diff options
107 files changed, 366 insertions, 548 deletions
diff --git a/nDPId-test.c b/nDPId-test.c index dd5bb97c1..16254ed60 100644 --- a/nDPId-test.c +++ b/nDPId-test.c @@ -571,9 +571,10 @@ static enum nDPIsrvd_callback_return distributor_json_callback(struct nDPIsrvd_s { global_stats->json_message_len_max = sock->buffer.json_message_length; } - global_stats->json_message_len_avg = (global_stats->json_message_len_avg + - (global_stats->json_message_len_max + global_stats->json_message_len_min) / 2) / - 2; + global_stats->json_message_len_avg = + (global_stats->json_message_len_avg + + (global_stats->json_message_len_max + global_stats->json_message_len_min) / 2) / + 2; global_stats->total_events_deserialized++; @@ -2035,9 +2036,9 @@ int main(int argc, char ** argv) return 1; } - if (nDPId_return.total_active_flows > distributor_return.stats.flow_detected_count + - distributor_return.stats.flow_guessed_count + - distributor_return.stats.flow_not_detected_count) + if (nDPId_return.total_active_flows != distributor_return.stats.flow_detected_count + + distributor_return.stats.flow_guessed_count + + distributor_return.stats.flow_not_detected_count) { logger(1, "%s: Amount of total active flows not equal to the amount of received 'detected', 'guessed and " @@ -692,7 +692,8 @@ static int zlib_deflate(const void * const src, int srcLen, void * dst, int dstL int ret = -1; err = deflateInit2(&strm, Z_BEST_COMPRESSION, Z_BINARY, 15, 9, Z_HUFFMAN_ONLY); - if (err != Z_OK) { + if (err != Z_OK) + { err = deflateInit(&strm, Z_BEST_COMPRESSION); } if (err == Z_OK) @@ -1090,6 +1091,9 @@ static int get_ip_netmask_from_pcap_dev(char const * const pcap_dev) if (getifaddrs(&ifaddrs) != 0 || ifaddrs == NULL) { + int saved_errno = errno; + logger_early(1, "Interface retrieval failed with: %s", strerror(saved_errno)); + errno = saved_errno; return 1; } @@ -1113,6 +1117,11 @@ static int get_ip_netmask_from_pcap_dev(char const * const pcap_dev) case AF_INET6: if (ip6_interface_avail == 0 && get_ip6_address_and_netmask(ifa->ifa_name, ifnamelen) != 0) { + int saved_errno = errno; + logger_early(1, + "IPv6 address/netmask retrieval from proc filesystem failed with: %s", + strerror(saved_errno)); + errno = saved_errno; retval = 1; } ip6_interface_avail = 1; @@ -1123,7 +1132,7 @@ static int get_ip_netmask_from_pcap_dev(char const * const pcap_dev) } } - if (found_dev != 0 && + if (retval == 0 && found_dev != 0 && (nDPId_options.process_internal_initial_direction != 0 || nDPId_options.process_external_initial_direction != 0) && ip4_interface_avail == 0 && ip6_interface_avail == 0) @@ -1379,6 +1388,9 @@ static struct nDPId_workflow * init_workflow(char const * const file_or_device) ndpi_finalize_initialization(workflow->ndpi_struct); ndpi_set_detection_preferences(workflow->ndpi_struct, ndpi_pref_enable_tls_block_dissection, 1); + ndpi_set_detection_preferences(workflow->ndpi_struct, + ndpi_pref_max_packets_to_process, + nDPId_options.max_packets_per_flow_to_process); if (ndpi_init_serializer_ll(&workflow->ndpi_serializer, ndpi_serialization_format_json, NETWORK_BUFFER_MAX_SIZE) != 0) @@ -4212,33 +4224,6 @@ static void ndpi_process_packet(uint8_t * const args, return; } - if (flow_to_process->info.detection_data->flow.num_processed_pkts == - nDPId_options.max_packets_per_flow_to_process - 1) - { - if (flow_to_process->info.detection_completed != 0) - { - reader_thread->workflow->total_flow_detection_updates++; - jsonize_flow_detection_event(reader_thread, flow_to_process, FLOW_EVENT_DETECTION_UPDATE); - } - else - { - /* last chance to guess something, better then nothing */ - uint8_t protocol_was_guessed = 0; - flow_to_process->info.detection_data->guessed_l7_protocol = ndpi_detection_giveup( - workflow->ndpi_struct, &flow_to_process->info.detection_data->flow, 1, &protocol_was_guessed); - if (protocol_was_guessed != 0) - { - workflow->total_guessed_flows++; - jsonize_flow_detection_event(reader_thread, flow_to_process, FLOW_EVENT_GUESSED); - } - else - { - reader_thread->workflow->total_not_detected_flows++; - jsonize_flow_detection_event(reader_thread, flow_to_process, FLOW_EVENT_NOT_DETECTED); - } - } - } - flow_to_process->flow_extended.detected_l7_protocol = ndpi_detection_process_packet(workflow->ndpi_struct, &flow_to_process->info.detection_data->flow, @@ -4280,6 +4265,26 @@ static void ndpi_process_packet(uint8_t * const args, } if (flow_to_process->info.detection_data->flow.num_processed_pkts == + nDPId_options.max_packets_per_flow_to_process && + flow_to_process->info.detection_completed == 0) + { + /* last chance to guess something, better then nothing */ + uint8_t protocol_was_guessed = 0; + flow_to_process->info.detection_data->guessed_l7_protocol = ndpi_detection_giveup( + workflow->ndpi_struct, &flow_to_process->info.detection_data->flow, 1, &protocol_was_guessed); + if (protocol_was_guessed != 0) + { + workflow->total_guessed_flows++; + jsonize_flow_detection_event(reader_thread, flow_to_process, FLOW_EVENT_GUESSED); + } + else + { + reader_thread->workflow->total_not_detected_flows++; + jsonize_flow_detection_event(reader_thread, flow_to_process, FLOW_EVENT_NOT_DETECTED); + } + } + + if (flow_to_process->info.detection_data->flow.num_processed_pkts == nDPId_options.max_packets_per_flow_to_process || (ndpi_is_protocol_detected(workflow->ndpi_struct, flow_to_process->flow_extended.detected_l7_protocol) != 0 && ndpi_extra_dissection_possible(workflow->ndpi_struct, &flow_to_process->info.detection_data->flow) == 0)) diff --git a/test/results/caches_cfg/teams.pcap.out b/test/results/caches_cfg/teams.pcap.out index 8344b2dcf..80a19dc6a 100644 --- a/test/results/caches_cfg/teams.pcap.out +++ b/test/results/caches_cfg/teams.pcap.out @@ -38,7 +38,6 @@ 00781{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":37,"source":"cfgs\/caches_cfg\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":4,"flow_src_last_pkt_time":1587041676499766,"flow_dst_last_pkt_time":1587041676405623,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":240,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":240,"pkt_l4_len":206,"thread_ts_usec":1587041676499766,"pkt":"EBMx8Tl2KDc3AG3ICABFAADiAABAAEAG9tTAqAEGNHJNIex0AbuczSMoSaIgqYAYEAlcWgAAAQEICjCEl\/VhBkyoFgMBAKkBAAClAwNgsc\/zVfk3fJaoeGVjBvcvXHJydxa1mwDEXFImXbQK\/wAAHsAvwCvAMMAszKnMqMAJwBPACsAUAJwAnQAvADUACgEAAF7\/AQABAAAAACMAIQAAHm1vYmlsZS5waXBlLmFyaWEubWljcm9zb2Z0LmNvbQAXAAAAIwAAAA0AFAASBAMIBAQBBQMIBQUBCAYGAQIBAAsAAgEAAAoACAAGAB0AFwAY"} 01244{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":37,"source":"cfgs\/caches_cfg\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1587041676362386,"flow_src_last_pkt_time":1587041676499766,"flow_dst_last_pkt_time":1587041676405623,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":174,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":174,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041676499766,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60532,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}}},"confidence": {"6":"DPI"},"proto":"TLS.Microsoft","proto_id":"91.212","proto_by_ip":"Azure","proto_by_ip_id":276,"encrypted":1,"breed":"Safe","category_id":13,"category":"Cloud","hostname":"mobile.pipe.aria.microsoft.com","tls": {"version":"TLSv1.2","ja3":"a1674500365bdd882188db63730e69a2","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}} 02166{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":47,"source":"cfgs\/caches_cfg\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1587041676435900,"flow_src_last_pkt_time":1587041676535873,"flow_dst_last_pkt_time":1587041676535853,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":258,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":757,"flow_dst_tot_l4_payload_len":10509,"midstream":0,"thread_ts_usec":1587041676535873,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60533,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":2,"avg":6449.2,"max":29755,"stddev":8827.8,"var":77930416.0,"ent":3.7,"data": [12466,12563,1399,13862,1628,233,14289,254,250,114,2,99,4851,16541,1120,12847,339,301,11408,365,232,23032,26,11077,443,29285,29755,471,122,15,537]},"pktlen": {"min":40,"avg":393.9,"max":1492,"stddev":548.1,"var":300365.6,"ent":3.9,"data": [64,52,40,250,46,1492,1492,40,1492,40,1492,257,40,198,46,366,40,109,40,133,78,298,78,46,40,46,556,40,1492,1492,671,40]},"bins": {"c_to_s": [10,1,1,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,1,0,0,0,1,0,0,0,1,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,1,1,0,0,1,1,0,1,0,0,0,0,1,1,0,1,1,0,1,1,1,0],"entropies": [4.365527153,4.946223736,4.521928787,5.447622776,4.609350681,7.356091499,7.445232391,4.680641174,7.544306755,4.571928501,7.621133804,7.081102371,4.630641460,6.624766827,4.609350681,7.169972897,4.680641174,6.030838013,4.630641460,6.150182247,5.105917454,7.025798798,5.428217888,4.565872192,4.680641174,4.565872192,7.556540489,4.680641174,7.827769756,7.840335846,7.703694820,4.680641174]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","proto_by_ip":"Skype_Teams","proto_by_ip_id":125,"encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative"}} -01491{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":47,"source":"cfgs\/caches_cfg\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1587041676435900,"flow_src_last_pkt_time":1587041676535873,"flow_dst_last_pkt_time":1587041676535853,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":258,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":757,"flow_dst_tot_l4_payload_len":10509,"midstream":0,"thread_ts_usec":1587041676535873,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60533,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","proto_by_ip":"Skype_Teams","proto_by_ip_id":125,"encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative","hostname":"teams.microsoft.com","tls": {"version":"TLSv1.2","server_names":"teams.microsoft.com","ja3":"ebf5e0e525258d7a8dcb54aa1564ecbd","ja3s":"0f14538e1c9070becdad7739c67d6363","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4","subjectDN":"CN=teams.microsoft.com","advertised_alpns":"h2,http\/1.1","negotiated_alpn":"h2","fingerprint":"68:1E:E8:3C:83:70:6F:E3:86:F4:E8:8C:C4:E6:A0:9A:3E:E0:9C:0E"}}} 02484{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":56,"source":"cfgs\/caches_cfg\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":5,"flow_src_last_pkt_time":1587041676499766,"flow_dst_last_pkt_time":1587041676545373,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":1506,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1506,"pkt_l4_len":1472,"thread_ts_usec":1587041676545373,"pkt":"KDc3AG3IEBMx8Tl2CABFAAXUL\/9AAGwGleM0ck0hwKgBBgG77HRJoiCpnM0j1oAQBAXctwAAAQEICmEGTTMwhJf1FgMDEGYCAABRAwNemFWMXBNb2F1eIS0NgygX31DvjFSWgfTq\/PXgXBX\/USAORwAAVmOWcPohT0niCo9N4puGGU7iW5AxxYvHQvC098AwAAAJABcAAP8BAAEACwAO3QAO2gAJHDCCCRgwggcAoAMCAQICExYACr2jKIomrOvxeF4AAAAKvaMwDQYJKoZIhvcNAQELBQAwgYsxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xFTATBgNVBAsTDE1pY3Jvc29mdCBJVDEeMBwGA1UEAxMVTWljcm9zb2Z0IElUIFRMUyBDQSA0MB4XDTE5MTAxMDIxNTUzOFoXDTIxMTAxMDIxNTUzOFowJjEkMCIGA1UEAwwbKi5ldmVudHMuZGF0YS5taWNyb3NvZnQuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq8J31SJyCTCkjxtLC8JE7aU56y+0937PcYfrFGWW\/wSL1vxV6UtbY+5UyBq7YUvoZUI+YYWI6FMysHpnkiGQR5h3NLX2it0lgM0JMJXgIYfO+vdhJalxciwWfJHOcY4+eUQwpTmpGeOTzK\/sd1W+VOYbkgWPJ0lAEgTcRXL\/NZZAtyce+Sv4+b4jHwY9pwQxOHJWtnns0bK3jD\/RcAtjLeUisGvBGtt1SItPOQvgD6i2AdvjCkjqVXn0nxT\/yKuGkvtii1i85nrjeMS5pKgL+N2I4goIXeRAaK089dd0KrnNO6kLEhhSHgHwJHnPwfqeXH1Q2p1Zw2r13mOsJdyP7QIDAQABo4IE1zCCBNMwggF\/BgorBgEEAdZ5AgQCBIIBbwSCAWsBaQB2APZclC\/RdzAiFFQYCDCUVo7jTRMZM7\/fDC8gC8xO8WTjAAABbbe0zD0AAAQDAEcwRQIgXUu8wYK\/QqX5unkLcaUv4T8oQWu5yZb6M3RYbUFPJ7sCIQCVvziq+dynpJXSFyAk+ZobbjdMm8Ziuyzc0miXoW9hmQB2AFWB1MIWkDYBSuoLm1c8U\/DA5Dh4cCUIFy+jqh0HE9MMAAABbbe0zTwAAAQDAEcwRQIgOIr7NuYD18H8X6OV\/YdBgg0HoCy47ognD1Etlbp3ZVgCIQCAVAoqvjDqhz4It72mColVOT\/FZuexWjdVPWkvuAPY1AB3AESUZS6w7s6vxEAH2Kj+KMDa5oK+2MsxtT\/TM5a1toGoAAABbbe0zEEAAAQDAEgwRgIhAMLyKXAV0HvPisLX5tlLiDTgtSUtRgffnQWc5h8Pdj8PAiEAo6ENbH0+qORahbVCksBW940dOZQUoTXblsn+bri9ExQwJwYJKwYBBAGCNxUKBBowGDAKBggrBgEFBQcDAjAKBggrBgEFBQcDATA+BgkrBgEEAYI3FQcEMTAvBicrBgEEAYI3FQiH2oZ1g+7ZAYLJhRuBtZ5hhfTrYIFdhNLfQoLnk3oCAWQCAR0wgYUGCCsGAQUFBwEBBHkwdzBRBggrBgEFBQcwAoZFaHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraS9tc2NvcnAvTWljcm9zb2Z0JTIwSVQlMjBUTFMlMjBDQSUyMDQuY3J0MCIGCCsGAQUFBzABhhZodHRwOi8vb2NzcC5tc29jc3AuY29tMB0GA1UdDgQWBBQa+kPWU8gwtBlTGMvS3dHpIWlv7TALBgNVHQ8EBAMCBLAwgfIGA1UdEQSB6jCB54IbKi5ldmVudHMuZGF0YS5taWNyb3NvZnQuY29tghlldmVudHMuZGF0YS5taWNyb3NvZnQuY29tghkqLnBpcGUuYXJpYS5taWNyb3NvZnQuY29tgg5waXBl"} 01776{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":59,"source":"cfgs\/caches_cfg\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1587041676362386,"flow_src_last_pkt_time":1587041676545644,"flow_dst_last_pkt_time":1587041676545713,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":174,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":174,"flow_dst_tot_l4_payload_len":4203,"midstream":0,"thread_ts_usec":1587041676545713,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60532,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}}},"confidence": {"6":"DPI"},"proto":"TLS.Microsoft","proto_id":"91.212","proto_by_ip":"Azure","proto_by_ip_id":276,"encrypted":1,"breed":"Safe","category_id":13,"category":"Cloud","hostname":"mobile.pipe.aria.microsoft.com","tls": {"version":"TLSv1.2","server_names":"*.events.data.microsoft.com,events.data.microsoft.com,*.pipe.aria.microsoft.com,pipe.skype.com,*.pipe.skype.com,*.mobile.events.data.microsoft.com,mobile.events.data.microsoft.com,*.events.data.msn.com,events.data.msn.com","ja3":"a1674500365bdd882188db63730e69a2","ja3s":"ae4edc6faf64d08308082ad26be60767","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4","subjectDN":"CN=*.events.data.microsoft.com","fingerprint":"33:B3:B7:E9:DA:25:F5:A0:04:E9:63:87:B6:FB:54:77:DB:ED:27:EB"}}} 00294{"error_event_id":5,"error_event_name":"Unknown packet type","threshold_n":7,"threshold_n_max":16,"threshold_time":10000000,"threshold_ts_usec":1587041676611249,"packet_id":64,"source":"cfgs\/caches_cfg\/pcap\/teams.pcap","alias":"nDPId-test","layer_type":38,"global_ts_usec":1587041676611249} @@ -52,7 +51,6 @@ 02499{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":69,"source":"cfgs\/caches_cfg\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":5,"flow_src_last_pkt_time":1587041676643404,"flow_dst_last_pkt_time":1587041676675374,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":1506,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1506,"pkt_l4_len":1472,"thread_ts_usec":1587041676675374,"pkt":"KDc3AG3IEBMx8Tl2CABFAAXULqZAAG0G5kwofgkFwKgBBgG77HaiQyYcpEtP4IAQBAWIzwAAAQEIClUAvgAwhJiBCxMMTWljcm9zb2Z0IElUMR4wHAYDVQQDExVNaWNyb3NvZnQgSVQgVExTIENBIDEwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCO8\/GEdXe8vsmk9RalUytQYJnc2H3ZJLXhckk3SP7ahpOjfR2aSxBNd3l+Zal8bjbiR9Q2SdDMJAInFOKucc3ZV3Q8EFYZkkqHYvnjkI1e3tFBGxqmH0CiLB6OVdcm2GhCq+wN3t1eYZWzrGyBzqjgra9fyqbkUWguJ\/1UKnGkzLt+kvH2U1EFMdAZgrDKY9DySgALzfRpS\/RallY5JsmdSwpjNDKApQTl6ii3wQDAbRrwKNRKj4CscxnY9RYvra4Il2IGLP7npfCtQVN\/jSsxwxRzId3jeGOcUYa1okhJwHkIFUMAK5m4S+DHVwdsxLmmVC0BU\/Kj8qTM2cFU84jN5EwT04ozIVitGL++OYFwOWk3+FukY+8JB9+HGmLHmgjF0R1eYnYB3WnmOLtEsC1NOsYugOBgclvyzOaOXDohHl2wOSu96hPLlsu2anSMjrwOEJ8bpUBBj5FcdqcO8ao6h7cMd99xai8oYUItkA9yBatn4MF7y5xAmsQKCESMfD26qQ4esdkivR9fQWpzVPZm4qD5pjne0nfzaQS\/t7s8xJP\/cgQctTadaH\/f+jlPsvaPuRz\/re0OFQjjhnzySEl3lxb2\/QD2T6Zeb+c5wFFlPeuxlzDs6p5z\/B4soN+Lz3NftQ4GQhcmlezYqSfQ0GWUXOI\/yigppSD0yN1dtP\/m3QIDAQABo4IBQjCCAT4wHQYDVR0OBBYEFFiIn9bcnEgitxQ+\/4SI6OaF\/\/p9MB8GA1UdIwQYMBaAFOWdWTCCR1jMrPoIVDaGezq1BE3wMBIGA1UdEwEB\/wQIMAYBAf8CAQAwDgYDVR0PAQH\/BAQDAgGGMCcGA1UdJQQgMB4GCCsGAQUFBwMBBggrBgEFBQcDAgYIKwYBBQUHAwkwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL09tbmlyb290MjAyNS5jcmwwPQYDVR0gBDYwNDAyBgRVHSAAMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwDQYJKoZIhvcNAQELBQADggEBADCaxp1q\/e+TCAy+gnf5dqBtnnswI3uoKVr0aj7HCwyW37hLUuQNnDjteGO1c8AcHzvgp\/9\/SVGVMrjQm6nlz5YDgYDVSmEY\/sRqxt9\/QUYinIBm6w9CoOTzpCGjmNB6dPaM6MPSK6orzhFZGUTnXAcJQuvX\/RVNuW9sRDUmh7qjO2iwgecgyX8TAvPMq58clVDLrmSAu4cKXc6ma7J94z024ilRtyX80AnjsK3EYi4+foUmsvav920xc8YZmKlykwLOygs9POzZcOiA9RareGqHTcaBN6gKdoEGqO8XYHxwEBM8ONczTOQ3ZQj7kbPoFnZhKmX1WJSzRQHvwE8De7gMAAFJAwAXQQTOd4jCuMTh7EYDlmBiiGmTGwexXcFlv\/T2ck50p74cYWIJH\/qL5LjbfCSDp3wqAO8ZZNaw1gxy4Uzbx\/mTFEUoBAEBACuEjKAM1qXUNVaS\/GaC95SQ9vmaMh+jYNW\/golBe81NwxyW1ReEMvroTkbS6BjiR97ixB57SOr\/EVlzcCLlr0XL6vCOvZKaaq3SzHreSfwbGspHUYxwK5i8j23AovUYK4FdR8PK9GkF5j5DZYPL2nmL62KrpTU3AqFF18hKfZ2alq2jaowqtsC3NBCAd6aifgpEBRhB9rZP2x\/YPgDeBGSAHqMX"} 01202{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":69,"source":"cfgs\/caches_cfg\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":2,"flow_first_seen":1587041676612882,"flow_src_last_pkt_time":1587041676643404,"flow_dst_last_pkt_time":1587041676675374,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":246,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":246,"flow_dst_tot_l4_payload_len":1440,"midstream":0,"thread_ts_usec":1587041676675374,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"40.126.9.5","src_port":60534,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Microsoft365","proto_id":"91.219","proto_by_ip":"Azure","proto_by_ip_id":276,"encrypted":1,"breed":"Acceptable","category_id":15,"category":"Collaborative","hostname":"login.microsoftonline.com","tls": {"version":"TLSv1.2","ja3":"a69708a64f853c3bcc214c2c5faf84f3","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","advertised_alpns":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1"}}} 02308{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":109,"source":"cfgs\/caches_cfg\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":23,"flow_dst_packets_processed":9,"flow_first_seen":1587041676362386,"flow_src_last_pkt_time":1587041676859269,"flow_dst_last_pkt_time":1587041676859222,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1428,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":23115,"flow_dst_tot_l4_payload_len":4254,"midstream":0,"thread_ts_usec":1587041676859269,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60532,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":1,"avg":32055.5,"max":221245,"stddev":54144.2,"var":2931591680.0,"ent":3.4,"data": [43237,43341,94039,139750,215,45878,125,102,1406,46781,45438,177198,6,1,221245,44042,6,2,2,21255,21237,4,23005,23005,5,2,3,1223,1159,4,3]},"pktlen": {"min":52,"avg":907.9,"max":1492,"stddev":687.5,"var":472618.5,"ent":4.4,"data": [64,60,52,226,1492,1492,52,1375,52,145,103,52,1480,1480,1480,52,1480,1480,1480,1480,52,1480,1480,52,1480,1480,1480,1480,52,1480,1480,1480]},"bins": {"c_to_s": [5,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0],"s_to_c": [5,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0]},"directions": [0,1,0,0,1,1,0,1,0,0,1,0,0,0,0,1,0,0,0,0,1,0,0,1,0,0,0,0,1,0,0,0],"entropies": [4.428027153,5.210652828,4.884933472,5.556665897,7.283374786,7.268235207,4.923395157,7.674625397,4.884933472,5.901349068,5.537203789,4.923394680,7.865010738,7.865353107,7.863998413,5.116508007,7.872262955,7.872727394,7.850155830,7.872891426,5.101991177,7.883207798,7.861774921,5.078046322,7.883695126,7.860937595,7.861885548,7.869150639,5.092563629,7.862890244,7.881820202,7.880939960]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}}},"confidence": {"6":"DPI"},"proto":"TLS.Microsoft","proto_id":"91.212","proto_by_ip":"Azure","proto_by_ip_id":276,"encrypted":1,"breed":"Safe","category_id":13,"category":"Cloud"}} -01781{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":109,"source":"cfgs\/caches_cfg\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":23,"flow_dst_packets_processed":9,"flow_first_seen":1587041676362386,"flow_src_last_pkt_time":1587041676859269,"flow_dst_last_pkt_time":1587041676859222,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1428,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":23115,"flow_dst_tot_l4_payload_len":4254,"midstream":0,"thread_ts_usec":1587041676859269,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60532,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}}},"confidence": {"6":"DPI"},"proto":"TLS.Microsoft","proto_id":"91.212","proto_by_ip":"Azure","proto_by_ip_id":276,"encrypted":1,"breed":"Safe","category_id":13,"category":"Cloud","hostname":"mobile.pipe.aria.microsoft.com","tls": {"version":"TLSv1.2","server_names":"*.events.data.microsoft.com,events.data.microsoft.com,*.pipe.aria.microsoft.com,pipe.skype.com,*.pipe.skype.com,*.mobile.events.data.microsoft.com,mobile.events.data.microsoft.com,*.events.data.msn.com,events.data.msn.com","ja3":"a1674500365bdd882188db63730e69a2","ja3s":"ae4edc6faf64d08308082ad26be60767","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4","subjectDN":"CN=*.events.data.microsoft.com","fingerprint":"33:B3:B7:E9:DA:25:F5:A0:04:E9:63:87:B6:FB:54:77:DB:ED:27:EB"}}} 00774{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":153,"source":"cfgs\/caches_cfg\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1587041677042751,"flow_src_last_pkt_time":1587041677042751,"flow_dst_last_pkt_time":1587041677042751,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041677042751,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60535,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} 00562{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":153,"source":"cfgs\/caches_cfg\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":1,"flow_src_last_pkt_time":1587041677042751,"flow_dst_last_pkt_time":1587041677042751,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1587041677042751,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAG93bAqAEGNHJNIex3AbvbPWM6AAAAALAC\/\/\/8iwAAAgQFtAEDAwUBAQgKMISaAAAAAAAEAgAA"} 00555{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":156,"source":"cfgs\/caches_cfg\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":2,"flow_src_last_pkt_time":1587041677042751,"flow_dst_last_pkt_time":1587041677088014,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1587041677088014,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8FwhAAGwGtHI0ck0hwKgBBgG77Hf6fNLR2z1jO6ASIACfvwAAAgQFoAEDAwgEAggKYRMfbzCEmgA="} @@ -222,7 +220,6 @@ 02483{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":451,"source":"cfgs\/caches_cfg\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":28,"flow_packet_id":5,"flow_src_last_pkt_time":1587041682744658,"flow_dst_last_pkt_time":1587041682792228,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":1506,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1506,"pkt_l4_len":1472,"thread_ts_usec":1587041682792228,"pkt":"KDc3AG3IEBMx8Tl2CABFAAXU9YZAAGwG0EI0ck06wKgBBgG77IG+FZj3YAjihlAQCAQbpwAAahz3MIwwCwYDVR0PBAQDAgSwMIHfBgNVHREEgdcwgdSCIyoubm9hbS5wcmVzZW5jZS50ZWFtcy5taWNyb3NvZnQuY29tgiMqLmVtZWEucHJlc2VuY2UudGVhbXMubWljcm9zb2Z0LmNvbYIjKi5hcGFjLnByZXNlbmNlLnRlYW1zLm1pY3Jvc29mdC5jb22CJSoubm9hbWRmLnByZXNlbmNlLnRlYW1zLm1pY3Jvc29mdC5jb22CHioucHJlc2VuY2UudGVhbXMubWljcm9zb2Z0LmNvbYIccHJlc2VuY2UudGVhbXMubWljcm9zb2Z0LmNvbTCBrAYDVR0fBIGkMIGhMIGeoIGboIGYhktodHRwOi8vbXNjcmwubWljcm9zb2Z0LmNvbS9wa2kvbXNjb3JwL2NybC9NaWNyb3NvZnQlMjBJVCUyMFRMUyUyMENBJTIwMS5jcmyGSWh0dHA6Ly9jcmwubWljcm9zb2Z0LmNvbS9wa2kvbXNjb3JwL2NybC9NaWNyb3NvZnQlMjBJVCUyMFRMUyUyMENBJTIwMS5jcmwwTQYDVR0gBEYwRDBCBgkrBgEEAYI3KgEwNTAzBggrBgEFBQcCARYnaHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraS9tc2NvcnAvY3BzMB8GA1UdIwQYMBaAFFiIn9bcnEgitxQ+\/4SI6OaF\/\/p9MB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAgEAFfJmXOb1G3\/gkDpDClarQB6kon6qcwX4Kh295CbM2AS5Vgj29434HX0cY+Z9iv\/MTbIOmx9325DU4Jkds6+IU\/YaIPC6iJQpcE2e349x3dnDm3opekdQpM9PDa129MKr2YMPfEeN8v0qTyUuQZhGs4n0KhbSGQjx5\/B9gHGSpxe32oG49c+UQMe29vQ918eWYGlRxmosgaDo1O8G3hucKxVwq7wwZImn3rzlX2p3MvbHeLrrJ0NnlDsEaTwHS4Q6zzFHSGKHEGxwFQAn8mD1A4CEULHR5utg70c+5SvpcPBwDRulBAl1YVyuiG0lQXudeFRPjGil0p6dBb5dVHM6sDa+2bhTnT5Xrs6ALFkSOC2eT01f34o0LD\/iYJpYUBbRpunp7qdsCEujVxZR8n0k581k760zp6eOKdldSwGD2zCkU49qbfX71ampz0Sa7apdvaSE3KDX92BVUqVgQf0FXIZml2UETl7GkuJ7ywmJNZy\/VBh5fwF2G5tkeqqgUFl6Pz5ffSKavNMdYdiF0oJdwf95BiDLfhWMFAZ\/Az1Qj25O939c39zHdQmU2Gk65JAtVnlAhmcxyqDVZJv7WCLyYv8x3gCNb27V5dMzb8gu1mMtVqxF0t9OtLhe0ZVbT57TWBzaMHvBs\/e9XYiw9V9PDcm\/ctwDNyy0pJxMD8+96LUABbgwggW0MIIEnKADAgECAhAIuHpQG76c2i0WTT45Ub9VMA0GCSqGSIb3DQEBCwUAMFoxCzAJBgNVBAYTAklFMRIwEAYDVQQKEwlCYWx0aW1vcmUxEzARBgNVBAsTCkN5YmVyVHJ1c3QxIjAgBgNVBAMTGUJhbHRpbW9yZSBDeWJlclRydXN0IFJvb3QwHhcNMTYwNTIwMTI1MTI4WhcNMjQwNTIwMTI1MTI4WjCBizELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEVMBMGA1UECxMMTWljcm9zb2Z0IElUMR4wHAYDVQQDExVNaWNyb3NvZnQgSVQgVExTIENBIDEwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCO8\/GEdXe8vsmk"} 01160{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":451,"source":"cfgs\/caches_cfg\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":2,"flow_first_seen":1587041682698689,"flow_src_last_pkt_time":1587041682744658,"flow_dst_last_pkt_time":1587041682792228,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":219,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":219,"flow_dst_tot_l4_payload_len":1452,"midstream":0,"thread_ts_usec":1587041682792228,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.58","src_port":60545,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","proto_by_ip":"Azure","proto_by_ip_id":276,"encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative","hostname":"presence.teams.microsoft.com","tls": {"version":"TLSv1.2","ja3":"ebf5e0e525258d7a8dcb54aa1564ecbd","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","advertised_alpns":"h2,http\/1.1"}}} 02307{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":467,"source":"cfgs\/caches_cfg\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"info","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1587041682369801,"flow_src_last_pkt_time":1587041682803345,"flow_dst_last_pkt_time":1587041682803309,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1428,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":20291,"flow_dst_tot_l4_payload_len":4254,"midstream":0,"thread_ts_usec":1587041682803345,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60543,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":2,"avg":27969.4,"max":152917,"stddev":40324.3,"var":1626047232.0,"ent":3.6,"data": [50532,50647,291,64604,72036,210,136507,124,96,1421,68048,86231,152917,2268,6,3,46387,44112,4,2,3,23630,23615,4,20861,20866,7,7,3,845,765]},"pktlen": {"min":52,"avg":819.7,"max":1492,"stddev":699.2,"var":488828.9,"ent":4.3,"data": [64,60,52,258,52,1492,1492,52,1375,52,145,52,103,52,1480,1480,1480,52,1480,1480,1480,1480,52,1480,1480,52,1480,1480,1480,1480,52,1480]},"bins": {"c_to_s": [5,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0],"s_to_c": [7,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,0,1,1,0,0,0,0,1,0,0,0,0,1,0,0,1,0,0,0,0,1,0],"entropies": [4.384982109,5.323234558,4.961856842,5.939832211,5.116507530,7.288343430,7.267649651,5.000318527,7.662917614,4.961856842,5.882802486,5.193430901,5.624773026,4.961856842,7.851280689,7.841383457,7.873037815,5.154969692,7.851320267,7.856824398,7.856104374,7.863511562,5.154969215,7.862011433,7.862949848,5.154969215,7.888728619,7.861488342,7.847744942,7.865393639,5.193430901,7.879679203]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}}},"confidence": {"6":"DPI"},"proto":"TLS.Microsoft","proto_id":"91.212","proto_by_ip":"Azure","proto_by_ip_id":276,"encrypted":1,"breed":"Safe","category_id":13,"category":"Cloud"}} -01783{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":467,"source":"cfgs\/caches_cfg\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"info","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1587041682369801,"flow_src_last_pkt_time":1587041682803345,"flow_dst_last_pkt_time":1587041682803309,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1428,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":20291,"flow_dst_tot_l4_payload_len":4254,"midstream":0,"thread_ts_usec":1587041682803345,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60543,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}}},"confidence": {"6":"DPI"},"proto":"TLS.Microsoft","proto_id":"91.212","proto_by_ip":"Azure","proto_by_ip_id":276,"encrypted":1,"breed":"Safe","category_id":13,"category":"Cloud","hostname":"mobile.pipe.aria.microsoft.com","tls": {"version":"TLSv1.2","server_names":"*.events.data.microsoft.com,events.data.microsoft.com,*.pipe.aria.microsoft.com,pipe.skype.com,*.pipe.skype.com,*.mobile.events.data.microsoft.com,mobile.events.data.microsoft.com,*.events.data.msn.com,events.data.msn.com","ja3":"a1674500365bdd882188db63730e69a2","ja3s":"ae4edc6faf64d08308082ad26be60767","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4","subjectDN":"CN=*.events.data.microsoft.com","fingerprint":"33:B3:B7:E9:DA:25:F5:A0:04:E9:63:87:B6:FB:54:77:DB:ED:27:EB"}}} 00778{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":472,"source":"cfgs\/caches_cfg\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":30,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1587041682809173,"flow_src_last_pkt_time":1587041682809173,"flow_dst_last_pkt_time":1587041682809173,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041682809173,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"167.99.215.164","src_port":60546,"dst_port":4434,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} 00562{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":472,"source":"cfgs\/caches_cfg\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":30,"flow_packet_id":1,"flow_src_last_pkt_time":1587041682809173,"flow_dst_last_pkt_time":1587041682809173,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1587041682809173,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAG+gHAqAEGp2PXpOyCEVImrEWfAAAAALAC\/\/+rgAAAAgQFtAEDAwUBAQgKMISwIQAAAAAEAgAA"} 00557{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":516,"source":"cfgs\/caches_cfg\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":30,"flow_packet_id":2,"flow_src_last_pkt_time":1587041682809173,"flow_dst_last_pkt_time":1587041682862686,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1587041682862686,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADQGBganY9ekwKgBBhFS7ILLfLe3JqxFoKAS\/ogNbwAAAgQFrAQCCAoTeRnVMISwIQEDAwc="} @@ -267,9 +264,7 @@ 00536{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":672,"source":"cfgs\/caches_cfg\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":35,"flow_packet_id":5,"flow_src_last_pkt_time":1587041684317987,"flow_dst_last_pkt_time":1587041684329497,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1587041684329497,"pkt":"KDc3AG3IEBMx8Tl2CABFAAAoFJtAAHYGDxENaxILwKgBBgG77IU13hw1zZy5bVAQBAEDUQAAAAAAAAAA"} 01999{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":677,"source":"cfgs\/caches_cfg\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":6,"flow_first_seen":1587041684306115,"flow_src_last_pkt_time":1587041684362150,"flow_dst_last_pkt_time":1587041684362335,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":211,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":211,"flow_dst_tot_l4_payload_len":4396,"midstream":0,"thread_ts_usec":1587041684362335,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"13.107.18.11","src_port":60549,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Microsoft365","proto_id":"91.219","proto_by_ip":"Outlook","proto_by_ip_id":21,"encrypted":1,"breed":"Acceptable","category_id":15,"category":"Collaborative","hostname":"substrate.office.com","tls": {"version":"TLSv1.2","server_names":"outlook.office.com,attachment.outlook.office.net,attachment.outlook.officeppe.net,bookings.office.com,delve.office.com,edge.outlook.office365.com,edgesdf.outlook.com,img.delve.office.com,outlook.live.com,outlook-sdf.live.com,outlook-sdf.office.com,sdfedge-pilot.outlook.com,substrate.office.com,substrate-sdf.office.com,afd-k-acdc-direct.office.com,beta-sdf.yammer.com,teams-sdf.yammer.com,beta.yammer.com,teams.yammer.com,attachments.office.net,attachments-sdf.office.net,afd-k.office.com,afd-k-sdf.office.com","ja3":"ebf5e0e525258d7a8dcb54aa1564ecbd","ja3s":"a66ea560599a2f5c89eec8c3a0d69cee","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1","subjectDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Outlook.office.com","advertised_alpns":"h2,http\/1.1","negotiated_alpn":"h2","fingerprint":"AA:D3:F5:66:06:48:AA:F8:8E:9B:79:D6:7F:1D:53:EA:3F:97:03:A2"}}} 02183{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":697,"source":"cfgs\/caches_cfg\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1587041682144166,"flow_src_last_pkt_time":1587041684314927,"flow_dst_last_pkt_time":1587041684501131,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":521,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":1329,"flow_dst_tot_l4_payload_len":7087,"midstream":0,"thread_ts_usec":1587041684501131,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60542,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":3,"avg":146055.7,"max":2009785,"stddev":489503.9,"var":239614050304.0,"ent":1.7,"data": [12667,12766,154,12385,2459,251,14879,502,529,250,3,817,4854,17134,1376,20,13097,4,249,321,136,11841,14,11155,108,621,112917,113684,1998116,2009785,174632]},"pktlen": {"min":40,"avg":305.2,"max":1492,"stddev":468.1,"var":219152.8,"ent":3.8,"data": [64,52,40,257,46,1492,1492,40,1492,40,1492,181,40,198,46,366,109,40,40,133,78,561,46,78,40,46,46,440,40,342,46,345]},"bins": {"c_to_s": [9,1,1,0,1,0,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,1,1,0,1,0,0,0,0,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,1,1,0,0,1,1,1,0,0,0,0,0,1,1,0,1,1,1,0,0,1,1],"entropies": [4.396777153,4.984685421,4.571928501,5.492863178,4.462504387,7.269914627,7.475378990,4.630641460,7.477076530,4.571928501,7.667408466,6.767431736,4.680641174,6.542833328,4.505983353,7.221371651,5.957443714,4.630641460,4.630640984,6.221683502,5.214766979,7.578815937,4.414441109,5.396905422,4.571928501,4.457919598,4.522393703,7.482207775,4.680641174,7.242818356,4.478915691,7.266457558]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","proto_by_ip":"Skype_Teams","proto_by_ip_id":125,"encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative"}} -01543{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":697,"source":"cfgs\/caches_cfg\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1587041682144166,"flow_src_last_pkt_time":1587041684314927,"flow_dst_last_pkt_time":1587041684501131,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":521,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":1329,"flow_dst_tot_l4_payload_len":7087,"midstream":0,"thread_ts_usec":1587041684501131,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60542,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","proto_by_ip":"Skype_Teams","proto_by_ip_id":125,"encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative","hostname":"config.teams.microsoft.com","tls": {"version":"TLSv1.2","server_names":"*.config.teams.microsoft.com,config.teams.microsoft.com","ja3":"ebf5e0e525258d7a8dcb54aa1564ecbd","ja3s":"0f14538e1c9070becdad7739c67d6363","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 1","subjectDN":"CN=config.teams.microsoft.com","advertised_alpns":"h2,http\/1.1","negotiated_alpn":"h2","fingerprint":"B9:54:54:12:C9:E9:43:65:10:70:04:7B:AD:B6:0C:46:06:38:A5:FA"}}} 02177{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":702,"source":"cfgs\/caches_cfg\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1587041684306115,"flow_src_last_pkt_time":1587041684950374,"flow_dst_last_pkt_time":1587041684410372,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":3472,"flow_dst_tot_l4_payload_len":5797,"midstream":0,"thread_ts_usec":1587041684950374,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"13.107.18.11","src_port":60549,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":1,"avg":24145.7,"max":539594,"stddev":94604.1,"var":8949939200.0,"ent":1.9,"data": [11504,11610,262,11878,32500,90,44163,247,1,223,3839,7741,325,72,14634,1492,13,4159,11,266,6513,474,6734,4309,9884,14215,10718,10725,539594,6,314]},"pktlen": {"min":40,"avg":331.5,"max":1492,"stddev":473.5,"var":224192.2,"ent":3.9,"data": [64,52,40,251,46,1492,1492,40,1492,80,40,198,133,578,172,46,366,109,40,40,78,46,78,40,46,689,40,359,40,1480,694,248]},"bins": {"c_to_s": [9,1,1,0,2,0,2,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0],"s_to_c": [5,2,1,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,1,1,0,1,1,0,0,0,0,0,1,1,1,0,0,0,1,1,0,1,1,0,1,0,0,0,0],"entropies": [4.428027153,4.893245220,4.521928310,5.397158146,4.505983353,6.671830177,7.464404583,4.630641460,7.577803612,5.737496376,4.680641174,6.516131401,6.154890537,7.647973537,6.500202656,4.505983353,7.196300030,5.817581654,4.611769199,4.561769485,5.250086308,4.457919598,5.392898560,4.630641460,4.522393227,7.690679073,4.680641174,7.335716724,4.680641174,7.846065521,7.720572472,6.957527637]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Microsoft365","proto_id":"91.219","proto_by_ip":"Outlook","proto_by_ip_id":21,"encrypted":1,"breed":"Acceptable","category_id":15,"category":"Collaborative"}} -02003{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":702,"source":"cfgs\/caches_cfg\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1587041684306115,"flow_src_last_pkt_time":1587041684950374,"flow_dst_last_pkt_time":1587041684410372,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":3472,"flow_dst_tot_l4_payload_len":5797,"midstream":0,"thread_ts_usec":1587041684950374,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"13.107.18.11","src_port":60549,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Microsoft365","proto_id":"91.219","proto_by_ip":"Outlook","proto_by_ip_id":21,"encrypted":1,"breed":"Acceptable","category_id":15,"category":"Collaborative","hostname":"substrate.office.com","tls": {"version":"TLSv1.2","server_names":"outlook.office.com,attachment.outlook.office.net,attachment.outlook.officeppe.net,bookings.office.com,delve.office.com,edge.outlook.office365.com,edgesdf.outlook.com,img.delve.office.com,outlook.live.com,outlook-sdf.live.com,outlook-sdf.office.com,sdfedge-pilot.outlook.com,substrate.office.com,substrate-sdf.office.com,afd-k-acdc-direct.office.com,beta-sdf.yammer.com,teams-sdf.yammer.com,beta.yammer.com,teams.yammer.com,attachments.office.net,attachments-sdf.office.net,afd-k.office.com,afd-k-sdf.office.com","ja3":"ebf5e0e525258d7a8dcb54aa1564ecbd","ja3s":"a66ea560599a2f5c89eec8c3a0d69cee","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1","subjectDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Outlook.office.com","advertised_alpns":"h2,http\/1.1","negotiated_alpn":"h2","fingerprint":"AA:D3:F5:66:06:48:AA:F8:8E:9B:79:D6:7F:1D:53:EA:3F:97:03:A2"}}} 00775{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":714,"source":"cfgs\/caches_cfg\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1587041685090830,"flow_src_last_pkt_time":1587041685090830,"flow_dst_last_pkt_time":1587041685090830,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":45,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":45,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":45,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041685090830,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"192.168.1.1","src_port":61245,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":5} 00571{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":714,"source":"cfgs\/caches_cfg\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":36,"flow_packet_id":1,"flow_src_last_pkt_time":1587041685090830,"flow_dst_last_pkt_time":1587041685090830,"flow_idle_time":200000000,"pkt_datalink":1,"pkt_caplen":87,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":87,"pkt_l4_len":53,"thread_ts_usec":1587041685090830,"pkt":"EBMx8Tl2KDc3AG3ICABFAABJHhYAAP8RGjbAqAEGwKgBAe89ADUANcKVVKoBAAABAAAAAAAABGV1YXoCdHIFdGVhbXMJbWljcm9zb2Z0A2NvbQAAAQAB"} 01072{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":714,"source":"cfgs\/caches_cfg\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1587041685090830,"flow_src_last_pkt_time":1587041685090830,"flow_dst_last_pkt_time":1587041685090830,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":45,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":45,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":45,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041685090830,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"192.168.1.1","src_port":61245,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Teams","proto_id":"5.250","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Safe","category_id":14,"category":"Network","hostname":"euaz.tr.teams.microsoft.com","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}} @@ -341,7 +336,6 @@ 02486{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":824,"source":"cfgs\/caches_cfg\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":40,"flow_packet_id":5,"flow_src_last_pkt_time":1587041685262299,"flow_dst_last_pkt_time":1587041685419490,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":1506,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1506,"pkt_l4_len":1472,"thread_ts_usec":1587041685419490,"pkt":"KDc3AG3IEBMx8Tl2CABFAAXUjN5AAG0Gdfg0cg8twKgBBgG77IfA1AaSAv0PYlAQCARVFQAAFgMDF0UCAABVAwNemFWVsa3S0qCCJCKRvR5FvfRm4ku4Wp9dZjR4sGYcKSB2HAAAgvc9nFx0wNSQ+kfvV9B0Mq9ipN+Lt19U\/tPHHsAwAAANAAUAAAAXAAD\/AQABAAsADkgADkUACIcwggiDMIIGa6ADAgECAhMgAA1\/5iyI2CMUD4FHAAAADX\/mMA0GCSqGSIb3DQEBCwUAMIGLMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMRUwEwYDVQQLEwxNaWNyb3NvZnQgSVQxHjAcBgNVBAMTFU1pY3Jvc29mdCBJVCBUTFMgQ0EgMjAeFw0xOTExMjkxNzU3NThaFw0yMTExMjkxNzU3NThaMCgxJjAkBgNVBAMMHSoudHJvdXRlci50ZWFtcy5taWNyb3NvZnQuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyKcimDO37qOiITdGLLSgRk4SNqeQiChf5fToMO+7e1Qw4j4NVAURrkRlqOSwosi6x2ool0Qjlt5bANU2A7E0ubHR6fs+J4y2vgrsv41S7Ao\/UxdKklkG0wgp+paNcl2enqs+JFcPVtFPe+T+pnY6IZUpOziGi8NLx\/K2NG5xSvrdawVpY5vXRxXKsvLFIAdaJQozyWf9lCNbt+4C0IVl2Ep7N5bp06LVMZktn1YAjolqeEl3RQ6hM3GKceom5l4hpyP43E\/dTe3eLNBfmO8cDd9p8HlGVSrgjhKz1wuJWFoWgHTgDnVBSZVB7t78lIFlze4qLsPX90PfKUlmjF\/zIQIDAQABo4IEQDCCBDwwggGABgorBgEEAdZ5AgQCBIIBcASCAWwBagB2APZclC\/RdzAiFFQYCDCUVo7jTRMZM7\/fDC8gC8xO8WTjAAABbrhZJv4AAAQDAEcwRQIhALfHXTClbVL1ZG3BQH+fsd9EVlnIhlrRTh9b\/BWQkqOPAiArDlgg99bYekywwY8T40DyNspZOTZKKrpABVWSIcE7CwB3AFzcQ5L+5qtFRLFemtRW5hA3+9X6R9yhc5SyXub2xw7KAAABbrhZJyYAAAQDAEgwRgIhAJuNw4ivK3DXIXmUE+m57QEHF+rXHdB72ZviRwQ9s+0GAiEA9kNgaFnkw8l1xiyZdSGjaIfmqNZ4qpxCiXwbbmlDWu4AdwBElGUusO7Or8RAB9io\/ijA2uaCvtjLMbU\/0zOWtbaBqAAAAW64WScNAAAEAwBIMEYCIQDmc93n7UJEyvvIddsbJMxC7aPmS7n2Z\/C8vjlA2j\/H8AIhAP0Hy\/4XLfkD3pYHuzfG85l40mxoPZVRGXbh3zqAj+miMCcGCSsGAQQBgjcVCgQaMBgwCgYIKwYBBQUHAwIwCgYIKwYBBQUHAwEwPgYJKwYBBAGCNxUHBDEwLwYnKwYBBAGCNxUIh9qGdYPu2QGCyYUbgbWeYYX062CBXYTS30KC55N6AgFkAgEdMIGFBggrBgEFBQcBAQR5MHcwUQYIKwYBBQUHMAKGRWh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2kvbXNjb3JwL01pY3Jvc29mdCUyMElUJTIwVExTJTIwQ0ElMjAyLmNydDAiBggrBgEFBQcwAYYWaHR0cDovL29jc3AubXNvY3NwLmNvbTAdBgNVHQ4EFgQUdTnCFCgplfnCaQOBNT9YTfK9XfMwCwYDVR0PBAQDAgSwMFsGA1UdEQRUMFKCHSoudHJvdXRlci50ZWFtcy5taWNyb3NvZnQuY29tgg1nby50cm91dGVyLmlvghEqLmRyaXAudHJvdXRlci5pb4IPKi5kYy50cm91dGVyLmlvMIGsBgNVHR8EgaQwgaEw"} 01653{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":830,"source":"cfgs\/caches_cfg\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":40,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":6,"flow_first_seen":1587041685106192,"flow_src_last_pkt_time":1587041685420065,"flow_dst_last_pkt_time":1587041685420103,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":203,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":203,"flow_dst_tot_l4_payload_len":5962,"midstream":0,"thread_ts_usec":1587041685420103,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.15.45","src_port":60551,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}}},"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","proto_by_ip":"Azure","proto_by_ip_id":276,"encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative","hostname":"trouter2-asse-a.trouter.teams.microsoft.com","tls": {"version":"TLSv1.2","server_names":"*.trouter.teams.microsoft.com,go.trouter.io,*.drip.trouter.io,*.dc.trouter.io","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"986571066668055ae9481cb84fda634a","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 2","subjectDN":"CN=*.trouter.teams.microsoft.com","fingerprint":"DD:24:DF:0E:F3:63:CC:10:B5:03:CF:34:EB:A5:14:8B:97:90:9B:D4"}}} 02321{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":855,"source":"cfgs\/caches_cfg\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":43,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1587041685240465,"flow_src_last_pkt_time":1587041685469669,"flow_dst_last_pkt_time":1587041685469973,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1082,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":1426,"flow_dst_tot_l4_payload_len":15976,"midstream":0,"thread_ts_usec":1587041685469973,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60554,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":3,"avg":14797.2,"max":153955,"stddev":35697.7,"var":1274323968.0,"ent":2.8,"data": [12903,12995,473,12371,1988,1502,15362,129,134,115,3,85,21608,33026,11480,11732,109,11784,570,13396,140399,715,153955,248,230,250,250,503,25,129,243]},"pktlen": {"min":40,"avg":585.7,"max":1492,"stddev":671.4,"var":450756.0,"ent":4.0,"data": [64,52,40,226,46,1492,1492,40,1492,40,1492,168,40,147,46,91,46,91,40,1122,46,1492,1492,40,1317,40,1492,1492,40,40,1492,1492]},"bins": {"c_to_s": [10,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,10,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,1,1,0,0,1,0,1,1,0,0,1,1,1,0,1,0,1,1,0,0,1,1],"entropies": [4.365527153,4.878727913,4.471928596,5.502106190,4.402616024,7.277978420,7.489027023,4.630640984,7.478912354,4.521928310,7.663036823,6.686788082,4.630640984,6.493359089,4.462505341,5.681205750,4.462504864,5.560394764,4.580641270,7.802004814,4.565872192,7.879904747,7.863986492,4.580641270,7.860152721,4.580640793,7.874552727,7.850657463,4.580641270,4.471928596,7.869473934,7.878328800]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}}},"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","proto_by_ip":"Skype_Teams","proto_by_ip_id":125,"encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative"}} -01624{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":855,"source":"cfgs\/caches_cfg\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":43,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1587041685240465,"flow_src_last_pkt_time":1587041685469669,"flow_dst_last_pkt_time":1587041685469973,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1082,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":1426,"flow_dst_tot_l4_payload_len":15976,"midstream":0,"thread_ts_usec":1587041685469973,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60554,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}}},"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","proto_by_ip":"Skype_Teams","proto_by_ip_id":125,"encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative","hostname":"config.teams.microsoft.com","tls": {"version":"TLSv1.2","server_names":"*.config.teams.microsoft.com,config.teams.microsoft.com","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"7d8fd34fdb13a7fff30d5a52846b6c4c","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 1","subjectDN":"CN=config.teams.microsoft.com","fingerprint":"B9:54:54:12:C9:E9:43:65:10:70:04:7B:AD:B6:0C:46:06:38:A5:FA"}}} 00777{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":920,"source":"cfgs\/caches_cfg\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":47,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1587041685984732,"flow_src_last_pkt_time":1587041685984732,"flow_dst_last_pkt_time":1587041685984732,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041685984732,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60557,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} 00562{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":920,"source":"cfgs\/caches_cfg\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":47,"flow_packet_id":1,"flow_src_last_pkt_time":1587041685984732,"flow_dst_last_pkt_time":1587041685984732,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1587041685984732,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGghTAqAEGNHHChOyNAbtKVk3bAAAAALAC\/\/8LQAAAAgQFtAEDAwUBAQgKMIS8GgAAAAAEAgAA"} 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":921,"source":"cfgs\/caches_cfg\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":47,"flow_packet_id":2,"flow_src_last_pkt_time":1587041685984732,"flow_dst_last_pkt_time":1587041685996890,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1587041685996890,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA0TQBAAHUGACA0ccKEwKgBBgG77I3LqgPISlZN3IAS\/\/9gggAAAgQFoAEDAwgBAQQC"} @@ -400,7 +394,6 @@ 00778{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1082,"source":"cfgs\/caches_cfg\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":55,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1587041687745932,"flow_src_last_pkt_time":1587041687745932,"flow_dst_last_pkt_time":1587041687745932,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041687745932,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.169.186.119","src_port":60563,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} 00563{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1082,"source":"cfgs\/caches_cfg\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":55,"flow_packet_id":1,"flow_src_last_pkt_time":1587041687745932,"flow_dst_last_pkt_time":1587041687745932,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1587041687745932,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGienAqAEGNKm6d+yTAbth0wzHAAAAALAC\/\/81+QAAAgQFtAEDAwUBAQgKMITCxwAAAAAEAgAA"} 02313{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1085,"source":"cfgs\/caches_cfg\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":51,"flow_state":"info","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1587041687245112,"flow_src_last_pkt_time":1587041687718851,"flow_dst_last_pkt_time":1587041687768506,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1428,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":17623,"flow_dst_tot_l4_payload_len":4254,"midstream":0,"thread_ts_usec":1587041687768506,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60561,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":2,"avg":32165.6,"max":161774,"stddev":44327.4,"var":1964919296.0,"ent":3.6,"data": [48418,48527,459,88180,136486,113743,249,161774,129,117,1072,74551,73518,1076,4,2,50124,49022,3,3,12,48400,48413,4,15,2,1599,1536,46881,1065,1749]},"pktlen": {"min":52,"avg":736.7,"max":1492,"stddev":694.0,"var":481656.1,"ent":4.2,"data": [64,60,52,258,258,64,1492,1492,52,1375,52,145,103,52,1480,1480,1480,52,1480,1480,1480,1480,52,1480,1480,1480,1480,52,1462,52,52,52]},"bins": {"c_to_s": [5,0,1,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0],"s_to_c": [8,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0]},"directions": [0,1,0,0,0,1,1,1,0,1,0,0,1,0,0,0,0,1,0,0,0,0,1,0,0,0,0,1,0,1,1,1],"entropies": [4.396777153,5.256567478,4.923395157,5.966666698,5.971492767,5.091578960,7.290405750,7.275161743,4.961856842,7.668800354,5.000318527,6.002202988,5.583368301,4.961856842,7.860765934,7.857263088,7.894361019,5.193430901,7.864349842,7.853641510,7.869278908,7.874048233,5.054101944,7.853607655,7.866478443,7.865472317,7.878810406,5.154969692,7.853725433,5.193431377,5.154969692,5.154969692]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}}},"confidence": {"6":"DPI"},"proto":"TLS.Microsoft","proto_id":"91.212","proto_by_ip":"Azure","proto_by_ip_id":276,"encrypted":1,"breed":"Safe","category_id":13,"category":"Cloud"}} -01784{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1085,"source":"cfgs\/caches_cfg\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":51,"flow_state":"info","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1587041687245112,"flow_src_last_pkt_time":1587041687718851,"flow_dst_last_pkt_time":1587041687768506,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1428,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":17623,"flow_dst_tot_l4_payload_len":4254,"midstream":0,"thread_ts_usec":1587041687768506,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60561,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}}},"confidence": {"6":"DPI"},"proto":"TLS.Microsoft","proto_id":"91.212","proto_by_ip":"Azure","proto_by_ip_id":276,"encrypted":1,"breed":"Safe","category_id":13,"category":"Cloud","hostname":"mobile.pipe.aria.microsoft.com","tls": {"version":"TLSv1.2","server_names":"*.events.data.microsoft.com,events.data.microsoft.com,*.pipe.aria.microsoft.com,pipe.skype.com,*.pipe.skype.com,*.mobile.events.data.microsoft.com,mobile.events.data.microsoft.com,*.events.data.msn.com,events.data.msn.com","ja3":"a1674500365bdd882188db63730e69a2","ja3s":"ae4edc6faf64d08308082ad26be60767","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4","subjectDN":"CN=*.events.data.microsoft.com","fingerprint":"33:B3:B7:E9:DA:25:F5:A0:04:E9:63:87:B6:FB:54:77:DB:ED:27:EB"}}} 00557{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1086,"source":"cfgs\/caches_cfg\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":55,"flow_packet_id":2,"flow_src_last_pkt_time":1587041687745932,"flow_dst_last_pkt_time":1587041687789261,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1587041687789261,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8GLFAAGwGRTw0qbp3wKgBBgG77JMQ1B2QYdMMyKASIACACgAAAgQFoAEDAwgEAggKASJ3bTCEwsc="} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1087,"source":"cfgs\/caches_cfg\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":55,"flow_packet_id":3,"flow_src_last_pkt_time":1587041687789367,"flow_dst_last_pkt_time":1587041687789261,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1587041687789367,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGifXAqAEGNKm6d+yTAbth0wzIENQdkYAQEAm+kQAAAQEICjCEwvABIndt"} 00845{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1088,"source":"cfgs\/caches_cfg\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":55,"flow_packet_id":4,"flow_src_last_pkt_time":1587041687789561,"flow_dst_last_pkt_time":1587041687789261,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":287,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":287,"pkt_l4_len":253,"thread_ts_usec":1587041687789561,"pkt":"EBMx8Tl2KDc3AG3ICABFAAERAABAAEAGiRjAqAEGNKm6d+yTAbth0wzIENQdkYAYEAmMqgAAAQEICjCEwvABIndtFgMBANgBAADUAwN1hCAWlzZVXD7TCb6igB3LJP9WVkluJUaJIbsmWjvyJAAAHCoqzKnMqMArwC\/ALMAwwBPAFACcAJ0ALwA1AAoBAACP6uoAAP8BAAEAAAAAIwAhAAAeZXVuby0xLmFwaS5taWNyb3NvZnRzdHJlYW0uY29tABcAAAAjAAAADQAUABIEAwgEBAEFAwgFBQEIBgYBAgEABQAFAQAAAAAAEgAAABAADgAMAmgyCGh0dHAvMS4xAAsAAgEAAAoACgAI2toAHQAXABgAGwADAgACOjoAAQA="} @@ -678,7 +671,7 @@ 00970{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1540,"source":"cfgs\/caches_cfg\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":75,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1587041694221137,"flow_src_last_pkt_time":1587041694221137,"flow_dst_last_pkt_time":1587041694234511,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":58,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":58,"flow_dst_max_l4_payload_len":134,"flow_src_tot_l4_payload_len":58,"flow_dst_tot_l4_payload_len":134,"midstream":0,"thread_ts_usec":1587041698021081,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"192.168.1.1","src_port":60837,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Teams","proto_id":"5.250","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}} 01002{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1540,"source":"cfgs\/caches_cfg\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":53,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1587041687436782,"flow_src_last_pkt_time":1587041687725655,"flow_dst_last_pkt_time":1587041687725568,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1313,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":2206,"flow_dst_tot_l4_payload_len":7143,"midstream":0,"thread_ts_usec":1587041698021081,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"104.40.187.151","src_port":60562,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"3":"DPI (partial)"},"proto":"TLS.Skype_Teams","proto_id":"91.125","proto_by_ip":"Azure","proto_by_ip_id":276,"encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00970{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1540,"source":"cfgs\/caches_cfg\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":39,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1587041685093044,"flow_src_last_pkt_time":1587041685093044,"flow_dst_last_pkt_time":1587041685127636,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":53,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":53,"flow_dst_max_l4_payload_len":174,"flow_src_tot_l4_payload_len":53,"flow_dst_tot_l4_payload_len":174,"midstream":0,"thread_ts_usec":1587041698021081,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"192.168.1.1","src_port":50653,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Teams","proto_id":"5.250","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}} -00649{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":1540,"source":"cfgs\/caches_cfg\/pcap\/teams.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":1540,"packets-processed":1498,"total-skipped-flows":0,"total-l4-payload-len":587095,"total-not-detected-flows":1,"total-guessed-flows":2,"total-detected-flows":80,"total-detection-updates":64,"total-updates":0,"current-active-flows":0,"total-active-flows":83,"total-idle-flows":83,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":681,"global_ts_usec":1587041698021081} +00649{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":1540,"source":"cfgs\/caches_cfg\/pcap\/teams.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":1540,"packets-processed":1498,"total-skipped-flows":0,"total-l4-payload-len":587095,"total-not-detected-flows":1,"total-guessed-flows":2,"total-detected-flows":80,"total-detection-updates":57,"total-updates":0,"current-active-flows":0,"total-active-flows":83,"total-idle-flows":83,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":674,"global_ts_usec":1587041698021081} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ ~~ packets captured/processed: 1540/1498 ~~ skipped flows.............: 0 diff --git a/test/results/default/KakaoTalk_chat.pcap.out b/test/results/default/KakaoTalk_chat.pcap.out index ba0844b8f..15ee4cc94 100644 --- a/test/results/default/KakaoTalk_chat.pcap.out +++ b/test/results/default/KakaoTalk_chat.pcap.out @@ -186,7 +186,6 @@ 00791{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":222,"source":"cfgs\/default\/pcap\/KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":33,"flow_packet_id":4,"flow_src_last_pkt_time":1430069036012946,"flow_dst_last_pkt_time":1430069036008002,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":240,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":240,"pkt_l4_len":204,"thread_ts_usec":1430069036012946,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAAODw10AAPwaKCwoYUrwfDURUsJ0Bu3W4\/fRiGFPCUBg5CMwfAAAWAwEAswEAAK8DAVU9Hy2pPPfpWbhIjMHHKuGu\/26IDUvEFU2avrf56FfmAABGAAQABQAvADXAAsAEwAXADMAOwA\/AB8AJwArAEcATwBQAMwA5ADIAOAAKwAPADcAIwBIAFgATAAkAFQASAAMACAAUABEA\/wEAAEAACwAEAwABAgAKADQAMgAOAA0AGQALAAwAGAAJAAoAFgAXAAgABgAHABQAFQAEAAUAEgATAAEAAgADAA8AEAAR"} 01201{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":222,"source":"cfgs\/default\/pcap\/KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":33,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1430069035967627,"flow_src_last_pkt_time":1430069036012946,"flow_dst_last_pkt_time":1430069036008002,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":184,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":184,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1430069036012946,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"31.13.68.84","src_port":45213,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":310,"client":275,"server":35}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","proto_by_ip":"Facebook","proto_by_ip_id":119,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1","ja3":"dff8a0aa1c904aaea76c5bf624e88333","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}} 02370{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":223,"source":"cfgs\/default\/pcap\/KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1430069026370215,"flow_src_last_pkt_time":1430069036014563,"flow_dst_last_pkt_time":1430069032269782,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":654,"flow_dst_max_l4_payload_len":1280,"flow_src_tot_l4_payload_len":1689,"flow_dst_tot_l4_payload_len":3666,"midstream":0,"thread_ts_usec":1430069036014563,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"173.252.97.2","src_port":35503,"dst_port":443,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":5,"data_analysis": {"iat": {"min":3723,"avg":501416.6,"max":3802978,"stddev":831986.8,"var":692202045440.0,"ent":3.7,"data": [995911,1037903,49316,6684,695526,683563,56000,2329864,2320373,251618,299011,4547,4395,4089,3723,105469,239411,242157,376495,82611,125763,244537,287323,18128,164581,238983,428131,146027,274079,3802978,24719]},"pktlen": {"min":40,"avg":209.0,"max":1320,"stddev":352.3,"var":124085.1,"ent":3.7,"data": [60,60,44,40,224,44,40,44,224,40,1320,40,1320,40,1027,40,162,40,87,40,694,40,69,40,342,40,83,40,180,40,67,116]},"bins": {"c_to_s": [11,0,1,1,1,2,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0]},"directions": [0,0,1,0,0,1,0,1,0,1,1,0,1,0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,0,0],"entropies": [4.685176849,4.685176849,4.968303204,4.931687355,5.173561573,5.104666710,4.981687546,4.658042908,5.164632797,4.931687355,6.476998329,4.734184265,7.115762234,4.784183979,6.729174137,4.884183884,6.557168484,4.881687164,5.730113029,4.834184170,7.744181156,4.881687164,5.543020725,4.884183884,7.357668877,4.981687546,5.880825043,4.834184170,6.839711666,4.981687546,5.593678474,6.365212917]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":310,"client":275,"server":35}}},"confidence": {"6":"DPI"},"proto":"TLS.Facebook","proto_id":"91.119","proto_by_ip":"Facebook","proto_by_ip_id":119,"encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} -02071{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":223,"source":"cfgs\/default\/pcap\/KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1430069026370215,"flow_src_last_pkt_time":1430069036014563,"flow_dst_last_pkt_time":1430069032269782,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":654,"flow_dst_max_l4_payload_len":1280,"flow_src_tot_l4_payload_len":1689,"flow_dst_tot_l4_payload_len":3666,"midstream":0,"thread_ts_usec":1430069036014563,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"173.252.97.2","src_port":35503,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":310,"client":275,"server":35}}},"confidence": {"6":"DPI"},"proto":"TLS.Facebook","proto_id":"91.119","proto_by_ip":"Facebook","proto_by_ip_id":119,"encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"","tls": {"version":"TLSv1","server_names":"*.facebook.com,facebook.com,*.fbsbx.com,*.fbcdn.net,*.xx.fbcdn.net,*.xy.fbcdn.net,fb.com,*.fb.com,*.facebookcorewwwi.onion,facebookcorewwwi.onion,*.fbcdn23dssr3jqnq.onion,fbcdn23dssr3jqnq.onion,*.fbsbx2q4mvcl63pw.onion,fbsbx2q4mvcl63pw.onion,*.m.facebook.com,*.messenger.com,messenger.com,*.m.facebookcorewwwi.onion,*.xx.fbcdn23dssr3jqnq.onion,xx.fbcdn23dssr3jqnq.onion,*.xy.fbcdn23dssr3jqnq.onion,xy.fbcdn23dssr3jqnq.onion,*.xz.fbcdn.net,xz.fbcdn.net,*.xz.fbcdn23dssr3jqnq.onion,xz.fbcdn23dssr3jqnq.onion,m.facebookcorewwwi.onion","ja3":"dff8a0aa1c904aaea76c5bf624e88333","ja3s":"6c13ac74a6f75099ef2480748e5d94d2","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance CA-3","subjectDN":"C=US, ST=CA, L=Menlo Park, O=Facebook, Inc., CN=*.facebook.com","fingerprint":"A4:FB:65:F8:A1:57:FE:0D:C0:17:C1:B5:51:62:63:3A:18:73:A0:B4"}}} 00544{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":225,"source":"cfgs\/default\/pcap\/KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":33,"flow_packet_id":5,"flow_src_last_pkt_time":1430069036012946,"flow_dst_last_pkt_time":1430069036049811,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":60,"pkt_l4_len":24,"thread_ts_usec":1430069036049811,"pkt":"AAACEgAAAAAAAAAAAAAIAEUAACwAAEAAjgYslx8NRFQKGFK8AbuwnWIYU8J1uP30YBClZFxUAAABAQEB"} 00784{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":228,"source":"cfgs\/default\/pcap\/KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":34,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1430069036068122,"flow_src_last_pkt_time":1430069036068122,"flow_dst_last_pkt_time":1430069036068122,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1430069036068122,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"173.252.97.2","src_port":35511,"dst_port":443,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":5} 00569{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":228,"source":"cfgs\/default\/pcap\/KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":34,"flow_packet_id":1,"flow_src_last_pkt_time":1430069036068122,"flow_dst_last_pkt_time":1430069036068122,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":76,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":76,"pkt_l4_len":40,"thread_ts_usec":1430069036068122,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAADwqSkAAPwalnwoYUryt\/GECircBu1PEJ3oAAAAAoAI5CI51AAACBAV4BAIICgALDTAAAAAAAQMDBw=="} @@ -268,7 +267,7 @@ 00937{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":347,"source":"cfgs\/default\/pcap\/KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":9,"flow_dst_packets_processed":9,"flow_first_seen":1430069044758795,"flow_src_last_pkt_time":1430069069274054,"flow_dst_last_pkt_time":1430069069017493,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":247,"flow_dst_max_l4_payload_len":42,"flow_src_tot_l4_payload_len":1233,"flow_dst_tot_l4_payload_len":168,"midstream":1,"thread_ts_usec":1430069073299933,"l3_proto":"ip4","src_ip":"139.150.0.125","dst_ip":"10.24.82.188","src_port":443,"dst_port":46947,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"TLS","proto_id":"91","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00794{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":347,"source":"cfgs\/default\/pcap\/KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":9,"flow_dst_packets_processed":9,"flow_first_seen":1430069044758795,"flow_src_last_pkt_time":1430069069274054,"flow_dst_last_pkt_time":1430069069017493,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":247,"flow_dst_max_l4_payload_len":42,"flow_src_tot_l4_payload_len":1233,"flow_dst_tot_l4_payload_len":168,"midstream":1,"thread_ts_usec":1430069073299933,"l3_proto":"ip4","src_ip":"139.150.0.125","dst_ip":"10.24.82.188","src_port":443,"dst_port":46947,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":5} 00983{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":347,"source":"cfgs\/default\/pcap\/KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1430069022104834,"flow_src_last_pkt_time":1430069022104834,"flow_dst_last_pkt_time":1430069022234626,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":80,"flow_src_tot_l4_payload_len":37,"flow_dst_tot_l4_payload_len":80,"midstream":0,"thread_ts_usec":1430069073299933,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"10.188.1.1","src_port":9094,"dst_port":53,"l4_proto":"udp","flow_datalink":113,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.KakaoTalk","proto_id":"5.193","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} -00651{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":347,"source":"cfgs\/default\/pcap\/KakaoTalk_chat.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":347,"packets-processed":347,"total-skipped-flows":0,"total-l4-payload-len":52012,"total-not-detected-flows":0,"total-guessed-flows":5,"total-detected-flows":33,"total-detection-updates":34,"total-updates":1,"current-active-flows":0,"total-active-flows":38,"total-idle-flows":38,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":271,"global_ts_usec":1430069073299933} +00651{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":347,"source":"cfgs\/default\/pcap\/KakaoTalk_chat.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":347,"packets-processed":347,"total-skipped-flows":0,"total-l4-payload-len":52012,"total-not-detected-flows":0,"total-guessed-flows":5,"total-detected-flows":33,"total-detection-updates":33,"total-updates":1,"current-active-flows":0,"total-active-flows":38,"total-idle-flows":38,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":270,"global_ts_usec":1430069073299933} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ ~~ packets captured/processed: 347/347 ~~ skipped flows.............: 0 diff --git a/test/results/default/alexa-app.pcapng.out b/test/results/default/alexa-app.pcapng.out index 83ef49edb..94bb798ba 100644 --- a/test/results/default/alexa-app.pcapng.out +++ b/test/results/default/alexa-app.pcapng.out @@ -233,7 +233,6 @@ 01706{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":284,"source":"cfgs\/default\/pcap\/alexa-app.pcapng","alias":"nDPId-test","flow_id":38,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":5,"flow_first_seen":1490976041961796,"flow_src_last_pkt_time":1490976042058395,"flow_dst_last_pkt_time":1490976042150550,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":202,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":202,"flow_dst_tot_l4_payload_len":4344,"midstream":0,"thread_ts_usec":1490976042150550,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.216","src_port":54412,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"www.amazon.com","tls": {"version":"TLSv1.2","server_names":"amazon.com,amzn.com,uedata.amazon.com,us.amazon.com,www.amazon.com,www.amzn.com,corporate.amazon.com,buybox.amazon.com,iphone.amazon.com,yp.amazon.com,home.amazon.com,origin-www.amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=www.amazon.com","advertised_alpns":"h2,http\/1.1","negotiated_alpn":"http\/1.1","fingerprint":"EF:14:6C:F1:5C:4A:F8:4D:BA:83:C2:1E:6C:5B:ED:C4:FA:34:1C:3E"}}} 00841{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":296,"source":"cfgs\/default\/pcap\/alexa-app.pcapng","alias":"nDPId-test","flow_id":36,"flow_packet_id":5,"flow_src_last_pkt_time":1490976042239996,"flow_dst_last_pkt_time":1490976041952733,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":281,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":281,"pkt_l4_len":247,"thread_ts_usec":1490976042239996,"pkt":"AMDKkaPvePiC0\/vCCABFAAELYD1AAEAGsx6sECrYNu8YuoTjAbvEzS6SzeCOhlAYAVd4ugAAFgMBAN4BAADaAwPrd1S1ddQk7rUlC7xdTTn0up1nnk\/tmx0cHtuMmn3chgAAIOrqzKnMqMwUzBPAK8AvwCzAMMATwBQAnACdAC8ANQAKAQAAkVpaAAD\/AQABAAAAACwAKgAAJ21vYmlsZWFuYWx5dGljcy51cy1lYXN0LTEuYW1hem9uYXdzLmNvbQAXAAAAIwAAAA0AFAASBAMIBAQBBQMIBQUBCAYGAQIBAAUABQEAAAAAABIAAAAQAA4ADAJoMghodHRwLzEuMQALAAIBAAAKAAoACHp6AB0AFwAYuroAAQA="} 02182{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":309,"source":"cfgs\/default\/pcap\/alexa-app.pcapng","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1490976041942417,"flow_src_last_pkt_time":1490976042286958,"flow_dst_last_pkt_time":1490976042283855,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1030,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1358,"flow_dst_tot_l4_payload_len":15533,"midstream":0,"thread_ts_usec":1490976042286958,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.216","src_port":54411,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":47,"avg":22128.4,"max":90510,"stddev":31052.4,"var":964249024.0,"ent":3.6,"data": [46971,52965,277,73178,134,18906,393,341,423,88175,318,744,233,8121,32759,75313,63701,49446,70919,806,90510,2043,419,465,407,524,703,47,5315,294,1129]},"pktlen": {"min":52,"avg":580.3,"max":1500,"stddev":637.0,"var":405792.1,"ent":4.1,"data": [60,60,52,254,52,52,1500,1500,1500,819,52,52,52,52,178,1082,294,52,52,1500,1500,52,1500,1500,1500,450,1500,1112,86,52,52,52]},"bins": {"c_to_s": [11,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,1,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,9,0,0]},"directions": [0,1,0,0,1,1,1,1,1,1,0,0,0,0,0,0,1,0,1,1,1,0,1,1,1,1,1,1,1,0,0,0],"entropies": [4.626680851,5.273560524,5.056022167,5.578444004,5.038779736,5.038779736,6.941484451,7.235523224,7.505930424,7.618381500,5.017560482,4.979098797,4.979098797,4.979099274,6.314942837,7.805894852,7.019865036,5.056022167,5.000318527,7.867209435,7.863208771,4.979098797,7.856099606,7.887753487,7.874964714,7.517594337,7.873031139,7.831841469,5.789580822,4.979099274,4.979098797,4.940637589]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} -01711{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":309,"source":"cfgs\/default\/pcap\/alexa-app.pcapng","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1490976041942417,"flow_src_last_pkt_time":1490976042286958,"flow_dst_last_pkt_time":1490976042283855,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1030,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1358,"flow_dst_tot_l4_payload_len":15533,"midstream":0,"thread_ts_usec":1490976042286958,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.216","src_port":54411,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"www.amazon.com","tls": {"version":"TLSv1.2","server_names":"amazon.com,amzn.com,uedata.amazon.com,us.amazon.com,www.amazon.com,www.amzn.com,corporate.amazon.com,buybox.amazon.com,iphone.amazon.com,yp.amazon.com,home.amazon.com,origin-www.amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=www.amazon.com","advertised_alpns":"h2,http\/1.1","negotiated_alpn":"http\/1.1","fingerprint":"EF:14:6C:F1:5C:4A:F8:4D:BA:83:C2:1E:6C:5B:ED:C4:FA:34:1C:3E"}}} 01259{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":317,"source":"cfgs\/default\/pcap\/alexa-app.pcapng","alias":"nDPId-test","flow_id":36,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1490976041870965,"flow_src_last_pkt_time":1490976042239996,"flow_dst_last_pkt_time":1490976042302047,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":227,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":454,"flow_dst_tot_l4_payload_len":1460,"midstream":0,"thread_ts_usec":1490976042302047,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.24.186","src_port":34019,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AmazonAWS","proto_id":"91.265","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud","hostname":"mobileanalytics.us-east-1.amazonaws.com","tls": {"version":"TLSv1.2","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"159d46e54a2c066ef95e656fdf034e1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","advertised_alpns":"h2,http\/1.1","negotiated_alpn":"http\/1.1"}}} 01613{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":319,"source":"cfgs\/default\/pcap\/alexa-app.pcapng","alias":"nDPId-test","flow_id":36,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":6,"flow_first_seen":1490976041870965,"flow_src_last_pkt_time":1490976042239996,"flow_dst_last_pkt_time":1490976042302667,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":227,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":454,"flow_dst_tot_l4_payload_len":4380,"midstream":0,"thread_ts_usec":1490976042302667,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.24.186","src_port":34019,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AmazonAWS","proto_id":"91.265","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud","hostname":"mobileanalytics.us-east-1.amazonaws.com","tls": {"version":"TLSv1.2","server_names":"mobileanalytics.us-east-1.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"159d46e54a2c066ef95e656fdf034e1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=mobileanalytics.us-east-1.amazonaws.com","advertised_alpns":"h2,http\/1.1","negotiated_alpn":"http\/1.1","fingerprint":"87:AD:E9:2D:E8:42:F0:5C:3A:09:13:00:12:93:59:04:84:C3:E2:2D"}}} 00548{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":331,"source":"cfgs\/default\/pcap\/alexa-app.pcapng","alias":"nDPId-test","flow_id":39,"flow_packet_id":4,"flow_src_last_pkt_time":1490976042346204,"flow_dst_last_pkt_time":1490976042099362,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1490976042346204,"pkt":"AMDKkaPvePiC0\/vCCABFAAA0AfVAAEAGW7msECrYNFXR2NSNAbumNE9Ps3pFE4ARAVdxGQAAAQEICgD2TtptF6Xz"} @@ -325,7 +324,6 @@ 01866{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":532,"source":"cfgs\/default\/pcap\/alexa-app.pcapng","alias":"nDPId-test","flow_id":45,"flow_packet_id":5,"flow_src_last_pkt_time":1490976044910321,"flow_dst_last_pkt_time":1490976044548899,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":1050,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1050,"pkt_l4_len":1016,"thread_ts_usec":1490976044910321,"pkt":"AMDKkaPvePiC0\/vCCABFAAQMt7pAAEAGi2SsECrYNF7ohsG1AFD+AvgdsHQ7blAYAVc4SwAAR0VUIC9saWIvYm9vdHN0cmFwL2ltZy9nbHlwaGljb25zLWhhbGZsaW5ncy5wbmcgSFRUUC8xLjENCkhvc3Q6IGFsZXhhLmFtYXpvbi5jb20NCkNvbm5lY3Rpb246IGtlZXAtYWxpdmUNClVzZXItQWdlbnQ6IE1vemlsbGEvNS4wIChMaW51eDsgQW5kcm9pZCA1LjEuMTsgTEdMUzc1MSBCdWlsZC9MTVk0N1Y7IHd2KSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBWZXJzaW9uLzQuMCBDaHJvbWUvNTYuMC4yOTI0Ljg3IE1vYmlsZSBTYWZhcmkvNTM3LjM2IFBpdGFuZ3VpQnJpZGdlLzEuMTYuNC41LVtNQU5VRkFDVFVSRVI9TEdFXVtSRUxFQVNFPTUuMS4xXVtCUkFORD1sZ2VdW1NESz0yMl1bTU9ERUw9TEdMUzc1MV0NCkFjY2VwdDogaW1hZ2Uvd2VicCxpbWFnZS8qLCovKjtxPTAuOA0KUmVmZXJlcjogaHR0cDovL2FsZXhhLmFtYXpvbi5jb20vbGliL2Jvb3RzdHJhcC9jc3MvYm9vdHN0cmFwLm1pbi5jc3MNCkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQ0KQWNjZXB0LUxhbmd1YWdlOiBlbi1VUw0KQ29va2llOiBjc3JmPS04NDYxMjczODsgc2Vzc2lvbi1pZC10aW1lPTIwODI3ODcyMDFsOyBzZXNzaW9uLXRva2VuPSJlZnRGbVk1RjVyVGd3czduK2VDZFhaU1R5SGNEeWtObDNNMXBjbzNSVktqeW43eW50T2tKNkxMRXlENUR4a3VuMnJaQXd5aVFVTlBKcVZtOG9HWE5xSG1mZjFwTjlZSWtML2lUQy9XQjY1eDc5RWFIWTdQN0JMMWZSS2VIWDNwSFc4ZW03SFJ6Q3ZkcGF1WWtzV0ZZTzBOTWVWclB6MWNYZVpIeldyejM4ZjdxRlhsOTFxaEhZdlRndHVKV2tsRlRkWmdpbHRNYmMvbz0iOyBzZXNzaW9uLWlkPTE1NC0zMTAzMjY1LTI5MzI1MTY7IHgtbWFpbj0idWlUck1lOHdRV3l6ekJsM2s5eUNQbExYUk1TVWFtTXhDWTZRZ1A4azlwd0pmcE1KT0tZWHN5UT9za3JBOEFhTiI7IHViaWQtbWFpbj0xNTItODc2MzUwNS03MzA0OTA0OyBsYy1tYWluPWVuX1VTDQpYLVJlcXVlc3RlZC1XaXRoOiBjb20uYW1hem9uLmRlZS5hcHANCg0K"} 01522{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":544,"source":"cfgs\/default\/pcap\/alexa-app.pcapng","alias":"nDPId-test","flow_id":45,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":3,"flow_first_seen":1490976044439648,"flow_src_last_pkt_time":1490976044910321,"flow_dst_last_pkt_time":1490976044998683,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":996,"flow_dst_max_l4_payload_len":183,"flow_src_tot_l4_payload_len":1992,"flow_dst_tot_l4_payload_len":183,"midstream":0,"thread_ts_usec":1490976044998683,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":49589,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"43": {"risk":"Error Code","severity":"Low","risk_score": {"total":360,"client":300,"server":60}}},"confidence": {"6":"DPI"},"proto":"HTTP.AmazonAlexa","proto_id":"7.110","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":0,"breed":"Acceptable","category_id":32,"category":"VirtAssistant","hostname":"alexa.amazon.com","http": {"url":"alexa.amazon.com\/lib\/bootstrap\/img\/glyphicons-halflings.png","code":404,"content_type":"","user_agent":"Mozilla\/5.0 (Linux; Android 5.1.1; LGLS751 Build\/LMY47V; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/56.0.2924.87 Mobile Safari\/537.36 PitanguiBridge\/1.16.4.5-[MANUFACTURER=LGE][RELEASE=5.1.1][BRAND=lge][SDK=22][MODEL=LGLS751]","detected_os":"Android 5.1.1"}}} 02206{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":582,"source":"cfgs\/default\/pcap\/alexa-app.pcapng","alias":"nDPId-test","flow_id":42,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1490976043814984,"flow_src_last_pkt_time":1490976046401041,"flow_dst_last_pkt_time":1490976046398896,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":5245,"flow_dst_tot_l4_payload_len":5794,"midstream":0,"thread_ts_usec":1490976046401041,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"72.21.206.135","src_port":42130,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":38,"avg":166773.2,"max":835939,"stddev":244032.9,"var":59552047104.0,"ent":3.7,"data": [54151,55408,518,50304,258867,520111,785264,3831,152,61,38,60785,290,133,140,52112,10967,286978,223908,2741,139187,177,171943,179936,143,402714,22375,216464,783828,835939,50504]},"pktlen": {"min":40,"avg":387.0,"max":1500,"stddev":534.6,"var":285800.0,"ent":3.9,"data": [60,48,40,245,46,245,245,46,1500,1500,1500,674,40,40,40,40,166,1500,91,468,46,46,466,40,1500,1196,46,343,40,40,46,40]},"bins": {"c_to_s": [10,0,0,1,0,0,3,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,2,0,0],"s_to_c": [7,1,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,0,0,1,1,1,1,1,0,0,0,0,0,0,1,0,1,1,1,0,0,0,1,1,0,0,1,0],"entropies": [4.639262199,5.093094349,4.881687164,5.568202496,4.549461365,5.554956913,5.568202496,4.565872192,7.128635883,7.312258720,7.415528297,7.604400635,4.781687260,4.881687164,4.831687450,4.781687260,6.335466385,7.875119209,5.923600674,7.493732452,4.609350681,4.565872192,7.514861107,4.781687260,7.858917713,7.840357780,4.609350681,7.350516796,4.881687164,4.931686878,4.609350204,4.881687164]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} -01604{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":582,"source":"cfgs\/default\/pcap\/alexa-app.pcapng","alias":"nDPId-test","flow_id":42,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1490976043814984,"flow_src_last_pkt_time":1490976046401041,"flow_dst_last_pkt_time":1490976046398896,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":5245,"flow_dst_tot_l4_payload_len":5794,"midstream":0,"thread_ts_usec":1490976046401041,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"72.21.206.135","src_port":42130,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"fls-na.amazon.com","tls": {"version":"TLSv1.2","server_names":"fls-na.amazon.ca,fls-na.amazon.com,fls-na.amazon.com.br,fls-na.amazon.com.mx","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"159d46e54a2c066ef95e656fdf034e1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=fls-na.amazon.com","advertised_alpns":"h2,http\/1.1","negotiated_alpn":"http\/1.1","fingerprint":"2F:16:23:0F:F8:49:12:18:49:55:48:DA:E6:59:D9:B3:BB:0E:41:8A"}}} 00781{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":599,"source":"cfgs\/default\/pcap\/alexa-app.pcapng","alias":"nDPId-test","flow_id":50,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1490976046418630,"flow_src_last_pkt_time":1490976046418630,"flow_dst_last_pkt_time":1490976046418630,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976046418630,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45680,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} 00562{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":599,"source":"cfgs\/default\/pcap\/alexa-app.pcapng","alias":"nDPId-test","flow_id":50,"flow_packet_id":1,"flow_src_last_pkt_time":1490976046418630,"flow_dst_last_pkt_time":1490976046418630,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1490976046418630,"pkt":"AMDKkaPvePiC0\/vCCABFAAA8dehAAEAG0QasECrYNF7ohrJwAbub2CWZAAAAAKAC\/\/+NLQAAAgQFtAQCCAoA9lBxAAAAAAEDAwg="} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":600,"source":"cfgs\/default\/pcap\/alexa-app.pcapng","alias":"nDPId-test","flow_id":50,"flow_packet_id":2,"flow_src_last_pkt_time":1490976046418630,"flow_dst_last_pkt_time":1490976046475196,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1490976046475196,"pkt":"ePiC0\/vCAMDKkVoBCABFAAAwWCFAAOcGR9k0XuiGrBAq2AG7snCFN7lwm9glmnASH\/679wAAAgQFtAEDAwY="} @@ -457,7 +455,6 @@ 01631{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":909,"source":"cfgs\/default\/pcap\/alexa-app.pcapng","alias":"nDPId-test","flow_id":65,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":6,"flow_first_seen":1490976067968666,"flow_src_last_pkt_time":1490976068066460,"flow_dst_last_pkt_time":1490976068174770,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":221,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":221,"flow_dst_tot_l4_payload_len":3330,"midstream":0,"thread_ts_usec":1490976068174770,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.146","src_port":41691,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"api.amazon.com","tls": {"version":"TLSv1.2","server_names":"api.amazon.com,wsync.us-east-1.amazon.com","ja3":"bdf21e38e1f69776df407235625e75e2","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=api.amazon.com","fingerprint":"1D:A3:CD:C3:06:9E:9B:A0:61:1E:1A:75:55:C1:A8:B0:DC:F8:75:2D"}}} 02212{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":910,"source":"cfgs\/default\/pcap\/alexa-app.pcapng","alias":"nDPId-test","flow_id":63,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1490976064452332,"flow_src_last_pkt_time":1490976068084335,"flow_dst_last_pkt_time":1490976068174801,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":7862,"flow_dst_tot_l4_payload_len":9710,"midstream":0,"thread_ts_usec":1490976068174801,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.216","src_port":54434,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":123,"avg":237241.0,"max":2896813,"stddev":560116.6,"var":313730662400.0,"ent":2.8,"data": [52937,67187,1048,63231,9607,59757,285,20918,462,225,155,1078,225,97487,133,7299,15901,484594,178,170,116007,306256,538314,1116565,2896813,279,153,126,123,583169,913790]},"pktlen": {"min":52,"avg":603.1,"max":1500,"stddev":665.4,"var":442821.7,"ent":4.1,"data": [60,60,52,569,52,208,52,103,1500,1500,125,1500,1500,1481,52,52,52,52,1500,1500,1209,1209,1500,1500,1500,52,64,64,64,64,52,52]},"bins": {"c_to_s": [9,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,4,0,0],"s_to_c": [7,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,5,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,1],"entropies": [4.705928802,5.273560047,4.979098797,6.082272053,5.000318527,6.571692467,5.056022167,5.591795921,7.858945847,7.890957355,6.413620949,7.866191387,7.874218941,7.863078117,5.038779736,5.000318050,5.000318050,4.884933472,7.878181458,7.882399559,7.840240955,7.842101574,7.879061222,7.879629612,7.876855850,4.940637112,4.991729736,5.085479736,5.116729736,5.116729736,5.056022167,5.000318050]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 02344{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":934,"source":"cfgs\/default\/pcap\/alexa-app.pcapng","alias":"nDPId-test","flow_id":65,"flow_state":"info","flow_src_packets_processed":11,"flow_dst_packets_processed":21,"flow_first_seen":1490976067968666,"flow_src_last_pkt_time":1490976068790465,"flow_dst_last_pkt_time":1490976070313997,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":3760,"flow_dst_tot_l4_payload_len":16863,"midstream":0,"thread_ts_usec":1490976070313997,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.146","src_port":41691,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":41,"avg":102165.5,"max":486056,"stddev":138313.6,"var":19130660864.0,"ent":3.7,"data": [92394,95354,2440,97381,1862,14105,301,61,113369,268,157,49644,132555,83310,183928,260,326122,293069,272379,138,443688,400,541,41,276469,199153,505,44,713,486056,423]},"pktlen": {"min":40,"avg":686.3,"max":1500,"stddev":682.0,"var":465082.8,"ent":4.2,"data": [60,48,40,261,46,46,1500,1500,450,40,40,40,166,91,40,1500,533,46,1500,46,46,1500,1500,1500,211,1500,1500,1500,211,1500,1500,1500]},"bins": {"c_to_s": [6,0,0,1,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0],"s_to_c": [6,1,0,0,0,2,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,0,1,0,0,0,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1],"entropies": [4.672595501,5.134760857,4.731687546,5.428875923,4.609350681,4.609350204,7.207319260,7.309862137,7.406122684,4.781687260,4.831686974,4.831686974,6.560224533,5.827393532,4.734183788,7.885433197,7.643744469,4.652828693,7.886434555,4.522393703,4.462504387,7.848043919,7.856681824,7.865322113,6.980444908,7.848917007,7.856569290,7.864667892,6.965065002,7.849271774,7.848181248,7.856681824]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} -01636{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":934,"source":"cfgs\/default\/pcap\/alexa-app.pcapng","alias":"nDPId-test","flow_id":65,"flow_state":"info","flow_src_packets_processed":11,"flow_dst_packets_processed":21,"flow_first_seen":1490976067968666,"flow_src_last_pkt_time":1490976068790465,"flow_dst_last_pkt_time":1490976070313997,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":3760,"flow_dst_tot_l4_payload_len":16863,"midstream":0,"thread_ts_usec":1490976070313997,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.146","src_port":41691,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"api.amazon.com","tls": {"version":"TLSv1.2","server_names":"api.amazon.com,wsync.us-east-1.amazon.com","ja3":"bdf21e38e1f69776df407235625e75e2","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=api.amazon.com","fingerprint":"1D:A3:CD:C3:06:9E:9B:A0:61:1E:1A:75:55:C1:A8:B0:DC:F8:75:2D"}}} 00780{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":958,"source":"cfgs\/default\/pcap\/alexa-app.pcapng","alias":"nDPId-test","flow_id":66,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1490976071237623,"flow_src_last_pkt_time":1490976071237623,"flow_dst_last_pkt_time":1490976071237623,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976071237623,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":49606,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} 00562{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":958,"source":"cfgs\/default\/pcap\/alexa-app.pcapng","alias":"nDPId-test","flow_id":66,"flow_packet_id":1,"flow_src_last_pkt_time":1490976071237623,"flow_dst_last_pkt_time":1490976071237623,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1490976071237623,"pkt":"AMDKkaPvePiC0\/vCCABFAAA870hAAEAGV6asECrYNF7ohsHGAFAgR7VrAAAAAKAC\/\/9hTwAAAgQFtAQCCAoA9lojAAAAAAEDAwg="} 00781{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":959,"source":"cfgs\/default\/pcap\/alexa-app.pcapng","alias":"nDPId-test","flow_id":67,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1490976071286664,"flow_src_last_pkt_time":1490976071286664,"flow_dst_last_pkt_time":1490976071286664,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976071286664,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45693,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} @@ -795,7 +792,6 @@ 00535{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1837,"source":"cfgs\/default\/pcap\/alexa-app.pcapng","alias":"nDPId-test","flow_id":106,"flow_packet_id":5,"flow_src_last_pkt_time":1490976109912231,"flow_dst_last_pkt_time":1490976108548394,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1490976109912231,"pkt":"AMDKkaPvePiC0\/vCCABFAAAoyZFAAEAGRWqsECrYNu8d\/Z+XAbtod6HPdPcDJ1ARAVde8AAA"} 02361{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1838,"source":"cfgs\/default\/pcap\/alexa-app.pcapng","alias":"nDPId-test","flow_id":88,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1490976088937719,"flow_src_last_pkt_time":1490976109911223,"flow_dst_last_pkt_time":1490976110045165,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":901,"flow_src_tot_l4_payload_len":10414,"flow_dst_tot_l4_payload_len":1844,"midstream":0,"thread_ts_usec":1490976110045165,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45711,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":138,"avg":1357450.1,"max":9247029,"stddev":2197151.2,"var":4827473510400.0,"ent":3.5,"data": [992408,1100523,1068,243574,812,17238,3008616,6019841,9247029,138,67248,300,303,66691,669495,281,275185,528033,1079938,2835215,349963,114629,72089,219293,5051089,276,5193864,64990,174211,2275400,2411210]},"pktlen": {"min":40,"avg":425.8,"max":1500,"stddev":556.2,"var":309356.4,"ent":3.9,"data": [60,60,48,48,40,40,279,279,279,125,93,40,40,99,46,1500,1118,1500,1500,1500,46,1118,46,941,40,1500,222,46,845,40,40,46]},"bins": {"c_to_s": [9,1,0,0,0,1,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,5,0,0],"s_to_c": [7,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,1,0,0,0,0,0,1,1,0,0,0,1,0,0,0,0,0,1,0,1,1,0,0,0,1,1,0,0,1],"entropies": [4.705928802,4.705928802,5.160700798,5.077367783,4.881687164,4.881687164,5.840246201,5.847414970,5.847414970,6.003486633,5.947547913,4.693943024,4.831686974,6.024143219,4.609350204,7.869801998,7.823491096,7.871860504,7.870593548,7.871356964,4.565872192,7.822906017,4.609350204,7.791450024,4.681686878,7.872803211,6.941987991,4.652828693,7.739228249,4.881687164,4.931686878,4.544876575]},"ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":150,"client":135,"server":15}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 02345{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1855,"source":"cfgs\/default\/pcap\/alexa-app.pcapng","alias":"nDPId-test","flow_id":99,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1490976093358419,"flow_src_last_pkt_time":1490976114866501,"flow_dst_last_pkt_time":1490976095732113,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":3149,"flow_dst_tot_l4_payload_len":4067,"midstream":0,"thread_ts_usec":1490976114866501,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"176.32.101.52","src_port":44001,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":32,"avg":770379.9,"max":19096185,"stddev":3357549.8,"var":11273140961280.0,"ent":1.4,"data": [123577,127990,5388,470526,584,630,42,1232537,1463,5048,697,664,10016,973197,496,53,32,190922,73204,348,171867,142,116971,408177,413652,66693,140934,83299,138,166304,19096185]},"pktlen": {"min":40,"avg":267.5,"max":1500,"stddev":412.9,"var":170449.2,"ent":3.9,"data": [60,48,40,232,46,1500,1500,522,232,232,40,40,40,166,46,46,46,85,40,1500,276,46,198,104,278,233,232,46,46,258,40,342]},"bins": {"c_to_s": [7,0,1,1,0,0,5,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0],"s_to_c": [8,1,0,0,1,0,1,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,0,0,1,1,1,1,0,0,0,1,1,0,1,0,0,1,1,1,0,0],"entropies": [4.739262104,5.134761333,4.812815189,5.509502888,4.565871716,7.166137695,7.318473339,7.577383041,5.500881672,5.500882149,4.831686974,4.881687164,4.734184265,6.340515137,4.501398087,4.501398087,4.835486889,5.641122818,4.831686974,7.860523701,7.242097378,4.462505341,6.761913776,6.045580387,7.062158108,7.012423515,6.904469013,4.522393703,4.565872192,7.040098190,4.831687450,7.286717415]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} -01732{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1855,"source":"cfgs\/default\/pcap\/alexa-app.pcapng","alias":"nDPId-test","flow_id":99,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1490976093358419,"flow_src_last_pkt_time":1490976114866501,"flow_dst_last_pkt_time":1490976095732113,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":3149,"flow_dst_tot_l4_payload_len":4067,"midstream":0,"thread_ts_usec":1490976114866501,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"176.32.101.52","src_port":44001,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"dp-gw-na-js.amazon.com","tls": {"version":"TLSv1.2","server_names":"dp-gw-na.amazon.com,dp-gw-na-js.amazon.com,dp-gw-na.amazon.co.uk,dp-gw-na.amazon.de,dp-gw-na.amazon.co.jp,dp-gw-na.amazon.in","ja3":"731bcada65b0a6f850bada3bdcd716d1","ja3s":"fbe78c619e7ea20046131294ad087f05","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=dp-gw-na.amazon.com","fingerprint":"27:E5:06:34:82:69:BC:97:5E:28:A3:C1:5A:23:81:C7:E3:28:95:8C"}}} 00782{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1856,"source":"cfgs\/default\/pcap\/alexa-app.pcapng","alias":"nDPId-test","flow_id":108,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1490976114879774,"flow_src_last_pkt_time":1490976114879774,"flow_dst_last_pkt_time":1490976114879774,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":37,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976114879774,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":20922,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":5} 00569{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1856,"source":"cfgs\/default\/pcap\/alexa-app.pcapng","alias":"nDPId-test","flow_id":108,"flow_packet_id":1,"flow_src_last_pkt_time":1490976114879774,"flow_dst_last_pkt_time":1490976114879774,"flow_idle_time":200000000,"pkt_datalink":1,"pkt_caplen":79,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":79,"pkt_l4_len":45,"thread_ts_usec":1490976114879774,"pkt":"AMDKkaPvePiC0\/vCCABFAABBWl1AAEARM1WsECrYrBAqAVG6ADUALQ0pp4sBAAABAAAAAAAACHBpdGFuZ3VpBmFtYXpvbgNjb20AAAEAAQ=="} 01078{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1856,"source":"cfgs\/default\/pcap\/alexa-app.pcapng","alias":"nDPId-test","flow_id":108,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1490976114879774,"flow_src_last_pkt_time":1490976114879774,"flow_dst_last_pkt_time":1490976114879774,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":37,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976114879774,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":20922,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Amazon","proto_id":"5.178","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"pitangui.amazon.com","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}} @@ -1014,7 +1010,6 @@ 00928{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2517,"source":"cfgs\/default\/pcap\/alexa-app.pcapng","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":0,"flow_first_seen":1490976022741105,"flow_src_last_pkt_time":1490976022741164,"flow_dst_last_pkt_time":1490976022741105,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":28,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":28,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":56,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976150210618,"l3_proto":"ip6","src_ip":"::","dst_ip":"ff02::16","l4_proto":"icmp6","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"ICMPV6","proto_id":"102","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00937{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2517,"source":"cfgs\/default\/pcap\/alexa-app.