l4_payload_len":126,"flow_tot_l4_payload_len":126,"flow_avg_l4_payload_len":126,"midstream":0,"ts_msec":1569520473198,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"239.255.255.250","src_port":57025,"dst_port":1900,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
-00594{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":700,"source":"zoom.pcap","alias":"nDPId-test","flow_id":16,"flow_packets_processed":16,"flow_first_seen":1569520469341,"flow_last_seen":1569520469413,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":5783,"flow_avg_l4_payload_len":361,"midstream":1,"ts_msec":1569520473198,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"35.186.224.53","src_port":53872,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Tracker\/Ads","category":"Web"}}
+00592{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":700,"source":"zoom.pcap","alias":"nDPId-test","flow_id":16,"flow_packets_processed":16,"flow_first_seen":1569520469341,"flow_last_seen":1569520469413,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":5783,"flow_avg_l4_payload_len":361,"midstream":1,"ts_msec":1569520473198,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"35.186.224.53","src_port":53872,"dst_port":443,"l4_proto":"tcp","ndpi": {"proto":"TLS.Google","breed":"Acceptable","category":"Web"}}
00559{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":700,"source":"zoom.pcap","alias":"nDPId-test","flow_id":16,"flow_packets_processed":16,"flow_first_seen":1569520469341,"flow_last_seen":1569520469413,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1418,"flow_tot_l4_payload_len":5783,"flow_avg_l4_payload_len":361,"midstream":1,"ts_msec":1569520473198,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"35.186.224.53","src_port":53872,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00561{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":700,"source":"zoom.pcap","alias":"nDPId-test","flow_id":30,"flow_packets_processed":210,"flow_first_seen":1569520471189,"flow_last_seen":1569520473190,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":57752,"flow_avg_l4_payload_len":275,"midstream":0,"ts_msec":1569520473198,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"109.94.160.99","src_port":54871,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
00550{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":700,"source":"zoom.pcap","alias":"nDPId-test","flow_id":20,"flow_packets_processed":2,"flow_first_seen":1569520469984,"flow_last_seen":1569520470021,"flow_idle_time":180000,"flow_min_l4_payload_len":30,"flow_max_l4_payload_len":46,"flow_tot_l4_payload_len":76,"flow_avg_l4_payload_len":38,"midstream":0,"ts_msec":1569520473198,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"192.168.1.1","src_port":62988,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
@@ -216,9 +216,9 @@
~~ total active/idle flows...: 33/33
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-~~ total memory allocated....: 2223096 bytes
-~~ total memory freed........: 2223096 bytes
-~~ total allocations/frees...: 36216/36216
+~~ total memory allocated....: 4875955 bytes
+~~ total memory freed........: 4875955 bytes
+~~ total allocations/frees...: 100414/100414
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json string min len.......: 151 chars
~~ json string max len.......: 2321 chars
diff --git a/test/results/zoom2.pcap.out b/test/results/zoom2.pcap.out
new file mode 100644
index 000000000..7c4c76df9
--- /dev/null
+++ b/test/results/zoom2.pcap.out
@@ -0,0 +1,51 @@
+00439{"daemon_event_id":1,"daemon_event_name":"init","thread_id":0,"packet_id":0,"source":"zoom2.pcap","alias":"nDPId-test","max-flows-per-thread":2048,"max-idle-flows-per-thread":256,"tick-resolution":1000,"reader-thread-count":1,"flow-scan-interval":10000,"generic-max-idle-time":600000,"icmp-max-idle-time":120000,"udp-max-idle-time":180000,"tcp-max-idle-time":7560000,"max-packets-per-flow-to-send":3,"max-packets-per-flow-to-process":255}
+00548{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":1,"flow_first_seen":1642965458402,"flow_last_seen":1642965458402,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"ts_msec":1642965458402,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":50076,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
+00474{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_last_seen":1642965458402,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"ts_msec":1642965458402,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGngDAqAGykMNJmsOcAbton\/9jAAAAALAC\/\/+GrAAAAgQFtAEDAwUBAQgKBNjhZQAAAAAEAgAA"}
+00469{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_last_seen":1642965458577,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"ts_msec":1642965458577,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADEGrQSQw0mawKgBsgG7w5wp5A9SaJ\/\/ZKASqbBcNQAAAgQFrAQCCApc+vuKBNjhZQEDAww="}
+00456{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_last_seen":1642965458577,"flow_idle_time":7440000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"ts_msec":1642965458577,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGngzAqAGykMNJmsOcAbton\/9kKeQPU4AQECwj1wAAAQEICgTY4hFc+vuK"}
+00896{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":4,"flow_first_seen":1642965458402,"flow_last_seen":1642965458578,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":517,"flow_tot_l4_payload_len":517,"flow_avg_l4_payload_len":129,"midstream":0,"ts_msec":1642965458578,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":50076,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Zoom","breed":"Acceptable","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"zoomsjccv154mmr.sjc.zoom.us","ja3":"832952db10f1453442636675bed2702b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+00952{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":6,"flow_first_seen":1642965458402,"flow_last_seen":1642965458752,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":1957,"flow_avg_l4_payload_len":326,"midstream":0,"ts_msec":1642965458752,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":50076,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Zoom","breed":"Acceptable","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"zoomsjccv154mmr.sjc.zoom.us","ja3":"832952db10f1453442636675bed2702b","ja3s":"8aca82d60194883e764ab2743e60c380","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}
+01229{"flow_event_id":7,"flow_event_name":"detection-update","thread_id":0,"packet_id":8,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":8,"flow_first_seen":1642965458402,"flow_last_seen":1642965458752,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":4613,"flow_avg_l4_payload_len":576,"midstream":0,"ts_msec":1642965458752,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":50076,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15":"TLS (probably) not carrying HTTPS"},"proto":"TLS.Zoom","breed":"Acceptable","category":"Video"},"tls": {"version":"TLSv1.2","client_requested_server_name":"zoomsjccv154mmr.sjc.zoom.us","server_names":"*.sjc.zoom.us","ja3":"832952db10f1453442636675bed2702b","ja3s":"8aca82d60194883e764ab2743e60c380","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1","subjectDN":"C=US, ST=California, L=San Jose, O=Zoom Video Communications, Inc., CN=*.sjc.zoom.us","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"43:42:0A:34:FD:F6:7A:FC:E9:C1:95:D8:E0:79:7E:17:B9:65:B0:A7"}}
+00557{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":95,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":1,"flow_first_seen":1642965459595,"flow_last_seen":1642965459595,"flow_idle_time":180000,"flow_min_l4_payload_len":123,"flow_max_l4_payload_len":123,"flow_tot_l4_payload_len":123,"flow_avg_l4_payload_len":123,"midstream":0,"ts_msec":1642965459595,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":60653,"dst_port":8801,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00591{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":95,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_last_seen":1642965459595,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":165,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":165,"pkt_l4_len":131,"ts_msec":1642965459595,"pkt":"EBMx8Tl2KDc3AG3ICABFAACXeHsAAEARZSPAqAGykMNJmuztImEAgzNnAQADyErEUocYzaK4R3obiZ8zgwAAAAAAAAACAG9hPwBvYT8AAABA5tdm9ZTyTIyTAkYLAufeKJLgneU8bl8DozakMMlr\/JDYAlm5+8RxsTcW0dGDYHnKojsP3MD2C2S9PgF8PPhtdgAAAAAAQABAAAB1MAABAAMAAiAA"}
+00591{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":104,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_last_seen":1642965459696,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":165,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":165,"pkt_l4_len":131,"ts_msec":1642965459696,"pkt":"EBMx8Tl2KDc3AG3ICABFAACXZlQAAEARd0rAqAGykMNJmuztImEAg30SAQADyErEUocYzaK4R3obiZ8zgwAAAAAAAAACAG9hpABvYaQAAABASNx7XNkhaVV2TkWPa7HXWfzTaegL7lyuofS42ADMsef1ZS+nG51oqDil0vt0Fn4zbdXfyiCV8oAbYGEn4LlcKwAAAAAAQABAAAB1MAABAAMAAiAA"}
+00485{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":114,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_last_seen":1642965459762,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"ts_msec":1642965459762,"pkt":"KDc3AG3IEBMx8Tl2CABFAABIvJFAADER8FuQw0mawKgBsiJh7O0ANHLoAgADyErEUocYzaK4R3obiZ8zgwBPg3gAb2E\/AAAAAAAAAAAAQABAAAPgAwA="}
+00558{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":207,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":1,"flow_first_seen":1642965460219,"flow_last_seen":1642965460219,"flow_idle_time":180000,"flow_min_l4_payload_len":123,"flow_max_l4_payload_len":123,"flow_tot_l4_payload_len":123,"flow_avg_l4_payload_len":123,"midstream":0,"ts_msec":1642965460219,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":58117,"dst_port":8801,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00594{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":207,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_last_seen":1642965460219,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":165,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":165,"pkt_l4_len":131,"ts_msec":1642965460219,"pkt":"EBMx8Tl2KDc3AG3ICABFAACXHkIAAEARv1zAqAGykMNJmuMFImEAg0sbAQADlUCX4nL8uBw5x1bMJMqfpQAAAAAAAAACAG9jrwBvY68AAABAl22YpdImmjxXhx5z1M7uHC\/xx4xLX\/xo6rKtN3WTuu3glztmqi13Dg3+OBrijJCCvcHGEhZr6j9A\/GzgvpreMAAAAAAAQABAAAB1MAABAAMAAiAA"}
+00594{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":225,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_last_seen":1642965460317,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":165,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":165,"pkt_l4_len":131,"ts_msec":1642965460317,"pkt":"EBMx8Tl2KDc3AG3ICABFAACXuuwAAEARIrLAqAGykMNJmuMFImEAg\/g7AQADlUCX4nL8uBw5x1bMJMqfpQAAAAAAAAACAG9kEQBvZBEAAABAYCF6J0n\/WNesLuhly3GilJRpD8dJ+KbseJYiXUvXdBy1BvwwVV6C\/wnkDo4q0xg18raEv1VcZUiYfPp+4+eDYQAAAAAAQABAAAB1MAABAAMAAiAA"}
+00558{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":257,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":1,"flow_first_seen":1642965460359,"flow_last_seen":1642965460359,"flow_idle_time":180000,"flow_min_l4_payload_len":125,"flow_max_l4_payload_len":125,"flow_tot_l4_payload_len":125,"flow_avg_l4_payload_len":125,"midstream":0,"ts_msec":1642965460359,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":57953,"dst_port":8801,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00600{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":257,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":1,"flow_last_seen":1642965460359,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":167,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":167,"pkt_l4_len":133,"ts_msec":1642965460359,"pkt":"EBMx8Tl2KDc3AG3ICABFAACZRuYAAEARlrbAqAGykMNJmuJhImEAhZWQAQADwkJYttycXaTnsMPEsai0ugAAAAAAAAACAG9kOwBvZDsAAABApVhZIZOkPdPcglYaSbgpBjDk\/MvSG2goKbIYnvwwI7Hk5hukCNUa7y2hxCyksMeoW3RGKeDuDF4Y532DNkXq3f\/\/\/\/8AQABAAAB1MAABAAMAAiAACgA="}
+00484{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":274,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_last_seen":1642965460395,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"ts_msec":1642965460395,"pkt":"KDc3AG3IEBMx8Tl2CABFAABIvbFAADER7zuQw0mawKgBsiJh4wUANKrxAgADlUCX4nL8uBw5x1bMJMqfpQBPg3kAb2OvAAAAAAAAAAAAQABAAAPgAwA="}
+00599{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":299,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_last_seen":1642965460461,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":167,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":167,"pkt_l4_len":133,"ts_msec":1642965460461,"pkt":"EBMx8Tl2KDc3AG3ICABFAACZ6kAAAEAR81vAqAGykMNJmuJhImEAhaEiAQADwkJYttycXaTnsMPEsai0ugAAAAAAAAACAG9koQBvZKEAAABA6DEQatkP0ZiaMugg0SFSq6JqmaXOleBRM3eRUGv0uLvPr6CL4g3oVryKRdoOzve7SJqEd+2jwB1vjsn7k5LMNv\/\/\/\/8AQABAAAB1MAABAAMAAiAACgA="}
+00484{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":348,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_last_seen":1642965460546,"flow_idle_time":180000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"ts_msec":1642965460546,"pkt":"KDc3AG3IEBMx8Tl2CABFAABIvg1AAC8R8N+Qw0mawKgBsiJh4mEANErbAgADwkJYttycXaTnsMPEsai0ugBPg3oAb2Q7AAAAAAAAAAAAQABAAAPgAwA="}
+00593{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":644,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":255,"flow_first_seen":1642965459595,"flow_last_seen":1642965461322,"flow_idle_time":180000,"flow_min_l4_payload_len":14,"flow_max_l4_payload_len":1237,"flow_tot_l4_payload_len":251743,"flow_avg_l4_payload_len":987,"midstream":0,"ts_msec":1642965461322,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":60653,"dst_port":8801,"l4_proto":"udp","ndpi": {"proto":"Zoom","breed":"Acceptable","category":"Video"}}
+00594{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":644,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":255,"flow_first_seen":1642965459595,"flow_last_seen":1642965461322,"flow_idle_time":180000,"flow_min_l4_payload_len":14,"flow_max_l4_payload_len":1237,"flow_tot_l4_payload_len":251743,"flow_avg_l4_payload_len":987,"midstream":0,"ts_msec":1642965461322,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":60653,"dst_port":8801,"l4_proto":"udp","ndpi": {"proto":"Unknown","breed":"Unrated","category":"Video"}}
+00592{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":3189,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":255,"flow_first_seen":1642965460219,"flow_last_seen":1642965467891,"flow_idle_time":180000,"flow_min_l4_payload_len":14,"flow_max_l4_payload_len":326,"flow_tot_l4_payload_len":28820,"flow_avg_l4_payload_len":113,"midstream":0,"ts_msec":1642965467891,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":58117,"dst_port":8801,"l4_proto":"udp","ndpi": {"proto":"Zoom","breed":"Acceptable","category":"Video"}}
+00593{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":3189,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":255,"flow_first_seen":1642965460219,"flow_last_seen":1642965467891,"flow_idle_time":180000,"flow_min_l4_payload_len":14,"flow_max_l4_payload_len":326,"flow_tot_l4_payload_len":28820,"flow_avg_l4_payload_len":113,"midstream":0,"ts_msec":1642965467891,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":58117,"dst_port":8801,"l4_proto":"udp","ndpi": {"proto":"Unknown","breed":"Unrated","category":"Video"}}
+00524{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":11804,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":1,"flow_first_seen":1642965500049,"flow_last_seen":1642965500049,"flow_idle_time":120000,"flow_min_l4_payload_len":36,"flow_max_l4_payload_len":36,"flow_tot_l4_payload_len":36,"flow_avg_l4_payload_len":36,"midstream":0,"ts_msec":1642965500049,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3}
+00468{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":11804,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_last_seen":1642965500049,"flow_idle_time":120000,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":70,"pkt_l4_len":36,"ts_msec":1642965500049,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA4064AAEABCl\/AqAGykMNJmgMD9zUAAAAARQAAdCt\/QAAxEYFCkMNJmsCoAbIiYeMFAGAAAA=="}
+00576{"flow_event_id":6,"flow_event_name":"detected","thread_id":0,"packet_id":11804,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":1,"flow_first_seen":1642965500049,"flow_last_seen":1642965500049,"flow_idle_time":120000,"flow_min_l4_payload_len":36,"flow_max_l4_payload_len":36,"flow_tot_l4_payload_len":36,"flow_avg_l4_payload_len":36,"midstream":0,"ts_msec":1642965500049,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","l4_proto":"icmp","ndpi": {"proto":"ICMP","breed":"Acceptable","category":"Network"},"entropy":4.253434}
+00466{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":11812,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":2,"flow_last_seen":1642965500053,"flow_idle_time":120000,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":70,"pkt_l4_len":36,"ts_msec":1642965500053,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA48ZAAAEAB7HzAqAGykMNJmgMD6XYAAAAARQAESyuFQAAxEX1lkMNJmsCoAbIiYeztBDcAAA=="}
+00466{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":11815,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":3,"flow_last_seen":1642965500054,"flow_idle_time":120000,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":70,"pkt_l4_len":36,"ts_msec":1642965500054,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA4fvIAAEABXxvAqAGykMNJmgMD6XYAAAAARQAESyuHQAAxEX1jkMNJmsCoAbIiYeztBDcAAA=="}
+00590{"flow_event_id":5,"flow_event_name":"guessed","thread_id":0,"packet_id":11977,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":87,"flow_first_seen":1642965460359,"flow_last_seen":1642965500043,"flow_idle_time":180000,"flow_min_l4_payload_len":14,"flow_max_l4_payload_len":143,"flow_tot_l4_payload_len":6087,"flow_avg_l4_payload_len":69,"midstream":0,"ts_msec":1642965502810,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":57953,"dst_port":8801,"l4_proto":"udp","ndpi": {"proto":"Zoom","breed":"Acceptable","category":"Video"}}
+00561{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":11977,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":4,"flow_packets_processed":87,"flow_first_seen":1642965460359,"flow_last_seen":1642965500043,"flow_idle_time":180000,"flow_min_l4_payload_len":14,"flow_max_l4_payload_len":143,"flow_tot_l4_payload_len":6087,"flow_avg_l4_payload_len":69,"midstream":0,"ts_msec":1642965502810,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":57953,"dst_port":8801,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00564{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":11977,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":1,"flow_packets_processed":902,"flow_first_seen":1642965458402,"flow_last_seen":1642965502810,"flow_idle_time":7440000,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1440,"flow_tot_l4_payload_len":107730,"flow_avg_l4_payload_len":119,"midstream":0,"ts_msec":1642965502810,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":50076,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3}
+00566{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":11977,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":3,"flow_packets_processed":2230,"flow_first_seen":1642965460219,"flow_last_seen":1642965500203,"flow_idle_time":180000,"flow_min_l4_payload_len":14,"flow_max_l4_payload_len":334,"flow_tot_l4_payload_len":368542,"flow_avg_l4_payload_len":165,"midstream":0,"ts_msec":1642965502810,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":58117,"dst_port":8801,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00568{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":11977,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":2,"flow_packets_processed":8731,"flow_first_seen":1642965459595,"flow_last_seen":1642965500185,"flow_idle_time":180000,"flow_min_l4_payload_len":14,"flow_max_l4_payload_len":1297,"flow_tot_l4_payload_len":7999131,"flow_avg_l4_payload_len":916,"midstream":0,"ts_msec":1642965502810,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":60653,"dst_port":8801,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3}
+00527{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":11977,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":5,"flow_packets_processed":27,"flow_first_seen":1642965500049,"flow_last_seen":1642965500203,"flow_idle_time":120000,"flow_min_l4_payload_len":36,"flow_max_l4_payload_len":36,"flow_tot_l4_payload_len":972,"flow_avg_l4_payload_len":36,"midstream":0,"ts_msec":1642965502810,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3}
+00157{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":11977,"source":"zoom2.pcap","alias":"nDPId-test","total-events-serialized":36}
+~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
+~~ packets captured/processed: 11977/11977
+~~ skipped flows.............: 0
+~~ total layer4 data length..: 8482462 bytes
+~~ total detected protocols..: 4
+~~ total active/idle flows...: 5/5
+~~ total timeout flows.......: 0
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~ total memory allocated....: 4955725 bytes
+~~ total memory freed........: 4955725 bytes
+~~ total allocations/frees...: 111532/111532
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~ json string min len.......: 162 chars
+~~ json string max len.......: 1234 chars
+~~ json string avg len.......: 768 chars
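Review bot: For flows 2 and 3 this new golden file pins a `detected` event with `"proto":"Unknown","breed":"Unrated"` directly after a `guessed` event with `"proto":"Zoom","breed":"Acceptable"`, at the same packet_id (644 and 3189). Both pairs are emitted at `flow_packets_processed":255`, which matches `max-packets-per-flow-to-process` in the init event, so this looks like the give-up path emitting two contradictory classifications rather than a real detection. A consumer that treats `detected` as authoritative over `guessed` would record these UDP/8801 flows as Unknown/Unrated, and the event is also internally inconsistent because `category` stays `"Video"`. Flow 4 goes idle before reaching the limit and gets only `guessed`, so the result depends on flow length. The nDPId.c change is not visible here, so please confirm there whether a `detected` event should be suppressed when the protocol is still unknown at the packet limit; if so, the two `"flow_event_name":"detected"` lines with `"proto":"Unknown"` should not be part of the expected output.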