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":0,"flow_first_seen":1490976022731312,"flow_src_last_pkt_time":1490976022731374,"flow_dst_last_pkt_time":1490976022731312,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":24,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":24,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":48,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976150210618,"l3_proto":"ip6","src_ip":"::","dst_ip":"ff02::1:ffd3:fbc2","l4_proto":"icmp6","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"ICMPV6","proto_id":"102","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 02352{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2519,"source":"cfgs\/default\/pcap\/alexa-app.pcapng","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1490976029248822,"flow_src_last_pkt_time":1490976030758212,"flow_dst_last_pkt_time":1490976150757970,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":5474,"flow_dst_tot_l4_payload_len":6814,"midstream":0,"thread_ts_usec":1490976150757970,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.197","src_port":55242,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":33,"avg":3968339.8,"max":120002762,"stddev":21185284.0,"var":448816230694912.0,"ent":0.3,"data": [77142,79508,13198,60889,401,551,135,48584,1797,3570,177758,227426,44512,20026,267154,445550,122636,142,45,33,282451,8709,270484,1626,407007,145,164075,140,290013,120002762,69]},"pktlen": {"min":52,"avg":436.5,"max":1500,"stddev":570.0,"var":324877.8,"ent":3.9,"data": [60,60,52,273,52,1500,1500,626,52,52,52,178,294,52,1416,1416,52,1500,300,96,86,52,52,1500,1003,52,52,1315,86,52,83,52]},"bins": {"c_to_s": [9,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,1,0,0],"s_to_c": [7,3,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,1,0,0,0,1,1,1,1,1,0,0,0,0,1,1,1,1,0,1,1],"entropies": [4.739262104,5.306893826,5.017560959,5.448555946,5.115703583,6.960030556,7.238288403,7.584036827,5.017560959,5.094483852,5.041505337,6.602245331,7.164677143,5.041505337,7.862887383,7.863117218,5.115703106,7.885983467,7.259884357,6.084556580,5.826154709,5.094483852,5.132945538,7.862029552,7.810581207,5.115703106,5.077241421,7.851958752,5.873827457,5.132945538,5.636672497,5.115703106]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} -01783{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2519,"source":"cfgs\/default\/pcap\/alexa-app.pcapng","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1490976029248822,"flow_src_last_pkt_time":1490976030758212,"flow_dst_last_pkt_time":1490976150757970,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":5474,"flow_dst_tot_l4_payload_len":6814,"midstream":0,"thread_ts_usec":1490976150757970,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.197","src_port":55242,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"www.amazon.com","tls": {"version":"TLSv1.2","server_names":"amazon.com,amzn.com,uedata.amazon.com,us.amazon.com,www.amazon.com,www.amzn.com,corporate.amazon.com,buybox.amazon.com,iphone.amazon.com,yp.amazon.com,home.amazon.com,origin-www.amazon.com","ja3":"bdf21e38e1f69776df407235625e75e2","ja3s":"389ed42c02ebecc32e73aa31def07e14","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=www.amazon.com","fingerprint":"EF:14:6C:F1:5C:4A:F8:4D:BA:83:C2:1E:6C:5B:ED:C4:FA:34:1C:3E"}}} 00783{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2531,"source":"cfgs\/default\/pcap\/alexa-app.pcapng","alias":"nDPId-test","flow_id":134,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1490976158680003,"flow_src_last_pkt_time":1490976158680003,"flow_dst_last_pkt_time":1490976158680003,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976158680003,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45751,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} 00565{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2531,"source":"cfgs\/default\/pcap\/alexa-app.pcapng","alias":"nDPId-test","flow_id":134,"flow_packet_id":1,"flow_src_last_pkt_time":1490976158680003,"flow_dst_last_pkt_time":1490976158680003,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1490976158680003,"pkt":"AMDKkaPvePiC0\/vCCABFAAA8\/ohAAEAGSGasECrYNF7ohrK3Abt2joLDAAAAAKAC\/\/8pLAAAAgQFtAQCCAoA9nxLAAAAAAEDAwg="} 00547{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2532,"source":"cfgs\/default\/pcap\/alexa-app.pcapng","alias":"nDPId-test","flow_id":134,"flow_packet_id":2,"flow_src_last_pkt_time":1490976158680003,"flow_dst_last_pkt_time":1490976158840127,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1490976158840127,"pkt":"ePiC0\/vCAMDKkVoBCABFAAAwc8dAAOcGLDM0XuiGrBAq2AG7sreYM6oZdo6CxHASH\/6AKwAAAgQFtAEDAwY="} @@ -1159,7 +1154,6 @@ 00564{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2737,"source":"cfgs\/default\/pcap\/alexa-app.pcapng","alias":"nDPId-test","flow_id":147,"flow_packet_id":1,"flow_src_last_pkt_time":1490976187511761,"flow_dst_last_pkt_time":1490976187511761,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1490976187511761,"pkt":"AMDKkaPvePiC0\/vCCABFAAA8IbxAAEAG7nasECrYNu8cspdlAbtMyaYzAAAAAKAC\/\/8I0wAAAgQFtAQCCAoA9oePAAAAAAEDAwg="} 00547{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2739,"source":"cfgs\/default\/pcap\/alexa-app.pcapng","alias":"nDPId-test","flow_id":147,"flow_packet_id":2,"flow_src_last_pkt_time":1490976187511761,"flow_dst_last_pkt_time":1490976187571606,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1490976187571606,"pkt":"ePiC0\/vCAMDKkVoBCABFAAAw3K9AAOcGjI427xyyrBAq2AG7l2UCDLyqTMmmNHASH\/7urAAAAgQFtAEDAwY="} 02343{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2741,"source":"cfgs\/default\/pcap\/alexa-app.pcapng","alias":"nDPId-test","flow_id":142,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1490976177276176,"flow_src_last_pkt_time":1490976187574979,"flow_dst_last_pkt_time":1490976187571653,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":8229,"flow_dst_tot_l4_payload_len":4012,"midstream":0,"thread_ts_usec":1490976187574979,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.28.178","src_port":50799,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":112,"avg":664331.6,"max":8001087,"stddev":1905246.8,"var":3629965115392.0,"ent":2.5,"data": [133822,140403,3233,141605,1309,112,137230,287,136,2714,82197,163,95708,410,359058,405413,633638,688626,100774,373131,50752,202632,7767064,1576,8001087,353783,410110,314766,108314,179,84048]},"pktlen": {"min":40,"avg":424.7,"max":1500,"stddev":584.7,"var":341856.6,"ent":3.8,"data": [60,48,40,247,1500,1500,385,40,40,40,366,46,99,1500,190,46,1500,99,40,1500,46,669,40,1500,286,46,40,46,1500,46,46,40]},"bins": {"c_to_s": [9,0,0,0,1,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0],"s_to_c": [8,2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0]},"directions": [0,1,0,0,1,1,1,0,0,0,0,1,1,0,0,1,0,1,0,0,1,1,0,0,0,1,0,1,0,1,1,0],"entropies": [4.739262104,5.176427841,4.831687450,5.587803364,6.784171104,7.276063442,7.379589558,4.681686878,4.831686974,4.881687164,7.374952793,4.565872192,6.002931595,7.862873554,6.853326321,4.609350204,7.863068104,6.002931595,4.831687450,7.863775730,4.652828693,7.736141205,4.831687450,7.863870144,7.273199081,4.501398087,4.781687260,4.544876099,7.864799976,4.565871716,4.609350204,4.881687164]},"ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":150,"client":135,"server":15}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} -01925{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2741,"source":"cfgs\/default\/pcap\/alexa-app.pcapng","alias":"nDPId-test","flow_id":142,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1490976177276176,"flow_src_last_pkt_time":1490976187574979,"flow_dst_last_pkt_time":1490976187571653,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":8229,"flow_dst_tot_l4_payload_len":4012,"midstream":0,"thread_ts_usec":1490976187574979,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.28.178","src_port":50799,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":150,"client":135,"server":15}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"pitangui.amazon.com","tls": {"version":"TLSv1.2","server_names":"pitangui.amazon.com,guipitan.amazon.com,alexa.amazon.com,echo.amazon.com,alexa.amazon.ca,guipitan.amazon.ca,alexa.amazon.co.jp,guipitan.amazon.co.jp,alexa.amazon.com.mx,guipitan.amazon.com.mx,alexa.amazon.com.br,guipitan.amazon.com.br,alexa.amazon.com.au,guipitan.amazon.com.au,alexa.amazon.cn,guipitan.amazon.cn","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"18e962e106761869a61045bed0e81c2c","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=pitangui.amazon.com","advertised_alpns":"h2,http\/1.1","fingerprint":"13:E9:3B:22:22:61:41:53:CA:B6:3A:AE:C8:B7:23:FB:A5:11:2F:24"}}} 00534{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2742,"source":"cfgs\/default\/pcap\/alexa-app.pcapng","alias":"nDPId-test","flow_id":147,"flow_packet_id":3,"flow_src_last_pkt_time":1490976187575232,"flow_dst_last_pkt_time":1490976187571606,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1490976187575232,"pkt":"AMDKkaPvePiC0\/vCCABFAAAoIb1AAEAG7omsECrYNu8cspdlAbtMyaY0Agy8q1AQAVc5HgAA"} 00770{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2743,"source":"cfgs\/default\/pcap\/alexa-app.pcapng","alias":"nDPId-test","flow_id":147,"flow_packet_id":4,"flow_src_last_pkt_time":1490976187577439,"flow_dst_last_pkt_time":1490976187571606,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":228,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":228,"pkt_l4_len":194,"thread_ts_usec":1490976187577439,"pkt":"AMDKkaPvePiC0\/vCCABFAADWIb5AAEAG7dqsECrYNu8cspdlAbtMyaY0Agy8q1AYAVf+iAAAFgMBAKkBAAClAwG16AV0b+GAfYYNp1IOTvu8DJ0f7IEfHu7urYszcZFfGCCDPveyl8oknA6Yiw9M10d1fqyNuQQHuX5ZwIOnN4q82wAcwAnACsATwBQAMwA5ADIAOMAHwBEALwA1AAUA\/wEAAEAACwAEAwABAgAKADQAMgAOAA0AGQALAAwAGAAJAAoAFgAXAAgABgAHABQAFQAEAAUAEgATAAEAAgADAA8AEAAR"} 01204{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2743,"source":"cfgs\/default\/pcap\/alexa-app.pcapng","alias":"nDPId-test","flow_id":147,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1490976187511761,"flow_src_last_pkt_time":1490976187577439,"flow_dst_last_pkt_time":1490976187571606,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":174,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":174,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976187577439,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.28.178","src_port":38757,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":310,"client":275,"server":35}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1","ja3":"f8f5b71e02603b283e55b50d17ede861","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}} @@ -1195,7 +1189,6 @@ 01328{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2824,"source":"cfgs\/default\/pcap\/alexa-app.pcapng","alias":"nDPId-test","flow_id":151,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1490976195633256,"flow_src_last_pkt_time":1490976195724734,"flow_dst_last_pkt_time":1490976195762060,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":185,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":185,"flow_dst_tot_l4_payload_len":1418,"midstream":0,"thread_ts_usec":1490976195762060,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"216.58.194.78","src_port":49067,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}}},"confidence": {"6":"DPI"},"proto":"TLS.PlayStore","proto_id":"91.228","proto_by_ip":"Google","proto_by_ip_id":126,"encrypted":1,"breed":"Safe","category_id":19,"category":"SoftwareUpdate","hostname":"android.clients.google.com","tls": {"version":"TLSv1.2","ja3":"5bf38a5cbf896cd31eeef4d6ad1503e1","ja3s":"9b1466fd60cadccb848e09c86e284265","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"}}} 02392{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2826,"source":"cfgs\/default\/pcap\/alexa-app.pcapng","alias":"nDPId-test","flow_id":151,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":5,"flow_first_seen":1490976195633256,"flow_src_last_pkt_time":1490976195724734,"flow_dst_last_pkt_time":1490976195763002,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":185,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":185,"flow_dst_tot_l4_payload_len":3987,"midstream":0,"thread_ts_usec":1490976195763002,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"216.58.194.78","src_port":49067,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}}},"confidence": {"6":"DPI"},"proto":"TLS.PlayStore","proto_id":"91.228","proto_by_ip":"Google","proto_by_ip_id":126,"encrypted":1,"breed":"Safe","category_id":19,"category":"SoftwareUpdate","hostname":"android.clients.google.com","tls": {"version":"TLSv1.2","server_names":"*.google.com,*.android.com,*.appengine.google.com,*.cloud.google.com,*.gcp.gvt2.com,*.google-analytics.com,*.google.ca,*.google.cl,*.google.co.in,*.google.co.jp,*.google.co.uk,*.google.com.ar,*.google.com.au,*.google.com.br,*.google.com.co,*.google.com.mx,*.google.com.tr,*.google.com.vn,*.google.de,*.google.es,*.google.fr,*.google.hu,*.google.it,*.google.nl,*.google.pl,*.google.pt,*.googleadapis.com,*.googleapis.cn,*.googlecommerce.com,*.googlevideo.com,*.gstatic.cn,*.gstatic.com,*.gvt1.com,*.gvt2.com,*.metric.gstatic.com,*.urchin.com,*.url.google.com,*.youtube-nocookie.com,*.youtube.com,*.youtubeeducation.com,*.ytimg.com,android.clients.google.com,android.com,developer.android.google.cn,g.co,goo.gl,google-analytics.com,google.com,googlecommerce.com,urchin.com,www.goo.gl,youtu.be,youtube.com,youtubeeducation.com","ja3":"5bf38a5cbf896cd31eeef4d6ad1503e1","ja3s":"9b1466fd60cadccb848e09c86e284265","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","issuerDN":"C=US, O=Google Inc, CN=Google Internet Authority G2","subjectDN":"C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.google.com","fingerprint":"54:A0:1E:03:FF:CB:33:BC:9D:65:DC:D7:BF:6B:04:2B:F9:F3:D5:42"}}} 02189{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2844,"source":"cfgs\/default\/pcap\/alexa-app.pcapng","alias":"nDPId-test","flow_id":149,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1490976195529965,"flow_src_last_pkt_time":1490976195874449,"flow_dst_last_pkt_time":1490976195873685,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":4065,"flow_dst_tot_l4_payload_len":11044,"midstream":0,"thread_ts_usec":1490976195874449,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.143","src_port":41828,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":49,"avg":22200.1,"max":105973,"stddev":31062.3,"var":964868608.0,"ent":3.6,"data": [42665,43661,659,44970,3982,526,602,251,50626,787,253,1113,7308,12716,306,65597,42616,4166,48889,363,25248,76421,105973,250,551,581,305,49,101959,2918,1893]},"pktlen": {"min":52,"avg":525.8,"max":1500,"stddev":600.4,"var":360465.6,"ent":4.1,"data": [60,60,52,254,52,1500,1500,1500,819,52,52,52,52,178,1500,767,64,178,1500,64,306,52,52,1500,1500,1500,683,594,129,52,149,52]},"bins": {"c_to_s": [9,0,0,2,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0],"s_to_c": [5,0,1,1,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,0,0,0,0,1,0,0,1,1,1,0,1,1,1,1,1,1,0,1,0],"entropies": [4.672595501,5.194312096,4.986606121,5.562634945,5.014835358,6.943727970,7.231536865,7.504313469,7.550236702,5.056022167,4.926120281,5.003043652,4.940637589,6.271958828,7.856376171,7.737624168,5.206705093,6.298671246,7.856991291,5.133970261,7.098200321,5.000318050,4.979098797,7.871394634,7.857693672,7.882867336,7.672193050,7.592197895,6.342199802,4.986606121,6.480828762,4.846472263]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} -01713{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2844,"source":"cfgs\/default\/pcap\/alexa-app.pcapng","alias":"nDPId-test","flow_id":149,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1490976195529965,"flow_src_last_pkt_time":1490976195874449,"flow_dst_last_pkt_time":1490976195873685,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":4065,"flow_dst_tot_l4_payload_len":11044,"midstream":0,"thread_ts_usec":1490976195874449,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.143","src_port":41828,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"www.amazon.com","tls": {"version":"TLSv1.2","server_names":"amazon.com,amzn.com,uedata.amazon.com,us.amazon.com,www.amazon.com,www.amzn.com,corporate.amazon.com,buybox.amazon.com,iphone.amazon.com,yp.amazon.com,home.amazon.com,origin-www.amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=www.amazon.com","advertised_alpns":"h2,http\/1.1","negotiated_alpn":"http\/1.1","fingerprint":"EF:14:6C:F1:5C:4A:F8:4D:BA:83:C2:1E:6C:5B:ED:C4:FA:34:1C:3E"}}} 00781{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2861,"source":"cfgs\/default\/pcap\/alexa-app.pcapng","alias":"nDPId-test","flow_id":152,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1490976195921499,"flow_src_last_pkt_time":1490976195921499,"flow_dst_last_pkt_time":1490976195921499,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":49,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":49,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":49,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976195921499,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":4612,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":5} 00586{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2861,"source":"cfgs\/default\/pcap\/alexa-app.pcapng","alias":"nDPId-test","flow_id":152,"flow_packet_id":1,"flow_src_last_pkt_time":1490976195921499,"flow_dst_last_pkt_time":1490976195921499,"flow_idle_time":200000000,"pkt_datalink":1,"pkt_caplen":91,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":91,"pkt_l4_len":57,"thread_ts_usec":1490976195921499,"pkt":"AMDKkaPvePiC0\/vCCABFAABNWmZAAEARM0CsECrYrBAqARIEADUAOVP\/iiYBAAABAAAAAAAACWltYWdlcy1uYRFzc2wtaW1hZ2VzLWFtYXpvbgNjb20AAAEAAQ=="} 01089{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2861,"source":"cfgs\/default\/pcap\/alexa-app.pcapng","alias":"nDPId-test","flow_id":152,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1490976195921499,"flow_src_last_pkt_time":1490976195921499,"flow_dst_last_pkt_time":1490976195921499,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":49,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":49,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":49,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976195921499,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":4612,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Amazon","proto_id":"5.178","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"images-na.ssl-images-amazon.com","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}} @@ -1270,7 +1263,6 @@ 00566{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2990,"source":"cfgs\/default\/pcap\/alexa-app.pcapng","alias":"nDPId-test","flow_id":158,"flow_packet_id":1,"flow_src_last_pkt_time":1490976196840676,"flow_dst_last_pkt_time":1490976196840676,"flow_idle_time":200000000,"pkt_datalink":1,"pkt_caplen":77,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":77,"pkt_l4_len":43,"thread_ts_usec":1490976196840676,"pkt":"AMDKkaPvePiC0\/vCCABFAAA\/WmdAAEARM02sECrYrBAqAQqTADUAK8ZJ2BYBAAABAAAAAAAABmZscy1uYQZhbWF6b24DY29tAAABAAE="} 01075{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2990,"source":"cfgs\/default\/pcap\/alexa-app.pcapng","alias":"nDPId-test","flow_id":158,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1490976196840676,"flow_src_last_pkt_time":1490976196840676,"flow_dst_last_pkt_time":1490976196840676,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":35,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":35,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":35,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976196840676,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":2707,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Amazon","proto_id":"5.178","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"fls-na.amazon.com","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}} 02197{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3021,"source":"cfgs\/default\/pcap\/alexa-app.pcapng","alias":"nDPId-test","flow_id":155,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1490976195985305,"flow_src_last_pkt_time":1490976196879161,"flow_dst_last_pkt_time":1490976196866304,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1285,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":5470,"flow_dst_tot_l4_payload_len":9856,"midstream":0,"thread_ts_usec":1490976196879161,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.84.62.115","src_port":41914,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":50,"avg":57253.4,"max":264056,"stddev":85984.0,"var":7393244160.0,"ent":3.6,"data": [22841,23998,943,22793,6583,564,615,276,39690,124,146,157,6771,37572,46160,226745,213104,3861,222252,264056,50,55344,103406,128,10396,183950,242536,953,71,38628,142]},"pktlen": {"min":52,"avg":532.2,"max":1500,"stddev":595.2,"var":354289.1,"ent":4.1,"data": [60,60,52,271,52,1500,1500,1500,750,52,52,52,52,178,310,1337,310,64,1337,1337,930,86,86,52,52,64,1322,1500,1500,508,52,52]},"bins": {"c_to_s": [12,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,3,0,0,0,0,0,0,0],"s_to_c": [2,2,0,0,0,0,0,0,2,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,0,0,1,0,1,0,0,0,1,1,1,0,0,0,0,1,1,1,0,0],"entropies": [4.705928802,5.306893826,5.094483852,5.740943432,5.077241898,7.061615944,7.289163589,7.495290279,7.599352837,5.094483852,5.017560482,5.094483852,5.017560482,6.445491791,7.218114853,7.854625702,7.211663246,5.042434692,7.851956367,7.855620384,7.792708397,5.812836647,5.812836647,5.056022167,5.132945538,5.093139648,7.841275692,7.859713554,7.867431164,7.510861874,5.094483852,5.094483852]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} -01671{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":3021,"source":"cfgs\/default\/pcap\/alexa-app.pcapng","alias":"nDPId-test","flow_id":155,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1490976195985305,"flow_src_last_pkt_time":1490976196879161,"flow_dst_last_pkt_time":1490976196866304,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1285,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":5470,"flow_dst_tot_l4_payload_len":9856,"midstream":0,"thread_ts_usec":1490976196879161,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.84.62.115","src_port":41914,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"images-na.ssl-images-amazon.com","tls": {"version":"TLSv1.2","server_names":"images-na.ssl-images-amazon.com,images-eu.ssl-images-amazon.com,images-fe.ssl-images-amazon.com,m.media-amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=Images-na.ssl-images-amazon.com","advertised_alpns":"h2,http\/1.1","negotiated_alpn":"http\/1.1","fingerprint":"39:3D:27:B3:4D:FA:B4:04:AB:48:7F:5C:CB:A9:9A:95:F5:22:2A:52"}}} 00585{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3027,"source":"cfgs\/default\/pcap\/alexa-app.pcapng","alias":"nDPId-test","flow_id":158,"flow_packet_id":2,"flow_src_last_pkt_time":1490976196840676,"flow_dst_last_pkt_time":1490976196938799,"flow_idle_time":200000000,"pkt_datalink":1,"pkt_caplen":93,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":93,"pkt_l4_len":59,"thread_ts_usec":1490976196938799,"pkt":"ePiC0\/vCAMDKkaPvCABFAABP7ApAAEARoZmsECoBrBAq2AA1CpMAO2jR2BaBgAABAAEAAAAABmZscy1uYQZhbWF6b24DY29tAAABAAHADAABAAEAAAA7AARIFc55"} 01091{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":3027,"source":"cfgs\/default\/pcap\/alexa-app.pcapng","alias":"nDPId-test","flow_id":158,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1490976196840676,"flow_src_last_pkt_time":1490976196840676,"flow_dst_last_pkt_time":1490976196938799,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":35,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":35,"flow_dst_max_l4_payload_len":51,"flow_src_tot_l4_payload_len":35,"flow_dst_tot_l4_payload_len":51,"midstream":0,"thread_ts_usec":1490976196938799,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":2707,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Amazon","proto_id":"5.178","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"fls-na.amazon.com","dns": {"num_queries":1,"num_answers":1,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"72.21.206.121"}}} 00783{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":3031,"source":"cfgs\/default\/pcap\/alexa-app.pcapng","alias":"nDPId-test","flow_id":159,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1490976196942963,"flow_src_last_pkt_time":1490976196942963,"flow_dst_last_pkt_time":1490976196942963,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976196942963,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"72.21.206.121","src_port":47605,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} @@ -1283,7 +1275,6 @@ 00783{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":3037,"source":"cfgs\/default\/pcap\/alexa-app.pcapng","alias":"nDPId-test","flow_id":160,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1490976197297649,"flow_src_last_pkt_time":1490976197297649,"flow_dst_last_pkt_time":1490976197297649,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976197297649,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"72.21.206.121","src_port":47606,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} 00564{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3037,"source":"cfgs\/default\/pcap\/alexa-app.pcapng","alias":"nDPId-test","flow_id":160,"flow_packet_id":1,"flow_src_last_pkt_time":1490976197297649,"flow_dst_last_pkt_time":1490976197297649,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1490976197297649,"pkt":"AMDKkaPvePiC0\/vCCABFAAA8At9AAEAGSmasECrYSBXOebn2AbvarIm+AAAAAKAC\/\/+uEwAAAgQFtAQCCAoA9othAAAAAAEDAwg="} 02223{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3039,"source":"cfgs\/default\/pcap\/alexa-app.pcapng","alias":"nDPId-test","flow_id":145,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1490976186884448,"flow_src_last_pkt_time":1490976195471370,"flow_dst_last_pkt_time":1490976197346218,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":10437,"flow_dst_tot_l4_payload_len":5046,"midstream":0,"thread_ts_usec":1490976197346218,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.23.94","src_port":44912,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":32,"avg":614473.9,"max":7470598,"stddev":1477715.5,"var":2183643136000.0,"ent":2.8,"data": [168457,171158,1511,108893,4406,1671,697,112679,290,4146,167,6217,127,10389,13091,1079,255,290409,42,32,60,299358,743,529311,1065924,2114234,3665356,7470598,595200,595070,1817122]},"pktlen": {"min":40,"avg":526.2,"max":1500,"stddev":637.5,"var":406420.1,"ent":3.9,"data": [60,48,40,267,46,46,1500,1500,40,40,1500,655,40,40,166,1500,1424,360,46,46,91,46,40,1424,1424,1424,1424,40,46,1424,46,46]},"bins": {"c_to_s": [8,0,0,1,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,1,0,0],"s_to_c": [9,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,1,1,0,0,0,0,0,0,1,1,1,1,0,0,0,0,0,0,1,0,1,1],"entropies": [4.626680374,5.134761333,4.831686974,5.716956139,4.609350204,4.505982876,7.141723156,7.316176414,4.831687450,4.812815189,7.392494678,7.608505726,4.881687164,4.831687450,6.348018646,7.864303589,7.858262062,7.260771751,4.390829086,4.347350597,5.864610672,4.390829086,4.684184074,7.859017372,7.859235764,7.859332085,7.859507561,4.784183979,4.347350597,7.859881401,4.457920074,4.501398087]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AmazonAWS","proto_id":"91.265","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud"}} -01619{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":3039,"source":"cfgs\/default\/pcap\/alexa-app.pcapng","alias":"nDPId-test","flow_id":145,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1490976186884448,"flow_src_last_pkt_time":1490976195471370,"flow_dst_last_pkt_time":1490976197346218,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":10437,"flow_dst_tot_l4_payload_len":5046,"midstream":0,"thread_ts_usec":1490976197346218,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.23.94","src_port":44912,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AmazonAWS","proto_id":"91.265","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud","hostname":"mobileanalytics.us-east-1.amazonaws.com","tls": {"version":"TLSv1.2","server_names":"mobileanalytics.us-east-1.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"159d46e54a2c066ef95e656fdf034e1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=mobileanalytics.us-east-1.amazonaws.com","advertised_alpns":"h2,http\/1.1","negotiated_alpn":"http\/1.1","fingerprint":"87:AD:E9:2D:E8:42:F0:5C:3A:09:13:00:12:93:59:04:84:C3:E2:2D"}}} 00547{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3041,"source":"cfgs\/default\/pcap\/alexa-app.pcapng","alias":"nDPId-test","flow_id":160,"flow_packet_id":2,"flow_src_last_pkt_time":1490976197297649,"flow_dst_last_pkt_time":1490976197355099,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1490976197355099,"pkt":"ePiC0\/vCAMDKkVoBCABFAAAw5DlAAOcGwhZIFc55rBAq2AG7ufYaDpo72qyJv3ASH\/6iLAAAAgQFtAEDAwY="} 00535{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3042,"source":"cfgs\/default\/pcap\/alexa-app.pcapng","alias":"nDPId-test","flow_id":160,"flow_packet_id":3,"flow_src_last_pkt_time":1490976197356307,"flow_dst_last_pkt_time":1490976197355099,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1490976197356307,"pkt":"AMDKkaPvePiC0\/vCCABFAAAoAuBAAEAGSnmsECrYSBXOebn2AbvarIm\/Gg6aPFAQAVfsnQAA"} 00817{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3043,"source":"cfgs\/default\/pcap\/alexa-app.pcapng","alias":"nDPId-test","flow_id":160,"flow_packet_id":4,"flow_src_last_pkt_time":1490976197357234,"flow_dst_last_pkt_time":1490976197355099,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":259,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":259,"pkt_l4_len":225,"thread_ts_usec":1490976197357234,"pkt":"AMDKkaPvePiC0\/vCCABFAAD1AuFAAEAGSausECrYSBXOebn2AbvarIm\/Gg6aPFAYAVf7IAAAFgMBAMgBAADEAwOvXx4qoD9hGvfdVqZ\/Da8Sic0\/mG13oBFGNV7wDdZlEgAAIKqqzKnMqMwUzBPAK8AvwCzAMMATwBQAnACdAC8ANQAKAQAAexoaAAD\/AQABAAAAABYAFAAAEWZscy1uYS5hbWF6b24uY29tABcAAAAjAAAADQAUABIEAwgEBAEFAwgFBQEIBgYBAgEABQAFAQAAAAAAEgAAABAADgAMAmgyCGh0dHAvMS4xAAsAAgEAAAoACgAIWloAHQAXABgqKgABAA=="} @@ -1421,7 +1412,7 @@ 00978{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":3103,"source":"cfgs\/default\/pcap\/alexa-app.pcapng","alias":"nDPId-test","flow_id":150,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1490976195545666,"flow_src_last_pkt_time":1490976195545666,"flow_dst_last_pkt_time":1490976195628315,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":44,"flow_dst_max_l4_payload_len":84,"flow_src_tot_l4_payload_len":44,"flow_dst_tot_l4_payload_len":84,"midstream":0,"thread_ts_usec":1490976198776068,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":40425,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.PlayStore","proto_id":"5.228","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}} 00993{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":3103,"source":"cfgs\/default\/pcap\/alexa-app.pcapng","alias":"nDPId-test","flow_id":77,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":12,"flow_first_seen":1490976080485167,"flow_src_last_pkt_time":1490976081484636,"flow_dst_last_pkt_time":1490976081482994,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":884,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":2154,"flow_dst_tot_l4_payload_len":5486,"midstream":0,"thread_ts_usec":1490976198776068,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"34.199.52.240","src_port":38404,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AmazonAWS","proto_id":"91.265","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00980{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":3103,"source":"cfgs\/default\/pcap\/alexa-app.pcapng","alias":"nDPId-test","flow_id":17,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1490976029669574,"flow_src_last_pkt_time":1490976029669574,"flow_dst_last_pkt_time":1490976029753315,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":42,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":42,"flow_dst_max_l4_payload_len":84,"flow_src_tot_l4_payload_len":42,"flow_dst_tot_l4_payload_len":84,"midstream":0,"thread_ts_usec":1490976198776068,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":19967,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Amazon","proto_id":"5.178","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} -00659{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":3103,"source":"cfgs\/default\/pcap\/alexa-app.pcapng","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":3103,"packets-processed":3074,"total-skipped-flows":0,"total-l4-payload-len":987205,"total-not-detected-flows":0,"total-guessed-flows":14,"total-detected-flows":146,"total-detection-updates":152,"total-updates":77,"current-active-flows":0,"total-active-flows":160,"total-idle-flows":160,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":1424,"global_ts_usec":1490976198776068} +00659{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":3103,"source":"cfgs\/default\/pcap\/alexa-app.pcapng","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":3103,"packets-processed":3074,"total-skipped-flows":0,"total-l4-payload-len":987205,"total-not-detected-flows":0,"total-guessed-flows":14,"total-detected-flows":146,"total-detection-updates":143,"total-updates":77,"current-active-flows":0,"total-active-flows":160,"total-idle-flows":160,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":1415,"global_ts_usec":1490976198776068} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ ~~ packets captured/processed: 3103/3074 ~~ skipped flows.............: 0 diff --git a/test/results/default/anyconnect-vpn.pcap.out b/test/results/default/anyconnect-vpn.pcap.out index 136e0cc41..887fea17c 100644 --- a/test/results/default/anyconnect-vpn.pcap.out +++ b/test/results/default/anyconnect-vpn.pcap.out @@ -72,7 +72,6 @@ 01487{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":62,"source":"cfgs\/default\/pcap\/anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1569687245688240,"flow_src_last_pkt_time":1569687245728221,"flow_dst_last_pkt_time":1569687245772680,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":167,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":167,"flow_dst_tot_l4_payload_len":1448,"midstream":0,"thread_ts_usec":1569687245772680,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":56919,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":150,"client":135,"server":15}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":300,"client":210,"server":90}},"52": {"risk":"ALPN\/SNI Mismatch","severity":"Medium","risk_score": {"total":350,"client":235,"server":115}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.2","ja3":"9f1a41f932f274fe47a992310a26a23a","ja3s":"82f0d8a75fa483d1cfe4b7085b784d7e","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","advertised_alpns":"http\/1.1"}}} 01873{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":68,"source":"cfgs\/default\/pcap\/anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":6,"flow_first_seen":1569687245688240,"flow_src_last_pkt_time":1569687245813667,"flow_dst_last_pkt_time":1569687245851826,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":167,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":167,"flow_dst_tot_l4_payload_len":5792,"midstream":0,"thread_ts_usec":1569687245851826,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":56919,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":150,"client":135,"server":15}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":300,"client":210,"server":90}},"52": {"risk":"ALPN\/SNI Mismatch","severity":"Medium","risk_score": {"total":350,"client":235,"server":115}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.2","server_names":"*.pandion.viasat.com,pandion.viasat.com","ja3":"9f1a41f932f274fe47a992310a26a23a","ja3s":"82f0d8a75fa483d1cfe4b7085b784d7e","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Entrust, Inc., OU=See www.entrust.net\/legal-terms, OU=(c) 2012 Entrust, Inc. - for authorized use only, CN=Entrust Certification Authority - L1K","subjectDN":"C=US, ST=California, L=Carlsbad, O=Viasat Inc., CN=*.pandion.viasat.com","advertised_alpns":"http\/1.1","fingerprint":"92:70:CF:E3:69:4B:1D:F4:E2:DE:63:54:EC:DF:40:DB:F3:AC:D1:CA"}}} 02479{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":88,"source":"cfgs\/default\/pcap\/anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1569687245688240,"flow_src_last_pkt_time":1569687246009851,"flow_dst_last_pkt_time":1569687246009730,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":6050,"flow_dst_tot_l4_payload_len":7973,"midstream":0,"thread_ts_usec":1569687246009851,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":56919,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":0,"avg":20745.2,"max":71520,"stddev":21568.3,"var":465190496.0,"ent":4.0,"data": [39490,39550,431,43733,1217,44517,40926,4,40928,1,38216,8,38254,1,33217,1,0,71520,5,38273,6102,35094,41225,217,42300,2869,5,1,44938,0,58]},"pktlen": {"min":52,"avg":490.7,"max":1500,"stddev":597.2,"var":356597.6,"ent":4.0,"data": [64,56,52,219,52,1500,52,1500,1500,52,52,1500,1167,52,52,1500,1500,1319,52,52,663,52,127,52,1161,52,345,697,105,52,52,52]},"bins": {"c_to_s": [11,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,2,0,0],"s_to_c": [6,1,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,4,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,0,1,1,0,0,0,0,0,1,1,0,1,1,0,0,1,1,1,1,0,0,0],"entropies": [4.277806282,5.056655407,4.776611805,5.499976635,4.815073490,7.340889931,4.829590321,7.117477894,7.208638191,4.868052006,4.829590321,7.407335281,5.918903828,4.829590321,4.829590321,6.806384563,7.188310623,7.472460270,4.685171604,4.791129112,7.602285385,4.714205265,6.163617611,4.752666950,7.823616028,4.868052006,7.252848148,7.725178242,5.773176193,4.906513691,4.829590321,4.829590321]},"ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":150,"client":135,"server":15}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":300,"client":210,"server":90}},"52": {"risk":"ALPN\/SNI Mismatch","severity":"Medium","risk_score": {"total":350,"client":235,"server":115}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} -01877{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":88,"source":"cfgs\/default\/pcap\/anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1569687245688240,"flow_src_last_pkt_time":1569687246009851,"flow_dst_last_pkt_time":1569687246009730,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":6050,"flow_dst_tot_l4_payload_len":7973,"midstream":0,"thread_ts_usec":1569687246009851,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":56919,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":150,"client":135,"server":15}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":300,"client":210,"server":90}},"52": {"risk":"ALPN\/SNI Mismatch","severity":"Medium","risk_score": {"total":350,"client":235,"server":115}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.2","server_names":"*.pandion.viasat.com,pandion.viasat.com","ja3":"9f1a41f932f274fe47a992310a26a23a","ja3s":"82f0d8a75fa483d1cfe4b7085b784d7e","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Entrust, Inc., OU=See www.entrust.net\/legal-terms, OU=(c) 2012 Entrust, Inc. - for authorized use only, CN=Entrust Certification Authority - L1K","subjectDN":"C=US, ST=California, L=Carlsbad, O=Viasat Inc., CN=*.pandion.viasat.com","advertised_alpns":"http\/1.1","fingerprint":"92:70:CF:E3:69:4B:1D:F4:E2:DE:63:54:EC:DF:40:DB:F3:AC:D1:CA"}}} 00566{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":89,"source":"cfgs\/default\/pcap\/anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":5,"flow_src_last_pkt_time":1569687246096558,"flow_dst_last_pkt_time":1569687241064503,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1569687246096558,"pkt":"2DE0IHf7NDY7z3UoCABFAABAAABAAEAGJT8KAADjCgAAl95UH0ntZWziAAAAALAC\/\/8wWwAAAgQFtAEDAwUBAQgKHA19NQAAAAAEAgAA"} 00703{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":90,"source":"cfgs\/default\/pcap\/anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":4,"flow_src_last_pkt_time":1569687246426088,"flow_dst_last_pkt_time":1569687241425059,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":176,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":176,"pkt_l4_len":142,"thread_ts_usec":1569687246426088,"pkt":"pHczjPFANDY7z3UoCABFAgCiAABAAEAGJN0KAADjCgAAldwAH0m4VKSqauVqJ4AYEABWlgAAAQEIChwNfn0AIdVKFwMDAGltB4Q9ZE7MwMLqA\/qW5WJXb0PHNtCROrUMkJHw\/OP719Jk7orSFs9TCm756O7SILnP3vnstuJ4xPfpszSDO6LW4XcEaWDlp33D\/dMihM\/bvEZuYHMlrzKnK9TylV815IAQKWsax0+Dp+A="} 00699{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":91,"source":"cfgs\/default\/pcap\/anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":5,"flow_src_last_pkt_time":1569687246426088,"flow_dst_last_pkt_time":1569687246428911,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":176,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":176,"pkt_l4_len":142,"thread_ts_usec":1569687246428911,"pkt":"NDY7z3UopHczjPFACABFAgCiFAJAAEAGENsKAACVCgAA4x9J3ABq5WonuFSlGIAYARXEpwAAAQEICgAh1z8cDX59FwMDAGnSDUBTzxnFH9ckBLkGJJxtZYOnnoJTcPtGWYx7fflTVjXPGvnWJvT5kELd8Dyk7N8gqq17Y91Gw5NO81U2bwcOEaqqMVk4vbp1wYVpe8wc5fgUWL03+X7m6bLc5s5fILREqdmBY0Re1KI="} @@ -214,7 +213,6 @@ 01468{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":303,"source":"cfgs\/default\/pcap\/anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1569687267035097,"flow_src_last_pkt_time":1569687267079534,"flow_dst_last_pkt_time":1569687267125585,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":152,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":152,"flow_dst_tot_l4_payload_len":1448,"midstream":0,"thread_ts_usec":1569687267125585,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":56929,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":150,"client":135,"server":15}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":300,"client":210,"server":90}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.2","ja3":"c9f0b47c9805f516e6d3900cb51f7841","ja3s":"82f0d8a75fa483d1cfe4b7085b784d7e","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA"}}} 01854{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":309,"source":"cfgs\/default\/pcap\/anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":6,"flow_first_seen":1569687267035097,"flow_src_last_pkt_time":1569687267166003,"flow_dst_last_pkt_time":1569687267203156,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":152,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":152,"flow_dst_tot_l4_payload_len":5792,"midstream":0,"thread_ts_usec":1569687267203156,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":56929,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":150,"client":135,"server":15}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":300,"client":210,"server":90}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.2","server_names":"*.pandion.viasat.com,pandion.viasat.com","ja3":"c9f0b47c9805f516e6d3900cb51f7841","ja3s":"82f0d8a75fa483d1cfe4b7085b784d7e","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Entrust, Inc., OU=See www.entrust.net\/legal-terms, OU=(c) 2012 Entrust, Inc. - for authorized use only, CN=Entrust Certification Authority - L1K","subjectDN":"C=US, ST=California, L=Carlsbad, O=Viasat Inc., CN=*.pandion.viasat.com","fingerprint":"92:70:CF:E3:69:4B:1D:F4:E2:DE:63:54:EC:DF:40:DB:F3:AC:D1:CA"}}} 02487{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":333,"source":"cfgs\/default\/pcap\/anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1569687267035097,"flow_src_last_pkt_time":1569687267393587,"flow_dst_last_pkt_time":1569687267393508,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":965,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1471,"flow_dst_tot_l4_payload_len":13402,"midstream":0,"thread_ts_usec":1569687267393587,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":56929,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":0,"avg":23125.8,"max":138032,"stddev":32185.7,"var":1035917504.0,"ent":3.6,"data": [42362,42438,1999,46916,1210,46124,40336,4,40344,1,37231,6,37243,1,97159,138032,40854,1159,43270,9027,4,1,1,0,9,1,1,51168,0,0,0]},"pktlen": {"min":52,"avg":517.3,"max":1500,"stddev":619.3,"var":383541.0,"ent":4.0,"data": [64,56,52,204,52,1500,52,1500,1500,52,52,1500,1167,52,52,406,127,52,1017,52,1500,209,1500,209,1500,209,1500,209,52,52,52,52]},"bins": {"c_to_s": [12,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,0,1,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,8,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,0,1,1,0,0,0,1,0,0,1,1,1,1,1,1,1,1,1,0,0,0,0],"entropies": [4.215306282,4.950672150,4.700937271,5.452831745,4.700937271,7.337546349,4.738150120,7.112461567,7.211231709,4.791128635,4.791128635,7.407482147,5.922111034,4.791128635,4.829590321,7.350569248,6.160544395,4.791128635,7.794639587,4.868052006,7.862796307,6.916011810,7.871273518,6.899218082,7.872875214,6.733156681,7.846444607,6.809710979,4.829590321,4.767184258,4.829590321,4.829590321]},"ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":150,"client":135,"server":15}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":300,"client":210,"server":90}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} -01858{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":333,"source":"cfgs\/default\/pcap\/anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1569687267035097,"flow_src_last_pkt_time":1569687267393587,"flow_dst_last_pkt_time":1569687267393508,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":965,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1471,"flow_dst_tot_l4_payload_len":13402,"midstream":0,"thread_ts_usec":1569687267393587,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":56929,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":150,"client":135,"server":15}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":300,"client":210,"server":90}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.2","server_names":"*.pandion.viasat.com,pandion.viasat.com","ja3":"c9f0b47c9805f516e6d3900cb51f7841","ja3s":"82f0d8a75fa483d1cfe4b7085b784d7e","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Entrust, Inc., OU=See www.entrust.net\/legal-terms, OU=(c) 2012 Entrust, Inc. - for authorized use only, CN=Entrust Certification Authority - L1K","subjectDN":"C=US, ST=California, L=Carlsbad, O=Viasat Inc., CN=*.pandion.viasat.com","fingerprint":"92:70:CF:E3:69:4B:1D:F4:E2:DE:63:54:EC:DF:40:DB:F3:AC:D1:CA"}}} 00779{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":343,"source":"cfgs\/default\/pcap\/anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":39,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1569687267453127,"flow_src_last_pkt_time":1569687267453127,"flow_dst_last_pkt_time":1569687267453127,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1569687267453127,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"10.0.0.149","src_port":56865,"dst_port":8008,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} 00550{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":343,"source":"cfgs\/default\/pcap\/anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":39,"flow_packet_id":1,"flow_src_last_pkt_time":1569687267453127,"flow_dst_last_pkt_time":1569687267453127,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1569687267453127,"pkt":"pHczjPFANDY7z3UoCABFAAA0AABAAEAGJU0KAADjCgAAld4hH0glPK3eiXsRe4AREAA75QAAAQEIChwN0AsAIb2q"} 00779{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":344,"source":"cfgs\/default\/pcap\/anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":40,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1569687267453153,"flow_src_last_pkt_time":1569687267453153,"flow_dst_last_pkt_time":1569687267453153,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1569687267453153,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"10.0.0.151","src_port":56866,"dst_port":8060,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} @@ -456,7 +454,7 @@ 00970{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":589,"source":"cfgs\/default\/pcap\/anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":42,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1569687267481295,"flow_src_last_pkt_time":1569687267481295,"flow_dst_last_pkt_time":1569687267500594,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":42,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":42,"flow_dst_max_l4_payload_len":200,"flow_src_tot_l4_payload_len":42,"flow_dst_tot_l4_payload_len":200,"midstream":0,"thread_ts_usec":1569687288923007,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"75.75.75.75","src_port":62427,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00933{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":589,"source":"cfgs\/default\/pcap\/anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1569687242476020,"flow_src_last_pkt_time":1569687242476020,"flow_dst_last_pkt_time":1569687242476020,"flow_idle_time":620000000,"flow_src_min_l4_payload_len":8,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":8,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":8,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569687288923007,"l3_proto":"ip4","src_ip":"10.0.0.149","dst_ip":"239.255.255.250","l4_proto":2,"flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"IGMP","proto_id":"82","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00930{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":589,"source":"cfgs\/default\/pcap\/anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1569687242271196,"flow_src_last_pkt_time":1569687242271196,"flow_dst_last_pkt_time":1569687242271196,"flow_idle_time":620000000,"flow_src_min_l4_payload_len":8,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":8,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":8,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569687288923007,"l3_proto":"ip4","src_ip":"10.0.0.149","dst_ip":"239.255.3.22","l4_proto":2,"flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"IGMP","proto_id":"82","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} -00651{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":589,"source":"cfgs\/default\/pcap\/anyconnect-vpn.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":589,"packets-processed":585,"total-skipped-flows":0,"total-l4-payload-len":95415,"total-not-detected-flows":2,"total-guessed-flows":6,"total-detected-flows":61,"total-detection-updates":36,"total-updates":3,"current-active-flows":0,"total-active-flows":69,"total-idle-flows":69,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":459,"global_ts_usec":1569687288923007} +00651{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":589,"source":"cfgs\/default\/pcap\/anyconnect-vpn.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":589,"packets-processed":585,"total-skipped-flows":0,"total-l4-payload-len":95415,"total-not-detected-flows":2,"total-guessed-flows":6,"total-detected-flows":61,"total-detection-updates":34,"total-updates":3,"current-active-flows":0,"total-active-flows":69,"total-idle-flows":69,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":457,"global_ts_usec":1569687288923007} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ ~~ packets captured/processed: 589/585 ~~ skipped flows.............: 0 diff --git a/test/results/default/anydesk.pcapng.out b/test/results/default/anydesk.pcapng.out index de22b3108..c87fb46d4 100644 --- a/test/results/default/anydesk.pcapng.out +++ b/test/results/default/anydesk.pcapng.out @@ -17,8 +17,7 @@ 01494{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":14,"source":"cfgs\/default\/pcap\/anydesk.pcapng","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1591342199201196,"flow_src_last_pkt_time":1591342199366725,"flow_dst_last_pkt_time":1591342199532111,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":263,"flow_dst_max_l4_payload_len":1300,"flow_src_tot_l4_payload_len":263,"flow_dst_tot_l4_payload_len":1300,"midstream":0,"thread_ts_usec":1591342199532111,"l3_proto":"ip4","src_ip":"192.168.149.129","dst_ip":"51.83.238.219","src_port":43535,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":160,"client":140,"server":20}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":300,"client":210,"server":90}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","proto_by_ip":"AnyDesk","proto_by_ip_id":252,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.2","ja3":"201999283915cc31cee6b15472ef3332","ja3s":"107030a763c7224285717ff1569a17f3","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"}}} 01835{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":16,"source":"cfgs\/default\/pcap\/anydesk.pcapng","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1591342199201196,"flow_src_last_pkt_time":1591342199532151,"flow_dst_last_pkt_time":1591342199532596,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":263,"flow_dst_max_l4_payload_len":1300,"flow_src_tot_l4_payload_len":263,"flow_dst_tot_l4_payload_len":2600,"midstream":0,"thread_ts_usec":1591342199532596,"l3_proto":"ip4","src_ip":"192.168.149.129","dst_ip":"51.83.238.219","src_port":43535,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":160,"client":140,"server":20}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":300,"client":210,"server":90}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":600,"client":480,"server":120}}},"confidence": {"6":"DPI"},"proto":"TLS.AnyDesk","proto_id":"91.252","proto_by_ip":"AnyDesk","proto_by_ip_id":252,"encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess","hostname":"","tls": {"version":"TLSv1.2","ja3":"201999283915cc31cee6b15472ef3332","ja3s":"107030a763c7224285717ff1569a17f3","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","issuerDN":"CN=AnyNet Root CA, O=philandro Software GmbH, C=DE","subjectDN":"C=DE, O=philandro Software GmbH, CN=AnyNet Relay","fingerprint":"9E:08:D2:58:A9:02:CD:4F:E2:4A:26:B8:48:5C:43:0B:81:29:99:E3"}}} 02666{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":40,"source":"cfgs\/default\/pcap\/anydesk.pcapng","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1591342199201196,"flow_src_last_pkt_time":1591342201135977,"flow_dst_last_pkt_time":1591342202739154,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":5696,"flow_dst_tot_l4_payload_len":5521,"midstream":0,"thread_ts_usec":1591342202739154,"l3_proto":"ip4","src_ip":"192.168.149.129","dst_ip":"51.83.238.219","src_port":43535,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":2,"avg":176540.0,"max":1602919,"stddev":394272.9,"var":155451113472.0,"ent":2.8,"data": [164805,164917,612,1082,165028,165426,485,455,339,338,1756,2021,164886,165169,210,191,219,307,218569,218677,606,928,1215453,1216321,7,87,855,7,2,1602919,62]},"pktlen": {"min":40,"avg":392.7,"max":1500,"stddev":555.2,"var":308238.0,"ent":3.8,"data": [60,46,40,303,46,1340,40,1340,40,46,40,1134,46,91,40,80,40,186,46,186,40,111,46,119,1500,1500,1242,46,46,46,1500,1180]},"bins": {"c_to_s": [8,0,1,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,2,0,0],"s_to_c": [9,2,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,2,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,0,1,1,0,1,0,0,1,1,0,0,1,1,0,0,0,1,1,1,1,1],"entropies": [4.772595406,4.903359890,4.834184170,5.369554996,4.390828609,7.460080147,4.834184170,7.770876408,4.834184170,4.609350204,4.734183788,7.619944096,4.390829086,5.750715733,4.765311718,5.803060055,4.765311718,6.743920803,4.390828609,6.830827713,4.834184170,6.275036812,4.434307098,6.390825272,7.863389492,7.871673107,7.811679363,4.390829086,4.390829086,4.390829086,7.887207985,7.841894150]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":160,"client":140,"server":20}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":300,"client":210,"server":90}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":600,"client":480,"server":120}}},"confidence": {"6":"DPI"},"proto":"TLS.AnyDesk","proto_id":"91.252","proto_by_ip":"AnyDesk","proto_by_ip_id":252,"encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}} -01839{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":40,"source":"cfgs\/default\/pcap\/anydesk.pcapng","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1591342199201196,"flow_src_last_pkt_time":1591342201135977,"flow_dst_last_pkt_time":1591342202739154,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":5696,"flow_dst_tot_l4_payload_len":5521,"midstream":0,"thread_ts_usec":1591342202739154,"l3_proto":"ip4","src_ip":"192.168.149.129","dst_ip":"51.83.238.219","src_port":43535,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":160,"client":140,"server":20}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":300,"client":210,"server":90}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":600,"client":480,"server":120}}},"confidence": {"6":"DPI"},"proto":"TLS.AnyDesk","proto_id":"91.252","proto_by_ip":"AnyDesk","proto_by_ip_id":252,"encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess","hostname":"","tls": {"version":"TLSv1.2","ja3":"201999283915cc31cee6b15472ef3332","ja3s":"107030a763c7224285717ff1569a17f3","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","issuerDN":"CN=AnyNet Root CA, O=philandro Software GmbH, C=DE","subjectDN":"C=DE, O=philandro Software GmbH, CN=AnyNet Relay","fingerprint":"9E:08:D2:58:A9:02:CD:4F:E2:4A:26:B8:48:5C:43:0B:81:29:99:E3"}}} -00636{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":62,"source":"cfgs\/default\/pcap\/anydesk.pcapng","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":62,"packets-processed":61,"total-skipped-flows":0,"total-l4-payload-len":14319,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":3,"total-updates":0,"current-active-flows":2,"total-active-flows":2,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":21,"global_ts_usec":1613977585247036} +00636{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":62,"source":"cfgs\/default\/pcap\/anydesk.pcapng","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":62,"packets-processed":61,"total-skipped-flows":0,"total-l4-payload-len":14319,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":2,"total-updates":0,"current-active-flows":2,"total-active-flows":2,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":20,"global_ts_usec":1613977585247036} 00776{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":62,"source":"cfgs\/default\/pcap\/anydesk.pcapng","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1613977585247036,"flow_src_last_pkt_time":1613977585247036,"flow_dst_last_pkt_time":1613977585247036,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":48,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":48,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":48,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1613977585247036,"l3_proto":"ip4","src_ip":"192.168.1.187","dst_ip":"192.168.1.1","src_port":59511,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":5} 00574{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":62,"source":"cfgs\/default\/pcap\/anydesk.pcapng","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_src_last_pkt_time":1613977585247036,"flow_dst_last_pkt_time":1613977585247036,"flow_idle_time":200000000,"pkt_datalink":1,"pkt_caplen":90,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":90,"pkt_l4_len":56,"thread_ts_usec":1613977585247036,"pkt":"EBMx8Tl22MuK4S0uCABFAABM5C0AAIARAADAqAG7wKgBAeh3ADUAOIRW7CIBAAABAAAAAAAADnJlbGF5LTMxODVhODQ3A25ldAdhbnlkZXNrA2NvbQAAAQAB"} 01084{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":62,"source":"cfgs\/default\/pcap\/anydesk.pcapng","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1613977585247036,"flow_src_last_pkt_time":1613977585247036,"flow_dst_last_pkt_time":1613977585247036,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":48,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":48,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":48,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1613977585247036,"l3_proto":"ip4","src_ip":"192.168.1.187","dst_ip":"192.168.1.1","src_port":59511,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.AnyDesk","proto_id":"5.252","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"relay-3185a847.net.anydesk.com","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}} @@ -48,7 +47,7 @@ 00528{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":84,"source":"cfgs\/default\/pcap\/anydesk.pcapng","alias":"nDPId-test","flow_id":6,"flow_packet_id":5,"flow_src_last_pkt_time":1613977595408312,"flow_dst_last_pkt_time":1613977595463648,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1613977595463648,"pkt":"KDc3AG3I2MuK4S0uCABFAAAodEFAAIAGAADAqAG7wKgBshuey0dV\/SLLLSwO5FAQIBSE2AAA"} 01850{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":85,"source":"cfgs\/default\/pcap\/anydesk.pcapng","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1613977595407425,"flow_src_last_pkt_time":1613977595408312,"flow_dst_last_pkt_time":1613977595549041,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":263,"flow_dst_max_l4_payload_len":813,"flow_src_tot_l4_payload_len":263,"flow_dst_tot_l4_payload_len":813,"midstream":0,"thread_ts_usec":1613977595549041,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"192.168.1.187","src_port":52039,"dst_port":7070,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":160,"client":140,"server":20}},"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":150,"client":135,"server":15}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":300,"client":210,"server":90}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":600,"client":480,"server":120}}},"confidence": {"6":"DPI"},"proto":"TLS.AnyDesk","proto_id":"91.252","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess","hostname":"","tls": {"version":"TLSv1.2","ja3":"201999283915cc31cee6b15472ef3332","ja3s":"4b505adfb4a921c5a3a39d293b0811e1","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_GCM_SHA384","subjectDN":"CN=AnyDesk Client, CN=AnyDesk Client","fingerprint":"86:4F:2A:9F:24:71:FD:0D:6A:35:56:AC:D8:7B:3A:19:E8:03:CA:2E"}}} 02672{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":112,"source":"cfgs\/default\/pcap\/anydesk.pcapng","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1613977595379986,"flow_src_last_pkt_time":1613977601740964,"flow_dst_last_pkt_time":1613977601737415,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":3926,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":5712,"flow_dst_tot_l4_payload_len":2727,"midstream":0,"thread_ts_usec":1613977601740964,"l3_proto":"ip4","src_ip":"192.168.1.187","dst_ip":"192.168.1.178","src_port":54164,"dst_port":7070,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":0,"avg":410271.2,"max":3021750,"stddev":825943.1,"var":682181918720.0,"ent":2.9,"data": [491,529,333,431,328,10474,0,10878,39566,40320,8749,0,9516,516873,517463,1553,27804,26175,2358,56316,902900,957284,0,0,1754245,1753698,16355,71246,2966766,3021750,4006]},"pktlen": {"min":40,"avg":306.3,"max":3966,"stddev":747.4,"var":558552.1,"ent":3.1,"data": [52,52,40,285,46,46,1500,183,40,1326,46,954,80,40,87,46,75,74,46,74,40,3966,46,46,46,79,46,141,40,99,46,116]},"bins": {"c_to_s": [6,4,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1],"s_to_c": [11,3,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,1,1,1,0,0,1,1,0,1,1,0,0,1,1,1,0,1,1,0,0,1,0],"entropies": [4.461627960,4.714205742,4.680641174,5.380415440,4.190888405,4.260394573,7.726966381,6.171197891,4.680641174,7.726874828,4.303872585,7.788730145,5.640313625,4.630640984,5.698182583,4.200505257,5.465894222,5.550601006,4.303872585,5.570474148,4.680640697,7.956365585,4.157026768,4.303872585,4.190888405,5.661315441,4.260394096,6.538077354,4.630641460,6.000421047,4.260393620,6.241518974]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":160,"client":140,"server":20}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":300,"client":210,"server":90}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":600,"client":480,"server":120}}},"confidence": {"6":"DPI"},"proto":"TLS.AnyDesk","proto_id":"91.252","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}} -00639{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":121,"source":"cfgs\/default\/pcap\/anydesk.pcapng","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":121,"packets-processed":120,"total-skipped-flows":0,"total-l4-payload-len":26872,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":6,"total-detection-updates":7,"total-updates":0,"current-active-flows":4,"total-active-flows":6,"total-idle-flows":2,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":51,"global_ts_usec":1663090549161771} +00639{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":121,"source":"cfgs\/default\/pcap\/anydesk.pcapng","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":121,"packets-processed":120,"total-skipped-flows":0,"total-l4-payload-len":26872,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":6,"total-detection-updates":6,"total-updates":0,"current-active-flows":4,"total-active-flows":6,"total-idle-flows":2,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":50,"global_ts_usec":1663090549161771} 00780{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":121,"source":"cfgs\/default\/pcap\/anydesk.pcapng","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1663090549161771,"flow_src_last_pkt_time":1663090549161771,"flow_dst_last_pkt_time":1663090549161771,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1663090549161771,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"195.181.174.176","src_port":48260,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} 00557{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":121,"source":"cfgs\/default\/pcap\/anydesk.pcapng","alias":"nDPId-test","flow_id":7,"flow_packet_id":1,"flow_src_last_pkt_time":1663090549161771,"flow_dst_last_pkt_time":1663090549161771,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1663090549161771,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAA8b6ZAAEAGlofAqAGAw7WusLyEAbsbAqeoAAAAAKAC+vBE2wAAAgQFtAQCCAo49hnFAAAAAAEDAwc="} 00559{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":122,"source":"cfgs\/default\/pcap\/anydesk.pcapng","alias":"nDPId-test","flow_id":7,"flow_packet_id":2,"flow_src_last_pkt_time":1663090549161771,"flow_dst_last_pkt_time":1663090549179486,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1663090549179486,"pkt":"PKn0qB\/spJGxgjQ5CABFAAA8AABAADYGEC7Dta6wwKgBgAG7vIT\/L0tlGwKnqaAS\/ogbxgAAAgQFtAQCCAqczD4KOPYZxQEDAwc="} @@ -64,7 +63,7 @@ 00977{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":157,"source":"cfgs\/default\/pcap\/anydesk.pcapng","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1613977585542630,"flow_src_last_pkt_time":1613977585542630,"flow_dst_last_pkt_time":1613977585553797,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":48,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":48,"flow_dst_max_l4_payload_len":64,"flow_src_tot_l4_payload_len":48,"flow_dst_tot_l4_payload_len":64,"midstream":0,"thread_ts_usec":1663090558383202,"l3_proto":"ip4","src_ip":"192.168.1.187","dst_ip":"192.168.1.1","src_port":55376,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.AnyDesk","proto_id":"5.252","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00977{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":157,"source":"cfgs\/default\/pcap\/anydesk.pcapng","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1613977585247036,"flow_src_last_pkt_time":1613977585247036,"flow_dst_last_pkt_time":1613977585260893,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":48,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":48,"flow_dst_max_l4_payload_len":64,"flow_src_tot_l4_payload_len":48,"flow_dst_tot_l4_payload_len":64,"midstream":0,"thread_ts_usec":1663090558383202,"l3_proto":"ip4","src_ip":"192.168.1.187","dst_ip":"192.168.1.1","src_port":59511,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.AnyDesk","proto_id":"5.252","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 01343{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":174,"source":"cfgs\/default\/pcap\/anydesk.pcapng","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":27,"flow_dst_packets_processed":27,"flow_first_seen":1663090549161771,"flow_src_last_pkt_time":1663090607951443,"flow_dst_last_pkt_time":1663090607968067,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":5903,"flow_dst_tot_l4_payload_len":3063,"midstream":0,"thread_ts_usec":1663090607968067,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"195.181.174.176","src_port":48260,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"flow_risk": {"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":300,"client":210,"server":90}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":600,"client":480,"server":120}},"31": {"risk":"Uncommon TLS ALPN","severity":"Medium","risk_score": {"total":610,"client":485,"server":125}}},"confidence": {"6":"DPI"},"proto":"TLS.AnyDesk","proto_id":"91.252","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}} -00641{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":174,"source":"cfgs\/default\/pcap\/anydesk.pcapng","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":174,"packets-processed":174,"total-skipped-flows":0,"total-l4-payload-len":35838,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":7,"total-detection-updates":9,"total-updates":0,"current-active-flows":0,"total-active-flows":7,"total-idle-flows":7,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":67,"global_ts_usec":1663090607968067} +00641{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":174,"source":"cfgs\/default\/pcap\/anydesk.pcapng","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":174,"packets-processed":174,"total-skipped-flows":0,"total-l4-payload-len":35838,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":7,"total-detection-updates":8,"total-updates":0,"current-active-flows":0,"total-active-flows":7,"total-idle-flows":7,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":66,"global_ts_usec":1663090607968067} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ ~~ packets captured/processed: 174/174 ~~ skipped flows.............: 0 diff --git a/test/results/default/bets.pcapng.out b/test/results/default/bets.pcapng.out index 1f78fec6a..de1dfe68b 100644 --- a/test/results/default/bets.pcapng.out +++ b/test/results/default/bets.pcapng.out @@ -9,9 +9,8 @@ 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":5,"source":"cfgs\/default\/pcap\/bets.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":5,"flow_src_last_pkt_time":1693252376374043,"flow_dst_last_pkt_time":1693252376419072,"flow_idle_time":7580000000,"pkt_datalink":12,"pkt_caplen":52,"pkt_type":2048,"pkt_l3_offset":0,"pkt_l4_offset":20,"pkt_len":52,"pkt_l4_len":32,"thread_ts_usec":1693252376419072,"pkt":"RQAANHFFAAD1BhTeDeBnFsCoCgIBu+rDfMJDsAPu8l+AEACDyeAAAAEBCApKO\/1lMTNQpQ=="} 01218{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"cfgs\/default\/pcap\/bets.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1693252376328241,"flow_src_last_pkt_time":1693252376374043,"flow_dst_last_pkt_time":1693252376420557,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":328,"flow_dst_max_l4_payload_len":1368,"flow_src_tot_l4_payload_len":328,"flow_dst_tot_l4_payload_len":1368,"midstream":0,"thread_ts_usec":1693252376420557,"l3_proto":"ip4","src_ip":"192.168.10.2","dst_ip":"13.224.103.22","src_port":60099,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.1084bets10.com","tls": {"version":"TLSv1.3","ja3":"375c6162a492dfbf2795909110ce8424","ja3s":"f4febc55ea12b31ae17cfb7e614afda8","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","advertised_alpns":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 02131{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"cfgs\/default\/pcap\/bets.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1693252376328241,"flow_src_last_pkt_time":1693252376473051,"flow_dst_last_pkt_time":1693252376516940,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":328,"flow_dst_max_l4_payload_len":1368,"flow_src_tot_l4_payload_len":573,"flow_dst_tot_l4_payload_len":6919,"midstream":0,"thread_ts_usec":1693252376516940,"l3_proto":"ip4","src_ip":"192.168.10.2","dst_ip":"13.224.103.22","src_port":60099,"dst_port":443,"l4_proto":"tcp","flow_datalink":12,"flow_max_packets":5,"data_analysis": {"iat": {"min":1,"avg":10758.4,"max":46532,"stddev":18210.4,"var":331618016.0,"ent":3.2,"data": [45063,45086,716,45768,1485,46532,228,223,359,358,497,1,497,2530,35,126,50,44471,1044,896,1,81,43759,187,180,74,3041,2969,1675,39830,5747]},"pktlen": {"min":52,"avg":286.8,"max":1420,"stddev":477.2,"var":227739.3,"ent":3.6,"data": [64,60,52,380,52,1420,52,1420,52,1420,52,1420,93,52,58,110,138,116,52,52,52,52,198,52,123,52,83,1241,52,52,52,52]},"bins": {"c_to_s": [12,1,2,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,4,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,1,1,0,0,0,0,0,1,1,1,1,1,0,1,0,0,1,0,0,1,1],"entropies": [4.359427452,5.254205704,5.077241421,6.193246841,5.115703106,7.830681801,5.024262905,7.844112873,5.154164791,7.881240845,5.115703106,7.848938465,5.975646019,5.115703106,4.911536217,6.119595051,6.468632221,6.137733459,5.192626476,5.154164791,5.154164791,5.192626476,6.778203011,5.077241421,6.239024639,5.154164791,5.561018467,7.842863560,5.115703106,4.979099274,5.154164791,5.154164791]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} -01221{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":32,"source":"cfgs\/default\/pcap\/bets.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1693252376328241,"flow_src_last_pkt_time":1693252376473051,"flow_dst_last_pkt_time":1693252376516940,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":328,"flow_dst_max_l4_payload_len":1368,"flow_src_tot_l4_payload_len":573,"flow_dst_tot_l4_payload_len":6919,"midstream":0,"thread_ts_usec":1693252376516940,"l3_proto":"ip4","src_ip":"192.168.10.2","dst_ip":"13.224.103.22","src_port":60099,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.1084bets10.com","tls": {"version":"TLSv1.3","ja3":"375c6162a492dfbf2795909110ce8424","ja3s":"f4febc55ea12b31ae17cfb7e614afda8","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","advertised_alpns":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 00965{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":33,"source":"cfgs\/default\/pcap\/bets.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":16,"flow_first_seen":1693252376328241,"flow_src_last_pkt_time":1693252376516972,"flow_dst_last_pkt_time":1693252376516940,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":328,"flow_dst_max_l4_payload_len":1368,"flow_src_tot_l4_payload_len":573,"flow_dst_tot_l4_payload_len":6919,"midstream":0,"thread_ts_usec":1693252376516972,"l3_proto":"ip4","src_ip":"192.168.10.2","dst_ip":"13.224.103.22","src_port":60099,"dst_port":443,"l4_proto":"tcp","flow_datalink":12,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} -00634{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":33,"source":"cfgs\/default\/pcap\/bets.pcapng","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":33,"packets-processed":33,"total-skipped-flows":0,"total-l4-payload-len":7492,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":2,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":14,"global_ts_usec":1693252376516972} +00634{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":33,"source":"cfgs\/default\/pcap\/bets.pcapng","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":33,"packets-processed":33,"total-skipped-flows":0,"total-l4-payload-len":7492,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":1,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":13,"global_ts_usec":1693252376516972} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ ~~ packets captured/processed: 33/33 ~~ skipped flows.............: 0 @@ -26,4 +25,4 @@ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json message min len.......: 528 chars ~~ json message max len.......: 2136 chars -~~ json message avg len.......: 1301 chars +~~ json message avg len.......: 1271 chars diff --git a/test/results/default/emotet.pcap.out b/test/results/default/emotet.pcap.out index 8cc9c1281..170853532 100644 --- a/test/results/default/emotet.pcap.out +++ b/test/results/default/emotet.pcap.out @@ -49,7 +49,6 @@ 00534{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2232,"source":"cfgs\/default\/pcap\/emotet.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":5,"flow_src_last_pkt_time":1650905467666537,"flow_dst_last_pkt_time":1650905467775917,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1650905467775917,"pkt":"AAgCHEeuIOUqtpPxCABFAAAoRkFAADEGwfuKxZNlCgQZZQG7wotH+MA790NTN1AQAfVVVgAAAAAAAAAA"} 01736{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2233,"source":"cfgs\/default\/pcap\/emotet.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1650905467542773,"flow_src_last_pkt_time":1650905467666537,"flow_dst_last_pkt_time":1650905467789145,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":149,"flow_dst_max_l4_payload_len":1378,"flow_src_tot_l4_payload_len":149,"flow_dst_tot_l4_payload_len":1378,"midstream":0,"thread_ts_usec":1650905467789145,"l3_proto":"ip4","src_ip":"10.4.25.101","dst_ip":"138.197.147.101","src_port":49803,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"6": {"risk":"Self-signed Cert","severity":"High","risk_score": {"total":300,"client":270,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":300,"client":210,"server":90}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.2","ja3":"51c64c77e60f3980eea90869b68c58a8","ja3s":"ec74a5c51106f0419184d0dd08fb05bc","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=example.com","subjectDN":"C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=example.com","fingerprint":"43:A2:39:73:AC:4D:2C:15:7B:D6:4E:32:EA:22:11:B7:97:65:1A:93"}}} 02528{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2259,"source":"cfgs\/default\/pcap\/emotet.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1650905467542773,"flow_src_last_pkt_time":1650905469294827,"flow_dst_last_pkt_time":1650905469297748,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":480,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":722,"flow_dst_tot_l4_payload_len":19664,"midstream":0,"thread_ts_usec":1650905469297748,"l3_proto":"ip4","src_ip":"10.4.25.101","dst_ip":"138.197.147.101","src_port":49803,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":0,"avg":113130.0,"max":1262510,"stddev":287859.5,"var":82863079424.0,"ent":2.7,"data": [109372,109625,14139,123772,13228,122858,52674,132935,80275,6518,151937,1117119,71,165,1262510,58,2900,71,3072,96890,117,96947,3054,71,165,71,3262,0,116,2919,118]},"pktlen": {"min":46,"avg":682.0,"max":1428,"stddev":663.2,"var":439900.2,"ent":4.2,"data": [52,52,46,189,46,1418,46,133,282,46,520,46,1428,1428,1428,46,46,1428,1428,52,1428,1428,60,1428,1428,1428,1428,60,60,60,1428,1428]},"bins": {"c_to_s": [11,0,1,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,1,1,1,0,0,1,1,0,1,1,0,1,1,1,1,0,0,0,1,1],"entropies": [4.661227226,4.908878326,4.501398087,5.357971191,4.609350681,7.499943256,4.609350204,5.862740993,7.080684185,4.501398087,7.521671295,4.522393703,7.860427856,7.879212856,7.876828194,4.501398087,4.501398087,7.862761021,7.872880459,4.974009037,7.863744259,7.867939472,5.142321110,7.869549751,7.874364853,7.859346390,7.876013756,5.142321110,5.142321110,5.142320633,7.842814445,7.873933792]},"ndpi": {"flow_risk": {"6": {"risk":"Self-signed Cert","severity":"High","risk_score": {"total":300,"client":270,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":300,"client":210,"server":90}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} -01739{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2259,"source":"cfgs\/default\/pcap\/emotet.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1650905467542773,"flow_src_last_pkt_time":1650905469294827,"flow_dst_last_pkt_time":1650905469297748,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":480,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":722,"flow_dst_tot_l4_payload_len":19664,"midstream":0,"thread_ts_usec":1650905469297748,"l3_proto":"ip4","src_ip":"10.4.25.101","dst_ip":"138.197.147.101","src_port":49803,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"6": {"risk":"Self-signed Cert","severity":"High","risk_score": {"total":300,"client":270,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":300,"client":210,"server":90}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.2","ja3":"51c64c77e60f3980eea90869b68c58a8","ja3s":"ec74a5c51106f0419184d0dd08fb05bc","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=example.com","subjectDN":"C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=example.com","fingerprint":"43:A2:39:73:AC:4D:2C:15:7B:D6:4E:32:EA:22:11:B7:97:65:1A:93"}}} 00776{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2359,"source":"cfgs\/default\/pcap\/emotet.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1650905469778844,"flow_src_last_pkt_time":1650905469778844,"flow_dst_last_pkt_time":1650905469778844,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1650905469778844,"l3_proto":"ip4","src_ip":"10.4.25.101","dst_ip":"138.197.147.101","src_port":49804,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} 00544{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2359,"source":"cfgs\/default\/pcap\/emotet.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":1,"flow_src_last_pkt_time":1650905469778844,"flow_dst_last_pkt_time":1650905469778844,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1650905469778844,"pkt":"IOUqtpPxAAgCHEeuCABFAAA0C9hAAIAGrVgKBBllisWTZcKMAbv+vEuFAAAAAIAC\/\/8e8wAAAgQFtAEDAwgBAQQC"} 00543{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2360,"source":"cfgs\/default\/pcap\/emotet.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":2,"flow_src_last_pkt_time":1650905469778844,"flow_dst_last_pkt_time":1650905469855852,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1650905469855852,"pkt":"AAgCHEeuIOUqtpPxCABFAAA0AABAADAGCTGKxZNlCgQZZQG7woy1bvT7\/rxLhoAS+vB5zwAAAgQFbAEBBAIBAwMH"} @@ -61,7 +60,7 @@ 01208{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":2380,"source":"cfgs\/default\/pcap\/emotet.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":169,"flow_dst_packets_processed":395,"flow_first_seen":1650905413858492,"flow_src_last_pkt_time":1650905415845438,"flow_dst_last_pkt_time":1650905415829075,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":152,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":152,"flow_dst_tot_l4_payload_len":544316,"midstream":0,"thread_ts_usec":1650905518385458,"l3_proto":"ip4","src_ip":"10.4.25.101","dst_ip":"77.105.36.156","src_port":49797,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"flow_risk": {"4": {"risk":"Binary App Transfer","severity":"Severe","risk_score": {"total":150,"client":135,"server":15}},"11": {"risk":"HTTP Susp User-Agent","severity":"High","risk_score": {"total":310,"client":275,"server":35}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":7,"category":"Download"}} 01315{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":2380,"source":"cfgs\/default\/pcap\/emotet.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":61,"flow_dst_packets_processed":75,"flow_first_seen":1650905467542773,"flow_src_last_pkt_time":1650905495928769,"flow_dst_last_pkt_time":1650905472737211,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":480,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":722,"flow_dst_tot_l4_payload_len":95735,"midstream":0,"thread_ts_usec":1650905518385458,"l3_proto":"ip4","src_ip":"10.4.25.101","dst_ip":"138.197.147.101","src_port":49803,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"flow_risk": {"6": {"risk":"Self-signed Cert","severity":"High","risk_score": {"total":300,"client":270,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":300,"client":210,"server":90}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 01207{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":2380,"source":"cfgs\/default\/pcap\/emotet.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":7,"flow_first_seen":1650905469778844,"flow_src_last_pkt_time":1650905518385458,"flow_dst_last_pkt_time":1650905473602816,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":553,"flow_dst_max_l4_payload_len":660,"flow_src_tot_l4_payload_len":929,"flow_dst_tot_l4_payload_len":800,"midstream":0,"thread_ts_usec":1650905518385458,"l3_proto":"ip4","src_ip":"10.4.25.101","dst_ip":"138.197.147.101","src_port":49804,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":300,"client":210,"server":90}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} -00643{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":2380,"source":"cfgs\/default\/pcap\/emotet.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":2380,"packets-processed":2380,"total-skipped-flows":0,"total-l4-payload-len":1995225,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":6,"total-detection-updates":5,"total-updates":0,"current-active-flows":0,"total-active-flows":6,"total-idle-flows":6,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":64,"global_ts_usec":1650905518385458} +00643{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":2380,"source":"cfgs\/default\/pcap\/emotet.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":2380,"packets-processed":2380,"total-skipped-flows":0,"total-l4-payload-len":1995225,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":6,"total-detection-updates":4,"total-updates":0,"current-active-flows":0,"total-active-flows":6,"total-idle-flows":6,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":63,"global_ts_usec":1650905518385458} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ ~~ packets captured/processed: 2380/2380 ~~ skipped flows.............: 0 diff --git a/test/results/default/ftp-start-tls.pcap.out b/test/results/default/ftp-start-tls.pcap.out index 65652d9dd..71002ddf6 100644 --- a/test/results/default/ftp-start-tls.pcap.out +++ b/test/results/default/ftp-start-tls.pcap.out @@ -11,9 +11,8 @@ 01395{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":15,"source":"cfgs\/default\/pcap\/ftp-start-tls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":11,"flow_first_seen":1383123629078448,"flow_src_last_pkt_time":1383123629101855,"flow_dst_last_pkt_time":1383123629103318,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":150,"flow_dst_max_l4_payload_len":512,"flow_src_tot_l4_payload_len":160,"flow_dst_tot_l4_payload_len":720,"midstream":0,"thread_ts_usec":1383123629103318,"l3_proto":"ip4","src_ip":"10.238.26.36","dst_ip":"10.220.50.76","src_port":62092,"dst_port":21,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":150,"client":135,"server":15}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":450,"client":345,"server":105}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":300,"client":210,"server":90}}},"confidence": {"6":"DPI"},"proto":"FTPS","proto_id":"311","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Unsafe","category_id":7,"category":"Download"}} 01396{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":17,"source":"cfgs\/default\/pcap\/ftp-start-tls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":13,"flow_first_seen":1383123629078448,"flow_src_last_pkt_time":1383123629101855,"flow_dst_last_pkt_time":1383123629103328,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":150,"flow_dst_max_l4_payload_len":512,"flow_src_tot_l4_payload_len":160,"flow_dst_tot_l4_payload_len":1447,"midstream":0,"thread_ts_usec":1383123629103328,"l3_proto":"ip4","src_ip":"10.238.26.36","dst_ip":"10.220.50.76","src_port":62092,"dst_port":21,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":150,"client":135,"server":15}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":450,"client":345,"server":105}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":300,"client":210,"server":90}}},"confidence": {"6":"DPI"},"proto":"FTPS","proto_id":"311","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Unsafe","category_id":7,"category":"Download"}} 02579{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"cfgs\/default\/pcap\/ftp-start-tls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":9,"flow_dst_packets_processed":23,"flow_first_seen":1383123629078448,"flow_src_last_pkt_time":1383123629152654,"flow_dst_last_pkt_time":1383123629153383,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":330,"flow_dst_max_l4_payload_len":512,"flow_src_tot_l4_payload_len":609,"flow_dst_tot_l4_payload_len":3206,"midstream":0,"thread_ts_usec":1383123629153383,"l3_proto":"ip4","src_ip":"10.238.26.36","dst_ip":"10.220.50.76","src_port":62092,"dst_port":21,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":2,"avg":4811.0,"max":40376,"stddev":9556.7,"var":91331016.0,"ent":3.2,"data": [415,134,1253,15030,72,17807,3947,60,788,5,4347,3279,113,1027,2,8,2,118,3,2582,8520,40376,68,34737,4456,749,2222,1775,305,2738,2203]},"pktlen": {"min":46,"avg":160.9,"max":552,"stddev":164.2,"var":26956.4,"ent":4.4,"data": [46,46,46,46,113,113,50,46,46,71,71,190,46,46,552,552,255,552,552,255,46,370,91,91,77,122,122,77,122,122,85,130]},"bins": {"c_to_s": [4,3,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,2,7,0,0,0,2,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,0,1,1,0,1,1,1,1,0,1,1,1,1,1,1,1,1,0,0,1,1,0,1,1,0,1,1,0,1],"entropies": [4.174477577,4.816402912,4.816402912,4.390829086,5.377844810,5.377844810,4.955727100,4.347350597,4.347350597,5.319664001,5.319664001,5.167058468,4.434307098,4.434307098,6.822389126,7.154568672,6.962697506,6.822389126,7.151652813,6.962697029,4.544876099,7.242094517,5.879006863,5.879006863,5.747309208,6.191079140,6.207472801,5.766408920,6.279234409,6.279234409,5.962334156,6.287871361]},"ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":150,"client":135,"server":15}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":450,"client":345,"server":105}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":300,"client":210,"server":90}}},"confidence": {"6":"DPI"},"proto":"FTPS","proto_id":"311","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Unsafe","category_id":7,"category":"Download"}} -01396{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":32,"source":"cfgs\/default\/pcap\/ftp-start-tls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":9,"flow_dst_packets_processed":23,"flow_first_seen":1383123629078448,"flow_src_last_pkt_time":1383123629152654,"flow_dst_last_pkt_time":1383123629153383,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":330,"flow_dst_max_l4_payload_len":512,"flow_src_tot_l4_payload_len":609,"flow_dst_tot_l4_payload_len":3206,"midstream":0,"thread_ts_usec":1383123629153383,"l3_proto":"ip4","src_ip":"10.238.26.36","dst_ip":"10.220.50.76","src_port":62092,"dst_port":21,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":150,"client":135,"server":15}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":450,"client":345,"server":105}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":300,"client":210,"server":90}}},"confidence": {"6":"DPI"},"proto":"FTPS","proto_id":"311","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Unsafe","category_id":7,"category":"Download"}} 01428{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":51,"source":"cfgs\/default\/pcap\/ftp-start-tls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":35,"flow_first_seen":1383123629078448,"flow_src_last_pkt_time":1383123629412168,"flow_dst_last_pkt_time":1383123629233523,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":330,"flow_dst_max_l4_payload_len":512,"flow_src_tot_l4_payload_len":856,"flow_dst_tot_l4_payload_len":3834,"midstream":0,"thread_ts_usec":1383123629412168,"l3_proto":"ip4","src_ip":"10.238.26.36","dst_ip":"10.220.50.76","src_port":62092,"dst_port":21,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":150,"client":135,"server":15}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":450,"client":345,"server":105}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":300,"client":210,"server":90}}},"confidence": {"6":"DPI"},"proto":"FTPS","proto_id":"311","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Unsafe","category_id":7,"category":"Download"}} -00641{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":51,"source":"cfgs\/default\/pcap\/ftp-start-tls.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":51,"packets-processed":51,"total-skipped-flows":0,"total-l4-payload-len":4690,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":4,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":16,"global_ts_usec":1383123629412168} +00641{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":51,"source":"cfgs\/default\/pcap\/ftp-start-tls.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":51,"packets-processed":51,"total-skipped-flows":0,"total-l4-payload-len":4690,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":3,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":15,"global_ts_usec":1383123629412168} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ ~~ packets captured/processed: 51/51 ~~ skipped flows.............: 0 @@ -28,4 +27,4 @@ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json message min len.......: 543 chars ~~ json message max len.......: 2584 chars -~~ json message avg len.......: 1523 chars +~~ json message avg len.......: 1484 chars diff --git a/test/results/default/geforcenow.pcapng.out b/test/results/default/geforcenow.pcapng.out index 85f5e33f7..5532911de 100644 --- a/test/results/default/geforcenow.pcapng.out +++ b/test/results/default/geforcenow.pcapng.out @@ -10,7 +10,6 @@ 01401{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":5,"source":"cfgs\/default\/pcap\/geforcenow.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":2,"flow_first_seen":1684671871380890,"flow_src_last_pkt_time":1684671871422359,"flow_dst_last_pkt_time":1684671871464824,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":2896,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":2896,"midstream":0,"thread_ts_usec":1684671871464824,"l3_proto":"ip4","src_ip":"192.168.1.245","dst_ip":"80.84.167.206","src_port":57490,"dst_port":49100,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":160,"client":140,"server":20}}},"confidence": {"6":"DPI"},"proto":"TLS.GeForceNow","proto_id":"91.341","proto_by_ip":"Nvidia","proto_by_ip_id":342,"encrypted":1,"breed":"Fun","category_id":8,"category":"Game","hostname":"80-84-167-206.cloudmatchbeta.nvidiagrid.net","tls": {"version":"TLSv1.2","ja3":"021c7413ddeb0d58973451b0e3b19eca","ja3s":"098e26e2609212ac1bfac552fbe04127","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","advertised_alpns":"http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2"}}} 01742{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":7,"source":"cfgs\/default\/pcap\/geforcenow.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":3,"flow_first_seen":1684671871380890,"flow_src_last_pkt_time":1684671871464878,"flow_dst_last_pkt_time":1684671871464878,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":2896,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":3419,"midstream":0,"thread_ts_usec":1684671871464878,"l3_proto":"ip4","src_ip":"192.168.1.245","dst_ip":"80.84.167.206","src_port":57490,"dst_port":49100,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":160,"client":140,"server":20}}},"confidence": {"6":"DPI"},"proto":"TLS.GeForceNow","proto_id":"91.341","proto_by_ip":"Nvidia","proto_by_ip_id":342,"encrypted":1,"breed":"Fun","category_id":8,"category":"Game","hostname":"80-84-167-206.cloudmatchbeta.nvidiagrid.net","tls": {"version":"TLSv1.2","server_names":"prod.cloudmatchbeta.nvidiagrid.net,*.cloudmatchbeta.nvidiagrid.net","ja3":"021c7413ddeb0d58973451b0e3b19eca","ja3s":"098e26e2609212ac1bfac552fbe04127","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1","subjectDN":"C=US, ST=California, L=Santa Clara, O=NVIDIA Corporation, CN=prod.cloudmatchbeta.nvidiagrid.net","advertised_alpns":"http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2","fingerprint":"8C:24:BC:2B:01:63:B9:AC:83:90:F3:A9:F9:EA:72:5E:F4:47:A2:77"}}} 02308{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"cfgs\/default\/pcap\/geforcenow.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1684671871380890,"flow_src_last_pkt_time":1684671871611894,"flow_dst_last_pkt_time":1684671871611894,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":669,"flow_dst_max_l4_payload_len":2896,"flow_src_tot_l4_payload_len":1367,"flow_dst_tot_l4_payload_len":31825,"midstream":0,"thread_ts_usec":1684671871611894,"l3_proto":"ip4","src_ip":"192.168.1.245","dst_ip":"80.84.167.206","src_port":57490,"dst_port":49100,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":0,"avg":14903.5,"max":47333,"stddev":17676.6,"var":312463360.0,"ent":3.9,"data": [41203,41243,226,42731,42519,54,16,5947,47333,41968,42407,0,41955,155,4158,2454,15862,0,0,41,9328,25186,0,25245,4217,4258,11750,11667,45,20,20]},"pktlen": {"min":52,"avg":1089.8,"max":2948,"stddev":1283.5,"var":1647314.5,"ent":4.0,"data": [60,60,52,569,2948,52,575,52,145,326,721,324,235,52,217,96,96,2948,2948,2948,1500,52,2948,2948,52,2948,52,2948,52,2948,52,2948]},"bins": {"c_to_s": [10,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,2,0,0,2,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,10]},"directions": [0,1,0,0,1,0,1,0,0,1,0,1,1,0,1,0,0,1,1,1,1,0,1,1,0,1,0,1,0,1,0,1],"entropies": [4.825882912,5.279368877,5.207947731,4.797474861,7.333730698,5.169486046,7.591311932,5.169486046,6.138707161,7.168643475,7.677440643,7.274022579,6.973204136,5.207947731,6.943279743,5.763498783,5.664438248,7.941471577,7.933756351,7.935662746,7.862148762,5.207947731,7.936669827,7.942846298,5.207947731,7.941987514,5.169486046,7.928585052,5.270353794,7.943464279,5.217375278,7.941396713]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":160,"client":140,"server":20}}},"confidence": {"6":"DPI"},"proto":"TLS.GeForceNow","proto_id":"91.341","proto_by_ip":"Nvidia","proto_by_ip_id":342,"encrypted":1,"breed":"Fun","category_id":8,"category":"Game"}} -01747{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":32,"source":"cfgs\/default\/pcap\/geforcenow.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1684671871380890,"flow_src_last_pkt_time":1684671871611894,"flow_dst_last_pkt_time":1684671871611894,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":669,"flow_dst_max_l4_payload_len":2896,"flow_src_tot_l4_payload_len":1367,"flow_dst_tot_l4_payload_len":31825,"midstream":0,"thread_ts_usec":1684671871611894,"l3_proto":"ip4","src_ip":"192.168.1.245","dst_ip":"80.84.167.206","src_port":57490,"dst_port":49100,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":160,"client":140,"server":20}}},"confidence": {"6":"DPI"},"proto":"TLS.GeForceNow","proto_id":"91.341","proto_by_ip":"Nvidia","proto_by_ip_id":342,"encrypted":1,"breed":"Fun","category_id":8,"category":"Game","hostname":"80-84-167-206.cloudmatchbeta.nvidiagrid.net","tls": {"version":"TLSv1.2","server_names":"prod.cloudmatchbeta.nvidiagrid.net,*.cloudmatchbeta.nvidiagrid.net","ja3":"021c7413ddeb0d58973451b0e3b19eca","ja3s":"098e26e2609212ac1bfac552fbe04127","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1","subjectDN":"C=US, ST=California, L=Santa Clara, O=NVIDIA Corporation, CN=prod.cloudmatchbeta.nvidiagrid.net","advertised_alpns":"http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2","fingerprint":"8C:24:BC:2B:01:63:B9:AC:83:90:F3:A9:F9:EA:72:5E:F4:47:A2:77"}}} 00784{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":43,"source":"cfgs\/default\/pcap\/geforcenow.pcapng","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1684671871710618,"flow_src_last_pkt_time":1684671871710618,"flow_dst_last_pkt_time":1684671871710618,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":96,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":96,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":96,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1684671871710618,"l3_proto":"ip4","src_ip":"192.168.1.245","dst_ip":"80.84.167.206","src_port":52441,"dst_port":18452,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":5} 00646{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":43,"source":"cfgs\/default\/pcap\/geforcenow.pcapng","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_src_last_pkt_time":1684671871710618,"flow_dst_last_pkt_time":1684671871710618,"flow_idle_time":200000000,"pkt_datalink":1,"pkt_caplen":138,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":138,"pkt_l4_len":104,"thread_ts_usec":1684671871710618,"pkt":"ILAB4IZiNObXAhsnCABFAAB8NTxAAEARSnXAqAH1UFSnzszZSBQAaLs5AAEATCESpEJmZkFURGcvR3owYVkABgAJRWE1YTpKVkRSAAAAwFcABAAAA+eAKgAIwnuZSt3ewSoAJAAEbgAe\/wAIABRbjKTQjvzi9vcKvdFEaoRq\/ONY24AoAAQNZzi7"} 01080{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":43,"source":"cfgs\/default\/pcap\/geforcenow.pcapng","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1684671871710618,"flow_src_last_pkt_time":1684671871710618,"flow_dst_last_pkt_time":1684671871710618,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":96,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":96,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":96,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1684671871710618,"l3_proto":"ip4","src_ip":"192.168.1.245","dst_ip":"80.84.167.206","src_port":52441,"dst_port":18452,"l4_proto":"udp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":160,"client":140,"server":20}}},"confidence": {"6":"DPI"},"proto":"STUN","proto_id":"78","proto_by_ip":"Nvidia","proto_by_ip_id":342,"encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":""}} @@ -25,7 +24,7 @@ 02760{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":85,"source":"cfgs\/default\/pcap\/geforcenow.pcapng","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1684671871710618,"flow_src_last_pkt_time":1684671872714424,"flow_dst_last_pkt_time":1684671872714517,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":45,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":540,"flow_dst_max_l4_payload_len":661,"flow_src_tot_l4_payload_len":2076,"flow_dst_tot_l4_payload_len":2033,"midstream":0,"thread_ts_usec":1684671872714517,"l3_proto":"ip4","src_ip":"192.168.1.245","dst_ip":"80.84.167.206","src_port":52441,"dst_port":18452,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":0,"avg":64764.7,"max":689508,"stddev":136017.0,"var":18500616192.0,"ent":3.2,"data": [66053,63330,171747,44041,99894,183824,360133,689508,48469,47134,1,0,0,0,4464,1537,52687,37,46039,42295,446,303,157,40,93,42070,315,149,228,42450,261]},"pktlen": {"min":53,"avg":156.4,"max":689,"stddev":133.9,"var":17933.5,"ent":4.7,"data": [124,124,124,92,185,185,185,185,689,568,119,358,164,107,53,95,101,101,141,137,105,109,73,113,113,113,73,85,89,105,85,105]},"bins": {"c_to_s": [0,2,5,4,4,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,3,8,1,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,1,0,0,0,0,1,0,1,1,1,1,1,1,1,0,0,1,0,1,0,0,0,0,1,1,1,1,0,1],"entropies": [5.798890114,5.760544300,5.760543823,5.699924469,4.958880424,4.982108116,4.979167461,4.994058609,6.462553024,6.717261314,4.840689182,6.641223907,6.248939514,4.353680611,3.764864683,5.258242130,6.006977558,5.841088772,6.408538342,6.349637032,5.904027939,6.047730923,5.421965599,6.049623013,6.169179440,6.109401703,5.448651314,5.635576248,5.804111004,6.095016956,5.717526436,6.095016956]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":160,"client":140,"server":20}},"6": {"risk":"Self-signed Cert","severity":"High","risk_score": {"total":300,"client":270,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":300,"client":210,"server":90}},"32": {"risk":"TLS Cert Validity Too Long","severity":"Medium","risk_score": {"total":50,"client":25,"server":25}}},"confidence": {"6":"DPI"},"proto":"DTLS.GeForceNow","proto_id":"30.341","proto_by_ip":"Nvidia","proto_by_ip_id":342,"encrypted":1,"breed":"Fun","category_id":8,"category":"Game"}} 01573{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":108,"source":"cfgs\/default\/pcap\/geforcenow.pcapng","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":33,"flow_first_seen":1684671871710618,"flow_src_last_pkt_time":1684671872721652,"flow_dst_last_pkt_time":1684671872745627,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":45,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":540,"flow_dst_max_l4_payload_len":1180,"flow_src_tot_l4_payload_len":2573,"flow_dst_tot_l4_payload_len":15508,"midstream":0,"thread_ts_usec":1684671872745627,"l3_proto":"ip4","src_ip":"192.168.1.245","dst_ip":"80.84.167.206","src_port":52441,"dst_port":18452,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":160,"client":140,"server":20}},"6": {"risk":"Self-signed Cert","severity":"High","risk_score": {"total":300,"client":270,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":300,"client":210,"server":90}},"32": {"risk":"TLS Cert Validity Too Long","severity":"Medium","risk_score": {"total":50,"client":25,"server":25}}},"confidence": {"6":"DPI"},"proto":"DTLS.GeForceNow","proto_id":"30.341","proto_by_ip":"Nvidia","proto_by_ip_id":342,"encrypted":1,"breed":"Fun","category_id":8,"category":"Game"}} 01122{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":108,"source":"cfgs\/default\/pcap\/geforcenow.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":27,"flow_dst_packets_processed":27,"flow_first_seen":1684671871380890,"flow_src_last_pkt_time":1684671872718418,"flow_dst_last_pkt_time":1684671871771400,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":2896,"flow_dst_max_l4_payload_len":2896,"flow_src_tot_l4_payload_len":6969,"flow_dst_tot_l4_payload_len":38102,"midstream":0,"thread_ts_usec":1684671872745627,"l3_proto":"ip4","src_ip":"192.168.1.245","dst_ip":"80.84.167.206","src_port":57490,"dst_port":49100,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":160,"client":140,"server":20}}},"confidence": {"6":"DPI"},"proto":"TLS.GeForceNow","proto_id":"91.341","proto_by_ip":"Nvidia","proto_by_ip_id":342,"encrypted":1,"breed":"Fun","category_id":8,"category":"Game"}} -00644{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":108,"source":"cfgs\/default\/pcap\/geforcenow.pcapng","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":108,"packets-processed":108,"total-skipped-flows":0,"total-l4-payload-len":63152,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":7,"total-updates":0,"current-active-flows":0,"total-active-flows":2,"total-idle-flows":2,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":28,"global_ts_usec":1684671872745627} +00644{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":108,"source":"cfgs\/default\/pcap\/geforcenow.pcapng","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":108,"packets-processed":108,"total-skipped-flows":0,"total-l4-payload-len":63152,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":6,"total-updates":0,"current-active-flows":0,"total-active-flows":2,"total-idle-flows":2,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":27,"global_ts_usec":1684671872745627} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ ~~ packets captured/processed: 108/108 ~~ skipped flows.............: 0 diff --git a/test/results/default/imap-starttls.pcap.out b/test/results/default/imap-starttls.pcap.out index ad1e83a71..c33803a79 100644 --- a/test/results/default/imap-starttls.pcap.out +++ b/test/results/default/imap-starttls.pcap.out @@ -11,9 +11,8 @@ 01305{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":15,"source":"cfgs\/default\/pcap\/imap-starttls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":8,"flow_dst_packets_processed":7,"flow_first_seen":1437584567812552,"flow_src_last_pkt_time":1437584568570497,"flow_dst_last_pkt_time":1437584568767274,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":318,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":344,"flow_dst_tot_l4_payload_len":1990,"midstream":0,"thread_ts_usec":1437584568767274,"l3_proto":"ip4","src_ip":"192.168.17.53","dst_ip":"212.227.17.186","src_port":49640,"dst_port":143,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":160,"client":140,"server":20}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":300,"client":210,"server":90}}},"confidence": {"6":"DPI"},"proto":"IMAPS","proto_id":"51","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Safe","category_id":3,"category":"Email"}} 01306{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":19,"source":"cfgs\/default\/pcap\/imap-starttls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":9,"flow_dst_packets_processed":10,"flow_first_seen":1437584567812552,"flow_src_last_pkt_time":1437584568767550,"flow_dst_last_pkt_time":1437584568769690,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":318,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":344,"flow_dst_tot_l4_payload_len":5492,"midstream":0,"thread_ts_usec":1437584568769690,"l3_proto":"ip4","src_ip":"192.168.17.53","dst_ip":"212.227.17.186","src_port":49640,"dst_port":143,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":160,"client":140,"server":20}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":300,"client":210,"server":90}}},"confidence": {"6":"DPI"},"proto":"IMAPS","proto_id":"51","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Safe","category_id":3,"category":"Email"}} 02540{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"cfgs\/default\/pcap\/imap-starttls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1437584567812552,"flow_src_last_pkt_time":1437584570639554,"flow_dst_last_pkt_time":1437584570828629,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":318,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":540,"flow_dst_tot_l4_payload_len":5653,"midstream":0,"thread_ts_usec":1437584570828629,"l3_proto":"ip4","src_ip":"192.168.17.53","dst_ip":"212.227.17.186","src_port":49640,"dst_port":143,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":1,"avg":188486.4,"max":1677753,"stddev":378167.8,"var":143010873344.0,"ent":3.3,"data": [189790,189950,188317,188305,133,192463,259,192553,155,186504,9,186418,431,197380,166,197053,2043,207,2163,90,3747,191586,187876,1486951,1677753,168,190848,49,279,1,189432]},"pktlen": {"min":40,"avg":235.2,"max":1500,"stddev":424.6,"var":180326.2,"ent":3.6,"data": [64,52,40,311,40,54,46,267,40,52,72,46,40,358,1500,1500,40,1500,622,40,40,166,91,40,79,119,71,40,40,71,40,46]},"bins": {"c_to_s": [15,1,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,2,1,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,1,1,0,0,0,1,0,0,1,1,0,0,0,0,1],"entropies": [4.577819824,4.737868309,4.461769104,5.374657631,4.734183788,5.080696583,4.457919598,5.160151482,4.684183598,5.024262428,5.301461220,4.501398087,4.784183979,5.382153988,6.856912613,7.178915024,4.665312290,7.104553223,7.666580677,4.403056622,4.684184551,6.516188145,5.466528416,4.684184074,5.702392578,6.104408741,5.134844303,4.665312290,4.734184265,5.452422619,4.492897511,3.926021099]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":160,"client":140,"server":20}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":300,"client":210,"server":90}}},"confidence": {"6":"DPI"},"proto":"IMAPS","proto_id":"51","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Safe","category_id":3,"category":"Email"}} -01307{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":32,"source":"cfgs\/default\/pcap\/imap-starttls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1437584567812552,"flow_src_last_pkt_time":1437584570639554,"flow_dst_last_pkt_time":1437584570828629,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":318,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":540,"flow_dst_tot_l4_payload_len":5653,"midstream":0,"thread_ts_usec":1437584570828629,"l3_proto":"ip4","src_ip":"192.168.17.53","dst_ip":"212.227.17.186","src_port":49640,"dst_port":143,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":160,"client":140,"server":20}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":300,"client":210,"server":90}}},"confidence": {"6":"DPI"},"proto":"IMAPS","proto_id":"51","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Safe","category_id":3,"category":"Email"}} 01337{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":32,"source":"cfgs\/default\/pcap\/imap-starttls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1437584567812552,"flow_src_last_pkt_time":1437584570639554,"flow_dst_last_pkt_time":1437584570828629,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":318,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":540,"flow_dst_tot_l4_payload_len":5653,"midstream":0,"thread_ts_usec":1437584570828629,"l3_proto":"ip4","src_ip":"192.168.17.53","dst_ip":"212.227.17.186","src_port":49640,"dst_port":143,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":160,"client":140,"server":20}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":300,"client":210,"server":90}}},"confidence": {"6":"DPI"},"proto":"IMAPS","proto_id":"51","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Safe","category_id":3,"category":"Email"}} -00641{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":32,"source":"cfgs\/default\/pcap\/imap-starttls.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":32,"packets-processed":32,"total-skipped-flows":0,"total-l4-payload-len":6193,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":4,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":16,"global_ts_usec":1437584570828629} +00641{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":32,"source":"cfgs\/default\/pcap\/imap-starttls.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":32,"packets-processed":32,"total-skipped-flows":0,"total-l4-payload-len":6193,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":3,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":15,"global_ts_usec":1437584570828629} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ ~~ packets captured/processed: 32/32 ~~ skipped flows.............: 0 @@ -28,4 +27,4 @@ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json message min len.......: 535 chars ~~ json message max len.......: 2545 chars -~~ json message avg len.......: 1500 chars +~~ json message avg len.......: 1460 chars diff --git a/test/results/default/instagram.pcap.out b/test/results/default/instagram.pcap.out index 659a48183..417b9ca71 100644 --- a/test/results/default/instagram.pcap.out +++ b/test/results/default/instagram.pcap.out @@ -16,7 +16,6 @@ 01302{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":10,"source":"cfgs\/default\/pcap\/instagram.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1436720898354402,"flow_src_last_pkt_time":1436720898501130,"flow_dst_last_pkt_time":1436720898646669,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":464,"flow_dst_max_l4_payload_len":145,"flow_src_tot_l4_payload_len":464,"flow_dst_tot_l4_payload_len":145,"midstream":0,"thread_ts_usec":1436720898646669,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"173.252.107.4","src_port":56382,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":310,"client":275,"server":35}}},"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","proto_by_ip":"Facebook","proto_by_ip_id":119,"encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"telegraph-ash.instagram.com","tls": {"version":"TLSv1","ja3":"54ae5fcb0159e2ddf6a50e149221c7c7","ja3s":"acb741bcdffb787c5a52654c78645bdf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"}}} 01896{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":22,"source":"cfgs\/default\/pcap\/instagram.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":5,"flow_src_last_pkt_time":1436720900074495,"flow_dst_last_pkt_time":1436720898551576,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":1063,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1063,"pkt_l4_len":1029,"thread_ts_usec":1436720900074495,"pkt":"ABsv8H60QPMIw47hCABFAAQZa5JAAEAGjfzAqABnHw1dNISQAbuIwZOHpNSV\/YAYATACCAAAAQEICgAD6zRaUquVFwMBA+DkDUivvS2eBjkT2Urn2+KTbKUSC66\/qxC\/xD+VJohS0ez2+Xkk+lV7Cay4T3qDmms3u0VgM6A5H+3n7TePnJIVLW9eS+znnQVMaWWcj7eNfDCCii6movZtXtYSdlkSdYe+AV3zuKPoRQe5W8+BL8aUzaU2mxJIwHIuhCp\/wOHHZVlWSX4j0W\/HLVFrJ9+SKhoT3ymYn6vBersE+9\/7sKY+2J2IhMFbr+TBY2rnZnSngLvIZzDfQST7NLriH0JokZzVgg3Ff+3n4QivAvWspXgy0oaU2g3aaDd4f2+JfRt8qI3InhGx76jPbTiLxX9qaNV0iJsMs2R9Zbz45LheHPpmkG0V7bDGgEIpOaqiTMwB5vyiMd\/P54jKSzhcXbkTjVX9JupxlspvQCMzw0zD7LT5v7dAePpfjXlY31iS4F3oERk0vcdtXClQ+kXUQjRXrDfn9G+KdjJsBcQpenUtTCuLGDPpVEgTnSXS+lToADvcPr1rkPRhfbj8IUBcJUIcSlUm5rrXzhJko8lPknZB4TnyuXiKwn+lAlEw7TCskEcsZeQDg7bIBvRlAT+vSZ9c\/hnBukQ3DX+eHXRlNu5QwYmyZQpchItAPD2sjwtp\/oacDnxXBTJxsrxKApeuzP\/F7cUhAz3iRYmA+QEhh8k0MFPh1enJh7Kg+utJPgoLoxjJA75oFbTtLOl56uGfhjMFQHnFTdo3E\/LchZ\/qJhKBdosqvqoH0oDg1hr9cOpebAeBh5WDig+m+zUDnjg0RfFKufLkN8F9SJHwXapjQlt6wf1Hic6HUpgV\/iLxA9EMlB3SfwmMyFembYPapDW4zh2E5uvMtAkfyWhX4TjOep0+g9TfyHFxLf12hCwmMJCcMNg5ZrXrXlWtfXpEKK20uuRmxStID9PEDCx0YdLB1sqMlysgu3FFVUuTE3jBH4Jwvk3aPClCUFz90QKRSdGoGgxY7drYTMj6pGovLyduLCALkBZipLVkKctZ1E7Ahw5sKzGcL6KbFjtVL7X8kSt1FcYBkyXAuypyLFY9275D4SQbnyhaKWjTlx\/V1CS7UCPW3JEUwSje6VUwEW5quscLQyd0gztKVxa3hEEgOJwAV6TViRkF7y8ryi3k2JQ0HOzInxyLgtSoxlQqipvdMVM5Q0wtS4uxyXBjW6c2ixJ9VZqnfjNOGz7U8L44QPKln\/uZVp53Pa7zdtLnKiQSc6vzq4nlYDa2P+ZCCh17L5ayDcf87iSrR1Eolw6s9V29UDAylOQWQYmeknlyQuZCXxbBC54zMyAdL0o9OXP25quGIX+qhLqVNGvteb1pX5mGkXMRqWGnow=="} 02156{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":49,"source":"cfgs\/default\/pcap\/instagram.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1436720898386781,"flow_src_last_pkt_time":1436720900498659,"flow_dst_last_pkt_time":1436720900498598,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1365,"flow_dst_max_l4_payload_len":1398,"flow_src_tot_l4_payload_len":2362,"flow_dst_tot_l4_payload_len":17365,"midstream":1,"thread_ts_usec":1436720900498659,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"31.13.93.52","src_port":33936,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":61,"avg":136248.2,"max":1572479,"stddev":382122.6,"var":146017665024.0,"ent":2.2,"data": [88898,75897,164978,1522736,1572479,340302,390014,2197,2137,122,91,92,92,91,91,61,61,92,92,61,91,91,61,92,92,29907,29999,733,671,702,672]},"pktlen": {"min":52,"avg":668.5,"max":1450,"stddev":663.9,"var":440818.0,"ent":4.2,"data": [1417,52,665,52,1049,52,1450,52,195,52,1450,52,1283,52,1450,52,1450,52,1450,52,1450,52,1450,52,1450,52,1450,52,1450,52,1450,52]},"bins": {"c_to_s": [14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0],"s_to_c": [2,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,11,0,0,0,0]},"directions": [0,1,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0],"entropies": [7.861261845,5.070539474,7.656534195,5.014835358,7.778872013,5.017560959,7.868881702,5.053297043,6.745593071,5.053297043,7.855556488,5.091758728,7.839184761,5.091758728,7.864506721,5.038780212,7.844711781,5.115703106,7.864735603,5.077241421,7.847777367,5.077241898,7.868622303,5.077241421,7.866432190,5.115703106,7.875942230,5.115703106,7.870041847,5.115703106,7.866209507,5.077241421]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","proto_by_ip":"Facebook","proto_by_ip_id":119,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} -00938{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":49,"source":"cfgs\/default\/pcap\/instagram.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1436720898386781,"flow_src_last_pkt_time":1436720900498659,"flow_dst_last_pkt_time":1436720900498598,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1365,"flow_dst_max_l4_payload_len":1398,"flow_src_tot_l4_payload_len":2362,"flow_dst_tot_l4_payload_len":17365,"midstream":1,"thread_ts_usec":1436720900498659,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"31.13.93.52","src_port":33936,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","proto_by_ip":"Facebook","proto_by_ip_id":119,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00781{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":76,"source":"cfgs\/default\/pcap\/instagram.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1436720900684083,"flow_src_last_pkt_time":1436720900684083,"flow_dst_last_pkt_time":1436720900684083,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":260,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":260,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":260,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1436720900684083,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"46.33.70.160","src_port":38816,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} 00895{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":76,"source":"cfgs\/default\/pcap\/instagram.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_src_last_pkt_time":1436720900684083,"flow_dst_last_pkt_time":1436720900684083,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":326,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":326,"pkt_l4_len":292,"thread_ts_usec":1436720900684083,"pkt":"ABsv8H60QPMIw47hCABFAAE4wXBAAEAGQn\/AqABnLiFGoJegAFCP9SVkp0jV34AYH+olJAAAAQEICgAD63Ga3vWjR0VUIC9ocGhvdG9zLWFrLXhhcDEvdDUxLjI4ODUtMTUvZTM1LzEwODU5OTk0XzEwMDk0MzM3OTI0MzQ0NDdfMTYyNzY0NjA2Ml9uLmpwZz9zZT03IEhUVFAvMS4xDQpIb3N0OiBwaG90b3MtaC5hay5pbnN0YWdyYW0uY29tDQpDb25uZWN0aW9uOiBLZWVwLUFsaXZlDQpVc2VyLUFnZW50OiBJbnN0YWdyYW0gNy4xLjEgQW5kcm9pZCAoMTkvNC40LjI7IDQ4MGRwaTsgMTA4MHgxOTIwOyBzYW1zdW5nOyBHVC1JOTUwNTsgamZsdGU7IHFjb207IGl0X0lUKQ0KDQo="} 01244{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":76,"source":"cfgs\/default\/pcap\/instagram.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1436720900684083,"flow_src_last_pkt_time":1436720900684083,"flow_dst_last_pkt_time":1436720900684083,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":260,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":260,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":260,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1436720900684083,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"46.33.70.160","src_port":38816,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Instagram","proto_id":"7.211","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"photos-h.ak.instagram.com","http": {"url":"photos-h.ak.instagram.com\/hphotos-ak-xap1\/t51.2885-15\/e35\/10859994_1009433792434447_1627646062_n.jpg?se=7","code":0,"content_type":"","user_agent":"Instagram 7.1.1 Android (19\/4.4.2; 480dpi; 1080x1920; samsung; GT-I9505; jflte; qcom; it_IT)"}}} @@ -201,7 +200,7 @@ 00979{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":635,"source":"cfgs\/default\/pcap\/instagram.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"finished","flow_src_packets_processed":4,"flow_dst_packets_processed":0,"flow_first_seen":1436720906017091,"flow_src_last_pkt_time":1436720906024293,"flow_dst_last_pkt_time":1436720906017091,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":103,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":103,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":412,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1436720952611635,"l3_proto":"ip4","src_ip":"192.168.0.106","dst_ip":"255.255.255.255","src_port":17500,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00978{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":635,"source":"cfgs\/default\/pcap\/instagram.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1436720906022462,"flow_src_last_pkt_time":1436720906022462,"flow_dst_last_pkt_time":1436720906022462,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":103,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":103,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":103,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1436720952611635,"l3_proto":"ip4","src_ip":"192.168.0.106","dst_ip":"192.168.0.255","src_port":17500,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00780{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":635,"source":"cfgs\/default\/pcap\/instagram.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1436720906025422,"flow_src_last_pkt_time":1436720906025422,"flow_dst_last_pkt_time":1436720906025422,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":24,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":24,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":24,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1436720952611635,"l3_proto":"ip4","src_ip":"192.168.0.1","dst_ip":"192.168.0.255","src_port":520,"dst_port":520,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":5} -00645{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":635,"source":"cfgs\/default\/pcap\/instagram.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":635,"packets-processed":633,"total-skipped-flows":0,"total-l4-payload-len":408166,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":24,"total-detection-updates":13,"total-updates":4,"current-active-flows":32,"total-active-flows":32,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":204,"global_ts_usec":1568796253770116} +00645{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":635,"source":"cfgs\/default\/pcap\/instagram.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":635,"packets-processed":633,"total-skipped-flows":0,"total-l4-payload-len":408166,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":24,"total-detection-updates":12,"total-updates":4,"current-active-flows":32,"total-active-flows":32,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":203,"global_ts_usec":1568796253770116} 00776{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":635,"source":"cfgs\/default\/pcap\/instagram.pcap","alias":"nDPId-test","flow_id":33,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1568796253770116,"flow_src_last_pkt_time":1568796253770116,"flow_dst_last_pkt_time":1568796253770116,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1568796253770116,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49355,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} 00563{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":635,"source":"cfgs\/default\/pcap\/instagram.pcap","alias":"nDPId-test","flow_id":33,"flow_packet_id":1,"flow_src_last_pkt_time":1568796253770116,"flow_dst_last_pkt_time":1568796253770116,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1568796253770116,"pkt":"xiwDYGpkxGGLNYKpCABFAABAAABAAEAGAr7AqAIRHw1WNMDLAbuZigajAAAAALAC\/\/8cPAAAAgQFtAEDAwYBAQgKDXByoQAAAAAEAgAA"} 00557{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":636,"source":"cfgs\/default\/pcap\/instagram.pcap","alias":"nDPId-test","flow_id":33,"flow_packet_id":2,"flow_src_last_pkt_time":1568796253770116,"flow_dst_last_pkt_time":1568796253782515,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1568796253782515,"pkt":"xGGLNYKpxiwDYGpkCABFAAA8AAAAAFQGLsIfDVY0wKgCEQG7wMv1rwrBmYoGpKASbHB3qgAAAgQFeAQCCAo6Lg6wDXByoQEDAwg="} @@ -297,7 +296,7 @@ 00984{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":847,"source":"cfgs\/default\/pcap\/instagram.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":6,"flow_first_seen":1568796254524506,"flow_src_last_pkt_time":1568796254539348,"flow_dst_last_pkt_time":1568796254552721,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":513,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":932,"flow_dst_tot_l4_payload_len":2243,"midstream":0,"thread_ts_usec":1568796268054084,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49359,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","proto_by_ip":"Facebook","proto_by_ip_id":119,"encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} 00986{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":847,"source":"cfgs\/default\/pcap\/instagram.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":10,"flow_first_seen":1568796265146962,"flow_src_last_pkt_time":1568796265177487,"flow_dst_last_pkt_time":1568796265178429,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":526,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1014,"flow_dst_tot_l4_payload_len":6430,"midstream":0,"thread_ts_usec":1568796268054084,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49360,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","proto_by_ip":"Facebook","proto_by_ip_id":119,"encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} 00983{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":847,"source":"cfgs\/default\/pcap\/instagram.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":4,"flow_first_seen":1568796265147078,"flow_src_last_pkt_time":1568796265178757,"flow_dst_last_pkt_time":1568796265176036,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":526,"flow_dst_max_l4_payload_len":222,"flow_src_tot_l4_payload_len":1014,"flow_dst_tot_l4_payload_len":222,"midstream":0,"thread_ts_usec":1568796268054084,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49361,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","proto_by_ip":"Facebook","proto_by_ip_id":119,"encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} -00647{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":847,"source":"cfgs\/default\/pcap\/instagram.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":847,"packets-processed":846,"total-skipped-flows":0,"total-l4-payload-len":530270,"total-not-detected-flows":1,"total-guessed-flows":7,"total-detected-flows":30,"total-detection-updates":19,"total-updates":4,"current-active-flows":0,"total-active-flows":38,"total-idle-flows":38,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":300,"global_ts_usec":1568796268054084} +00647{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":847,"source":"cfgs\/default\/pcap\/instagram.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":847,"packets-processed":846,"total-skipped-flows":0,"total-l4-payload-len":530270,"total-not-detected-flows":1,"total-guessed-flows":7,"total-detected-flows":30,"total-detection-updates":18,"total-updates":4,"current-active-flows":0,"total-active-flows":38,"total-idle-flows":38,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":299,"global_ts_usec":1568796268054084} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ ~~ packets captured/processed: 847/846 ~~ skipped flows.............: 0 diff --git a/test/results/default/iphone.pcap.out b/test/results/default/iphone.pcap.out index 763bf0da4..eb59742bc 100644 --- a/test/results/default/iphone.pcap.out +++ b/test/results/default/iphone.pcap.out @@ -288,7 +288,6 @@ 02174{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":397,"source":"cfgs\/default\/pcap\/iphone.pcap","alias":"nDPId-test","flow_id":45,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1582454599225110,"flow_src_last_pkt_time":1582454600252426,"flow_dst_last_pkt_time":1582454600287478,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1018,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":2233,"flow_dst_tot_l4_payload_len":5676,"midstream":0,"thread_ts_usec":1582454600287478,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"17.248.176.75","src_port":50584,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":6,"avg":67409.2,"max":654765,"stddev":146324.1,"var":21410738176.0,"ent":2.9,"data": [34116,36074,120,34743,1609,104,2287,55,140235,397,7279,143339,13,33865,58,1492,19,11,252,423,44,150,34850,6,1213,30,128241,155238,167955,510701,654765]},"pktlen": {"min":40,"avg":299.4,"max":1492,"stddev":449.8,"var":202280.4,"ent":3.8,"data": [64,60,52,569,52,1492,1492,1492,566,52,52,145,103,121,52,52,105,102,94,1070,90,436,90,52,90,52,52,52,736,52,40,52]},"bins": {"c_to_s": [9,5,1,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,1,1,1,1,0,1,0,0,1],"entropies": [4.410132408,5.160978794,5.101186275,4.520410061,5.142373085,6.747455597,7.544580936,7.534257412,7.316954136,4.932822704,5.009746075,6.044896126,5.671187878,6.038887501,4.985801220,5.024262905,5.722696304,5.781558990,5.543742657,7.804463387,5.504428864,7.447539806,5.482206821,4.932822704,5.457657814,4.988526344,4.974009514,4.894361019,7.697007179,5.009746075,4.521928787,5.089394093]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AppleiCloud","proto_id":"91.143","proto_by_ip":"Apple","proto_by_ip_id":140,"encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 02166{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":401,"source":"cfgs\/default\/pcap\/iphone.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1582454599934729,"flow_src_last_pkt_time":1582454600290030,"flow_dst_last_pkt_time":1582454600371223,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":3458,"flow_dst_tot_l4_payload_len":5165,"midstream":0,"thread_ts_usec":1582454600371223,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"92.123.77.26","src_port":50587,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":4,"avg":25541.8,"max":147307,"stddev":44603.2,"var":1989448704.0,"ent":3.2,"data": [33256,146084,75,147307,1403,159,73,18,38616,19,50,10855,46914,12516,120151,44,4,168,1146,109,1513,467,107361,13,1221,31041,492,3663,24,4467,82566]},"pktlen": {"min":52,"avg":322.1,"max":1492,"stddev":461.1,"var":212650.1,"ent":3.9,"data": [64,60,52,569,52,1492,1492,1268,442,52,52,52,132,339,339,98,95,87,1492,552,818,52,52,52,122,52,52,83,52,87,52,52]},"bins": {"c_to_s": [10,3,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0],"s_to_c": [6,1,1,0,0,0,0,0,2,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,2,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,0,1,1,0,0,0,0,0,0,0,0,1,1,1,0,0,1,1,0,1],"entropies": [4.515677452,5.260978699,5.115703106,4.536097050,5.154164791,7.838258266,7.887313843,7.830554962,7.500537872,5.115703106,5.154164791,5.077241421,6.238309383,7.385308743,7.348131180,6.055991173,6.001430511,5.896850586,7.866535664,7.607725620,7.722208500,5.154164791,5.154164791,5.062724590,6.184679508,5.056022644,5.115703106,5.763531208,5.094483852,5.873862743,5.115703106,5.056022167]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AppleiTunes","proto_id":"91.145","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Fun","category_id":17,"category":"Streaming"}} 02207{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":412,"source":"cfgs\/default\/pcap\/iphone.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"info","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1582454598721885,"flow_src_last_pkt_time":1582454600432880,"flow_dst_last_pkt_time":1582454600398737,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":13211,"flow_dst_tot_l4_payload_len":8177,"midstream":0,"thread_ts_usec":1582454600432880,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"17.248.185.87","src_port":50581,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":19,"avg":109285.4,"max":803512,"stddev":185220.7,"var":34306707456.0,"ent":3.4,"data": [145952,170980,359,171301,2704,133,11131,1277,11157,179655,19,50,112,15556,168247,146405,161443,749,308681,51490,198168,655712,185,186,293,803512,1267,180253,328,297,245]},"pktlen": {"min":52,"avg":721.0,"max":1492,"stddev":667.3,"var":445284.8,"ent":4.3,"data": [64,60,52,569,52,1492,1492,1492,1492,1474,52,52,52,52,145,103,52,1169,344,52,996,52,1164,1492,1492,1492,52,52,1492,1492,1492,1492]},"bins": {"c_to_s": [8,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,7,0,0],"s_to_c": [5,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,4,0,0]},"directions": [0,1,0,0,1,1,1,1,1,1,0,0,0,0,0,1,0,0,0,1,1,0,0,0,0,0,1,1,0,0,0,0],"entropies": [4.378882408,5.048397064,4.855899334,4.669833183,5.026988029,6.153114796,4.607729912,7.088045597,7.461877346,7.528841019,4.947339535,4.870416164,4.908878326,4.825253010,6.027275085,5.625993729,4.985801220,7.818661690,7.150210857,5.103910923,7.800937653,4.908877850,7.820833683,7.850773335,7.853681087,7.878564835,4.985801220,4.959492207,7.858905315,7.865253448,7.862413406,7.846001625]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AppleiCloud","proto_id":"91.143","proto_by_ip":"Apple","proto_by_ip_id":140,"encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} -03944{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":412,"source":"cfgs\/default\/pcap\/iphone.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"info","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1582454598721885,"flow_src_last_pkt_time":1582454600432880,"flow_dst_last_pkt_time":1582454600398737,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":13211,"flow_dst_tot_l4_payload_len":8177,"midstream":0,"thread_ts_usec":1582454600432880,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"17.248.185.87","src_port":50581,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AppleiCloud","proto_id":"91.143","proto_by_ip":"Apple","proto_by_ip_id":140,"encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"p26-keyvalueservice.icloud.com","tls": {"version":"TLSv1.2","server_names":"p62-keyvalueservice.icloud.com,p41-keyvalueservice.icloud.com,p97-keyvalueservice.icloud.com,p28-keyvalueservice.icloud.com,p32-keyvalueservice.icloud.com,p56-keyvalueservice.icloud.com,p33-keyvalueservice.icloud.com,p37-keyvalueservice.icloud.com,p67-keyvalueservice.icloud.com,p70-keyvalueservice.icloud.com,p63-keyvalueservice.icloud.com,p07-keyvalueservice.icloud.com,p52-keyvalueservice.icloud.com,p18-keyvalueservice.icloud.com,p21-keyvalueservice.icloud.com,p17-keyvalueservice.icloud.com,p36-keyvalueservice.icloud.com,p19-keyvalueservice.icloud.com,p26-keyvalueservice.icloud.com,p55-keyvalueservice.icloud.com,p06-keyvalueservice.icloud.com,p23-keyvalueservice.icloud.com,p65-keyvalueservice.icloud.com,p58-keyvalueservice.icloud.com,p35-keyvalueservice.icloud.com,p42-keyvalueservice.icloud.com,p12-keyvalueservice.icloud.com,p15-keyvalueservice.icloud.com,p16-keyvalueservice.icloud.com,p29-keyvalueservice.icloud.com,p39-keyvalueservice.icloud.com,p71-keyvalueservice.icloud.com,p22-keyvalueservice.icloud.com,p40-keyvalueservice.icloud.com,p11-keyvalueservice.icloud.com,p66-keyvalueservice.icloud.com,p68-keyvalueservice.icloud.com,p201-keyvalueservice.icloud.com,p10-keyvalueservice.icloud.com,p61-keyvalueservice.icloud.com,p30-keyvalueservice.icloud.com,p01-keyvalueservice.icloud.com,p14-keyvalueservice.icloud.com,p50-keyvalueservice.icloud.com,p31-keyvalueservice.icloud.com,p47-keyvalueservice.icloud.com,p48-keyvalueservice.icloud.com,p20-keyvalueservice.icloud.com,p51-keyvalueservice.icloud.com,p27-keyvalueservice.icloud.com,p49-keyvalueservice.icloud.com,p03-keyvalueservice.icloud.com,p24-keyvalueservice.icloud.com,p25-keyvalueservice.icloud.com,p08-keyvalueservice.icloud.com,p13-keyvalueservice.icloud.com,p04-keyvalueservice.icloud.com,p05-keyvalueservice.icloud.com,p02-keyvalueservice.icloud.com,p09-keyvalueservice.icloud.com,p57-keyvalueservice.icloud.com,p59-keyvalueservice.icloud.com,p64-keyvalueservice.icloud.com,p38-keyvalueservice.icloud.com,p54-keyvalueservice.icloud.com,p72-keyvalueservice.icloud.com,keyvalueservice.icloud.com,p69-keyvalueservice.icloud.com,p43-keyvalueservice.icloud.com,p45-keyvalueservice.icloud.com,p202-keyvalueservice.icloud.com,p98-keyvalueservice.icloud.com,p34-keyvalueservice.icloud.com,p44-keyvalueservice.icloud.com,p46-keyvalueservice.icloud.com,p53-keyvalueservice.icloud.com,p60-keyvalueservice.icloud.com","ja3":"6fa3244afc6bb6f9fad207b6b52af26b","ja3s":"1e60202b4001a190621caa963fb76697","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","issuerDN":"CN=Apple IST CA 2 - G1, OU=Certification Authority, O=Apple Inc., C=US","subjectDN":"CN=keyvalueservice.icloud.com, O=Apple Inc., ST=California, C=US","advertised_alpns":"h2,http\/1.1","negotiated_alpn":"http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"D8:84:3B:15:06:49:1C:72:C4:05:C0:F0:82:3B:43:4A:D1:8F:D5:9F"}}} 00774{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":419,"source":"cfgs\/default\/pcap\/iphone.pcap","alias":"nDPId-test","flow_id":50,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1582454600454021,"flow_src_last_pkt_time":1582454600454021,"flow_dst_last_pkt_time":1582454600454021,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":39,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":39,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":39,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1582454600454021,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"192.168.2.1","src_port":63677,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":5} 00561{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":419,"source":"cfgs\/default\/pcap\/iphone.pcap","alias":"nDPId-test","flow_id":50,"flow_packet_id":1,"flow_src_last_pkt_time":1582454600454021,"flow_dst_last_pkt_time":1582454600454021,"flow_idle_time":200000000,"pkt_datalink":1,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":81,"pkt_l4_len":47,"thread_ts_usec":1582454600454021,"pkt":"xiwDYGpkxGGLNYKpCABFAABDtJ8AAP8RgafAqAIRwKgCAfi9ADUAL+BtI4YBAAABAAAAAAAABHN5bmMGaXR1bmVzBWFwcGxlA2NvbQAAAQAB"} 01070{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":419,"source":"cfgs\/default\/pcap\/iphone.pcap","alias":"nDPId-test","flow_id":50,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1582454600454021,"flow_src_last_pkt_time":1582454600454021,"flow_dst_last_pkt_time":1582454600454021,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":39,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":39,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":39,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1582454600454021,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"192.168.2.1","src_port":63677,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.AppleiTunes","proto_id":"5.145","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Fun","category_id":14,"category":"Network","hostname":"sync.itunes.apple.com","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}} @@ -354,7 +353,7 @@ 00943{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":500,"source":"cfgs\/default\/pcap\/iphone.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":0,"flow_first_seen":1582454595354550,"flow_src_last_pkt_time":1582454599568888,"flow_dst_last_pkt_time":1582454595354550,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":8,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":16,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":24,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1582454600748726,"l3_proto":"ip6","src_ip":"fe80::823:3f17:8298:a29c","dst_ip":"ff02::2","l4_proto":"icmp6","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"ICMPV6","proto_id":"102","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00980{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":500,"source":"cfgs\/default\/pcap\/iphone.pcap","alias":"nDPId-test","flow_id":30,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1582454598713167,"flow_src_last_pkt_time":1582454598713167,"flow_dst_last_pkt_time":1582454598755439,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":32,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":32,"flow_dst_max_l4_payload_len":161,"flow_src_tot_l4_payload_len":32,"flow_dst_tot_l4_payload_len":161,"midstream":0,"thread_ts_usec":1582454600748726,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"192.168.2.1","src_port":52682,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.AppleiCloud","proto_id":"5.143","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00973{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":500,"source":"cfgs\/default\/pcap\/iphone.pcap","alias":"nDPId-test","flow_id":48,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1582454599929249,"flow_src_last_pkt_time":1582454599929249,"flow_dst_last_pkt_time":1582454599930239,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":39,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":39,"flow_dst_max_l4_payload_len":199,"flow_src_tot_l4_payload_len":39,"flow_dst_tot_l4_payload_len":199,"midstream":0,"thread_ts_usec":1582454600748726,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"192.168.2.1","src_port":65079,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.AppleiTunes","proto_id":"5.145","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Fun","category_id":14,"category":"Network"}} -00644{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":500,"source":"cfgs\/default\/pcap\/iphone.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":500,"packets-processed":486,"total-skipped-flows":0,"total-l4-payload-len":190360,"total-not-detected-flows":0,"total-guessed-flows":1,"total-detected-flows":50,"total-detection-updates":41,"total-updates":0,"current-active-flows":0,"total-active-flows":51,"total-idle-flows":51,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":357,"global_ts_usec":1582454600748726} +00644{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":500,"source":"cfgs\/default\/pcap\/iphone.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":500,"packets-processed":486,"total-skipped-flows":0,"total-l4-payload-len":190360,"total-not-detected-flows":0,"total-guessed-flows":1,"total-detected-flows":50,"total-detection-updates":40,"total-updates":0,"current-active-flows":0,"total-active-flows":51,"total-idle-flows":51,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":356,"global_ts_usec":1582454600748726} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ ~~ packets captured/processed: 500/486 ~~ skipped flows.............: 0 @@ -368,5 +367,5 @@ ~~ total allocations/frees...: 217941/217941 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json message min len.......: 528 chars -~~ json message max len.......: 3949 chars -~~ json message avg len.......: 2238 chars +~~ json message max len.......: 3944 chars +~~ json message avg len.......: 2236 chars diff --git a/test/results/default/long_tls_certificate.pcap.out b/test/results/default/long_tls_certificate.pcap.out index b714dda50..3797d2742 100644 --- a/test/results/default/long_tls_certificate.pcap.out +++ b/test/results/default/long_tls_certificate.pcap.out @@ -10,9 +10,8 @@ 01237{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"cfgs\/default\/pcap\/long_tls_certificate.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1609756181300869,"flow_src_last_pkt_time":1609756181681181,"flow_dst_last_pkt_time":1609756182035428,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1452,"midstream":0,"thread_ts_usec":1609756182035428,"l3_proto":"ip4","src_ip":"192.168.1.60","dst_ip":"106.15.100.123","src_port":55333,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Alibaba","proto_id":"91.274","proto_by_ip":"Alibaba","proto_by_ip_id":274,"encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"beacon-api.aliyuncs.com","tls": {"version":"TLSv1.2","ja3":"2a26b1a62e40d25d4de3babc9d532f30","ja3s":"eee3d2bf5f17d17548ac36ba1872951f","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","advertised_alpns":"h2,http\/1.1","negotiated_alpn":"h2"}}} 05374{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":12,"source":"cfgs\/default\/pcap\/long_tls_certificate.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":7,"flow_first_seen":1609756181300869,"flow_src_last_pkt_time":1609756182035731,"flow_dst_last_pkt_time":1609756182035821,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":6858,"midstream":0,"thread_ts_usec":1609756182035821,"l3_proto":"ip4","src_ip":"192.168.1.60","dst_ip":"106.15.100.123","src_port":55333,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Alibaba","proto_id":"91.274","proto_by_ip":"Alibaba","proto_by_ip_id":274,"encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"beacon-api.aliyuncs.com","tls": {"version":"TLSv1.2","server_names":"*.aliyun.com,manager.channel.aliyun.com,*.ace.aliyun.com,*.acs-internal.aliyuncs.com,*.acs.aliyun.com,*.aicrowd.aliyun.com,*.alibabacloud.co.in,*.alibabacloud.com,*.alibabacloud.com.au,*.alibabacloud.com.hk,*.alibabacloud.com.my,*.alibabacloud.com.sg,*.alibabacloud.com.tw,*.alicdn.com,*.alicloud.com,*.aligroup.aliyun.com,*.alimei.com,*.alink.aliyun.com,*.alios.aliyuncs.com,*.aliplus.com,*.alitranx.aliyun.com,*.aliyun-iot-share.com,*.aliyuncs.com,*.alyms.cn,*.ap-northeast-1.aliyuncs.com,*.ap-south-1.aliyuncs.com,*.ap-southeast-1.aliyuncs.com,*.ap-southeast-2.aliyuncs.com,*.ap-southeast-3.aliyuncs.com,*.ap-southeast-5.aliyuncs.com,*.api.aliyun.com,*.apm.aliyun.com,*.app.aliyun.com,*.asmlink.cn,*.banma.aliyuncs.com,*.base.shuju.aliyun.com,*.bi.aliyun.com,*.biz.aliyun.com,*.bridge.aliyun.com,*.ccc.aliyuncs.com,*.center.aliyun.com,*.citybrain.aliyun.com,*.cloudapp.aliyun.com,*.cloudeagle.cn,*.cloudgame.aliyun.com,*.cn-beijing.aliyuncs.com,*.cn-chengdu.aliyuncs.com,*.cn-guizhou.aliyuncs.com,*.cn-haidian.aliyuncs.com,*.cn-hangzhou-finance.aliyuncs.com,*.cn-hangzhou.aliyuncs.com,*.cn-hongkong.aliyuncs.com,*.cn-huhehaote.aliyuncs.com,*.cn-ningxia.aliyuncs.com,*.cn-north-2-gov-1.aliyuncs.com,*.cn-qingdao-nebula.aliyuncs.com,*.cn-qingdao.aliyuncs.com,*.cn-shanghai-finance-1.aliyuncs.com,*.cn-shanghai.aliyun.com,*.cn-shanghai.aliyuncs.com,*.cn-shenzhen-cloudstone.aliyuncs.com,*.cn-shenzhen-finance-1.aliyuncs.com,*.cn-shenzhen.aliyuncs.com,*.cn-sichuan.aliyuncs.com,*.cn-zhangjiakou.aliyuncs.com,*.connect.aliyun.com,*.console.alibabacloud.com,*.console.alicloud.com,*.console.aliyun.com,*.cs.aliyun.com,*.cschat-ccs.aliyun.com,*.data.aliyun.com,*.dataapi.aliyun.com,*.dataq.aliyuncs.com,*.datav.aliyun.com,*.datav.aliyuncs.com,*.devlops.aliyun.com,*.devops.aliyun.com,*.ditu.aliyun.com,*.domain.aliyun.com,*.dyiot.aliyun.com,*.ebs.aliyun.com,*.emas.aliyun.com,*.emr.aliyun.com,*.enterprise.aliyun.com,*.env.aliyun.com,*.et-industry.aliyun.com,*.eu-central-1.aliyuncs.com,*.eu-west-1.aliyuncs.com,*.fc.aliyun.com,*.feedback.console.aliyun.com,*.gts-x.aliyun.com,*.gts.aliyun.com,*.help-ccs.aliyun.com,*.ialicdn.com,*.in-mumbai.aliyuncs.com,*.iot.aliyun.com,*.jp-fudao.aliyuncs.com,*.linkedmall.aliyun.com,*.linkwan.aliyun.com,*.living.aliyun.com,*.luban.aliyun.com,*.m.aliyun.com,*.market.aliyun.com,*.maxcompute.aliyun.com,*.me-east-1.aliyuncs.com,*.media.aliyun.com,*.microdingtalk.aliyun.com,*.mit.aliyun.com,*.mobile.aliyun.com,*.msea.aliyun.com,*.mts.aliyun.com,*.mvp.aliyun.com,*.nebula.aliyun.com,*.nls.aliyuncs.com,*.odps.aliyun.com,*.ons.aliyun.com,*.ose.aliyun.com,*.pai.data.aliyun.com,*.pcs-gw-cn-beijing.aliyun.com,*.pcs-gw-cn-shanghai.aliyun.com,*.phpwind.com,*.phpwind.net,*.pre-sg-purchase.aliyun.com,*.prepub.aliyun.com,*.product.center.aliyun.com,*.pts.aliyun.com,*.r-app-cn-beijing-data.aliyun.com,*.r-app-cn-hangzhou-data.aliyun.com,*.r-app-cn-shenzhen-data.aliyun.com,*.r-app-data.aliyun.com,*.rdc.aliyun.com,*.rds.aliyun.com,*.reid.aliyun.com,*.sc-cmdb.aliyuncs.com,*.scsp.aliyun.com,*.sg.aliyuncs.com,*.shuju.aliyun.com,*.smart.aliyun.com,*.soc.aliyun.com,*.soc.aliyuncs.com,*.sparenode.com,*.supet.com,*.tburl.in,*.teambition.com,*.teambition.net,*.teambitionapis.com,*.tianchi.aliyun.com,*.toolkit.aliyun.com,*.tv.aliyun.com,*.tw-gaoxiong.aliyuncs.com,*.us-east-1.aliyuncs.com,*.us-west-1.aliyuncs.com,*.webide.aliyun.com,*.yuntu.aliyun.com,account.www.net.cn,alibabacloud.co.in,alibabacloud.com,alibabacloud.com.au,alibabacloud.com.hk,alibabacloud.com.my,alibabacloud.com.sg,alibabacloud.com.tw,alicdn.com,alicloud.com,alimei.com,aliyun-iot-share.com,aliyuncs.com,dc.www.net.cn,dmp.www.net.cn,dns.www.net.cn,panda.www.net.cn,pandavip.www.net.cn,phpwind.com,phpwind.net,scdnphi6.com,sparenode.com,supet.com,tburl.in,teambition.com,teambition.net,teambitionapis.com,tianchi-global.com,whois.www.net.cn,aliyun.com","ja3":"2a26b1a62e40d25d4de3babc9d532f30","ja3s":"eee3d2bf5f17d17548ac36ba1872951f","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2","subjectDN":"C=CN, ST=ZheJiang, L=HangZhou, O=Alibaba (China) Technology Co., Ltd., CN=*.aliyun.com","advertised_alpns":"h2,http\/1.1","negotiated_alpn":"h2","fingerprint":"2B:C6:82:22:E9:94:09:24:34:E1:5C:F1:24:76:98:75:45:78:53:DA"}}} 02182{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"cfgs\/default\/pcap\/long_tls_certificate.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1609756181300869,"flow_src_last_pkt_time":1609756182512712,"flow_dst_last_pkt_time":1609756182787262,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":906,"flow_dst_tot_l4_payload_len":9549,"midstream":0,"thread_ts_usec":1609756182787262,"l3_proto":"ip4","src_ip":"192.168.1.60","dst_ip":"106.15.100.123","src_port":55333,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":4,"avg":87039.9,"max":370939,"stddev":130477.0,"var":17024251904.0,"ent":3.4,"data": [370788,370939,9373,360927,2844,76,70,354425,123,125,124,131,8073,8089,5763,200299,194564,174299,34,174324,4,2275,71,66,101,117,94097,91476,274609,24,6]},"pktlen": {"min":40,"avg":370.7,"max":1492,"stddev":546.6,"var":298744.2,"ent":3.7,"data": [64,64,40,557,46,1492,1492,1492,40,1492,40,1090,40,1090,52,166,1492,52,91,109,40,40,93,96,82,114,78,109,52,52,52,52]},"bins": {"c_to_s": [10,4,1,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0]},"directions": [0,1,0,0,1,1,1,1,0,1,0,1,0,1,0,0,1,0,1,1,0,0,0,0,0,0,0,1,0,1,1,1],"entropies": [4.353732109,4.287687778,4.680641651,4.404402256,4.565872192,6.234030724,4.660021305,4.709488392,4.630641460,6.835905075,4.680641651,7.511188984,4.580641747,7.512306690,4.740514278,6.280318737,6.238153934,4.870416164,5.914383888,6.170372486,4.680641651,4.680641651,5.707346439,5.695815086,5.241580486,6.007335186,5.319273472,6.145098209,4.778975964,5.063529015,5.025067329,5.063529015]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Alibaba","proto_id":"91.274","proto_by_ip":"Alibaba","proto_by_ip_id":274,"encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} -05376{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":32,"source":"cfgs\/default\/pcap\/long_tls_certificate.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1609756181300869,"flow_src_last_pkt_time":1609756182512712,"flow_dst_last_pkt_time":1609756182787262,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":906,"flow_dst_tot_l4_payload_len":9549,"midstream":0,"thread_ts_usec":1609756182787262,"l3_proto":"ip4","src_ip":"192.168.1.60","dst_ip":"106.15.100.123","src_port":55333,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Alibaba","proto_id":"91.274","proto_by_ip":"Alibaba","proto_by_ip_id":274,"encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"beacon-api.aliyuncs.com","tls": {"version":"TLSv1.2","server_names":"*.aliyun.com,manager.channel.aliyun.com,*.ace.aliyun.com,*.acs-internal.aliyuncs.com,*.acs.aliyun.com,*.aicrowd.aliyun.com,*.alibabacloud.co.in,*.alibabacloud.com,*.alibabacloud.com.au,*.alibabacloud.com.hk,*.alibabacloud.com.my,*.alibabacloud.com.sg,*.alibabacloud.com.tw,*.alicdn.com,*.alicloud.com,*.aligroup.aliyun.com,*.alimei.com,*.alink.aliyun.com,*.alios.aliyuncs.com,*.aliplus.com,*.alitranx.aliyun.com,*.aliyun-iot-share.com,*.aliyuncs.com,*.alyms.cn,*.ap-northeast-1.aliyuncs.com,*.ap-south-1.aliyuncs.com,*.ap-southeast-1.aliyuncs.com,*.ap-southeast-2.aliyuncs.com,*.ap-southeast-3.aliyuncs.com,*.ap-southeast-5.aliyuncs.com,*.api.aliyun.com,*.apm.aliyun.com,*.app.aliyun.com,*.asmlink.cn,*.banma.aliyuncs.com,*.base.shuju.aliyun.com,*.bi.aliyun.com,*.biz.aliyun.com,*.bridge.aliyun.com,*.ccc.aliyuncs.com,*.center.aliyun.com,*.citybrain.aliyun.com,*.cloudapp.aliyun.com,*.cloudeagle.cn,*.cloudgame.aliyun.com,*.cn-beijing.aliyuncs.com,*.cn-chengdu.aliyuncs.com,*.cn-guizhou.aliyuncs.com,*.cn-haidian.aliyuncs.com,*.cn-hangzhou-finance.aliyuncs.com,*.cn-hangzhou.aliyuncs.com,*.cn-hongkong.aliyuncs.com,*.cn-huhehaote.aliyuncs.com,*.cn-ningxia.aliyuncs.com,*.cn-north-2-gov-1.aliyuncs.com,*.cn-qingdao-nebula.aliyuncs.com,*.cn-qingdao.aliyuncs.com,*.cn-shanghai-finance-1.aliyuncs.com,*.cn-shanghai.aliyun.com,*.cn-shanghai.aliyuncs.com,*.cn-shenzhen-cloudstone.aliyuncs.com,*.cn-shenzhen-finance-1.aliyuncs.com,*.cn-shenzhen.aliyuncs.com,*.cn-sichuan.aliyuncs.com,*.cn-zhangjiakou.aliyuncs.com,*.connect.aliyun.com,*.console.alibabacloud.com,*.console.alicloud.com,*.console.aliyun.com,*.cs.aliyun.com,*.cschat-ccs.aliyun.com,*.data.aliyun.com,*.dataapi.aliyun.com,*.dataq.aliyuncs.com,*.datav.aliyun.com,*.datav.aliyuncs.com,*.devlops.aliyun.com,*.devops.aliyun.com,*.ditu.aliyun.com,*.domain.aliyun.com,*.dyiot.aliyun.com,*.ebs.aliyun.com,*.emas.aliyun.com,*.emr.aliyun.com,*.enterprise.aliyun.com,*.env.aliyun.com,*.et-industry.aliyun.com,*.eu-central-1.aliyuncs.com,*.eu-west-1.aliyuncs.com,*.fc.aliyun.com,*.feedback.console.aliyun.com,*.gts-x.aliyun.com,*.gts.aliyun.com,*.help-ccs.aliyun.com,*.ialicdn.com,*.in-mumbai.aliyuncs.com,*.iot.aliyun.com,*.jp-fudao.aliyuncs.com,*.linkedmall.aliyun.com,*.linkwan.aliyun.com,*.living.aliyun.com,*.luban.aliyun.com,*.m.aliyun.com,*.market.aliyun.com,*.maxcompute.aliyun.com,*.me-east-1.aliyuncs.com,*.media.aliyun.com,*.microdingtalk.aliyun.com,*.mit.aliyun.com,*.mobile.aliyun.com,*.msea.aliyun.com,*.mts.aliyun.com,*.mvp.aliyun.com,*.nebula.aliyun.com,*.nls.aliyuncs.com,*.odps.aliyun.com,*.ons.aliyun.com,*.ose.aliyun.com,*.pai.data.aliyun.com,*.pcs-gw-cn-beijing.aliyun.com,*.pcs-gw-cn-shanghai.aliyun.com,*.phpwind.com,*.phpwind.net,*.pre-sg-purchase.aliyun.com,*.prepub.aliyun.com,*.product.center.aliyun.com,*.pts.aliyun.com,*.r-app-cn-beijing-data.aliyun.com,*.r-app-cn-hangzhou-data.aliyun.com,*.r-app-cn-shenzhen-data.aliyun.com,*.r-app-data.aliyun.com,*.rdc.aliyun.com,*.rds.aliyun.com,*.reid.aliyun.com,*.sc-cmdb.aliyuncs.com,*.scsp.aliyun.com,*.sg.aliyuncs.com,*.shuju.aliyun.com,*.smart.aliyun.com,*.soc.aliyun.com,*.soc.aliyuncs.com,*.sparenode.com,*.supet.com,*.tburl.in,*.teambition.com,*.teambition.net,*.teambitionapis.com,*.tianchi.aliyun.com,*.toolkit.aliyun.com,*.tv.aliyun.com,*.tw-gaoxiong.aliyuncs.com,*.us-east-1.aliyuncs.com,*.us-west-1.aliyuncs.com,*.webide.aliyun.com,*.yuntu.aliyun.com,account.www.net.cn,alibabacloud.co.in,alibabacloud.com,alibabacloud.com.au,alibabacloud.com.hk,alibabacloud.com.my,alibabacloud.com.sg,alibabacloud.com.tw,alicdn.com,alicloud.com,alimei.com,aliyun-iot-share.com,aliyuncs.com,dc.www.net.cn,dmp.www.net.cn,dns.www.net.cn,panda.www.net.cn,pandavip.www.net.cn,phpwind.com,phpwind.net,scdnphi6.com,sparenode.com,supet.com,tburl.in,teambition.com,teambition.net,teambitionapis.com,tianchi-global.com,whois.www.net.cn,aliyun.com","ja3":"2a26b1a62e40d25d4de3babc9d532f30","ja3s":"eee3d2bf5f17d17548ac36ba1872951f","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2","subjectDN":"C=CN, ST=ZheJiang, L=HangZhou, O=Alibaba (China) Technology Co., Ltd., CN=*.aliyun.com","advertised_alpns":"h2,http\/1.1","negotiated_alpn":"h2","fingerprint":"2B:C6:82:22:E9:94:09:24:34:E1:5C:F1:24:76:98:75:45:78:53:DA"}}} 00997{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":47,"source":"cfgs\/default\/pcap\/long_tls_certificate.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":24,"flow_dst_packets_processed":23,"flow_first_seen":1609756181300869,"flow_src_last_pkt_time":1609756183156414,"flow_dst_last_pkt_time":1609756183162351,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":1073,"flow_dst_tot_l4_payload_len":11027,"midstream":0,"thread_ts_usec":1609756183162351,"l3_proto":"ip4","src_ip":"192.168.1.60","dst_ip":"106.15.100.123","src_port":55333,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Alibaba","proto_id":"91.274","proto_by_ip":"Alibaba","proto_by_ip_id":274,"encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} -00649{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":47,"source":"cfgs\/default\/pcap\/long_tls_certificate.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":47,"packets-processed":47,"total-skipped-flows":0,"total-l4-payload-len":12100,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":3,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":15,"global_ts_usec":1609756183162351} +00649{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":47,"source":"cfgs\/default\/pcap\/long_tls_certificate.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":47,"packets-processed":47,"total-skipped-flows":0,"total-l4-payload-len":12100,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":2,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":14,"global_ts_usec":1609756183162351} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ ~~ packets captured/processed: 47/47 ~~ skipped flows.............: 0 @@ -26,5 +25,5 @@ ~~ total allocations/frees...: 216867/216867 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json message min len.......: 544 chars -~~ json message max len.......: 5381 chars -~~ json message avg len.......: 2896 chars +~~ json message max len.......: 5379 chars +~~ json message avg len.......: 2830 chars diff --git a/test/results/default/nest_log_sink.pcap.out b/test/results/default/nest_log_sink.pcap.out index 3bff64448..5e7840c50 100644 --- a/test/results/default/nest_log_sink.pcap.out +++ b/test/results/default/nest_log_sink.pcap.out @@ -9,8 +9,7 @@ 00635{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":51,"source":"cfgs\/default\/pcap\/nest_log_sink.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":51,"packets-processed":30,"total-skipped-flows":0,"total-l4-payload-len":0,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":0,"total-detection-updates":0,"total-updates":0,"current-active-flows":1,"total-active-flows":1,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":9,"global_ts_usec":1536713593921755} 02069{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":52,"source":"cfgs\/default\/pcap\/nest_log_sink.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1536712992228658,"flow_src_last_pkt_time":1536713593921755,"flow_dst_last_pkt_time":1536713593982239,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1536713593982239,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63340,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":60807,"avg":38820860.0,"max":60122070,"stddev":28558074.0,"var":815563555209216.0,"ent":4.3,"data": [60807,60066531,60070988,444607,512208,60052382,60122070,60064103,60058548,139368,204086,59876012,59944753,60065849,60071735,305546,379257,59710128,59782330,60066153,60065042,470660,541865,60021230,60097006,60071977,60059874,163527,227320,59833996,59896720]},"pktlen": {"min":40,"avg":43.0,"max":46,"stddev":3.0,"var":9.0,"ent":5.0,"data": [46,40,46,40,40,46,46,40,46,40,40,46,46,40,46,40,40,46,46,40,46,40,40,46,46,40,46,40,40,46,46,40]},"bins": {"c_to_s": [16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,1,0,0,1,0,1,1,0,0,1,0,1,1,0,0,1,0,1,1,0,0,1,0,1,1,0,0,1],"entropies": [4.501398087,4.881687164,4.457920074,4.881687164,4.881687164,4.501398087,4.457919598,4.881687164,4.501398087,4.881687164,4.881687164,4.501398087,4.501398087,4.881687164,4.501398087,4.881687164,4.881687164,4.501398087,4.501398087,4.881687164,4.414441586,4.881687164,4.881687164,4.441509247,4.501398087,4.881687164,4.501398087,4.881687164,4.881687164,4.501398087,4.501398087,4.881687164]}} 00953{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":52,"source":"cfgs\/default\/pcap\/nest_log_sink.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1536712992228658,"flow_src_last_pkt_time":1536713593921755,"flow_dst_last_pkt_time":1536713593982239,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1536713593982239,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63340,"dst_port":11095,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"NestLogSink","proto_id":"43","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} -00954{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":52,"source":"cfgs\/default\/pcap\/nest_log_sink.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1536712992228658,"flow_src_last_pkt_time":1536713593921755,"flow_dst_last_pkt_time":1536713593982239,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1536713593982239,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63340,"dst_port":11095,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"NestLogSink","proto_id":"43","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} -00638{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":101,"source":"cfgs\/default\/pcap\/nest_log_sink.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":101,"packets-processed":60,"total-skipped-flows":0,"total-l4-payload-len":0,"total-not-detected-flows":0,"total-guessed-flows":1,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":1,"total-active-flows":1,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":13,"global_ts_usec":1536714195599741} +00638{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":101,"source":"cfgs\/default\/pcap\/nest_log_sink.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":101,"packets-processed":60,"total-skipped-flows":0,"total-l4-payload-len":0,"total-not-detected-flows":0,"total-guessed-flows":1,"total-detected-flows":0,"total-detection-updates":0,"total-updates":0,"current-active-flows":1,"total-active-flows":1,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":12,"global_ts_usec":1536714195599741} 00784{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":133,"source":"cfgs\/default\/pcap\/nest_log_sink.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1536714602587299,"flow_src_last_pkt_time":1536714602587299,"flow_dst_last_pkt_time":1536714602587299,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":40,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1536714602587299,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"192.168.242.1","src_port":52849,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":5} 00571{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":133,"source":"cfgs\/default\/pcap\/nest_log_sink.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_src_last_pkt_time":1536714602587299,"flow_dst_last_pkt_time":1536714602587299,"flow_idle_time":200000000,"pkt_datalink":1,"pkt_caplen":82,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":82,"pkt_l4_len":48,"thread_ts_usec":1536714602587299,"pkt":"AJD7JidrGLQwJjRACABFAABEL4kAAP8RJr3AqPIPwKjyAc5xADUAMKk+CwgBAAABAAAAAAAADXdlYXZlLWxvZ3NpbmsEbmVzdANjb20AAAEAAQ=="} 01072{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":133,"source":"cfgs\/default\/pcap\/nest_log_sink.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1536714602587299,"flow_src_last_pkt_time":1536714602587299,"flow_dst_last_pkt_time":1536714602587299,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":40,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1536714602587299,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"192.168.242.1","src_port":52849,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"weave-logsink.nest.com","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}} @@ -46,10 +45,10 @@ 00997{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":274,"source":"cfgs\/default\/pcap\/nest_log_sink.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":37,"flow_dst_packets_processed":35,"flow_first_seen":1536714602612148,"flow_src_last_pkt_time":1536714607322501,"flow_dst_last_pkt_time":1536714607319686,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":531,"flow_dst_max_l4_payload_len":679,"flow_src_tot_l4_payload_len":12610,"flow_dst_tot_l4_payload_len":2221,"midstream":0,"thread_ts_usec":1536714735752625,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63342,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","proto_by_ip":"GoogleCloud","proto_by_ip_id":284,"encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00995{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":274,"source":"cfgs\/default\/pcap\/nest_log_sink.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":11,"flow_dst_packets_processed":10,"flow_first_seen":1536714610253460,"flow_src_last_pkt_time":1536714615546363,"flow_dst_last_pkt_time":1536714615544009,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":678,"flow_src_tot_l4_payload_len":1941,"flow_dst_tot_l4_payload_len":845,"midstream":0,"thread_ts_usec":1536714735752625,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63344,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","proto_by_ip":"GoogleCloud","proto_by_ip_id":284,"encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00976{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":274,"source":"cfgs\/default\/pcap\/nest_log_sink.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":2,"flow_first_seen":1536714602587299,"flow_src_last_pkt_time":1536714607328073,"flow_dst_last_pkt_time":1536714607527675,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":59,"flow_dst_max_l4_payload_len":127,"flow_src_tot_l4_payload_len":99,"flow_dst_tot_l4_payload_len":183,"midstream":0,"thread_ts_usec":1536714735752625,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"192.168.242.1","src_port":52849,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} -00643{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":276,"source":"cfgs\/default\/pcap\/nest_log_sink.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":276,"packets-processed":215,"total-skipped-flows":0,"total-l4-payload-len":21968,"total-not-detected-flows":0,"total-guessed-flows":1,"total-detected-flows":5,"total-detection-updates":1,"total-updates":2,"current-active-flows":2,"total-active-flows":5,"total-idle-flows":3,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":49,"global_ts_usec":1536714800447381} +00643{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":276,"source":"cfgs\/default\/pcap\/nest_log_sink.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":276,"packets-processed":215,"total-skipped-flows":0,"total-l4-payload-len":21968,"total-not-detected-flows":0,"total-guessed-flows":1,"total-detected-flows":4,"total-detection-updates":1,"total-updates":2,"current-active-flows":2,"total-active-flows":5,"total-idle-flows":3,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":48,"global_ts_usec":1536714800447381} 00974{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":278,"source":"cfgs\/default\/pcap\/nest_log_sink.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":2,"flow_first_seen":1536714602587299,"flow_src_last_pkt_time":1536714607328073,"flow_dst_last_pkt_time":1536714607527675,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":59,"flow_dst_max_l4_payload_len":127,"flow_src_tot_l4_payload_len":99,"flow_dst_tot_l4_payload_len":183,"midstream":0,"thread_ts_usec":1536714795433354,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"192.168.242.1","src_port":52849,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} -00643{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":326,"source":"cfgs\/default\/pcap\/nest_log_sink.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":326,"packets-processed":245,"total-skipped-flows":0,"total-l4-payload-len":21968,"total-not-detected-flows":0,"total-guessed-flows":1,"total-detected-flows":5,"total-detection-updates":1,"total-updates":2,"current-active-flows":1,"total-active-flows":5,"total-idle-flows":4,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":51,"global_ts_usec":1536715402175361} -00643{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":376,"source":"cfgs\/default\/pcap\/nest_log_sink.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":376,"packets-processed":275,"total-skipped-flows":0,"total-l4-payload-len":21968,"total-not-detected-flows":0,"total-guessed-flows":1,"total-detected-flows":5,"total-detection-updates":1,"total-updates":2,"current-active-flows":1,"total-active-flows":5,"total-idle-flows":4,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":52,"global_ts_usec":1536716003807368} +00643{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":326,"source":"cfgs\/default\/pcap\/nest_log_sink.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":326,"packets-processed":245,"total-skipped-flows":0,"total-l4-payload-len":21968,"total-not-detected-flows":0,"total-guessed-flows":1,"total-detected-flows":4,"total-detection-updates":1,"total-updates":2,"current-active-flows":1,"total-active-flows":5,"total-idle-flows":4,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":50,"global_ts_usec":1536715402175361} +00643{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":376,"source":"cfgs\/default\/pcap\/nest_log_sink.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":376,"packets-processed":275,"total-skipped-flows":0,"total-l4-payload-len":21968,"total-not-detected-flows":0,"total-guessed-flows":1,"total-detected-flows":4,"total-detection-updates":1,"total-updates":2,"current-active-flows":1,"total-active-flows":5,"total-idle-flows":4,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":51,"global_ts_usec":1536716003807368} 00784{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":406,"source":"cfgs\/default\/pcap\/nest_log_sink.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1536716402804764,"flow_src_last_pkt_time":1536716402804764,"flow_dst_last_pkt_time":1536716402804764,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":40,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1536716402804764,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"192.168.242.1","src_port":52849,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":5} 00573{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":406,"source":"cfgs\/default\/pcap\/nest_log_sink.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":1,"flow_src_last_pkt_time":1536716402804764,"flow_dst_last_pkt_time":1536716402804764,"flow_idle_time":200000000,"pkt_datalink":1,"pkt_caplen":82,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":82,"pkt_l4_len":48,"thread_ts_usec":1536716402804764,"pkt":"AJD7JidrGLQwJjRACABFAABEL\/cAAP8RJk\/AqPIPwKjyAc5xADUAMDxpd90BAAABAAAAAAAADXdlYXZlLWxvZ3NpbmsEbmVzdANjb20AAAEAAQ=="} 01072{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":406,"source":"cfgs\/default\/pcap\/nest_log_sink.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1536716402804764,"flow_src_last_pkt_time":1536716402804764,"flow_dst_last_pkt_time":1536716402804764,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":40,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1536716402804764,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"192.168.242.1","src_port":52849,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"weave-logsink.nest.com","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}} @@ -86,8 +85,8 @@ 00976{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":543,"source":"cfgs\/default\/pcap\/nest_log_sink.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":2,"flow_first_seen":1536716402804764,"flow_src_last_pkt_time":1536716407003782,"flow_dst_last_pkt_time":1536716407116756,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":59,"flow_dst_max_l4_payload_len":127,"flow_src_tot_l4_payload_len":99,"flow_dst_tot_l4_payload_len":183,"midstream":0,"thread_ts_usec":1536716532891336,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"192.168.242.1","src_port":52849,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 02255{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":543,"source":"cfgs\/default\/pcap\/nest_log_sink.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1536716407119984,"flow_src_last_pkt_time":1536716592513963,"flow_dst_last_pkt_time":1536716532889304,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":531,"flow_dst_max_l4_payload_len":677,"flow_src_tot_l4_payload_len":1941,"flow_dst_tot_l4_payload_len":1905,"midstream":0,"thread_ts_usec":1536716592513963,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63346,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":6654,"avg":10037526.0,"max":60065954,"stddev":21842106.0,"var":477077551710208.0,"ent":2.6,"data": [66203,68921,634989,702416,15391,245970,1210603,1481601,108755,76207,16822,97423,70982,72827,6654,85865,79238,75829,75050,77170,97357,2619475,2881135,371772,59569035,59778516,60065954,60063694,377489,447329,59622627]},"pktlen": {"min":40,"avg":162.2,"max":717,"stddev":185.8,"var":34538.8,"ent":4.3,"data": [46,44,46,571,40,717,46,92,40,444,40,100,162,669,46,220,206,220,190,220,201,46,332,102,46,46,40,46,40,40,46,46]},"bins": {"c_to_s": [10,1,0,1,0,3,0,0,0,1,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,2,0,0,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,0,1,0,1,0,1,0,0,1,0,0,1,0,1,1,0,0],"entropies": [4.390829086,5.012806416,4.434307098,6.960905552,4.931687355,7.109922409,4.501398087,5.422218800,4.931687355,7.525271416,4.762814999,5.747631550,6.463061810,7.686710835,4.434307098,6.746978760,6.772123814,6.796743393,6.668047905,6.846702099,6.720046520,4.457919121,7.263835907,5.855727196,4.441509247,4.501398087,4.981687546,4.501398087,4.981687546,4.981687546,4.501398087,4.501398087]},"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00974{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":547,"source":"cfgs\/default\/pcap\/nest_log_sink.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":2,"flow_first_seen":1536716402804764,"flow_src_last_pkt_time":1536716407003782,"flow_dst_last_pkt_time":1536716407116756,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":59,"flow_dst_max_l4_payload_len":127,"flow_src_tot_l4_payload_len":99,"flow_dst_tot_l4_payload_len":183,"midstream":0,"thread_ts_usec":1536716592575967,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"192.168.242.1","src_port":52849,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} -00643{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":547,"source":"cfgs\/default\/pcap\/nest_log_sink.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":547,"packets-processed":424,"total-skipped-flows":0,"total-l4-payload-len":43270,"total-not-detected-flows":0,"total-guessed-flows":1,"total-detected-flows":9,"total-detection-updates":2,"total-updates":4,"current-active-flows":1,"total-active-flows":9,"total-idle-flows":8,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":89,"global_ts_usec":1536716652586979} -00643{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":595,"source":"cfgs\/default\/pcap\/nest_log_sink.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":595,"packets-processed":452,"total-skipped-flows":0,"total-l4-payload-len":43270,"total-not-detected-flows":0,"total-guessed-flows":1,"total-detected-flows":9,"total-detection-updates":2,"total-updates":4,"current-active-flows":1,"total-active-flows":9,"total-idle-flows":8,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":90,"global_ts_usec":1536717254253428} +00643{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":547,"source":"cfgs\/default\/pcap\/nest_log_sink.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":547,"packets-processed":424,"total-skipped-flows":0,"total-l4-payload-len":43270,"total-not-detected-flows":0,"total-guessed-flows":1,"total-detected-flows":8,"total-detection-updates":2,"total-updates":4,"current-active-flows":1,"total-active-flows":9,"total-idle-flows":8,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":88,"global_ts_usec":1536716652586979} +00643{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":595,"source":"cfgs\/default\/pcap\/nest_log_sink.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":595,"packets-processed":452,"total-skipped-flows":0,"total-l4-payload-len":43270,"total-not-detected-flows":0,"total-guessed-flows":1,"total-detected-flows":8,"total-detection-updates":2,"total-updates":4,"current-active-flows":1,"total-active-flows":9,"total-idle-flows":8,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":89,"global_ts_usec":1536717254253428} 00785{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":611,"source":"cfgs\/default\/pcap\/nest_log_sink.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1536717427961883,"flow_src_last_pkt_time":1536717427961883,"flow_dst_last_pkt_time":1536717427961883,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":40,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1536717427961883,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"192.168.242.1","src_port":52849,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":5} 00572{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":611,"source":"cfgs\/default\/pcap\/nest_log_sink.pcap","alias":"nDPId-test","flow_id":10,"flow_packet_id":1,"flow_src_last_pkt_time":1536717427961883,"flow_dst_last_pkt_time":1536717427961883,"flow_idle_time":200000000,"pkt_datalink":1,"pkt_caplen":82,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":82,"pkt_l4_len":48,"thread_ts_usec":1536717427961883,"pkt":"AJD7JidrGLQwJjRACABFAABEME8AAP8RJffAqPIPwKjyAc5xADUAMGWoTp4BAAABAAAAAAAADXdlYXZlLWxvZ3NpbmsEbmVzdANjb20AAAEAAQ=="} 01073{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":611,"source":"cfgs\/default\/pcap\/nest_log_sink.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1536717427961883,"flow_src_last_pkt_time":1536717427961883,"flow_dst_last_pkt_time":1536717427961883,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":40,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1536717427961883,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"192.168.242.1","src_port":52849,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"weave-logsink.nest.com","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}} @@ -118,7 +117,7 @@ 00978{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":707,"source":"cfgs\/default\/pcap\/nest_log_sink.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"finished","flow_src_packets_processed":3,"flow_dst_packets_processed":2,"flow_first_seen":1536717427961883,"flow_src_last_pkt_time":1536717449934587,"flow_dst_last_pkt_time":1536717450088270,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":59,"flow_dst_max_l4_payload_len":127,"flow_src_tot_l4_payload_len":139,"flow_dst_tot_l4_payload_len":183,"midstream":0,"thread_ts_usec":1536717572672015,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"192.168.242.1","src_port":52849,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00976{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":711,"source":"cfgs\/default\/pcap\/nest_log_sink.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"finished","flow_src_packets_processed":3,"flow_dst_packets_processed":2,"flow_first_seen":1536717427961883,"flow_src_last_pkt_time":1536717449934587,"flow_dst_last_pkt_time":1536717450088270,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":59,"flow_dst_max_l4_payload_len":127,"flow_src_tot_l4_payload_len":139,"flow_dst_tot_l4_payload_len":183,"midstream":0,"thread_ts_usec":1536717632764427,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"192.168.242.1","src_port":52849,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 02258{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":713,"source":"cfgs\/default\/pcap\/nest_log_sink.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1536717450091191,"flow_src_last_pkt_time":1536717692809761,"flow_dst_last_pkt_time":1536717693064770,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":678,"flow_src_tot_l4_payload_len":1560,"flow_dst_tot_l4_payload_len":1740,"midstream":0,"thread_ts_usec":1536717693064770,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63349,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":4297,"avg":15667489.0,"max":60116188,"stddev":26141992.0,"var":683403720523776.0,"ent":3.1,"data": [65118,68086,678411,747347,17507,94704,1396423,1507704,104371,70568,14503,87690,68949,72988,7038,83601,72569,4297,74338,110547,112155,137112,59606094,59757940,60076789,60061094,60093385,60092412,60108066,60116188,184155]},"pktlen": {"min":40,"avg":145.1,"max":718,"stddev":181.0,"var":32752.9,"ent":4.2,"data": [46,44,46,570,40,718,46,92,40,244,40,100,162,669,46,220,190,46,220,201,332,102,46,46,40,46,40,46,40,46,40,40]},"bins": {"c_to_s": [10,1,0,1,0,2,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,2,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,0,1,0,0,1,0,1,0,0,1,0,1,0,1,0,1,1],"entropies": [4.303872585,4.967351913,4.390829086,7.000074863,4.931686878,7.083823204,4.501398087,5.370536327,4.981687069,6.850469589,4.881687164,5.621728897,6.422999859,7.639559269,4.347350597,6.781757832,6.666656017,4.544876099,6.837507248,6.783583164,7.269664764,5.833524227,4.501398087,4.390829086,4.931686878,4.457919598,4.931686878,4.501398087,4.931686878,4.501398087,4.931686878,4.981687069]},"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} -00647{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":727,"source":"cfgs\/default\/pcap\/nest_log_sink.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":727,"packets-processed":562,"total-skipped-flows":0,"total-l4-payload-len":56297,"total-not-detected-flows":0,"total-guessed-flows":1,"total-detected-flows":12,"total-detection-updates":4,"total-updates":6,"current-active-flows":1,"total-active-flows":12,"total-idle-flows":11,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":121,"global_ts_usec":1536717873194026} +00647{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":727,"source":"cfgs\/default\/pcap\/nest_log_sink.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":727,"packets-processed":562,"total-skipped-flows":0,"total-l4-payload-len":56297,"total-not-detected-flows":0,"total-guessed-flows":1,"total-detected-flows":11,"total-detection-updates":4,"total-updates":6,"current-active-flows":1,"total-active-flows":12,"total-idle-flows":11,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":120,"global_ts_usec":1536717873194026} 00786{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":745,"source":"cfgs\/default\/pcap\/nest_log_sink.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1536718052990525,"flow_src_last_pkt_time":1536718052990525,"flow_dst_last_pkt_time":1536718052990525,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1536718052990525,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63350,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} 00541{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":745,"source":"cfgs\/default\/pcap\/nest_log_sink.pcap","alias":"nDPId-test","flow_id":13,"flow_packet_id":1,"flow_src_last_pkt_time":1536718052990525,"flow_dst_last_pkt_time":1536718052990525,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":24,"thread_ts_usec":1536718052990525,"pkt":"AJD7JidrGLQwJjRACABFAAAsMIsAAP8GYe3AqPIPI65S7fd2K1cJGivXAAAAAGACEgAGSAAAAgQEgAAA"} 00541{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":747,"source":"cfgs\/default\/pcap\/nest_log_sink.pcap","alias":"nDPId-test","flow_id":13,"flow_packet_id":2,"flow_src_last_pkt_time":1536718052990525,"flow_dst_last_pkt_time":1536718053059160,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":58,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":58,"pkt_l4_len":24,"thread_ts_usec":1536718053059160,"pkt":"GLQwJjRAAJD7JidrCABFAAAsAABAAC0GJHkjrlLtwKjyDytX93aQyd5SCRor2GASaQM+4wAAAgQFtA=="} @@ -162,16 +161,16 @@ 00975{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":892,"source":"cfgs\/default\/pcap\/nest_log_sink.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1536718202959606,"flow_src_last_pkt_time":1536718202959606,"flow_dst_last_pkt_time":1536718202959785,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":56,"flow_src_tot_l4_payload_len":40,"flow_dst_tot_l4_payload_len":56,"midstream":0,"thread_ts_usec":1536718332214337,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"192.168.242.1","src_port":52849,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 02254{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":892,"source":"cfgs\/default\/pcap\/nest_log_sink.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1536718206572751,"flow_src_last_pkt_time":1536718392321066,"flow_dst_last_pkt_time":1536718332214337,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":532,"flow_dst_max_l4_payload_len":676,"flow_src_tot_l4_payload_len":1942,"flow_dst_tot_l4_payload_len":1904,"midstream":0,"thread_ts_usec":1536718392321066,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63352,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":4658,"avg":10044835.0,"max":60173109,"stddev":21953530.0,"var":481957439864832.0,"ent":2.6,"data": [65322,67761,637540,709814,18708,293379,1174542,1481999,109107,72201,17976,90820,70287,73214,8669,96471,87696,75885,78977,77415,126677,2595650,2731016,150399,59910787,60056830,60173109,60107028,4658,60634,60165330]},"pktlen": {"min":40,"avg":162.2,"max":716,"stddev":185.8,"var":34529.8,"ent":4.3,"data": [46,44,46,572,40,716,46,92,40,444,40,100,162,669,46,220,206,220,190,220,201,46,332,102,46,46,40,46,40,46,40,46]},"bins": {"c_to_s": [10,1,0,1,0,3,0,0,0,1,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,2,0,0,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,0,1,0,1,0,1,0,0,1,0,0,1,0,1,0,1,0],"entropies": [4.347350597,4.967352390,4.434307098,6.920494080,4.981687546,7.105970383,4.544876099,5.378740311,4.881687164,7.440455914,4.812814713,5.615177631,6.437895298,7.618911266,4.434307098,6.860777378,6.737969398,6.892507076,6.603207111,6.959574699,6.884947777,4.457919598,7.273610592,5.848325729,4.414441586,4.501398087,4.831686974,4.544876099,4.881687164,4.501398087,4.881687164,4.544876099]},"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00973{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":896,"source":"cfgs\/default\/pcap\/nest_log_sink.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1536718202959606,"flow_src_last_pkt_time":1536718202959606,"flow_dst_last_pkt_time":1536718202959785,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":56,"flow_src_tot_l4_payload_len":40,"flow_dst_tot_l4_payload_len":56,"midstream":0,"thread_ts_usec":1536718392405835,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"192.168.242.1","src_port":52849,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} -00647{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":900,"source":"cfgs\/default\/pcap\/nest_log_sink.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":900,"packets-processed":713,"total-skipped-flows":0,"total-l4-payload-len":75380,"total-not-detected-flows":0,"total-guessed-flows":1,"total-detected-flows":17,"total-detection-updates":5,"total-updates":8,"current-active-flows":1,"total-active-flows":17,"total-idle-flows":16,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":165,"global_ts_usec":1536718512170528} -00647{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":950,"source":"cfgs\/default\/pcap\/nest_log_sink.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":950,"packets-processed":743,"total-skipped-flows":0,"total-l4-payload-len":75380,"total-not-detected-flows":0,"total-guessed-flows":1,"total-detected-flows":17,"total-detection-updates":5,"total-updates":8,"current-active-flows":1,"total-active-flows":17,"total-idle-flows":16,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":166,"global_ts_usec":1536719113902134} -00649{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":1000,"source":"cfgs\/default\/pcap\/nest_log_sink.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":1000,"packets-processed":773,"total-skipped-flows":0,"total-l4-payload-len":75380,"total-not-detected-flows":0,"total-guessed-flows":1,"total-detected-flows":17,"total-detection-updates":5,"total-updates":8,"current-active-flows":1,"total-active-flows":17,"total-idle-flows":16,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":167,"global_ts_usec":1536719715232392} +00647{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":900,"source":"cfgs\/default\/pcap\/nest_log_sink.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":900,"packets-processed":713,"total-skipped-flows":0,"total-l4-payload-len":75380,"total-not-detected-flows":0,"total-guessed-flows":1,"total-detected-flows":16,"total-detection-updates":5,"total-updates":8,"current-active-flows":1,"total-active-flows":17,"total-idle-flows":16,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":164,"global_ts_usec":1536718512170528} +00647{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":950,"source":"cfgs\/default\/pcap\/nest_log_sink.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":950,"packets-processed":743,"total-skipped-flows":0,"total-l4-payload-len":75380,"total-not-detected-flows":0,"total-guessed-flows":1,"total-detected-flows":16,"total-detection-updates":5,"total-updates":8,"current-active-flows":1,"total-active-flows":17,"total-idle-flows":16,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":165,"global_ts_usec":1536719113902134} +00649{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":1000,"source":"cfgs\/default\/pcap\/nest_log_sink.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":1000,"packets-processed":773,"total-skipped-flows":0,"total-l4-payload-len":75380,"total-not-detected-flows":0,"total-guessed-flows":1,"total-detected-flows":16,"total-detection-updates":5,"total-updates":8,"current-active-flows":1,"total-active-flows":17,"total-idle-flows":16,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":166,"global_ts_usec":1536719715232392} 00996{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1000,"source":"cfgs\/default\/pcap\/nest_log_sink.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"finished","flow_src_packets_processed":50,"flow_dst_packets_processed":46,"flow_first_seen":1536718206572751,"flow_src_last_pkt_time":1536719715232392,"flow_dst_last_pkt_time":1536719655557559,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":532,"flow_dst_max_l4_payload_len":676,"flow_src_tot_l4_payload_len":1942,"flow_dst_tot_l4_payload_len":1904,"midstream":0,"thread_ts_usec":1536719715232392,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63352,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} -00651{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":1000,"source":"cfgs\/default\/pcap\/nest_log_sink.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":1000,"packets-processed":774,"total-skipped-flows":0,"total-l4-payload-len":75380,"total-not-detected-flows":0,"total-guessed-flows":1,"total-detected-flows":17,"total-detection-updates":5,"total-updates":8,"current-active-flows":0,"total-active-flows":17,"total-idle-flows":17,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":169,"global_ts_usec":1536719715232392} +00651{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":1000,"source":"cfgs\/default\/pcap\/nest_log_sink.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":1000,"packets-processed":774,"total-skipped-flows":0,"total-l4-payload-len":75380,"total-not-detected-flows":0,"total-guessed-flows":1,"total-detected-flows":16,"total-detection-updates":5,"total-updates":8,"current-active-flows":0,"total-active-flows":17,"total-idle-flows":17,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":168,"global_ts_usec":1536719715232392} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ ~~ packets captured/processed: 1000/774 ~~ skipped flows.............: 0 ~~ total layer4 data length..: 75380 bytes -~~ total detected protocols..: 17 +~~ total detected protocols..: 16 ~~ total active/idle flows...: 17/17 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/test/results/default/netflix.pcap.out b/test/results/default/netflix.pcap.out index 82893cc2f..bb63de849 100644 --- a/test/results/default/netflix.pcap.out +++ b/test/results/default/netflix.pcap.out @@ -117,7 +117,6 @@ 00543{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":239,"source":"cfgs\/default\/pcap\/netflix.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":5,"flow_src_last_pkt_time":1484319035401110,"flow_dst_last_pkt_time":1484319035449002,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1484319035449002,"pkt":"5JjWH70UgCqoTGHMCABFIAA07K5AACoGRmI0WSeLwKgBBwG7z47YAyXk0X+VToAQAEvLBgAAAQEICq2IyUwfZMGe"} 01296{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":240,"source":"cfgs\/default\/pcap\/netflix.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1484319035342783,"flow_src_last_pkt_time":1484319035401110,"flow_dst_last_pkt_time":1484319035449894,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":208,"flow_dst_max_l4_payload_len":145,"flow_src_tot_l4_payload_len":208,"flow_dst_tot_l4_payload_len":145,"midstream":0,"thread_ts_usec":1484319035449894,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.89.39.139","src_port":53134,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}}},"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"api-global.netflix.com","tls": {"version":"TLSv1.2","ja3":"7e72698146290dd68239f788a452e7d8","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}} 02334{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":267,"source":"cfgs\/default\/pcap\/netflix.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1484319035080111,"flow_src_last_pkt_time":1484319035720714,"flow_dst_last_pkt_time":1484319035719060,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":2402,"flow_dst_tot_l4_payload_len":12882,"midstream":0,"thread_ts_usec":1484319035720714,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.89.39.139","src_port":53133,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":143,"avg":41275.9,"max":350146,"stddev":77246.2,"var":5966969856.0,"ent":3.5,"data": [50833,52103,3892,68860,549,14675,80527,16948,16635,16128,355,222,66675,773,50716,3176,284,61420,291182,143,350146,11846,12750,24110,12460,12309,13854,13662,2679,13302,16338]},"pktlen": {"min":52,"avg":530.2,"max":1500,"stddev":630.5,"var":397553.6,"ent":4.0,"data": [64,60,52,260,52,1500,1500,52,245,52,127,58,97,52,103,52,1500,672,52,1500,1500,52,1500,1402,52,1500,52,237,52,1500,1019,52]},"bins": {"c_to_s": [11,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0],"s_to_c": [4,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,7,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,1,1,1,0,1,1,0,1,0,1,0,1,1,0],"entropies": [4.598081589,5.235815525,5.131024837,6.023412704,5.154969215,7.255973339,7.303249359,5.092563152,7.001137733,5.056022167,6.255658627,5.007929802,6.001976490,5.169486523,5.942530632,5.054101467,7.891292572,7.683557510,5.169486523,7.859122753,7.883965492,5.131024837,7.876591682,7.866814137,5.092563152,7.900776386,4.979098797,7.052536488,5.054101467,7.870380402,7.793371201,5.131024361]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}}},"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Fun","category_id":26,"category":"Video"}} -01760{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":267,"source":"cfgs\/default\/pcap\/netflix.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1484319035080111,"flow_src_last_pkt_time":1484319035720714,"flow_dst_last_pkt_time":1484319035719060,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":2402,"flow_dst_tot_l4_payload_len":12882,"midstream":0,"thread_ts_usec":1484319035720714,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.89.39.139","src_port":53133,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}}},"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"api-global.netflix.com","tls": {"version":"TLSv1.2","server_names":"api-latam.netflix.com,htmltvui.netflix.com,api-eu.netflix.com,uiboot.netflix.com,api-global.netflix.com,api-user.netflix.com,api-us.netflix.com,api.netflix.com","ja3":"7e72698146290dd68239f788a452e7d8","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=California, L=los gatos, O=Netflix, Inc., OU=Ops, CN=api.netflix.com","fingerprint":"FC:5B:F6:86:AE:E5:22:0D:60:0C:C3:DF:8F:02:80:3F:A3:60:0E:3C"}}} 00682{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":282,"source":"cfgs\/default\/pcap\/netflix.pcap","alias":"nDPId-test","flow_id":10,"flow_packet_id":3,"flow_src_last_pkt_time":1484319035889509,"flow_dst_last_pkt_time":1484319033886061,"flow_idle_time":200000000,"pkt_datalink":1,"pkt_caplen":164,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":164,"pkt_l4_len":130,"thread_ts_usec":1484319035889509,"pkt":"AQBef\/\/65JjWH70UCABFAACW0KMAAAERNwrAqAEH7\/\/\/+tIQB2wAggqVTS1TRUFSQ0ggKiBIVFRQLzEuMQ0KSE9TVDogMjM5LjI1NS4yNTUuMjUwOjE5MDANCk1BTjogInNzZHA6ZGlzY292ZXIiDQpNWDogMg0KU1Q6IHVybjptZHgtbmV0ZmxpeC1jb206c2VydmljZTp0YXJnZXQ6MA0KDQo="} 00686{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":283,"source":"cfgs\/default\/pcap\/netflix.pcap","alias":"nDPId-test","flow_id":10,"flow_packet_id":4,"flow_src_last_pkt_time":1484319035997063,"flow_dst_last_pkt_time":1484319033886061,"flow_idle_time":200000000,"pkt_datalink":1,"pkt_caplen":167,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":167,"pkt_l4_len":133,"thread_ts_usec":1484319035997063,"pkt":"AQBef\/\/65JjWH70UCABFAACZwp8AAAERRQvAqAEH7\/\/\/+tIQB2wAhUYzTS1TRUFSQ0ggKiBIVFRQLzEuMQ0KSE9TVDogMjM5LjI1NS4yNTUuMjUwOjE5MDANCk1BTjogInNzZHA6ZGlzY292ZXIiDQpNWDogMg0KU1Q6IHVybjpkaWFsLW11bHRpc2NyZWVuLW9yZzpzZXJ2aWNlOmRpYWw6MQ0KDQo="} 00774{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":284,"source":"cfgs\/default\/pcap\/netflix.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1484319036827113,"flow_src_last_pkt_time":1484319036827113,"flow_dst_last_pkt_time":1484319036827113,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":43,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":43,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":43,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319036827113,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"192.168.1.1","src_port":57719,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":5} @@ -136,7 +135,6 @@ 01677{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":294,"source":"cfgs\/default\/pcap\/netflix.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":5,"flow_first_seen":1484319036854344,"flow_src_last_pkt_time":1484319036894463,"flow_dst_last_pkt_time":1484319036900382,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":227,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":227,"flow_dst_tot_l4_payload_len":3414,"midstream":0,"thread_ts_usec":1484319036900382,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"104.86.97.179","src_port":53141,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"art-s.nflximg.net","tls": {"version":"TLSv1.2","server_names":"secure.cdn.nflximg.net,*.nflxext.com,*.nflxvideo.net,*.nflxsearch.net,*.nrd.nflximg.net,*.nflximg.net","ja3":"c07cb55f88702033a8f52c046d23e0b2","ja3s":"ef6b224ce027c8e21e5a25d8a58255a3","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=California, L=Los Gatos, O=Netflix, Inc., OU=Content Delivery Operations, CN=secure.cdn.nflximg.net","advertised_alpns":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","negotiated_alpn":"h2","fingerprint":"0D:EF:D1:E6:29:11:1A:A5:88:B3:2F:04:65:D6:D7:AD:84:A2:52:26"}}} 00682{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":313,"source":"cfgs\/default\/pcap\/netflix.pcap","alias":"nDPId-test","flow_id":10,"flow_packet_id":5,"flow_src_last_pkt_time":1484319037897807,"flow_dst_last_pkt_time":1484319033886061,"flow_idle_time":200000000,"pkt_datalink":1,"pkt_caplen":164,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":164,"pkt_l4_len":130,"thread_ts_usec":1484319037897807,"pkt":"AQBef\/\/65JjWH70UCABFAACWcF0AAAERl1DAqAEH7\/\/\/+tIQB2wAggqVTS1TRUFSQ0ggKiBIVFRQLzEuMQ0KSE9TVDogMjM5LjI1NS4yNTUuMjUwOjE5MDANCk1BTjogInNzZHA6ZGlzY292ZXIiDQpNWDogMg0KU1Q6IHVybjptZHgtbmV0ZmxpeC1jb206c2VydmljZTp0YXJnZXQ6MA0KDQo="} 02324{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":324,"source":"cfgs\/default\/pcap\/netflix.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1484319035079531,"flow_src_last_pkt_time":1484319042786338,"flow_dst_last_pkt_time":1484319042922798,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":4576,"flow_dst_tot_l4_payload_len":5220,"midstream":0,"thread_ts_usec":1484319042922798,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.89.39.139","src_port":53132,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":147,"avg":501615.3,"max":7507819,"stddev":1826252.6,"var":3335198867456.0,"ent":1.4,"data": [49499,50871,4368,54319,2439,996,53513,42973,42827,12725,273,205,57417,5098,49336,4198,388,49955,75766,32147,2030,911,5107,4712,147,7402221,150,7507819,929,35745,990]},"pktlen": {"min":52,"avg":358.8,"max":1500,"stddev":520.7,"var":271128.8,"ent":3.8,"data": [64,60,52,260,52,1500,1500,52,245,52,127,58,97,52,103,52,1500,661,52,52,184,96,86,52,52,52,1500,789,52,52,1500,474]},"bins": {"c_to_s": [10,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0],"s_to_c": [6,3,0,0,1,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,1,0,1,1,1,0,0,0,0,0,1,1,1,1],"entropies": [4.566831589,5.335815907,5.094483852,6.025682926,5.169486523,7.256491661,7.325493813,5.092563152,7.129077435,5.092563152,6.393805504,5.100806713,6.014647961,5.169486523,5.965332508,5.169486523,7.872792244,7.651345730,5.207947731,5.207948208,6.796521664,6.094137192,5.926040173,5.169486523,5.207948208,5.169486046,7.868273258,7.747731686,5.169486046,5.169486523,7.861037254,7.536938190]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}}},"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Fun","category_id":26,"category":"Video"}} -01759{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":324,"source":"cfgs\/default\/pcap\/netflix.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1484319035079531,"flow_src_last_pkt_time":1484319042786338,"flow_dst_last_pkt_time":1484319042922798,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":4576,"flow_dst_tot_l4_payload_len":5220,"midstream":0,"thread_ts_usec":1484319042922798,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.89.39.139","src_port":53132,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}}},"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"api-global.netflix.com","tls": {"version":"TLSv1.2","server_names":"api-latam.netflix.com,htmltvui.netflix.com,api-eu.netflix.com,uiboot.netflix.com,api-global.netflix.com,api-user.netflix.com,api-us.netflix.com,api.netflix.com","ja3":"7e72698146290dd68239f788a452e7d8","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=California, L=los gatos, O=Netflix, Inc., OU=Ops, CN=api.netflix.com","fingerprint":"FC:5B:F6:86:AE:E5:22:0D:60:0C:C3:DF:8F:02:80:3F:A3:60:0E:3C"}}} 00774{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":328,"source":"cfgs\/default\/pcap\/netflix.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1484319042988806,"flow_src_last_pkt_time":1484319042988806,"flow_dst_last_pkt_time":1484319042988806,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":42,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":42,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":42,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319042988806,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"192.168.1.1","src_port":59180,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":5} 00567{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":328,"source":"cfgs\/default\/pcap\/netflix.pcap","alias":"nDPId-test","flow_id":19,"flow_packet_id":1,"flow_src_last_pkt_time":1484319042988806,"flow_dst_last_pkt_time":1484319042988806,"flow_idle_time":200000000,"pkt_datalink":1,"pkt_caplen":84,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":84,"pkt_l4_len":50,"thread_ts_usec":1484319042988806,"pkt":"gCqoTGHM5JjWH70UCABFAABGkh4AAP8Rpi\/AqAEHwKgBAecsADUAMtLh8roBAAABAAAAAAAAB2FydHdvcmsEYWthbQduZmx4aW1nA25ldAAAAQAB"} 01069{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":328,"source":"cfgs\/default\/pcap\/netflix.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1484319042988806,"flow_src_last_pkt_time":1484319042988806,"flow_dst_last_pkt_time":1484319042988806,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":42,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":42,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":42,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319042988806,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"192.168.1.1","src_port":59180,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.NetFlix","proto_id":"5.133","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Fun","category_id":14,"category":"Network","hostname":"artwork.akam.nflximg.net","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}} @@ -338,7 +336,6 @@ 02472{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1131,"source":"cfgs\/default\/pcap\/netflix.pcap","alias":"nDPId-test","flow_id":40,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1484319056234960,"flow_src_last_pkt_time":1484319062638948,"flow_dst_last_pkt_time":1484319062680623,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":358,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":358,"flow_dst_tot_l4_payload_len":14998,"midstream":0,"thread_ts_usec":1484319062680623,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53179,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":72,"avg":414504.9,"max":4457097,"stddev":811357.3,"var":658300731392.0,"ent":3.6,"data": [41445,43452,2932,82082,72,78739,1252127,77707,132171,828,525346,100674,510044,513013,40289,4457097,87034,1392951,522404,574888,39602,91204,57625,58127,138968,449063,380142,69915,139503,473414,516793]},"pktlen": {"min":52,"avg":538.1,"max":1500,"stddev":656.8,"var":431419.8,"ent":3.9,"data": [64,60,52,410,570,1500,52,80,80,72,72,72,72,72,64,64,1500,1500,52,52,1500,1500,52,1500,52,1500,52,1500,1500,52,52,1500]},"bins": {"c_to_s": [19,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,1,1,0,0,1,1,0,1,0,1,0,1,1,0,0,1],"entropies": [4.538909912,5.312702179,5.026988029,6.353898048,5.812767506,4.447575092,5.118428230,5.316649437,5.391650200,5.387441635,5.387441635,5.361050606,5.333272934,5.331886292,5.228374004,5.228374004,4.410194397,4.460495949,5.079966545,5.195351124,4.415517807,4.454523087,5.195351601,4.441005707,5.077241421,4.548726559,5.156889915,4.299219608,4.319707394,5.195351601,5.156889439,4.440834999]},"ndpi": {"flow_risk": {"4": {"risk":"Binary App Transfer","severity":"Severe","risk_score": {"total":150,"client":135,"server":15}},"12": {"risk":"HTTP\/TLS\/QUIC Numeric Hostname\/SNI","severity":"Low","risk_score": {"total":300,"client":270,"server":30}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","proto_by_ip":"NetFlix","proto_by_ip_id":133,"encrypted":0,"breed":"Acceptable","category_id":7,"category":"Download"}} 02467{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1162,"source":"cfgs\/default\/pcap\/netflix.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"finished","flow_src_packets_processed":23,"flow_dst_packets_processed":9,"flow_first_seen":1484319056232857,"flow_src_last_pkt_time":1484319062946776,"flow_dst_last_pkt_time":1484319063015567,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":358,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":358,"flow_dst_tot_l4_payload_len":10653,"midstream":0,"thread_ts_usec":1484319063015567,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53176,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":682,"avg":435375.1,"max":4431980,"stddev":814478.7,"var":663375511552.0,"ent":3.6,"data": [43856,45826,13429,88623,4898,81946,1250769,92472,118428,682,544165,69196,495457,501654,62886,1143862,28583,39116,4431980,82976,87813,169881,586445,795488,292945,509017,501170,1203523,55860,83014,70669]},"pktlen": {"min":52,"avg":404.2,"max":1500,"stddev":589.2,"var":347103.4,"ent":3.7,"data": [64,60,52,410,569,1500,52,80,80,72,72,72,72,72,64,64,64,64,64,1500,52,1500,64,52,1500,64,52,52,1500,1500,52,1500]},"bins": {"c_to_s": [22,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,1,0,0,0,1,1,0,1],"entropies": [4.570159912,5.166786671,4.974009037,6.366189480,5.841994762,4.452114582,5.079966545,5.252857208,5.332214355,5.359663963,5.387441635,5.293623924,5.359663486,5.276330948,5.290874004,5.144205093,5.290874004,5.259624004,5.154078960,4.322241306,5.038779736,4.343337059,5.163660049,5.156889439,4.373079300,5.208919048,5.180834293,5.195351124,4.324346066,4.345085144,5.195351124,4.404635906]},"ndpi": {"flow_risk": {"4": {"risk":"Binary App Transfer","severity":"Severe","risk_score": {"total":150,"client":135,"server":15}},"12": {"risk":"HTTP\/TLS\/QUIC Numeric Hostname\/SNI","severity":"Low","risk_score": {"total":300,"client":270,"server":30}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","proto_by_ip":"NetFlix","proto_by_ip_id":133,"encrypted":0,"breed":"Acceptable","category_id":7,"category":"Download"}} 02193{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1269,"source":"cfgs\/default\/pcap\/netflix.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1484319033631945,"flow_src_last_pkt_time":1484319063959877,"flow_dst_last_pkt_time":1484319064010312,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":6334,"flow_dst_tot_l4_payload_len":4142,"midstream":0,"thread_ts_usec":1484319064010312,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.69.204.241","src_port":53118,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":136,"avg":1958267.8,"max":30086001,"stddev":7379834.5,"var":54461959503872.0,"ent":1.1,"data": [47011,48359,1676,53080,2562,989,62283,11050,5991,10798,261,350,60341,3416,50128,4429,893,563,55944,50485,306,42722,3984,5077,5232,136,57719,311,30033380,30086001,822]},"pktlen": {"min":52,"avg":380.0,"max":1500,"stddev":556.9,"var":310128.2,"ent":3.8,"data": [64,60,52,281,52,1500,1500,52,215,52,127,58,97,52,103,52,1402,1500,1500,52,1500,337,52,52,52,993,112,52,52,52,83,52]},"bins": {"c_to_s": [9,1,1,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,3,0,0],"s_to_c": [9,2,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,0,1,0,0,1,1,1,1,1,0,0,0,1,1],"entropies": [4.484876633,5.289900780,5.078045845,5.808425426,5.131024837,7.255376339,7.317865372,5.092562675,6.901146412,5.131024361,6.124006748,5.004364967,6.039024830,5.169486046,6.007705688,5.169486046,7.873569965,7.881214619,7.864243507,5.169486046,7.845795155,7.405421257,5.116507530,5.078045845,5.131024361,7.806305885,6.290623188,5.169486046,5.092563152,5.094483852,5.825018406,5.132945538]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Fun","category_id":26,"category":"Video"}} -01664{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1269,"source":"cfgs\/default\/pcap\/netflix.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1484319033631945,"flow_src_last_pkt_time":1484319063959877,"flow_dst_last_pkt_time":1484319064010312,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":6334,"flow_dst_tot_l4_payload_len":4142,"midstream":0,"thread_ts_usec":1484319064010312,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.69.204.241","src_port":53118,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"ichnaea.netflix.com","tls": {"version":"TLSv1.2","server_names":"ichnaea.netflix.com,beacon.netflix.com,presentationtracking.netflix.com,nmtracking.netflix.com,customerevents.netflix.com","ja3":"c07cb55f88702033a8f52c046d23e0b2","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=California, L=los gatos, O=Netflix, Inc., OU=Ops, CN=customerevents.netflix.com","advertised_alpns":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","fingerprint":"50:D6:DB:AF:1D:A3:83:52:E6:0E:15:8F:98:78:EE:2F:23:FD:E2:3F"}}} 00774{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1294,"source":"cfgs\/default\/pcap\/netflix.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1484319064590230,"flow_src_last_pkt_time":1484319064590230,"flow_dst_last_pkt_time":1484319064590230,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319064590230,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.3.140","src_port":53183,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} 00564{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1294,"source":"cfgs\/default\/pcap\/netflix.pcap","alias":"nDPId-test","flow_id":44,"flow_packet_id":1,"flow_src_last_pkt_time":1484319064590230,"flow_dst_last_pkt_time":1484319064590230,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1484319064590230,"pkt":"gCqoTGHM5JjWH70UCABFAABAVptAAEAGBuzAqAEHF\/YDjM+\/AFBrAzOSAAAAALAC\/\/+cMAAAAgQFtAEDAwUBAQgKH2UvkQAAAAAEAgAA"} 00775{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1295,"source":"cfgs\/default\/pcap\/netflix.pcap","alias":"nDPId-test","flow_id":45,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1484319064593980,"flow_src_last_pkt_time":1484319064593980,"flow_dst_last_pkt_time":1484319064593980,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319064593980,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53184,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} @@ -367,7 +364,6 @@ 00775{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1316,"source":"cfgs\/default\/pcap\/netflix.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1484319064711690,"flow_src_last_pkt_time":1484319064711690,"flow_dst_last_pkt_time":1484319064711690,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319064711690,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.37.36.252","src_port":53203,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} 00564{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1316,"source":"cfgs\/default\/pcap\/netflix.pcap","alias":"nDPId-test","flow_id":49,"flow_packet_id":1,"flow_src_last_pkt_time":1484319064711690,"flow_dst_last_pkt_time":1484319064711690,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1484319064711690,"pkt":"gCqoTGHM5JjWH70UCABFAABAfOpAAEAGov3AqAEHNCUk\/M\/TAbvE99WSAAAAALAC\/\/9grAAAAgQFtAEDAwUBAQgKH2UwAgAAAAAEAgAA"} 02188{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1317,"source":"cfgs\/default\/pcap\/netflix.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1484319033943762,"flow_src_last_pkt_time":1484319064712006,"flow_dst_last_pkt_time":1484319034278653,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":6319,"flow_dst_tot_l4_payload_len":4140,"midstream":0,"thread_ts_usec":1484319064712006,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.69.204.241","src_port":53119,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":74,"avg":1003326.9,"max":30431499,"stddev":5372888.5,"var":28867930619904.0,"ent":0.2,"data": [44924,46321,7446,58250,1844,979,55802,12140,9904,9342,287,206,60460,132,50780,11459,460,157,72134,60865,339,50757,444,15673,16944,136,74,82928,303,146,30431499]},"pktlen": {"min":52,"avg":379.5,"max":1500,"stddev":557.0,"var":310204.4,"ent":3.8,"data": [64,60,52,281,52,1500,1500,52,215,52,127,58,97,52,103,52,1402,1500,1500,52,1500,322,52,52,52,993,107,86,52,52,52,52]},"bins": {"c_to_s": [10,1,1,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,3,0,0],"s_to_c": [7,3,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,0,1,0,0,1,1,1,1,1,1,0,0,0,0],"entropies": [4.598081589,5.256567001,5.131024837,5.819132805,5.246409416,7.227420330,7.332920074,5.092563152,6.984497547,5.169486046,6.274277210,5.113821983,5.948767662,5.284871101,6.050486565,5.246409416,7.870395660,7.873335838,7.867392540,5.246409416,7.876014709,7.339691162,5.169486046,5.284871101,5.284871101,7.775086403,6.215628147,5.873826027,5.246409416,5.169486046,5.154969215,5.003043175]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Fun","category_id":26,"category":"Video"}} -01665{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1317,"source":"cfgs\/default\/pcap\/netflix.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1484319033943762,"flow_src_last_pkt_time":1484319064712006,"flow_dst_last_pkt_time":1484319034278653,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":6319,"flow_dst_tot_l4_payload_len":4140,"midstream":0,"thread_ts_usec":1484319064712006,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.69.204.241","src_port":53119,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"ichnaea.netflix.com","tls": {"version":"TLSv1.2","server_names":"ichnaea.netflix.com,beacon.netflix.com,presentationtracking.netflix.com,nmtracking.netflix.com,customerevents.netflix.com","ja3":"c07cb55f88702033a8f52c046d23e0b2","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=California, L=los gatos, O=Netflix, Inc., OU=Ops, CN=customerevents.netflix.com","advertised_alpns":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","fingerprint":"50:D6:DB:AF:1D:A3:83:52:E6:0E:15:8F:98:78:EE:2F:23:FD:E2:3F"}}} 00556{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1318,"source":"cfgs\/default\/pcap\/netflix.pcap","alias":"nDPId-test","flow_id":47,"flow_packet_id":2,"flow_src_last_pkt_time":1484319064671268,"flow_dst_last_pkt_time":1484319064722112,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1484319064722112,"pkt":"5JjWH70UgCqoTGHMCABFIAA8AABAACoGRvs2vxEzwKgBBwG7z9JcNkhzU8YNlaASOJDYrwAAAgQFtAQCCAqtilitH2Uv3gEDAwg="} 00557{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1319,"source":"cfgs\/default\/pcap\/netflix.pcap","alias":"nDPId-test","flow_id":46,"flow_packet_id":2,"flow_src_last_pkt_time":1484319064669455,"flow_dst_last_pkt_time":1484319064722814,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1484319064722814,"pkt":"5JjWH70UgCqoTGHMCABFIAA8AABAACkGR\/s2vxEzwKgBBwG7z8mqa43KKbVWHqASOJAmtQAAAgQFtAQCCAqtilitH2Uv3QEDAwg="} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1320,"source":"cfgs\/default\/pcap\/netflix.pcap","alias":"nDPId-test","flow_id":47,"flow_packet_id":3,"flow_src_last_pkt_time":1484319064723412,"flow_dst_last_pkt_time":1484319064722112,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1484319064723412,"pkt":"gCqoTGHM5JjWH70UCABFAAA06mxAAEAGRrbAqAEHNr8RM8\/SAbtTxg2VXDZIdIAQEBUvyAAAAQEICh9lMA6tilit"} @@ -390,9 +386,7 @@ 01637{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1349,"source":"cfgs\/default\/pcap\/netflix.pcap","alias":"nDPId-test","flow_id":47,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":4,"flow_first_seen":1484319064671268,"flow_src_last_pkt_time":1484319064729673,"flow_dst_last_pkt_time":1484319064898548,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":2528,"midstream":0,"thread_ts_usec":1484319064898548,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.191.17.51","src_port":53202,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}}},"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"ios.nccp.netflix.com","tls": {"version":"TLSv1.2","server_names":"*.nccp.netflix.com","ja3":"dc67ac8aaf8d7f69ecd6598135448f24","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"CN=Primary Certificate Authority (2009), ST=California, C=US, O=Netflix Inc, OU=Electronic Delivery, L=Los Gatos","subjectDN":"CN=*.nccp.netflix.com, O=Netflix, Inc., OU=Operations, C=US, ST=California, L=Los Gatos","fingerprint":"97:F6:63:95:8F:F2:5E:E0:80:12:5A:FD:BF:B2:EB:FE:A2:FE:72:33"}}} 01660{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1356,"source":"cfgs\/default\/pcap\/netflix.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":4,"flow_first_seen":1484319064711690,"flow_src_last_pkt_time":1484319064785302,"flow_dst_last_pkt_time":1484319064950196,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":229,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":229,"flow_dst_tot_l4_payload_len":2896,"midstream":0,"thread_ts_usec":1484319064950196,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.37.36.252","src_port":53203,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"ichnaea.netflix.com","tls": {"version":"TLSv1.2","server_names":"ichnaea.netflix.com,beacon.netflix.com,presentationtracking.netflix.com,nmtracking.netflix.com,customerevents.netflix.com","ja3":"c07cb55f88702033a8f52c046d23e0b2","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=California, L=los gatos, O=Netflix, Inc., OU=Ops, CN=customerevents.netflix.com","advertised_alpns":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","fingerprint":"50:D6:DB:AF:1D:A3:83:52:E6:0E:15:8F:98:78:EE:2F:23:FD:E2:3F"}}} 02338{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1408,"source":"cfgs\/default\/pcap\/netflix.pcap","alias":"nDPId-test","flow_id":47,"flow_state":"info","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1484319064671268,"flow_src_last_pkt_time":1484319065492035,"flow_dst_last_pkt_time":1484319065478679,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":9240,"flow_dst_tot_l4_payload_len":6755,"midstream":0,"thread_ts_usec":1484319065492035,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.191.17.51","src_port":53202,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":182,"avg":52521.9,"max":282465,"stddev":58168.2,"var":3383536896.0,"ent":4.2,"data": [50844,52144,6261,61059,40719,74658,170395,11813,79420,67625,2032,57431,55801,1745,844,219,182,82546,79700,249,94600,127478,60574,282465,10583,27617,37968,39882,42871,7730,723]},"pktlen": {"min":52,"avg":552.5,"max":1500,"stddev":629.7,"var":396553.7,"ent":4.0,"data": [64,60,52,569,52,1500,1132,52,178,103,52,1043,106,52,1500,1500,1500,1500,52,1500,387,52,52,1243,52,1500,1486,52,101,52,83,52]},"bins": {"c_to_s": [10,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0],"s_to_c": [5,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,1,2,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,0,1,0,0,0,0,0,1,0,0,1,1,1,0,1,1,0,1,0,0,0],"entropies": [4.598081589,5.369149208,5.169486046,4.365832806,5.154969215,7.171761036,7.662086964,5.169486523,6.518167496,5.984750271,5.100070000,7.782325745,6.202902317,5.246409416,7.867114544,7.871539593,7.857532978,7.870780945,5.078046322,7.856834412,7.434062958,5.154969215,5.154969215,7.833981991,5.246409416,7.884502411,7.878024578,5.246409416,6.160539627,5.207947731,5.791826725,5.094483852]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}}},"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Fun","category_id":26,"category":"Video"}} -01641{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1408,"source":"cfgs\/default\/pcap\/netflix.pcap","alias":"nDPId-test","flow_id":47,"flow_state":"info","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1484319064671268,"flow_src_last_pkt_time":1484319065492035,"flow_dst_last_pkt_time":1484319065478679,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":9240,"flow_dst_tot_l4_payload_len":6755,"midstream":0,"thread_ts_usec":1484319065492035,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.191.17.51","src_port":53202,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}}},"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"ios.nccp.netflix.com","tls": {"version":"TLSv1.2","server_names":"*.nccp.netflix.com","ja3":"dc67ac8aaf8d7f69ecd6598135448f24","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"CN=Primary Certificate Authority (2009), ST=California, C=US, O=Netflix Inc, OU=Electronic Delivery, L=Los Gatos","subjectDN":"CN=*.nccp.netflix.com, O=Netflix, Inc., OU=Operations, C=US, ST=California, L=Los Gatos","fingerprint":"97:F6:63:95:8F:F2:5E:E0:80:12:5A:FD:BF:B2:EB:FE:A2:FE:72:33"}}} 02201{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1428,"source":"cfgs\/default\/pcap\/netflix.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"info","flow_src_packets_processed":22,"flow_dst_packets_processed":10,"flow_first_seen":1484319064711690,"flow_src_last_pkt_time":1484319065635020,"flow_dst_last_pkt_time":1484319065630720,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":19082,"flow_dst_tot_l4_payload_len":3110,"midstream":0,"thread_ts_usec":1484319065635020,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.37.36.252","src_port":53203,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":105,"avg":59431.0,"max":332646,"stddev":83335.9,"var":6944879104.0,"ent":3.8,"data": [69450,70962,2650,55568,49103,64385,167918,331939,332646,26549,653,732,87677,534,60709,8817,7117,449,81078,62803,767,160,105,68135,67101,803,163,105,111161,109572,2549]},"pktlen": {"min":52,"avg":746.1,"max":1500,"stddev":703.8,"var":495333.0,"ent":4.2,"data": [64,60,52,281,52,1500,1500,52,215,52,127,58,97,52,103,52,1403,1500,1500,52,1500,1500,1500,1500,52,1500,1500,1500,1500,52,1500,1500]},"bins": {"c_to_s": [6,1,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,12,0,0],"s_to_c": [6,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,0,1,0,0,0,0,1,0,0,0,0,1,0,0],"entropies": [4.578626633,5.323234081,5.169486046,5.810972691,5.131024837,7.231025219,7.326107502,5.154969215,6.940334797,5.169486523,6.230382919,5.079339504,6.149899960,5.207948208,5.992234230,5.193430901,7.859437466,7.874912739,7.853219032,5.207947731,7.901949883,7.848706245,7.875315189,7.851129055,5.207947731,7.874441147,7.863263607,7.860793114,7.870314598,5.207947731,7.870880127,7.866354465]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Fun","category_id":26,"category":"Video"}} -01665{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1428,"source":"cfgs\/default\/pcap\/netflix.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"info","flow_src_packets_processed":22,"flow_dst_packets_processed":10,"flow_first_seen":1484319064711690,"flow_src_last_pkt_time":1484319065635020,"flow_dst_last_pkt_time":1484319065630720,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":19082,"flow_dst_tot_l4_payload_len":3110,"midstream":0,"thread_ts_usec":1484319065635020,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.37.36.252","src_port":53203,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"ichnaea.netflix.com","tls": {"version":"TLSv1.2","server_names":"ichnaea.netflix.com,beacon.netflix.com,presentationtracking.netflix.com,nmtracking.netflix.com,customerevents.netflix.com","ja3":"c07cb55f88702033a8f52c046d23e0b2","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=California, L=los gatos, O=Netflix, Inc., OU=Ops, CN=customerevents.netflix.com","advertised_alpns":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","fingerprint":"50:D6:DB:AF:1D:A3:83:52:E6:0E:15:8F:98:78:EE:2F:23:FD:E2:3F"}}} 02467{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1450,"source":"cfgs\/default\/pcap\/netflix.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1484319064590230,"flow_src_last_pkt_time":1484319066598421,"flow_dst_last_pkt_time":1484319065741809,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":512,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1017,"flow_dst_tot_l4_payload_len":17969,"midstream":0,"thread_ts_usec":1484319066598421,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.3.140","src_port":53183,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":5292,"avg":101928.1,"max":730898,"stddev":155663.8,"var":24231225344.0,"ent":4.0,"data": [30477,31515,13216,64005,5292,56409,6142,68156,5406,71534,109518,202677,164827,560321,47319,78954,279545,27696,94465,26601,26144,15824,70512,85885,39451,39774,41592,84438,730898,41457,39720]},"pktlen": {"min":52,"avg":648.3,"max":1500,"stddev":653.4,"var":426995.3,"ent":4.2,"data": [64,60,52,557,618,951,52,564,628,1500,52,1500,1500,1500,72,64,52,1500,1500,52,1500,52,1500,1500,52,1500,52,1500,64,72,64,52]},"bins": {"c_to_s": [15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0]},"directions": [0,1,0,0,1,1,0,0,1,1,0,1,1,1,0,0,0,1,1,0,1,0,1,1,0,1,0,1,0,0,0,0],"entropies": [4.476409912,5.212701797,5.156889915,6.230133057,5.778679371,3.867035151,5.079966545,6.195135117,5.745929718,3.167200804,5.094483852,7.856627464,7.824065208,7.816611290,5.331886292,5.165874004,5.118428230,7.781126976,7.831735134,5.118428230,7.778219700,4.961856365,5.882567406,7.827349663,5.103910923,7.794489861,4.961856365,7.814080238,4.958919048,5.244518280,5.083919048,5.079966545]},"ndpi": {"flow_risk": {"4": {"risk":"Binary App Transfer","severity":"Severe","risk_score": {"total":150,"client":135,"server":15}},"12": {"risk":"HTTP\/TLS\/QUIC Numeric Hostname\/SNI","severity":"Low","risk_score": {"total":300,"client":270,"server":30}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","proto_by_ip":"NetFlix","proto_by_ip_id":133,"encrypted":0,"breed":"Acceptable","category_id":7,"category":"Download"}} 00775{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1454,"source":"cfgs\/default\/pcap\/netflix.pcap","alias":"nDPId-test","flow_id":50,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1484319070636683,"flow_src_last_pkt_time":1484319070636683,"flow_dst_last_pkt_time":1484319070636683,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319070636683,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.133","src_port":53210,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} 00565{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1454,"source":"cfgs\/default\/pcap\/netflix.pcap","alias":"nDPId-test","flow_id":50,"flow_packet_id":1,"flow_src_last_pkt_time":1484319070636683,"flow_dst_last_pkt_time":1484319070636683,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1484319070636683,"pkt":"gCqoTGHM5JjWH70UCABFAABAs25AAEAGoh\/AqAEHF\/YLhc\/aAFBx1HGxAAAAALAC\/\/84uwAAAgQFtAEDAwUBAQgKH2VGAgAAAAAEAgAA"} @@ -496,7 +490,6 @@ 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1703,"source":"cfgs\/default\/pcap\/netflix.pcap","alias":"nDPId-test","flow_id":60,"flow_packet_id":5,"flow_src_last_pkt_time":1484319118676250,"flow_dst_last_pkt_time":1484319118700093,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1484319118700093,"pkt":"5JjWH70UgCqoTGHMCABFIAA0blRAADwGiny4GcwKwKgBBwBQ0APyPQT9JksT84AQA6unowAAAQEICv\/9aqkfZfnB"} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1707,"source":"cfgs\/default\/pcap\/netflix.pcap","alias":"nDPId-test","flow_id":61,"flow_packet_id":5,"flow_src_last_pkt_time":1484319118687774,"flow_dst_last_pkt_time":1484319118713206,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1484319118713206,"pkt":"5JjWH70UgCqoTGHMCABFIAA0l79AADwGYRG4GcwKwKgBBwBQ0ASr4P0MxYJHF4AQA6sjgwAAAQEICv\/9arMfZfnI"} 02186{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1715,"source":"cfgs\/default\/pcap\/netflix.pcap","alias":"nDPId-test","flow_id":55,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1484319117605859,"flow_src_last_pkt_time":1484319118414034,"flow_dst_last_pkt_time":1484319118767393,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":4896,"flow_dst_tot_l4_payload_len":7589,"midstream":0,"thread_ts_usec":1484319118767393,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.41.30.5","src_port":53239,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":95,"avg":63539.0,"max":500942,"stddev":121518.7,"var":14766798848.0,"ent":3.3,"data": [58292,61223,1798,70566,2939,1016,71265,11570,12325,13054,147,95,65707,781,52265,3649,191,91649,51753,301,140150,3732,3446,3903,5462,6438,5030,437212,863,500942,291945]},"pktlen": {"min":52,"avg":442.8,"max":1500,"stddev":552.3,"var":305076.8,"ent":4.0,"data": [64,60,52,569,52,1500,1500,52,245,52,127,58,97,52,103,52,1500,789,52,1500,476,52,448,52,751,52,86,52,1500,672,52,1500]},"bins": {"c_to_s": [10,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0],"s_to_c": [5,2,0,0,0,0,1,0,0,0,0,0,1,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,1,1,1,0,1,0,1,0,1,0,0,0,1,1],"entropies": [4.586286545,5.335815430,5.169486523,4.098951340,5.025067329,7.251211166,7.301212311,5.207947731,7.012731075,5.246409416,6.273766041,5.113821983,5.990005016,5.132945538,5.992234230,5.246409893,7.870625973,7.755266190,5.171407223,7.853860855,7.522392750,5.169486046,7.574260712,5.131024361,7.742949009,5.207947731,5.956426620,5.207947731,7.856410503,7.668289185,5.038780212,7.883280277]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Fun","category_id":26,"category":"Video"}} -01692{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1715,"source":"cfgs\/default\/pcap\/netflix.pcap","alias":"nDPId-test","flow_id":55,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1484319117605859,"flow_src_last_pkt_time":1484319118414034,"flow_dst_last_pkt_time":1484319118767393,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":4896,"flow_dst_tot_l4_payload_len":7589,"midstream":0,"thread_ts_usec":1484319118767393,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.41.30.5","src_port":53239,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"api-global.netflix.com","tls": {"version":"TLSv1.2","server_names":"api-latam.netflix.com,htmltvui.netflix.com,api-eu.netflix.com,uiboot.netflix.com,api-global.netflix.com,api-user.netflix.com,api-us.netflix.com,api.netflix.com","ja3":"d8bfad189bd26664e04570c104ee8418","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=California, L=los gatos, O=Netflix, Inc., OU=Ops, CN=api.netflix.com","advertised_alpns":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","fingerprint":"FC:5B:F6:86:AE:E5:22:0D:60:0C:C3:DF:8F:02:80:3F:A3:60:0E:3C"}}} 02229{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1759,"source":"cfgs\/default\/pcap\/netflix.pcap","alias":"nDPId-test","flow_id":61,"flow_state":"finished","flow_src_packets_processed":6,"flow_dst_packets_processed":26,"flow_first_seen":1484319118658049,"flow_src_last_pkt_time":1484319118854817,"flow_dst_last_pkt_time":1484319119584735,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":245,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":245,"flow_dst_tot_l4_payload_len":34752,"midstream":0,"thread_ts_usec":1484319119584735,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"184.25.204.10","src_port":53252,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":508,"avg":36240.5,"max":99830,"stddev":21554.2,"var":464585632.0,"ent":4.7,"data": [16679,17740,11985,38478,508,12702,40101,27115,27112,58536,99830,81106,33879,23672,53768,53762,65076,48010,65429,13865,30914,13324,28733,40448,54528,28786,29443,29431,27518,25487,25489]},"pktlen": {"min":52,"avg":1146.7,"max":1500,"stddev":613.3,"var":376142.5,"ent":4.7,"data": [64,60,52,297,52,1500,1500,52,1500,52,1500,64,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500]},"bins": {"c_to_s": [5,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,24,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1],"entropies": [4.495864868,5.233453751,5.156889915,5.883365631,5.270353794,7.005603790,7.481070995,5.118428230,7.677317619,5.077241421,7.654481411,5.151865005,7.832942486,7.813632965,7.788673401,7.782803535,7.834435940,7.821334362,7.827250957,7.843655586,7.828696728,7.842951298,7.865435123,7.847778320,7.855163097,7.835734844,7.856423378,7.842322826,7.854029179,7.863353252,7.834544182,7.849704266]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} 02221{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1784,"source":"cfgs\/default\/pcap\/netflix.pcap","alias":"nDPId-test","flow_id":60,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1484319118657433,"flow_src_last_pkt_time":1484319120611345,"flow_dst_last_pkt_time":1484319120609765,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":245,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":490,"flow_dst_tot_l4_payload_len":22387,"midstream":0,"thread_ts_usec":1484319120611345,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"184.25.204.10","src_port":53251,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":241,"avg":126007.9,"max":1416280,"stddev":340787.6,"var":116136157184.0,"ent":2.6,"data": [15432,16762,2055,27228,957,1055,27336,38112,39355,39938,44658,83445,40664,236734,277719,1389753,1416280,268,12835,48683,241,12768,12757,15934,13837,16300,12778,12746,23173,13285,13156]},"pktlen": {"min":52,"avg":767.5,"max":1500,"stddev":698.9,"var":488505.9,"ent":4.3,"data": [64,60,52,297,52,1500,1500,52,1500,52,1500,1500,52,1500,719,52,297,1500,1500,1500,52,52,1500,1500,52,1500,52,1500,1500,52,1500,52]},"bins": {"c_to_s": [12,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,15,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,1,1,0,1,1,0,0,1,1,1,0,0,1,1,0,1,0,1,1,0,1,0],"entropies": [4.464614868,5.187539101,5.079966545,5.914007187,5.270354271,7.264070511,7.801600933,5.195351601,7.847749710,5.032077789,7.834869862,7.811845303,5.118427753,7.846868038,7.676549435,5.195351124,5.834331989,6.944043159,7.534036636,7.785680771,5.062724590,4.993616104,7.810704231,7.840629101,5.024262428,7.853393078,4.863714218,7.836608410,7.849914551,5.062724113,7.841484547,5.053297043]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} 00978{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1793,"source":"cfgs\/default\/pcap\/netflix.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":8,"flow_first_seen":1484319036854344,"flow_src_last_pkt_time":1484319036977437,"flow_dst_last_pkt_time":1484319036976156,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":227,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1090,"flow_dst_tot_l4_payload_len":3533,"midstream":0,"thread_ts_usec":1484319120726362,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"104.86.97.179","src_port":53141,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Fun","category_id":26,"category":"Video"}} @@ -561,7 +554,7 @@ 00983{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":1793,"source":"cfgs\/default\/pcap\/netflix.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":16,"flow_first_seen":1484319033943762,"flow_src_last_pkt_time":1484319064790823,"flow_dst_last_pkt_time":1484319064782569,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":6319,"flow_dst_tot_l4_payload_len":4171,"midstream":0,"thread_ts_usec":1484319120726362,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.69.204.241","src_port":53119,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Fun","category_id":26,"category":"Video"}} 00983{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":1793,"source":"cfgs\/default\/pcap\/netflix.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"finished","flow_src_packets_processed":28,"flow_dst_packets_processed":17,"flow_first_seen":1484319064711690,"flow_src_last_pkt_time":1484319096924088,"flow_dst_last_pkt_time":1484319096921856,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":20856,"flow_dst_tot_l4_payload_len":4094,"midstream":0,"thread_ts_usec":1484319120726362,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.37.36.252","src_port":53203,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Fun","category_id":26,"category":"Video"}} 00970{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1793,"source":"cfgs\/default\/pcap\/netflix.pcap","alias":"nDPId-test","flow_id":48,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1484319064683828,"flow_src_last_pkt_time":1484319064683828,"flow_dst_last_pkt_time":1484319064699948,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":41,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":41,"flow_dst_max_l4_payload_len":206,"flow_src_tot_l4_payload_len":41,"flow_dst_tot_l4_payload_len":206,"midstream":0,"thread_ts_usec":1484319120726362,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"192.168.1.1","src_port":60962,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.NetFlix","proto_id":"5.133","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Fun","category_id":14,"category":"Network"}} -00648{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":1793,"source":"cfgs\/default\/pcap\/netflix.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":1793,"packets-processed":1793,"total-skipped-flows":0,"total-l4-payload-len":885344,"total-not-detected-flows":0,"total-guessed-flows":1,"total-detected-flows":60,"total-detection-updates":76,"total-updates":9,"current-active-flows":0,"total-active-flows":61,"total-idle-flows":61,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":564,"global_ts_usec":1484319120726362} +00648{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":1793,"source":"cfgs\/default\/pcap\/netflix.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":1793,"packets-processed":1793,"total-skipped-flows":0,"total-l4-payload-len":885344,"total-not-detected-flows":0,"total-guessed-flows":1,"total-detected-flows":60,"total-detection-updates":69,"total-updates":9,"current-active-flows":0,"total-active-flows":61,"total-idle-flows":61,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":557,"global_ts_usec":1484319120726362} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ ~~ packets captured/processed: 1793/1793 ~~ skipped flows.............: 0 diff --git a/test/results/default/pinterest.pcap.out b/test/results/default/pinterest.pcap.out index 33bb0e566..50d69612a 100644 --- a/test/results/default/pinterest.pcap.out +++ b/test/results/default/pinterest.pcap.out @@ -16,7 +16,6 @@ 01316{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":10,"source":"cfgs\/default\/pcap\/pinterest.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605289713743557,"flow_src_last_pkt_time":1605289713761745,"flow_dst_last_pkt_time":1605289713802900,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1048,"midstream":0,"thread_ts_usec":1605289713802900,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7854","src_port":33262,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Pinterest","proto_id":"91.183","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"www.pinterest.fr","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","advertised_alpns":"h2,http\/1.1","negotiated_alpn":"h2","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 03096{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":17,"source":"cfgs\/default\/pcap\/pinterest.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":7,"flow_first_seen":1605289713743557,"flow_src_last_pkt_time":1605289713802981,"flow_dst_last_pkt_time":1605289713803139,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":5240,"midstream":0,"thread_ts_usec":1605289713803139,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7854","src_port":33262,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Pinterest","proto_id":"91.183","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"www.pinterest.fr","tls": {"version":"TLSv1.2","server_names":"*.pinterest.com,pinterest.in,*.pinterest.co,pinterest.co,*.pinterest.pe,pinterest.pe,*.pinterest.be,pinterest.be,*.pinterest.in,*.pinterest.ph,*.pinterest.ec,pinterest.ph,*.pinterest.cl,*.pinimg.com,*.pinterest.es,pinterest.es,*.pinterest.nz,pinterest.nz,pinterest.ec,pinterest.hu,pinterest.ca,pinterest.id,*.pinterest.nl,pinterest.nl,*.pinterest.tw,pinterest.tw,*.pinterest.th,pinterest.th,*.pinterest.id,*.pinterest.vn,*.pinterest.hu,pinterest.vn,*.pinterest.uk,pinterest.uk,*.pinterest.ru,pinterest.ru,*.pinterest.it,pinterest.it,pinterest.fr,pinterest.cl,*.pinterest.fr,*.pinterest.jp,*.pinterest.ca,pinterest.com,pin.it,*.pinterest.se,*.pinterest.pt,*.pinterest.mx,*.pinterest.kr,*.pinterest.ie,pinterest.engineering,*.pinterest.dk,*.pinterest.de,*.pinterest.ch,*.pinterest.at,*.pinterestmail.com,*.pinterest.engineering,*.pinterest.info,pinterest.info,pinimg.com,pinterestmail.com,pinterest.de,pinterest.dk,pinterest.ie,pinterest.jp,pinterest.kr,pinterest.mx,pinterest.pt,pinterest.se,pinterest.at,pinterest.ch,pinterest.co.at,*.pinterest.com.uy,pinterest.co.kr,pinterest.co.uk,*.pinterest.com.au,pinterest.com.au,pinterest.com.mx,*.pinterest.co.nz,pinterest.co.nz,pinterest.com.pe,pinterest.com.uy,*.pinterest.co.in,pinterest.com.py,*.pinterest.com.py,pinterest.com.bo,*.pinterest.com.bo,pinterest.com.ec,*.pinterest.com.ec,pinterest.co.in,*.pinterest.com.pe,*.pinterest.com.mx,pinterest.com.vn,*.pinterest.com.vn,*.pinterest.co.uk,*.pinterest.co.kr,*.pinterest.co.at,*.testing.pinterest.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Pinterest, Inc., CN=*.pinterest.com","advertised_alpns":"h2,http\/1.1","negotiated_alpn":"h2","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"1E:D0:5D:9F:0D:82:46:B3:60:5F:11:FB:64:D5:28:35:37:40:7A:4E"}}} 02178{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":36,"source":"cfgs\/default\/pcap\/pinterest.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1605289713743557,"flow_src_last_pkt_time":1605289713845515,"flow_dst_last_pkt_time":1605289714059633,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1112,"flow_dst_tot_l4_payload_len":8219,"midstream":0,"thread_ts_usec":1605289714059633,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7854","src_port":33262,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":0,"avg":13485.0,"max":172415,"stddev":32478.6,"var":1054859584.0,"ent":2.7,"data": [17629,17683,505,39969,1745,1,2,41182,41,13,234,2,0,175,23,26,7012,281,424,41621,1,1,33877,492,1,473,243,41960,172415,2,1]},"pktlen": {"min":72,"avg":364.1,"max":1120,"stddev":421.4,"var":177613.6,"ent":4.2,"data": [80,80,72,589,72,1120,1120,1120,72,72,72,1120,1120,154,72,72,72,165,171,437,72,72,330,72,138,72,72,110,72,1120,1120,549]},"bins": {"c_to_s": [10,1,1,1,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,2,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,1,1,1,0,0,0,0,0,0,1,1,1,0,1,1,0,0,1,1,1,1],"entropies": [4.847575665,5.229952335,5.179864883,4.532552719,5.045369625,6.786690235,4.454385281,6.617737293,5.179864883,5.207642555,5.263197899,7.131698132,7.585322857,6.331103802,5.207642555,5.150118828,5.137001514,6.091404438,6.368394852,7.380807877,5.073147297,5.045369625,7.067039967,5.263197899,6.187361240,5.128702641,5.207642555,5.611329079,5.128702641,7.815224648,7.838888168,7.557251453]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Pinterest","proto_id":"91.183","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} -03099{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":36,"source":"cfgs\/default\/pcap\/pinterest.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1605289713743557,"flow_src_last_pkt_time":1605289713845515,"flow_dst_last_pkt_time":1605289714059633,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1112,"flow_dst_tot_l4_payload_len":8219,"midstream":0,"thread_ts_usec":1605289714059633,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7854","src_port":33262,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Pinterest","proto_id":"91.183","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"www.pinterest.fr","tls": {"version":"TLSv1.2","server_names":"*.pinterest.com,pinterest.in,*.pinterest.co,pinterest.co,*.pinterest.pe,pinterest.pe,*.pinterest.be,pinterest.be,*.pinterest.in,*.pinterest.ph,*.pinterest.ec,pinterest.ph,*.pinterest.cl,*.pinimg.com,*.pinterest.es,pinterest.es,*.pinterest.nz,pinterest.nz,pinterest.ec,pinterest.hu,pinterest.ca,pinterest.id,*.pinterest.nl,pinterest.nl,*.pinterest.tw,pinterest.tw,*.pinterest.th,pinterest.th,*.pinterest.id,*.pinterest.vn,*.pinterest.hu,pinterest.vn,*.pinterest.uk,pinterest.uk,*.pinterest.ru,pinterest.ru,*.pinterest.it,pinterest.it,pinterest.fr,pinterest.cl,*.pinterest.fr,*.pinterest.jp,*.pinterest.ca,pinterest.com,pin.it,*.pinterest.se,*.pinterest.pt,*.pinterest.mx,*.pinterest.kr,*.pinterest.ie,pinterest.engineering,*.pinterest.dk,*.pinterest.de,*.pinterest.ch,*.pinterest.at,*.pinterestmail.com,*.pinterest.engineering,*.pinterest.info,pinterest.info,pinimg.com,pinterestmail.com,pinterest.de,pinterest.dk,pinterest.ie,pinterest.jp,pinterest.kr,pinterest.mx,pinterest.pt,pinterest.se,pinterest.at,pinterest.ch,pinterest.co.at,*.pinterest.com.uy,pinterest.co.kr,pinterest.co.uk,*.pinterest.com.au,pinterest.com.au,pinterest.com.mx,*.pinterest.co.nz,pinterest.co.nz,pinterest.com.pe,pinterest.com.uy,*.pinterest.co.in,pinterest.com.py,*.pinterest.com.py,pinterest.com.bo,*.pinterest.com.bo,pinterest.com.ec,*.pinterest.com.ec,pinterest.co.in,*.pinterest.com.pe,*.pinterest.com.mx,pinterest.com.vn,*.pinterest.com.vn,*.pinterest.co.uk,*.pinterest.co.kr,*.pinterest.co.at,*.testing.pinterest.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Pinterest, Inc., CN=*.pinterest.com","advertised_alpns":"h2,http\/1.1","negotiated_alpn":"h2","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"1E:D0:5D:9F:0D:82:46:B3:60:5F:11:FB:64:D5:28:35:37:40:7A:4E"}}} 00806{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":40,"source":"cfgs\/default\/pcap\/pinterest.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605289714142423,"flow_src_last_pkt_time":1605289714142423,"flow_dst_last_pkt_time":1605289714142423,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605289714142423,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::84","src_port":38512,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} 00584{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":40,"source":"cfgs\/default\/pcap\/pinterest.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":1,"flow_src_last_pkt_time":1605289714142423,"flow_dst_last_pkt_time":1605289714142423,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605289714142423,"pkt":"qtsDr8lk5EKm5WPyht1gBvDPACgGQCoBywEgSYsHmR3shSjf9ikqBE5CAB0AAAAAAAAAAACElnABu5Qp1R0AAAAAoAL9IJUzAAACBAWgBAIICtZiIAMAAAAAAQMDBw=="} 00806{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":41,"source":"cfgs\/default\/pcap\/pinterest.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605289714142533,"flow_src_last_pkt_time":1605289714142533,"flow_dst_last_pkt_time":1605289714142533,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605289714142533,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::84","src_port":38514,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} @@ -118,9 +117,7 @@ 01297{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":267,"source":"cfgs\/default\/pcap\/pinterest.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605289714782619,"flow_src_last_pkt_time":1605289714833176,"flow_dst_last_pkt_time":1605289714867730,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1388,"midstream":0,"thread_ts_usec":1605289714867730,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::720","src_port":57050,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"images.unsplash.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","advertised_alpns":"h2,http\/1.1","negotiated_alpn":"h2","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 03522{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":273,"source":"cfgs\/default\/pcap\/pinterest.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":6,"flow_first_seen":1605289714782619,"flow_src_last_pkt_time":1605289714868409,"flow_dst_last_pkt_time":1605289714869584,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":5552,"midstream":0,"thread_ts_usec":1605289714869584,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::720","src_port":57050,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Safe","category_id":1,"category":"Media","hostname":"images.unsplash.com","tls": {"version":"TLSv1.2","server_names":"imgix2.map.fastly.net,*.camp-fire.jp,*.carwow.co.uk,*.carwow.de,*.carwow.es,*.catchandrelease.com,*.dorothee-schumacher.com,*.footway.com,*.img-ikyu.com,*.imgix.drizly.com,*.instamotor.com,*.microdinc.com,*.msastaging.com,*.peddle.com,*.remax.ca,*.ustudio.com,*.vaping360.com,*.weber.com,article-image-ix.nikkei.com,assets.eberhardt-travel.de,assets.verishop.com,assets.verishop.xyz,cdn.airstream.com,cdn.elementthree.com,cdn.hashnode.com,cdn.naturalhealthyconcepts.com,cdn.parent.eu,cdn.phonehouse.es,cdn.shiplus.co.il,i.drop-cdn.com,i.upworthy.com,image.volunteerworld.com,imageproxy.themaven.net,images-dev.takeshape.io,images.101cookbooks.com,images.beano.com,images.businessoffashion.com,images.congstar.de,images.diesdas.digital,images.fandor.com,images.greetingsisland.com,images.malaecuia.com.br,images.omaze.com,images.roulottesgagnon.com,images.takeshape.io,images.thewanderful.co,images.unsplash.com,images.victoriaplum.com,images.vraiandoro.com,img-1.homely.com.au,img-stack.imagereflow.com,img.badshop.se,img.bernieandphyls.com,img.bioopticsworld.com,img.broadbandtechreport.com,img.broadwaybox.com,img.bygghemma.se,img.bygghjemme.no,img.byggshop.se,img.cablinginstall.com,img.dentaleconomics.com,img.dentistryiq.com,img.evaluationengineering.com,img.golvshop.se,img.grudado.com.br,img.industrial-lasers.com,img.induux.de,img.intelligent-aerospace.com,img.inturn.co,img.laserfocusworld.com,img.ledsmagazine.com,img.lightwaveonline.com,img.militaryaerospace.com,img.mychannels.video,img.officer.com,img.offshore-mag.com,img.ogj.com,img.perioimplantadvisory.com,img.plasticsmachinerymagazine.com,img.prevu.com,img.rdhmag.com,img.speedcurve.com,img.strategies-u.com,img.utilityproducts.com,img.vision-systems.com,img.waterworld.com,img.workbook.com,img.xlhemma.se,img1.nowpurchase.com,iw.induux.de,m.22slides.com,media.sailrace.com,media.useyourlocal.com,pictures.hideaways.dk,raven.contrado.com,resources.intuitive.com,static.doorsuperstore.co.uk","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=BE, O=GlobalSign nv-sa, CN=GlobalSign CloudSSL CA - SHA256 - G3","subjectDN":"C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=imgix2.map.fastly.net","advertised_alpns":"h2,http\/1.1","negotiated_alpn":"h2","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"1F:BC:A1:79:48:96:70:32:B8:08:C1:38:D4:20:12:BE:D9:6F:14:B6"}}} 02184{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":282,"source":"cfgs\/default\/pcap\/pinterest.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605289714658043,"flow_src_last_pkt_time":1605289714873020,"flow_dst_last_pkt_time":1605289714873010,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1043,"flow_dst_tot_l4_payload_len":6264,"midstream":0,"thread_ts_usec":1605289714873020,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7854","src_port":33280,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":0,"avg":13869.2,"max":89623,"stddev":22425.8,"var":502918720.0,"ent":3.3,"data": [39835,39893,388,39880,1850,1,41296,35,60,0,18,4,565,0,563,29,2922,2605,564,39805,119,1086,1924,0,36819,15,203,49740,40102,0,89623]},"pktlen": {"min":72,"avg":300.8,"max":1120,"stddev":374.8,"var":140490.0,"ent":4.1,"data": [80,80,72,589,72,1120,1120,72,72,1120,1120,72,72,1120,154,72,72,165,171,368,72,72,72,330,138,72,72,110,72,516,246,72]},"bins": {"c_to_s": [11,1,1,1,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,2,0,0,1,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,1,0,0,1,1,0,0,0,0,0,1,1,1,1,1,0,0,0,1,1,1,0],"entropies": [4.759509563,5.142373085,5.117740154,4.564804554,4.953123093,6.789499283,4.442035198,5.175263882,5.103079796,6.610801220,7.126421452,5.203041553,5.203041553,7.603042603,6.151700974,5.175263882,5.175263882,6.101224422,6.300935745,7.262635231,4.980900764,5.036456108,4.980900764,7.043718815,6.196548939,5.175263882,5.175263882,5.631328106,5.036456108,7.479037762,6.852047443,5.230819225]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Pinterest","proto_id":"91.183","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} -03107{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":282,"source":"cfgs\/default\/pcap\/pinterest.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605289714658043,"flow_src_last_pkt_time":1605289714873020,"flow_dst_last_pkt_time":1605289714873010,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1043,"flow_dst_tot_l4_payload_len":6264,"midstream":0,"thread_ts_usec":1605289714873020,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7854","src_port":33280,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Pinterest","proto_id":"91.183","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"accounts.pinterest.com","tls": {"version":"TLSv1.2","server_names":"*.pinterest.com,pinterest.in,*.pinterest.co,pinterest.co,*.pinterest.pe,pinterest.pe,*.pinterest.be,pinterest.be,*.pinterest.in,*.pinterest.ph,*.pinterest.ec,pinterest.ph,*.pinterest.cl,*.pinimg.com,*.pinterest.es,pinterest.es,*.pinterest.nz,pinterest.nz,pinterest.ec,pinterest.hu,pinterest.ca,pinterest.id,*.pinterest.nl,pinterest.nl,*.pinterest.tw,pinterest.tw,*.pinterest.th,pinterest.th,*.pinterest.id,*.pinterest.vn,*.pinterest.hu,pinterest.vn,*.pinterest.uk,pinterest.uk,*.pinterest.ru,pinterest.ru,*.pinterest.it,pinterest.it,pinterest.fr,pinterest.cl,*.pinterest.fr,*.pinterest.jp,*.pinterest.ca,pinterest.com,pin.it,*.pinterest.se,*.pinterest.pt,*.pinterest.mx,*.pinterest.kr,*.pinterest.ie,pinterest.engineering,*.pinterest.dk,*.pinterest.de,*.pinterest.ch,*.pinterest.at,*.pinterestmail.com,*.pinterest.engineering,*.pinterest.info,pinterest.info,pinimg.com,pinterestmail.com,pinterest.de,pinterest.dk,pinterest.ie,pinterest.jp,pinterest.kr,pinterest.mx,pinterest.pt,pinterest.se,pinterest.at,pinterest.ch,pinterest.co.at,*.pinterest.com.uy,pinterest.co.kr,pinterest.co.uk,*.pinterest.com.au,pinterest.com.au,pinterest.com.mx,*.pinterest.co.nz,pinterest.co.nz,pinterest.com.pe,pinterest.com.uy,*.pinterest.co.in,pinterest.com.py,*.pinterest.com.py,pinterest.com.bo,*.pinterest.com.bo,pinterest.com.ec,*.pinterest.com.ec,pinterest.co.in,*.pinterest.com.pe,*.pinterest.com.mx,pinterest.com.vn,*.pinterest.com.vn,*.pinterest.co.uk,*.pinterest.co.kr,*.pinterest.co.at,*.testing.pinterest.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Pinterest, Inc., CN=*.pinterest.com","advertised_alpns":"h2,http\/1.1","negotiated_alpn":"h2","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"1E:D0:5D:9F:0D:82:46:B3:60:5F:11:FB:64:D5:28:35:37:40:7A:4E"}}} 02153{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":297,"source":"cfgs\/default\/pcap\/pinterest.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605289714782619,"flow_src_last_pkt_time":1605289714902517,"flow_dst_last_pkt_time":1605289714903070,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1077,"flow_dst_tot_l4_payload_len":12561,"midstream":0,"thread_ts_usec":1605289714903070,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::720","src_port":57050,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":0,"avg":7753.2,"max":50337,"stddev":15382.7,"var":236626480.0,"ent":2.9,"data": [50290,50337,220,31719,3102,0,34561,13,675,659,1179,1,1182,11,2643,116,155,32346,0,0,0,1,29460,6,548,1,0,514,15,6,589]},"pktlen": {"min":72,"avg":498.7,"max":1460,"stddev":595.9,"var":355070.7,"ent":4.0,"data": [80,80,72,589,72,1460,1460,72,72,1460,72,1460,1205,72,72,165,171,440,72,72,72,330,138,72,72,1460,1460,1460,72,72,72,1460]},"bins": {"c_to_s": [12,0,1,1,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,8,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,1,1,0,0,0,0,0,1,1,1,1,1,0,0,1,1,1,0,0,0,1],"entropies": [4.703702927,5.136080265,5.124309540,4.545345783,5.017591953,6.717867374,4.853471756,5.096531868,5.124309540,7.395221710,5.124309540,7.321218014,7.643990993,5.124309540,5.152087212,5.949683189,6.333797455,7.364598274,5.017591953,5.017591953,4.989814281,7.067564487,6.163845539,5.152087212,5.124309540,7.852941513,7.865815639,7.871354580,5.096531868,5.124309540,5.053668499,7.834792614]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Safe","category_id":1,"category":"Media"}} -03526{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":297,"source":"cfgs\/default\/pcap\/pinterest.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605289714782619,"flow_src_last_pkt_time":1605289714902517,"flow_dst_last_pkt_time":1605289714903070,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1077,"flow_dst_tot_l4_payload_len":12561,"midstream":0,"thread_ts_usec":1605289714903070,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::720","src_port":57050,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Safe","category_id":1,"category":"Media","hostname":"images.unsplash.com","tls": {"version":"TLSv1.2","server_names":"imgix2.map.fastly.net,*.camp-fire.jp,*.carwow.co.uk,*.carwow.de,*.carwow.es,*.catchandrelease.com,*.dorothee-schumacher.com,*.footway.com,*.img-ikyu.com,*.imgix.drizly.com,*.instamotor.com,*.microdinc.com,*.msastaging.com,*.peddle.com,*.remax.ca,*.ustudio.com,*.vaping360.com,*.weber.com,article-image-ix.nikkei.com,assets.eberhardt-travel.de,assets.verishop.com,assets.verishop.xyz,cdn.airstream.com,cdn.elementthree.com,cdn.hashnode.com,cdn.naturalhealthyconcepts.com,cdn.parent.eu,cdn.phonehouse.es,cdn.shiplus.co.il,i.drop-cdn.com,i.upworthy.com,image.volunteerworld.com,imageproxy.themaven.net,images-dev.takeshape.io,images.101cookbooks.com,images.beano.com,images.businessoffashion.com,images.congstar.de,images.diesdas.digital,images.fandor.com,images.greetingsisland.com,images.malaecuia.com.br,images.omaze.com,images.roulottesgagnon.com,images.takeshape.io,images.thewanderful.co,images.unsplash.com,images.victoriaplum.com,images.vraiandoro.com,img-1.homely.com.au,img-stack.imagereflow.com,img.badshop.se,img.bernieandphyls.com,img.bioopticsworld.com,img.broadbandtechreport.com,img.broadwaybox.com,img.bygghemma.se,img.bygghjemme.no,img.byggshop.se,img.cablinginstall.com,img.dentaleconomics.com,img.dentistryiq.com,img.evaluationengineering.com,img.golvshop.se,img.grudado.com.br,img.industrial-lasers.com,img.induux.de,img.intelligent-aerospace.com,img.inturn.co,img.laserfocusworld.com,img.ledsmagazine.com,img.lightwaveonline.com,img.militaryaerospace.com,img.mychannels.video,img.officer.com,img.offshore-mag.com,img.ogj.com,img.perioimplantadvisory.com,img.plasticsmachinerymagazine.com,img.prevu.com,img.rdhmag.com,img.speedcurve.com,img.strategies-u.com,img.utilityproducts.com,img.vision-systems.com,img.waterworld.com,img.workbook.com,img.xlhemma.se,img1.nowpurchase.com,iw.induux.de,m.22slides.com,media.sailrace.com,media.useyourlocal.com,pictures.hideaways.dk,raven.contrado.com,resources.intuitive.com,static.doorsuperstore.co.uk","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=BE, O=GlobalSign nv-sa, CN=GlobalSign CloudSSL CA - SHA256 - G3","subjectDN":"C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=imgix2.map.fastly.net","advertised_alpns":"h2,http\/1.1","negotiated_alpn":"h2","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"1F:BC:A1:79:48:96:70:32:B8:08:C1:38:D4:20:12:BE:D9:6F:14:B6"}}} 00816{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":306,"source":"cfgs\/default\/pcap\/pinterest.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605289715133578,"flow_src_last_pkt_time":1605289715133578,"flow_dst_last_pkt_time":1605289715133578,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605289715133578,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::2003","src_port":51582,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} 00586{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":306,"source":"cfgs\/default\/pcap\/pinterest.pcap","alias":"nDPId-test","flow_id":17,"flow_packet_id":1,"flow_src_last_pkt_time":1605289715133578,"flow_dst_last_pkt_time":1605289715133578,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605289715133578,"pkt":"qtsDr8lk5EKm5WPyht1gAUyOACgGQCoBywEgSYsHmR3shSjf9ikqABRQQAcIFgAAAAAAACADyX4Bu+HPmfcAAAAAoAL9IJHxAAACBAWgBAIICjiITggAAAAAAQMDBw=="} 00587{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":307,"source":"cfgs\/default\/pcap\/pinterest.pcap","alias":"nDPId-test","flow_id":17,"flow_packet_id":2,"flow_src_last_pkt_time":1605289715133578,"flow_dst_last_pkt_time":1605289715210396,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605289715210396,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPSoAFFBABwgWAAAAAAAAIAMqAcsBIEmLB5kd7IUo3\/YpAbvJfoEpGV7hz5n4oBJXgLSTAAACBAV4AQMDAwQCCArCuSXYOIhOCA=="} @@ -234,7 +231,6 @@ 01301{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":774,"source":"cfgs\/default\/pcap\/pinterest.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605289732972740,"flow_src_last_pkt_time":1605289733019850,"flow_dst_last_pkt_time":1605289733177092,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1208,"midstream":0,"thread_ts_usec":1605289733177092,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80a::200e","src_port":45126,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","proto_by_ip":"Google","proto_by_ip_id":126,"encrypted":1,"breed":"Acceptable","category_id":101,"category":"Advertisement","hostname":"www.google-analytics.com","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","advertised_alpns":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 02186{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":802,"source":"cfgs\/default\/pcap\/pinterest.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605289732972740,"flow_src_last_pkt_time":1605289733216831,"flow_dst_last_pkt_time":1605289733216812,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":969,"flow_dst_tot_l4_payload_len":9927,"midstream":0,"thread_ts_usec":1605289733216831,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80a::200e","src_port":45126,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":0,"avg":15747.2,"max":157269,"stddev":35268.1,"var":1243837184.0,"ent":2.7,"data": [46894,46909,201,112030,45428,0,2,157269,9,5,2935,270,2964,37660,1,0,1100,1,0,32562,12,3,631,955,1,0,0,308,7,3,3]},"pktlen": {"min":72,"avg":413.0,"max":1280,"stddev":486.7,"var":236885.8,"ent":4.1,"data": [80,80,72,589,72,1280,1280,549,72,72,72,136,164,337,72,72,72,652,486,1280,72,72,72,103,1280,1280,1280,1280,72,72,72,72]},"bins": {"c_to_s": [13,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,0,0,1,1,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0],"entropies": [4.855388165,5.286173344,5.149313450,4.600729942,5.080059052,7.797164440,7.832664490,7.507453918,5.138828754,5.081305504,5.166606903,6.092433929,6.575641632,7.259848118,5.043183804,5.097352505,5.052281380,7.626473904,7.461633682,7.832756042,5.149313450,5.132019997,5.083273411,5.775549889,7.833918095,7.851273537,7.839205742,7.857754707,5.121535778,5.177091122,5.111051083,5.177091122]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","proto_by_ip":"Google","proto_by_ip_id":126,"encrypted":1,"breed":"Acceptable","category_id":101,"category":"Advertisement"}} 02181{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":829,"source":"cfgs\/default\/pcap\/pinterest.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1605289732959160,"flow_src_last_pkt_time":1605289733287022,"flow_dst_last_pkt_time":1605289733341107,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1151,"flow_dst_tot_l4_payload_len":10308,"midstream":0,"thread_ts_usec":1605289733341107,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::84","src_port":38546,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":0,"avg":22897.1,"max":135965,"stddev":39614.3,"var":1569289984.0,"ent":3.2,"data": [46509,46553,392,49783,3591,0,52945,10,1267,1,1272,3,2358,266,496,109019,0,0,1,0,1,105909,5,6,6499,35807,111148,135965,1,2,0]},"pktlen": {"min":72,"avg":430.6,"max":1460,"stddev":544.3,"var":296293.8,"ent":4.0,"data": [80,80,72,589,72,1460,1460,72,72,1460,1230,72,72,165,171,338,72,72,330,138,72,570,72,72,72,110,72,210,72,1460,1460,1460]},"bins": {"c_to_s": [9,1,1,1,1,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,1,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,6,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,1,0,0,0,0,0,1,1,1,1,1,1,0,0,0,0,1,0,1,1,1,1],"entropies": [4.684510231,5.128057957,5.091930866,4.525407314,4.980900764,6.391155720,5.165083408,5.175263882,5.175263882,7.346390247,7.633969307,5.175263882,5.109223843,6.098253250,6.329233170,7.209453583,5.008678436,4.970416069,7.086939812,6.058278084,4.925345421,7.519527912,5.175263882,5.147486210,5.175263882,5.594966412,4.980900764,6.689027309,4.980900764,7.853739262,7.845409870,7.847467899]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Pinterest","proto_id":"91.183","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} -03104{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":829,"source":"cfgs\/default\/pcap\/pinterest.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1605289732959160,"flow_src_last_pkt_time":1605289733287022,"flow_dst_last_pkt_time":1605289733341107,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1151,"flow_dst_tot_l4_payload_len":10308,"midstream":0,"thread_ts_usec":1605289733341107,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::84","src_port":38546,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Pinterest","proto_id":"91.183","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"assets.pinterest.com","tls": {"version":"TLSv1.2","server_names":"*.pinterest.com,pinterest.in,*.pinterest.co,pinterest.co,*.pinterest.pe,pinterest.pe,*.pinterest.be,pinterest.be,*.pinterest.in,*.pinterest.ph,*.pinterest.ec,pinterest.ph,*.pinterest.cl,*.pinimg.com,*.pinterest.es,pinterest.es,*.pinterest.nz,pinterest.nz,pinterest.ec,pinterest.hu,pinterest.ca,pinterest.id,*.pinterest.nl,pinterest.nl,*.pinterest.tw,pinterest.tw,*.pinterest.th,pinterest.th,*.pinterest.id,*.pinterest.vn,*.pinterest.hu,pinterest.vn,*.pinterest.uk,pinterest.uk,*.pinterest.ru,pinterest.ru,*.pinterest.it,pinterest.it,pinterest.fr,pinterest.cl,*.pinterest.fr,*.pinterest.jp,*.pinterest.ca,pinterest.com,pin.it,*.pinterest.se,*.pinterest.pt,*.pinterest.mx,*.pinterest.kr,*.pinterest.ie,pinterest.engineering,*.pinterest.dk,*.pinterest.de,*.pinterest.ch,*.pinterest.at,*.pinterestmail.com,*.pinterest.engineering,*.pinterest.info,pinterest.info,pinimg.com,pinterestmail.com,pinterest.de,pinterest.dk,pinterest.ie,pinterest.jp,pinterest.kr,pinterest.mx,pinterest.pt,pinterest.se,pinterest.at,pinterest.ch,pinterest.co.at,*.pinterest.com.uy,pinterest.co.kr,pinterest.co.uk,*.pinterest.com.au,pinterest.com.au,pinterest.com.mx,*.pinterest.co.nz,pinterest.co.nz,pinterest.com.pe,pinterest.com.uy,*.pinterest.co.in,pinterest.com.py,*.pinterest.com.py,pinterest.com.bo,*.pinterest.com.bo,pinterest.com.ec,*.pinterest.com.ec,pinterest.co.in,*.pinterest.com.pe,*.pinterest.com.mx,pinterest.com.vn,*.pinterest.com.vn,*.pinterest.co.uk,*.pinterest.co.kr,*.pinterest.co.at,*.testing.pinterest.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Pinterest, Inc., CN=*.pinterest.com","advertised_alpns":"h2,http\/1.1","negotiated_alpn":"h2","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"1E:D0:5D:9F:0D:82:46:B3:60:5F:11:FB:64:D5:28:35:37:40:7A:4E"}}} 00810{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":864,"source":"cfgs\/default\/pcap\/pinterest.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605289733399863,"flow_src_last_pkt_time":1605289733399863,"flow_dst_last_pkt_time":1605289733399863,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605289733399863,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7a6e","src_port":40114,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} 00586{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":864,"source":"cfgs\/default\/pcap\/pinterest.pcap","alias":"nDPId-test","flow_id":37,"flow_packet_id":1,"flow_src_last_pkt_time":1605289733399863,"flow_dst_last_pkt_time":1605289733399863,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605289733399863,"pkt":"qtsDr8lk5EKm5WPyht1gBe6sACgGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAACXZXpunLIBuwBxlgkAAAAAoAL9IKzvAAACBAWgBAIICsW6TI0AAAAAAQMDBw=="} 00588{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":865,"source":"cfgs\/default\/pcap\/pinterest.pcap","alias":"nDPId-test","flow_id":37,"flow_packet_id":2,"flow_src_last_pkt_time":1605289733399863,"flow_dst_last_pkt_time":1605289733420828,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605289733420828,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPQBk\/5sAAAAAAAAAAJdlem4qAcsBIEmLB5kd7IUo3\/YpAbucsmOjoioAcZYKoBJXgB0AAAACBAV4AQMDAwQCCArCuW0jxbpMjQ=="} @@ -245,7 +241,6 @@ 01343{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":869,"source":"cfgs\/default\/pcap\/pinterest.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605289733399863,"flow_src_last_pkt_time":1605289733421383,"flow_dst_last_pkt_time":1605289733466833,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1048,"midstream":0,"thread_ts_usec":1605289733466833,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7a6e","src_port":40114,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.ADS_Analytic_Track","proto_id":"91.107","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Tracker\/Ads","category_id":101,"category":"Advertisement","hostname":"js-agent.newrelic.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","advertised_alpns":"h2,http\/1.1","negotiated_alpn":"h2","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 03205{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":875,"source":"cfgs\/default\/pcap\/pinterest.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":7,"flow_first_seen":1605289733399863,"flow_src_last_pkt_time":1605289733466898,"flow_dst_last_pkt_time":1605289733468841,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":5240,"midstream":0,"thread_ts_usec":1605289733468841,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7a6e","src_port":40114,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.ADS_Analytic_Track","proto_id":"91.107","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Tracker\/Ads","category_id":101,"category":"Advertisement","hostname":"js-agent.newrelic.com","tls": {"version":"TLSv1.2","server_names":"f4.shared.global.fastly.net,*.500px.com,*.500px.net,*.500px.org,*.acceptance.habitat.sh,*.api.swiftype.com,*.art19.com,*.brave.com,*.chef.co,*.chef.io,*.cookpad.com,*.evbstatic.com,*.eventbrite.com,*.experiencepoint.com,*.fs.pastbook.com,*.fs.quploads.com,*.ftcdn.net,*.fubo.tv,*.getchef.com,*.githash.fubo.tv,*.habitat.sh,*.inspec.io,*.issuu.com,*.isu.pub,*.jimdo-dev-staging.com,*.jimdo-stable-staging.com,*.lulus.com,*.mansion-market.com,*.marfeel.com,*.massrel.io,*.meetu.ps,*.meetup.com,*.meetupstatic.com,*.newrelic.com,*.opscode.com,*.perimeterx.net,*.production.cdn.art19.com,*.staging.art19.com,*.staging.cdn.art19.com,*.swiftype.com,*.tissuu.com,*.video.franklyinc.com,*.wikihow.com,*.worldnow.com,500px.com,500px.net,500px.org,a1.awin1.com,acceptance.habitat.sh,api.swiftype.com,app.birchbox.com,app.staging.birchbox.com,app.staging.birchbox.es,art19.com,brave.com,cdn-f.adsmoloco.com,cdn.evbuc.com,cdn.polyfills.io,chef.co,chef.io,content.gamefuel.info,evbuc.com,experiencepoint.com,fast.appcues.com,fast.wistia.com,fast.wistia.net,fast.wistia.st,fubo.tv,getchef.com,githash.fubo.tv,habitat.sh,hbbtv.6play.fr,houstontexans.com,insight.atpi.com,inspec.io,jimdo-dev-staging.com,jimdo-stable-staging.com,link.sg.booking.com,mansion-market.com,media.bunited.com,meetu.ps,meetup.com,meetupstatic.com,onairhls.malimarcdn.net,opscode.com,perimeterx.net,polyfill.webservices.ft.com,qa.polyfills.io,raiders.com,s.sg.booking.com,s.swiftypecdn.com,static.birchbox.com,swiftype.com,viverepiusani.it,wikihow.com,wistia.com,www.dwin2.com,www.houstontexans.com,www.raiders.com,www.wada-ama.org","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=BE, O=GlobalSign nv-sa, CN=GlobalSign CloudSSL CA - SHA256 - G3","subjectDN":"C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=f4.shared.global.fastly.net","advertised_alpns":"h2,http\/1.1","negotiated_alpn":"h2","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"BE:28:82:77:5B:06:41:1F:70:84:BD:A4:B9:FB:F0:BC:B1:B5:E3:A0"}}} 02197{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":895,"source":"cfgs\/default\/pcap\/pinterest.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605289733399863,"flow_src_last_pkt_time":1605289733500742,"flow_dst_last_pkt_time":1605289733511200,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1017,"flow_dst_tot_l4_payload_len":8749,"midstream":0,"thread_ts_usec":1605289733511200,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7a6e","src_port":40114,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":1,"avg":6845.7,"max":45476,"stddev":12150.2,"var":147627232.0,"ent":3.2,"data": [20965,21014,506,37100,8905,1,45476,39,2004,2,1,1,1959,29,12,7,90,33,7803,454,394,31006,1,387,1,22756,38,359,8296,2575,2]},"pktlen": {"min":72,"avg":377.7,"max":1120,"stddev":441.2,"var":194656.5,"ent":4.1,"data": [80,80,72,589,72,1120,1120,72,72,1120,1120,1120,1120,72,72,72,72,113,72,165,171,342,72,72,330,138,72,72,110,72,1120,1120]},"bins": {"c_to_s": [11,1,1,1,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,1,1,1,0,0,0,0,1,0,0,0,0,1,1,1,1,0,0,0,1,1,1],"entropies": [4.809510231,5.143908501,5.203041553,4.540377140,5.064233780,6.870509624,5.058271885,5.230819225,5.230819225,6.720662117,7.193079948,7.346520901,7.621092319,5.230819225,5.137001038,5.203041553,5.175263882,5.649272442,5.175263405,6.019917488,6.380431175,7.094295502,5.064233780,5.064233780,7.049797535,6.150704861,5.203041077,5.203041553,5.667691708,5.008678436,7.799199581,7.796170235]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.ADS_Analytic_Track","proto_id":"91.107","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Tracker\/Ads","category_id":101,"category":"Advertisement"}} -03208{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":895,"source":"cfgs\/default\/pcap\/pinterest.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605289733399863,"flow_src_last_pkt_time":1605289733500742,"flow_dst_last_pkt_time":1605289733511200,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1017,"flow_dst_tot_l4_payload_len":8749,"midstream":0,"thread_ts_usec":1605289733511200,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7a6e","src_port":40114,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.ADS_Analytic_Track","proto_id":"91.107","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Tracker\/Ads","category_id":101,"category":"Advertisement","hostname":"js-agent.newrelic.com","tls": {"version":"TLSv1.2","server_names":"f4.shared.global.fastly.net,*.500px.com,*.500px.net,*.500px.org,*.acceptance.habitat.sh,*.api.swiftype.com,*.art19.com,*.brave.com,*.chef.co,*.chef.io,*.cookpad.com,*.evbstatic.com,*.eventbrite.com,*.experiencepoint.com,*.fs.pastbook.com,*.fs.quploads.com,*.ftcdn.net,*.fubo.tv,*.getchef.com,*.githash.fubo.tv,*.habitat.sh,*.inspec.io,*.issuu.com,*.isu.pub,*.jimdo-dev-staging.com,*.jimdo-stable-staging.com,*.lulus.com,*.mansion-market.com,*.marfeel.com,*.massrel.io,*.meetu.ps,*.meetup.com,*.meetupstatic.com,*.newrelic.com,*.opscode.com,*.perimeterx.net,*.production.cdn.art19.com,*.staging.art19.com,*.staging.cdn.art19.com,*.swiftype.com,*.tissuu.com,*.video.franklyinc.com,*.wikihow.com,*.worldnow.com,500px.com,500px.net,500px.org,a1.awin1.com,acceptance.habitat.sh,api.swiftype.com,app.birchbox.com,app.staging.birchbox.com,app.staging.birchbox.es,art19.com,brave.com,cdn-f.adsmoloco.com,cdn.evbuc.com,cdn.polyfills.io,chef.co,chef.io,content.gamefuel.info,evbuc.com,experiencepoint.com,fast.appcues.com,fast.wistia.com,fast.wistia.net,fast.wistia.st,fubo.tv,getchef.com,githash.fubo.tv,habitat.sh,hbbtv.6play.fr,houstontexans.com,insight.atpi.com,inspec.io,jimdo-dev-staging.com,jimdo-stable-staging.com,link.sg.booking.com,mansion-market.com,media.bunited.com,meetu.ps,meetup.com,meetupstatic.com,onairhls.malimarcdn.net,opscode.com,perimeterx.net,polyfill.webservices.ft.com,qa.polyfills.io,raiders.com,s.sg.booking.com,s.swiftypecdn.com,static.birchbox.com,swiftype.com,viverepiusani.it,wikihow.com,wistia.com,www.dwin2.com,www.houstontexans.com,www.raiders.com,www.wada-ama.org","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=BE, O=GlobalSign nv-sa, CN=GlobalSign CloudSSL CA - SHA256 - G3","subjectDN":"C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=f4.shared.global.fastly.net","advertised_alpns":"h2,http\/1.1","negotiated_alpn":"h2","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"BE:28:82:77:5B:06:41:1F:70:84:BD:A4:B9:FB:F0:BC:B1:B5:E3:A0"}}} 00962{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":911,"source":"cfgs\/default\/pcap\/pinterest.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1605289712203025,"flow_src_last_pkt_time":1605289712203025,"flow_dst_last_pkt_time":1605289712420176,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1605289733529878,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:807::200a","src_port":40876,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"TLS","proto_id":"91","proto_by_ip":"Google","proto_by_ip_id":126,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00816{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":911,"source":"cfgs\/default\/pcap\/pinterest.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1605289712203025,"flow_src_last_pkt_time":1605289712203025,"flow_dst_last_pkt_time":1605289712420176,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1605289733529878,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:807::200a","src_port":40876,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} 01004{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":911,"source":"cfgs\/default\/pcap\/pinterest.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":21,"flow_first_seen":1605289714558209,"flow_src_last_pkt_time":1605289715028550,"flow_dst_last_pkt_time":1605289715083530,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1817,"flow_dst_tot_l4_payload_len":6047,"midstream":0,"thread_ts_usec":1605289733529878,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2600:1901::7a0b::","src_port":47032,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","proto_by_ip":"GoogleCloud","proto_by_ip_id":284,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} @@ -299,7 +294,7 @@ 00817{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":911,"source":"cfgs\/default\/pcap\/pinterest.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1605289718347065,"flow_src_last_pkt_time":1605289718347065,"flow_dst_last_pkt_time":1605289718378827,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1605289733529878,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80c::200a","src_port":57130,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} 00961{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":911,"source":"cfgs\/default\/pcap\/pinterest.pcap","alias":"nDPId-test","flow_id":29,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1605289722442860,"flow_src_last_pkt_time":1605289722442860,"flow_dst_last_pkt_time":1605289722621701,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1605289733529878,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2600:1901::7a0b::","src_port":46918,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"TLS","proto_id":"91","proto_by_ip":"GoogleCloud","proto_by_ip_id":284,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00810{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":911,"source":"cfgs\/default\/pcap\/pinterest.pcap","alias":"nDPId-test","flow_id":29,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1605289722442860,"flow_src_last_pkt_time":1605289722442860,"flow_dst_last_pkt_time":1605289722621701,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1605289733529878,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2600:1901::7a0b::","src_port":46918,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} -00648{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":911,"source":"cfgs\/default\/pcap\/pinterest.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":911,"packets-processed":911,"total-skipped-flows":0,"total-l4-payload-len":367869,"total-not-detected-flows":0,"total-guessed-flows":16,"total-detected-flows":21,"total-detection-updates":38,"total-updates":0,"current-active-flows":0,"total-active-flows":37,"total-idle-flows":37,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":302,"global_ts_usec":1605289733529878} +00648{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":911,"source":"cfgs\/default\/pcap\/pinterest.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":911,"packets-processed":911,"total-skipped-flows":0,"total-l4-payload-len":367869,"total-not-detected-flows":0,"total-guessed-flows":16,"total-detected-flows":21,"total-detection-updates":33,"total-updates":0,"current-active-flows":0,"total-active-flows":37,"total-idle-flows":37,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":297,"global_ts_usec":1605289733529878} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ ~~ packets captured/processed: 911/911 ~~ skipped flows.............: 0 @@ -313,5 +308,5 @@ ~~ total allocations/frees...: 219176/219176 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json message min len.......: 570 chars -~~ json message max len.......: 3531 chars -~~ json message avg len.......: 2050 chars +~~ json message max len.......: 3527 chars +~~ json message avg len.......: 2048 chars diff --git a/test/results/default/pop3_stls.pcap.out b/test/results/default/pop3_stls.pcap.out index 2293f5524..c57afde17 100644 --- a/test/results/default/pop3_stls.pcap.out +++ b/test/results/default/pop3_stls.pcap.out @@ -11,9 +11,8 @@ 01169{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":14,"source":"cfgs\/default\/pcap\/pop3_stls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":8,"flow_first_seen":1346096808946579,"flow_src_last_pkt_time":1346096810351879,"flow_dst_last_pkt_time":1346096810420652,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":168,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":186,"flow_dst_tot_l4_payload_len":1685,"midstream":0,"thread_ts_usec":1346096810420652,"l3_proto":"ip4","src_ip":"192.168.20.18","dst_ip":"72.249.41.52","src_port":50583,"dst_port":110,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":310,"client":275,"server":35}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":450,"client":345,"server":105}}},"confidence": {"6":"DPI"},"proto":"POPS","proto_id":"23","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Safe","category_id":3,"category":"Email"}} 01170{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":18,"source":"cfgs\/default\/pcap\/pop3_stls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":7,"flow_dst_packets_processed":11,"flow_first_seen":1346096808946579,"flow_src_last_pkt_time":1346096810421794,"flow_dst_last_pkt_time":1346096810490233,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":168,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":186,"flow_dst_tot_l4_payload_len":4965,"midstream":0,"thread_ts_usec":1346096810490233,"l3_proto":"ip4","src_ip":"192.168.20.18","dst_ip":"72.249.41.52","src_port":50583,"dst_port":110,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":310,"client":275,"server":35}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":450,"client":345,"server":105}}},"confidence": {"6":"DPI"},"proto":"POPS","proto_id":"23","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Safe","category_id":3,"category":"Email"}} 02426{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"cfgs\/default\/pcap\/pop3_stls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1346096808946579,"flow_src_last_pkt_time":1346096812985585,"flow_dst_last_pkt_time":1346096813059760,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":314,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":648,"flow_dst_tot_l4_payload_len":5522,"midstream":0,"thread_ts_usec":1346096813059760,"l3_proto":"ip4","src_ip":"192.168.20.18","dst_ip":"72.249.41.52","src_port":50583,"dst_port":110,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":215,"avg":262973.8,"max":2072094,"stddev":524859.6,"var":275477528576.0,"ent":3.3,"data": [68193,68972,68661,120626,119751,1003135,1075317,72544,524,70840,70284,69545,70981,215,69915,69104,262,69187,6957,114416,36010,229437,154000,2002867,2072094,69067,658,117241,116699,68875,75810]},"pktlen": {"min":40,"avg":234.5,"max":1500,"stddev":417.0,"var":173868.9,"ent":3.7,"data": [52,52,40,51,46,46,68,46,46,189,46,77,208,1500,1500,40,1500,400,40,354,46,278,71,46,93,71,46,208,84,89,82,89]},"bins": {"c_to_s": [9,2,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,4,0,0,1,1,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,1,0,1,1,0,1,1,0,1,0,1,1,0,1,1,0,0,1,1,0,1,1,0,1,1,0,1,0,1],"entropies": [4.492581844,4.801308632,4.734183788,5.157432556,4.996070385,4.501398087,5.447610855,4.952592373,4.501398087,5.483742237,5.012480259,5.432518482,5.539906025,7.142385483,7.103268623,4.734183788,6.899816990,7.242932796,4.784183979,7.363773823,4.501398087,6.985215187,5.760285378,4.501398087,5.843768597,5.665146351,4.501398087,6.988708973,5.939931870,5.954314232,5.674627304,5.896972179]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":310,"client":275,"server":35}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":450,"client":345,"server":105}}},"confidence": {"6":"DPI"},"proto":"POPS","proto_id":"23","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Safe","category_id":3,"category":"Email"}} -01171{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":32,"source":"cfgs\/default\/pcap\/pop3_stls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1346096808946579,"flow_src_last_pkt_time":1346096812985585,"flow_dst_last_pkt_time":1346096813059760,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":314,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":648,"flow_dst_tot_l4_payload_len":5522,"midstream":0,"thread_ts_usec":1346096813059760,"l3_proto":"ip4","src_ip":"192.168.20.18","dst_ip":"72.249.41.52","src_port":50583,"dst_port":110,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":310,"client":275,"server":35}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":450,"client":345,"server":105}}},"confidence": {"6":"DPI"},"proto":"POPS","proto_id":"23","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Safe","category_id":3,"category":"Email"}} 01201{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":53,"source":"cfgs\/default\/pcap\/pop3_stls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":23,"flow_dst_packets_processed":30,"flow_first_seen":1346096808946579,"flow_src_last_pkt_time":1346096814309972,"flow_dst_last_pkt_time":1346096814377321,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":314,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":805,"flow_dst_tot_l4_payload_len":7462,"midstream":0,"thread_ts_usec":1346096814377321,"l3_proto":"ip4","src_ip":"192.168.20.18","dst_ip":"72.249.41.52","src_port":50583,"dst_port":110,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":310,"client":275,"server":35}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":450,"client":345,"server":105}}},"confidence": {"6":"DPI"},"proto":"POPS","proto_id":"23","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Safe","category_id":3,"category":"Email"}} -00637{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":53,"source":"cfgs\/default\/pcap\/pop3_stls.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":53,"packets-processed":53,"total-skipped-flows":0,"total-l4-payload-len":8267,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":4,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":16,"global_ts_usec":1346096814377321} +00637{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":53,"source":"cfgs\/default\/pcap\/pop3_stls.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":53,"packets-processed":53,"total-skipped-flows":0,"total-l4-payload-len":8267,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":3,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":15,"global_ts_usec":1346096814377321} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ ~~ packets captured/processed: 53/53 ~~ skipped flows.............: 0 @@ -28,4 +27,4 @@ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json message min len.......: 531 chars ~~ json message max len.......: 2431 chars -~~ json message avg len.......: 1440 chars +~~ json message avg len.......: 1400 chars diff --git a/test/results/default/psiphon3.pcap.out b/test/results/default/psiphon3.pcap.out index 8ad65e27f..94ab44d1b 100644 --- a/test/results/default/psiphon3.pcap.out +++ b/test/results/default/psiphon3.pcap.out @@ -10,9 +10,8 @@ 01425{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":11,"source":"cfgs\/default\/pcap\/psiphon3.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":5,"flow_first_seen":1613865079123029,"flow_src_last_pkt_time":1613865079144402,"flow_dst_last_pkt_time":1613865079168363,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":168,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":336,"flow_dst_tot_l4_payload_len":1460,"midstream":0,"thread_ts_usec":1613865079168363,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"104.18.151.190","src_port":40557,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":300,"client":210,"server":90}},"52": {"risk":"ALPN\/SNI Mismatch","severity":"Medium","risk_score": {"total":350,"client":235,"server":115}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","proto_by_ip":"Cloudflare","proto_by_ip_id":220,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.2","ja3":"2d703033628575a99d44820c43b84876","ja3s":"eca9b8f0f3eae50309eaf901cb822d9b","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","advertised_alpns":"h2,http\/1.1","negotiated_alpn":"h2"}}} 01741{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":12,"source":"cfgs\/default\/pcap\/psiphon3.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":6,"flow_first_seen":1613865079123029,"flow_src_last_pkt_time":1613865079144402,"flow_dst_last_pkt_time":1613865079168363,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":168,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":336,"flow_dst_tot_l4_payload_len":2422,"midstream":0,"thread_ts_usec":1613865079168363,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"104.18.151.190","src_port":40557,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":300,"client":210,"server":90}},"52": {"risk":"ALPN\/SNI Mismatch","severity":"Medium","risk_score": {"total":350,"client":235,"server":115}}},"confidence": {"6":"DPI"},"proto":"TLS.Psiphon","proto_id":"91.303","proto_by_ip":"Cloudflare","proto_by_ip_id":220,"encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN","hostname":"","tls": {"version":"TLSv1.2","server_names":"sni.cloudflaressl.com,psiphon3.net,*.psiphon3.net","ja3":"2d703033628575a99d44820c43b84876","ja3s":"eca9b8f0f3eae50309eaf901cb822d9b","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3","subjectDN":"C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com","advertised_alpns":"h2,http\/1.1","negotiated_alpn":"h2","fingerprint":"49:30:DE:8F:B7:AF:C3:76:40:09:44:15:B4:6B:D9:8F:BE:0C:6B:0C"}}} 02386{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"cfgs\/default\/pcap\/psiphon3.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1613865079123029,"flow_src_last_pkt_time":1613865079254264,"flow_dst_last_pkt_time":1613865079202653,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1008,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":2038,"flow_dst_tot_l4_payload_len":5498,"midstream":0,"thread_ts_usec":1613865079254264,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"104.18.151.190","src_port":40557,"dst_port":443,"l4_proto":"tcp","flow_datalink":12,"flow_max_packets":5,"data_analysis": {"iat": {"min":0,"avg":6801.9,"max":46102,"stddev":10684.6,"var":114161304.0,"ent":3.6,"data": [6003,17375,0,14372,0,0,998,15961,7000,4998,0,0,3002,27963,1997,2998,1002,0,7002,25852,0,1389,0,0,4047,20760,1037,46102,1001,0,0]},"pktlen": {"min":40,"avg":277.5,"max":1500,"stddev":421.9,"var":177964.3,"ent":3.8,"data": [60,60,52,52,40,208,40,208,40,40,1500,1002,1500,1002,40,40,40,40,133,133,40,40,298,109,298,109,40,40,133,417,78,1048]},"bins": {"c_to_s": [10,1,3,0,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,2,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0]},"directions": [0,0,1,1,0,0,0,0,1,1,1,1,1,1,0,0,0,0,0,0,1,1,1,1,1,1,0,0,0,0,0,0],"entropies": [4.559092522,4.559092522,4.801308632,4.801308632,4.780641556,5.412927151,4.780641556,5.412927151,4.780641079,4.780641079,6.953819275,7.189953327,6.953819275,7.189953327,4.780641556,4.780641556,4.780641556,4.780641556,5.944580555,5.944580555,4.780641079,4.780641079,7.039272308,5.966729164,7.039272308,5.966729164,4.730641365,4.730641365,6.272472382,7.310267448,5.370555401,7.811244488]},"ndpi": {"flow_risk": {"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":300,"client":210,"server":90}},"52": {"risk":"ALPN\/SNI Mismatch","severity":"Medium","risk_score": {"total":350,"client":235,"server":115}}},"confidence": {"6":"DPI"},"proto":"TLS.Psiphon","proto_id":"91.303","proto_by_ip":"Cloudflare","proto_by_ip_id":220,"encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} -01745{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":32,"source":"cfgs\/default\/pcap\/psiphon3.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1613865079123029,"flow_src_last_pkt_time":1613865079254264,"flow_dst_last_pkt_time":1613865079202653,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1008,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":2038,"flow_dst_tot_l4_payload_len":5498,"midstream":0,"thread_ts_usec":1613865079254264,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"104.18.151.190","src_port":40557,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":300,"client":210,"server":90}},"52": {"risk":"ALPN\/SNI Mismatch","severity":"Medium","risk_score": {"total":350,"client":235,"server":115}}},"confidence": {"6":"DPI"},"proto":"TLS.Psiphon","proto_id":"91.303","proto_by_ip":"Cloudflare","proto_by_ip_id":220,"encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN","hostname":"","tls": {"version":"TLSv1.2","server_names":"sni.cloudflaressl.com,psiphon3.net,*.psiphon3.net","ja3":"2d703033628575a99d44820c43b84876","ja3s":"eca9b8f0f3eae50309eaf901cb822d9b","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3","subjectDN":"C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com","advertised_alpns":"h2,http\/1.1","negotiated_alpn":"h2","fingerprint":"49:30:DE:8F:B7:AF:C3:76:40:09:44:15:B4:6B:D9:8F:BE:0C:6B:0C"}}} 01226{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":62,"source":"cfgs\/default\/pcap\/psiphon3.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":30,"flow_first_seen":1613865079123029,"flow_src_last_pkt_time":1613865079845431,"flow_dst_last_pkt_time":1613865079841273,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1008,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":3700,"flow_dst_tot_l4_payload_len":5574,"midstream":0,"thread_ts_usec":1613865079845431,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"104.18.151.190","src_port":40557,"dst_port":443,"l4_proto":"tcp","flow_datalink":12,"flow_max_packets":5,"ndpi": {"flow_risk": {"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":300,"client":210,"server":90}},"52": {"risk":"ALPN\/SNI Mismatch","severity":"Medium","risk_score": {"total":350,"client":235,"server":115}}},"confidence": {"6":"DPI"},"proto":"TLS.Psiphon","proto_id":"91.303","proto_by_ip":"Cloudflare","proto_by_ip_id":220,"encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} -00636{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":62,"source":"cfgs\/default\/pcap\/psiphon3.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":62,"packets-processed":62,"total-skipped-flows":0,"total-l4-payload-len":9274,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":3,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":15,"global_ts_usec":1613865079845431} +00636{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":62,"source":"cfgs\/default\/pcap\/psiphon3.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":62,"packets-processed":62,"total-skipped-flows":0,"total-l4-payload-len":9274,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":2,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":14,"global_ts_usec":1613865079845431} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ ~~ packets captured/processed: 62/62 ~~ skipped flows.............: 0 @@ -27,4 +26,4 @@ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json message min len.......: 514 chars ~~ json message max len.......: 2391 chars -~~ json message avg len.......: 1424 chars +~~ json message avg len.......: 1396 chars diff --git a/test/results/default/reddit.pcap.out b/test/results/default/reddit.pcap.out index b831082d6..9eefb79a0 100644 --- a/test/results/default/reddit.pcap.out +++ b/test/results/default/reddit.pcap.out @@ -180,7 +180,6 @@ 01317{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":334,"source":"cfgs\/default\/pcap\/reddit.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291686084924,"flow_src_last_pkt_time":1605291686130302,"flow_dst_last_pkt_time":1605291686182406,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1048,"midstream":0,"thread_ts_usec":1605291686182406,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56590,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"emoji.redditmedia.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","advertised_alpns":"h2,http\/1.1","negotiated_alpn":"h2","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01601{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":341,"source":"cfgs\/default\/pcap\/reddit.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":5,"flow_first_seen":1605291686084924,"flow_src_last_pkt_time":1605291686182436,"flow_dst_last_pkt_time":1605291686183890,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":3144,"midstream":0,"thread_ts_usec":1605291686183890,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56590,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"emoji.redditmedia.com","tls": {"version":"TLSv1.2","server_names":"*.redditmedia.com,redditmedia.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.redditmedia.com","advertised_alpns":"h2,http\/1.1","negotiated_alpn":"h2","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"96:A3:77:56:81:79:10:5C:E8:7F:F0:33:D2:7E:1C:45:08:2C:25:85"}}} 02164{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":420,"source":"cfgs\/default\/pcap\/reddit.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291686084954,"flow_src_last_pkt_time":1605291686233012,"flow_dst_last_pkt_time":1605291686233017,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1107,"flow_dst_tot_l4_payload_len":8188,"midstream":0,"thread_ts_usec":1605291686233017,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56592,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":0,"avg":9552.3,"max":52464,"stddev":18854.0,"var":355471904.0,"ent":2.8,"data": [44627,44653,347,50980,1843,1,0,0,52464,10,3,2,2413,668,102,121,49031,1,45760,75,169,1186,0,1,1,1443,16,7,133,49,15]},"pktlen": {"min":72,"avg":363.0,"max":1120,"stddev":422.8,"var":178733.3,"ent":4.1,"data": [80,80,72,589,72,1120,1120,1120,602,72,72,72,72,165,171,389,153,72,330,72,72,72,138,72,1120,1118,72,72,72,1120,72,1120]},"bins": {"c_to_s": [11,0,2,1,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,0,0,0,0,0,1,1,0,1,1,1,1,1,1,0,0,0,1,0,1],"entropies": [4.907011986,5.354953289,5.301460266,4.552157402,5.139187336,6.938700199,7.322981834,7.354511738,7.534717083,5.245904922,5.218127251,5.245904922,5.273682594,6.089848042,6.412801743,7.335155964,6.124976635,5.139187336,7.085140228,5.273682594,5.111409664,5.028076649,6.191080093,5.111409664,7.845114708,7.817538738,5.273682594,5.245904922,5.263197899,7.819205284,5.245904922,7.795106411]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} -01604{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":420,"source":"cfgs\/default\/pcap\/reddit.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291686084954,"flow_src_last_pkt_time":1605291686233012,"flow_dst_last_pkt_time":1605291686233017,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1107,"flow_dst_tot_l4_payload_len":8188,"midstream":0,"thread_ts_usec":1605291686233017,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56592,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"emoji.redditmedia.com","tls": {"version":"TLSv1.2","server_names":"*.redditmedia.com,redditmedia.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.redditmedia.com","advertised_alpns":"h2,http\/1.1","negotiated_alpn":"h2","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"96:A3:77:56:81:79:10:5C:E8:7F:F0:33:D2:7E:1C:45:08:2C:25:85"}}} 00807{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":426,"source":"cfgs\/default\/pcap\/reddit.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605291686301196,"flow_src_last_pkt_time":1605291686301196,"flow_dst_last_pkt_time":1605291686301196,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291686301196,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56594,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} 00583{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":426,"source":"cfgs\/default\/pcap\/reddit.pcap","alias":"nDPId-test","flow_id":21,"flow_packet_id":1,"flow_src_last_pkt_time":1605291686301196,"flow_dst_last_pkt_time":1605291686301196,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291686301196,"pkt":"qtsDr8lk5EKm5WPyht1gDu9XACgGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAACXZXmM3RIBuyQ3ML0AAAAAoAL9IDDZAAACBAWgBAIICql05vEAAAAAAQMDBw=="} 00585{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":427,"source":"cfgs\/default\/pcap\/reddit.pcap","alias":"nDPId-test","flow_id":21,"flow_packet_id":2,"flow_src_last_pkt_time":1605291686301196,"flow_dst_last_pkt_time":1605291686327034,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291686327034,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPQBk\/5sAAAAAAAAAAJdleYwqAcsBIEmLB5kd7IUo3\/YpAbvdEkHBFWUkNzC+oBJXgILuAAACBAV4AQMDAwQCCArC1zmoqXTm8Q=="} @@ -191,7 +190,6 @@ 01320{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":431,"source":"cfgs\/default\/pcap\/reddit.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291686301196,"flow_src_last_pkt_time":1605291686327471,"flow_dst_last_pkt_time":1605291686419456,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1048,"midstream":0,"thread_ts_usec":1605291686419456,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56594,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"b.thumbs.redditmedia.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","advertised_alpns":"h2,http\/1.1","negotiated_alpn":"h2","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01625{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":434,"source":"cfgs\/default\/pcap\/reddit.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":5,"flow_first_seen":1605291686301196,"flow_src_last_pkt_time":1605291686419467,"flow_dst_last_pkt_time":1605291686420291,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":3144,"midstream":0,"thread_ts_usec":1605291686420291,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56594,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"b.thumbs.redditmedia.com","tls": {"version":"TLSv1.2","server_names":"*.thumbs.redditmedia.com,thumbs.redditmedia.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.thumbs.redditmedia.com","advertised_alpns":"h2,http\/1.1","negotiated_alpn":"h2","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"FF:F4:6C:CF:D6:FD:64:3E:50:17:A2:DE:B0:F2:B6:9B:76:59:C6:75"}}} 02159{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":457,"source":"cfgs\/default\/pcap\/reddit.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605291686301196,"flow_src_last_pkt_time":1605291686469619,"flow_dst_last_pkt_time":1605291686468646,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1078,"flow_dst_tot_l4_payload_len":8227,"midstream":0,"thread_ts_usec":1605291686469619,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56594,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":0,"avg":10834.6,"max":91996,"stddev":22155.6,"var":490868928.0,"ent":2.8,"data": [25838,25880,395,66367,26055,91996,835,0,0,829,7,4,1579,121,254,42141,1,1,6209,0,2,0,0,1,46395,10,6,2,1,4,940]},"pktlen": {"min":72,"avg":363.3,"max":1120,"stddev":424.0,"var":179781.3,"ent":4.1,"data": [80,80,72,589,72,1120,72,1120,1120,623,72,72,72,165,171,403,72,72,72,346,138,1120,1120,1120,1120,72,72,72,72,72,72,110]},"bins": {"c_to_s": [12,1,1,1,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,1,1,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0],"entropies": [4.907011986,5.304953098,5.301460266,4.568593025,5.139187336,6.968538761,5.258596897,7.334045410,7.344312668,7.577483654,5.301460266,5.329237938,5.301460266,6.086132526,6.472829342,7.337939262,5.128702641,5.166965008,5.166965008,7.241396427,6.241778851,7.834823132,7.795830250,7.800470352,7.816886902,5.273682594,5.301460266,5.273682594,5.329237938,5.301460266,5.329237938,5.684057236]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} -01628{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":457,"source":"cfgs\/default\/pcap\/reddit.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605291686301196,"flow_src_last_pkt_time":1605291686469619,"flow_dst_last_pkt_time":1605291686468646,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1078,"flow_dst_tot_l4_payload_len":8227,"midstream":0,"thread_ts_usec":1605291686469619,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56594,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"b.thumbs.redditmedia.com","tls": {"version":"TLSv1.2","server_names":"*.thumbs.redditmedia.com,thumbs.redditmedia.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.thumbs.redditmedia.com","advertised_alpns":"h2,http\/1.1","negotiated_alpn":"h2","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"FF:F4:6C:CF:D6:FD:64:3E:50:17:A2:DE:B0:F2:B6:9B:76:59:C6:75"}}} 00813{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":461,"source":"cfgs\/default\/pcap\/reddit.pcap","alias":"nDPId-test","flow_id":22,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605291686985114,"flow_src_last_pkt_time":1605291686985114,"flow_dst_last_pkt_time":1605291686985114,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291686985114,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2002","src_port":50960,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} 00583{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":461,"source":"cfgs\/default\/pcap\/reddit.pcap","alias":"nDPId-test","flow_id":22,"flow_packet_id":1,"flow_src_last_pkt_time":1605291686985114,"flow_dst_last_pkt_time":1605291686985114,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291686985114,"pkt":"qtsDr8lk5EKm5WPyht1gAMi0ACgGQCoBywEgSYsHmR3shSjf9ikqABRQQAcIBQAAAAAAACACxxABu7duD88AAAAAoAL9IJsfAAACBAWgBAIIClRf4AwAAAAAAQMDBw=="} 00806{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":462,"source":"cfgs\/default\/pcap\/reddit.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605291686985710,"flow_src_last_pkt_time":1605291686985710,"flow_dst_last_pkt_time":1605291686985710,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291686985710,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::df9:21c6","src_port":43492,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} @@ -218,7 +216,6 @@ 01250{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":498,"source":"cfgs\/default\/pcap\/reddit.pcap","alias":"nDPId-test","flow_id":24,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291686996891,"flow_src_last_pkt_time":1605291687024606,"flow_dst_last_pkt_time":1605291687096859,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1388,"midstream":0,"thread_ts_usec":1605291687096859,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::6853:b3b6","src_port":38320,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"c.aaxads.com","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"15af977ce25de452b96affa2addb1036","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","advertised_alpns":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 02193{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":530,"source":"cfgs\/default\/pcap\/reddit.pcap","alias":"nDPId-test","flow_id":22,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291686985114,"flow_src_last_pkt_time":1605291687110047,"flow_dst_last_pkt_time":1605291687110135,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":965,"flow_dst_tot_l4_payload_len":10234,"midstream":0,"thread_ts_usec":1605291687110135,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2002","src_port":50960,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":0,"avg":8063.0,"max":43636,"stddev":14163.2,"var":200595904.0,"ent":3.1,"data": [31477,31507,233,36835,7050,0,43636,16,599,576,2431,165,135,37718,689,1069,36764,111,89,22,531,8580,9121,90,75,174,0,158,5,98,0]},"pktlen": {"min":72,"avg":422.5,"max":1280,"stddev":490.0,"var":240053.7,"ent":4.1,"data": [80,80,72,589,72,1280,1280,72,72,533,72,136,164,333,72,72,652,72,103,72,103,72,778,72,1280,72,1280,1280,72,72,1280,1280]},"bins": {"c_to_s": [12,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,0,0,0,1,1,1,0,1,0,0,1,1,0,1,0,1,1,0,0,1,1],"entropies": [4.794175148,5.301737785,5.137723446,4.609352589,5.163392067,7.822265148,7.828993320,5.193279266,5.193279266,7.574356556,5.165501595,6.187675953,6.451539040,7.193062782,5.135614395,5.135614395,7.646523952,5.182794571,5.842692375,5.165501595,5.903290272,5.163392067,7.712309837,5.193279266,7.843823910,5.165501595,7.846527100,7.838549614,5.193279266,5.165501118,7.822370052,7.826137066]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.GoogleServices","proto_id":"91.239","proto_by_ip":"Google","proto_by_ip_id":126,"encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 02157{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":552,"source":"cfgs\/default\/pcap\/reddit.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605291686985710,"flow_src_last_pkt_time":1605291687112023,"flow_dst_last_pkt_time":1605291687112006,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":962,"flow_dst_tot_l4_payload_len":11490,"midstream":0,"thread_ts_usec":1605291687112023,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::df9:21c6","src_port":43492,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":0,"avg":8148.7,"max":51019,"stddev":15066.4,"var":226995168.0,"ent":3.0,"data": [38538,38619,398,37312,14166,1,0,0,1,51019,20,3,2,2,2408,107,140,31274,2,1645,1,30239,111,3355,1,0,0,3233,8,2,2]},"pktlen": {"min":72,"avg":461.6,"max":1460,"stddev":586.5,"var":343946.1,"ent":4.0,"data": [80,80,72,589,72,1460,1460,1460,1460,387,72,72,72,72,72,136,164,330,72,72,72,143,72,103,1460,1460,1460,1460,72,72,72,72]},"bins": {"c_to_s": [13,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,0,0,1,1,1,1,0,0,0,0],"entropies": [4.836891651,5.211080551,5.205674171,4.514605999,5.057240963,7.814661026,7.847680092,7.865528107,7.842185020,7.380033970,5.243936539,5.243936539,5.155763149,5.188381195,5.132825851,6.139283180,6.518441677,7.254546165,5.029463291,5.029463291,5.057240963,6.252353668,5.243936539,5.873327255,7.877524853,7.827719688,7.871821880,7.839930534,5.243936539,5.243936539,5.271714211,5.271714211]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} -01278{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":552,"source":"cfgs\/default\/pcap\/reddit.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605291686985710,"flow_src_last_pkt_time":1605291687112023,"flow_dst_last_pkt_time":1605291687112006,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":962,"flow_dst_tot_l4_payload_len":11490,"midstream":0,"thread_ts_usec":1605291687112023,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::df9:21c6","src_port":43492,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"c.amazon-adsystem.com","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"f4febc55ea12b31ae17cfb7e614afda8","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","advertised_alpns":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 00807{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":601,"source":"cfgs\/default\/pcap\/reddit.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605291687485783,"flow_src_last_pkt_time":1605291687485783,"flow_dst_last_pkt_time":1605291687485783,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291687485783,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::acd9:12c2","src_port":51026,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} 00584{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":601,"source":"cfgs\/default\/pcap\/reddit.pcap","alias":"nDPId-test","flow_id":25,"flow_packet_id":1,"flow_src_last_pkt_time":1605291687485783,"flow_dst_last_pkt_time":1605291687485783,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291687485783,"pkt":"qtsDr8lk5EKm5WPyht1gDGJhACgGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAACs2RLCx1IBu5\/PXZ4AAAAAoAL9IP2VAAACBAWgBAIICruOxrcAAAAAAQMDBw=="} 00585{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":602,"source":"cfgs\/default\/pcap\/reddit.pcap","alias":"nDPId-test","flow_id":25,"flow_packet_id":2,"flow_src_last_pkt_time":1605291687485783,"flow_dst_last_pkt_time":1605291687512994,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291687512994,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPQBk\/5sAAAAAAAAAAKzZEsIqAcsBIEmLB5kd7IUo3\/YpAbvHUvrRnoyfz12foBJXgAjWAAACBAV4AQMDAwQCCArC1z5Fu47Gtw=="} @@ -296,7 +293,6 @@ 01320{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":818,"source":"cfgs\/default\/pcap\/reddit.pcap","alias":"nDPId-test","flow_id":29,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291687800179,"flow_src_last_pkt_time":1605291687829706,"flow_dst_last_pkt_time":1605291688046248,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1388,"midstream":0,"thread_ts_usec":1605291688046248,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::68f4:2ac8","src_port":56782,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Twitter","proto_id":"91.120","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"syndication.twitter.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"8d2a028aa94425f76ced7826b1f39039","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","advertised_alpns":"h2,http\/1.1","negotiated_alpn":"h2","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01766{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":821,"source":"cfgs\/default\/pcap\/reddit.pcap","alias":"nDPId-test","flow_id":29,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":5,"flow_first_seen":1605291687800179,"flow_src_last_pkt_time":1605291688046258,"flow_dst_last_pkt_time":1605291688046580,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":3439,"midstream":0,"thread_ts_usec":1605291688046580,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::68f4:2ac8","src_port":56782,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Twitter","proto_id":"91.120","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"syndication.twitter.com","tls": {"version":"TLSv1.2","server_names":"syndication.twitter.com,syndication.twimg.com,syndication-o.twitter.com,syndication-o.twimg.com,cdn.syndication.twitter.com,cdn.syndication.twimg.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"8d2a028aa94425f76ced7826b1f39039","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Twitter, Inc., OU=lon3, CN=syndication.twitter.com","advertised_alpns":"h2,http\/1.1","negotiated_alpn":"h2","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"09:D3:FE:9A:3E:39:A7:E2:90:5B:C9:1F:3B:7D:CE:7C:7E:08:1C:6F"}}} 02189{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":867,"source":"cfgs\/default\/pcap\/reddit.pcap","alias":"nDPId-test","flow_id":32,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291687933355,"flow_src_last_pkt_time":1605291688258109,"flow_dst_last_pkt_time":1605291688258300,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1296,"flow_dst_tot_l4_payload_len":10685,"midstream":0,"thread_ts_usec":1605291688258300,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2620:116:800d:21:f916:5049:f87f:108e","src_port":48648,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":0,"avg":20958.0,"max":180245,"stddev":38814.9,"var":1506599424.0,"ent":3.3,"data": [41345,41375,239,45639,16078,1,0,61463,16,3,3880,365,125,94049,180245,10480,2,92307,53,428,5467,8019,1891,14882,15513,1,15533,36,263,0,1]},"pktlen": {"min":72,"avg":446.9,"max":1460,"stddev":554.6,"var":307585.9,"ent":4.0,"data": [80,80,72,589,72,1460,1460,660,72,72,72,198,171,330,330,72,346,141,72,72,110,72,72,110,72,1460,1460,72,72,1460,1460,1460]},"bins": {"c_to_s": [10,1,0,2,0,0,0,0,2,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,0,0,0,1,1,1,0,0,0,1,1,1,0,1,1,0,0,1,1,1],"entropies": [5.270193100,5.621731281,5.459350586,4.656135082,5.421088219,6.918155670,7.356199741,7.583865643,5.431572914,5.431572914,5.348239899,6.523558617,6.440567493,7.245548248,7.233427525,5.403794765,7.155272961,6.347721100,5.459350586,5.459350586,5.820535183,5.393310547,5.355048180,6.026633739,5.409216881,7.855928898,7.870290756,5.487128258,5.459350586,7.867146015,7.870689869,7.867941856]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} -01697{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":867,"source":"cfgs\/default\/pcap\/reddit.pcap","alias":"nDPId-test","flow_id":32,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291687933355,"flow_src_last_pkt_time":1605291688258109,"flow_dst_last_pkt_time":1605291688258300,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1296,"flow_dst_tot_l4_payload_len":10685,"midstream":0,"thread_ts_usec":1605291688258300,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2620:116:800d:21:f916:5049:f87f:108e","src_port":48648,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"secure.quantserve.com","tls": {"version":"TLSv1.2","server_names":"*.quantserve.com,*.quantcount.com,*.apextag.com,quantserve.com,quantcount.com,apextag.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"b898351eb5e266aefd3723d466935494","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Quantcast Corporation, CN=*.quantserve.com","advertised_alpns":"h2,http\/1.1","negotiated_alpn":"h2","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"3A:30:B1:4A:CE:62:AF:55:B1:89:FF:0C:CB:69:E3:80:CB:B0:91:90"}}} 00807{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":881,"source":"cfgs\/default\/pcap\/reddit.pcap","alias":"nDPId-test","flow_id":34,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605291688324076,"flow_src_last_pkt_time":1605291688324076,"flow_dst_last_pkt_time":1605291688324076,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291688324076,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::d83a:d1e6","src_port":51100,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} 00583{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":881,"source":"cfgs\/default\/pcap\/reddit.pcap","alias":"nDPId-test","flow_id":34,"flow_packet_id":1,"flow_src_last_pkt_time":1605291688324076,"flow_dst_last_pkt_time":1605291688324076,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291688324076,"pkt":"qtsDr8lk5EKm5WPyht1gDP1bACgGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAADYOtHmx5wBu0pXpjQAAAAAoAL9INe7AAACBAWgBAIICn8mSwwAAAAAAQMDBw=="} 00807{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":885,"source":"cfgs\/default\/pcap\/reddit.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605291688336354,"flow_src_last_pkt_time":1605291688336354,"flow_dst_last_pkt_time":1605291688336354,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291688336354,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::d83a:d1e6","src_port":51102,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} @@ -323,7 +319,6 @@ 01280{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":925,"source":"cfgs\/default\/pcap\/reddit.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291688344280,"flow_src_last_pkt_time":1605291688372055,"flow_dst_last_pkt_time":1605291688411963,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1208,"midstream":0,"thread_ts_usec":1605291688411963,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2600:9000:219c:ee00:6:44e3:f8c0:93a1","src_port":56186,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"rules.quantcount.com","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"f4febc55ea12b31ae17cfb7e614afda8","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","advertised_alpns":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 02197{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":975,"source":"cfgs\/default\/pcap\/reddit.pcap","alias":"nDPId-test","flow_id":34,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1605291688324076,"flow_src_last_pkt_time":1605291688488430,"flow_dst_last_pkt_time":1605291688495517,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1402,"flow_dst_tot_l4_payload_len":4278,"midstream":0,"thread_ts_usec":1605291688495517,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::d83a:d1e6","src_port":51100,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":1,"avg":10832.1,"max":42730,"stddev":14959.8,"var":223794400.0,"ent":3.6,"data": [41079,41100,165,31856,11033,42730,469,1,470,25,2812,1299,93,34223,10205,1,40205,536,1458,1,938,16571,1,3,16547,20,17,4417,310,12670,24540]},"pktlen": {"min":72,"avg":250.0,"max":1460,"stddev":362.6,"var":131502.0,"ent":4.0,"data": [80,80,72,589,72,1460,72,1460,172,72,72,136,164,486,72,652,72,72,103,72,103,72,793,103,111,72,72,72,111,107,282,72]},"bins": {"c_to_s": [11,2,2,0,0,0,1,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,0,0,0,0,1,1,1,0,0,1,1,0,1,1,1,0,0,0,0,0,0,1],"entropies": [4.857011318,5.329952717,5.273682594,4.540163040,5.139187336,7.843326092,5.273682594,7.862450600,6.539532185,5.273682594,5.273682594,6.134756088,6.541216850,7.446951866,5.166965008,7.636521339,5.100924969,5.273682594,5.932955742,5.111409664,5.777672768,5.263197899,7.737014294,5.703792095,5.962306976,5.301460266,5.329237938,5.329237938,6.057867527,5.878192425,7.107053280,5.166965008]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Acceptable","category_id":101,"category":"Advertisement"}} 02204{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":987,"source":"cfgs\/default\/pcap\/reddit.pcap","alias":"nDPId-test","flow_id":29,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291687800179,"flow_src_last_pkt_time":1605291688483940,"flow_dst_last_pkt_time":1605291688560007,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1460,"flow_dst_tot_l4_payload_len":4488,"midstream":0,"thread_ts_usec":1605291688560007,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::68f4:2ac8","src_port":56782,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":0,"avg":46567.4,"max":216552,"stddev":67587.7,"var":4568099328.0,"ent":3.6,"data": [29231,29299,228,29539,187299,216552,332,0,326,7,1815,188,30,70254,211900,6516,1,182884,58339,20162,41757,64,46,873,11694,10868,9898,6233,112514,128634,76106]},"pktlen": {"min":72,"avg":258.4,"max":1460,"stddev":353.4,"var":124913.6,"ent":4.1,"data": [80,80,72,589,72,1460,72,1460,735,72,72,198,171,362,362,72,72,72,172,72,314,72,116,72,110,110,72,72,72,531,72,338]},"bins": {"c_to_s": [9,1,0,3,0,0,0,0,0,2,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,2,0,0,0,0,0,1,1,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,0,0,0,0,0,1,1,1,0,1,1,0,1,0,0,1,0,1,1,1,0,1],"entropies": [4.822575092,5.245516300,5.245904922,4.574756145,5.111409664,6.787540913,5.218127251,7.353115559,7.586227894,5.162571907,5.190349579,6.362659931,6.273279667,7.149994850,7.138213634,5.083631992,5.055854321,5.055854321,6.419822216,5.083631992,6.981730461,5.245904922,5.900056362,5.218127251,5.636374950,5.857635021,5.190349579,5.083631992,5.083631992,7.496485710,5.175263882,7.287763596]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Twitter","proto_id":"91.120","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} -01769{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":987,"source":"cfgs\/default\/pcap\/reddit.pcap","alias":"nDPId-test","flow_id":29,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291687800179,"flow_src_last_pkt_time":1605291688483940,"flow_dst_last_pkt_time":1605291688560007,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1460,"flow_dst_tot_l4_payload_len":4488,"midstream":0,"thread_ts_usec":1605291688560007,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::68f4:2ac8","src_port":56782,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Twitter","proto_id":"91.120","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"syndication.twitter.com","tls": {"version":"TLSv1.2","server_names":"syndication.twitter.com,syndication.twimg.com,syndication-o.twitter.com,syndication-o.twimg.com,cdn.syndication.twitter.com,cdn.syndication.twimg.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"8d2a028aa94425f76ced7826b1f39039","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Twitter, Inc., OU=lon3, CN=syndication.twitter.com","advertised_alpns":"h2,http\/1.1","negotiated_alpn":"h2","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"09:D3:FE:9A:3E:39:A7:E2:90:5B:C9:1F:3B:7D:CE:7C:7E:08:1C:6F"}}} 00823{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":993,"source":"cfgs\/default\/pcap\/reddit.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605291688611238,"flow_src_last_pkt_time":1605291688611238,"flow_dst_last_pkt_time":1605291688611238,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291688611238,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2606:2800:134:1a0d:1429:742:782:b6","src_port":39736,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} 00585{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":993,"source":"cfgs\/default\/pcap\/reddit.pcap","alias":"nDPId-test","flow_id":37,"flow_packet_id":1,"flow_src_last_pkt_time":1605291688611238,"flow_dst_last_pkt_time":1605291688611238,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291688611238,"pkt":"qtsDr8lk5EKm5WPyht1gDEO\/ACgGQCoBywEgSYsHmR3shSjf9ikmBigAATQaDRQpB0IHggC2mzgBu\/F3Z44AAAAAoAL9IIe6AAACBAWgBAIICvY2BR4AAAAAAQMDBw=="} 00584{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":994,"source":"cfgs\/default\/pcap\/reddit.pcap","alias":"nDPId-test","flow_id":37,"flow_packet_id":2,"flow_src_last_pkt_time":1605291688611238,"flow_dst_last_pkt_time":1605291688654248,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291688654248,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPSYGKAABNBoNFCkHQgeCALYqAcsBIEmLB5kd7IUo3\/YpAbubOJS20cTxd2ePoBJXgMFkAAACBAV4AQMDAwQCCArC10K+9jYFHg=="} @@ -393,7 +388,6 @@ 01315{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1225,"source":"cfgs\/default\/pcap\/reddit.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291689408040,"flow_src_last_pkt_time":1605291689434011,"flow_dst_last_pkt_time":1605291689577976,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1048,"midstream":0,"thread_ts_usec":1605291689577976,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56640,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"gateway.reddit.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","advertised_alpns":"h2,http\/1.1","negotiated_alpn":"h2","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01584{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1229,"source":"cfgs\/default\/pcap\/reddit.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":5,"flow_first_seen":1605291689408040,"flow_src_last_pkt_time":1605291689578012,"flow_dst_last_pkt_time":1605291689578047,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":3144,"midstream":0,"thread_ts_usec":1605291689578047,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56640,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"gateway.reddit.com","tls": {"version":"TLSv1.2","server_names":"reddit.com,*.reddit.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.reddit.com","advertised_alpns":"h2,http\/1.1","negotiated_alpn":"h2","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"DB:E9:D5:FE:EB:EF:68:34:55:FD:62:BA:C9:BB:04:D4:E3:22:18:81"}}} 02171{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1251,"source":"cfgs\/default\/pcap\/reddit.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291689408040,"flow_src_last_pkt_time":1605291689629927,"flow_dst_last_pkt_time":1605291689672104,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1710,"flow_dst_tot_l4_payload_len":4392,"midstream":0,"thread_ts_usec":1605291689672104,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56640,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":0,"avg":15675.8,"max":144189,"stddev":36484.9,"var":1331146624.0,"ent":2.7,"data": [25745,25768,203,144189,2,0,143997,4,71,1,41,7,2508,597,1253,49737,1,0,1,45397,18,103,1,65,704,437,888,38392,2516,1067,2238]},"pktlen": {"min":72,"avg":263.2,"max":1120,"stddev":320.8,"var":102914.8,"ent":4.2,"data": [80,80,72,589,72,1120,1120,72,72,1120,587,72,72,165,171,471,72,72,330,138,72,72,72,439,72,110,566,142,72,72,72,114]},"bins": {"c_to_s": [9,1,2,1,0,0,0,0,0,0,0,0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,1,1,0,0,0,0,0,1,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,1,0,0,0,0,0,1,1,1,1,0,0,1,1,0,0,0,0,1,1,1,1],"entropies": [4.857011795,5.259831905,5.179864883,4.529115200,5.055853844,6.908260822,7.364731312,5.245904922,5.218127251,7.327914715,7.541935444,5.162571907,5.218127251,6.139030457,6.351455688,7.439690113,5.166965008,5.139187336,7.125073433,6.245332241,5.235420227,5.273682594,5.139187336,7.450459003,5.273682594,5.556783676,7.574505329,6.164192200,5.085018635,5.139187336,5.139187336,5.963419437]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} -01587{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1251,"source":"cfgs\/default\/pcap\/reddit.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291689408040,"flow_src_last_pkt_time":1605291689629927,"flow_dst_last_pkt_time":1605291689672104,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1710,"flow_dst_tot_l4_payload_len":4392,"midstream":0,"thread_ts_usec":1605291689672104,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56640,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"gateway.reddit.com","tls": {"version":"TLSv1.2","server_names":"reddit.com,*.reddit.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.reddit.com","advertised_alpns":"h2,http\/1.1","negotiated_alpn":"h2","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"DB:E9:D5:FE:EB:EF:68:34:55:FD:62:BA:C9:BB:04:D4:E3:22:18:81"}}} 00814{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1271,"source":"cfgs\/default\/pcap\/reddit.pcap","alias":"nDPId-test","flow_id":45,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605291690373466,"flow_src_last_pkt_time":1605291690373466,"flow_dst_last_pkt_time":1605291690373466,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291690373466,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2002","src_port":51006,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} 00584{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1271,"source":"cfgs\/default\/pcap\/reddit.pcap","alias":"nDPId-test","flow_id":45,"flow_packet_id":1,"flow_src_last_pkt_time":1605291690373466,"flow_dst_last_pkt_time":1605291690373466,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291690373466,"pkt":"qtsDr8lk5EKm5WPyht1gB68TACgGQCoBywEgSYsHmR3shSjf9ikqABRQQAcIBQAAAAAAACACxz4Buz6Su2UAAAAAoAL9IFr7AAACBAWgBAIIClRf7UgAAAAAAQMDBw=="} 00814{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1272,"source":"cfgs\/default\/pcap\/reddit.pcap","alias":"nDPId-test","flow_id":46,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605291690384370,"flow_src_last_pkt_time":1605291690384370,"flow_dst_last_pkt_time":1605291690384370,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291690384370,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80b::2002","src_port":59336,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} @@ -585,7 +579,7 @@ 01015{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":1942,"source":"cfgs\/default\/pcap\/reddit.pcap","alias":"nDPId-test","flow_id":53,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":13,"flow_first_seen":1605291690926830,"flow_src_last_pkt_time":1605291691044050,"flow_dst_last_pkt_time":1605291691043957,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":581,"flow_dst_tot_l4_payload_len":7976,"midstream":0,"thread_ts_usec":1605291698602574,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:808::2001","src_port":46814,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","proto_by_ip":"Google","proto_by_ip_id":126,"encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 01032{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1942,"source":"cfgs\/default\/pcap\/reddit.pcap","alias":"nDPId-test","flow_id":22,"flow_state":"finished","flow_src_packets_processed":63,"flow_dst_packets_processed":101,"flow_first_seen":1605291686985114,"flow_src_last_pkt_time":1605291698488081,"flow_dst_last_pkt_time":1605291698522640,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1168,"flow_dst_max_l4_payload_len":2333,"flow_src_tot_l4_payload_len":3956,"flow_dst_tot_l4_payload_len":41414,"midstream":0,"thread_ts_usec":1605291698602574,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2002","src_port":50960,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.GoogleServices","proto_id":"91.239","proto_by_ip":"Google","proto_by_ip_id":126,"encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 01021{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1942,"source":"cfgs\/default\/pcap\/reddit.pcap","alias":"nDPId-test","flow_id":45,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":15,"flow_first_seen":1605291690373466,"flow_src_last_pkt_time":1605291690495529,"flow_dst_last_pkt_time":1605291690520905,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1020,"flow_dst_tot_l4_payload_len":4664,"midstream":0,"thread_ts_usec":1605291698602574,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2002","src_port":51006,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","proto_by_ip":"Google","proto_by_ip_id":126,"encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} -00647{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":1942,"source":"cfgs\/default\/pcap\/reddit.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":1942,"packets-processed":1942,"total-skipped-flows":0,"total-l4-payload-len":546888,"total-not-detected-flows":0,"total-guessed-flows":1,"total-detected-flows":59,"total-detection-updates":90,"total-updates":0,"current-active-flows":0,"total-active-flows":60,"total-idle-flows":60,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":588,"global_ts_usec":1605291698602574} +00647{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":1942,"source":"cfgs\/default\/pcap\/reddit.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":1942,"packets-processed":1942,"total-skipped-flows":0,"total-l4-payload-len":546888,"total-not-detected-flows":0,"total-guessed-flows":1,"total-detected-flows":59,"total-detection-updates":84,"total-updates":0,"current-active-flows":0,"total-active-flows":60,"total-idle-flows":60,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":582,"global_ts_usec":1605291698602574} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ ~~ packets captured/processed: 1942/1942 ~~ skipped flows.............: 0 diff --git a/test/results/default/roblox.pcapng.out b/test/results/default/roblox.pcapng.out index bf44d6e7d..d76c50696 100644 --- a/test/results/default/roblox.pcapng.out +++ b/test/results/default/roblox.pcapng.out @@ -16,8 +16,7 @@ 02504{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":18,"source":"cfgs\/default\/pcap\/roblox.pcapng","alias":"nDPId-test","flow_id":2,"flow_packet_id":5,"flow_src_last_pkt_time":1686316284117183,"flow_dst_last_pkt_time":1686316284145726,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":1514,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1514,"pkt_l4_len":1480,"thread_ts_usec":1686316284145726,"pkt":"Jjb1W8R1CL6sCxduCABFAAXcEjxAADUGZiOAdHoEwKgMnAG7mHqQakPs+bx0zYAQAAnwhAAAAQEICkEwULPVk0gbFgMDAHoCAAB2AwP4BXPwGT00VIKjwhz\/iAjBX5hcQlAkH8qUL2GYRZ2JDyCEEkqPT4hvfG5BhIptV74wk3A2PYO6qS2cp+AMu2mVSBMBAAAuACsAAgMEADMAJAAdACDv+sSz2sc9nAJ2xwbZNggYo\/XMPVfMs1rZ+FhiOG7sbhQDAwABARcDAwAqj+ObT3wmRQmspaK+qrIa0FIN2nKpicKwZLltd1NMgyZxPs+Q5NFbKMq1FwMDFt7NiDihBiTew2A1WYHeDFdb5XjnvadO4mz9ZVoyi1Ud7AuqmJ+YhFC\/tSnrhA\/L9YMIX2NDYlSfhkKS61LUR3CsO5LWxV6DUNKqWrFqcTDF8xzIxNty2lMXpegl17yEWyWtR4qECJaNI0mFsBGmeiHmJCTnM1GmMWo91RdX4cVtapki45ZCFFhYF7chaucSShcOZFWE63CfZodB8A40WMSp9k7zkyemrxe5n0d6xWkWN8TPelzxLckRFGlo8kHq+PtReTKHOKWX5Zy\/6g4PcgoBi\/6rBmWM45HnQ+\/LknwOl9OivcqylNqUEfZO6tK2muefZQVPfbuuj+VXsN60KrKQRolxaOXUyCjHdGsiOv21Hn31cZeqEh5fNBDNGGOGaHas494sghqnDFo4qeI3vRmyL5KQVb3s9rt+Ci8FuYv10vMhHS1aLhUHGod3kY8qnWue1aHYZnxHYkk5YwGoz\/bf4MMd5ArSh27vxxzyYrYCFzNRDox47Dy1phgxx4k5IiPGwqGraYagHEj4rzEJuaJSgbhvXVx8ur8RBTFWlbn9V9o7zCyhFyjpdF8Vr1GNh\/5cfLE84m6h1kHKyQxl1YRe+0iZ6LpbSYEG3alX+6vxuOKfc8y9tVeg4A0MXdj3bf5SY8tForlzUVmEyfWkEvXuIG5TbGI3BbQTi\/x9B63QNDd8HujYxb4IKgGUYPxObk8szG+W3pZljxqX7uKnvHk7gF6WS1N+\/SdVK8FeBQZRRtnUXBSYfMNUQVr4PZnIRzwdZpS9BpXNqLj+w7eQcFCVWDU00\/cMybr2LM0khbNMHA0G9NB3RsWxJz2d8kJcY3XuEG3eiJnPzBo0AxV8u8rXuzBF56HtPyrdp6CsITbT2CK9OdxNnHlB6yXkXulNvClvweEwpJtm\/IxMsqEEOYhNsr4whK3WPvN7X6bOC\/dQfyaxmfyYAWB3dFl\/JGabl8sJoB6fxJaBAAcKLtRAXYmLBv6ZmmZj5WyC7bzZwBnoCmJmyMK1sMXQv1Pk5WMVJEPtEvxX0nxspeMnd+A+UZPGnb9Rmh6bp43bceptOmDswoXcUs2K31dd8Ly4f63mJHzOOcNTe6BlkHJf12AyJ2ke3vR2afu1m5ra3u79zEP\/SK5u5S0TNxJWBMK9F+WNbvSgx9WgrGqGuUWHiLuX9ckai13\/ulSH0DmgGDWc+V+Z6DLKD0HiOd+WQNkMLFV1jVvCZf3HDSS0yv\/SQ54Y9YBBBTdI+Y5i+Pv\/kQo5sBDRkyHDG33HajhsGNrGOZCybwHs5a1kpsDabpgf0VU8GZJBD5Hgd+lIZxqt1YblX3jwEpkKjCar+TbJ6HyKIVWdhHeOEhwwLFfki93bsT0beK8KJMz63nEv0YIOtQHWsiAuAwpzSnHJtznf2Z0+uCEPwMJgLEO5V7OAd5wxrDhI8ONbOPL3DL3HH6ggibiIQLcFi6HiI29Y+9b6G6RmmPAlyA4rw6PIK9cU9BFkJujokIKPu2o0\/4jJkMpL316i4xHdbWh4\/7\/2JB\/A9H9JyIhKoSZPq0IKNmOZejI9rUJowqzW+B9m3zB1DZjf8MdO6LjPPDYFYzeu1pKFrZH0c0aWZ8cwagPf5nE6xiuAQ8ZdqDMiYsu\/R992FEud16tqrGdqp0G6kY2eJinf4uLYYyuxMS4THTGHQDSMdrIGDdz+Ri0="} 01216{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":18,"source":"cfgs\/default\/pcap\/roblox.pcapng","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":2,"flow_first_seen":1686316283901532,"flow_src_last_pkt_time":1686316284117183,"flow_dst_last_pkt_time":1686316284145726,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1448,"midstream":0,"thread_ts_usec":1686316284145726,"l3_proto":"ip4","src_ip":"192.168.12.156","dst_ip":"128.116.122.4","src_port":39034,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Roblox","proto_id":"91.346","proto_by_ip":"Roblox","proto_by_ip_id":346,"encrypted":1,"breed":"Fun","category_id":8,"category":"Game","hostname":"assetgame.roblox.com","tls": {"version":"TLSv1.3","ja3":"f436b9416f37d134cadd04886327d3e8","ja3s":"f4febc55ea12b31ae17cfb7e614afda8","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","advertised_alpns":"http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} 02190{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":45,"source":"cfgs\/default\/pcap\/roblox.pcapng","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1686316283901532,"flow_src_last_pkt_time":1686316295462569,"flow_dst_last_pkt_time":1686316295484971,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1024,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":2279,"flow_dst_tot_l4_payload_len":7499,"midstream":0,"thread_ts_usec":1686316295484971,"l3_proto":"ip4","src_ip":"192.168.12.156","dst_ip":"128.116.122.4","src_port":39034,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":7,"avg":746596.0,"max":10785585,"stddev":2538101.5,"var":6441959161856.0,"ent":1.7,"data": [28467,194118,21533,215727,23,12,472,7,126878,1267,3499,273,4379,2627,513,240,137878,55,702,108040,106788,174593,10000206,310,357197,548002,10785585,40059,91693,5740,187593]},"pktlen": {"min":40,"avg":357.7,"max":1500,"stddev":487.7,"var":237869.3,"ent":3.9,"data": [60,60,52,569,1500,1500,1252,1500,891,52,52,52,52,52,116,1076,702,323,323,52,52,578,52,76,52,52,76,52,52,76,52,40]},"bins": {"c_to_s": [13,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,0,1,0,1,1,1,1,0,0,0,0,1],"entropies": [4.779968262,5.300120354,5.195351124,4.779649258,7.870378971,7.875164032,7.842136383,7.870733738,7.754308224,5.156889439,5.156889439,5.118428230,5.118427753,4.988526344,6.087430477,7.824826241,7.718070984,7.273851871,7.313729286,5.195351124,5.118428230,7.627631664,5.195351124,5.716266155,5.233812809,5.065449238,5.742581844,5.142372608,5.118427753,5.663634777,5.118428230,4.019286156]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Roblox","proto_id":"91.346","proto_by_ip":"Roblox","proto_by_ip_id":346,"encrypted":1,"breed":"Fun","category_id":8,"category":"Game"}} -01220{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":45,"source":"cfgs\/default\/pcap\/roblox.pcapng","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1686316283901532,"flow_src_last_pkt_time":1686316295462569,"flow_dst_last_pkt_time":1686316295484971,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1024,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":2279,"flow_dst_tot_l4_payload_len":7499,"midstream":0,"thread_ts_usec":1686316295484971,"l3_proto":"ip4","src_ip":"192.168.12.156","dst_ip":"128.116.122.4","src_port":39034,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Roblox","proto_id":"91.346","proto_by_ip":"Roblox","proto_by_ip_id":346,"encrypted":1,"breed":"Fun","category_id":8,"category":"Game","hostname":"assetgame.roblox.com","tls": {"version":"TLSv1.3","ja3":"f436b9416f37d134cadd04886327d3e8","ja3s":"f4febc55ea12b31ae17cfb7e614afda8","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","advertised_alpns":"http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} -00635{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":48,"source":"cfgs\/default\/pcap\/roblox.pcapng","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":48,"packets-processed":47,"total-skipped-flows":0,"total-l4-payload-len":13253,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":2,"total-updates":0,"current-active-flows":2,"total-active-flows":2,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":20,"global_ts_usec":1686326648493170} +00635{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":48,"source":"cfgs\/default\/pcap\/roblox.pcapng","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":48,"packets-processed":47,"total-skipped-flows":0,"total-l4-payload-len":13253,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":1,"total-updates":0,"current-active-flows":2,"total-active-flows":2,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":19,"global_ts_usec":1686326648493170} 00787{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":48,"source":"cfgs\/default\/pcap\/roblox.pcapng","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1686326648493170,"flow_src_last_pkt_time":1686326648493170,"flow_dst_last_pkt_time":1686326648493170,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1356,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1356,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1356,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1686326648493170,"l3_proto":"ip4","src_ip":"192.168.12.156","dst_ip":"128.116.44.33","src_port":45693,"dst_port":53385,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":5} 02329{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":48,"source":"cfgs\/default\/pcap\/roblox.pcapng","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_src_last_pkt_time":1686326648493170,"flow_dst_last_pkt_time":1686326648493170,"flow_idle_time":200000000,"pkt_datalink":1,"pkt_caplen":1398,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1398,"pkt_l4_len":1364,"thread_ts_usec":1686326648493170,"pkt":"CL6sCxduJjb1W8R1CABFAAVoAABAAEARu6vAqAycgHQsIbJ90IkFVNfxAQAAHwERAaMCLkuAjaPJ6FqVJdO4\/a0CBgoJAJDQiXsA\/\/8A\/v7+\/v39\/f0SNFZ4BQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"} 00929{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":48,"source":"cfgs\/default\/pcap\/roblox.pcapng","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1686326648493170,"flow_src_last_pkt_time":1686326648493170,"flow_dst_last_pkt_time":1686326648493170,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1356,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1356,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1356,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1686326648493170,"l3_proto":"ip4","src_ip":"192.168.12.156","dst_ip":"128.116.44.33","src_port":45693,"dst_port":53385,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"RakNet","proto_id":"286","proto_by_ip":"Roblox","proto_by_ip_id":346,"encrypted":0,"breed":"Fun","category_id":8,"category":"Game"}} @@ -27,7 +26,7 @@ 00605{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":52,"source":"cfgs\/default\/pcap\/roblox.pcapng","alias":"nDPId-test","flow_id":3,"flow_packet_id":5,"flow_src_last_pkt_time":1686326648735662,"flow_dst_last_pkt_time":1686326648493170,"flow_idle_time":200000000,"pkt_datalink":1,"pkt_caplen":109,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":109,"pkt_l4_len":75,"thread_ts_usec":1686326648735662,"pkt":"CL6sCxduJjb1W8R1CABFAABfhZcAAEARex3AqAycgHQsIbJ90IkAS7YiAQAAHwERAoJSCQq+6il8U+Lfk82kmGMCBgoJAJDQiQPawcSA\/bOuR7gJ5LgpDk+soFdu7AZnfJ12rVYjGKUI3M\/gLA=="} 00971{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":65,"source":"cfgs\/default\/pcap\/roblox.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":6,"flow_dst_packets_processed":7,"flow_first_seen":1686316283692571,"flow_src_last_pkt_time":1686316283794515,"flow_dst_last_pkt_time":1686316283806465,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":27,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1356,"flow_dst_max_l4_payload_len":138,"flow_src_tot_l4_payload_len":2977,"flow_dst_tot_l4_payload_len":498,"midstream":0,"thread_ts_usec":1686326648875787,"l3_proto":"ip4","src_ip":"192.168.12.156","dst_ip":"128.116.89.113","src_port":42965,"dst_port":63862,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"RakNet","proto_id":"286","proto_by_ip":"Roblox","proto_by_ip_id":346,"encrypted":0,"breed":"Fun","category_id":8,"category":"Game"}} 00978{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":65,"source":"cfgs\/default\/pcap\/roblox.pcapng","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":15,"flow_first_seen":1686316283901532,"flow_src_last_pkt_time":1686316296142505,"flow_dst_last_pkt_time":1686316295484971,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1024,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":2279,"flow_dst_tot_l4_payload_len":7499,"midstream":0,"thread_ts_usec":1686326648875787,"l3_proto":"ip4","src_ip":"192.168.12.156","dst_ip":"128.116.122.4","src_port":39034,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Roblox","proto_id":"91.346","proto_by_ip":"Roblox","proto_by_ip_id":346,"encrypted":1,"breed":"Fun","category_id":8,"category":"Game"}} -00635{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":65,"source":"cfgs\/default\/pcap\/roblox.pcapng","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":65,"packets-processed":64,"total-skipped-flows":0,"total-l4-payload-len":22280,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":3,"total-detection-updates":2,"total-updates":0,"current-active-flows":1,"total-active-flows":3,"total-idle-flows":2,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":30,"global_ts_usec":1686333469750635} +00635{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":65,"source":"cfgs\/default\/pcap\/roblox.pcapng","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":65,"packets-processed":64,"total-skipped-flows":0,"total-l4-payload-len":22280,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":3,"total-detection-updates":1,"total-updates":0,"current-active-flows":1,"total-active-flows":3,"total-idle-flows":2,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":29,"global_ts_usec":1686333469750635} 00787{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":65,"source":"cfgs\/default\/pcap\/roblox.pcapng","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1686333469750635,"flow_src_last_pkt_time":1686333469750635,"flow_dst_last_pkt_time":1686333469750635,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1356,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1356,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1356,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1686333469750635,"l3_proto":"ip4","src_ip":"192.168.12.156","dst_ip":"128.116.44.33","src_port":46507,"dst_port":51438,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":5} 02328{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":65,"source":"cfgs\/default\/pcap\/roblox.pcapng","alias":"nDPId-test","flow_id":4,"flow_packet_id":1,"flow_src_last_pkt_time":1686333469750635,"flow_dst_last_pkt_time":1686333469750635,"flow_idle_time":200000000,"pkt_datalink":1,"pkt_caplen":1398,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1398,"pkt_l4_len":1364,"thread_ts_usec":1686333469750635,"pkt":"CL6sCxduJjb1W8R1CABFAAVoAABAAEARu6vAqAycgHQsIbWryO4FVEvhAQAAHwERAYlJ+hMYU2DqGCGy2n4VfpgCBgoJBgPI7nsA\/\/8A\/v7+\/v39\/f0SNFZ4BQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"} 00929{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":65,"source":"cfgs\/default\/pcap\/roblox.pcapng","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1686333469750635,"flow_src_last_pkt_time":1686333469750635,"flow_dst_last_pkt_time":1686333469750635,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1356,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1356,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1356,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1686333469750635,"l3_proto":"ip4","src_ip":"192.168.12.156","dst_ip":"128.116.44.33","src_port":46507,"dst_port":51438,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"RakNet","proto_id":"286","proto_by_ip":"Roblox","proto_by_ip_id":346,"encrypted":0,"breed":"Fun","category_id":8,"category":"Game"}} @@ -37,7 +36,7 @@ 00603{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":69,"source":"cfgs\/default\/pcap\/roblox.pcapng","alias":"nDPId-test","flow_id":4,"flow_packet_id":5,"flow_src_last_pkt_time":1686333470028956,"flow_dst_last_pkt_time":1686333469750635,"flow_idle_time":200000000,"pkt_datalink":1,"pkt_caplen":109,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":109,"pkt_l4_len":75,"thread_ts_usec":1686333470028956,"pkt":"CL6sCxduJjb1W8R1CABFAABfb+QAAEARkNDAqAycgHQsIbWryO4AS++iAQAAHwERAkoGEJobUjvDjWy+zNTNvQ4CBgoJBgPI7ncnCfOsPT8PcVse23VWPpNtYldufworZLI4u9rBGniKI+a64A=="} 00973{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":78,"source":"cfgs\/default\/pcap\/roblox.pcapng","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":2,"flow_first_seen":1686326648493170,"flow_src_last_pkt_time":1686326648875787,"flow_dst_last_pkt_time":1686326648846178,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":58,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1356,"flow_dst_max_l4_payload_len":1332,"flow_src_tot_l4_payload_len":6363,"flow_dst_tot_l4_payload_len":2664,"midstream":0,"thread_ts_usec":1686333470172917,"l3_proto":"ip4","src_ip":"192.168.12.156","dst_ip":"128.116.44.33","src_port":45693,"dst_port":53385,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"RakNet","proto_id":"286","proto_by_ip":"Roblox","proto_by_ip_id":346,"encrypted":0,"breed":"Fun","category_id":8,"category":"Game"}} 00973{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":78,"source":"cfgs\/default\/pcap\/roblox.pcapng","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":1,"flow_first_seen":1686333469750635,"flow_src_last_pkt_time":1686333470172917,"flow_dst_last_pkt_time":1686333470150567,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":58,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1356,"flow_dst_max_l4_payload_len":1332,"flow_src_tot_l4_payload_len":6225,"flow_dst_tot_l4_payload_len":1332,"midstream":0,"thread_ts_usec":1686333470172917,"l3_proto":"ip4","src_ip":"192.168.12.156","dst_ip":"128.116.44.33","src_port":46507,"dst_port":51438,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"RakNet","proto_id":"286","proto_by_ip":"Roblox","proto_by_ip_id":346,"encrypted":0,"breed":"Fun","category_id":8,"category":"Game"}} -00637{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":78,"source":"cfgs\/default\/pcap\/roblox.pcapng","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":78,"packets-processed":78,"total-skipped-flows":0,"total-l4-payload-len":29837,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":4,"total-detection-updates":2,"total-updates":0,"current-active-flows":0,"total-active-flows":4,"total-idle-flows":4,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":40,"global_ts_usec":1686333470172917} +00637{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":78,"source":"cfgs\/default\/pcap\/roblox.pcapng","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":78,"packets-processed":78,"total-skipped-flows":0,"total-l4-payload-len":29837,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":4,"total-detection-updates":1,"total-updates":0,"current-active-flows":0,"total-active-flows":4,"total-idle-flows":4,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":39,"global_ts_usec":1686333470172917} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ ~~ packets captured/processed: 78/78 ~~ skipped flows.............: 0 diff --git a/test/results/default/signal.pcap.out b/test/results/default/signal.pcap.out index 8d6bec39e..7a47b3df8 100644 --- a/test/results/default/signal.pcap.out +++ b/test/results/default/signal.pcap.out @@ -153,7 +153,6 @@ 01250{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":378,"source":"cfgs\/default\/pcap\/signal.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1569051267121677,"flow_src_last_pkt_time":1569051267161538,"flow_dst_last_pkt_time":1569051267197332,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1440,"midstream":0,"thread_ts_usec":1569051267197332,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"13.35.253.42","src_port":57027,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Signal","proto_id":"91.39","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"cdn.signal.org","tls": {"version":"TLSv1.2","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"c4b2785a87896e19d37eee932070cb22","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","advertised_alpns":"h2,http\/1.1","negotiated_alpn":"h2","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} 01574{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":379,"source":"cfgs\/default\/pcap\/signal.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":4,"flow_first_seen":1569051267121677,"flow_src_last_pkt_time":1569051267161538,"flow_dst_last_pkt_time":1569051267197345,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":2383,"midstream":0,"thread_ts_usec":1569051267197345,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"13.35.253.42","src_port":57027,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Signal","proto_id":"91.39","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"cdn.signal.org","tls": {"version":"TLSv1.2","server_names":"cdn.signal.org","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"c4b2785a87896e19d37eee932070cb22","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=California, L=San Francisco, O=Open Whisper Systems, OU=Open Whisper Systems, CN=TextSecure","subjectDN":"C=US, ST=California, O=Open Whisper Systems, OU=Open Whisper Systems, CN=cdn.signal.org","advertised_alpns":"h2,http\/1.1","negotiated_alpn":"h2","tls_supported_versions":"TLSv1.3,TLSv1.2","fingerprint":"81:3D:8A:2E:EE:B2:E1:F4:1C:2B:6D:20:16:54:B2:C1:87:D0:1E:12"}}} 02158{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":404,"source":"cfgs\/default\/pcap\/signal.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"info","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1569051267121677,"flow_src_last_pkt_time":1569051267296344,"flow_dst_last_pkt_time":1569051267317465,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":11716,"flow_dst_tot_l4_payload_len":2541,"midstream":0,"thread_ts_usec":1569051267317465,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"13.35.253.42","src_port":57027,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":13,"avg":11950.2,"max":43365,"stddev":16041.8,"var":257340416.0,"ent":3.7,"data": [32885,39763,98,40023,2747,13,39382,7752,43365,416,22,34673,57,7463,493,19,81,373,5900,119,379,42152,16,471,26781,7559,10672,123,259,280,26119]},"pktlen": {"min":52,"avg":498.2,"max":1492,"stddev":608.0,"var":369644.2,"ent":4.0,"data": [64,60,52,569,52,1492,995,52,178,52,103,121,52,52,105,102,94,243,90,1492,1492,1492,52,90,52,671,52,1492,1492,1492,1492,52]},"bins": {"c_to_s": [5,4,0,1,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0],"s_to_c": [7,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,1,1,0,0,0,0,0,0,0,0,0,0,1,1,1,0,1,0,0,0,0,1],"entropies": [4.433722496,5.194311619,5.024262428,4.269306660,5.062724590,7.102223873,7.698739052,5.077241421,6.281415939,5.115703106,5.989915848,6.360937119,5.077241421,5.077241421,5.716584206,5.596204281,5.530496597,6.966745853,5.422244072,7.874898434,7.862365246,7.863490105,4.937912464,5.888910294,5.077241421,7.631612301,5.077241421,7.861750603,7.881488323,7.873866558,7.857449532,5.115703106]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Signal","proto_id":"91.39","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}} -01579{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":404,"source":"cfgs\/default\/pcap\/signal.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"info","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1569051267121677,"flow_src_last_pkt_time":1569051267296344,"flow_dst_last_pkt_time":1569051267317465,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":11716,"flow_dst_tot_l4_payload_len":2541,"midstream":0,"thread_ts_usec":1569051267317465,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"13.35.253.42","src_port":57027,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Signal","proto_id":"91.39","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"cdn.signal.org","tls": {"version":"TLSv1.2","server_names":"cdn.signal.org","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"c4b2785a87896e19d37eee932070cb22","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=California, L=San Francisco, O=Open Whisper Systems, OU=Open Whisper Systems, CN=TextSecure","subjectDN":"C=US, ST=California, O=Open Whisper Systems, OU=Open Whisper Systems, CN=cdn.signal.org","advertised_alpns":"h2,http\/1.1","negotiated_alpn":"h2","tls_supported_versions":"TLSv1.3,TLSv1.2","fingerprint":"81:3D:8A:2E:EE:B2:E1:F4:1C:2B:6D:20:16:54:B2:C1:87:D0:1E:12"}}} 00961{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":637,"source":"cfgs\/default\/pcap\/signal.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":4,"flow_dst_packets_processed":0,"flow_first_seen":1569051245838268,"flow_src_last_pkt_time":1569051261595218,"flow_dst_last_pkt_time":1569051245838268,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":300,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":300,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1200,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569051267601717,"l3_proto":"ip4","src_ip":"0.0.0.0","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"DHCP","proto_id":"18","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 01077{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":637,"source":"cfgs\/default\/pcap\/signal.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1569051255515841,"flow_src_last_pkt_time":1569051255541412,"flow_dst_last_pkt_time":1569051255539776,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":46,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":77,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1569051267601717,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"17.248.146.144","src_port":56996,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"flow_risk": {"46": {"risk":"Unidirectional Traffic","severity":"Low","risk_score": {"total":500,"client":430,"server":70}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","proto_by_ip":"Apple","proto_by_ip_id":140,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00932{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":637,"source":"cfgs\/default\/pcap\/signal.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1569051264115004,"flow_src_last_pkt_time":1569051264115004,"flow_dst_last_pkt_time":1569051264115004,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":36,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":36,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":36,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569051267601717,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"192.168.2.1","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"ICMP","proto_id":"81","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} @@ -173,7 +172,7 @@ 00981{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":637,"source":"cfgs\/default\/pcap\/signal.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"finished","flow_src_packets_processed":170,"flow_dst_packets_processed":95,"flow_first_seen":1569051267121677,"flow_src_last_pkt_time":1569051267569935,"flow_dst_last_pkt_time":1569051267601717,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":195730,"flow_dst_tot_l4_payload_len":3003,"midstream":0,"thread_ts_usec":1569051267601717,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"13.35.253.42","src_port":57027,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Signal","proto_id":"91.39","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}} 00967{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":637,"source":"cfgs\/default\/pcap\/signal.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1569051264088425,"flow_src_last_pkt_time":1569051264088425,"flow_dst_last_pkt_time":1569051264113960,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":55,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":55,"flow_dst_max_l4_payload_len":151,"flow_src_tot_l4_payload_len":55,"flow_dst_tot_l4_payload_len":151,"midstream":0,"thread_ts_usec":1569051267601717,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"192.168.2.1","src_port":56263,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Signal","proto_id":"5.39","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Fun","category_id":14,"category":"Network"}} 00961{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":637,"source":"cfgs\/default\/pcap\/signal.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1569051247593701,"flow_src_last_pkt_time":1569051247593701,"flow_dst_last_pkt_time":1569051247630078,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":43,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":43,"flow_dst_max_l4_payload_len":59,"flow_src_tot_l4_payload_len":43,"flow_dst_tot_l4_payload_len":59,"midstream":0,"thread_ts_usec":1569051267601717,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"192.168.2.1","src_port":60793,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} -00644{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":637,"source":"cfgs\/default\/pcap\/signal.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":637,"packets-processed":637,"total-skipped-flows":0,"total-l4-payload-len":273842,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":19,"total-detection-updates":28,"total-updates":0,"current-active-flows":0,"total-active-flows":19,"total-idle-flows":19,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":176,"global_ts_usec":1569051267601717} +00644{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":637,"source":"cfgs\/default\/pcap\/signal.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":637,"packets-processed":637,"total-skipped-flows":0,"total-l4-payload-len":273842,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":19,"total-detection-updates":27,"total-updates":0,"current-active-flows":0,"total-active-flows":19,"total-idle-flows":19,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":175,"global_ts_usec":1569051267601717} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ ~~ packets captured/processed: 637/637 ~~ skipped flows.............: 0 diff --git a/test/results/default/simple-dnscrypt.pcap.out b/test/results/default/simple-dnscrypt.pcap.out index 9d69b3295..9e7373b1f 100644 --- a/test/results/default/simple-dnscrypt.pcap.out +++ b/test/results/default/simple-dnscrypt.pcap.out @@ -10,7 +10,6 @@ 01206{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"cfgs\/default\/pcap\/simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1491813284555591,"flow_src_last_pkt_time":1491813284694670,"flow_dst_last_pkt_time":1491813284804255,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":206,"flow_dst_max_l4_payload_len":1310,"flow_src_tot_l4_payload_len":206,"flow_dst_tot_l4_payload_len":1310,"midstream":0,"thread_ts_usec":1491813284804255,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50233,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"simplednscrypt.org","tls": {"version":"TLSv1.2","ja3":"b8f81673c0e1d29908346f3bab892b9b","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","advertised_alpns":"h2,http\/1.1","negotiated_alpn":"h2"}}} 01570{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":11,"source":"cfgs\/default\/pcap\/simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":7,"flow_first_seen":1491813284555591,"flow_src_last_pkt_time":1491813284809547,"flow_dst_last_pkt_time":1491813284819906,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":206,"flow_dst_max_l4_payload_len":1310,"flow_src_tot_l4_payload_len":206,"flow_dst_tot_l4_payload_len":6550,"midstream":0,"thread_ts_usec":1491813284819906,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50233,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.DNScrypt","proto_id":"91.208","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"simplednscrypt.org","tls": {"version":"TLSv1.2","server_names":"simplednscrypt.org,www.simplednscrypt.org","ja3":"b8f81673c0e1d29908346f3bab892b9b","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA","subjectDN":"OU=Domain Control Validated, OU=PositiveSSL, CN=simplednscrypt.org","advertised_alpns":"h2,http\/1.1","negotiated_alpn":"h2","fingerprint":"3E:20:0F:BF:AD:D8:5C:A1:A1:1B:E5:B2:A7:D4:68:E2:6A:DB:01:41"}}} 02191{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"cfgs\/default\/pcap\/simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1491813284555591,"flow_src_last_pkt_time":1491813285148253,"flow_dst_last_pkt_time":1491813285258007,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":218,"flow_dst_max_l4_payload_len":1310,"flow_src_tot_l4_payload_len":804,"flow_dst_tot_l4_payload_len":10162,"midstream":0,"thread_ts_usec":1491813285258007,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50233,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":0,"avg":41776.7,"max":221977,"stddev":52354.6,"var":2741003520.0,"ent":3.9,"data": [110617,111151,27928,119560,18487,5167,114877,3012,7467,5,1,10608,4894,14894,118,54,378,91813,2,71462,3132,28841,0,26832,76361,36004,32630,95192,61613,221977,1]},"pktlen": {"min":40,"avg":383.4,"max":1350,"stddev":516.9,"var":267229.7,"ent":3.9,"data": [52,52,40,246,40,1350,1350,40,1350,1350,1350,346,40,166,93,96,82,258,298,109,40,78,40,78,40,40,40,401,40,105,1350,1310]},"bins": {"c_to_s": [7,4,1,1,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,1,0,0,0,0,0,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,6,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,1,1,1,1,0,0,0,0,0,0,1,1,0,0,1,1,1,0,1,1,0,0,1,1],"entropies": [4.700937748,5.053297043,4.884183884,5.597340584,4.884183884,7.257542610,7.247560978,4.734184265,7.594522476,7.479546547,7.614046097,7.344598770,4.780641079,6.391661167,5.721328735,5.834361076,5.503191471,7.138485432,7.091854095,6.122251511,4.934183598,5.396905422,4.884183884,5.818656921,4.884183884,4.884183884,4.884183884,7.331987381,4.934183598,5.989890099,7.848228931,7.847333908]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.DNScrypt","proto_id":"91.208","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Acceptable","category_id":14,"category":"Network"}} -01573{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":32,"source":"cfgs\/default\/pcap\/simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1491813284555591,"flow_src_last_pkt_time":1491813285148253,"flow_dst_last_pkt_time":1491813285258007,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":218,"flow_dst_max_l4_payload_len":1310,"flow_src_tot_l4_payload_len":804,"flow_dst_tot_l4_payload_len":10162,"midstream":0,"thread_ts_usec":1491813285258007,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50233,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.DNScrypt","proto_id":"91.208","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"simplednscrypt.org","tls": {"version":"TLSv1.2","server_names":"simplednscrypt.org,www.simplednscrypt.org","ja3":"b8f81673c0e1d29908346f3bab892b9b","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA","subjectDN":"OU=Domain Control Validated, OU=PositiveSSL, CN=simplednscrypt.org","advertised_alpns":"h2,http\/1.1","negotiated_alpn":"h2","fingerprint":"3E:20:0F:BF:AD:D8:5C:A1:A1:1B:E5:B2:A7:D4:68:E2:6A:DB:01:41"}}} 00784{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":40,"source":"cfgs\/default\/pcap\/simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1491813286275625,"flow_src_last_pkt_time":1491813286275625,"flow_dst_last_pkt_time":1491813286275625,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1491813286275625,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50253,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} 00549{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":40,"source":"cfgs\/default\/pcap\/simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_src_last_pkt_time":1491813286275625,"flow_dst_last_pkt_time":1491813286275625,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1491813286275625,"pkt":"uFpz9d6dpDTZFrEGCABFAAA0PSdAAIAGML7AqCunhncaGMRNAbtYb9jbAAAAAIACIADK3QAAAgQFtAEDAwgBAQQC"} 00784{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":41,"source":"cfgs\/default\/pcap\/simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1491813286392272,"flow_src_last_pkt_time":1491813286392272,"flow_dst_last_pkt_time":1491813286392272,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1491813286392272,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50258,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} @@ -39,12 +38,11 @@ 01239{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":81,"source":"cfgs\/default\/pcap\/simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1491813286392272,"flow_src_last_pkt_time":1491813286491438,"flow_dst_last_pkt_time":1491813286609961,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":210,"flow_dst_max_l4_payload_len":1310,"flow_src_tot_l4_payload_len":210,"flow_dst_tot_l4_payload_len":1310,"midstream":0,"thread_ts_usec":1491813286609961,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50258,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"5":"DPI (cache)"},"proto":"TLS.DNScrypt","proto_id":"91.208","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"simplednscrypt.org","tls": {"version":"TLSv1.2","ja3":"83e04bc58d402f9633983cbf22724b02","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","advertised_alpns":"h2,http\/1.1","negotiated_alpn":"h2"}}} 01578{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":87,"source":"cfgs\/default\/pcap\/simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":7,"flow_first_seen":1491813286392272,"flow_src_last_pkt_time":1491813286612199,"flow_dst_last_pkt_time":1491813286612925,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":210,"flow_dst_max_l4_payload_len":1310,"flow_src_tot_l4_payload_len":210,"flow_dst_tot_l4_payload_len":6550,"midstream":0,"thread_ts_usec":1491813286612925,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50258,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"5":"DPI (cache)"},"proto":"TLS.DNScrypt","proto_id":"91.208","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"simplednscrypt.org","tls": {"version":"TLSv1.2","server_names":"simplednscrypt.org,www.simplednscrypt.org","ja3":"83e04bc58d402f9633983cbf22724b02","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA","subjectDN":"OU=Domain Control Validated, OU=PositiveSSL, CN=simplednscrypt.org","advertised_alpns":"h2,http\/1.1","negotiated_alpn":"h2","fingerprint":"3E:20:0F:BF:AD:D8:5C:A1:A1:1B:E5:B2:A7:D4:68:E2:6A:DB:01:41"}}} 02183{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":107,"source":"cfgs\/default\/pcap\/simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1491813286393273,"flow_src_last_pkt_time":1491813286786121,"flow_dst_last_pkt_time":1491813286786057,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":280,"flow_dst_max_l4_payload_len":1310,"flow_src_tot_l4_payload_len":962,"flow_dst_tot_l4_payload_len":7944,"midstream":0,"thread_ts_usec":1491813286786121,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50259,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":0,"avg":25343.0,"max":105611,"stddev":35915.9,"var":1289953152.0,"ent":3.6,"data": [76904,76992,229,75549,27738,2534,105611,594,1,590,1297,3,1553,3254,3682,128,52,3057,79,49,84732,1,74133,4254,0,9610,25085,23405,82024,4138,98354]},"pktlen": {"min":40,"avg":319.1,"max":1350,"stddev":456.8,"var":208637.0,"ent":3.9,"data": [52,52,40,250,40,1350,1350,40,1350,1350,40,1350,346,40,166,93,96,82,320,119,118,298,109,40,40,78,40,78,40,402,401,40]},"bins": {"c_to_s": [7,4,2,1,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,1,0,0,0,0,0,1,1,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,1,1,0,1,1,0,0,0,0,0,0,0,0,1,1,0,1,1,1,0,1,1,1,0],"entropies": [4.662476063,5.014835358,4.784183979,5.463803768,4.784183979,7.264608860,7.254951954,4.784183979,7.596163750,7.476695061,4.665311813,7.616894245,7.412656784,4.784183979,6.267624378,5.635307789,5.800558090,5.503190994,7.286572456,6.049404621,6.063973427,7.156964302,6.273537159,4.934183598,4.884183884,5.802693844,4.834183693,5.438509464,4.884183884,7.476879120,7.394095898,4.934183598]},"ndpi": {"confidence": {"5":"DPI (cache)"},"proto":"TLS.DNScrypt","proto_id":"91.208","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Acceptable","category_id":14,"category":"Network"}} -01581{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":107,"source":"cfgs\/default\/pcap\/simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1491813286393273,"flow_src_last_pkt_time":1491813286786121,"flow_dst_last_pkt_time":1491813286786057,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":280,"flow_dst_max_l4_payload_len":1310,"flow_src_tot_l4_payload_len":962,"flow_dst_tot_l4_payload_len":7944,"midstream":0,"thread_ts_usec":1491813286786121,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50259,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"5":"DPI (cache)"},"proto":"TLS.DNScrypt","proto_id":"91.208","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"simplednscrypt.org","tls": {"version":"TLSv1.2","server_names":"simplednscrypt.org,www.simplednscrypt.org","ja3":"83e04bc58d402f9633983cbf22724b02","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA","subjectDN":"OU=Domain Control Validated, OU=PositiveSSL, CN=simplednscrypt.org","advertised_alpns":"h2,http\/1.1","negotiated_alpn":"h2","fingerprint":"3E:20:0F:BF:AD:D8:5C:A1:A1:1B:E5:B2:A7:D4:68:E2:6A:DB:01:41"}}} 00998{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":111,"source":"cfgs\/default\/pcap\/simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":21,"flow_first_seen":1491813284555591,"flow_src_last_pkt_time":1491813285262104,"flow_dst_last_pkt_time":1491813285262021,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":218,"flow_dst_max_l4_payload_len":1310,"flow_src_tot_l4_payload_len":804,"flow_dst_tot_l4_payload_len":13434,"midstream":0,"thread_ts_usec":1491813286913648,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50233,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.DNScrypt","proto_id":"91.208","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Acceptable","category_id":14,"category":"Network"}} 01000{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":111,"source":"cfgs\/default\/pcap\/simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":8,"flow_dst_packets_processed":10,"flow_first_seen":1491813286275625,"flow_src_last_pkt_time":1491813286718876,"flow_dst_last_pkt_time":1491813286718848,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":210,"flow_dst_max_l4_payload_len":1310,"flow_src_tot_l4_payload_len":336,"flow_dst_tot_l4_payload_len":7183,"midstream":0,"thread_ts_usec":1491813286913648,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50253,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"5":"DPI (cache)"},"proto":"TLS.DNScrypt","proto_id":"91.208","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Acceptable","category_id":14,"category":"Network"}} 01000{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":111,"source":"cfgs\/default\/pcap\/simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":8,"flow_dst_packets_processed":10,"flow_first_seen":1491813286392272,"flow_src_last_pkt_time":1491813286753444,"flow_dst_last_pkt_time":1491813286753424,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":210,"flow_dst_max_l4_payload_len":1310,"flow_src_tot_l4_payload_len":336,"flow_dst_tot_l4_payload_len":7183,"midstream":0,"thread_ts_usec":1491813286913648,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50258,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"5":"DPI (cache)"},"proto":"TLS.DNScrypt","proto_id":"91.208","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Acceptable","category_id":14,"category":"Network"}} 01006{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":111,"source":"cfgs\/default\/pcap\/simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":18,"flow_first_seen":1491813286393273,"flow_src_last_pkt_time":1491813286845298,"flow_dst_last_pkt_time":1491813286913648,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":280,"flow_dst_max_l4_payload_len":1310,"flow_src_tot_l4_payload_len":1004,"flow_dst_tot_l4_payload_len":8306,"midstream":0,"thread_ts_usec":1491813286913648,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50259,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"5":"DPI (cache)"},"proto":"TLS.DNScrypt","proto_id":"91.208","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Acceptable","category_id":14,"category":"Network"}} -00648{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":111,"source":"cfgs\/default\/pcap\/simple-dnscrypt.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":111,"packets-processed":111,"total-skipped-flows":0,"total-l4-payload-len":38586,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":4,"total-detection-updates":10,"total-updates":0,"current-active-flows":0,"total-active-flows":4,"total-idle-flows":4,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":47,"global_ts_usec":1491813286913648} +00647{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":111,"source":"cfgs\/default\/pcap\/simple-dnscrypt.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":111,"packets-processed":111,"total-skipped-flows":0,"total-l4-payload-len":38586,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":4,"total-detection-updates":8,"total-updates":0,"current-active-flows":0,"total-active-flows":4,"total-idle-flows":4,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":45,"global_ts_usec":1491813286913648} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ ~~ packets captured/processed: 111/111 ~~ skipped flows.............: 0 diff --git a/test/results/default/sites.pcapng.out b/test/results/default/sites.pcapng.out index a5e1ca8fd..3cf2c0a6f 100644 --- a/test/results/default/sites.pcapng.out +++ b/test/results/default/sites.pcapng.out @@ -38,9 +38,8 @@ 00542{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":71,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","flow_id":4,"flow_packet_id":5,"flow_src_last_pkt_time":1623223596004515,"flow_dst_last_pkt_time":1623223596051971,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1623223596051971,"pkt":"PKn0qB\/spJGxgjQ5CABFAAA0PfVAADEGPxBbxq7QwKgBgAG7xbxrNtsh2iAZDYAQAFTIswAAAQEIChefvGW86k8J"} 01220{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":72,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1623223595952198,"flow_src_last_pkt_time":1623223596004515,"flow_dst_last_pkt_time":1623223596052201,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1448,"midstream":0,"thread_ts_usec":1623223596052201,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"91.198.174.208","src_port":50620,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Wikipedia","proto_id":"91.176","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"upload.wikimedia.org","tls": {"version":"TLSv1.3","ja3":"6b5e0cfe988c723ee71faf54f8460684","ja3s":"15af977ce25de452b96affa2addb1036","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","advertised_alpns":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} 02132{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":98,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1623223595952198,"flow_src_last_pkt_time":1623223596109406,"flow_dst_last_pkt_time":1623223596108936,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1036,"flow_dst_tot_l4_payload_len":16479,"midstream":0,"thread_ts_usec":1623223596109406,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"91.198.174.208","src_port":50620,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":0,"avg":10127.3,"max":52937,"stddev":19772.5,"var":390950848.0,"ent":2.8,"data": [46836,50076,2241,52937,230,0,0,0,52220,0,0,0,1478,638,2420,52443,0,779,3077,0,237,0,0,0,0,0,199,47900,0,0,235]},"pktlen": {"min":52,"avg":599.8,"max":1500,"stddev":646.4,"var":417856.7,"ent":4.1,"data": [60,60,52,569,52,1500,1500,1252,152,52,52,52,52,132,222,290,355,95,83,1500,1500,1500,1500,1500,1500,1500,1500,374,52,52,52,83]},"bins": {"c_to_s": [10,0,1,0,0,1,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,1,0,1,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,10,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0],"entropies": [4.713301182,5.220872402,5.008629799,5.408417225,5.079967022,7.845353127,7.893048763,7.841969490,6.480354786,5.047091007,5.047091484,5.085552692,5.085553169,6.254513264,6.947219372,7.136369228,7.362440109,5.997154236,5.666953564,7.893563271,7.867501259,7.878776073,7.865104198,7.874600887,7.869311810,7.861063480,7.860395432,7.425109863,5.085552692,5.047091007,5.085552692,5.564384460]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Wikipedia","proto_id":"91.176","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} -01224{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":98,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1623223595952198,"flow_src_last_pkt_time":1623223596109406,"flow_dst_last_pkt_time":1623223596108936,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1036,"flow_dst_tot_l4_payload_len":16479,"midstream":0,"thread_ts_usec":1623223596109406,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"91.198.174.208","src_port":50620,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Wikipedia","proto_id":"91.176","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"upload.wikimedia.org","tls": {"version":"TLSv1.3","ja3":"6b5e0cfe988c723ee71faf54f8460684","ja3s":"15af977ce25de452b96affa2addb1036","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","advertised_alpns":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} 00980{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":107,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":17,"flow_first_seen":1623222051753416,"flow_src_last_pkt_time":1623222112086485,"flow_dst_last_pkt_time":1623222112185361,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":965,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":2226,"flow_dst_tot_l4_payload_len":6554,"midstream":0,"thread_ts_usec":1623223596203292,"l3_proto":"ip4","src_ip":"192.168.1.227","dst_ip":"52.73.71.226","src_port":50071,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Fuze","proto_id":"91.270","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}} -00637{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":119,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":119,"packets-processed":118,"total-skipped-flows":0,"total-l4-payload-len":35609,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":4,"total-detection-updates":6,"total-updates":0,"current-active-flows":1,"total-active-flows":4,"total-idle-flows":3,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":43,"global_ts_usec":1623226283573712} +00637{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":119,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":119,"packets-processed":118,"total-skipped-flows":0,"total-l4-payload-len":35609,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":4,"total-detection-updates":5,"total-updates":0,"current-active-flows":1,"total-active-flows":4,"total-idle-flows":3,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":42,"global_ts_usec":1623226283573712} 00774{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":119,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1623226283573712,"flow_src_last_pkt_time":1623226283573712,"flow_dst_last_pkt_time":1623226283573712,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1623226283573712,"l3_proto":"ip4","src_ip":"192.168.1.250","dst_ip":"45.82.241.51","src_port":39890,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} 00556{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":119,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_src_last_pkt_time":1623226283573712,"flow_dst_last_pkt_time":1623226283573712,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1623226283573712,"pkt":"pJGxgjQ5AoEfHBPlCABFAAA8M5RAAEAGJgDAqAH6LVLxM5vSAFAXgCu+AAAAAKAC\/\/9tawAAAgQFtAQCCAolvfRMAAAAAAEDAwk="} 00542{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":120,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","flow_id":5,"flow_packet_id":2,"flow_src_last_pkt_time":1623226283573712,"flow_dst_last_pkt_time":1623226283601626,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1623226283601626,"pkt":"AoEfHBPlpJGxgjQ5CABFAAA0AABAADMGZpwtUvEzwKgB+gBQm9LNImc9F4Arv4ASchAIQAAAAgQFeAEBBAIBAwMK"} @@ -50,7 +49,7 @@ 00534{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":123,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","flow_id":5,"flow_packet_id":5,"flow_src_last_pkt_time":1623226283612303,"flow_dst_last_pkt_time":1623226283640806,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1623226283640806,"pkt":"AoEfHBPlpJGxgjQ5CABFAAAox9pAADMGns0tUvEzwKgB+gBQm9LNImc+F4AsfVAQAB66DQAAAAAAAAAA"} 02146{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":150,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1623226283573712,"flow_src_last_pkt_time":1623226284678348,"flow_dst_last_pkt_time":1623226284677149,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":190,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":380,"flow_dst_tot_l4_payload_len":18862,"midstream":0,"thread_ts_usec":1623226284678348,"l3_proto":"ip4","src_ip":"192.168.1.250","dst_ip":"45.82.241.51","src_port":39890,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":0,"avg":71228.2,"max":1031142,"stddev":245139.1,"var":60093177856.0,"ent":1.6,"data": [27914,29082,9509,39180,2950,0,249,0,0,0,0,59912,0,307,0,0,304,0,974261,1031142,0,0,0,29550,491,2002,0,490,0,730,0]},"pktlen": {"min":46,"avg":645.1,"max":1500,"stddev":701.2,"var":491744.0,"ent":4.0,"data": [60,52,46,230,46,1500,1500,1500,1500,1500,1500,1382,46,46,46,46,46,46,46,230,1500,1500,1500,1500,46,46,1500,1500,46,46,46,46]},"bins": {"c_to_s": [15,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,12,0,0]},"directions": [0,1,0,0,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,0,0,1,1,0,0,0,0],"entropies": [4.650921822,4.854286671,4.347350597,5.690956593,4.347350597,7.663578510,7.860166073,7.846680641,7.877070427,7.858085155,7.884421825,7.865271091,4.347350597,4.303872585,4.260394573,4.303872585,4.303872585,4.347350597,4.347350597,5.731587410,7.670816898,7.866776943,7.851586819,7.865674973,4.303872585,4.303872108,7.855195045,7.870656013,4.303872585,4.260394096,4.303872108,4.303872585]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Likee","proto_id":"7.261","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} 00980{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":229,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":28,"flow_dst_packets_processed":24,"flow_first_seen":1623223595952198,"flow_src_last_pkt_time":1623223766553269,"flow_dst_last_pkt_time":1623223766548680,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1177,"flow_dst_tot_l4_payload_len":16557,"midstream":0,"thread_ts_usec":1623226286427901,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"91.198.174.208","src_port":50620,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Wikipedia","proto_id":"91.176","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} -00638{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":231,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":231,"packets-processed":230,"total-skipped-flows":0,"total-l4-payload-len":108050,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":5,"total-detection-updates":6,"total-updates":0,"current-active-flows":1,"total-active-flows":5,"total-idle-flows":4,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":53,"global_ts_usec":1631088115362469} +00638{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":231,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":231,"packets-processed":230,"total-skipped-flows":0,"total-l4-payload-len":108050,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":5,"total-detection-updates":5,"total-updates":0,"current-active-flows":1,"total-active-flows":5,"total-idle-flows":4,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":52,"global_ts_usec":1631088115362469} 00777{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":231,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1631088115362469,"flow_src_last_pkt_time":1631088115362469,"flow_dst_last_pkt_time":1631088115362469,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1631088115362469,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"199.232.82.109","src_port":46724,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} 00555{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":231,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","flow_id":6,"flow_packet_id":1,"flow_src_last_pkt_time":1631088115362469,"flow_dst_last_pkt_time":1631088115362469,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1631088115362469,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAA8aylAAEAG8xTAqAGAx+hSbbaEAbsR7WhdAAAAAKAC+vCzrwAAAgQFtAQCCAqzLdcpAAAAAAEDAwc="} 00559{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":232,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","flow_id":6,"flow_packet_id":2,"flow_src_last_pkt_time":1631088115362469,"flow_dst_last_pkt_time":1631088115376274,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1631088115376274,"pkt":"PKn0qB\/spJGxgjQ5CABFAAA8AABAADQGaj7H6FJtwKgBgAG7toQ\/rdv6Ee1oXqAS\/\/\/HZwAAAgQFTAQCCApg6mr7sy3XKQEDAwk="} @@ -61,7 +60,7 @@ 01276{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":236,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1631088115362469,"flow_src_last_pkt_time":1631088115376494,"flow_dst_last_pkt_time":1631088115392643,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1344,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1344,"midstream":0,"thread_ts_usec":1631088115392643,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"199.232.82.109","src_port":46724,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Vimeo","proto_id":"91.267","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Fun","category_id":17,"category":"Streaming","hostname":"f.vimeocdn.com","tls": {"version":"TLSv1.2","ja3":"cd08e31494f9531f560d64c695473da9","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","advertised_alpns":"h2,http\/1.1","negotiated_alpn":"h2","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01493{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":240,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":5,"flow_first_seen":1631088115362469,"flow_src_last_pkt_time":1631088115392667,"flow_dst_last_pkt_time":1631088115392674,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1344,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":4032,"midstream":0,"thread_ts_usec":1631088115392674,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"199.232.82.109","src_port":46724,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Vimeo","proto_id":"91.267","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Fun","category_id":17,"category":"Streaming","hostname":"f.vimeocdn.com","tls": {"version":"TLSv1.2","server_names":"*.vimeocdn.com","ja3":"cd08e31494f9531f560d64c695473da9","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=BE, O=GlobalSign nv-sa, CN=GlobalSign Atlas R3 DV TLS CA 2020","subjectDN":"CN=*.vimeocdn.com","advertised_alpns":"h2,http\/1.1","negotiated_alpn":"h2","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"3A:0F:CF:EC:3C:13:25:E2:E1:4D:C6:52:A6:4D:8D:96:10:1E:8E:37"}}} 00981{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":248,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":58,"flow_dst_packets_processed":54,"flow_first_seen":1623226283573712,"flow_src_last_pkt_time":1623226466507324,"flow_dst_last_pkt_time":1623226466414542,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":190,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":950,"flow_dst_tot_l4_payload_len":71491,"midstream":0,"thread_ts_usec":1631088115406479,"l3_proto":"ip4","src_ip":"192.168.1.250","dst_ip":"45.82.241.51","src_port":39890,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Likee","proto_id":"7.261","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} -00638{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":256,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":256,"packets-processed":255,"total-skipped-flows":0,"total-l4-payload-len":113664,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":6,"total-detection-updates":8,"total-updates":0,"current-active-flows":1,"total-active-flows":6,"total-idle-flows":5,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":64,"global_ts_usec":1637349011376367} +00638{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":256,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":256,"packets-processed":255,"total-skipped-flows":0,"total-l4-payload-len":113664,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":6,"total-detection-updates":7,"total-updates":0,"current-active-flows":1,"total-active-flows":6,"total-idle-flows":5,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":63,"global_ts_usec":1637349011376367} 00775{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":256,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1637349011376367,"flow_src_last_pkt_time":1637349011376367,"flow_dst_last_pkt_time":1637349011376367,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1637349011376367,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"143.204.9.65","src_port":48918,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} 00556{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":256,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","flow_id":7,"flow_packet_id":1,"flow_src_last_pkt_time":1637349011376367,"flow_dst_last_pkt_time":1637349011376367,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1637349011376367,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAA8TGJAAEAGkyTAqAGAj8wJQb8WAbs5hVBVAAAAAKAC+vA+\/wAAAgQFtAQCCAoHfmCrAAAAAAEDAww="} 00555{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":257,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","flow_id":7,"flow_packet_id":2,"flow_src_last_pkt_time":1637349011376367,"flow_dst_last_pkt_time":1637349011393884,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1637349011393884,"pkt":"PKn0qB\/spJGxgjQ5CABFAAA8T5MAAPMGHPOPzAlBwKgBgAG7vxa2dgKJOYVQVqASBZSQpgAAAgQFoAQCCArIQyJ4B35gqwEDAwk="} @@ -71,7 +70,7 @@ 01191{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":261,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":2,"flow_first_seen":1637349011376367,"flow_src_last_pkt_time":1637349011396134,"flow_dst_last_pkt_time":1637349011393908,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1637349011396134,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"143.204.9.65","src_port":48918,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.DisneyPlus","proto_id":"91.71","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Fun","category_id":17,"category":"Streaming","hostname":"prod-static.disney-plus.net","tls": {"version":"TLSv1.2","ja3":"579ccef312d18482fc42e2b822ca2430","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","advertised_alpns":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} 01236{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":263,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1637349011376367,"flow_src_last_pkt_time":1637349011396134,"flow_dst_last_pkt_time":1637349011405023,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1428,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1428,"midstream":0,"thread_ts_usec":1637349011405023,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"143.204.9.65","src_port":48918,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.DisneyPlus","proto_id":"91.71","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Fun","category_id":17,"category":"Streaming","hostname":"prod-static.disney-plus.net","tls": {"version":"TLSv1.3","ja3":"579ccef312d18482fc42e2b822ca2430","ja3s":"f4febc55ea12b31ae17cfb7e614afda8","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","advertised_alpns":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} 00976{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":285,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":12,"flow_first_seen":1631088115362469,"flow_src_last_pkt_time":1631088168165179,"flow_dst_last_pkt_time":1631088168165177,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1344,"flow_src_tot_l4_payload_len":610,"flow_dst_tot_l4_payload_len":5004,"midstream":0,"thread_ts_usec":1637349011425927,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"199.232.82.109","src_port":46724,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Vimeo","proto_id":"91.267","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Fun","category_id":17,"category":"Streaming"}} -00638{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":285,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":285,"packets-processed":284,"total-skipped-flows":0,"total-l4-payload-len":121431,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":7,"total-detection-updates":9,"total-updates":0,"current-active-flows":1,"total-active-flows":7,"total-idle-flows":6,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":74,"global_ts_usec":1642584017659993} +00638{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":285,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":285,"packets-processed":284,"total-skipped-flows":0,"total-l4-payload-len":121431,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":7,"total-detection-updates":8,"total-updates":0,"current-active-flows":1,"total-active-flows":7,"total-idle-flows":6,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":73,"global_ts_usec":1642584017659993} 00776{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":285,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1642584017659993,"flow_src_last_pkt_time":1642584017659993,"flow_dst_last_pkt_time":1642584017659993,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1642584017659993,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"23.12.104.83","src_port":39248,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} 00556{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":285,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","flow_id":8,"flow_packet_id":1,"flow_src_last_pkt_time":1642584017659993,"flow_dst_last_pkt_time":1642584017659993,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1642584017659993,"pkt":"CL6sCxdumt9Y+uvcCABFAAA8EtFAAEAG2zrAqAypFwxoU5lQAbvzO0RFAAAAAKAC\/\/9KaQAAAgQFtAQCCApYVYYCAAAAAAEDAwk="} 00555{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":286,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","flow_id":8,"flow_packet_id":2,"flow_src_last_pkt_time":1642584017659993,"flow_dst_last_pkt_time":1642584017680129,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1642584017680129,"pkt":"mt9Y+uvcCL6sCxduCABFAAA8AABAADcG9wsXDGhTwKgMqQG7mVB1nT8a8ztERqAS\/ojzIwAAAgQFtAQCCAqw3vMWWFWGAgEDAwc="} @@ -81,12 +80,12 @@ 00542{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":289,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","flow_id":8,"flow_packet_id":5,"flow_src_last_pkt_time":1642584017683650,"flow_dst_last_pkt_time":1642584017706128,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1642584017706128,"pkt":"mt9Y+uvcCL6sCxduCABFAAA0SOBAADcGrjMXDGhTwKgMqQG7mVB1nT8b8ztGS4AQAfocSAAAAQEICrDe8zFYVYYZ"} 01231{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":290,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1642584017659993,"flow_src_last_pkt_time":1642584017683650,"flow_dst_last_pkt_time":1642584017706175,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1448,"midstream":0,"thread_ts_usec":1642584017706175,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"23.12.104.83","src_port":39248,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AccuWeather","proto_id":"91.280","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Fun","category_id":5,"category":"Web","hostname":"api.accuweather.com","tls": {"version":"TLSv1.3","ja3":"9b02ebd3a43b62d825e1ac605b621dc8","ja3s":"15af977ce25de452b96affa2addb1036","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","advertised_alpns":"http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 00982{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":315,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":14,"flow_first_seen":1637349011376367,"flow_src_last_pkt_time":1637349011425914,"flow_dst_last_pkt_time":1637349011425927,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1428,"flow_src_tot_l4_payload_len":792,"flow_dst_tot_l4_payload_len":6975,"midstream":0,"thread_ts_usec":1642584019409362,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"143.204.9.65","src_port":48918,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.DisneyPlus","proto_id":"91.71","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Fun","category_id":17,"category":"Streaming"}} -00639{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":315,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":315,"packets-processed":314,"total-skipped-flows":0,"total-l4-payload-len":128021,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":8,"total-detection-updates":10,"total-updates":0,"current-active-flows":1,"total-active-flows":8,"total-idle-flows":7,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":84,"global_ts_usec":1643355518166568} +00638{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":315,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":315,"packets-processed":314,"total-skipped-flows":0,"total-l4-payload-len":128021,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":8,"total-detection-updates":9,"total-updates":0,"current-active-flows":1,"total-active-flows":8,"total-idle-flows":7,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":83,"global_ts_usec":1643355518166568} 00784{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":315,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1643355518166568,"flow_src_last_pkt_time":1643355518166568,"flow_dst_last_pkt_time":1643355518166568,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1250,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1250,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1250,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1643355518166568,"l3_proto":"ip4","src_ip":"192.168.1.123","dst_ip":"216.58.209.46","src_port":59102,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":5} 02217{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":315,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","flow_id":9,"flow_packet_id":1,"flow_src_last_pkt_time":1643355518166568,"flow_dst_last_pkt_time":1643355518166568,"flow_idle_time":200000000,"pkt_datalink":1,"pkt_caplen":1292,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1292,"pkt_l4_len":1258,"thread_ts_usec":1643355518166568,"pkt":"pJGxgjQ5SKRyNpegCABFAAT+PElAAIARThnAqAF72DrRLubeAbsE6urRwAAAAAEIZ7HskbOWr9QAAETQNKtjIjiCXCI+9vqBWPy31G7jDH4RlwYv0XhaWuj0UrdcSVWZIrVwzwDrJa8dEWOeUvaAw7BXeYev6bi8Nu9Z4LWOvt0+XPgNkeHB6PvaZ9N4cpB1UIRx6byg5QljaxCkgdia5\/WZz2yX\/TayWJG0egLwFK4DYqDDADilA59ewmPTSu6+F3\/EVfKw86o2Yio5HeQqtUOtEdw6pRwxBehgjTrZf0PMuk40XDPug94YB\/sEApD8Ghq1zUUVofn\/jZoji68n+CZ74BkmZ8LSaemosx3Vm7YV3yQUauQU4lBHNM2XdkooJSDGv9YINXu8hmpHdW\/1encLGdPSyOJC8itWve1maDbUaMRhrbQrpaAPeVfgND5alDCN2DMGvFe3nB6Pz2LOpDsj\/3ZN3caT5Nt0nSv8HN+DYWZc+2JmBlBY71FJ57bmTqruFnoZ\/GjM0BGxB5WlpJ0M3zE3M16k0p8WRYGK3bOkXFB5rtEix709VUri+WnB1ivvzP4A8iO977JvKVGlPddOYZ4k7qZne6v\/jb1y0P5AatOM7YYIeRI7u8jf\/xM8RY8UTL\/Pv+EQzBcgac+DyXJSt\/sJo+Uuz0dGCYpa4Aa01DbWUiA5x+j4g5WT5LGdKrytMkGgkIcVSlNAt4nWOQc2IroqJjfmf+NbusGe\/Gviz5jV93bOaTFv7sGyuvESP0iH2MD2mwPgizF6t5EabtXWaevGbit0evQ9O3bHeRpQwTlwh0hRD7WqrIf0Wri9spAJN53856UKZFRupvrVqTH40ht5wGl2g3HXmJvEKnWBsD1hEB3sacVd4lWjKim62JMTY6yUmMhRBlNu2AupnyFsChUJ1NgsRbg5cQPowXRIBVG8WcjCs7OHKUH\/zza5xjXEz1FrdKQASDLCvFyh9YUzlRmDx7d99nX5vf9AwJejikY1uel\/yRMHcT9IqYO0kZBeGiX2ZDJD7vD1sF+05Qq++ztAL3CTqhuU\/7KSbWKiGOoFGj9phj6fZiE+g9e7+HIVuvPAKr+aSbxS71gHelt+hKMcDj7jdDFk5P6TqQdUXfqrnN38RDusNZmvWB+23Sj9NvIjlpua1MtXRWVJaLY5mX9AL1kTENCHtxomZwiXSqkSWtzS8dZocOlqjfWrd2hnw5yl8b7T0843OsmN6ZOoho4X9bhFw\/52C+NFDBAC42\/6jsH2i4NdbJBqOAuf4tLWi3oaJ\/0r5Y0wWyVnBbFtq1sx6d6EHxqir52O50dkkD8SF7j+wGSCG2L1l5bcQGnAqpzpZNB8AgofMTbrgYgdYIyrh\/neffOlCQyXy2EgLb\/xWEt+QftF8p5n2FzevDADqTCGGVeWULgrEsb\/3qULNf4uZHaY4HBD6To7yTuITvaXdqFt30MJBKnhBexi0dhA\/MGpMyVJfR\/PhbhWZmiNdx\/LRAV2Semg\/nPWe+DzSBBXm7wJXZiE\/8ewkRVdkujJi\/QhXAX0aOL76X77YYeny\/V35WiIqUmuxRHrBRdP5AMMQo\/adJoX4bzVdEvw3cGw7\/\/hO2VzwL5m0trABzWAWdjRjsrTEu\/mWAVCZDP5\/peoG8YXeXsdHWwpRLyNJpzOlRz5aND24Jgn5x2v3PqoD5RBiIEHwD8jlV2fRCZXq1e7tPV6eLhSI74="} 01276{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":315,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1643355518166568,"flow_src_last_pkt_time":1643355518166568,"flow_dst_last_pkt_time":1643355518166568,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1250,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1250,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1250,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1643355518166568,"l3_proto":"ip4","src_ip":"192.168.1.123","dst_ip":"216.58.209.46","src_port":59102,"dst_port":443,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.GoogleClassroom","proto_id":"188.281","proto_by_ip":"Google","proto_by_ip_id":126,"encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative","hostname":"classroom.google.com","quic": {"user_agent":"Chrome\/97.0.4692.99 Windows NT 10.0; Win64; x64","quic_version":"V-1","tls": {"version":"TLSv1.3","ja3":"a27a03a8478393fe7f8958648bb71ff4","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","advertised_alpns":"h3","tls_supported_versions":"TLSv1.3"}}}} 00974{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":316,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":14,"flow_first_seen":1642584017659993,"flow_src_last_pkt_time":1642584019409362,"flow_dst_last_pkt_time":1642584019407774,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":924,"flow_dst_tot_l4_payload_len":5666,"midstream":0,"thread_ts_usec":1643355518166568,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"23.12.104.83","src_port":39248,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AccuWeather","proto_id":"91.280","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Fun","category_id":5,"category":"Web"}} -00639{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":316,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":316,"packets-processed":315,"total-skipped-flows":0,"total-l4-payload-len":129271,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":9,"total-detection-updates":10,"total-updates":0,"current-active-flows":1,"total-active-flows":9,"total-idle-flows":8,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":89,"global_ts_usec":1646482623895784} +00638{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":316,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":316,"packets-processed":315,"total-skipped-flows":0,"total-l4-payload-len":129271,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":9,"total-detection-updates":9,"total-updates":0,"current-active-flows":1,"total-active-flows":9,"total-idle-flows":8,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":88,"global_ts_usec":1646482623895784} 00777{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":316,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1646482623895784,"flow_src_last_pkt_time":1646482623895784,"flow_dst_last_pkt_time":1646482623895784,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1646482623895784,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"31.222.67.112","src_port":35054,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} 00556{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":316,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","flow_id":10,"flow_packet_id":1,"flow_src_last_pkt_time":1646482623895784,"flow_dst_last_pkt_time":1646482623895784,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1646482623895784,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAA8U5dAAEAGwa7AqAGAH95DcIjuAbuZU7+5AAAAAKAC+vB+rAAAAgQFtAQCCAqYsCyFAAAAAAEDAwc="} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":317,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","flow_id":10,"flow_packet_id":2,"flow_src_last_pkt_time":1646482623895784,"flow_dst_last_pkt_time":1646482623937401,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1646482623937401,"pkt":"PKn0qB\/spJGxgjQ5CABFAAA0AABAADIGI04f3kNwwKgBgAG7iO5SHRbemVO\/uoASa9CRawAAAgQFUAEBBAIBAwMH"} @@ -278,7 +277,7 @@ 02490{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":452,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","flow_id":36,"flow_packet_id":4,"flow_src_last_pkt_time":1646483012643710,"flow_dst_last_pkt_time":1646483012821762,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":1514,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1514,"pkt_l4_len":1480,"thread_ts_usec":1646483012821762,"pkt":"PKn0qB\/spJGxgjQ5CABFAAXch65AAOYGfOEoYaACwKgBgAG7m5Tksd5e67EgM1AQCAPV9wAAFgMDEU4CAABZAwNiI1ZE1H27b6T6JRvCm\/MD0luKFyMTDe3jrQbpiHy4ICC5MgAADb+Tw4RbiKuNvdQaqUF3iqCf4+0IdypYCofcN8AwAAARAAUAAAAjAAAAFwAA\/wEAAQALAA2dAA2aAAiqMIIIpjCCB46gAwIBAgIQBlZfm2qDLxvIgJ9OV3KS5zANBgkqhkiG9w0BAQsFADBLMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMSUwIwYDVQQDExxEaWdpQ2VydCBDbG91ZCBTZXJ2aWNlcyBDQS0xMB4XDTIxMTIyMjAwMDAwMFoXDTIyMTIyMjIzNTk1OVowajELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEUMBIGA1UEAxMLb3V0bG9vay5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDB9wlkgtAgWRPrtQjN+hjPY9n1E5BhRmtLNo5GgPTzKcmU9tJGqc3zsJF3xgbCIc1AB8dt7DonJfZNasePo6d0IRrMqsbrNLn0GUGS9qjY3dLxV51XQ61Sd9T5EQIE\/XwKZh3BtIehwUH0rE3omOA9+auyHPSNQb+BS4A5N6ZgG9TmdvEIgWfY9f1Id2M+DUxfatVW0Jp89Wvw8GBDfyzllLm0\/EDzmv3rk1vx4MWpb91yl2TwrYu1EMiyNNtVWRMGhTp1gkz5aMgVZO6TpdbLjcEUMxNrBEfUptVSqyzS++eERCA14Kg2rdfoONwwYHx3GIbJwcFbAJhsLXa\/I7dxAgMBAAGjggVlMIIFYTAfBgNVHSMEGDAWgBTdUdCiMXOpc66PtAF+XYxXy5\/w9zAdBgNVHQ4EFgQU3Odtv0FtIj23r9K5dpo4sXI2NS8wggIQBgNVHREEggIHMIICA4IWKi5pbnRlcm5hbC5vdXRsb29rLmNvbYINKi5vdXRsb29rLmNvbYILb3V0bG9vay5jb22CDW9mZmljZTM2NS5jb22CDyoub2ZmaWNlMzY1LmNvbYIXKi5vdXRsb29rLm9mZmljZTM2NS5jb22CDCoub2ZmaWNlLmNvbYISb3V0bG9vay5vZmZpY2UuY29tghRzdWJzdHJhdGUub2ZmaWNlLmNvbYIbYXR0YWNobWVudC5vdXRsb29rLmxpdmUubmV0gh1hdHRhY2htZW50Lm91dGxvb2sub2ZmaWNlLm5ldIIgYXR0YWNobWVudC5vdXRsb29rLm9mZmljZXBwZS5uZXSCFmF0dGFjaG1lbnRzLm9mZmljZS5uZXSCFiouY2xvLmZvb3RwcmludGRucy5jb22CFioubnJiLmZvb3RwcmludGRucy5jb22CHWNjcy5sb2dpbi5taWNyb3NvZnRvbmxpbmUuY29tgiFjY3Mtc2RmLmxvZ2luLm1pY3Jvc29mdG9ubGluZS5jb22CGHN1YnN0cmF0ZS1zZGYub2ZmaWNlLmNvbYIaYXR0YWNobWVudHMtc2RmLm9mZmljZS5uZXSCCioubGl2ZS5jb22CFm1haWwuc2VydmljZXMubGl2ZS5jb22CC2hvdG1haWwuY29tgg0qLmhvdG1haWwuY29tMA4GA1UdDwEB\/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwgY0GA1UdHwSBhTCBgjA\/oD2gO4Y5aHR0cDovL2NybDMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0Q2xvdWRTZXJ2aWNlc0NBLTEtZzEuY3JsMD+gPaA7hjlodHRwOi8vY3JsNC5kaWdpY2VydC5jb20vRGlnaUNlcnRDbG91ZFNlcnZpY2VzQ0EtMS1nMS5jcmw="} 02505{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":453,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","flow_id":36,"flow_packet_id":5,"flow_src_last_pkt_time":1646483012643710,"flow_dst_last_pkt_time":1646483012821837,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":1514,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1514,"pkt_l4_len":1480,"thread_ts_usec":1646483012821837,"pkt":"PKn0qB\/spJGxgjQ5CABFAAXch69AAOYGfOAoYaACwKgBgAG7m5TkseQS67EgM1AQCAPVywAAMD4GA1UdIAQ3MDUwMwYGZ4EMAQICMCkwJwYIKwYBBQUHAgEWG2h0dHA6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzB8BggrBgEFBQcBAQRwMG4wJQYIKwYBBQUHMAGGGWh0dHA6Ly9vY3NweC5kaWdpY2VydC5jb20wRQYIKwYBBQUHMAKGOWh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydENsb3VkU2VydmljZXNDQS0xLmNydDAMBgNVHRMBAf8EAjAAMIIBfgYKKwYBBAHWeQIEAgSCAW4EggFqAWgAdgApeb7wnjk5IfBWc59jpXflvld9nGAK+PlNXSZcJV3HhAAAAX3fdqGRAAAEAwBHMEUCIG19vZQ3ztPNq5S85GBThQ4+TBDHFxFC0nXZ4LXpUu3rAiEA8+M15TzZmOUopQftFbHUpCuDhU09pI7ZIoZ4rqlvzwYAdwBRo7D1\/QF5nFZtuDd4jwykeswbJ8v3nohCmg3+1IsF5QAAAX3fdqIKAAAEAwBIMEYCIQCCt\/CWyrB3z5L9JJQqtKhuKwSHXVPO\/nIzLQIRvE8QSAIhALAUu2+684sYBmTAWbK9qLsoHMJRLVDtf7PKkkuPEhCsAHUAQcjKsd8iRkoQxqE6CUKHXk4xixsD6+tLx2jwkGKWBvYAAAF933aiIAAABAMARjBEAiAmY6DHSC0PRZfjQURv9gfH7XNEvLtjnimdIZ9DL1pP\/wIgEm240\/6jgHbB2vouW4klCYLhx1mBUl2EGyo40QGnLN8wDQYJKoZIhvcNAQELBQADggEBAKs0Do0f0D7XJa8EwMbjj8gm+KWD\/Y615EL0mYouOSdmvSw1h3kWcf3Z3gP9p7LPMTiWc9WgaATbbQQyCdIiD4lE+y\/Hgw+bok2WmRbY6mYbpvHNrk5MrGqzAuJQP6PKt3aBz7PPYPmXPTacuSVPid0KRE9WekJR9Qbk7uWzQ9sUrU4qL0vpapgXTftedAVBzNTW+x6T9ZQXCGPbPWrvcN8p2WRUpvQPorVZ+8K6hKQ74Unfe858rN6lgFCEo0o1k\/W4HSPYM\/GX2BRkg5zPfLO7nMgTuWoOm6j0aPk8QFiDRXKTGIlkTm3CU1U8PU5zGVtJrxLepFiwH8haosDkiUMABOowggTmMIIDzqADAgECAhAPFxpIxvIjgJIYzS7W3cDoMA0GCSqGSIb3DQEBCwUAMGExCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMB4XDTIwMDkyNTAwMDAwMFoXDTMwMDkyNDIzNTk1OVowSzELMAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzElMCMGA1UEAxMcRGlnaUNlcnQgQ2xvdWQgU2VydmljZXMgQ0EtMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANGt9ocUeVQnV8cvBWg8mzzNZ+xFECyE8qRHxNlTQkUJu+T+M8HXvEYv0Yvmt7VneHxqcL79uOW2VM9MXqy4InRzVSkIc8hk99CVCQ55g1C\/X\/XUzJtCYY6ABLlBqs5OEpmbrNbFvlsCc7UWpKtxYtSY6kA5hab2uy\/o54fCi\/acMs3s+D6\/ied0I4JL2uq\/c6YlPP2\/qeVo\/\/gwomDHOy6j88V\/Ozv9DzGhfHQP0L8UxL1o8aXna6ffmwB+RiVO5ugT8\/YGx9RvCycgQl1hvD9g0nyWcsl8sIv\/+UgFUwT6Iq+3zVFdbd2QdAPwM0\/0x8A+VkZHr3Mgi9x6PqPyXf8CAwEAAaOCAa4wggGqMB0GA1UdDgQWBBTdUdCiMXOpc66PtAF+XYxXy5\/w9zAfBgM="} 01969{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":455,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","flow_id":36,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":5,"flow_first_seen":1646483012464918,"flow_src_last_pkt_time":1646483012643710,"flow_dst_last_pkt_time":1646483012821897,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":4435,"midstream":0,"thread_ts_usec":1646483012821897,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"40.97.160.2","src_port":39828,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Outlook","proto_id":"91.21","proto_by_ip":"Outlook","proto_by_ip_id":21,"encrypted":1,"breed":"Acceptable","category_id":3,"category":"Email","hostname":"outlook.com","tls": {"version":"TLSv1.2","server_names":"*.internal.outlook.com,*.outlook.com,outlook.com,office365.com,*.office365.com,*.outlook.office365.com,*.office.com,outlook.office.com,substrate.office.com,attachment.outlook.live.net,attachment.outlook.office.net,attachment.outlook.officeppe.net,attachments.office.net,*.clo.footprintdns.com,*.nrb.footprintdns.com,ccs.login.microsoftonline.com,ccs-sdf.login.microsoftonline.com,substrate-sdf.office.com,attachments-sdf.office.net,*.live.com,mail.services.live.com,hotmail.com,*.hotmail.com","ja3":"579ccef312d18482fc42e2b822ca2430","ja3s":"71d9ce75f347e6cf54268d7114ae6925","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1","subjectDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=outlook.com","advertised_alpns":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2","fingerprint":"4E:39:B4:13:4B:8C:77:57:7D:80:3D:76:40:E8:88:22:05:00:1C:58"}}} -00643{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":458,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":458,"packets-processed":457,"total-skipped-flows":0,"total-l4-payload-len":197833,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":32,"total-detection-updates":39,"total-updates":0,"current-active-flows":27,"total-active-flows":36,"total-idle-flows":9,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":281,"global_ts_usec":1646495488872237} +00643{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":458,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":458,"packets-processed":457,"total-skipped-flows":0,"total-l4-payload-len":197833,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":32,"total-detection-updates":38,"total-updates":0,"current-active-flows":27,"total-active-flows":36,"total-idle-flows":9,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":280,"global_ts_usec":1646495488872237} 00777{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":458,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1646495488872237,"flow_src_last_pkt_time":1646495488872237,"flow_dst_last_pkt_time":1646495488872237,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1646495488872237,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"15.160.39.187","src_port":45898,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} 00558{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":458,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","flow_id":37,"flow_packet_id":1,"flow_src_last_pkt_time":1646495488872237,"flow_dst_last_pkt_time":1646495488872237,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1646495488872237,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAA8\/MhAAEAGRHDAqAGAD6Anu7NKAbvmP22QAAAAAKAC+vBpUQAAAgQFtAQCCAoE\/txmAAAAAAEDAwc="} 00556{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":459,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","flow_id":37,"flow_packet_id":2,"flow_src_last_pkt_time":1646495488872237,"flow_dst_last_pkt_time":1646495488880478,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1646495488880478,"pkt":"PKn0qB\/spJGxgjQ5CABFAAA8AABAADIGTzkPoCe7wKgBgAG7s0optQbo5j9tkaAS9LPzBQAAAgQFtAQCCAoEQEeaBP7cZgEDAwc="} @@ -380,7 +379,7 @@ 01202{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":511,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","flow_id":46,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1646495837086190,"flow_src_last_pkt_time":1646495837086190,"flow_dst_last_pkt_time":1646495837086190,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1357,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1357,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1357,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1646495837086190,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"142.250.181.238","src_port":36832,"dst_port":443,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.GooglePlus","proto_id":"188.72","proto_by_ip":"Google","proto_by_ip_id":126,"encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"plus.google.com","quic": {"quic_version":"V-1","tls": {"version":"TLSv1.3","ja3":"b719940c5ab9a3373cb4475d8143ff88","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","advertised_alpns":"h3","tls_supported_versions":"TLSv1.3"}}}} 02351{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":512,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","flow_id":46,"flow_packet_id":2,"flow_src_last_pkt_time":1646495837086190,"flow_dst_last_pkt_time":1646495837102627,"flow_idle_time":200000000,"pkt_datalink":1,"pkt_caplen":1399,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1399,"pkt_l4_len":1365,"thread_ts_usec":1646495837102627,"pkt":"PKn0qB\/spJGxgjQ5CABFgAVpAABAADMROvOO+rXuwKgBgAG7j+AFVSXtyAAAAAEDuYLxCBrJK2uwimWBAEU4Tznrzq28hb1XmRDs0MFqelTnhcFUZ84H4q1aY4G8iO4oHDfc48pBHn\/VwFJa95gqSHvH4Ev8Om2dP0drKfHTm5RIabnMUwABEpNiK30Wb+s0DC1P8fJqrYirSkcMUtk+OScepXvvMoUJqb3oK\/SHueY\/CR+1r94ahlb+lQ5CMkRrFEpV8Y80c9Tk558ky1YvZroBJocv+D8x22dTrB3Nr2zV5BXUe4IfZjyM1uOvrGOzm7BFlSrMgOj6FKIkCgp\/pf+jrmIN6zoTCYHljLfpxOi3CtJlotE5kvBNJfYTIlpV6ePxOeaBHnLAnR8AUiLMe4EQhoCyafpPSu2uRilBt0zY24SPHj+Vr1q8JDD3+tdbrEpwnhqALSf4fMlI0nlCiW6KDCz9YYUL75K4IS9444yNzf1Yr99Mh0kbqbRkqVD2lz0sc+tejmla91jt2s1ymwqM2Dkc57wq\/ZGL2qTvHoCDCrWXzzSFq2DtMODbeFddKrW7D2S\/WC6gNpi8CkmnUEfrksPztXbMxr+4svM2m36IzD+uTDtBonQOeeetS42fSNmayHtkfbHFRhxhKIWxbXnDeYhaHVYjCQ+4X0zwkTVPladnLIcVEBYqwYQv5\/bz9ieX8wyoykaDLtE9CrJi2EKtZ8wkCC7Z741Zd+Wml1GFTEX8vTPcXOs4jWXGa8by36ak7R21cVgtCbMzCsX51MXYO9rxKpqzQ90YL3ZJybESTLyCZVaetnFQQy0zj9i3aMbEeaF1GIY8fpv41LJIfBTcuddEsku5mHk0ET+hIJRQHhrqv3\/7dLCFIB8IbFzqoMNXvst3vFd153RNd4+wDFw0PTKp3WxAax7aH3o4vpIKkH5MYZZm6QdYg4AXeCOVs+yOQckfo449mppsZnBCauNFwyGHgfdImQc5ChUcBackKfZKPm+8gpfez3Lh5cIH5TVZfBcX2049yxCxwBIQNMHRFZ\/l6px98JrGqv9wlLvZ9x05f9o+OBwqtGjSma1n6CqkHTjCKDb9wEKbD27oXi\/IB1KPHp2u9d\/c+7X2RVtjWmizhI43eqsfAt6YQSI\/I6i5XWGJRa1qw\/6lLbvQvj\/jHqXTS68GWhBdBLJUtfTko6qCsN7rqu1qRzGoIhl0BkGE92lNyYY\/ZTU6\/hdcvPHH\/gVolLu3hFDPu+ipgvDDLIZuRl+UaoOI4gJccnN1m37oKsX6NQtnyeGSc2tM6+62ei3A6X8waSaElCusvteiUGCHQxwaHmAxN+l0Fnrtj2W9v8HqhbG8zavLaMSK9TCSurpq1GtTp5SAztNP1KCrvVnqVhJrjpPBsMoRZgIibHU+b02bSrZ5vLUq8fMRq1DHjSpmxuFXNZXv4gyNl3Dl6lhcF466Vu3DVIKOpmXUnOt94P9drBleL2pc6g\/Rsi+uKui90velUE0hGPgoOIhhDJ0ymy34LYnDdDZuGwprFKEAglwy2+YC1sXbba6gKVjcOV1Ca5zHuLIWZHit470RXXzr7m1Xi\/5cXZYyKSyJACVo6ge6ve+Upi7YI+aW+jgyPqmHMKb+I\/eIOcKZeHyih24R2l7AgjvcvMggC5W8nbNUSu9cpnGWdlPqjTB0D+d7oT5+bGyUabkzh3dJ2t9fzH8gnGtlT1zFzufTmcBCKpbCY6sP\/0lUq7vHjuvu650M0IhuYA8e9G78Y8vHGY8YN9zIOLD+CF2bDXHwqf3VW0Z0KdlLeLkOH0oqFJ9UgLOZLQqYMUReoZ97In3a7hJ65ZurIhpFxCeAoO9kMhJrGIJTN\/Ls9g=="} 00990{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":513,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","flow_id":44,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1646495785326719,"flow_src_last_pkt_time":1646495785326719,"flow_dst_last_pkt_time":1646495785351813,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1357,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1357,"flow_dst_max_l4_payload_len":1357,"flow_src_tot_l4_payload_len":1357,"flow_dst_tot_l4_payload_len":1357,"midstream":0,"thread_ts_usec":1646495837102627,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"216.58.212.142","src_port":38642,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.Google","proto_id":"188.126","proto_by_ip":"Google","proto_by_ip_id":126,"encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} -00644{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":513,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":513,"packets-processed":512,"total-skipped-flows":0,"total-l4-payload-len":233934,"total-not-detected-flows":0,"total-guessed-flows":4,"total-detected-flows":42,"total-detection-updates":48,"total-updates":1,"current-active-flows":10,"total-active-flows":46,"total-idle-flows":36,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":383,"global_ts_usec":1646568788171099} +00644{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":513,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":513,"packets-processed":512,"total-skipped-flows":0,"total-l4-payload-len":233934,"total-not-detected-flows":0,"total-guessed-flows":4,"total-detected-flows":42,"total-detection-updates":47,"total-updates":1,"current-active-flows":10,"total-active-flows":46,"total-idle-flows":36,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":382,"global_ts_usec":1646568788171099} 00777{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":513,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","flow_id":47,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1646568788171099,"flow_src_last_pkt_time":1646568788171099,"flow_dst_last_pkt_time":1646568788171099,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1646568788171099,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"208.85.40.158","src_port":53978,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} 00556{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":513,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","flow_id":47,"flow_packet_id":1,"flow_src_last_pkt_time":1646568788171099,"flow_dst_last_pkt_time":1646568788171099,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1646568788171099,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAA8AQRAAEAGfpzAqAGA0FUontLaAbs4n4KKAAAAAKAC+vB1NgAAAgQFtAQCCArSjLpwAAAAAAEDAwc="} 00556{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":514,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","flow_id":47,"flow_packet_id":2,"flow_src_last_pkt_time":1646568788171099,"flow_dst_last_pkt_time":1646568788337647,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1646568788337647,"pkt":"PKn0qB\/spJGxgjQ5CABFAAA8Ke1AAPAGpbLQVSiewKgBgAG70tpN2CtOOJ+Ci6ASOQiNqgAAAgQFtAEDAwAEAggKXyXRHtKMunA="} @@ -401,7 +400,7 @@ 00995{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":520,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","flow_id":46,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1646495837086190,"flow_src_last_pkt_time":1646495837086190,"flow_dst_last_pkt_time":1646495837102627,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1357,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1357,"flow_dst_max_l4_payload_len":1357,"flow_src_tot_l4_payload_len":1357,"flow_dst_tot_l4_payload_len":1357,"midstream":0,"thread_ts_usec":1646568788847834,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"142.250.181.238","src_port":36832,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.GooglePlus","proto_id":"188.72","proto_by_ip":"Google","proto_by_ip_id":126,"encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} 00987{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":520,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","flow_id":38,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":5,"flow_first_seen":1646495650748124,"flow_src_last_pkt_time":1646495650812560,"flow_dst_last_pkt_time":1646495650832457,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":675,"flow_dst_tot_l4_payload_len":4252,"midstream":0,"thread_ts_usec":1646568788847834,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"52.113.194.132","src_port":57878,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","proto_by_ip":"Skype_Teams","proto_by_ip_id":125,"encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative"}} 00994{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":520,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":2,"flow_first_seen":1646495488872237,"flow_src_last_pkt_time":1646495488882948,"flow_dst_last_pkt_time":1646495488890513,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1448,"midstream":0,"thread_ts_usec":1646568788847834,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"15.160.39.187","src_port":45898,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AppleSiri","proto_id":"91.254","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Acceptable","category_id":32,"category":"VirtAssistant"}} -00645{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":520,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":520,"packets-processed":520,"total-skipped-flows":0,"total-l4-payload-len":238171,"total-not-detected-flows":0,"total-guessed-flows":4,"total-detected-flows":43,"total-detection-updates":50,"total-updates":1,"current-active-flows":0,"total-active-flows":47,"total-idle-flows":47,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":404,"global_ts_usec":1646568788847834} +00645{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":520,"source":"cfgs\/default\/pcap\/sites.pcapng","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":520,"packets-processed":520,"total-skipped-flows":0,"total-l4-payload-len":238171,"total-not-detected-flows":0,"total-guessed-flows":4,"total-detected-flows":43,"total-detection-updates":49,"total-updates":1,"current-active-flows":0,"total-active-flows":47,"total-idle-flows":47,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":403,"global_ts_usec":1646568788847834} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ ~~ packets captured/processed: 520/520 ~~ skipped flows.............: 0 diff --git a/test/results/default/teams.pcap.out b/test/results/default/teams.pcap.out index 6c337ffaf..bded6bbec 100644 --- a/test/results/default/teams.pcap.out +++ b/test/results/default/teams.pcap.out @@ -38,7 +38,6 @@ 00778{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":37,"source":"cfgs\/default\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":4,"flow_src_last_pkt_time":1587041676499766,"flow_dst_last_pkt_time":1587041676405623,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":240,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":240,"pkt_l4_len":206,"thread_ts_usec":1587041676499766,"pkt":"EBMx8Tl2KDc3AG3ICABFAADiAABAAEAG9tTAqAEGNHJNIex0AbuczSMoSaIgqYAYEAlcWgAAAQEICjCEl\/VhBkyoFgMBAKkBAAClAwNgsc\/zVfk3fJaoeGVjBvcvXHJydxa1mwDEXFImXbQK\/wAAHsAvwCvAMMAszKnMqMAJwBPACsAUAJwAnQAvADUACgEAAF7\/AQABAAAAACMAIQAAHm1vYmlsZS5waXBlLmFyaWEubWljcm9zb2Z0LmNvbQAXAAAAIwAAAA0AFAASBAMIBAQBBQMIBQUBCAYGAQIBAAsAAgEAAAoACAAGAB0AFwAY"} 01241{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":37,"source":"cfgs\/default\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1587041676362386,"flow_src_last_pkt_time":1587041676499766,"flow_dst_last_pkt_time":1587041676405623,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":174,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":174,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041676499766,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60532,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}}},"confidence": {"6":"DPI"},"proto":"TLS.Microsoft","proto_id":"91.212","proto_by_ip":"Azure","proto_by_ip_id":276,"encrypted":1,"breed":"Safe","category_id":13,"category":"Cloud","hostname":"mobile.pipe.aria.microsoft.com","tls": {"version":"TLSv1.2","ja3":"a1674500365bdd882188db63730e69a2","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}} 02163{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":47,"source":"cfgs\/default\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1587041676435900,"flow_src_last_pkt_time":1587041676535873,"flow_dst_last_pkt_time":1587041676535853,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":258,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":757,"flow_dst_tot_l4_payload_len":10509,"midstream":0,"thread_ts_usec":1587041676535873,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60533,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":2,"avg":6449.2,"max":29755,"stddev":8827.8,"var":77930416.0,"ent":3.7,"data": [12466,12563,1399,13862,1628,233,14289,254,250,114,2,99,4851,16541,1120,12847,339,301,11408,365,232,23032,26,11077,443,29285,29755,471,122,15,537]},"pktlen": {"min":40,"avg":393.9,"max":1492,"stddev":548.1,"var":300365.6,"ent":3.9,"data": [64,52,40,250,46,1492,1492,40,1492,40,1492,257,40,198,46,366,40,109,40,133,78,298,78,46,40,46,556,40,1492,1492,671,40]},"bins": {"c_to_s": [10,1,1,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,1,0,0,0,1,0,0,0,1,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,1,1,0,0,1,1,0,1,0,0,0,0,1,1,0,1,1,0,1,1,1,0],"entropies": [4.365527153,4.946223736,4.521928787,5.447622776,4.609350681,7.356091499,7.445232391,4.680641174,7.544306755,4.571928501,7.621133804,7.081102371,4.630641460,6.624766827,4.609350681,7.169972897,4.680641174,6.030838013,4.630641460,6.150182247,5.105917454,7.025798798,5.428217888,4.565872192,4.680641174,4.565872192,7.556540489,4.680641174,7.827769756,7.840335846,7.703694820,4.680641174]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","proto_by_ip":"Skype_Teams","proto_by_ip_id":125,"encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative"}} -01488{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":47,"source":"cfgs\/default\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1587041676435900,"flow_src_last_pkt_time":1587041676535873,"flow_dst_last_pkt_time":1587041676535853,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":258,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":757,"flow_dst_tot_l4_payload_len":10509,"midstream":0,"thread_ts_usec":1587041676535873,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60533,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","proto_by_ip":"Skype_Teams","proto_by_ip_id":125,"encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative","hostname":"teams.microsoft.com","tls": {"version":"TLSv1.2","server_names":"teams.microsoft.com","ja3":"ebf5e0e525258d7a8dcb54aa1564ecbd","ja3s":"0f14538e1c9070becdad7739c67d6363","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4","subjectDN":"CN=teams.microsoft.com","advertised_alpns":"h2,http\/1.1","negotiated_alpn":"h2","fingerprint":"68:1E:E8:3C:83:70:6F:E3:86:F4:E8:8C:C4:E6:A0:9A:3E:E0:9C:0E"}}} 02481{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":56,"source":"cfgs\/default\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":5,"flow_src_last_pkt_time":1587041676499766,"flow_dst_last_pkt_time":1587041676545373,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":1506,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1506,"pkt_l4_len":1472,"thread_ts_usec":1587041676545373,"pkt":"KDc3AG3IEBMx8Tl2CABFAAXUL\/9AAGwGleM0ck0hwKgBBgG77HRJoiCpnM0j1oAQBAXctwAAAQEICmEGTTMwhJf1FgMDEGYCAABRAwNemFWMXBNb2F1eIS0NgygX31DvjFSWgfTq\/PXgXBX\/USAORwAAVmOWcPohT0niCo9N4puGGU7iW5AxxYvHQvC098AwAAAJABcAAP8BAAEACwAO3QAO2gAJHDCCCRgwggcAoAMCAQICExYACr2jKIomrOvxeF4AAAAKvaMwDQYJKoZIhvcNAQELBQAwgYsxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xFTATBgNVBAsTDE1pY3Jvc29mdCBJVDEeMBwGA1UEAxMVTWljcm9zb2Z0IElUIFRMUyBDQSA0MB4XDTE5MTAxMDIxNTUzOFoXDTIxMTAxMDIxNTUzOFowJjEkMCIGA1UEAwwbKi5ldmVudHMuZGF0YS5taWNyb3NvZnQuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq8J31SJyCTCkjxtLC8JE7aU56y+0937PcYfrFGWW\/wSL1vxV6UtbY+5UyBq7YUvoZUI+YYWI6FMysHpnkiGQR5h3NLX2it0lgM0JMJXgIYfO+vdhJalxciwWfJHOcY4+eUQwpTmpGeOTzK\/sd1W+VOYbkgWPJ0lAEgTcRXL\/NZZAtyce+Sv4+b4jHwY9pwQxOHJWtnns0bK3jD\/RcAtjLeUisGvBGtt1SItPOQvgD6i2AdvjCkjqVXn0nxT\/yKuGkvtii1i85nrjeMS5pKgL+N2I4goIXeRAaK089dd0KrnNO6kLEhhSHgHwJHnPwfqeXH1Q2p1Zw2r13mOsJdyP7QIDAQABo4IE1zCCBNMwggF\/BgorBgEEAdZ5AgQCBIIBbwSCAWsBaQB2APZclC\/RdzAiFFQYCDCUVo7jTRMZM7\/fDC8gC8xO8WTjAAABbbe0zD0AAAQDAEcwRQIgXUu8wYK\/QqX5unkLcaUv4T8oQWu5yZb6M3RYbUFPJ7sCIQCVvziq+dynpJXSFyAk+ZobbjdMm8Ziuyzc0miXoW9hmQB2AFWB1MIWkDYBSuoLm1c8U\/DA5Dh4cCUIFy+jqh0HE9MMAAABbbe0zTwAAAQDAEcwRQIgOIr7NuYD18H8X6OV\/YdBgg0HoCy47ognD1Etlbp3ZVgCIQCAVAoqvjDqhz4It72mColVOT\/FZuexWjdVPWkvuAPY1AB3AESUZS6w7s6vxEAH2Kj+KMDa5oK+2MsxtT\/TM5a1toGoAAABbbe0zEEAAAQDAEgwRgIhAMLyKXAV0HvPisLX5tlLiDTgtSUtRgffnQWc5h8Pdj8PAiEAo6ENbH0+qORahbVCksBW940dOZQUoTXblsn+bri9ExQwJwYJKwYBBAGCNxUKBBowGDAKBggrBgEFBQcDAjAKBggrBgEFBQcDATA+BgkrBgEEAYI3FQcEMTAvBicrBgEEAYI3FQiH2oZ1g+7ZAYLJhRuBtZ5hhfTrYIFdhNLfQoLnk3oCAWQCAR0wgYUGCCsGAQUFBwEBBHkwdzBRBggrBgEFBQcwAoZFaHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraS9tc2NvcnAvTWljcm9zb2Z0JTIwSVQlMjBUTFMlMjBDQSUyMDQuY3J0MCIGCCsGAQUFBzABhhZodHRwOi8vb2NzcC5tc29jc3AuY29tMB0GA1UdDgQWBBQa+kPWU8gwtBlTGMvS3dHpIWlv7TALBgNVHQ8EBAMCBLAwgfIGA1UdEQSB6jCB54IbKi5ldmVudHMuZGF0YS5taWNyb3NvZnQuY29tghlldmVudHMuZGF0YS5taWNyb3NvZnQuY29tghkqLnBpcGUuYXJpYS5taWNyb3NvZnQuY29tgg5waXBl"} 01773{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":59,"source":"cfgs\/default\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1587041676362386,"flow_src_last_pkt_time":1587041676545644,"flow_dst_last_pkt_time":1587041676545713,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":174,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":174,"flow_dst_tot_l4_payload_len":4203,"midstream":0,"thread_ts_usec":1587041676545713,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60532,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}}},"confidence": {"6":"DPI"},"proto":"TLS.Microsoft","proto_id":"91.212","proto_by_ip":"Azure","proto_by_ip_id":276,"encrypted":1,"breed":"Safe","category_id":13,"category":"Cloud","hostname":"mobile.pipe.aria.microsoft.com","tls": {"version":"TLSv1.2","server_names":"*.events.data.microsoft.com,events.data.microsoft.com,*.pipe.aria.microsoft.com,pipe.skype.com,*.pipe.skype.com,*.mobile.events.data.microsoft.com,mobile.events.data.microsoft.com,*.events.data.msn.com,events.data.msn.com","ja3":"a1674500365bdd882188db63730e69a2","ja3s":"ae4edc6faf64d08308082ad26be60767","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4","subjectDN":"CN=*.events.data.microsoft.com","fingerprint":"33:B3:B7:E9:DA:25:F5:A0:04:E9:63:87:B6:FB:54:77:DB:ED:27:EB"}}} 00291{"error_event_id":5,"error_event_name":"Unknown packet type","threshold_n":7,"threshold_n_max":16,"threshold_time":10000000,"threshold_ts_usec":1587041676611249,"packet_id":64,"source":"cfgs\/default\/pcap\/teams.pcap","alias":"nDPId-test","layer_type":38,"global_ts_usec":1587041676611249} @@ -52,7 +51,6 @@ 02496{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":69,"source":"cfgs\/default\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":5,"flow_src_last_pkt_time":1587041676643404,"flow_dst_last_pkt_time":1587041676675374,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":1506,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1506,"pkt_l4_len":1472,"thread_ts_usec":1587041676675374,"pkt":"KDc3AG3IEBMx8Tl2CABFAAXULqZAAG0G5kwofgkFwKgBBgG77HaiQyYcpEtP4IAQBAWIzwAAAQEIClUAvgAwhJiBCxMMTWljcm9zb2Z0IElUMR4wHAYDVQQDExVNaWNyb3NvZnQgSVQgVExTIENBIDEwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCO8\/GEdXe8vsmk9RalUytQYJnc2H3ZJLXhckk3SP7ahpOjfR2aSxBNd3l+Zal8bjbiR9Q2SdDMJAInFOKucc3ZV3Q8EFYZkkqHYvnjkI1e3tFBGxqmH0CiLB6OVdcm2GhCq+wN3t1eYZWzrGyBzqjgra9fyqbkUWguJ\/1UKnGkzLt+kvH2U1EFMdAZgrDKY9DySgALzfRpS\/RallY5JsmdSwpjNDKApQTl6ii3wQDAbRrwKNRKj4CscxnY9RYvra4Il2IGLP7npfCtQVN\/jSsxwxRzId3jeGOcUYa1okhJwHkIFUMAK5m4S+DHVwdsxLmmVC0BU\/Kj8qTM2cFU84jN5EwT04ozIVitGL++OYFwOWk3+FukY+8JB9+HGmLHmgjF0R1eYnYB3WnmOLtEsC1NOsYugOBgclvyzOaOXDohHl2wOSu96hPLlsu2anSMjrwOEJ8bpUBBj5FcdqcO8ao6h7cMd99xai8oYUItkA9yBatn4MF7y5xAmsQKCESMfD26qQ4esdkivR9fQWpzVPZm4qD5pjne0nfzaQS\/t7s8xJP\/cgQctTadaH\/f+jlPsvaPuRz\/re0OFQjjhnzySEl3lxb2\/QD2T6Zeb+c5wFFlPeuxlzDs6p5z\/B4soN+Lz3NftQ4GQhcmlezYqSfQ0GWUXOI\/yigppSD0yN1dtP\/m3QIDAQABo4IBQjCCAT4wHQYDVR0OBBYEFFiIn9bcnEgitxQ+\/4SI6OaF\/\/p9MB8GA1UdIwQYMBaAFOWdWTCCR1jMrPoIVDaGezq1BE3wMBIGA1UdEwEB\/wQIMAYBAf8CAQAwDgYDVR0PAQH\/BAQDAgGGMCcGA1UdJQQgMB4GCCsGAQUFBwMBBggrBgEFBQcDAgYIKwYBBQUHAwkwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL09tbmlyb290MjAyNS5jcmwwPQYDVR0gBDYwNDAyBgRVHSAAMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwDQYJKoZIhvcNAQELBQADggEBADCaxp1q\/e+TCAy+gnf5dqBtnnswI3uoKVr0aj7HCwyW37hLUuQNnDjteGO1c8AcHzvgp\/9\/SVGVMrjQm6nlz5YDgYDVSmEY\/sRqxt9\/QUYinIBm6w9CoOTzpCGjmNB6dPaM6MPSK6orzhFZGUTnXAcJQuvX\/RVNuW9sRDUmh7qjO2iwgecgyX8TAvPMq58clVDLrmSAu4cKXc6ma7J94z024ilRtyX80AnjsK3EYi4+foUmsvav920xc8YZmKlykwLOygs9POzZcOiA9RareGqHTcaBN6gKdoEGqO8XYHxwEBM8ONczTOQ3ZQj7kbPoFnZhKmX1WJSzRQHvwE8De7gMAAFJAwAXQQTOd4jCuMTh7EYDlmBiiGmTGwexXcFlv\/T2ck50p74cYWIJH\/qL5LjbfCSDp3wqAO8ZZNaw1gxy4Uzbx\/mTFEUoBAEBACuEjKAM1qXUNVaS\/GaC95SQ9vmaMh+jYNW\/golBe81NwxyW1ReEMvroTkbS6BjiR97ixB57SOr\/EVlzcCLlr0XL6vCOvZKaaq3SzHreSfwbGspHUYxwK5i8j23AovUYK4FdR8PK9GkF5j5DZYPL2nmL62KrpTU3AqFF18hKfZ2alq2jaowqtsC3NBCAd6aifgpEBRhB9rZP2x\/YPgDeBGSAHqMX"} 01199{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":69,"source":"cfgs\/default\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":2,"flow_first_seen":1587041676612882,"flow_src_last_pkt_time":1587041676643404,"flow_dst_last_pkt_time":1587041676675374,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":246,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":246,"flow_dst_tot_l4_payload_len":1440,"midstream":0,"thread_ts_usec":1587041676675374,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"40.126.9.5","src_port":60534,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Microsoft365","proto_id":"91.219","proto_by_ip":"Azure","proto_by_ip_id":276,"encrypted":1,"breed":"Acceptable","category_id":15,"category":"Collaborative","hostname":"login.microsoftonline.com","tls": {"version":"TLSv1.2","ja3":"a69708a64f853c3bcc214c2c5faf84f3","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","advertised_alpns":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1"}}} 02305{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":109,"source":"cfgs\/default\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":23,"flow_dst_packets_processed":9,"flow_first_seen":1587041676362386,"flow_src_last_pkt_time":1587041676859269,"flow_dst_last_pkt_time":1587041676859222,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1428,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":23115,"flow_dst_tot_l4_payload_len":4254,"midstream":0,"thread_ts_usec":1587041676859269,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60532,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":1,"avg":32055.5,"max":221245,"stddev":54144.2,"var":2931591680.0,"ent":3.4,"data": [43237,43341,94039,139750,215,45878,125,102,1406,46781,45438,177198,6,1,221245,44042,6,2,2,21255,21237,4,23005,23005,5,2,3,1223,1159,4,3]},"pktlen": {"min":52,"avg":907.9,"max":1492,"stddev":687.5,"var":472618.5,"ent":4.4,"data": [64,60,52,226,1492,1492,52,1375,52,145,103,52,1480,1480,1480,52,1480,1480,1480,1480,52,1480,1480,52,1480,1480,1480,1480,52,1480,1480,1480]},"bins": {"c_to_s": [5,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0],"s_to_c": [5,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0]},"directions": [0,1,0,0,1,1,0,1,0,0,1,0,0,0,0,1,0,0,0,0,1,0,0,1,0,0,0,0,1,0,0,0],"entropies": [4.428027153,5.210652828,4.884933472,5.556665897,7.283374786,7.268235207,4.923395157,7.674625397,4.884933472,5.901349068,5.537203789,4.923394680,7.865010738,7.865353107,7.863998413,5.116508007,7.872262955,7.872727394,7.850155830,7.872891426,5.101991177,7.883207798,7.861774921,5.078046322,7.883695126,7.860937595,7.861885548,7.869150639,5.092563629,7.862890244,7.881820202,7.880939960]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}}},"confidence": {"6":"DPI"},"proto":"TLS.Microsoft","proto_id":"91.212","proto_by_ip":"Azure","proto_by_ip_id":276,"encrypted":1,"breed":"Safe","category_id":13,"category":"Cloud"}} -01778{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":109,"source":"cfgs\/default\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":23,"flow_dst_packets_processed":9,"flow_first_seen":1587041676362386,"flow_src_last_pkt_time":1587041676859269,"flow_dst_last_pkt_time":1587041676859222,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1428,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":23115,"flow_dst_tot_l4_payload_len":4254,"midstream":0,"thread_ts_usec":1587041676859269,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60532,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}}},"confidence": {"6":"DPI"},"proto":"TLS.Microsoft","proto_id":"91.212","proto_by_ip":"Azure","proto_by_ip_id":276,"encrypted":1,"breed":"Safe","category_id":13,"category":"Cloud","hostname":"mobile.pipe.aria.microsoft.com","tls": {"version":"TLSv1.2","server_names":"*.events.data.microsoft.com,events.data.microsoft.com,*.pipe.aria.microsoft.com,pipe.skype.com,*.pipe.skype.com,*.mobile.events.data.microsoft.com,mobile.events.data.microsoft.com,*.events.data.msn.com,events.data.msn.com","ja3":"a1674500365bdd882188db63730e69a2","ja3s":"ae4edc6faf64d08308082ad26be60767","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4","subjectDN":"CN=*.events.data.microsoft.com","fingerprint":"33:B3:B7:E9:DA:25:F5:A0:04:E9:63:87:B6:FB:54:77:DB:ED:27:EB"}}} 00771{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":153,"source":"cfgs\/default\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1587041677042751,"flow_src_last_pkt_time":1587041677042751,"flow_dst_last_pkt_time":1587041677042751,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041677042751,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60535,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} 00559{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":153,"source":"cfgs\/default\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":1,"flow_src_last_pkt_time":1587041677042751,"flow_dst_last_pkt_time":1587041677042751,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1587041677042751,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAG93bAqAEGNHJNIex3AbvbPWM6AAAAALAC\/\/\/8iwAAAgQFtAEDAwUBAQgKMISaAAAAAAAEAgAA"} 00552{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":156,"source":"cfgs\/default\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":2,"flow_src_last_pkt_time":1587041677042751,"flow_dst_last_pkt_time":1587041677088014,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1587041677088014,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8FwhAAGwGtHI0ck0hwKgBBgG77Hf6fNLR2z1jO6ASIACfvwAAAgQFoAEDAwgEAggKYRMfbzCEmgA="} @@ -222,7 +220,6 @@ 02480{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":451,"source":"cfgs\/default\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":28,"flow_packet_id":5,"flow_src_last_pkt_time":1587041682744658,"flow_dst_last_pkt_time":1587041682792228,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":1506,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1506,"pkt_l4_len":1472,"thread_ts_usec":1587041682792228,"pkt":"KDc3AG3IEBMx8Tl2CABFAAXU9YZAAGwG0EI0ck06wKgBBgG77IG+FZj3YAjihlAQCAQbpwAAahz3MIwwCwYDVR0PBAQDAgSwMIHfBgNVHREEgdcwgdSCIyoubm9hbS5wcmVzZW5jZS50ZWFtcy5taWNyb3NvZnQuY29tgiMqLmVtZWEucHJlc2VuY2UudGVhbXMubWljcm9zb2Z0LmNvbYIjKi5hcGFjLnByZXNlbmNlLnRlYW1zLm1pY3Jvc29mdC5jb22CJSoubm9hbWRmLnByZXNlbmNlLnRlYW1zLm1pY3Jvc29mdC5jb22CHioucHJlc2VuY2UudGVhbXMubWljcm9zb2Z0LmNvbYIccHJlc2VuY2UudGVhbXMubWljcm9zb2Z0LmNvbTCBrAYDVR0fBIGkMIGhMIGeoIGboIGYhktodHRwOi8vbXNjcmwubWljcm9zb2Z0LmNvbS9wa2kvbXNjb3JwL2NybC9NaWNyb3NvZnQlMjBJVCUyMFRMUyUyMENBJTIwMS5jcmyGSWh0dHA6Ly9jcmwubWljcm9zb2Z0LmNvbS9wa2kvbXNjb3JwL2NybC9NaWNyb3NvZnQlMjBJVCUyMFRMUyUyMENBJTIwMS5jcmwwTQYDVR0gBEYwRDBCBgkrBgEEAYI3KgEwNTAzBggrBgEFBQcCARYnaHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraS9tc2NvcnAvY3BzMB8GA1UdIwQYMBaAFFiIn9bcnEgitxQ+\/4SI6OaF\/\/p9MB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAgEAFfJmXOb1G3\/gkDpDClarQB6kon6qcwX4Kh295CbM2AS5Vgj29434HX0cY+Z9iv\/MTbIOmx9325DU4Jkds6+IU\/YaIPC6iJQpcE2e349x3dnDm3opekdQpM9PDa129MKr2YMPfEeN8v0qTyUuQZhGs4n0KhbSGQjx5\/B9gHGSpxe32oG49c+UQMe29vQ918eWYGlRxmosgaDo1O8G3hucKxVwq7wwZImn3rzlX2p3MvbHeLrrJ0NnlDsEaTwHS4Q6zzFHSGKHEGxwFQAn8mD1A4CEULHR5utg70c+5SvpcPBwDRulBAl1YVyuiG0lQXudeFRPjGil0p6dBb5dVHM6sDa+2bhTnT5Xrs6ALFkSOC2eT01f34o0LD\/iYJpYUBbRpunp7qdsCEujVxZR8n0k581k760zp6eOKdldSwGD2zCkU49qbfX71ampz0Sa7apdvaSE3KDX92BVUqVgQf0FXIZml2UETl7GkuJ7ywmJNZy\/VBh5fwF2G5tkeqqgUFl6Pz5ffSKavNMdYdiF0oJdwf95BiDLfhWMFAZ\/Az1Qj25O939c39zHdQmU2Gk65JAtVnlAhmcxyqDVZJv7WCLyYv8x3gCNb27V5dMzb8gu1mMtVqxF0t9OtLhe0ZVbT57TWBzaMHvBs\/e9XYiw9V9PDcm\/ctwDNyy0pJxMD8+96LUABbgwggW0MIIEnKADAgECAhAIuHpQG76c2i0WTT45Ub9VMA0GCSqGSIb3DQEBCwUAMFoxCzAJBgNVBAYTAklFMRIwEAYDVQQKEwlCYWx0aW1vcmUxEzARBgNVBAsTCkN5YmVyVHJ1c3QxIjAgBgNVBAMTGUJhbHRpbW9yZSBDeWJlclRydXN0IFJvb3QwHhcNMTYwNTIwMTI1MTI4WhcNMjQwNTIwMTI1MTI4WjCBizELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEVMBMGA1UECxMMTWljcm9zb2Z0IElUMR4wHAYDVQQDExVNaWNyb3NvZnQgSVQgVExTIENBIDEwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCO8\/GEdXe8vsmk"} 01157{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":451,"source":"cfgs\/default\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":2,"flow_first_seen":1587041682698689,"flow_src_last_pkt_time":1587041682744658,"flow_dst_last_pkt_time":1587041682792228,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":219,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":219,"flow_dst_tot_l4_payload_len":1452,"midstream":0,"thread_ts_usec":1587041682792228,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.58","src_port":60545,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","proto_by_ip":"Azure","proto_by_ip_id":276,"encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative","hostname":"presence.teams.microsoft.com","tls": {"version":"TLSv1.2","ja3":"ebf5e0e525258d7a8dcb54aa1564ecbd","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","advertised_alpns":"h2,http\/1.1"}}} 02304{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":467,"source":"cfgs\/default\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"info","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1587041682369801,"flow_src_last_pkt_time":1587041682803345,"flow_dst_last_pkt_time":1587041682803309,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1428,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":20291,"flow_dst_tot_l4_payload_len":4254,"midstream":0,"thread_ts_usec":1587041682803345,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60543,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":2,"avg":27969.4,"max":152917,"stddev":40324.3,"var":1626047232.0,"ent":3.6,"data": [50532,50647,291,64604,72036,210,136507,124,96,1421,68048,86231,152917,2268,6,3,46387,44112,4,2,3,23630,23615,4,20861,20866,7,7,3,845,765]},"pktlen": {"min":52,"avg":819.7,"max":1492,"stddev":699.2,"var":488828.9,"ent":4.3,"data": [64,60,52,258,52,1492,1492,52,1375,52,145,52,103,52,1480,1480,1480,52,1480,1480,1480,1480,52,1480,1480,52,1480,1480,1480,1480,52,1480]},"bins": {"c_to_s": [5,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0],"s_to_c": [7,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,0,1,1,0,0,0,0,1,0,0,0,0,1,0,0,1,0,0,0,0,1,0],"entropies": [4.384982109,5.323234558,4.961856842,5.939832211,5.116507530,7.288343430,7.267649651,5.000318527,7.662917614,4.961856842,5.882802486,5.193430901,5.624773026,4.961856842,7.851280689,7.841383457,7.873037815,5.154969692,7.851320267,7.856824398,7.856104374,7.863511562,5.154969215,7.862011433,7.862949848,5.154969215,7.888728619,7.861488342,7.847744942,7.865393639,5.193430901,7.879679203]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}}},"confidence": {"6":"DPI"},"proto":"TLS.Microsoft","proto_id":"91.212","proto_by_ip":"Azure","proto_by_ip_id":276,"encrypted":1,"breed":"Safe","category_id":13,"category":"Cloud"}} -01780{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":467,"source":"cfgs\/default\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"info","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1587041682369801,"flow_src_last_pkt_time":1587041682803345,"flow_dst_last_pkt_time":1587041682803309,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1428,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":20291,"flow_dst_tot_l4_payload_len":4254,"midstream":0,"thread_ts_usec":1587041682803345,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60543,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}}},"confidence": {"6":"DPI"},"proto":"TLS.Microsoft","proto_id":"91.212","proto_by_ip":"Azure","proto_by_ip_id":276,"encrypted":1,"breed":"Safe","category_id":13,"category":"Cloud","hostname":"mobile.pipe.aria.microsoft.com","tls": {"version":"TLSv1.2","server_names":"*.events.data.microsoft.com,events.data.microsoft.com,*.pipe.aria.microsoft.com,pipe.skype.com,*.pipe.skype.com,*.mobile.events.data.microsoft.com,mobile.events.data.microsoft.com,*.events.data.msn.com,events.data.msn.com","ja3":"a1674500365bdd882188db63730e69a2","ja3s":"ae4edc6faf64d08308082ad26be60767","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4","subjectDN":"CN=*.events.data.microsoft.com","fingerprint":"33:B3:B7:E9:DA:25:F5:A0:04:E9:63:87:B6:FB:54:77:DB:ED:27:EB"}}} 00775{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":472,"source":"cfgs\/default\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":30,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1587041682809173,"flow_src_last_pkt_time":1587041682809173,"flow_dst_last_pkt_time":1587041682809173,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041682809173,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"167.99.215.164","src_port":60546,"dst_port":4434,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} 00559{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":472,"source":"cfgs\/default\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":30,"flow_packet_id":1,"flow_src_last_pkt_time":1587041682809173,"flow_dst_last_pkt_time":1587041682809173,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1587041682809173,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAG+gHAqAEGp2PXpOyCEVImrEWfAAAAALAC\/\/+rgAAAAgQFtAEDAwUBAQgKMISwIQAAAAAEAgAA"} 00554{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":516,"source":"cfgs\/default\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":30,"flow_packet_id":2,"flow_src_last_pkt_time":1587041682809173,"flow_dst_last_pkt_time":1587041682862686,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1587041682862686,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADQGBganY9ekwKgBBhFS7ILLfLe3JqxFoKAS\/ogNbwAAAgQFrAQCCAoTeRnVMISwIQEDAwc="} @@ -267,9 +264,7 @@ 00533{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":672,"source":"cfgs\/default\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":35,"flow_packet_id":5,"flow_src_last_pkt_time":1587041684317987,"flow_dst_last_pkt_time":1587041684329497,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1587041684329497,"pkt":"KDc3AG3IEBMx8Tl2CABFAAAoFJtAAHYGDxENaxILwKgBBgG77IU13hw1zZy5bVAQBAEDUQAAAAAAAAAA"} 01996{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":677,"source":"cfgs\/default\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":6,"flow_first_seen":1587041684306115,"flow_src_last_pkt_time":1587041684362150,"flow_dst_last_pkt_time":1587041684362335,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":211,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":211,"flow_dst_tot_l4_payload_len":4396,"midstream":0,"thread_ts_usec":1587041684362335,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"13.107.18.11","src_port":60549,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Microsoft365","proto_id":"91.219","proto_by_ip":"Outlook","proto_by_ip_id":21,"encrypted":1,"breed":"Acceptable","category_id":15,"category":"Collaborative","hostname":"substrate.office.com","tls": {"version":"TLSv1.2","server_names":"outlook.office.com,attachment.outlook.office.net,attachment.outlook.officeppe.net,bookings.office.com,delve.office.com,edge.outlook.office365.com,edgesdf.outlook.com,img.delve.office.com,outlook.live.com,outlook-sdf.live.com,outlook-sdf.office.com,sdfedge-pilot.outlook.com,substrate.office.com,substrate-sdf.office.com,afd-k-acdc-direct.office.com,beta-sdf.yammer.com,teams-sdf.yammer.com,beta.yammer.com,teams.yammer.com,attachments.office.net,attachments-sdf.office.net,afd-k.office.com,afd-k-sdf.office.com","ja3":"ebf5e0e525258d7a8dcb54aa1564ecbd","ja3s":"a66ea560599a2f5c89eec8c3a0d69cee","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1","subjectDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Outlook.office.com","advertised_alpns":"h2,http\/1.1","negotiated_alpn":"h2","fingerprint":"AA:D3:F5:66:06:48:AA:F8:8E:9B:79:D6:7F:1D:53:EA:3F:97:03:A2"}}} 02180{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":697,"source":"cfgs\/default\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1587041682144166,"flow_src_last_pkt_time":1587041684314927,"flow_dst_last_pkt_time":1587041684501131,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":521,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":1329,"flow_dst_tot_l4_payload_len":7087,"midstream":0,"thread_ts_usec":1587041684501131,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60542,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":3,"avg":146055.7,"max":2009785,"stddev":489503.9,"var":239614050304.0,"ent":1.7,"data": [12667,12766,154,12385,2459,251,14879,502,529,250,3,817,4854,17134,1376,20,13097,4,249,321,136,11841,14,11155,108,621,112917,113684,1998116,2009785,174632]},"pktlen": {"min":40,"avg":305.2,"max":1492,"stddev":468.1,"var":219152.8,"ent":3.8,"data": [64,52,40,257,46,1492,1492,40,1492,40,1492,181,40,198,46,366,109,40,40,133,78,561,46,78,40,46,46,440,40,342,46,345]},"bins": {"c_to_s": [9,1,1,0,1,0,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,1,1,0,1,0,0,0,0,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,1,1,0,0,1,1,1,0,0,0,0,0,1,1,0,1,1,1,0,0,1,1],"entropies": [4.396777153,4.984685421,4.571928501,5.492863178,4.462504387,7.269914627,7.475378990,4.630641460,7.477076530,4.571928501,7.667408466,6.767431736,4.680641174,6.542833328,4.505983353,7.221371651,5.957443714,4.630641460,4.630640984,6.221683502,5.214766979,7.578815937,4.414441109,5.396905422,4.571928501,4.457919598,4.522393703,7.482207775,4.680641174,7.242818356,4.478915691,7.266457558]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","proto_by_ip":"Skype_Teams","proto_by_ip_id":125,"encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative"}} -01540{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":697,"source":"cfgs\/default\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1587041682144166,"flow_src_last_pkt_time":1587041684314927,"flow_dst_last_pkt_time":1587041684501131,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":521,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":1329,"flow_dst_tot_l4_payload_len":7087,"midstream":0,"thread_ts_usec":1587041684501131,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60542,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","proto_by_ip":"Skype_Teams","proto_by_ip_id":125,"encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative","hostname":"config.teams.microsoft.com","tls": {"version":"TLSv1.2","server_names":"*.config.teams.microsoft.com,config.teams.microsoft.com","ja3":"ebf5e0e525258d7a8dcb54aa1564ecbd","ja3s":"0f14538e1c9070becdad7739c67d6363","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 1","subjectDN":"CN=config.teams.microsoft.com","advertised_alpns":"h2,http\/1.1","negotiated_alpn":"h2","fingerprint":"B9:54:54:12:C9:E9:43:65:10:70:04:7B:AD:B6:0C:46:06:38:A5:FA"}}} 02174{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":702,"source":"cfgs\/default\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1587041684306115,"flow_src_last_pkt_time":1587041684950374,"flow_dst_last_pkt_time":1587041684410372,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":3472,"flow_dst_tot_l4_payload_len":5797,"midstream":0,"thread_ts_usec":1587041684950374,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"13.107.18.11","src_port":60549,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":1,"avg":24145.7,"max":539594,"stddev":94604.1,"var":8949939200.0,"ent":1.9,"data": [11504,11610,262,11878,32500,90,44163,247,1,223,3839,7741,325,72,14634,1492,13,4159,11,266,6513,474,6734,4309,9884,14215,10718,10725,539594,6,314]},"pktlen": {"min":40,"avg":331.5,"max":1492,"stddev":473.5,"var":224192.2,"ent":3.9,"data": [64,52,40,251,46,1492,1492,40,1492,80,40,198,133,578,172,46,366,109,40,40,78,46,78,40,46,689,40,359,40,1480,694,248]},"bins": {"c_to_s": [9,1,1,0,2,0,2,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0],"s_to_c": [5,2,1,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,1,1,0,1,1,0,0,0,0,0,1,1,1,0,0,0,1,1,0,1,1,0,1,0,0,0,0],"entropies": [4.428027153,4.893245220,4.521928310,5.397158146,4.505983353,6.671830177,7.464404583,4.630641460,7.577803612,5.737496376,4.680641174,6.516131401,6.154890537,7.647973537,6.500202656,4.505983353,7.196300030,5.817581654,4.611769199,4.561769485,5.250086308,4.457919598,5.392898560,4.630641460,4.522393227,7.690679073,4.680641174,7.335716724,4.680641174,7.846065521,7.720572472,6.957527637]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Microsoft365","proto_id":"91.219","proto_by_ip":"Outlook","proto_by_ip_id":21,"encrypted":1,"breed":"Acceptable","category_id":15,"category":"Collaborative"}} -02000{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":702,"source":"cfgs\/default\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1587041684306115,"flow_src_last_pkt_time":1587041684950374,"flow_dst_last_pkt_time":1587041684410372,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":3472,"flow_dst_tot_l4_payload_len":5797,"midstream":0,"thread_ts_usec":1587041684950374,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"13.107.18.11","src_port":60549,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Microsoft365","proto_id":"91.219","proto_by_ip":"Outlook","proto_by_ip_id":21,"encrypted":1,"breed":"Acceptable","category_id":15,"category":"Collaborative","hostname":"substrate.office.com","tls": {"version":"TLSv1.2","server_names":"outlook.office.com,attachment.outlook.office.net,attachment.outlook.officeppe.net,bookings.office.com,delve.office.com,edge.outlook.office365.com,edgesdf.outlook.com,img.delve.office.com,outlook.live.com,outlook-sdf.live.com,outlook-sdf.office.com,sdfedge-pilot.outlook.com,substrate.office.com,substrate-sdf.office.com,afd-k-acdc-direct.office.com,beta-sdf.yammer.com,teams-sdf.yammer.com,beta.yammer.com,teams.yammer.com,attachments.office.net,attachments-sdf.office.net,afd-k.office.com,afd-k-sdf.office.com","ja3":"ebf5e0e525258d7a8dcb54aa1564ecbd","ja3s":"a66ea560599a2f5c89eec8c3a0d69cee","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1","subjectDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Outlook.office.com","advertised_alpns":"h2,http\/1.1","negotiated_alpn":"h2","fingerprint":"AA:D3:F5:66:06:48:AA:F8:8E:9B:79:D6:7F:1D:53:EA:3F:97:03:A2"}}} 00772{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":714,"source":"cfgs\/default\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1587041685090830,"flow_src_last_pkt_time":1587041685090830,"flow_dst_last_pkt_time":1587041685090830,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":45,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":45,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":45,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041685090830,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"192.168.1.1","src_port":61245,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":5} 00568{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":714,"source":"cfgs\/default\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":36,"flow_packet_id":1,"flow_src_last_pkt_time":1587041685090830,"flow_dst_last_pkt_time":1587041685090830,"flow_idle_time":200000000,"pkt_datalink":1,"pkt_caplen":87,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":87,"pkt_l4_len":53,"thread_ts_usec":1587041685090830,"pkt":"EBMx8Tl2KDc3AG3ICABFAABJHhYAAP8RGjbAqAEGwKgBAe89ADUANcKVVKoBAAABAAAAAAAABGV1YXoCdHIFdGVhbXMJbWljcm9zb2Z0A2NvbQAAAQAB"} 01069{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":714,"source":"cfgs\/default\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1587041685090830,"flow_src_last_pkt_time":1587041685090830,"flow_dst_last_pkt_time":1587041685090830,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":45,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":45,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":45,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041685090830,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"192.168.1.1","src_port":61245,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Teams","proto_id":"5.250","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Safe","category_id":14,"category":"Network","hostname":"euaz.tr.teams.microsoft.com","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}} @@ -341,7 +336,6 @@ 02483{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":824,"source":"cfgs\/default\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":40,"flow_packet_id":5,"flow_src_last_pkt_time":1587041685262299,"flow_dst_last_pkt_time":1587041685419490,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":1506,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1506,"pkt_l4_len":1472,"thread_ts_usec":1587041685419490,"pkt":"KDc3AG3IEBMx8Tl2CABFAAXUjN5AAG0Gdfg0cg8twKgBBgG77IfA1AaSAv0PYlAQCARVFQAAFgMDF0UCAABVAwNemFWVsa3S0qCCJCKRvR5FvfRm4ku4Wp9dZjR4sGYcKSB2HAAAgvc9nFx0wNSQ+kfvV9B0Mq9ipN+Lt19U\/tPHHsAwAAANAAUAAAAXAAD\/AQABAAsADkgADkUACIcwggiDMIIGa6ADAgECAhMgAA1\/5iyI2CMUD4FHAAAADX\/mMA0GCSqGSIb3DQEBCwUAMIGLMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMRUwEwYDVQQLEwxNaWNyb3NvZnQgSVQxHjAcBgNVBAMTFU1pY3Jvc29mdCBJVCBUTFMgQ0EgMjAeFw0xOTExMjkxNzU3NThaFw0yMTExMjkxNzU3NThaMCgxJjAkBgNVBAMMHSoudHJvdXRlci50ZWFtcy5taWNyb3NvZnQuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyKcimDO37qOiITdGLLSgRk4SNqeQiChf5fToMO+7e1Qw4j4NVAURrkRlqOSwosi6x2ool0Qjlt5bANU2A7E0ubHR6fs+J4y2vgrsv41S7Ao\/UxdKklkG0wgp+paNcl2enqs+JFcPVtFPe+T+pnY6IZUpOziGi8NLx\/K2NG5xSvrdawVpY5vXRxXKsvLFIAdaJQozyWf9lCNbt+4C0IVl2Ep7N5bp06LVMZktn1YAjolqeEl3RQ6hM3GKceom5l4hpyP43E\/dTe3eLNBfmO8cDd9p8HlGVSrgjhKz1wuJWFoWgHTgDnVBSZVB7t78lIFlze4qLsPX90PfKUlmjF\/zIQIDAQABo4IEQDCCBDwwggGABgorBgEEAdZ5AgQCBIIBcASCAWwBagB2APZclC\/RdzAiFFQYCDCUVo7jTRMZM7\/fDC8gC8xO8WTjAAABbrhZJv4AAAQDAEcwRQIhALfHXTClbVL1ZG3BQH+fsd9EVlnIhlrRTh9b\/BWQkqOPAiArDlgg99bYekywwY8T40DyNspZOTZKKrpABVWSIcE7CwB3AFzcQ5L+5qtFRLFemtRW5hA3+9X6R9yhc5SyXub2xw7KAAABbrhZJyYAAAQDAEgwRgIhAJuNw4ivK3DXIXmUE+m57QEHF+rXHdB72ZviRwQ9s+0GAiEA9kNgaFnkw8l1xiyZdSGjaIfmqNZ4qpxCiXwbbmlDWu4AdwBElGUusO7Or8RAB9io\/ijA2uaCvtjLMbU\/0zOWtbaBqAAAAW64WScNAAAEAwBIMEYCIQDmc93n7UJEyvvIddsbJMxC7aPmS7n2Z\/C8vjlA2j\/H8AIhAP0Hy\/4XLfkD3pYHuzfG85l40mxoPZVRGXbh3zqAj+miMCcGCSsGAQQBgjcVCgQaMBgwCgYIKwYBBQUHAwIwCgYIKwYBBQUHAwEwPgYJKwYBBAGCNxUHBDEwLwYnKwYBBAGCNxUIh9qGdYPu2QGCyYUbgbWeYYX062CBXYTS30KC55N6AgFkAgEdMIGFBggrBgEFBQcBAQR5MHcwUQYIKwYBBQUHMAKGRWh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2kvbXNjb3JwL01pY3Jvc29mdCUyMElUJTIwVExTJTIwQ0ElMjAyLmNydDAiBggrBgEFBQcwAYYWaHR0cDovL29jc3AubXNvY3NwLmNvbTAdBgNVHQ4EFgQUdTnCFCgplfnCaQOBNT9YTfK9XfMwCwYDVR0PBAQDAgSwMFsGA1UdEQRUMFKCHSoudHJvdXRlci50ZWFtcy5taWNyb3NvZnQuY29tgg1nby50cm91dGVyLmlvghEqLmRyaXAudHJvdXRlci5pb4IPKi5kYy50cm91dGVyLmlvMIGsBgNVHR8EgaQwgaEw"} 01650{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":830,"source":"cfgs\/default\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":40,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":6,"flow_first_seen":1587041685106192,"flow_src_last_pkt_time":1587041685420065,"flow_dst_last_pkt_time":1587041685420103,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":203,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":203,"flow_dst_tot_l4_payload_len":5962,"midstream":0,"thread_ts_usec":1587041685420103,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.15.45","src_port":60551,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}}},"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","proto_by_ip":"Azure","proto_by_ip_id":276,"encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative","hostname":"trouter2-asse-a.trouter.teams.microsoft.com","tls": {"version":"TLSv1.2","server_names":"*.trouter.teams.microsoft.com,go.trouter.io,*.drip.trouter.io,*.dc.trouter.io","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"986571066668055ae9481cb84fda634a","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 2","subjectDN":"CN=*.trouter.teams.microsoft.com","fingerprint":"DD:24:DF:0E:F3:63:CC:10:B5:03:CF:34:EB:A5:14:8B:97:90:9B:D4"}}} 02318{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":855,"source":"cfgs\/default\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":43,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1587041685240465,"flow_src_last_pkt_time":1587041685469669,"flow_dst_last_pkt_time":1587041685469973,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1082,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":1426,"flow_dst_tot_l4_payload_len":15976,"midstream":0,"thread_ts_usec":1587041685469973,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60554,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":3,"avg":14797.2,"max":153955,"stddev":35697.7,"var":1274323968.0,"ent":2.8,"data": [12903,12995,473,12371,1988,1502,15362,129,134,115,3,85,21608,33026,11480,11732,109,11784,570,13396,140399,715,153955,248,230,250,250,503,25,129,243]},"pktlen": {"min":40,"avg":585.7,"max":1492,"stddev":671.4,"var":450756.0,"ent":4.0,"data": [64,52,40,226,46,1492,1492,40,1492,40,1492,168,40,147,46,91,46,91,40,1122,46,1492,1492,40,1317,40,1492,1492,40,40,1492,1492]},"bins": {"c_to_s": [10,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,10,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,1,1,0,0,1,0,1,1,0,0,1,1,1,0,1,0,1,1,0,0,1,1],"entropies": [4.365527153,4.878727913,4.471928596,5.502106190,4.402616024,7.277978420,7.489027023,4.630640984,7.478912354,4.521928310,7.663036823,6.686788082,4.630640984,6.493359089,4.462505341,5.681205750,4.462504864,5.560394764,4.580641270,7.802004814,4.565872192,7.879904747,7.863986492,4.580641270,7.860152721,4.580640793,7.874552727,7.850657463,4.580641270,4.471928596,7.869473934,7.878328800]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}}},"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","proto_by_ip":"Skype_Teams","proto_by_ip_id":125,"encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative"}} -01621{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":855,"source":"cfgs\/default\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":43,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1587041685240465,"flow_src_last_pkt_time":1587041685469669,"flow_dst_last_pkt_time":1587041685469973,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1082,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":1426,"flow_dst_tot_l4_payload_len":15976,"midstream":0,"thread_ts_usec":1587041685469973,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60554,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}}},"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","proto_by_ip":"Skype_Teams","proto_by_ip_id":125,"encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative","hostname":"config.teams.microsoft.com","tls": {"version":"TLSv1.2","server_names":"*.config.teams.microsoft.com,config.teams.microsoft.com","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"7d8fd34fdb13a7fff30d5a52846b6c4c","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 1","subjectDN":"CN=config.teams.microsoft.com","fingerprint":"B9:54:54:12:C9:E9:43:65:10:70:04:7B:AD:B6:0C:46:06:38:A5:FA"}}} 00774{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":920,"source":"cfgs\/default\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":47,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1587041685984732,"flow_src_last_pkt_time":1587041685984732,"flow_dst_last_pkt_time":1587041685984732,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041685984732,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60557,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} 00559{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":920,"source":"cfgs\/default\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":47,"flow_packet_id":1,"flow_src_last_pkt_time":1587041685984732,"flow_dst_last_pkt_time":1587041685984732,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1587041685984732,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGghTAqAEGNHHChOyNAbtKVk3bAAAAALAC\/\/8LQAAAAgQFtAEDAwUBAQgKMIS8GgAAAAAEAgAA"} 00543{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":921,"source":"cfgs\/default\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":47,"flow_packet_id":2,"flow_src_last_pkt_time":1587041685984732,"flow_dst_last_pkt_time":1587041685996890,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1587041685996890,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA0TQBAAHUGACA0ccKEwKgBBgG77I3LqgPISlZN3IAS\/\/9gggAAAgQFoAEDAwgBAQQC"} @@ -400,7 +394,6 @@ 00775{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1082,"source":"cfgs\/default\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":55,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1587041687745932,"flow_src_last_pkt_time":1587041687745932,"flow_dst_last_pkt_time":1587041687745932,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041687745932,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.169.186.119","src_port":60563,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} 00560{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1082,"source":"cfgs\/default\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":55,"flow_packet_id":1,"flow_src_last_pkt_time":1587041687745932,"flow_dst_last_pkt_time":1587041687745932,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1587041687745932,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGienAqAEGNKm6d+yTAbth0wzHAAAAALAC\/\/81+QAAAgQFtAEDAwUBAQgKMITCxwAAAAAEAgAA"} 02310{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1085,"source":"cfgs\/default\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":51,"flow_state":"info","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1587041687245112,"flow_src_last_pkt_time":1587041687718851,"flow_dst_last_pkt_time":1587041687768506,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1428,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":17623,"flow_dst_tot_l4_payload_len":4254,"midstream":0,"thread_ts_usec":1587041687768506,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60561,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":2,"avg":32165.6,"max":161774,"stddev":44327.4,"var":1964919296.0,"ent":3.6,"data": [48418,48527,459,88180,136486,113743,249,161774,129,117,1072,74551,73518,1076,4,2,50124,49022,3,3,12,48400,48413,4,15,2,1599,1536,46881,1065,1749]},"pktlen": {"min":52,"avg":736.7,"max":1492,"stddev":694.0,"var":481656.1,"ent":4.2,"data": [64,60,52,258,258,64,1492,1492,52,1375,52,145,103,52,1480,1480,1480,52,1480,1480,1480,1480,52,1480,1480,1480,1480,52,1462,52,52,52]},"bins": {"c_to_s": [5,0,1,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0],"s_to_c": [8,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0]},"directions": [0,1,0,0,0,1,1,1,0,1,0,0,1,0,0,0,0,1,0,0,0,0,1,0,0,0,0,1,0,1,1,1],"entropies": [4.396777153,5.256567478,4.923395157,5.966666698,5.971492767,5.091578960,7.290405750,7.275161743,4.961856842,7.668800354,5.000318527,6.002202988,5.583368301,4.961856842,7.860765934,7.857263088,7.894361019,5.193430901,7.864349842,7.853641510,7.869278908,7.874048233,5.054101944,7.853607655,7.866478443,7.865472317,7.878810406,5.154969692,7.853725433,5.193431377,5.154969692,5.154969692]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}}},"confidence": {"6":"DPI"},"proto":"TLS.Microsoft","proto_id":"91.212","proto_by_ip":"Azure","proto_by_ip_id":276,"encrypted":1,"breed":"Safe","category_id":13,"category":"Cloud"}} -01781{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1085,"source":"cfgs\/default\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":51,"flow_state":"info","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1587041687245112,"flow_src_last_pkt_time":1587041687718851,"flow_dst_last_pkt_time":1587041687768506,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1428,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":17623,"flow_dst_tot_l4_payload_len":4254,"midstream":0,"thread_ts_usec":1587041687768506,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60561,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}}},"confidence": {"6":"DPI"},"proto":"TLS.Microsoft","proto_id":"91.212","proto_by_ip":"Azure","proto_by_ip_id":276,"encrypted":1,"breed":"Safe","category_id":13,"category":"Cloud","hostname":"mobile.pipe.aria.microsoft.com","tls": {"version":"TLSv1.2","server_names":"*.events.data.microsoft.com,events.data.microsoft.com,*.pipe.aria.microsoft.com,pipe.skype.com,*.pipe.skype.com,*.mobile.events.data.microsoft.com,mobile.events.data.microsoft.com,*.events.data.msn.com,events.data.msn.com","ja3":"a1674500365bdd882188db63730e69a2","ja3s":"ae4edc6faf64d08308082ad26be60767","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4","subjectDN":"CN=*.events.data.microsoft.com","fingerprint":"33:B3:B7:E9:DA:25:F5:A0:04:E9:63:87:B6:FB:54:77:DB:ED:27:EB"}}} 00554{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1086,"source":"cfgs\/default\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":55,"flow_packet_id":2,"flow_src_last_pkt_time":1587041687745932,"flow_dst_last_pkt_time":1587041687789261,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1587041687789261,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8GLFAAGwGRTw0qbp3wKgBBgG77JMQ1B2QYdMMyKASIACACgAAAgQFoAEDAwgEAggKASJ3bTCEwsc="} 00542{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1087,"source":"cfgs\/default\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":55,"flow_packet_id":3,"flow_src_last_pkt_time":1587041687789367,"flow_dst_last_pkt_time":1587041687789261,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1587041687789367,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGifXAqAEGNKm6d+yTAbth0wzIENQdkYAQEAm+kQAAAQEICjCEwvABIndt"} 00842{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1088,"source":"cfgs\/default\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":55,"flow_packet_id":4,"flow_src_last_pkt_time":1587041687789561,"flow_dst_last_pkt_time":1587041687789261,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":287,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":287,"pkt_l4_len":253,"thread_ts_usec":1587041687789561,"pkt":"EBMx8Tl2KDc3AG3ICABFAAERAABAAEAGiRjAqAEGNKm6d+yTAbth0wzIENQdkYAYEAmMqgAAAQEICjCEwvABIndtFgMBANgBAADUAwN1hCAWlzZVXD7TCb6igB3LJP9WVkluJUaJIbsmWjvyJAAAHCoqzKnMqMArwC\/ALMAwwBPAFACcAJ0ALwA1AAoBAACP6uoAAP8BAAEAAAAAIwAhAAAeZXVuby0xLmFwaS5taWNyb3NvZnRzdHJlYW0uY29tABcAAAAjAAAADQAUABIEAwgEBAEFAwgFBQEIBgYBAgEABQAFAQAAAAAAEgAAABAADgAMAmgyCGh0dHAvMS4xAAsAAgEAAAoACgAI2toAHQAXABgAGwADAgACOjoAAQA="} @@ -678,7 +671,7 @@ 00967{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1540,"source":"cfgs\/default\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":75,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1587041694221137,"flow_src_last_pkt_time":1587041694221137,"flow_dst_last_pkt_time":1587041694234511,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":58,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":58,"flow_dst_max_l4_payload_len":134,"flow_src_tot_l4_payload_len":58,"flow_dst_tot_l4_payload_len":134,"midstream":0,"thread_ts_usec":1587041698021081,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"192.168.1.1","src_port":60837,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Teams","proto_id":"5.250","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}} 00999{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1540,"source":"cfgs\/default\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":53,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1587041687436782,"flow_src_last_pkt_time":1587041687725655,"flow_dst_last_pkt_time":1587041687725568,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1313,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":2206,"flow_dst_tot_l4_payload_len":7143,"midstream":0,"thread_ts_usec":1587041698021081,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"104.40.187.151","src_port":60562,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"3":"DPI (partial)"},"proto":"TLS.Skype_Teams","proto_id":"91.125","proto_by_ip":"Azure","proto_by_ip_id":276,"encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00967{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1540,"source":"cfgs\/default\/pcap\/teams.pcap","alias":"nDPId-test","flow_id":39,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1587041685093044,"flow_src_last_pkt_time":1587041685093044,"flow_dst_last_pkt_time":1587041685127636,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":53,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":53,"flow_dst_max_l4_payload_len":174,"flow_src_tot_l4_payload_len":53,"flow_dst_tot_l4_payload_len":174,"midstream":0,"thread_ts_usec":1587041698021081,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"192.168.1.1","src_port":50653,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Teams","proto_id":"5.250","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}} -00646{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":1540,"source":"cfgs\/default\/pcap\/teams.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":1540,"packets-processed":1498,"total-skipped-flows":0,"total-l4-payload-len":587095,"total-not-detected-flows":1,"total-guessed-flows":2,"total-detected-flows":80,"total-detection-updates":64,"total-updates":0,"current-active-flows":0,"total-active-flows":83,"total-idle-flows":83,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":681,"global_ts_usec":1587041698021081} +00646{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":1540,"source":"cfgs\/default\/pcap\/teams.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":1540,"packets-processed":1498,"total-skipped-flows":0,"total-l4-payload-len":587095,"total-not-detected-flows":1,"total-guessed-flows":2,"total-detected-flows":80,"total-detection-updates":57,"total-updates":0,"current-active-flows":0,"total-active-flows":83,"total-idle-flows":83,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":674,"global_ts_usec":1587041698021081} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ ~~ packets captured/processed: 1540/1498 ~~ skipped flows.............: 0 diff --git a/test/results/default/telnet.pcap.out b/test/results/default/telnet.pcap.out index 3e2e98ea2..8cb4fd6fe 100644 --- a/test/results/default/telnet.pcap.out +++ b/test/results/default/telnet.pcap.out @@ -10,9 +10,8 @@ 01091{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":29,"source":"cfgs\/default\/pcap\/telnet.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":15,"flow_first_seen":943755158387203,"flow_src_last_pkt_time":943755158616442,"flow_dst_last_pkt_time":943755159705066,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":85,"flow_dst_max_l4_payload_len":32,"flow_src_tot_l4_payload_len":197,"flow_dst_tot_l4_payload_len":139,"midstream":0,"thread_ts_usec":943755159705066,"l3_proto":"ip4","src_ip":"192.168.0.2","dst_ip":"192.168.0.1","src_port":1550,"dst_port":23,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":450,"client":345,"server":105}}},"confidence": {"6":"DPI"},"proto":"Telnet","proto_id":"77","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Unsafe","category_id":12,"category":"RemoteAccess","telnet": {"username":"","password":""}}} 01095{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":31,"source":"cfgs\/default\/pcap\/telnet.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":15,"flow_first_seen":943755158387203,"flow_src_last_pkt_time":943755160949196,"flow_dst_last_pkt_time":943755159705066,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":85,"flow_dst_max_l4_payload_len":32,"flow_src_tot_l4_payload_len":203,"flow_dst_tot_l4_payload_len":139,"midstream":0,"thread_ts_usec":943755160949196,"l3_proto":"ip4","src_ip":"192.168.0.2","dst_ip":"192.168.0.1","src_port":1550,"dst_port":23,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":450,"client":345,"server":105}}},"confidence": {"6":"DPI"},"proto":"Telnet","proto_id":"77","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Unsafe","category_id":12,"category":"RemoteAccess","telnet": {"username":"fake","password":""}}} 02271{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"cfgs\/default\/pcap\/telnet.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":943755158387203,"flow_src_last_pkt_time":943755160950568,"flow_dst_last_pkt_time":943755159705066,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":85,"flow_dst_max_l4_payload_len":32,"flow_src_tot_l4_payload_len":203,"flow_dst_tot_l4_payload_len":139,"midstream":0,"thread_ts_usec":943755160950568,"l3_proto":"ip4","src_ip":"192.168.0.2","dst_ip":"192.168.0.1","src_port":1550,"dst_port":23,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":172,"avg":125200.9,"max":1232764,"stddev":336743.6,"var":113396252672.0,"ent":2.2,"data": [2525,2572,1588,147810,146242,172,1611,1711,3291,1327,593,1791,1069,2370,3571,617,1174,22251,20360,1248,13791,15049,1196,784,12789,12241,20023,1107336,1099990,1232764,1372]},"pktlen": {"min":52,"avg":63.2,"max":137,"stddev":18.8,"var":354.0,"ent":4.9,"data": [60,60,52,79,55,52,55,52,77,116,52,70,61,52,76,52,137,52,55,55,52,64,58,52,67,52,84,52,59,52,58,52]},"bins": {"c_to_s": [15,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [14,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,0,0,1,1,0,1,1,0,1,1,0,0,0,1,0,1,1,0,1,1,0,1,0,1,0,0,0],"entropies": [4.315444469,4.777318954,4.791129112,5.044729233,4.800010681,4.791129112,4.871557236,4.662475586,5.051413059,5.269734383,4.647958755,5.011583805,5.044849873,4.777860641,4.820554256,4.791128635,5.556590080,4.868052006,4.850099087,4.862643719,4.777860641,4.944003105,4.924550533,4.739398956,4.948766708,4.791129112,5.493695259,4.829590797,5.035621166,4.686420441,5.042736053,4.829590321]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":450,"client":345,"server":105}}},"confidence": {"6":"DPI"},"proto":"Telnet","proto_id":"77","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Unsafe","category_id":12,"category":"RemoteAccess"}} -01095{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":32,"source":"cfgs\/default\/pcap\/telnet.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":943755158387203,"flow_src_last_pkt_time":943755160950568,"flow_dst_last_pkt_time":943755159705066,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":85,"flow_dst_max_l4_payload_len":32,"flow_src_tot_l4_payload_len":203,"flow_dst_tot_l4_payload_len":139,"midstream":0,"thread_ts_usec":943755160950568,"l3_proto":"ip4","src_ip":"192.168.0.2","dst_ip":"192.168.0.1","src_port":1550,"dst_port":23,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":450,"client":345,"server":105}}},"confidence": {"6":"DPI"},"proto":"Telnet","proto_id":"77","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Unsafe","category_id":12,"category":"RemoteAccess","telnet": {"username":"fake","password":""}}} 01083{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":92,"source":"cfgs\/default\/pcap\/telnet.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":48,"flow_dst_packets_processed":44,"flow_first_seen":943755158387203,"flow_src_last_pkt_time":943755197957149,"flow_dst_last_pkt_time":943755197958477,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":85,"flow_dst_max_l4_payload_len":488,"flow_src_tot_l4_payload_len":289,"flow_dst_tot_l4_payload_len":1371,"midstream":0,"thread_ts_usec":943755197958477,"l3_proto":"ip4","src_ip":"192.168.0.2","dst_ip":"192.168.0.1","src_port":1550,"dst_port":23,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":450,"client":345,"server":105}}},"confidence": {"6":"DPI"},"proto":"Telnet","proto_id":"77","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Unsafe","category_id":12,"category":"RemoteAccess"}} -00633{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":92,"source":"cfgs\/default\/pcap\/telnet.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":92,"packets-processed":92,"total-skipped-flows":0,"total-l4-payload-len":1660,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":3,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":15,"global_ts_usec":943755197958477} +00633{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":92,"source":"cfgs\/default\/pcap\/telnet.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":92,"packets-processed":92,"total-skipped-flows":0,"total-l4-payload-len":1660,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":2,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":14,"global_ts_usec":943755197958477} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ ~~ packets captured/processed: 92/92 ~~ skipped flows.............: 0 @@ -27,4 +26,4 @@ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json message min len.......: 543 chars ~~ json message max len.......: 2276 chars -~~ json message avg len.......: 1370 chars +~~ json message avg len.......: 1332 chars diff --git a/test/results/default/tls-appdata.pcap.out b/test/results/default/tls-appdata.pcap.out index d495ffbcc..20fc42b52 100644 --- a/test/results/default/tls-appdata.pcap.out +++ b/test/results/default/tls-appdata.pcap.out @@ -20,12 +20,11 @@ 04463{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":11,"source":"cfgs\/default\/pcap\/tls-appdata.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":5,"flow_src_last_pkt_time":1643610288724000,"flow_dst_last_pkt_time":1643610288740000,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":2958,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":2958,"pkt_l4_len":2924,"thread_ts_usec":1643610288740000,"pkt":"YDjgxTWgeJS0JASgCABFAAuAJktAADkGUjo038YHwKgCZAG75mCdFTXMOSeK4VAQCRbJZQAAojBMnRDZFuM5IayC7DxZg14hGjptzpz7JyYn\/VlCW5HvsHG0Mf4\/S4so+0jRr7AUxe\/99FVXASYAy6+CnvN+L3wtaase6XcKwXPlMdIoSbRjhWoksZG1BLBjH5CzFnJVtvvwB4EQoSLCePdVBagaQtfWaLJfD9KQjJfE3+tjeuNO1zSZMQ3b3SV\/CSdUT8nZm6O5PfBzi9sFGCnyTeNgfHUexbr2KlFVjtjvSJtGOZY9oQaXPXGon+WPWFia+cJl+PLMl30C6oEUkTrH1lnP6uYZAtt02PaZK3cUjSU38gWQl0mmp1p4JVBUFUunkphM0+4YGawKHKXk+vQiFjN3ioqCBpN2z5nUccWMpzdzKOH6igknO7RExCKwvouXPpQ1blUE60W7wlRxBK7a0fhB\/hEFnGm0piRzqfUyfkXfj8Aof2hNjFMEOEym2LmXZpn326GR6rL8krrzqq3jihuk9\/AJbQW14B0xtzidDDna0EDhooCbiph5alqpOttnFPxdRRlN4M3rm\/reacV6TXT7cW1KkHfh4S8amolRozdjsBvB+KXa1i0gO\/5vi2yk8+fmbTfysVYk0Mvot7TD7\/Q1OwHq8ukhZ98JRoSBH0A8ZugikuD+4fy8dDXQgmV9\/YjKxYS6suqEHKksJ6+eZnU0mOC1DFDZX8lJCGWr8U4GyEY2CucVAkVGOktZvjRxG+3KNum5rBmsjeKJKSXGphUlupzVu0f4VVY7wiV4ctynrgVcw6ux9CX0IeEQl5wqxPMtwt7BaO89NjsCNj6gBqvFnAiEPTlZMERaymXlqNjw6veeiP13MVewTF0Rlrxjs8XDcqVMweVVmiCGwNbAjrc9sbh5GiU+faYg0AZTYafaQ36A7UsGPL3XlJxu951A5GXa6I2hlFIfAm7t0yxrQzKkAFb92IMk0IgoUmNFBTaMIniGjbcg\/z72wygn0RTxN8KnivzxYQacLE1FbOM0XK4dmV2rWgp+Woc+M1naNVKjCed5+RuQ+PBJD2sGM593KdXRlSF0I\/SAHo+T0+jf2U3PXlt2QrPuQpndaIkizrlweYwaGhzlzfAThT79ndRbdgGdHcTIIJL+MXNsCiks6XeMcyRuHaOEvM1XIHYKmvKFAJZlleY\/Md9YkNu8Lc1FVg28\/P\/YP9PE+FE0wUPrHKDT90ahjqHx43fmVvDRFl0eyLX3VrDZHsVxgJz2NN\/6cFvSemOcMT6B5\/SaiFcsESeYNjEqMLLc\/tV3eHld9iBH+VKKSpOWuT31emkQm6WixpHzFLID7PdiPOPeJv\/Z++fRf7ZLiyjHCozFlx4mqF7XfW9kA9UjpiMSECP+TidaPkx1HpdntfbzbR7fbmt6D993D4P6R0yffuLWnvUMv4qc+9exQOApudzlzhy8NkoTfBeulTXY5\/ULZFEW04bMOmxUV5Ne4bJTPM85nWvxLwxrGbnCTGn1gZMhUBctWzKdsQtAZQBwJqg\/qxXYLpiyHVwsiuv7ogoiDRR6QB6CsGgfBJOngbM\/aB5tsN1FXLYI2gLNzpo+xIqeYAtt1NTdzgJBvWrxj6Duk0z6E4qZpjDk\/svivOFJiM8KoSRX02zLN5x++UZ25zaMeFAwNEEL35xQQ4+Romt98\/A8tPyC4dL3gsmm7tYWUXOSd8QR\/+NkCUj\/dcif73fs+3ibQHbzNwa6kSb32Hx6C5Y+4xJeMGX92ODFuVRrt83\/1jnoAmrYSyiFAHhIOa1xKvUU8AH\/LXNtfqCN74U9hr+Wn8eg8quEgaeugyd7xLnbDYEQqYYnIcDbxSZ6XYYn9DMkM0ySze2bJmgpY9ix3kvkhVIIHhheuMqAS9jeqpodL+prASW5286G5rJV1w6ZaHEbL9tyhpXhdjHxkKivgLhvlkGYbWuGY2gK4BqKCsUf0afYcwpk59fZcpXaa\/X1cUuThVmEFyCzCKV90qwcQbbh3NV94v59hKYCqRRVRhczTJbB3O24laSakXKqPpoCepQA4PYv0unbtAjaTLi7fnhCTbkJUeBKwZDldC5PTtweRlnf8strRAZKsIR8IQXhz+ZULlotXXCRgmVXaJT6ntsyREGK4i2UG6IiNPExNFOuYp7ngey+fOEo37VnteRim5SBGHCmpjlaIEO6il7e14KczR2ul0BjjZg1LVP4XtQzVGx50jB2l8EZPGZrIiDab6th1u3sffiYMboSZlVYcGeeeQAQYcxYkSJ5ikCOo2r71WNGtMobC1nRrpkIkH60qawk3IFODuL3ip6EVMR0gUK4uJLQ451UAiCycCyM3CKstjMDA3+H2kNBwIk3K3ualeSa0ojhqP9TMdZ2Upmf7xvtPxNOj3h7Vepw41umUU94JF4B56rNQVjbppIuFIvFcX0R4mYCImIYYsreCnItiEnzaz8qLLKy0DfMK0uYjezNlowQAxgmeGeM7rACrWUV8MTm\/FksrPSXAAjmkFYlv0\/ha6Hgb5hC7dwHoszxFNONQhLvB+l1oMZE3OczPqJkj2NcafixDE7zVK+ICgGbXwYGzzVjpgU3jKIBPryo+Mtqmz9ww8OES90G77kCoTiJrGSIbwPF9xf6g56VF9GoPrRNwWpdiu3KuJYw98xjWhVX2xnNbhSb4CONR1K1stR3uCOKxPYE1Y0WCpQ5aDNUSlleK5PTy4H51wRPNViq9PWUz72OoK2qNv7Cm2bFrTIY\/uCDzd4QSh9OHwBLCqlInnnwzjZ3hk9I6v7OyEGeqjryjZ8Xdy8iIoPkYNQJBlq5UbqDVkawPgYeELv3Xp+4mLSAz3VjZsPByIvGEuV5erP1UlRyVhmB+g64ztQZglHJAUxLbmhoCe43waLX218\/mXhae1gmHPSpKzBfGlu32McJYULZY32m+WjPTruIMvwjvc6SKGFSR0vSBsOkqlUtZV3yp9sqkwkU+LeNfQVrRZzzRFN6DGJ24PJfxgvI1RYt8dN2Nri4x7+3pAfT5WWt+O6qbHbvfM8h+hBty\/3VRCemu+NcbzhUmRNuS9yHf0pm5rCKEl5F2kggRV\/GrvmICg3rJCbvLZjITqdjJmYudk5RyaSyiJTaYphXdTPMcl4YG8cyyAH6s\/1wgixKpV3xb\/SfMo4qWJoIVuhR7WvPzNE\/MI0ALUEw63Pc3e8E4+F3F2bjw8BGgwKoQfW2Lyfo24WttMks8v8TOzcFnwSxtAPEjoZ8zUo\/uvMNI917Cfo2O2azHoB26EdQTS73RiPZo1210flS1H9TiWVMOwalb\/LRkw8knpierR0b3sF9t1vudCPcllN\/5soJ1f2xf\/Nh\/YJcFGdtYLxK3I0j9\/V6D6fmziCR08\/WOtbeL4EQKrGverdZekDGA7LmHuyhMOxDNE06L4PcioMQclaxuQyq38gf5nWqDn6RoVu3Z41rAgmRlLOnF18QFLOBDph08txavJqEvdWoTP+qDUKSDfYW+QFthsg+Qo+JgOoHCWonB8FWzYEgWi8\/atdiP5WDsg2rwQrr\/NUT1vgk5ZclxAx1\/e54AU9jBsWrS4sUBQQb3bLz2P7PqgURGuoIecGXEI\/hnw109WGsaESCD9fllzvGhKzmyWbTPb1KCFfmfAQpkuHkBytT5BBiBauRp5IEiTD4bjWwk9lHcRP6F3bisGHc+igeU9j62Qa9LX3HabNwo1841nlNNKWPQ+zsvGMqE3e2viT4h\/3LDoe4E1i1FBbi4OzpDPLSJ\/dxPvQ\/+1eGqycUBPOm4aqeSJh4OgXPDJpRHNr7MWnZ\/WfBGq4GZHKyKD4IcFcLwVibRcMQQ7pkbbzEla\/I4\/EdC1pemyTZynZWPszPz4NWCy22jypV\/MHL0PpLsWrMnnU7TRwpsljMYp00akEln5hv5cNWNhrdre4SI+py"} 00960{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":31,"source":"cfgs\/default\/pcap\/tls-appdata.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1642636825083000,"flow_src_last_pkt_time":1642636825195000,"flow_dst_last_pkt_time":1642636825303000,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":135,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":159,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":429,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1643610288741000,"l3_proto":"ip4","src_ip":"179.60.195.173","dst_ip":"192.168.2.100","src_port":443,"dst_port":60636,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","proto_by_ip":"Facebook","proto_by_ip_id":119,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 02139{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":38,"source":"cfgs\/default\/pcap\/tls-appdata.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1643610288722000,"flow_src_last_pkt_time":1643610304703000,"flow_dst_last_pkt_time":1643610304703000,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1452,"flow_dst_max_l4_payload_len":2904,"flow_src_tot_l4_payload_len":4416,"flow_dst_tot_l4_payload_len":30419,"midstream":1,"thread_ts_usec":1643610304703000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"52.223.198.7","src_port":58976,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":0,"avg":1031032.2,"max":15956000,"stddev":3917522.5,"var":15346982453248.0,"ent":1.0,"data": [2000,15000,3000,0,16000,0,0,0,0,1000,1000,0,0,0,0,0,0,0,0,0,0,0,0,15941000,1000,15956000,5000,0,19000,1000,1000]},"pktlen": {"min":40,"avg":1129.2,"max":2944,"stddev":1252.1,"var":1567845.6,"ent":4.0,"data": [1492,60,46,1492,2944,40,2944,40,40,2944,2871,40,40,40,40,1492,60,46,1492,2944,40,2944,40,2944,1492,60,46,1492,2944,40,2944,40]},"bins": {"c_to_s": [14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0],"s_to_c": [3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,9]},"directions": [0,0,1,1,1,0,1,0,0,1,1,0,0,0,0,0,0,1,1,1,0,1,0,1,0,0,1,1,1,0,1,0],"entropies": [7.874306679,5.500818253,4.652828693,7.888679028,7.939795017,4.981687069,7.939328194,4.931686878,4.931686878,7.934259415,7.938295841,4.981687069,4.931687355,4.931687355,4.981687069,7.885500431,5.513399124,4.565871716,7.865909100,7.927158833,4.881687164,7.936643124,4.881687164,7.934941769,7.882087708,5.613399506,4.522394180,7.860544682,7.936390877,4.881687641,7.928893089,4.912815094]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","proto_by_ip":"Twitch","proto_by_ip_id":195,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} -00939{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":38,"source":"cfgs\/default\/pcap\/tls-appdata.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1643610288722000,"flow_src_last_pkt_time":1643610304703000,"flow_dst_last_pkt_time":1643610304703000,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1452,"flow_dst_max_l4_payload_len":2904,"flow_src_tot_l4_payload_len":4416,"flow_dst_tot_l4_payload_len":30419,"midstream":1,"thread_ts_usec":1643610304703000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"52.223.198.7","src_port":58976,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","proto_by_ip":"Twitch","proto_by_ip_id":195,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} -00638{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":46,"source":"cfgs\/default\/pcap\/tls-appdata.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":46,"packets-processed":45,"total-skipped-flows":0,"total-l4-payload-len":41014,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":4,"total-updates":0,"current-active-flows":1,"total-active-flows":2,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":24,"global_ts_usec":1643611942615000} -00638{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":76,"source":"cfgs\/default\/pcap\/tls-appdata.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":76,"packets-processed":75,"total-skipped-flows":0,"total-l4-payload-len":70000,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":4,"total-updates":0,"current-active-flows":1,"total-active-flows":2,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":25,"global_ts_usec":1643612754900000} -00641{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":106,"source":"cfgs\/default\/pcap\/tls-appdata.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":106,"packets-processed":105,"total-skipped-flows":0,"total-l4-payload-len":98963,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":4,"total-updates":0,"current-active-flows":1,"total-active-flows":2,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":26,"global_ts_usec":1643614758865000} +00638{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":46,"source":"cfgs\/default\/pcap\/tls-appdata.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":46,"packets-processed":45,"total-skipped-flows":0,"total-l4-payload-len":41014,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":3,"total-updates":0,"current-active-flows":1,"total-active-flows":2,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":23,"global_ts_usec":1643611942615000} +00638{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":76,"source":"cfgs\/default\/pcap\/tls-appdata.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":76,"packets-processed":75,"total-skipped-flows":0,"total-l4-payload-len":70000,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":3,"total-updates":0,"current-active-flows":1,"total-active-flows":2,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":24,"global_ts_usec":1643612754900000} +00641{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":106,"source":"cfgs\/default\/pcap\/tls-appdata.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":106,"packets-processed":105,"total-skipped-flows":0,"total-l4-payload-len":98963,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":3,"total-updates":0,"current-active-flows":1,"total-active-flows":2,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":25,"global_ts_usec":1643614758865000} 00973{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":120,"source":"cfgs\/default\/pcap\/tls-appdata.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":65,"flow_dst_packets_processed":49,"flow_first_seen":1643610288722000,"flow_src_last_pkt_time":1643614758886000,"flow_dst_last_pkt_time":1643614758885000,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1452,"flow_dst_max_l4_payload_len":2904,"flow_src_tot_l4_payload_len":11776,"flow_dst_tot_l4_payload_len":101176,"midstream":1,"thread_ts_usec":1643614758886000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"52.223.198.7","src_port":58976,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","proto_by_ip":"Twitch","proto_by_ip_id":195,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} -00644{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":120,"source":"cfgs\/default\/pcap\/tls-appdata.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":120,"packets-processed":120,"total-skipped-flows":0,"total-l4-payload-len":113381,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":4,"total-updates":0,"current-active-flows":0,"total-active-flows":2,"total-idle-flows":2,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":28,"global_ts_usec":1643614758886000} +00644{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":120,"source":"cfgs\/default\/pcap\/tls-appdata.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":120,"packets-processed":120,"total-skipped-flows":0,"total-l4-payload-len":113381,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":3,"total-updates":0,"current-active-flows":0,"total-active-flows":2,"total-idle-flows":2,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":27,"global_ts_usec":1643614758886000} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ ~~ packets captured/processed: 120/120 ~~ skipped flows.............: 0 @@ -40,4 +39,4 @@ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json message min len.......: 533 chars ~~ json message max len.......: 4468 chars -~~ json message avg len.......: 2498 chars +~~ json message avg len.......: 2496 chars diff --git a/test/results/default/tls_verylong_certificate.pcap.out b/test/results/default/tls_verylong_certificate.pcap.out index bbf95bd05..103733bf2 100644 --- a/test/results/default/tls_verylong_certificate.pcap.out +++ b/test/results/default/tls_verylong_certificate.pcap.out @@ -10,9 +10,8 @@ 01245{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"cfgs\/default\/pcap\/tls_verylong_certificate.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1578254908457751,"flow_src_last_pkt_time":1578254908475203,"flow_dst_last_pkt_time":1578254908490162,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1368,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1368,"midstream":0,"thread_ts_usec":1578254908490162,"l3_proto":"ip4","src_ip":"192.168.1.160","dst_ip":"151.101.66.49","src_port":54804,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Cybersec","proto_id":"91.283","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Safe","category_id":33,"category":"Cybersecurity","hostname":"feodotracker.abuse.ch","tls": {"version":"TLSv1.2","ja3":"2a26b1a62e40d25d4de3babc9d532f30","ja3s":"ae53107a2e47ea20c72ac44821a728bf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","advertised_alpns":"http\/1.1","negotiated_alpn":"http\/1.1"}}} 03931{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":11,"source":"cfgs\/default\/pcap\/tls_verylong_certificate.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":6,"flow_first_seen":1578254908457751,"flow_src_last_pkt_time":1578254908490465,"flow_dst_last_pkt_time":1578254908490567,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1368,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":5472,"midstream":0,"thread_ts_usec":1578254908490567,"l3_proto":"ip4","src_ip":"192.168.1.160","dst_ip":"151.101.66.49","src_port":54804,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Cybersec","proto_id":"91.283","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Safe","category_id":33,"category":"Cybersecurity","hostname":"feodotracker.abuse.ch","tls": {"version":"TLSv1.2","server_names":"p2.shared.global.fastly.net,*.12wbt.com,*.2bleacherreport.com,*.3bleacherreport.com,*.4bleacherreport.com,*.8bleacherreport.com,*.abuse.ch,*.acdn-it.ps-pantheon.com,*.cdn.livingmap.com,*.content.plastiq.com,*.dimensions.ai,*.dollarshaveclub.co.uk,*.dollarshaveclub.com,*.dontpayfull.com,*.ebisubook.com,*.foreignaffairs.com,*.fs.jibjab.com,*.fs.unitprints.com,*.ggleap.com,*.goodeggs.com,*.huevosbuenos.com,*.indy.myomnigon.com,*.jwatch.org,*.kingsfordcharcoal.com.au,*.lancenters.com,*.madebywe.com,*.minirodini.com,*.modcloth.net,*.orionlabs.io,*.ps-pantheon.com,*.scodle.com,*.steelseries.com,*.theforeman.org,*.uploads.eversign.com,*.uploads.schoox.com,*.vts.com,*.x.stg1.ebisubook.com,*.yang2020.com,12wbt.com,2bleacherreport.com,3bleacherreport.com,4bleacherreport.com,8bleacherreport.com,abuse.ch,brita.com,cdn.fwupd.org,cdn.livingmap.com,cdn.seated.com,cdn.skillacademy.com,clinicaloptions.com,clorox.com,content-preprod.beaverbrooksweb2.co.uk,content.beaverbrooks.co.uk,content.plastiq.com,coolmathgames.com,copterroyale.coolmathgames.com,d8-dev.coolmathgames.com,deflyio.coolmathgames.com,delivery-api.evadacms.com,dimensions.ai,dollarshaveclub.co.uk,dollarshaveclub.com,dontpayfull.com,eluniverso.com,email.amg-group.co,email.tekoforlife.co.uk,feedmarket.fr,freshstep.com,ggleap.com,goodeggs.com,heap.io,huevosbuenos.com,identity.linuxfoundation.org,joebiden.com,jwatch.org,kingsford.co.nz,kingsfordcharcoal.com.au,lancenters.com,lists.linuxfoundation.org,m-stage.coolmathgames.com,m.coolmathgames.com,madebywe.com,minirodini.com,modcloth.net,orionlabs.io,puritanmedproducts.com,reviews.org,rg-video-staging.ruangguru.com,rg-video.ruangguru.com,ruangguru.com,scodle.com,stage.coolmathgames.com,staging.appblade.com,steelseries.com,stg.platform.eluniverso.com,test.brita.com,test.heap.io,test.joebiden.com,test.ruangguru.com,theforeman.org,video-cdn.quipper.com,videos.calcworkshop.com,vts.com,www.101network.com,www.autos101.com,www.brita.com,www.clorox.com,www.collider.com,www.coolmathgames.com,www.eluniverso.com,www.flinto.com,www.freshstep.com,www.heap.io,www.holagente.com,www.icsydney.com.au,www.joebiden.com,www.kingsford.co.nz,www.mrnatty.com,www.myjewellerystory.com.au,www.myjs.com,www.netacea.com,www.parenting101.com,www.puritanmedproducts.com,www.reviews.org,www.sba.sa,www.shashatcom.sa,www.uat.ontariocolleges.ca,www.vacation101.com,www.walterspeople.co.uk,www.westwayelectricsupply.com","ja3":"2a26b1a62e40d25d4de3babc9d532f30","ja3s":"ae53107a2e47ea20c72ac44821a728bf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=BE, O=GlobalSign nv-sa, CN=GlobalSign CloudSSL CA - SHA256 - G3","subjectDN":"C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=p2.shared.global.fastly.net","advertised_alpns":"http\/1.1","negotiated_alpn":"http\/1.1","fingerprint":"E9:34:DF:E0:C5:31:3C:59:7E:E2:57:44:F2:82:E9:80:F5:5D:05:4B"}}} 02171{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"cfgs\/default\/pcap\/tls_verylong_certificate.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1578254908457751,"flow_src_last_pkt_time":1578254908528417,"flow_dst_last_pkt_time":1578254908528437,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1368,"flow_src_tot_l4_payload_len":813,"flow_dst_tot_l4_payload_len":14097,"midstream":0,"thread_ts_usec":1578254908528437,"l3_proto":"ip4","src_ip":"192.168.1.160","dst_ip":"151.101.66.49","src_port":54804,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":2,"avg":4559.7,"max":21714,"stddev":6622.1,"var":43852844.0,"ent":3.5,"data": [11591,11712,5740,17683,3137,204,15209,67,53,134,2,140,10611,21714,11194,334,14931,21,2,14564,19,7,256,346,4,564,2,480,517,112,2]},"pktlen": {"min":52,"avg":518.6,"max":1420,"stddev":615.3,"var":378610.9,"ent":4.0,"data": [64,60,52,569,52,1420,1420,52,1420,52,1420,262,52,178,103,52,222,1420,1420,104,52,52,52,1420,1420,104,52,52,1420,52,1420,104]},"bins": {"c_to_s": [12,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,4,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,1,1,0,0,1,0,0,1,1,1,0,0,0,1,1,1,0,0,1,0,1,1],"entropies": [4.398337364,5.146034718,4.868495941,4.434582233,5.025067329,6.773365974,4.940563202,4.983880520,6.553000927,4.900255680,7.433587551,7.043814659,4.983880520,6.336580276,5.976200581,5.022342205,6.883139610,7.866776943,7.867276192,6.143959045,4.906957150,4.791572571,4.731892109,7.850933075,7.865261078,6.040546417,4.906957626,4.906957626,7.852932453,4.823332310,7.877495766,6.208910465]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Cybersec","proto_id":"91.283","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Safe","category_id":33,"category":"Cybersecurity"}} -03934{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":32,"source":"cfgs\/default\/pcap\/tls_verylong_certificate.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1578254908457751,"flow_src_last_pkt_time":1578254908528417,"flow_dst_last_pkt_time":1578254908528437,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1368,"flow_src_tot_l4_payload_len":813,"flow_dst_tot_l4_payload_len":14097,"midstream":0,"thread_ts_usec":1578254908528437,"l3_proto":"ip4","src_ip":"192.168.1.160","dst_ip":"151.101.66.49","src_port":54804,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Cybersec","proto_id":"91.283","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Safe","category_id":33,"category":"Cybersecurity","hostname":"feodotracker.abuse.ch","tls": {"version":"TLSv1.2","server_names":"p2.shared.global.fastly.net,*.12wbt.com,*.2bleacherreport.com,*.3bleacherreport.com,*.4bleacherreport.com,*.8bleacherreport.com,*.abuse.ch,*.acdn-it.ps-pantheon.com,*.cdn.livingmap.com,*.content.plastiq.com,*.dimensions.ai,*.dollarshaveclub.co.uk,*.dollarshaveclub.com,*.dontpayfull.com,*.ebisubook.com,*.foreignaffairs.com,*.fs.jibjab.com,*.fs.unitprints.com,*.ggleap.com,*.goodeggs.com,*.huevosbuenos.com,*.indy.myomnigon.com,*.jwatch.org,*.kingsfordcharcoal.com.au,*.lancenters.com,*.madebywe.com,*.minirodini.com,*.modcloth.net,*.orionlabs.io,*.ps-pantheon.com,*.scodle.com,*.steelseries.com,*.theforeman.org,*.uploads.eversign.com,*.uploads.schoox.com,*.vts.com,*.x.stg1.ebisubook.com,*.yang2020.com,12wbt.com,2bleacherreport.com,3bleacherreport.com,4bleacherreport.com,8bleacherreport.com,abuse.ch,brita.com,cdn.fwupd.org,cdn.livingmap.com,cdn.seated.com,cdn.skillacademy.com,clinicaloptions.com,clorox.com,content-preprod.beaverbrooksweb2.co.uk,content.beaverbrooks.co.uk,content.plastiq.com,coolmathgames.com,copterroyale.coolmathgames.com,d8-dev.coolmathgames.com,deflyio.coolmathgames.com,delivery-api.evadacms.com,dimensions.ai,dollarshaveclub.co.uk,dollarshaveclub.com,dontpayfull.com,eluniverso.com,email.amg-group.co,email.tekoforlife.co.uk,feedmarket.fr,freshstep.com,ggleap.com,goodeggs.com,heap.io,huevosbuenos.com,identity.linuxfoundation.org,joebiden.com,jwatch.org,kingsford.co.nz,kingsfordcharcoal.com.au,lancenters.com,lists.linuxfoundation.org,m-stage.coolmathgames.com,m.coolmathgames.com,madebywe.com,minirodini.com,modcloth.net,orionlabs.io,puritanmedproducts.com,reviews.org,rg-video-staging.ruangguru.com,rg-video.ruangguru.com,ruangguru.com,scodle.com,stage.coolmathgames.com,staging.appblade.com,steelseries.com,stg.platform.eluniverso.com,test.brita.com,test.heap.io,test.joebiden.com,test.ruangguru.com,theforeman.org,video-cdn.quipper.com,videos.calcworkshop.com,vts.com,www.101network.com,www.autos101.com,www.brita.com,www.clorox.com,www.collider.com,www.coolmathgames.com,www.eluniverso.com,www.flinto.com,www.freshstep.com,www.heap.io,www.holagente.com,www.icsydney.com.au,www.joebiden.com,www.kingsford.co.nz,www.mrnatty.com,www.myjewellerystory.com.au,www.myjs.com,www.netacea.com,www.parenting101.com,www.puritanmedproducts.com,www.reviews.org,www.sba.sa,www.shashatcom.sa,www.uat.ontariocolleges.ca,www.vacation101.com,www.walterspeople.co.uk,www.westwayelectricsupply.com","ja3":"2a26b1a62e40d25d4de3babc9d532f30","ja3s":"ae53107a2e47ea20c72ac44821a728bf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=BE, O=GlobalSign nv-sa, CN=GlobalSign CloudSSL CA - SHA256 - G3","subjectDN":"C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=p2.shared.global.fastly.net","advertised_alpns":"http\/1.1","negotiated_alpn":"http\/1.1","fingerprint":"E9:34:DF:E0:C5:31:3C:59:7E:E2:57:44:F2:82:E9:80:F5:5D:05:4B"}}} 01004{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":48,"source":"cfgs\/default\/pcap\/tls_verylong_certificate.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":24,"flow_dst_packets_processed":24,"flow_first_seen":1578254908457751,"flow_src_last_pkt_time":1578254908551114,"flow_dst_last_pkt_time":1578254908551079,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1368,"flow_src_tot_l4_payload_len":844,"flow_dst_tot_l4_payload_len":18233,"midstream":0,"thread_ts_usec":1578254908551114,"l3_proto":"ip4","src_ip":"192.168.1.160","dst_ip":"151.101.66.49","src_port":54804,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Cybersec","proto_id":"91.283","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Safe","category_id":33,"category":"Cybersecurity"}} -00653{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":48,"source":"cfgs\/default\/pcap\/tls_verylong_certificate.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":48,"packets-processed":48,"total-skipped-flows":0,"total-l4-payload-len":19077,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":3,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":15,"global_ts_usec":1578254908551114} +00653{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":48,"source":"cfgs\/default\/pcap\/tls_verylong_certificate.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":48,"packets-processed":48,"total-skipped-flows":0,"total-l4-payload-len":19077,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":2,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":14,"global_ts_usec":1578254908551114} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ ~~ packets captured/processed: 48/48 ~~ skipped flows.............: 0 @@ -26,5 +25,5 @@ ~~ total allocations/frees...: 216812/216812 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json message min len.......: 562 chars -~~ json message max len.......: 3939 chars -~~ json message avg len.......: 2207 chars +~~ json message max len.......: 3936 chars +~~ json message avg len.......: 2164 chars diff --git a/test/results/default/tumblr.pcap.out b/test/results/default/tumblr.pcap.out index 654384c34..a78d5c334 100644 --- a/test/results/default/tumblr.pcap.out +++ b/test/results/default/tumblr.pcap.out @@ -64,7 +64,6 @@ 01266{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":122,"source":"cfgs\/default\/pcap\/tumblr.pcap","alias":"nDPId-test","flow_id":10,"flow_packet_id":4,"flow_src_last_pkt_time":1605292105231042,"flow_dst_last_pkt_time":1605292105230486,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":603,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":603,"pkt_l4_len":549,"thread_ts_usec":1605292105231042,"pkt":"qtsDr8lk5EKm5WPyht1gCsuaAiUGQCoBywEgSYsHmR3shSjf9ikmBigAATUVWiO6Cyol\/xIt5AwBu6fu9OfC4X5egBgB++4yAAABAQgKUVPzg8LdnfMWAwECAAEAAfwDAwsTuD27e9O7zSR9QGg\/BjcA3VInM4oSJon9YBOCv5++IFdStpb+CkXQy2c2uOI7+AVrIzBfj1oZ8gAG3CYIQoMEACC6uhMBEwITA8ArwC\/ALMAwzKnMqMATwBQAnACdAC8ANQEAAZPq6gAAAAAAGQAXAAAUY29uc2VudC5jbXAub2F0aC5jb20AFwAA\/wEAAQAACgAKAAja2gAdABcAGAALAAIBAAAjAAAAEAAOAAwCaDIIaHR0cC8xLjEABQAFAQAAAAAADQASABAEAwgEBAEFAwgFBQEIBgYBABIAAAAzACsAKdraAAEAAB0AIDYvcGjd9fK5d+Sh8kpRELYm8anOzkwuInZrhF5dnrEgAC0AAgEBACsACwp6egMEAwMDAgMBABsAAwIAAjo6AAEAABUAyAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"} 01235{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":122,"source":"cfgs\/default\/pcap\/tumblr.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1605292105197307,"flow_src_last_pkt_time":1605292105231042,"flow_dst_last_pkt_time":1605292105230486,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605292105231042,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2606:2800:135:155a:23ba:b2a:25ff:122d","src_port":58380,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","proto_by_ip":"Edgecast","proto_by_ip_id":288,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"consent.cmp.oath.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","advertised_alpns":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 02154{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":126,"source":"cfgs\/default\/pcap\/tumblr.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605292105171046,"flow_src_last_pkt_time":1605292105231565,"flow_dst_last_pkt_time":1605292105231522,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":112,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":362,"flow_dst_tot_l4_payload_len":16800,"midstream":1,"thread_ts_usec":1605292105231565,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::c000:4d28","src_port":43434,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":1,"avg":3903.1,"max":45055,"stddev":9416.3,"var":88667112.0,"ent":2.8,"data": [365,4822,355,27249,2992,337,2701,17288,45055,519,518,603,1,579,9,7282,1,7292,34,289,2,248,25,174,1,157,27,1036,1,1005,28]},"pktlen": {"min":72,"avg":608.3,"max":1472,"stddev":669.7,"var":448506.0,"ent":4.1,"data": [184,111,183,172,72,72,72,72,1472,72,1472,72,1472,1472,72,72,1472,1472,72,72,1472,1472,72,72,1472,1472,72,72,1472,1472,72,72]},"bins": {"c_to_s": [12,1,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0,0]},"directions": [0,0,0,0,1,1,1,1,1,0,1,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0],"entropies": [6.587406158,5.914531231,6.603403568,6.519369125,4.980900764,4.980900764,4.894209862,4.980900764,7.851428509,5.118321419,7.864492416,5.118321419,7.853987694,7.848294735,5.062766075,5.080059052,7.860019684,7.828007221,5.118321419,5.118321419,7.856985092,7.866126060,5.118321419,5.080059052,7.856244087,7.840456009,5.146099091,5.080059052,7.871989727,7.857123375,5.118321419,5.118321419]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} -00964{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":126,"source":"cfgs\/default\/pcap\/tumblr.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605292105171046,"flow_src_last_pkt_time":1605292105231565,"flow_dst_last_pkt_time":1605292105231522,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":112,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":362,"flow_dst_tot_l4_payload_len":16800,"midstream":1,"thread_ts_usec":1605292105231565,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::c000:4d28","src_port":43434,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00826{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":140,"source":"cfgs\/default\/pcap\/tumblr.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605292105274861,"flow_src_last_pkt_time":1605292105274861,"flow_dst_last_pkt_time":1605292105274861,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605292105274861,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2606:2800:135:155a:23ba:b2a:25ff:122d","src_port":58382,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} 00584{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":140,"source":"cfgs\/default\/pcap\/tumblr.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":1,"flow_src_last_pkt_time":1605292105274861,"flow_dst_last_pkt_time":1605292105274861,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605292105274861,"pkt":"qtsDr8lk5EKm5WPyht1gA8c5ACgGQCoBywEgSYsHmR3shSjf9ikmBigAATUVWiO6Cyol\/xIt5A4Bu+LGvZYAAAAAoAL9IG8jAAACBAWgBAIIClFT868AAAAAAQMDBw=="} 00573{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":141,"source":"cfgs\/default\/pcap\/tumblr.pcap","alias":"nDPId-test","flow_id":10,"flow_packet_id":5,"flow_src_last_pkt_time":1605292105231042,"flow_dst_last_pkt_time":1605292105278180,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605292105278180,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACAGPSYGKAABNRVaI7oLKiX\/Ei0qAcsBIEmLB5kd7IUo3\/YpAbvkDMLhfl6n7vbsgBALMO8iAAABAQgKwt2eLFFT84M="} @@ -101,7 +100,6 @@ 00674{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":222,"source":"cfgs\/default\/pcap\/tumblr.pcap","alias":"nDPId-test","flow_id":14,"flow_packet_id":5,"flow_src_last_pkt_time":1605292105670139,"flow_dst_last_pkt_time":1605292105669051,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":157,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":157,"pkt_l4_len":103,"thread_ts_usec":1605292105670139,"pkt":"qtsDr8lk5EKm5WPyht1gCP\/sAGcGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAADAAE0D3doBu3fKO\/AW2C\/9gBhA0UbJAAABAQgKBcmbrcLdLRcXAwMAQrLK9m5yPUYZr\/Ss7uS7ctPQk7DORD1YOYAxKYpWRXgQ31nGrlNl9GZg3NHqc299aEIRfgvacsXASirCF1SyoYgbpg=="} 00957{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":224,"source":"cfgs\/default\/pcap\/tumblr.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":1,"flow_first_seen":1605292105669051,"flow_src_last_pkt_time":1605292105696558,"flow_dst_last_pkt_time":1605292105705697,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":36,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":130,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":525,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1605292105705697,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::c000:4d03","src_port":56794,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 02146{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":249,"source":"cfgs\/default\/pcap\/tumblr.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1605292105669051,"flow_src_last_pkt_time":1605292105720296,"flow_dst_last_pkt_time":1605292105720289,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":130,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":525,"flow_dst_tot_l4_payload_len":11113,"midstream":1,"thread_ts_usec":1605292105720296,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::c000:4d03","src_port":56794,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":0,"avg":3305.9,"max":36646,"stddev":8575.8,"var":73544632.0,"ent":2.4,"data": [375,92,385,236,26419,36646,2159,0,376,0,10012,21697,203,197,169,221,0,406,8,175,469,1,0,620,51,101,150,197,535,21,562]},"pktlen": {"min":72,"avg":435.7,"max":1472,"stddev":586.0,"var":343353.7,"ent":3.9,"data": [192,111,201,202,143,108,72,72,72,72,72,1472,72,1472,72,1460,84,1472,72,72,1460,84,1327,103,72,72,111,1460,72,84,1460,72]},"bins": {"c_to_s": [8,2,1,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,7,0,0,0,0]},"directions": [0,0,0,0,0,0,1,1,1,1,1,1,0,1,0,1,1,1,0,0,1,1,1,1,0,0,1,1,0,1,1,0],"entropies": [6.771437645,5.700867176,6.623061657,6.706957817,6.270517826,5.792555332,5.008678436,5.036456108,5.008678436,5.036456108,5.008678436,7.827867985,5.069574833,7.856517315,5.080059528,7.842531681,5.292736530,7.873940468,5.069574833,5.034988403,7.877679825,5.307831764,7.852031708,5.639400959,5.146099567,5.090544224,5.719091892,7.856316566,5.118321896,5.301723003,7.853841305,5.090544224]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} -00965{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":249,"source":"cfgs\/default\/pcap\/tumblr.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1605292105669051,"flow_src_last_pkt_time":1605292105720296,"flow_dst_last_pkt_time":1605292105720289,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":130,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":525,"flow_dst_tot_l4_payload_len":11113,"midstream":1,"thread_ts_usec":1605292105720296,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::c000:4d03","src_port":56794,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00813{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":255,"source":"cfgs\/default\/pcap\/tumblr.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605292105726518,"flow_src_last_pkt_time":1605292105726518,"flow_dst_last_pkt_time":1605292105726518,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":127,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":127,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":127,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1605292105726518,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::c000:4c03","src_port":51874,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} 00745{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":255,"source":"cfgs\/default\/pcap\/tumblr.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":1,"flow_src_last_pkt_time":1605292105726518,"flow_dst_last_pkt_time":1605292105726518,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":213,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":213,"pkt_l4_len":159,"thread_ts_usec":1605292105726518,"pkt":"qtsDr8lk5EKm5WPyht1gBYNxAJ8GQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAADAAEwDyqIBu7npntnZTJergBgB9damAAABAQgKLIniTsLdLfkXAwMAepLzP8oRHbXAD5D56fW\/ezxXNRxKdaqM6BwQpjw0zyORx06Rl8gHWinoWY19NxmIXl2owLgVHJ\/UEVkHmda\/PMinu6FgCqLeUi5RUsVJaGqL1ulKRH6Mi5nxYau2z9M9f+jUaBIVXH47AOoxy+jPs5YTh+8Es3OdfTIr"} 00950{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":255,"source":"cfgs\/default\/pcap\/tumblr.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605292105726518,"flow_src_last_pkt_time":1605292105726518,"flow_dst_last_pkt_time":1605292105726518,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":127,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":127,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":127,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1605292105726518,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::c000:4c03","src_port":51874,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} @@ -205,7 +203,6 @@ 01590{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":385,"source":"cfgs\/default\/pcap\/tumblr.pcap","alias":"nDPId-test","flow_id":41,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":6,"flow_first_seen":1605292121486006,"flow_src_last_pkt_time":1605292121697627,"flow_dst_last_pkt_time":1605292121698447,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":5097,"midstream":0,"thread_ts_usec":1605292121698447,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::4a72:9a16","src_port":43328,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Tumblr","proto_id":"91.90","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"catasters.tumblr.com","tls": {"version":"TLSv1.2","server_names":"*.tumblr.com,tumblr.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"738f0c3c6e00286f3afac626676d352d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256","issuerDN":"C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA","subjectDN":"CN=*.tumblr.com","advertised_alpns":"h2,http\/1.1","negotiated_alpn":"h2","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"14:78:BA:5B:B5:54:5D:A1:2C:D2:79:4C:42:99:BB:3A:A9:DB:86:C2"}}} 00574{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":387,"source":"cfgs\/default\/pcap\/tumblr.pcap","alias":"nDPId-test","flow_id":42,"flow_packet_id":2,"flow_src_last_pkt_time":1605292121674877,"flow_dst_last_pkt_time":1605292121698552,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605292121698552,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACAGPSoAFFBABwgXAAAAAAAAIAoqAcsBIEmLB5kd7IUo3\/YpAbvZCJmV\/O79d79\/gBALlo7gAAABAQgKwt3eUxu5BaQ="} 02195{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":406,"source":"cfgs\/default\/pcap\/tumblr.pcap","alias":"nDPId-test","flow_id":41,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605292121486006,"flow_src_last_pkt_time":1605292121915646,"flow_dst_last_pkt_time":1605292121915718,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":1174,"flow_dst_tot_l4_payload_len":11033,"midstream":0,"thread_ts_usec":1605292121915718,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::4a72:9a16","src_port":43328,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":0,"avg":27721.0,"max":189403,"stddev":49540.4,"var":2454247936.0,"ent":3.2,"data": [21421,21468,523,29545,160398,189403,235,0,213,14,842,826,3808,144,202,28681,1,1011,77988,2,103570,74,656,29813,79144,108203,110,95,435,441,86]},"pktlen": {"min":72,"avg":454.0,"max":1472,"stddev":568.3,"var":322990.4,"ent":4.0,"data": [80,80,72,589,72,1472,72,1472,1368,72,72,1073,72,157,163,523,72,72,72,338,142,72,72,102,72,1472,72,1472,72,1472,72,1472]},"bins": {"c_to_s": [12,0,2,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,6,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,0,1,0,0,0,0,1,1,1,1,1,0,0,0,1,1,0,1,0,1,0,1],"entropies": [4.847575665,5.264388561,5.273682594,4.570615292,5.139187336,7.183391094,5.218127251,7.306411743,7.637944698,5.179864883,5.245904922,7.569734573,5.218127251,6.162980080,6.493566990,7.590200424,5.139187336,5.139187336,5.083631992,7.038479328,6.319642544,5.162571907,5.162571907,5.715408325,5.083631992,7.863587856,5.218127251,7.862967491,5.245904922,7.863145828,5.190349579,7.850796700]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Tumblr","proto_id":"91.90","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} -01594{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":406,"source":"cfgs\/default\/pcap\/tumblr.pcap","alias":"nDPId-test","flow_id":41,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605292121486006,"flow_src_last_pkt_time":1605292121915646,"flow_dst_last_pkt_time":1605292121915718,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":1174,"flow_dst_tot_l4_payload_len":11033,"midstream":0,"thread_ts_usec":1605292121915718,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::4a72:9a16","src_port":43328,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Tumblr","proto_id":"91.90","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"catasters.tumblr.com","tls": {"version":"TLSv1.2","server_names":"*.tumblr.com,tumblr.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"738f0c3c6e00286f3afac626676d352d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256","issuerDN":"C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA","subjectDN":"CN=*.tumblr.com","advertised_alpns":"h2,http\/1.1","negotiated_alpn":"h2","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"14:78:BA:5B:B5:54:5D:A1:2C:D2:79:4C:42:99:BB:3A:A9:DB:86:C2"}}} 00813{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":428,"source":"cfgs\/default\/pcap\/tumblr.pcap","alias":"nDPId-test","flow_id":43,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605292122064463,"flow_src_last_pkt_time":1605292122064463,"flow_dst_last_pkt_time":1605292122064463,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605292122064463,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:809::200e","src_port":49548,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} 00583{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":428,"source":"cfgs\/default\/pcap\/tumblr.pcap","alias":"nDPId-test","flow_id":43,"flow_packet_id":1,"flow_src_last_pkt_time":1605292122064463,"flow_dst_last_pkt_time":1605292122064463,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605292122064463,"pkt":"qtsDr8lk5EKm5WPyht1gAy+bACgGQCoBywEgSYsHmR3shSjf9ikqABRQQAcICQAAAAAAACAOwYwBu0AeaGkAAAAAoAL9IOE8AAACBAWgBAIICthbOh0AAAAAAQMDBw=="} 00689{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":429,"source":"cfgs\/default\/pcap\/tumblr.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1605292122076240,"flow_dst_last_pkt_time":1605292102602965,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":172,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":172,"pkt_l4_len":118,"thread_ts_usec":1605292122076240,"pkt":"qtsDr8lk5EKm5WPyht1gD4BTAHYGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAACXZXidvHABuwi2Qd9sejoTgBgk6QsuAAABAQgKJEeQFMLc4vQXAwMAUQAAAAAAAAAPN+72C7wfHoQtmaJB3aOHKjPk6JlEWLNjF5TOq7HiJ1O2KSnCxtEIEQAeO4GmbeSTOkkpawAah7BKsajx09L6L57ZkTTcEWLCJA=="} @@ -221,7 +218,6 @@ 00954{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":436,"source":"cfgs\/default\/pcap\/tumblr.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1605292102602965,"flow_src_last_pkt_time":1605292122076586,"flow_dst_last_pkt_time":1605292122116538,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":86,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":132,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1605292122116538,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:789d","src_port":48240,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 01993{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":437,"source":"cfgs\/default\/pcap\/tumblr.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":5,"flow_src_last_pkt_time":1605292122076586,"flow_dst_last_pkt_time":1605292122116538,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":1134,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":1134,"pkt_l4_len":1080,"thread_ts_usec":1605292122116538,"pkt":"5EKm5WPyqtsDr8lkht1gAAAABDgGPQBk\/5sAAAAAAAAAAJdleJ0qAcsBIEmLB5kd7IUo3\/YpAbu8cGx6OhMItkI1gBgMRHzEAAABAQgKwt3f5iRHkBQXAwNAGJc9h3GYNRFQlTKtM7rxIBlCWvu2+kAtsSKUpPeQGC2f9G6Xq+yeDPU221fnjVpofZnbGWH209M5VFwfCbYBd\/Ug672I7YdgqPjdHdeHhsk5JO7a6ZKrKfKPrNR6YV7haA9UHN\/J20tM3dd1ztVqjpfbv0\/ZJmmisIhD21RHxC+bpnR9aUwAHNslPkgS258ZBH2f6TbIDYUZtSMnZWw3Yk\/ci8p72sljAny1A0bK6nTpcgQdrpz72F8pAQANc8+dtvsHTLhIpCvOc6Ne6kWtUKT7C\/mvdjTu5edIany0ejKotIFClcl4RxqARVu2X1rfTugLw5NDSe0wQ2nHTzTqPvaW7AfYVBRuhLTkXbNrJI65nxsqhUnfa60m3bgzF7vJcVGCZnpJafd9EdKxWUn3zIF9HNZPAaoWOVFHMyX9a+GRL3JsX2Y5BoTsGub9kof4cZv9bszWuQGQ32PqzX8tj0vwQgSS+\/6S++A\/fvGhO3z2O4J5JcExiBHL9NO41Ci77nPGUPc8rzROsKBv+iwjPxII7ZTo+HPy8VtcXYK9fMChuPeM2GJGvjtvuTXBXbAajdN99K6za2E83mXsUFa4zXbW8l6vvPf\/QtzoTU4L9xdK63gJGDxlquf0XuSzocIpEQi1F1Wer1yQa02YyM9dE5pCuSsEvLN9e3nWr+e5ts1swpdDA9qB0i7vopuVw7pVJRa\/5jtj10ogWPHGj2tvaRujTQeDciYar+lH9\/+jsk7PRHX+uIUqDDNJr9L4h4Y5HFaECy28OARK+N8iZPMvLjs+b2v9+1SVFwvOZk2keVzr60iLx9SAxK+qK3iQWWRvVmrjER7XMeaQBw9ZDHNiSeMtNeFfmRKRTQN09GNCR0gb6nnbLaowG55byyc9Ixf0CX1E+gt7yBldEZUUKfDlxtw+uLgeGUXqthxjdDzHmt05igu5OjLX1G4r5IZOVC4zPzyhWkdvVj3Xlv+5VdG78q9fG74Kr4jrWd0HmfWAicEqqlrJ0tzM615CXJdHLq2i\/icncRzXkfKIHoIE7akepvW2uFW47l3zunDfCPS2CPdfu4SgfwscjhTdvMd0yEZgiOOpbXgOiFet4ZTlfmbFFc1UeXXFtn8JSmdDTZps738TSMj+kk9x8MshGWKOVu0ue6LonWUyQNu1K9\/sN\/LUbwtwiJhRTd4lbHV3YBTVFelyuUAiHAYYrO1BQq\/1qgPHYrAC9\/XR1LO2ONRYU\/Y5+xV2iMD3hHSQ30e3g5G4lPgWiJR\/5BxivIHZmOM3jV1\/ejjWfzi6Q+rJSgLP1NhRuCOEWEb8Rva9JGpl5hBrk9oX7wzBiu7yI4Hc4KR6E6bjwM0G+KtwCI+dvZO488RHnGsWkcv5evakZJvQrVRCJM0\/gTwn"} 02153{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":464,"source":"cfgs\/default\/pcap\/tumblr.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1605292102602965,"flow_src_last_pkt_time":1605292122118409,"flow_dst_last_pkt_time":1605292122118430,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":86,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":132,"flow_dst_tot_l4_payload_len":16768,"midstream":1,"thread_ts_usec":1605292122118430,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:789d","src_port":48240,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":0,"avg":1259061.5,"max":19513573,"stddev":4788586.0,"var":22930555666432.0,"ent":1.0,"data": [19473275,346,19513573,0,40000,58,0,14,3,47,46,590,601,1080,1,1,0,1,0,0,1081,15,50,4,2,3,4,112,1,0,1]},"pktlen": {"min":72,"avg":600.1,"max":1120,"stddev":520.1,"var":270533.2,"ent":4.4,"data": [72,158,118,72,1120,72,1120,1120,72,72,1120,72,1120,72,1120,1120,1120,1120,1120,1120,1120,72,72,72,72,72,72,72,1120,1120,1120,1120]},"bins": {"c_to_s": [13,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,1,1,0,1,1,0,0,1,0,1,0,1,1,1,1,1,1,1,0,0,0,0,0,0,0,1,1,1,1],"entropies": [5.300073624,6.172540188,5.808043480,5.111409664,7.793330193,5.244518280,7.816789150,7.806469440,5.188962936,5.244518280,7.817547321,5.216740131,7.782293320,5.272295952,7.814203739,7.825418949,7.833592415,7.796096325,7.794456482,7.800365925,7.831590176,5.300073624,5.244518280,5.272295952,5.300073624,5.216740608,5.244518280,5.272295475,7.782464504,7.824431896,7.817936897,7.808838844]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} -00963{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":464,"source":"cfgs\/default\/pcap\/tumblr.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1605292102602965,"flow_src_last_pkt_time":1605292122118409,"flow_dst_last_pkt_time":1605292122118430,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":86,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":132,"flow_dst_tot_l4_payload_len":16768,"midstream":1,"thread_ts_usec":1605292122118430,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:789d","src_port":48240,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00585{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":495,"source":"cfgs\/default\/pcap\/tumblr.pcap","alias":"nDPId-test","flow_id":44,"flow_packet_id":2,"flow_src_last_pkt_time":1605292122095843,"flow_dst_last_pkt_time":1605292122163288,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605292122163288,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPSoAFFBABwgLAAAAAAAAIAoqAcsBIEmLB5kd7IUo3\/YpAbuW0O3zbp+IuQs5oBJXgJ7NAAACBAV4AQMDAwQCCArC3d\/9EsEnyA=="} 00572{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":496,"source":"cfgs\/default\/pcap\/tumblr.pcap","alias":"nDPId-test","flow_id":44,"flow_packet_id":3,"flow_src_last_pkt_time":1605292122163315,"flow_dst_last_pkt_time":1605292122163288,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605292122163315,"pkt":"qtsDr8lk5EKm5WPyht1gD2uVACAGQCoBywEgSYsHmR3shSjf9ikqABRQQAcICwAAAAAAACAKltABu4i5Cznt826ggBAB+yKbAAABAQgKEsEoDMLd3\/0="} 01267{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":497,"source":"cfgs\/default\/pcap\/tumblr.pcap","alias":"nDPId-test","flow_id":44,"flow_packet_id":4,"flow_src_last_pkt_time":1605292122163584,"flow_dst_last_pkt_time":1605292122163288,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":603,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":603,"pkt_l4_len":549,"thread_ts_usec":1605292122163584,"pkt":"qtsDr8lk5EKm5WPyht1gD2uVAiUGQCoBywEgSYsHmR3shSjf9ikqABRQQAcICwAAAAAAACAKltABu4i5Cznt826ggBgB+67mAAABAQgKEsEoDMLd3\/0WAwECAAEAAfwDA7bS9qVsy5B4YR21YJQRtEh5Py7oz+4S+4EMfJZtbGRGIFTZBy5p0gziG2ybvndeac3\/kMpuKpBLUHIf7VQxlGl9ACDq6hMBEwITA8ArwC\/ALMAwzKnMqMATwBQAnACdAC8ANQEAAZNqagAAAAAAGAAWAAATYWpheC5nb29nbGVhcGlzLmNvbQAXAAD\/AQABAAAKAAoACPr6AB0AFwAYAAsAAgEAACMAAAAQAA4ADAJoMghodHRwLzEuMQAFAAUBAAAAAAANABIAEAQDCAQEAQUDCAUFAQgGBgEAEgAAADMAKwAp+voAAQAAHQAg8WEmWZ9OWDe9\/XkTSDe85PaENProAIW9qnEE9QmUWSAALQACAQEAKwALCurqAwQDAwMCAwEAGwADAgACWloAAQAAFQDJAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"} @@ -330,7 +326,7 @@ 00814{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":755,"source":"cfgs\/default\/pcap\/tumblr.pcap","alias":"nDPId-test","flow_id":39,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1605292120654889,"flow_src_last_pkt_time":1605292120654889,"flow_dst_last_pkt_time":1605292120853149,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1605292122899206,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:806::200e","src_port":55014,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} 00960{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":755,"source":"cfgs\/default\/pcap\/tumblr.pcap","alias":"nDPId-test","flow_id":22,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1605292116554831,"flow_src_last_pkt_time":1605292116554831,"flow_dst_last_pkt_time":1605292116783801,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1605292122899206,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2002","src_port":50960,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"TLS","proto_id":"91","proto_by_ip":"Google","proto_by_ip_id":126,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00814{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":755,"source":"cfgs\/default\/pcap\/tumblr.pcap","alias":"nDPId-test","flow_id":22,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1605292116554831,"flow_src_last_pkt_time":1605292116554831,"flow_dst_last_pkt_time":1605292116783801,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1605292122899206,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2002","src_port":50960,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} -00645{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":755,"source":"cfgs\/default\/pcap\/tumblr.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":755,"packets-processed":755,"total-skipped-flows":0,"total-l4-payload-len":294634,"total-not-detected-flows":0,"total-guessed-flows":28,"total-detected-flows":19,"total-detection-updates":29,"total-updates":0,"current-active-flows":0,"total-active-flows":47,"total-idle-flows":47,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":333,"global_ts_usec":1605292122899206} +00645{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":755,"source":"cfgs\/default\/pcap\/tumblr.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":755,"packets-processed":755,"total-skipped-flows":0,"total-l4-payload-len":294634,"total-not-detected-flows":0,"total-guessed-flows":28,"total-detected-flows":19,"total-detection-updates":25,"total-updates":0,"current-active-flows":0,"total-active-flows":47,"total-idle-flows":47,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":329,"global_ts_usec":1605292122899206} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ ~~ packets captured/processed: 755/755 ~~ skipped flows.............: 0 diff --git a/test/results/default/viber.pcap.out b/test/results/default/viber.pcap.out index 7d9dc1648..da1d19c4b 100644 --- a/test/results/default/viber.pcap.out +++ b/test/results/default/viber.pcap.out @@ -67,7 +67,6 @@ 01216{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":89,"source":"cfgs\/default\/pcap\/viber.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1527155641845544,"flow_src_last_pkt_time":1527155641868230,"flow_dst_last_pkt_time":1527155641890520,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":183,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":183,"flow_dst_tot_l4_payload_len":1448,"midstream":0,"thread_ts_usec":1527155641890520,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"54.230.93.53","src_port":53934,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Viber","proto_id":"91.144","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"dl-media.viber.com","tls": {"version":"TLSv1.2","ja3":"d8c87b9bfde38897979e41242626c2f3","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","advertised_alpns":"h2,http\/1.1","negotiated_alpn":"http\/1.1"}}} 01479{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":91,"source":"cfgs\/default\/pcap\/viber.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":5,"flow_first_seen":1527155641845544,"flow_src_last_pkt_time":1527155641868230,"flow_dst_last_pkt_time":1527155641890790,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":183,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":183,"flow_dst_tot_l4_payload_len":4344,"midstream":0,"thread_ts_usec":1527155641890790,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"54.230.93.53","src_port":53934,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Viber","proto_id":"91.144","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"dl-media.viber.com","tls": {"version":"TLSv1.2","server_names":"*.viber.com,viber.com","ja3":"d8c87b9bfde38897979e41242626c2f3","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=thawte, Inc., CN=thawte SSL CA - G2","subjectDN":"C=LU, ST=Luxembourg, L=Luxembourg, O=Viber Media Sarl, OU=IT, CN=*.viber.com","advertised_alpns":"h2,http\/1.1","negotiated_alpn":"http\/1.1","fingerprint":"E1:11:26:E6:14:A5:E6:F7:F1:CB:68:D1:A6:95:A1:5E:11:48:72:2A"}}} 02160{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":115,"source":"cfgs\/default\/pcap\/viber.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1527155641845544,"flow_src_last_pkt_time":1527155641984215,"flow_dst_last_pkt_time":1527155641981830,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":708,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1017,"flow_dst_tot_l4_payload_len":20153,"midstream":0,"thread_ts_usec":1527155641984215,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"54.230.93.53","src_port":53934,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":19,"avg":8869.6,"max":47784,"stddev":14735.4,"var":217133360.0,"ent":3.3,"data": [19470,21663,1023,22292,3214,249,21,217,39369,88,574,349,10837,47784,22339,40800,258,54,169,260,19,213,268,217,249,532,41188,70,47,44,1080]},"pktlen": {"min":52,"avg":714.1,"max":1500,"stddev":673.4,"var":453425.2,"ent":4.3,"data": [60,60,52,235,52,1500,1500,1500,397,52,52,52,52,178,294,760,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,794,52,52,52,52,52]},"bins": {"c_to_s": [11,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,13,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,0,0,1,0,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0],"entropies": [4.571673393,5.231404781,5.154164791,5.626152039,5.147462368,7.170236111,7.463209152,7.511432171,7.329006195,5.115703106,5.154164791,5.192625999,5.154164791,6.447020531,7.153199196,7.703028202,7.855375767,7.870701790,7.853311062,7.869762897,7.858384132,7.891494274,7.876748085,7.889567852,7.884804249,7.876610279,7.713707447,5.154164791,5.154164314,5.115703106,5.154164314,5.109001160]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Viber","proto_id":"91.144","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}} -01484{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":115,"source":"cfgs\/default\/pcap\/viber.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1527155641845544,"flow_src_last_pkt_time":1527155641984215,"flow_dst_last_pkt_time":1527155641981830,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":708,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1017,"flow_dst_tot_l4_payload_len":20153,"midstream":0,"thread_ts_usec":1527155641984215,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"54.230.93.53","src_port":53934,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Viber","proto_id":"91.144","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"dl-media.viber.com","tls": {"version":"TLSv1.2","server_names":"*.viber.com,viber.com","ja3":"d8c87b9bfde38897979e41242626c2f3","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=thawte, Inc., CN=thawte SSL CA - G2","subjectDN":"C=LU, ST=Luxembourg, L=Luxembourg, O=Viber Media Sarl, OU=IT, CN=*.viber.com","advertised_alpns":"h2,http\/1.1","negotiated_alpn":"http\/1.1","fingerprint":"E1:11:26:E6:14:A5:E6:F7:F1:CB:68:D1:A6:95:A1:5E:11:48:72:2A"}}} 00777{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":119,"source":"cfgs\/default\/pcap\/viber.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1527155644240774,"flow_src_last_pkt_time":1527155644240774,"flow_dst_last_pkt_time":1527155644240774,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":23,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":23,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":23,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1527155644240774,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"172.217.23.106","src_port":41993,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":5} 00540{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":119,"source":"cfgs\/default\/pcap\/viber.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":1,"flow_src_last_pkt_time":1527155644240774,"flow_dst_last_pkt_time":1527155644240774,"flow_idle_time":200000000,"pkt_datalink":1,"pkt_caplen":65,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":65,"pkt_l4_len":31,"thread_ts_usec":1527155644240774,"pkt":"AA6OMNv9MAdNo1+nCABFAAAzV0lAAEARXnTAqAARrNkXaqQJAbsAHwH3DO5PoOHayJNED10MJ0pTvsIOJQ7muOI="} 00540{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":120,"source":"cfgs\/default\/pcap\/viber.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":2,"flow_src_last_pkt_time":1527155644243647,"flow_dst_last_pkt_time":1527155644240774,"flow_idle_time":200000000,"pkt_datalink":1,"pkt_caplen":65,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":65,"pkt_l4_len":31,"thread_ts_usec":1527155644243647,"pkt":"AA6OMNv9MAdNo1+nCABFAAAzV0pAAEARXnPAqAARrNkXaqQJAbsAH4RqDO5PoOHayJNEEDIopLF1oa8UykhAnf8="} @@ -167,7 +166,7 @@ 00990{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":425,"source":"cfgs\/default\/pcap\/viber.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1527155639005882,"flow_src_last_pkt_time":1527155639005882,"flow_dst_last_pkt_time":1527155639008484,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":32,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":32,"flow_dst_max_l4_payload_len":261,"flow_src_tot_l4_payload_len":32,"flow_dst_tot_l4_payload_len":261,"midstream":0,"thread_ts_usec":1527155685757669,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"192.168.0.15","src_port":35283,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.ADS_Analytic_Track","proto_id":"5.107","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Tracker\/Ads","category_id":14,"category":"Network"}} 00971{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":425,"source":"cfgs\/default\/pcap\/viber.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1527155638474128,"flow_src_last_pkt_time":1527155638474128,"flow_dst_last_pkt_time":1527155638476527,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":36,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":36,"flow_dst_max_l4_payload_len":161,"flow_src_tot_l4_payload_len":36,"flow_dst_tot_l4_payload_len":161,"midstream":0,"thread_ts_usec":1527155685757669,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"192.168.0.15","src_port":45743,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Facebook","proto_id":"5.119","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Fun","category_id":14,"category":"Network"}} 00965{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":425,"source":"cfgs\/default\/pcap\/viber.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1527155639234839,"flow_src_last_pkt_time":1527155639234839,"flow_dst_last_pkt_time":1527155639237450,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":36,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":36,"flow_dst_max_l4_payload_len":331,"flow_src_tot_l4_payload_len":36,"flow_dst_tot_l4_payload_len":331,"midstream":0,"thread_ts_usec":1527155685757669,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"192.168.0.15","src_port":62872,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} -00641{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":425,"source":"cfgs\/default\/pcap\/viber.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":425,"packets-processed":420,"total-skipped-flows":0,"total-l4-payload-len":122215,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":22,"total-detection-updates":20,"total-updates":4,"current-active-flows":26,"total-active-flows":26,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":170,"global_ts_usec":1648952182644000} +00641{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":425,"source":"cfgs\/default\/pcap\/viber.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":425,"packets-processed":420,"total-skipped-flows":0,"total-l4-payload-len":122215,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":22,"total-detection-updates":19,"total-updates":4,"current-active-flows":26,"total-active-flows":26,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":169,"global_ts_usec":1648952182644000} 00775{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":425,"source":"cfgs\/default\/pcap\/viber.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1648952182644000,"flow_src_last_pkt_time":1648952182644000,"flow_dst_last_pkt_time":1648952182644000,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1648952182644000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"52.0.252.145","src_port":48690,"dst_port":4244,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} 00556{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":425,"source":"cfgs\/default\/pcap\/viber.pcap","alias":"nDPId-test","flow_id":27,"flow_packet_id":1,"flow_src_last_pkt_time":1648952182644000,"flow_dst_last_pkt_time":1648952182644000,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1648952182644000,"pkt":"eJS0JASgYDjgxTWgCABFAAA8QZ1AAD8GBoHAqAJkNAD8kb4yEJT33RMVAAAAAKAC\/\/+7mwAAAgQFtAQCCApvD0\/7AAAAAAEDAwk="} 00553{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":426,"source":"cfgs\/default\/pcap\/viber.pcap","alias":"nDPId-test","flow_id":27,"flow_packet_id":2,"flow_src_last_pkt_time":1648952182644000,"flow_dst_last_pkt_time":1648952182749000,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1648952182749000,"pkt":"YDjgxTWgeJS0JASgCABFAAA8AABAAOcGoB00APyRwKgCZBCUvjJ96pBe990TFqASaN8gOAAAAgQFrAQCCArnVjzbbw9P+wEDAwk="} @@ -205,7 +204,7 @@ 00921{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":440,"source":"cfgs\/default\/pcap\/viber.pcap","alias":"nDPId-test","flow_id":22,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":2,"flow_first_seen":1527155679410348,"flow_src_last_pkt_time":1527155685132180,"flow_dst_last_pkt_time":1527155685130784,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1648952183755000,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"18.201.4.3","src_port":33744,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"TLS","proto_id":"91","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00771{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":440,"source":"cfgs\/default\/pcap\/viber.pcap","alias":"nDPId-test","flow_id":22,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":2,"flow_first_seen":1527155679410348,"flow_src_last_pkt_time":1527155685132180,"flow_dst_last_pkt_time":1527155685130784,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1648952183755000,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"18.201.4.3","src_port":33744,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} 00966{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":440,"source":"cfgs\/default\/pcap\/viber.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1527155641813689,"flow_src_last_pkt_time":1527155641813689,"flow_dst_last_pkt_time":1527155641840131,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":36,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":36,"flow_dst_max_l4_payload_len":143,"flow_src_tot_l4_payload_len":36,"flow_dst_tot_l4_payload_len":143,"midstream":0,"thread_ts_usec":1648952183755000,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"192.168.0.15","src_port":40445,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Viber","proto_id":"5.144","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Fun","category_id":14,"category":"Network"}} -00641{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":440,"source":"cfgs\/default\/pcap\/viber.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":440,"packets-processed":435,"total-skipped-flows":0,"total-l4-payload-len":125733,"total-not-detected-flows":0,"total-guessed-flows":4,"total-detected-flows":23,"total-detection-updates":20,"total-updates":4,"current-active-flows":1,"total-active-flows":27,"total-idle-flows":26,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":208,"global_ts_usec":1648954023554000} +00641{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":440,"source":"cfgs\/default\/pcap\/viber.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":440,"packets-processed":435,"total-skipped-flows":0,"total-l4-payload-len":125733,"total-not-detected-flows":0,"total-guessed-flows":4,"total-detected-flows":23,"total-detection-updates":19,"total-updates":4,"current-active-flows":1,"total-active-flows":27,"total-idle-flows":26,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":207,"global_ts_usec":1648954023554000} 00773{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":440,"source":"cfgs\/default\/pcap\/viber.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1648954023554000,"flow_src_last_pkt_time":1648954023554000,"flow_dst_last_pkt_time":1648954023554000,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1648954023554000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"52.0.252.2","src_port":41184,"dst_port":5242,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} 00555{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":440,"source":"cfgs\/default\/pcap\/viber.pcap","alias":"nDPId-test","flow_id":28,"flow_packet_id":1,"flow_src_last_pkt_time":1648954023554000,"flow_dst_last_pkt_time":1648954023554000,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1648954023554000,"pkt":"eJS0JASgYDjgxTWgCABFAAA86GpAAD8GYELAqAJkNAD8AqDgFHo59lPMAAAAAKAC\/\/81EwAAAgQFtAQCCArXUgVsAAAAAAEDAwk="} 00554{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":441,"source":"cfgs\/default\/pcap\/viber.pcap","alias":"nDPId-test","flow_id":28,"flow_packet_id":2,"flow_src_last_pkt_time":1648954023554000,"flow_dst_last_pkt_time":1648954023662000,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1648954023662000,"pkt":"YDjgxTWgeJS0JASgCABFAAA8AABAAOwGm6w0APwCwKgCZBR6oOA1qzY9OfZTzaASaN\/krwAAAgQFrAQCCApiDhmE11IFbAEDAwk="} @@ -213,14 +212,14 @@ 00574{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":443,"source":"cfgs\/default\/pcap\/viber.pcap","alias":"nDPId-test","flow_id":28,"flow_packet_id":4,"flow_src_last_pkt_time":1648954023697000,"flow_dst_last_pkt_time":1648954023662000,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":90,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":90,"pkt_l4_len":56,"thread_ts_usec":1648954023697000,"pkt":"eJS0JASgYDjgxTWgCABFAABM6GxAAD8GYDDAqAJkNAD8AqDgFHo59lPNNas2PoAYAKwkewAAAQEICtdSBfpiDhmEGAAAAAAA\/P8FgAkAAAAAAAAAAAAzAAAA"} 00916{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":443,"source":"cfgs\/default\/pcap\/viber.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1648954023554000,"flow_src_last_pkt_time":1648954023697000,"flow_dst_last_pkt_time":1648954023662000,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":24,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":24,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1648954023697000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"52.0.252.2","src_port":41184,"dst_port":5242,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"Viber","proto_id":"144","proto_by_ip":"Viber","proto_by_ip_id":144,"encrypted":1,"breed":"Fun","category_id":10,"category":"VoIP"}} 00541{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":444,"source":"cfgs\/default\/pcap\/viber.pcap","alias":"nDPId-test","flow_id":28,"flow_packet_id":5,"flow_src_last_pkt_time":1648954023697000,"flow_dst_last_pkt_time":1648954023803000,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1648954023803000,"pkt":"YDjgxTWgeJS0JASgCABFAAA07m1AAOwGrUY0APwCwKgCZBR6oOA1qzY+OfZT5YAQADV67AAAAQEICmIOGhLXUgX6"} -00641{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":451,"source":"cfgs\/default\/pcap\/viber.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":451,"packets-processed":446,"total-skipped-flows":0,"total-l4-payload-len":126273,"total-not-detected-flows":0,"total-guessed-flows":4,"total-detected-flows":24,"total-detection-updates":20,"total-updates":4,"current-active-flows":2,"total-active-flows":28,"total-idle-flows":26,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":216,"global_ts_usec":1648968035683000} +00641{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":451,"source":"cfgs\/default\/pcap\/viber.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":451,"packets-processed":446,"total-skipped-flows":0,"total-l4-payload-len":126273,"total-not-detected-flows":0,"total-guessed-flows":4,"total-detected-flows":24,"total-detection-updates":19,"total-updates":4,"current-active-flows":2,"total-active-flows":28,"total-idle-flows":26,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":215,"global_ts_usec":1648968035683000} 00779{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":451,"source":"cfgs\/default\/pcap\/viber.pcap","alias":"nDPId-test","flow_id":29,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1648968035683000,"flow_src_last_pkt_time":1648968035683000,"flow_dst_last_pkt_time":1648968035683000,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":96,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":96,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":96,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1648968035683000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"44.192.202.74","src_port":42900,"dst_port":4244,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} 00674{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":451,"source":"cfgs\/default\/pcap\/viber.pcap","alias":"nDPId-test","flow_id":29,"flow_packet_id":1,"flow_src_last_pkt_time":1648968035683000,"flow_dst_last_pkt_time":1648968035683000,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":162,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":162,"pkt_l4_len":128,"thread_ts_usec":1648968035683000,"pkt":"eJS0JASgYDjgxTWgCABFAACU2kpAAD8GpwLAqAJkLMDKSqeUEJTyP2Q6cEHfOoAYAVdrNwAAAQEICphN6aPkLWTjYAAuDuoU\/P8DgFkAGwAAAAAAAAAuDuoUyCWY+Eiv3vNvHuU8izmtmd1xLKgDGQAAAC4GaTctzm2TgBHTuz9kkBDO3BN0gtQM11m3wPtySAu5MwDtuOA\/BIT7TjIAAaAP"} 00924{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":451,"source":"cfgs\/default\/pcap\/viber.pcap","alias":"nDPId-test","flow_id":29,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1648968035683000,"flow_src_last_pkt_time":1648968035683000,"flow_dst_last_pkt_time":1648968035683000,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":96,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":96,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":96,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1648968035683000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"44.192.202.74","src_port":42900,"dst_port":4244,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"Viber","proto_id":"144","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Fun","category_id":10,"category":"VoIP"}} 00963{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":451,"source":"cfgs\/default\/pcap\/viber.pcap","alias":"nDPId-test","flow_id":29,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1648968035683000,"flow_src_last_pkt_time":1648968035683000,"flow_dst_last_pkt_time":1648968035683000,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":96,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":96,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":96,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1648968035683000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"44.192.202.74","src_port":42900,"dst_port":4244,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"Viber","proto_id":"144","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Fun","category_id":10,"category":"VoIP"}} 00958{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":451,"source":"cfgs\/default\/pcap\/viber.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"finished","flow_src_packets_processed":6,"flow_dst_packets_processed":5,"flow_first_seen":1648954023554000,"flow_src_last_pkt_time":1648954024001000,"flow_dst_last_pkt_time":1648954024107000,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":24,"flow_dst_max_l4_payload_len":516,"flow_src_tot_l4_payload_len":24,"flow_dst_tot_l4_payload_len":516,"midstream":0,"thread_ts_usec":1648968035683000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"52.0.252.2","src_port":41184,"dst_port":5242,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"Viber","proto_id":"144","proto_by_ip":"Viber","proto_by_ip_id":144,"encrypted":1,"breed":"Fun","category_id":10,"category":"VoIP"}} 00965{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":451,"source":"cfgs\/default\/pcap\/viber.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"finished","flow_src_packets_processed":7,"flow_dst_packets_processed":8,"flow_first_seen":1648952182644000,"flow_src_last_pkt_time":1648952183650000,"flow_dst_last_pkt_time":1648952183755000,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":101,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":197,"flow_dst_tot_l4_payload_len":3321,"midstream":0,"thread_ts_usec":1648968035683000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"52.0.252.145","src_port":48690,"dst_port":4244,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"Viber","proto_id":"144","proto_by_ip":"Viber","proto_by_ip_id":144,"encrypted":1,"breed":"Fun","category_id":10,"category":"VoIP"}} -00643{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":451,"source":"cfgs\/default\/pcap\/viber.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":451,"packets-processed":447,"total-skipped-flows":0,"total-l4-payload-len":126369,"total-not-detected-flows":0,"total-guessed-flows":4,"total-detected-flows":25,"total-detection-updates":20,"total-updates":4,"current-active-flows":0,"total-active-flows":29,"total-idle-flows":29,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":223,"global_ts_usec":1648968035683000} +00643{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":451,"source":"cfgs\/default\/pcap\/viber.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":451,"packets-processed":447,"total-skipped-flows":0,"total-l4-payload-len":126369,"total-not-detected-flows":0,"total-guessed-flows":4,"total-detected-flows":25,"total-detection-updates":19,"total-updates":4,"current-active-flows":0,"total-active-flows":29,"total-idle-flows":29,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":222,"global_ts_usec":1648968035683000} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ ~~ packets captured/processed: 451/447 ~~ skipped flows.............: 0 diff --git a/test/results/default/vk.pcapng.out b/test/results/default/vk.pcapng.out index 4012dd3ec..46f0f3f10 100644 --- a/test/results/default/vk.pcapng.out +++ b/test/results/default/vk.pcapng.out @@ -22,7 +22,6 @@ 01279{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":14,"source":"cfgs\/default\/pcap\/vk.pcapng","alias":"nDPId-test","flow_id":3,"flow_packet_id":4,"flow_src_last_pkt_time":1675334162670570,"flow_dst_last_pkt_time":1675334161630633,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":610,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":610,"pkt_l4_len":576,"thread_ts_usec":1675334162670570,"pkt":"dNqIE5X\/CI6QkAulCABFAAJUMQhAAEAGaLzAqAH5V\/CETuwUAbu8Rx7XB\/V9KYAYJD\/9BAAAAQEICtCCZtNlMJuZFwMDAhtY\/q7BUk5TAeZkuwnSkaIBm4q8UbCv2G2pS+i\/0lp4moQ5jc1ymK4zf5EvMCN35RZlcnbVs9Gr4ytW7if5PDTv65d3nakpYg3wIpcGoMgF0wqfq5o5+bY0yDpLP0s2QDGcRE9LyJU2w+6e+HGAfbntfu3jungPbzXYkSN8hAOq87Q4B3PFoTo6Qidm2Z01spuRv4VCgMsRoRXoOi+MD33t2BI96jQr5ArZOE0gQRJOZ9ahwMFj9F0dOePIkyLvkMzhydJbFAhjpqwWYHaG44PJImg61oISUxg2CZWplApOQoQWo0uLbnCi4L1efczszW8Y0NCHfDHERyEP9LSwPbFAqVKzp1V00t2gI1wneiPo9bvLxQOqop7lw0lEeWA1CpTOPIZsOKfBjhQZh0thmx+j3KrgA0hxDuh93TE0l995qVN7OdnsHXzbLf1T\/YAjttdUEx2ep1SU6Sa+xag6BUsmuDpucoVQLFVE0DpLxBfCqB5xnNcyL5IkgOj6wlZ2yV\/uDIb6JUF3US+5dtxFw9qN\/8w7+uYsDkFU7AMEIj1fgJlnli8seRRR+Tir5IgpfgKaXV2\/AszNYTY3ymBNrSjwRZVNclOllo1FNN+YKcnOBHJssXNqSdRF0toNr6yiUnquioLZVUMARFPnTVg2dAwIVtnpRDC6D3SKApSHH+zfYtjMA9LZ2bJGHpdQHV0FBhMnYpqPKKBq5G8XNg=="} 01153{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":15,"source":"cfgs\/default\/pcap\/vk.pcapng","alias":"nDPId-test","flow_id":3,"flow_packet_id":5,"flow_src_last_pkt_time":1675334162672319,"flow_dst_last_pkt_time":1675334161630633,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":515,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":515,"pkt_l4_len":481,"thread_ts_usec":1675334162672319,"pkt":"dNqIE5X\/CI6QkAulCABFAAH1MQlAAEAGaRrAqAH5V\/CETuwUAbu8RyD3B\/V9KYAYJD8KxAAAAQEICtCCZtVlMJuZFwMDAbwgQ3L6I9NhaDNw6UhntKLmQIsVYWbdcbUVQvkhoF9k+WaG\/GQZxVdBrctZ1wzjmJD+7ZFlWgDKpb4DkUsA5upIhc7a4\/9EUqwrmGOJDwYzUJB5owou4Tysc9csr1OatCeiNkcofDiJoC+bQDE32ozrAWogfeew59JJAPi6J5EytrTpmQQ+YnWBA\/8iCi4XfimU2ZiaHgMHCD21pO4mHImT1\/jAUTq\/1GH08VkAZIDze1mbZy32rhOAyG5W7jqkxVvInIq8OyVJKSi3wtxeO2RYuZi1P0aAmiGgViMJ6tH2+cjXkD4ts+iaafMmiuZkDGl\/jNM399RYjBjSiwZsQWfs3Z5qTUKgpu5hB4RRVEpKZpMRJY7k4SK8EUYard4HyVkQO2t9hJd2zoxRIyCDh37iSBhiY97MJsWhkqWCQ8rSyPsCsd4ES0j4e7sSJyWBy9xjT6HyL0cu9PDjjTTqGC88QFJNAP\/ZgdQV26m0Ev\/zHzIRoPERrjAp4EwRWBDWI843JTMrxhgXkQE2R7nY84alQ4A8qiVtqXNXWpUDBw\/oSlSpt3twoVUcme4EO0ePtBtkV7LyPiaypqmomHk="} 02232{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":43,"source":"cfgs\/default\/pcap\/vk.pcapng","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1675334161630633,"flow_src_last_pkt_time":1675334162970119,"flow_dst_last_pkt_time":1675334161630633,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":706,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":2285,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1675334162970119,"l3_proto":"ip4","src_ip":"192.168.1.249","dst_ip":"87.240.132.78","src_port":60436,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":9,"avg":43209.2,"max":1009982,"stddev":180973.6,"var":32751437824.0,"ent":1.3,"data": [1009982,14622,15333,1749,16345,26,12,11,29,15083,24,227705,48,13,11,2653,38,12801,28,1545,20,9,1508,1138,1634,11081,2465,1543,41,782,1207]},"pktlen": {"min":52,"avg":125.3,"max":758,"stddev":191.1,"var":36507.6,"ent":4.0,"data": [638,758,52,596,501,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,64,64,64,64,64,52,52,52,52,52,52]},"bins": {"c_to_s": [28,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"entropies": [7.658514977,7.774987221,5.246409416,7.623703957,7.570796013,5.246409416,5.246409416,5.246409416,5.284871101,5.284871101,5.207947731,5.169486523,5.246409416,5.284871101,5.169486046,5.131024837,5.284871101,5.246409416,5.169486046,5.169486046,5.246409416,5.259624004,5.259624004,5.247828960,5.259624004,5.290874004,5.246409416,5.284871101,5.207947731,5.207947731,5.246409416,5.207948208]},"ndpi": {"flow_risk": {"46": {"risk":"Unidirectional Traffic","severity":"Low","risk_score": {"total":500,"client":430,"server":70}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","proto_by_ip":"VK","proto_by_ip_id":22,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} -01044{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":43,"source":"cfgs\/default\/pcap\/vk.pcapng","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1675334161630633,"flow_src_last_pkt_time":1675334162970119,"flow_dst_last_pkt_time":1675334161630633,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":706,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":2285,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1675334162970119,"l3_proto":"ip4","src_ip":"192.168.1.249","dst_ip":"87.240.132.78","src_port":60436,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"46": {"risk":"Unidirectional Traffic","severity":"Low","risk_score": {"total":500,"client":430,"server":70}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","proto_by_ip":"VK","proto_by_ip_id":22,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00774{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":174,"source":"cfgs\/default\/pcap\/vk.pcapng","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1675334163910616,"flow_src_last_pkt_time":1675334163910616,"flow_dst_last_pkt_time":1675334163910616,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1675334163910616,"l3_proto":"ip4","src_ip":"192.168.1.249","dst_ip":"87.240.185.137","src_port":59154,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} 00553{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":174,"source":"cfgs\/default\/pcap\/vk.pcapng","alias":"nDPId-test","flow_id":4,"flow_packet_id":1,"flow_src_last_pkt_time":1675334163910616,"flow_dst_last_pkt_time":1675334163910616,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1675334163910616,"pkt":"dNqIE5X\/CI6QkAulCABFAAA8M1FAAEAGM1DAqAH5V\/C5iecSAbu7eFLeAAAAAKAC+vDPqgAAAgQFtAQCCAoIy6lZAAAAAAEDAwc="} 00773{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":175,"source":"cfgs\/default\/pcap\/vk.pcapng","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1675334163912330,"flow_src_last_pkt_time":1675334163912330,"flow_dst_last_pkt_time":1675334163912330,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1675334163912330,"l3_proto":"ip4","src_ip":"192.168.1.249","dst_ip":"87.240.169.10","src_port":32990,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} @@ -48,7 +47,6 @@ 00745{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":256,"source":"cfgs\/default\/pcap\/vk.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":4,"flow_src_last_pkt_time":1675334164676638,"flow_dst_last_pkt_time":1675334160555793,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":212,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":212,"pkt_l4_len":178,"thread_ts_usec":1675334164676638,"pkt":"dNqIE5X\/CI6QkAulCABFAADGkUBAAEAGDN3AqAH5V\/CBg4RwAbulKVZxc9gL4IAYAfUPdAAAAQEIColQsjvg\/suqFwMDAI3KM06gVQ95ENMbHyUcjDay+BDIky59\/hXK8b9KEEh44vXCXf8Z5I23ZEl0wWKnsXf\/LewZuF4zhcGkYk1BcC4ZjSXMxgEdaKMkuP9JbZvjAKjgDFjDE\/V5RF0zBSmn807oaZR4Y3KEaj2GtkIvAkkJtfsTWZ\/7vkBcmzldSlZjHC8zEXvy+ngngapwgFk="} 00542{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":257,"source":"cfgs\/default\/pcap\/vk.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":5,"flow_src_last_pkt_time":1675334164691179,"flow_dst_last_pkt_time":1675334160555793,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1675334164691179,"pkt":"dNqIE5X\/CI6QkAulCABFAAA0kUFAAEAGDW7AqAH5V\/CBg4RwAbulKVcDc9gMA4AQAfXiPgAAAQEIColQskrg\/tem"} 02266{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":266,"source":"cfgs\/default\/pcap\/vk.pcapng","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1675334160592919,"flow_src_last_pkt_time":1675334165285590,"flow_dst_last_pkt_time":1675334160592919,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":965,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":6049,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1675334165285590,"l3_proto":"ip4","src_ip":"192.168.1.249","dst_ip":"87.240.129.140","src_port":40344,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":12,"avg":151376.5,"max":2006629,"stddev":451077.3,"var":203470716928.0,"ent":2.1,"data": [37,14329,22998,2006629,46,764,13490,98211,1614502,285,99,283,260,13216,1250,18419,1704,886,6878,22622,24,179811,40,14057,67447,12,24,579540,41,1048,13719]},"pktlen": {"min":52,"avg":241.0,"max":1017,"stddev":249.5,"var":62251.3,"ent":4.3,"data": [247,332,52,52,240,776,565,52,52,385,563,339,564,1017,52,52,52,52,52,52,52,52,243,316,52,52,52,52,250,563,429,52]},"bins": {"c_to_s": [17,0,0,0,0,2,2,0,3,0,1,1,0,0,0,2,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"entropies": [7.151976109,7.356266499,5.207948208,5.169486523,6.965931416,7.731954098,7.617059708,5.131024837,5.207947731,7.360937595,7.613526821,7.349236012,7.610394001,7.787010193,5.092563152,5.131024837,5.061608315,5.056022644,5.131024837,5.092563152,5.131024361,5.131024361,7.143619061,7.305361271,5.116507530,5.131024361,5.169486046,5.131024361,7.176092148,7.631054878,7.485155582,5.116507530]},"ndpi": {"flow_risk": {"46": {"risk":"Unidirectional Traffic","severity":"Low","risk_score": {"total":500,"client":430,"server":70}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","proto_by_ip":"VK","proto_by_ip_id":22,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} -01046{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":266,"source":"cfgs\/default\/pcap\/vk.pcapng","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1675334160592919,"flow_src_last_pkt_time":1675334165285590,"flow_dst_last_pkt_time":1675334160592919,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":965,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":6049,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1675334165285590,"l3_proto":"ip4","src_ip":"192.168.1.249","dst_ip":"87.240.129.140","src_port":40344,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"46": {"risk":"Unidirectional Traffic","severity":"Low","risk_score": {"total":500,"client":430,"server":70}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","proto_by_ip":"VK","proto_by_ip_id":22,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00772{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":644,"source":"cfgs\/default\/pcap\/vk.pcapng","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1675334171361391,"flow_src_last_pkt_time":1675334171361391,"flow_dst_last_pkt_time":1675334171361391,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1675334171361391,"l3_proto":"ip4","src_ip":"192.168.1.249","dst_ip":"87.240.169.3","src_port":47934,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} 00553{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":644,"source":"cfgs\/default\/pcap\/vk.pcapng","alias":"nDPId-test","flow_id":7,"flow_packet_id":1,"flow_src_last_pkt_time":1675334171361391,"flow_dst_last_pkt_time":1675334171361391,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1675334171361391,"pkt":"dNqIE5X\/CI6QkAulCABFAAA88c9AAEAGhVfAqAH5V\/CpA7s+AbsjOasgAAAAAKAC+vBdJQAAAgQFtAQCCApf00EuAAAAAAEDAwc="} 00773{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":645,"source":"cfgs\/default\/pcap\/vk.pcapng","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1675334171362184,"flow_src_last_pkt_time":1675334171362184,"flow_dst_last_pkt_time":1675334171362184,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1675334171362184,"l3_proto":"ip4","src_ip":"192.168.1.249","dst_ip":"87.240.169.11","src_port":59722,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} @@ -83,7 +81,7 @@ 01079{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":909,"source":"cfgs\/default\/pcap\/vk.pcapng","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":706,"flow_dst_packets_processed":0,"flow_first_seen":1675334161630633,"flow_src_last_pkt_time":1675334178414776,"flow_dst_last_pkt_time":1675334161630633,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1398,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":38528,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1675334178414776,"l3_proto":"ip4","src_ip":"192.168.1.249","dst_ip":"87.240.132.78","src_port":60436,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"flow_risk": {"46": {"risk":"Unidirectional Traffic","severity":"Low","risk_score": {"total":500,"client":430,"server":70}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","proto_by_ip":"VK","proto_by_ip_id":22,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 01073{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":909,"source":"cfgs\/default\/pcap\/vk.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":21,"flow_dst_packets_processed":0,"flow_first_seen":1675334160555793,"flow_src_last_pkt_time":1675334171438126,"flow_dst_last_pkt_time":1675334160555793,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":305,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":2212,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1675334178414776,"l3_proto":"ip4","src_ip":"192.168.1.249","dst_ip":"87.240.129.131","src_port":33904,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"flow_risk": {"46": {"risk":"Unidirectional Traffic","severity":"Low","risk_score": {"total":500,"client":430,"server":70}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","proto_by_ip":"VK","proto_by_ip_id":22,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 01071{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":909,"source":"cfgs\/default\/pcap\/vk.pcapng","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":0,"flow_first_seen":1675334163969940,"flow_src_last_pkt_time":1675334164019208,"flow_dst_last_pkt_time":1675334163969940,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":633,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":922,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1675334178414776,"l3_proto":"ip4","src_ip":"192.168.1.249","dst_ip":"87.240.129.135","src_port":56504,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"flow_risk": {"46": {"risk":"Unidirectional Traffic","severity":"Low","risk_score": {"total":500,"client":430,"server":70}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","proto_by_ip":"VK","proto_by_ip_id":22,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} -00639{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":909,"source":"cfgs\/default\/pcap\/vk.pcapng","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":909,"packets-processed":909,"total-skipped-flows":0,"total-l4-payload-len":66779,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":10,"total-detection-updates":8,"total-updates":0,"current-active-flows":0,"total-active-flows":10,"total-idle-flows":10,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":86,"global_ts_usec":1675334178414776} +00639{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":909,"source":"cfgs\/default\/pcap\/vk.pcapng","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":909,"packets-processed":909,"total-skipped-flows":0,"total-l4-payload-len":66779,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":10,"total-detection-updates":6,"total-updates":0,"current-active-flows":0,"total-active-flows":10,"total-idle-flows":10,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":84,"global_ts_usec":1675334178414776} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ ~~ packets captured/processed: 909/909 ~~ skipped flows.............: 0 diff --git a/test/results/default/waze.pcap.out b/test/results/default/waze.pcap.out index 490c2c7b3..9ed47ebf4 100644 --- a/test/results/default/waze.pcap.out +++ b/test/results/default/waze.pcap.out @@ -124,7 +124,6 @@ 00527{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":202,"source":"cfgs\/default\/pcap\/waze.pcap","alias":"nDPId-test","flow_id":17,"flow_packet_id":5,"flow_src_last_pkt_time":1435587872706282,"flow_dst_last_pkt_time":1435587872706630,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1435587872706630,"pkt":"ABoRAAACABoRAAABCABFAAAodM1AABAG0Wc25uOsCggAAQBQsfL9DvHBAvEO1lAQ\/\/\/YXgAA"} 02345{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":227,"source":"cfgs\/default\/pcap\/waze.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1435587867755556,"flow_src_last_pkt_time":1435587873023451,"flow_dst_last_pkt_time":1435587873023894,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":263,"flow_dst_max_l4_payload_len":11779,"flow_src_tot_l4_payload_len":263,"flow_dst_tot_l4_payload_len":60924,"midstream":0,"thread_ts_usec":1435587873023894,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"65.39.128.135","src_port":54915,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":2041,"avg":339878.5,"max":3680611,"stddev":884676.9,"var":782653259776.0,"ent":2.8,"data": [3747,3915,21835,22372,3677989,3680611,286073,284297,338879,393453,330278,329396,54620,2041,179324,179523,2610,51219,50746,3092,28507,76268,51141,51323,122745,73523,10248,59104,52582,58295,56477]},"pktlen": {"min":40,"avg":1952.7,"max":11819,"stddev":3090.5,"var":9551440.0,"ent":3.5,"data": [60,40,40,303,40,1408,40,2776,40,5512,40,8248,40,2673,40,1408,40,1408,40,9616,40,2776,40,5512,40,5512,40,2776,40,11819,40,40]},"bins": {"c_to_s": [15,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,10]},"directions": [0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1],"entropies": [4.427644730,4.730641365,4.680641174,5.499622345,4.630641460,7.039453506,4.630641460,6.947220325,4.630641460,5.584113598,4.680641174,6.835184574,4.680641174,6.998500347,4.580641747,3.024588346,4.630641460,6.950185776,4.730640888,6.195324898,4.680641651,6.552656651,4.680641174,1.660765886,4.730641365,1.651001215,4.730640888,1.384768248,4.611768723,1.660717368,4.680640697,4.680641174]},"ndpi": {"flow_risk": {"4": {"risk":"Binary App Transfer","severity":"Severe","risk_score": {"total":150,"client":135,"server":15}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":7,"category":"Download"}} 02430{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":236,"source":"cfgs\/default\/pcap\/waze.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1435587868634159,"flow_src_last_pkt_time":1435587873119875,"flow_dst_last_pkt_time":1435587873120117,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":5461,"flow_src_tot_l4_payload_len":3221,"flow_dst_tot_l4_payload_len":13199,"midstream":0,"thread_ts_usec":1435587873120117,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"46.51.173.182","src_port":36100,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":169,"avg":289408.8,"max":1658841,"stddev":505049.6,"var":255075106816.0,"ent":3.3,"data": [1230,10859,357221,367097,474392,475318,8069,9038,265872,317654,51992,865,554,304,254,1430075,1483289,119461,172808,51439,51948,1420,901,467,433,340,381,1601922,1658841,169,57061]},"pktlen": {"min":40,"avg":553.8,"max":5501,"stddev":1270.8,"var":1615041.0,"ent":3.0,"data": [60,40,40,222,40,3187,40,366,40,274,189,40,576,40,101,40,5501,40,189,40,576,40,576,40,576,40,101,40,4397,40,189,40]},"bins": {"c_to_s": [5,2,0,0,3,1,0,0,0,0,1,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3]},"directions": [0,1,0,0,1,1,0,0,1,1,0,1,0,1,0,1,1,0,0,1,0,1,0,1,0,1,0,1,1,0,0,1],"entropies": [4.346510887,4.684184074,4.665311813,5.227974892,4.665312290,7.402610779,4.615312099,7.299519062,4.665312290,7.035841465,6.858353615,4.615312099,7.612000942,4.665312290,6.077723026,4.615312099,7.960921764,4.665311813,6.823141098,4.596440315,7.582696438,4.615312099,7.667782307,4.615312099,7.607909679,4.665312290,6.192669392,4.665312290,7.950992584,4.615312099,6.755126476,4.615312099]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":310,"client":275,"server":35}},"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":150,"client":135,"server":15}}},"confidence": {"6":"DPI"},"proto":"TLS.Waze","proto_id":"91.135","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} -01623{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":236,"source":"cfgs\/default\/pcap\/waze.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1435587868634159,"flow_src_last_pkt_time":1435587873119875,"flow_dst_last_pkt_time":1435587873120117,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":5461,"flow_src_tot_l4_payload_len":3221,"flow_dst_tot_l4_payload_len":13199,"midstream":0,"thread_ts_usec":1435587873120117,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"46.51.173.182","src_port":36100,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":310,"client":275,"server":35}},"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":150,"client":135,"server":15}}},"confidence": {"6":"DPI"},"proto":"TLS.Waze","proto_id":"91.135","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1","server_names":"*.world.waze.com","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"714ac86d50db68420429ca897688f5f3","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Google Inc, CN=Google Internet Authority G2","subjectDN":"C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.world.waze.com","fingerprint":"30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B"}}} 01248{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":247,"source":"cfgs\/default\/pcap\/waze.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1435587871929480,"flow_src_last_pkt_time":1435587872139946,"flow_dst_last_pkt_time":1435587873486827,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":182,"flow_dst_max_l4_payload_len":1368,"flow_src_tot_l4_payload_len":182,"flow_dst_tot_l4_payload_len":1368,"midstream":0,"thread_ts_usec":1435587873486827,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"176.34.103.105","src_port":51050,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":310,"client":275,"server":35}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"39f74f5618836d3c5f7dcccc9f67ba75","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"}}} 01512{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":249,"source":"cfgs\/default\/pcap\/waze.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1435587871935294,"flow_src_last_pkt_time":1435587872566264,"flow_dst_last_pkt_time":1435587873688799,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":182,"flow_dst_max_l4_payload_len":2111,"flow_src_tot_l4_payload_len":182,"flow_dst_tot_l4_payload_len":3479,"midstream":0,"thread_ts_usec":1435587873688799,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"176.34.103.105","src_port":51051,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":310,"client":275,"server":35}}},"confidence": {"6":"DPI"},"proto":"TLS.Waze","proto_id":"91.135","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1","server_names":"*.waze.com","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"39f74f5618836d3c5f7dcccc9f67ba75","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","issuerDN":"C=US, O=Google Inc, CN=Google Internet Authority G2","subjectDN":"C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.waze.com","fingerprint":"A9:35:F0:16:17:A3:FD:73:EC:0C:03:24:F8:34:5A:8A:B3:D7:8D:57"}}} 01512{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":251,"source":"cfgs\/default\/pcap\/waze.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1435587871929480,"flow_src_last_pkt_time":1435587873537747,"flow_dst_last_pkt_time":1435587873741385,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":182,"flow_dst_max_l4_payload_len":2111,"flow_src_tot_l4_payload_len":182,"flow_dst_tot_l4_payload_len":3479,"midstream":0,"thread_ts_usec":1435587873741385,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"176.34.103.105","src_port":51050,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":310,"client":275,"server":35}}},"confidence": {"6":"DPI"},"proto":"TLS.Waze","proto_id":"91.135","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1","server_names":"*.waze.com","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"39f74f5618836d3c5f7dcccc9f67ba75","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","issuerDN":"C=US, O=Google Inc, CN=Google Internet Authority G2","subjectDN":"C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.waze.com","fingerprint":"A9:35:F0:16:17:A3:FD:73:EC:0C:03:24:F8:34:5A:8A:B3:D7:8D:57"}}} @@ -212,7 +211,6 @@ 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":469,"source":"cfgs\/default\/pcap\/waze.pcap","alias":"nDPId-test","flow_id":30,"flow_packet_id":4,"flow_src_last_pkt_time":1435587880590669,"flow_dst_last_pkt_time":1435587880589665,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1435587880590669,"pkt":"ABoRAAACABoRAAABCABFAAAoAABAAEAGY\/YKCAAByKAEMew\/Abump6BrAAAAAFAEAACj+AAA"} 02351{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":481,"source":"cfgs\/default\/pcap\/waze.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1435587878215938,"flow_src_last_pkt_time":1435587880855977,"flow_dst_last_pkt_time":1435587880856912,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":21888,"flow_src_tot_l4_payload_len":1024,"flow_dst_tot_l4_payload_len":56070,"midstream":0,"thread_ts_usec":1435587880856912,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"52.17.114.219","src_port":39021,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":475,"avg":170355.3,"max":415925,"stddev":135089.4,"var":18249146368.0,"ent":4.4,"data": [1325,1585,226918,227495,336533,387205,51299,1169,297221,297772,252519,309444,358705,415925,755,475,490,567,254342,305451,51846,52474,211304,161331,247956,249119,81326,79510,208662,209727,563]},"pktlen": {"min":40,"avg":1824.8,"max":21928,"stddev":4660.8,"var":21723256.0,"ent":2.6,"data": [60,40,40,222,40,1408,40,2163,40,174,40,274,40,189,40,576,40,63,40,1408,40,12352,40,5512,40,21928,40,11345,40,40,40,40]},"bins": {"c_to_s": [12,0,0,0,2,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,5]},"directions": [0,1,0,0,1,1,0,1,0,0,1,1,0,0,1,0,1,0,1,1,0,1,0,1,0,1,0,1,0,0,1,1],"entropies": [4.438340664,4.834184170,4.684184074,5.259868145,4.715312481,7.222858906,4.734184265,7.563067913,4.665312290,6.516509533,4.784184456,7.076688766,4.734184265,6.928961754,4.784184456,7.607337475,4.734184265,5.572360516,4.734184265,7.872128963,4.734184265,7.984007359,4.734184265,7.969620705,4.634184361,7.992324829,4.734184265,7.982760429,4.734183788,4.665311813,4.684184074,4.734184265]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":310,"client":275,"server":35}}},"confidence": {"6":"DPI"},"proto":"TLS.Waze","proto_id":"91.135","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 02345{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":492,"source":"cfgs\/default\/pcap\/waze.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1435587878606407,"flow_src_last_pkt_time":1435587882306533,"flow_dst_last_pkt_time":1435587880854651,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":11132,"flow_src_tot_l4_payload_len":1238,"flow_dst_tot_l4_payload_len":41633,"midstream":0,"thread_ts_usec":1435587882306533,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"176.34.186.180","src_port":36312,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":330,"avg":191882.9,"max":1449192,"stddev":279549.5,"var":78147936256.0,"ent":3.8,"data": [2413,2787,291811,292494,279839,332432,52742,50748,425063,475681,259886,310653,731,51371,620,734,450,330,293909,545953,252820,1543,20204,21185,56923,56823,156171,205918,52727,4217,1449192]},"pktlen": {"min":40,"avg":1380.3,"max":11172,"stddev":2994.0,"var":8963944.0,"ent":2.9,"data": [60,40,40,222,40,1052,40,2519,40,174,40,274,40,576,40,389,40,77,40,10160,40,8136,40,1052,40,11172,40,1052,40,6576,40,40]},"bins": {"c_to_s": [12,1,0,0,1,1,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5]},"directions": [0,1,0,0,1,1,0,1,0,0,1,1,0,0,1,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,0],"entropies": [4.438340187,4.834184170,4.784184456,5.232826710,4.734184265,7.011441231,4.784184456,7.575597763,4.634184361,6.629845142,4.684184074,7.007690430,4.734184742,7.624808311,4.784184456,7.415266037,4.734184742,5.664109230,4.734184265,7.981531620,4.784184456,7.979642391,4.734184265,7.801960945,4.715312004,7.982071400,4.834183693,7.818040848,4.834183693,7.971698284,4.715311527,4.765311718]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":310,"client":275,"server":35}}},"confidence": {"6":"DPI"},"proto":"TLS.Waze","proto_id":"91.135","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} -01529{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":492,"source":"cfgs\/default\/pcap\/waze.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1435587878606407,"flow_src_last_pkt_time":1435587882306533,"flow_dst_last_pkt_time":1435587880854651,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":11132,"flow_src_tot_l4_payload_len":1238,"flow_dst_tot_l4_payload_len":41633,"midstream":0,"thread_ts_usec":1435587882306533,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"176.34.186.180","src_port":36312,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":310,"client":275,"server":35}}},"confidence": {"6":"DPI"},"proto":"TLS.Waze","proto_id":"91.135","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1","server_names":"*.world.waze.com","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"39f74f5618836d3c5f7dcccc9f67ba75","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","issuerDN":"C=US, O=Google Inc, CN=Google Internet Authority G2","subjectDN":"C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.world.waze.com","fingerprint":"30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B"}}} 02456{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":518,"source":"cfgs\/default\/pcap\/waze.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1435587868635666,"flow_src_last_pkt_time":1435587884544120,"flow_dst_last_pkt_time":1435587884544651,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":501,"flow_dst_max_l4_payload_len":3606,"flow_src_tot_l4_payload_len":1600,"flow_dst_tot_l4_payload_len":8366,"midstream":0,"thread_ts_usec":1435587884544651,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"46.51.173.182","src_port":36102,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":413,"avg":1026369.1,"max":5890947,"stddev":1778823.2,"var":3164212035584.0,"ent":3.4,"data": [9060,9459,461199,462055,319157,370793,51463,554,58722,59273,267346,318521,5838678,5890947,1921,3057,232692,285896,1892628,1892382,50926,52168,293028,345106,632,413,1258587,1309974,5014758,5014527,51517]},"pktlen": {"min":40,"avg":352.1,"max":3646,"stddev":731.9,"var":535720.0,"ent":3.4,"data": [60,40,40,222,40,1052,40,2175,40,366,40,274,40,221,40,541,40,93,40,1052,40,3646,40,189,40,301,40,317,40,77,40,40]},"bins": {"c_to_s": [10,0,0,0,1,2,0,0,1,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,2,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2]},"directions": [0,1,0,0,1,1,0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,1,0,0,1,0,1,1,0,1,0,1],"entropies": [4.325758457,4.734184265,4.684184074,5.244800568,4.615312099,7.020944595,4.734184265,7.476994514,4.634184361,7.276714802,4.665312290,7.041373253,4.734184265,6.961156845,4.734184265,7.528326035,4.684184551,6.083172798,4.734184265,7.792463779,4.734184265,7.940383911,4.734184265,6.823890686,4.734184265,7.240302563,4.734184265,7.320995331,4.734184265,5.654304981,4.615312099,4.665312290]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":310,"client":275,"server":35}},"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":150,"client":135,"server":15}}},"confidence": {"6":"DPI"},"proto":"TLS.Waze","proto_id":"91.135","proto_by_ip":"AmazonAWS","proto_by_ip_id":265,"encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 00769{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":532,"source":"cfgs\/default\/pcap\/waze.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1435587894241434,"flow_src_last_pkt_time":1435587894241434,"flow_dst_last_pkt_time":1435587894241434,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1435587894241434,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"46.51.173.182","src_port":36134,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} 00556{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":532,"source":"cfgs\/default\/pcap\/waze.pcap","alias":"nDPId-test","flow_id":31,"flow_packet_id":1,"flow_src_last_pkt_time":1435587894241434,"flow_dst_last_pkt_time":1435587894241434,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1435587894241434,"pkt":"ABoRAAACABoRAAABCABFAAA87+5AAEAGZNsKCAABLjOtto0mAbvDfJnqAAAAAKAC\/\/\/\/twAAAgQFtAQCCAoACHYEAAAAAAEDAwg="} @@ -281,7 +279,7 @@ 00771{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":597,"source":"cfgs\/default\/pcap\/waze.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":2,"flow_first_seen":1435587880581548,"flow_src_last_pkt_time":1435587880589942,"flow_dst_last_pkt_time":1435587880582653,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1435587907392933,"l3_proto":"ip4","src_ip":"10.16.37.157","dst_ip":"200.160.4.49","src_port":52746,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} 00864{"flow_event_id":9,"flow_event_name":"not-detected","thread_id":0,"packet_id":597,"source":"cfgs\/default\/pcap\/waze.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":8,"flow_dst_packets_processed":2,"flow_first_seen":1435587866603221,"flow_src_last_pkt_time":1435587898628291,"flow_dst_last_pkt_time":1435587898628143,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":25,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":150,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1435587907392933,"l3_proto":"ip4","src_ip":"10.16.37.157","dst_ip":"174.37.231.81","src_port":42256,"dst_port":5222,"l4_proto":"tcp","ndpi": {"proto":"Unknown","proto_id":"0","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Unrated"}} 00776{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":597,"source":"cfgs\/default\/pcap\/waze.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":8,"flow_dst_packets_processed":2,"flow_first_seen":1435587866603221,"flow_src_last_pkt_time":1435587898628291,"flow_dst_last_pkt_time":1435587898628143,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":25,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":150,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1435587907392933,"l3_proto":"ip4","src_ip":"10.16.37.157","dst_ip":"174.37.231.81","src_port":42256,"dst_port":5222,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} -00642{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":597,"source":"cfgs\/default\/pcap\/waze.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":597,"packets-processed":597,"total-skipped-flows":0,"total-l4-payload-len":326183,"total-not-detected-flows":1,"total-guessed-flows":9,"total-detected-flows":23,"total-detection-updates":24,"total-updates":0,"current-active-flows":0,"total-active-flows":33,"total-idle-flows":33,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":284,"global_ts_usec":1435587907392933} +00642{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":597,"source":"cfgs\/default\/pcap\/waze.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":597,"packets-processed":597,"total-skipped-flows":0,"total-l4-payload-len":326183,"total-not-detected-flows":1,"total-guessed-flows":9,"total-detected-flows":23,"total-detection-updates":22,"total-updates":0,"current-active-flows":0,"total-active-flows":33,"total-idle-flows":33,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":282,"global_ts_usec":1435587907392933} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ ~~ packets captured/processed: 597/597 ~~ skipped flows.............: 0 diff --git a/test/results/default/webex.pcap.out b/test/results/default/webex.pcap.out index fc13206f5..098b61b26 100644 --- a/test/results/default/webex.pcap.out +++ b/test/results/default/webex.pcap.out @@ -9,7 +9,6 @@ 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":5,"source":"cfgs\/default\/pcap\/webex.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":5,"flow_src_last_pkt_time":1444570624860735,"flow_dst_last_pkt_time":1444570624860939,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1444570624860939,"pkt":"ABoRAAACABoRAAABCABFAAAoAQ9AABAGtg1ARGlnCggAAQG7oYKw53j0TxiH0FAQ\/\/9YHgAA"} 01582{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":8,"source":"cfgs\/default\/pcap\/webex.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1444570624853841,"flow_src_last_pkt_time":1444570625418062,"flow_dst_last_pkt_time":1444570625424499,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":195,"flow_dst_max_l4_payload_len":2720,"flow_src_tot_l4_payload_len":195,"flow_dst_tot_l4_payload_len":3939,"midstream":0,"thread_ts_usec":1444570625424499,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41346,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}}},"confidence": {"6":"DPI"},"proto":"TLS.Webex","proto_id":"91.141","proto_by_ip":"Webex","proto_by_ip_id":141,"encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP","hostname":"radcom.webex.com","tls": {"version":"TLSv1.2","server_names":"*.webex.com","ja3":"f9010d8c34749bdf7659b52227e6f91b","ja3s":"c253ec3ad88e42f8da4032682892f9a0","unsafe_cipher":2,"cipher":"TLS_RSA_WITH_RC4_128_MD5","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com","fingerprint":"61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1"}}} 02322{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"cfgs\/default\/pcap\/webex.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1444570624853841,"flow_src_last_pkt_time":1444570626601155,"flow_dst_last_pkt_time":1444570626600999,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":2720,"flow_src_tot_l4_payload_len":2935,"flow_dst_tot_l4_payload_len":8179,"midstream":0,"thread_ts_usec":1444570626601155,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41346,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":160,"avg":112724.9,"max":557327,"stddev":156273.3,"var":24421341184.0,"ent":3.7,"data": [6506,6734,160,592,505708,557327,57852,60147,905,55625,257454,309311,10052,61432,845,730,299224,351252,55954,56159,800,52876,398,2835,268644,322298,52259,51930,18450,69467,546]},"pktlen": {"min":40,"avg":387.9,"max":2760,"stddev":588.9,"var":346810.6,"ent":3.8,"data": [60,40,40,235,40,2760,40,1259,40,350,40,83,40,576,40,124,40,1400,40,809,40,576,40,314,40,1400,40,748,40,576,40,504]},"bins": {"c_to_s": [9,0,1,0,0,0,1,0,1,1,0,0,0,0,1,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0,0,0,1]},"directions": [0,1,0,0,1,1,0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,0,1,0,1,1,0,1,0,0,1,0],"entropies": [4.446510792,4.665312290,4.665311813,5.481472969,4.665312290,7.284092903,4.765311718,7.073906422,4.661769390,7.186378956,4.565312386,5.608655453,4.561769009,7.664141655,4.515312195,6.329119682,4.565312386,7.871033669,4.715311527,7.782140255,4.765311718,7.598457336,4.615312099,7.304864407,4.665312290,7.852759361,4.665311813,7.733906269,4.715312004,7.600008011,4.511769772,7.572229862]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}}},"confidence": {"6":"DPI"},"proto":"TLS.Webex","proto_id":"91.141","proto_by_ip":"Webex","proto_by_ip_id":141,"encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}} -01586{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":32,"source":"cfgs\/default\/pcap\/webex.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1444570624853841,"flow_src_last_pkt_time":1444570626601155,"flow_dst_last_pkt_time":1444570626600999,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":2720,"flow_src_tot_l4_payload_len":2935,"flow_dst_tot_l4_payload_len":8179,"midstream":0,"thread_ts_usec":1444570626601155,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41346,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}}},"confidence": {"6":"DPI"},"proto":"TLS.Webex","proto_id":"91.141","proto_by_ip":"Webex","proto_by_ip_id":141,"encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP","hostname":"radcom.webex.com","tls": {"version":"TLSv1.2","server_names":"*.webex.com","ja3":"f9010d8c34749bdf7659b52227e6f91b","ja3s":"c253ec3ad88e42f8da4032682892f9a0","unsafe_cipher":2,"cipher":"TLS_RSA_WITH_RC4_128_MD5","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com","fingerprint":"61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1"}}} 00768{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":50,"source":"cfgs\/default\/pcap\/webex.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1444570627404164,"flow_src_last_pkt_time":1444570627404164,"flow_dst_last_pkt_time":1444570627404164,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1444570627404164,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41348,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} 00552{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":50,"source":"cfgs\/default\/pcap\/webex.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_src_last_pkt_time":1444570627404164,"flow_dst_last_pkt_time":1444570627404164,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1444570627404164,"pkt":"ABoRAAACABoRAAABCABFAAA8hnNAAEAGAJUKCAABQERpZ6GEAbuwMDkNAAAAAKACOQgO\/QAAAgQFtAQCCAoATL9+AAAAAAEDAwY="} 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":51,"source":"cfgs\/default\/pcap\/webex.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1444570627404164,"flow_dst_last_pkt_time":1444570627409779,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1444570627409779,"pkt":"ABoRAAACABoRAAABCABFAAAoASZAABAGtfZARGlnCggAAQG7oYRPz8bysDA5DlAS\/\/9Y3gAA"} @@ -498,7 +497,7 @@ 01204{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":1110,"source":"cfgs\/default\/pcap\/webex.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"info","flow_src_packets_processed":9,"flow_dst_packets_processed":8,"flow_first_seen":1444570636387910,"flow_src_last_pkt_time":1444570640346348,"flow_dst_last_pkt_time":1444570639263789,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":522,"flow_dst_max_l4_payload_len":3939,"flow_src_tot_l4_payload_len":911,"flow_dst_tot_l4_payload_len":6552,"midstream":0,"thread_ts_usec":1444570742172121,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41386,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":310,"client":275,"server":35}},"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":150,"client":135,"server":15}}},"confidence": {"6":"DPI"},"proto":"TLS.Webex","proto_id":"91.141","proto_by_ip":"Webex","proto_by_ip_id":141,"encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 01075{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":1110,"source":"cfgs\/default\/pcap\/webex.pcap","alias":"nDPId-test","flow_id":30,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":5,"flow_first_seen":1444570640319795,"flow_src_last_pkt_time":1444570652359038,"flow_dst_last_pkt_time":1444570652361105,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":63,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":63,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1444570742172121,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41394,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":310,"client":275,"server":35}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","proto_by_ip":"Webex","proto_by_ip_id":141,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 01204{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":1110,"source":"cfgs\/default\/pcap\/webex.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"info","flow_src_packets_processed":7,"flow_dst_packets_processed":7,"flow_first_seen":1444570672215106,"flow_src_last_pkt_time":1444570673280105,"flow_dst_last_pkt_time":1444570673246494,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":522,"flow_dst_max_l4_payload_len":3939,"flow_src_tot_l4_payload_len":911,"flow_dst_tot_l4_payload_len":6552,"midstream":0,"thread_ts_usec":1444570742172121,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41419,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":310,"client":275,"server":35}},"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":150,"client":135,"server":15}}},"confidence": {"6":"DPI"},"proto":"TLS.Webex","proto_id":"91.141","proto_by_ip":"Webex","proto_by_ip_id":141,"encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}} -00646{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":1110,"source":"cfgs\/default\/pcap\/webex.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":1110,"packets-processed":1110,"total-skipped-flows":0,"total-l4-payload-len":494354,"total-not-detected-flows":0,"total-guessed-flows":4,"total-detected-flows":53,"total-detection-updates":40,"total-updates":2,"current-active-flows":0,"total-active-flows":57,"total-idle-flows":57,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":501,"global_ts_usec":1444570742172121} +00646{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":1110,"source":"cfgs\/default\/pcap\/webex.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":1110,"packets-processed":1110,"total-skipped-flows":0,"total-l4-payload-len":494354,"total-not-detected-flows":0,"total-guessed-flows":4,"total-detected-flows":53,"total-detection-updates":39,"total-updates":2,"current-active-flows":0,"total-active-flows":57,"total-idle-flows":57,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":500,"global_ts_usec":1444570742172121} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ ~~ packets captured/processed: 1110/1110 ~~ skipped flows.............: 0 diff --git a/test/results/default/wechat.pcap.out b/test/results/default/wechat.pcap.out index b0fab8c6f..d30eb3974 100644 --- a/test/results/default/wechat.pcap.out +++ b/test/results/default/wechat.pcap.out @@ -281,7 +281,6 @@ 01185{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":648,"source":"cfgs\/default\/pcap\/wechat.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1492167455528205,"flow_src_last_pkt_time":1492167455891558,"flow_dst_last_pkt_time":1492167456251036,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":238,"flow_dst_max_l4_payload_len":1428,"flow_src_tot_l4_payload_len":238,"flow_dst_tot_l4_payload_len":1428,"midstream":0,"thread_ts_usec":1492167456251036,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54104,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"web.wechat.com","tls": {"version":"TLSv1.2","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","advertised_alpns":"h2,http\/1.1"}}} 01719{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":650,"source":"cfgs\/default\/pcap\/wechat.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1492167455528205,"flow_src_last_pkt_time":1492167456251067,"flow_dst_last_pkt_time":1492167456251627,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":238,"flow_dst_max_l4_payload_len":1428,"flow_src_tot_l4_payload_len":238,"flow_dst_tot_l4_payload_len":2856,"midstream":0,"thread_ts_usec":1492167456251627,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54104,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"web.wechat.com","tls": {"version":"TLSv1.2","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","subjectDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","advertised_alpns":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}} 02201{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":673,"source":"cfgs\/default\/pcap\/wechat.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1492167454818522,"flow_src_last_pkt_time":1492167456832685,"flow_dst_last_pkt_time":1492167456833193,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1088,"flow_dst_max_l4_payload_len":3068,"flow_src_tot_l4_payload_len":2540,"flow_dst_tot_l4_payload_len":21943,"midstream":0,"thread_ts_usec":1492167456833193,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54103,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":485,"avg":129962.4,"max":646724,"stddev":181880.5,"var":33080510464.0,"ent":3.5,"data": [360844,360859,1106,320164,2049,321124,836,835,489,485,2516,331784,329811,339551,757,339771,547,4542,5088,2482,2487,1143,1132,271360,646724,757,376133,549,914,1456,539]},"pktlen": {"min":52,"avg":817.6,"max":3120,"stddev":861.6,"var":742326.2,"ent":4.2,"data": [60,60,52,290,52,1480,52,1480,52,312,52,178,103,1140,1480,1480,52,1480,1480,52,2908,52,3120,52,1140,1480,1480,52,1480,1480,52,1480]},"bins": {"c_to_s": [11,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0,2]},"directions": [0,1,0,0,1,1,0,1,0,1,0,0,1,0,1,1,0,1,1,0,1,0,1,0,0,1,1,0,1,1,0,1],"entropies": [4.726680756,5.220871925,5.014835358,5.858064651,5.079967022,6.831523418,5.053297043,7.519194603,5.025067329,7.301003456,5.025067329,6.369594574,5.816505909,7.860216618,7.880475521,7.853042603,5.063529015,7.867065430,7.870931625,5.025067806,7.935112953,5.025067806,7.943042755,4.986606121,7.835324287,7.881664753,7.863303185,5.017560005,7.863364220,7.864516258,5.132945061,7.866506577]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}} -01724{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":673,"source":"cfgs\/default\/pcap\/wechat.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1492167454818522,"flow_src_last_pkt_time":1492167456832685,"flow_dst_last_pkt_time":1492167456833193,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1088,"flow_dst_max_l4_payload_len":3068,"flow_src_tot_l4_payload_len":2540,"flow_dst_tot_l4_payload_len":21943,"midstream":0,"thread_ts_usec":1492167456833193,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54103,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"web.wechat.com","tls": {"version":"TLSv1.2","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","subjectDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","advertised_alpns":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}} 02215{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":702,"source":"cfgs\/default\/pcap\/wechat.pcap","alias":"nDPId-test","flow_id":33,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1492167454457964,"flow_src_last_pkt_time":1492167457755437,"flow_dst_last_pkt_time":1492167457756747,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1240,"flow_dst_max_l4_payload_len":1688,"flow_src_tot_l4_payload_len":6267,"flow_dst_tot_l4_payload_len":9439,"midstream":0,"thread_ts_usec":1492167457756747,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54101,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":383,"avg":212782.5,"max":951677,"stddev":233185.6,"var":54375542784.0,"ent":4.0,"data": [378875,378978,383,354036,2419,355982,2806,2818,1046,367448,367322,4404,365806,31144,394889,3196,367851,55930,2766,420112,17934,846,381296,34840,434328,543113,951677,371599,549,523,1340]},"pktlen": {"min":52,"avg":543.3,"max":1740,"stddev":599.1,"var":358890.2,"ent":4.1,"data": [60,60,52,290,52,1480,52,1740,52,178,103,1225,429,52,250,1292,527,52,1480,216,52,1225,429,52,250,52,1140,1480,52,1480,52,1480]},"bins": {"c_to_s": [8,0,0,1,0,0,0,1,0,0,0,2,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,2,0,1,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,0,0,0,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,1]},"directions": [0,1,0,0,1,1,0,1,0,0,1,0,0,1,1,0,0,1,1,1,0,0,0,1,1,0,0,1,0,1,0,1],"entropies": [4.714098930,5.162375927,5.053297043,5.901997566,5.094483376,6.795276642,5.014835358,7.609866619,4.988526344,6.379345417,6.050486088,7.830496788,7.398893356,5.094483852,7.075847626,7.833686829,7.562863827,5.130220413,7.881128788,6.984771252,5.025067329,7.832070827,7.381729126,5.056022167,7.076413155,5.025067806,7.815702915,7.858382225,5.063529015,7.880737305,5.063529015,7.870216846]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}} 00542{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":831,"source":"cfgs\/default\/pcap\/wechat.pcap","alias":"nDPId-test","flow_id":21,"flow_packet_id":5,"flow_src_last_pkt_time":1492167468008215,"flow_dst_last_pkt_time":1492167422991183,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1492167468008215,"pkt":"8IQvSpdgeJKcD6iOCABFAAA0KNFAAEAGqhrAqAFn2DrNjsJ7AbvMOVSD1yvysIAQAT22vQAAAQEICgAxKkAyc0s1"} 00927{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":840,"source":"cfgs\/default\/pcap\/wechat.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1492167337792745,"flow_src_last_pkt_time":1492167353998138,"flow_dst_last_pkt_time":1492167353687334,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":604,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":604,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1492167478295735,"l3_proto":"ip4","src_ip":"203.205.151.162","dst_ip":"192.168.1.103","src_port":443,"dst_port":54084,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"TLS","proto_id":"91","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} @@ -604,7 +603,6 @@ 00556{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1456,"source":"cfgs\/default\/pcap\/wechat.pcap","alias":"nDPId-test","flow_id":73,"flow_packet_id":4,"flow_src_last_pkt_time":1492167866495436,"flow_dst_last_pkt_time":1492167867786741,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1492167867786741,"pkt":"eJKcD6iO8IQvSpdgCABFoAA8AABAAC8GKZTLzZOrwKgBZwG74rl6NAw+rnErxqASN8h\/HQAAAgQFoAQCCApFrzUwADKvZQEDAwc="} 00543{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1457,"source":"cfgs\/default\/pcap\/wechat.pcap","alias":"nDPId-test","flow_id":73,"flow_packet_id":5,"flow_src_last_pkt_time":1492167867786787,"flow_dst_last_pkt_time":1492167867786741,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1492167867786787,"pkt":"8IQvSpdgeJKcD6iOCABFAAA0hOlAAEAGlFLAqAFny82Tq+K5AbuucSvGejQMP4AQAOXkuAAAAQEICgAysKhFrzPt"} 02198{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1465,"source":"cfgs\/default\/pcap\/wechat.pcap","alias":"nDPId-test","flow_id":72,"flow_state":"info","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1492167865975033,"flow_src_last_pkt_time":1492167868793020,"flow_dst_last_pkt_time":1492167868783731,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1428,"flow_dst_max_l4_payload_len":1428,"flow_src_tot_l4_payload_len":12291,"flow_dst_tot_l4_payload_len":3489,"midstream":0,"thread_ts_usec":1492167868793020,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.147.171","src_port":58040,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":11,"avg":181506.0,"max":1577028,"stddev":351924.9,"var":123851137024.0,"ent":3.2,"data": [268280,268366,474,270444,798,270739,392,385,993,969,2788,273097,271415,164,26,13,12,11,1155,289376,22800,22424,9724,380702,1255603,4960,1577028,73342,350958,5989,3258]},"pktlen": {"min":52,"avg":545.6,"max":1480,"stddev":599.0,"var":358844.3,"ent":4.1,"data": [60,60,52,290,52,1480,52,1480,52,312,52,178,103,1232,1480,1480,1480,1480,1480,315,52,52,52,143,52,1220,513,52,283,52,1292,527]},"bins": {"c_to_s": [7,0,0,1,0,0,0,1,1,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,1,0,0,0,0,0,5,0,0,0],"s_to_c": [6,1,1,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,0,1,0,0,0,0,0,0,0,1,1,1,1,0,0,0,1,1,0,0,0],"entropies": [4.680765629,5.154205322,4.884933472,5.839785576,5.017560482,6.813761711,4.831954956,7.514670849,4.842186928,7.190687180,4.895165443,6.306419849,5.873158932,7.841919422,7.869560242,7.865934372,7.865987301,7.878506184,7.864762306,7.242313385,4.964581966,4.834680080,4.895165443,6.393952847,4.986606121,7.814539909,7.515988827,5.061608315,7.244477749,4.895165443,7.844690800,7.504737377]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","proto_by_ip":"Tencent","proto_by_ip_id":285,"encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}} -01727{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1465,"source":"cfgs\/default\/pcap\/wechat.pcap","alias":"nDPId-test","flow_id":72,"flow_state":"info","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1492167865975033,"flow_src_last_pkt_time":1492167868793020,"flow_dst_last_pkt_time":1492167868783731,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1428,"flow_dst_max_l4_payload_len":1428,"flow_src_tot_l4_payload_len":12291,"flow_dst_tot_l4_payload_len":3489,"midstream":0,"thread_ts_usec":1492167868793020,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.147.171","src_port":58040,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","proto_by_ip":"Tencent","proto_by_ip_id":285,"encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"web.wechat.com","tls": {"version":"TLSv1.2","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","subjectDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","advertised_alpns":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}} 01128{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1478,"source":"cfgs\/default\/pcap\/wechat.pcap","alias":"nDPId-test","flow_id":73,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":2,"flow_first_seen":1492167866226283,"flow_src_last_pkt_time":1492167871050375,"flow_dst_last_pkt_time":1492167867786741,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":238,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":238,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1492167871050375,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.147.171","src_port":58041,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","proto_by_ip":"Tencent","proto_by_ip_id":285,"encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"web.wechat.com","tls": {"version":"TLSv1.2","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","advertised_alpns":"h2,http\/1.1"}}} 01188{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1484,"source":"cfgs\/default\/pcap\/wechat.pcap","alias":"nDPId-test","flow_id":73,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1492167866226283,"flow_src_last_pkt_time":1492167871050375,"flow_dst_last_pkt_time":1492167871323158,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":238,"flow_dst_max_l4_payload_len":1428,"flow_src_tot_l4_payload_len":238,"flow_dst_tot_l4_payload_len":1428,"midstream":0,"thread_ts_usec":1492167871323158,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.147.171","src_port":58041,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","proto_by_ip":"Tencent","proto_by_ip_id":285,"encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"web.wechat.com","tls": {"version":"TLSv1.2","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","advertised_alpns":"h2,http\/1.1"}}} 01722{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1486,"source":"cfgs\/default\/pcap\/wechat.pcap","alias":"nDPId-test","flow_id":73,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":5,"flow_first_seen":1492167866226283,"flow_src_last_pkt_time":1492167871323215,"flow_dst_last_pkt_time":1492167871323625,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":238,"flow_dst_max_l4_payload_len":1688,"flow_src_tot_l4_payload_len":238,"flow_dst_tot_l4_payload_len":3116,"midstream":0,"thread_ts_usec":1492167871323625,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.147.171","src_port":58041,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","proto_by_ip":"Tencent","proto_by_ip_id":285,"encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"web.wechat.com","tls": {"version":"TLSv1.2","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","subjectDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","advertised_alpns":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}} @@ -648,7 +646,7 @@ 00935{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":1553,"source":"cfgs\/default\/pcap\/wechat.pcap","alias":"nDPId-test","flow_id":70,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1492167851203580,"flow_src_last_pkt_time":1492167851203580,"flow_dst_last_pkt_time":1492167851203580,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":32,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":32,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":32,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1492167918120269,"l3_proto":"ip6","src_ip":"::","dst_ip":"ff02::1:ff86:6c5b","l4_proto":"icmp6","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"ICMPV6","proto_id":"102","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00974{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":1553,"source":"cfgs\/default\/pcap\/wechat.pcap","alias":"nDPId-test","flow_id":54,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1492167765155968,"flow_src_last_pkt_time":1492167765155968,"flow_dst_last_pkt_time":1492167765432548,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":32,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":32,"flow_dst_max_l4_payload_len":349,"flow_src_tot_l4_payload_len":32,"flow_dst_tot_l4_payload_len":349,"midstream":0,"thread_ts_usec":1492167918120269,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"192.168.1.254","src_port":60356,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.WeChat","proto_id":"5.197","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Fun","category_id":14,"category":"Network"}} 00946{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":1553,"source":"cfgs\/default\/pcap\/wechat.pcap","alias":"nDPId-test","flow_id":68,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":0,"flow_first_seen":1492167849769805,"flow_src_last_pkt_time":1492167851204799,"flow_dst_last_pkt_time":1492167849769805,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":8,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":16,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":24,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1492167918120269,"l3_proto":"ip6","src_ip":"fe80::842:a3f3:a286:6c5b","dst_ip":"ff02::2","l4_proto":"icmp6","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"ICMPV6","proto_id":"102","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} -00648{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":1553,"source":"cfgs\/default\/pcap\/wechat.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":1553,"packets-processed":1552,"total-skipped-flows":0,"total-l4-payload-len":556502,"total-not-detected-flows":0,"total-guessed-flows":11,"total-detected-flows":60,"total-detection-updates":63,"total-updates":72,"current-active-flows":30,"total-active-flows":75,"total-idle-flows":45,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":651,"global_ts_usec":1492171154216266} +00648{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":1553,"source":"cfgs\/default\/pcap\/wechat.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":1553,"packets-processed":1552,"total-skipped-flows":0,"total-l4-payload-len":556502,"total-not-detected-flows":0,"total-guessed-flows":11,"total-detected-flows":60,"total-detection-updates":61,"total-updates":72,"current-active-flows":30,"total-active-flows":75,"total-idle-flows":45,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":649,"global_ts_usec":1492171154216266} 00788{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1553,"source":"cfgs\/default\/pcap\/wechat.pcap","alias":"nDPId-test","flow_id":76,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1492171154216266,"flow_src_last_pkt_time":1492171154216266,"flow_dst_last_pkt_time":1492171154216266,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":1188,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1188,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1188,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1492171154216266,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54183,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} 02162{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1553,"source":"cfgs\/default\/pcap\/wechat.pcap","alias":"nDPId-test","flow_id":76,"flow_packet_id":1,"flow_src_last_pkt_time":1492171154216266,"flow_dst_last_pkt_time":1492171154216266,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":1254,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1254,"pkt_l4_len":1220,"thread_ts_usec":1492171154216266,"pkt":"8IQvSpdgeJKcD6iOCABFAATYpoxAAEAGahTAqAFny82XotOnAbtQhl2xjWp\/PoAYBaSJeAAAAQEICgA\/OhBF4BL0FwMDBJ8AAAAAAAAAk06IK7tTPaQ0tnXGeqHKil75lMj6OyIERVlvQ89pkJ\/5uFrYubJHeJqSrynvitkot5qunWtMUvVbyI8vjd8zycM9IsUAAB\/fKHCxwAngzbmC6gdk\/UoKTL4MIPiK4NVVPRz1DsYhuoql6sqmFMKJKaM6NXpyBkCtYpvlazDCWxllWCP\/i12XdKQQMbcGYN2wvAB3a6vg6oJPIx+XXkk4cY\/+EENsi+PDerl+pB2IlJMObTfaJBhM\/rJFUKMd1xriphMBzgM9PCE+gKKP\/k+AYg8NddY\/gnJX\/+unfAflhC1NZ1nFt2\/\/Y9gesYC0uhG0uLLlbtLmKF2MPjllgxHAEeq6L2rXw2szIJL4yllp+t9tcKCYfzVRzCQkgUtQQaP0YiRh1NQtDTvnuPpM8CS6YfFOx17PkSNzepokWNsrLXMtr9p2nc9zczirZ\/D9H9Xey3Xx0qFAN\/MVzWUXfWpSlTWrXzNWP5kDdvTYBf19VGMPfxtzLKYTLOd\/rVswJ6OAUsAdfTYAu7j6c4KJubGecouom8T9brd1TJm6pyXignKkiQR+nvp0U\/G\/NxhEcnKV91SvFM0mQxh+hfK10svoh9dj1Bq8+PvXaAQljscptiwRlr+X\/V1zPyapTZcrW9A2fGrnzKqVYJASiCPQWyYD8Mn6pda0e6knRW3Ae28WpLnmyjMKx4\/7dOqugSoKa3q7BQRxbcpbcOXlPFfrjt+CwbA3KCTzFvdocE4QeSDn8FuJ85HFummmQOxK7tDtjljV+L\/2nbiMgjTy6jJzYFwXGw6xLdoXOupF5XjIfHUSMeB+R0BhUmtVxXEWPPHfAVdVJcBt8uO5QMhp9jxrSrOX54VXB+P7Qj0VmSag75Jhz20k8Z3uI27cFcp7OjdlKhlEBtlzESNSQ8FGkqCxygPJSf0REdvr2uQA0ApTgzzF+s6YbdeH3vy1SJOH2fQsH4IeYeRjAPrh1RmlhN066XBLLeGtIiz1LEJx17TCB8c1JpUan\/1+JYoV0SCzXlaZWYybCxcBBIz\/2EdpG8hJzN4rtTVwf\/3OYFkhRTMbe1PHW9T5IfuTuKU76wWlDp+aujzjWp1vvFdq4bUrI6AdEquAU5C3BTnuLB9tqzlOb5nzcQjb4fPQCkUUcvHBPPLW9qrLyB05aTRG1W9ShnsibG\/AerW39YgPMVulkynnwtbGsYcGZs7KelCQXCLt3D6RU08N5SulLgw+o5aYItue0wJaW5VDEXxAVhsE4KU4+QsEuXkbd9rTsMt9Gf+Td49H8NzJEXxlYX\/ThtsZsn5doQpcdUcGVMiJrwpHQzTDWZLiBcd51axsLca9fP61xaeKb48j0Kb0TeXy0DcAfEDH4Sy29YAuNi7N4uKdxMrzHsqaQhCFI\/jmx6CqCWjy1zA6Ijzjpx6KTEeNxn3m7OTzuxckZQeS0ArKR7BX7UnCFIAenlvKt7e\/DzO9W1DndidXP+Qwf3XzvB+qvenTl6HWA0XtGBky3MCwBE5b++HXnyFlygjOvbY7LPZovuQtASvUqwAHPkuONuar\/2ZEP2TwCB+AOJYrpZq+HLOc"} 00925{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1553,"source":"cfgs\/default\/pcap\/wechat.pcap","alias":"nDPId-test","flow_id":76,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1492171154216266,"flow_src_last_pkt_time":1492171154216266,"flow_dst_last_pkt_time":1492171154216266,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":1188,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1188,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1188,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1492171154216266,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54183,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} @@ -887,7 +885,7 @@ 00775{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":1672,"source":"cfgs\/default\/pcap\/wechat.pcap","alias":"nDPId-test","flow_id":82,"flow_state":"info","flow_src_packets_processed":9,"flow_dst_packets_processed":0,"flow_first_seen":1492171168104237,"flow_src_last_pkt_time":1492171267294579,"flow_dst_last_pkt_time":1492171168104237,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1492171291761740,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"95.101.34.34","src_port":39231,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} 00925{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":1672,"source":"cfgs\/default\/pcap\/wechat.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1492167377896227,"flow_src_last_pkt_time":1492167468008215,"flow_dst_last_pkt_time":1492167468048114,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1492171291761740,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"216.58.205.142","src_port":49787,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"TLS","proto_id":"91","proto_by_ip":"Google","proto_by_ip_id":126,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00779{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1672,"source":"cfgs\/default\/pcap\/wechat.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1492167377896227,"flow_src_last_pkt_time":1492167468008215,"flow_dst_last_pkt_time":1492167468048114,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1492171291761740,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"216.58.205.142","src_port":49787,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} -00651{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":1672,"source":"cfgs\/default\/pcap\/wechat.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":1672,"packets-processed":1672,"total-skipped-flows":0,"total-l4-payload-len":561272,"total-not-detected-flows":0,"total-guessed-flows":25,"total-detected-flows":84,"total-detection-updates":71,"total-updates":77,"current-active-flows":0,"total-active-flows":109,"total-idle-flows":109,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":890,"global_ts_usec":1492171291761740} +00651{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":1672,"source":"cfgs\/default\/pcap\/wechat.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":1672,"packets-processed":1672,"total-skipped-flows":0,"total-l4-payload-len":561272,"total-not-detected-flows":0,"total-guessed-flows":25,"total-detected-flows":84,"total-detection-updates":69,"total-updates":77,"current-active-flows":0,"total-active-flows":109,"total-idle-flows":109,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":888,"global_ts_usec":1492171291761740} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ ~~ packets captured/processed: 1672/1672 ~~ skipped flows.............: 0 diff --git a/test/results/default/whatsapp_login_call.pcap.out b/test/results/default/whatsapp_login_call.pcap.out index 54e077273..c1573b9ad 100644 --- a/test/results/default/whatsapp_login_call.pcap.out +++ b/test/results/default/whatsapp_login_call.pcap.out @@ -84,7 +84,6 @@ 00554{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":85,"source":"cfgs\/default\/pcap\/whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":4,"flow_src_last_pkt_time":1432582228504689,"flow_dst_last_pkt_time":1432582228758036,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1432582228758036,"pkt":"APS5Jrv0xiwDYGpkCABFAAA0JuQAAC8Gq7cRbuUOwKgCBBRnwCnUixpMuGhTAIAQASWP9wAAAQEICm+GjRMt+jMS"} 01754{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":100,"source":"cfgs\/default\/pcap\/whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":5,"flow_src_last_pkt_time":1432582229313322,"flow_dst_last_pkt_time":1432582228758036,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":940,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":940,"pkt_l4_len":906,"thread_ts_usec":1432582229313322,"pkt":"xiwDYGpkAPS5Jrv0CABFAAOeCM9AAEAGdWLAqAIEEW7lDsApFGe4aFMA1IsaTIAYIAAJ\/gAAAQEICi36Nkxvho0TFwMBACAlPDy+6eU1URCb\/ilwjZ\/NM4vs5JNXKOeqBoWnuFfSpBcDAQNA3j6jFaNyp+Ee\/ueUmJ4vlYvRK6kIcmHPC2wSftiGLR4gr5c\/Gb\/AgGHTRAH\/r9QBCzwugl9+wIQsEEA+6vgnX80sTVdiCq3IE0ZfhwPcmqS\/pvpJq+j5hyWlZXNXxBAlIeuiPMUI7U1xe4adpS+ZdUxATIGzNM6hrWeZ9H4ASsfQXeiA+wdzvISU9UxFu83+z22MDx\/tldbYAE+R8dfZ1\/auzjriI8GHA5\/Z6Cc+Uz0r1oTWeoBe3R2YcD7pJ1Zp+GUdsNfFNsOOljc6msXw5zV8uKCTwzPdu1PB0VQRVdAKD+vFDEflXLvINqtZdS+GiBKca8KXunrfOFq7X1OoUZQZllLznrlGRARAU4V1Y7cGkmN8Uc2h1tGvN\/5iRKDzTZFhU5XJe4P\/iKT6ObWhjHQUMbLQK\/O\/weHxMKyTP9++DqmeWXj0JsiGUj5GSaaoQ+KDUml6Yqq02t81luMmnBNmeqVavl5012j2lGmh80AxHNPNWRZiVQNRDcTSSfp91g1UvA75D2gSMzIYw13NDzT9yRfpHFL1O1KpPU3dtcFgTnouF262JANgvzjPLbUYkD8qcdDjprWUY421XR1k5dKQq1eKe8aO8MrOlOI1dk0bBpb46SY8pGCb0wUs\/JJj0+ykc4w2dot17bxGgM1vpWVNWtftB7w479ANTyXb\/vsu4\/IFF29hdjwpRD3YVYqEczDcy74P9cuNs2\/frl\/d80ieXwrpsOhbVVW6CRic9yCz8z0BapVHv2EbrzpMkhKISSrAZ+CPGJIQoG2tQSbXzAKV3e2IWOEQJVMhqYxIUF1a2DbR00i68r9L4H7pNaIXs5RuM1uRA2q+2E4H6hsR3U2vC+apU2DQHkZ04jGoyLn2yaCx8TqsmQwWf58m3h0WkbOED\/Fe4DxQ\/9UY9GB3cQZ9rTty0KPxrmpN5mArMfL21LYMnkrY3aTybt1p4CiU69ruMsGvI\/gImnWD9rYEwuNqpD5Sn1AtqFHf\/17YOVQuqms9g9uLrVyXBwFKmjMaFaMK8LxW8LHpc\/BPQcCfoJiWAJNmkMBdMnR8r9I87mCv\/CAa\/B\/pu0dz7SnGhhQTZ2vSAcoHnKO5WtXEktOiDg=="} 02321{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":108,"source":"cfgs\/default\/pcap\/whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1432582227604482,"flow_src_last_pkt_time":1432582229309355,"flow_dst_last_pkt_time":1432582229616362,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":6486,"flow_dst_tot_l4_payload_len":6050,"midstream":0,"thread_ts_usec":1432582229616362,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"17.178.104.12","src_port":49201,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":9,"avg":119895.3,"max":712466,"stddev":179472.3,"var":32210292736.0,"ent":3.4,"data": [281831,283163,8705,294373,1121,35,286034,828,475,587,39758,240,307,326381,1436,373,2981,289942,5828,471,9,317531,1875,68938,587,382640,405162,707,17,712466,1952]},"pktlen": {"min":40,"avg":432.9,"max":1480,"stddev":595.1,"var":354099.2,"ent":3.8,"data": [64,52,40,230,1480,1480,571,40,40,40,40,307,46,77,40,40,40,83,40,1480,1480,153,40,40,1480,1196,40,1480,1480,153,40,40]},"bins": {"c_to_s": [9,1,0,2,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0],"s_to_c": [8,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,1,1,0,0,0,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1],"entropies": [4.541277409,4.887659073,4.715312004,5.559735775,7.184122086,7.417570591,6.899518967,4.931687355,4.881687641,4.931686878,4.765311718,7.230942249,4.759187222,5.742031574,4.834183693,4.834183693,4.834183693,5.811724186,4.931686878,7.864183426,7.878191471,6.699968815,4.684184074,4.684184074,7.862710953,7.817599297,4.931687355,7.865705967,7.847981453,6.673823357,4.784183979,4.834183693]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}}},"confidence": {"6":"DPI"},"proto":"TLS.Apple","proto_id":"91.140","proto_by_ip":"Apple","proto_by_ip_id":140,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} -01569{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":108,"source":"cfgs\/default\/pcap\/whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1432582227604482,"flow_src_last_pkt_time":1432582229309355,"flow_dst_last_pkt_time":1432582229616362,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":6486,"flow_dst_tot_l4_payload_len":6050,"midstream":0,"thread_ts_usec":1432582229616362,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"17.178.104.12","src_port":49201,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}}},"confidence": {"6":"DPI"},"proto":"TLS.Apple","proto_id":"91.140","proto_by_ip":"Apple","proto_by_ip_id":140,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"query.ess.apple.com","tls": {"version":"TLSv1.2","server_names":"*.ess.apple.com","ja3":"799135475da362592a4be9199d258726","ja3s":"c253ec3ad88e42f8da4032682892f9a0","unsafe_cipher":2,"cipher":"TLS_RSA_WITH_RC4_128_MD5","issuerDN":"CN=Apple Server Authentication CA, OU=Certification Authority, O=Apple Inc., C=US","subjectDN":"CN=*.ess.apple.com, OU=ISG Delivery Ops, O=Apple Inc., C=US","fingerprint":"BD:E0:62:C3:F2:9D:09:5D:52:D4:AA:60:11:1B:36:1B:03:24:F1:9B"}}} 00787{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":137,"source":"cfgs\/default\/pcap\/whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1432582230648273,"flow_src_last_pkt_time":1432582230648273,"flow_dst_last_pkt_time":1432582230648273,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1432582230648273,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"17.173.66.102","src_port":49204,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} 00575{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":137,"source":"cfgs\/default\/pcap\/whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":17,"flow_packet_id":1,"flow_src_last_pkt_time":1432582230648273,"flow_dst_last_pkt_time":1432582230648273,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1432582230648273,"pkt":"xiwDYGpkAPS5Jrv0CABFAABAZppAAEAGvV7AqAIEEa1CZsA0AbuMr4Y\/AAAAALAC\/\/\/iDQAAAgQFtAEDAwQBAQgKLfo7WAAAAAAEAgAA"} 02201{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":138,"source":"cfgs\/default\/pcap\/whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1432582227643274,"flow_src_last_pkt_time":1432582230649748,"flow_dst_last_pkt_time":1432582230614203,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":201,"flow_dst_max_l4_payload_len":78,"flow_src_tot_l4_payload_len":1159,"flow_dst_tot_l4_payload_len":445,"midstream":0,"thread_ts_usec":1432582230649748,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"184.173.179.37","src_port":49202,"dst_port":5222,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":0,"avg":192819.5,"max":709350,"stddev":172077.7,"var":29610717184.0,"ent":4.4,"data": [153871,242175,244771,708056,709350,35643,213202,306,145666,324955,262756,250323,148242,98446,249378,163432,164508,351063,174021,177975,4,178327,331,171720,16,302683,276,301856,4,0,204047]},"pktlen": {"min":52,"avg":102.8,"max":253,"stddev":60.8,"var":3698.6,"ent":4.8,"data": [64,60,52,52,218,130,73,52,52,253,84,71,73,52,227,84,52,118,84,184,84,84,186,52,85,85,252,52,85,85,85,118]},"bins": {"c_to_s": [9,0,2,0,2,2,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,10,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,1,0,0,0,1,0,1,0,0,1,0,0,1,0,1,1,0,0,1,1,0,0,1,1,1,0],"entropies": [4.535581589,5.323234558,5.284870625,5.118428230,6.648615837,6.247110844,5.434191704,5.231892109,5.169486046,7.074976444,5.807060719,5.762281895,5.680767059,5.207947731,7.065171242,5.820694447,5.246409416,6.336829185,5.802911282,6.766283989,5.781786919,5.740469933,6.833239079,5.270353794,5.863435745,5.886964798,7.017980099,5.284870625,5.854554653,5.807495594,5.816376686,6.257439613]},"ndpi": {"confidence": {"6":"DPI"},"proto":"WhatsApp","proto_id":"142","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}} @@ -459,7 +458,7 @@ 01134{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1253,"source":"cfgs\/default\/pcap\/whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":0,"flow_first_seen":1432582258587552,"flow_src_last_pkt_time":1432582267438091,"flow_dst_last_pkt_time":1432582258587552,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":44,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":660,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1432582361929399,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"1.194.90.191","src_port":51518,"dst_port":60312,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":160,"client":140,"server":20}}},"confidence": {"5":"DPI (cache)"},"proto":"STUN.WhatsAppCall","proto_id":"78.45","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 01140{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":1253,"source":"cfgs\/default\/pcap\/whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"finished","flow_src_packets_processed":29,"flow_dst_packets_processed":24,"flow_first_seen":1432582230648273,"flow_src_last_pkt_time":1432582264928868,"flow_dst_last_pkt_time":1432582264924464,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":948,"flow_src_tot_l4_payload_len":10180,"flow_dst_tot_l4_payload_len":5304,"midstream":0,"thread_ts_usec":1432582361929399,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"17.173.66.102","src_port":49204,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}}},"confidence": {"6":"DPI"},"proto":"TLS.AppleStore","proto_id":"91.224","proto_by_ip":"Apple","proto_by_ip_id":140,"encrypted":1,"breed":"Safe","category_id":19,"category":"SoftwareUpdate"}} 01140{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1253,"source":"cfgs\/default\/pcap\/whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":57,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1432582355253275,"flow_src_last_pkt_time":1432582356195572,"flow_dst_last_pkt_time":1432582356100109,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":948,"flow_src_tot_l4_payload_len":5224,"flow_dst_tot_l4_payload_len":2717,"midstream":0,"thread_ts_usec":1432582361929399,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"17.173.66.102","src_port":49205,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}}},"confidence": {"6":"DPI"},"proto":"TLS.AppleStore","proto_id":"91.224","proto_by_ip":"Apple","proto_by_ip_id":140,"encrypted":1,"breed":"Safe","category_id":19,"category":"SoftwareUpdate"}} -00662{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":1253,"source":"cfgs\/default\/pcap\/whatsapp_login_call.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":1253,"packets-processed":1251,"total-skipped-flows":0,"total-l4-payload-len":132660,"total-not-detected-flows":0,"total-guessed-flows":20,"total-detected-flows":37,"total-detection-updates":11,"total-updates":45,"current-active-flows":0,"total-active-flows":57,"total-idle-flows":57,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":462,"global_ts_usec":1432582361929399} +00662{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":1253,"source":"cfgs\/default\/pcap\/whatsapp_login_call.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":1253,"packets-processed":1251,"total-skipped-flows":0,"total-l4-payload-len":132660,"total-not-detected-flows":0,"total-guessed-flows":20,"total-detected-flows":37,"total-detection-updates":10,"total-updates":45,"current-active-flows":0,"total-active-flows":57,"total-idle-flows":57,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":461,"global_ts_usec":1432582361929399} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ ~~ packets captured/processed: 1253/1251 ~~ skipped flows.............: 0 diff --git a/test/results/default/zoom.pcap.out b/test/results/default/zoom.pcap.out index 58d942b0f..5261114a1 100644 --- a/test/results/default/zoom.pcap.out +++ b/test/results/default/zoom.pcap.out @@ -123,7 +123,6 @@ 01506{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":116,"source":"cfgs\/default\/pcap\/zoom.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":6,"flow_first_seen":1569520470022260,"flow_src_last_pkt_time":1569520470280708,"flow_dst_last_pkt_time":1569520470280793,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":5608,"midstream":0,"thread_ts_usec":1569520470280793,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"52.202.62.236","src_port":54866,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Zoom","proto_id":"91.189","proto_by_ip":"Zoom","proto_by_ip_id":189,"encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video","hostname":"www3.zoom.us","tls": {"version":"TLSv1.2","server_names":"*.zoom.us,zoom.us","ja3":"535aca3d99fc247509cd50933cd71d37","ja3s":"3c30f2c064a3aed8cd95de8d68c726a6","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http:\/\/certs.godaddy.com\/repository\/, CN=Go Daddy Secure Certificate Authority - G2","subjectDN":"OU=Domain Control Validated, CN=*.zoom.us","advertised_alpns":"http\/1.1","fingerprint":"F7:5A:83:A8:77:24:55:D7:6D:2E:93:F6:6E:9C:C9:7E:AD:9B:3B:E8"}}} 00813{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":124,"source":"cfgs\/default\/pcap\/zoom.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1569520470350181,"flow_dst_last_pkt_time":1569520466080774,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":265,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":265,"pkt_l4_len":231,"thread_ts_usec":1569520470350181,"pkt":"EBMx8Tl2KDc3AG3ICABFAAD7AABAAEAGtb7AqAF1rNkVSNZGAbt9MLg2pduNV4AYEAjK4AAAAQEICiWc3wRwmChtFgMBAMIBAAC+AwE5BEH329R9hgOe6JDNh5Do5\/IyBg\/qLeMPj9mOGNz+swAAEgAvADMANQA5wAnACsATwBRWAAEAAIP\/AQABAAAAAB0AGwAAGHd3dy5nb29nbGV0YWdtYW5hZ2VyLmNvbQAXAAAABQAFAQAAAAAzdAAAABIAAAAQADAALgJoMgVoMi0xNgVoMi0xNQVoMi0xNAhzcGR5LzMuMQZzcGR5LzMIaHR0cC8xLjEACwACAQAACgAKAAgAHQAXABgAGQ=="} 02175{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":156,"source":"cfgs\/default\/pcap\/zoom.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1569520470022260,"flow_src_last_pkt_time":1569520470618561,"flow_dst_last_pkt_time":1569520470618526,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":810,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":2209,"flow_dst_tot_l4_payload_len":17680,"midstream":0,"thread_ts_usec":1569520470618561,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"52.202.62.236","src_port":54866,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":3,"avg":38469.9,"max":210729,"stddev":59394.9,"var":3527759616.0,"ent":3.3,"data": [112386,112530,31116,143960,1761,226,34,114802,166,170,7182,2922,121940,111900,4272,3,116559,98015,494,36,210729,39,183,114,242,129,123,246,127,13,148]},"pktlen": {"min":40,"avg":663.0,"max":1492,"stddev":660.1,"var":435695.1,"ent":4.2,"data": [64,52,40,557,46,1492,1492,1492,40,1292,40,40,231,91,40,731,850,46,1492,1492,1492,40,40,1492,1492,40,1492,1492,40,1492,445,40]},"bins": {"c_to_s": [11,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,11,0,0]},"directions": [0,1,0,0,1,1,1,1,0,1,0,0,0,1,0,0,0,1,1,1,1,0,0,1,1,0,1,1,0,1,1,0],"entropies": [4.416232109,4.853979111,4.521928310,4.120527744,4.501398087,7.132670879,7.329687119,7.314774990,4.730641365,7.640571117,4.630640984,4.680641174,6.885639668,5.726258755,4.730641365,7.684801102,7.726203442,4.457919598,7.862352848,7.860615253,7.859583378,4.680641174,4.621928692,7.878399849,7.862105846,4.680641174,7.872378349,7.851402760,4.630641460,7.881779194,7.526136398,4.561769009]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Zoom","proto_id":"91.189","proto_by_ip":"Zoom","proto_by_ip_id":189,"encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video"}} -01510{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":156,"source":"cfgs\/default\/pcap\/zoom.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1569520470022260,"flow_src_last_pkt_time":1569520470618561,"flow_dst_last_pkt_time":1569520470618526,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":810,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":2209,"flow_dst_tot_l4_payload_len":17680,"midstream":0,"thread_ts_usec":1569520470618561,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"52.202.62.236","src_port":54866,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Zoom","proto_id":"91.189","proto_by_ip":"Zoom","proto_by_ip_id":189,"encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video","hostname":"www3.zoom.us","tls": {"version":"TLSv1.2","server_names":"*.zoom.us,zoom.us","ja3":"535aca3d99fc247509cd50933cd71d37","ja3s":"3c30f2c064a3aed8cd95de8d68c726a6","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http:\/\/certs.godaddy.com\/repository\/, CN=Go Daddy Secure Certificate Authority - G2","subjectDN":"OU=Domain Control Validated, CN=*.zoom.us","advertised_alpns":"http\/1.1","fingerprint":"F7:5A:83:A8:77:24:55:D7:6D:2E:93:F6:6E:9C:C9:7E:AD:9B:3B:E8"}}} 00778{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":158,"source":"cfgs\/default\/pcap\/zoom.pcap","alias":"nDPId-test","flow_id":22,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1569520470666966,"flow_src_last_pkt_time":1569520470666966,"flow_dst_last_pkt_time":1569520470666966,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":44,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":44,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569520470666966,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"192.168.1.255","src_port":57621,"dst_port":57621,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":5} 00576{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":158,"source":"cfgs\/default\/pcap\/zoom.pcap","alias":"nDPId-test","flow_id":22,"flow_packet_id":1,"flow_src_last_pkt_time":1569520470666966,"flow_dst_last_pkt_time":1569520470666966,"flow_idle_time":200000000,"pkt_datalink":1,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1569520470666966,"pkt":"\/\/\/\/\/\/\/\/KDc3AG3ICABFAABI4PAAAEARFPDAqAF1wKgB\/+EV4RUANLyaU3BvdFVkcDAJFTOWktM6lAABAARIlcIDDi3QR5gZLZgtSkZtNr91y8rdz4k="} 00922{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":158,"source":"cfgs\/default\/pcap\/zoom.pcap","alias":"nDPId-test","flow_id":22,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1569520470666966,"flow_src_last_pkt_time":1569520470666966,"flow_dst_last_pkt_time":1569520470666966,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":44,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":44,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569520470666966,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"192.168.1.255","src_port":57621,"dst_port":57621,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"Spotify","proto_id":"156","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Fun","category_id":25,"category":"Music"}} @@ -250,7 +249,7 @@ 00968{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":700,"source":"cfgs\/default\/pcap\/zoom.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"finished","flow_src_packets_processed":8,"flow_dst_packets_processed":8,"flow_first_seen":1569520469341987,"flow_src_last_pkt_time":1569520469402528,"flow_dst_last_pkt_time":1569520469413824,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1368,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":1489,"flow_dst_tot_l4_payload_len":4294,"midstream":1,"thread_ts_usec":1569520473198709,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"35.186.224.53","src_port":53872,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","proto_by_ip":"GoogleCloud","proto_by_ip_id":284,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 01121{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":700,"source":"cfgs\/default\/pcap\/zoom.pcap","alias":"nDPId-test","flow_id":30,"flow_state":"finished","flow_src_packets_processed":127,"flow_dst_packets_processed":83,"flow_first_seen":1569520471189039,"flow_src_last_pkt_time":1569520473190218,"flow_dst_last_pkt_time":1569520473152463,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":45724,"flow_dst_tot_l4_payload_len":12028,"midstream":0,"thread_ts_usec":1569520473198709,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"109.94.160.99","src_port":54871,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}}},"confidence": {"6":"DPI"},"proto":"TLS.Zoom","proto_id":"91.189","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video"}} 00970{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":700,"source":"cfgs\/default\/pcap\/zoom.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1569520469984408,"flow_src_last_pkt_time":1569520469984408,"flow_dst_last_pkt_time":1569520470021639,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":30,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":30,"flow_dst_max_l4_payload_len":46,"flow_src_tot_l4_payload_len":30,"flow_dst_tot_l4_payload_len":46,"midstream":0,"thread_ts_usec":1569520473198709,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"192.168.1.1","src_port":62988,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Zoom","proto_id":"5.189","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} -00642{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":700,"source":"cfgs\/default\/pcap\/zoom.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":700,"packets-processed":697,"total-skipped-flows":0,"total-l4-payload-len":329478,"total-not-detected-flows":0,"total-guessed-flows":2,"total-detected-flows":31,"total-detection-updates":27,"total-updates":0,"current-active-flows":0,"total-active-flows":33,"total-idle-flows":33,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":253,"global_ts_usec":1569520473198709} +00642{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":700,"source":"cfgs\/default\/pcap\/zoom.pcap","alias":"nDPId-test","version":"1.6.0","ndpi_version":"4.9.0-4365-b08c787f","packets-captured":700,"packets-processed":697,"total-skipped-flows":0,"total-l4-payload-len":329478,"total-not-detected-flows":0,"total-guessed-flows":2,"total-detected-flows":31,"total-detection-updates":26,"total-updates":0,"current-active-flows":0,"total-active-flows":33,"total-idle-flows":33,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":252,"global_ts_usec":1569520473198709} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ ~~ packets captured/processed: 700/697 ~~ skipped flows.............: 0 diff --git a/test/results/flow-info/caches_cfg/teams.pcap.out b/test/results/flow-info/caches_cfg/teams.pcap.out index 9ebd658bc..333036c26 100644 --- a/test/results/flow-info/caches_cfg/teams.pcap.out +++ b/test/results/flow-info/caches_cfg/teams.pcap.out @@ -29,7 +29,6 @@ [IATS(ms)....: 12.5,12.6,1.4,13.9,1.6,0.2,14.3,0.3,0.2,0.1,0.0,0.1,4.9,16.5,1.1,12.8,0.3,0.3,11.4,0.4,0.2,23.0,0.0,11.1,0.4,29.3,29.8,0.5,0.1,0.0,0.5] [PKTLENS.....: 64,52,40,250,46,1492,1492,40,1492,40,1492,257,40,198,46,366,40,109,40,133,78,298,78,46,40,46,556,40,1492,1492,671,40] [ENTROPIES...: 4.4,4.9,4.5,5.4,4.6,7.4,7.4,4.7,7.5,4.6,7.6,7.1,4.6,6.6,4.6,7.2,4.7,6.0,4.6,6.2,5.1,7.0,5.4,4.6,4.7,4.6,7.6,4.7,7.8,7.8,7.7,4.7] - detection-update: [.....5] [ip4][..tcp] [....192.168.1.6][60533] -> [.52.113.194.132][..443] [TLS.Teams][Skype_Teams][Collaborative][Safe][teams.microsoft.com] detection-update: [.....4] [ip4][..tcp] [....192.168.1.6][60532] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] RISK: TLS (probably) Not Carrying HTTPS ERROR-EVENT: Unknown packet type [7/16] @@ -46,8 +45,6 @@ [IATS(ms)....: 43.2,43.3,94.0,139.8,0.2,45.9,0.1,0.1,1.4,46.8,45.4,177.2,0.0,0.0,221.2,44.0,0.0,0.0,0.0,21.3,21.2,0.0,23.0,23.0,0.0,0.0,0.0,1.2,1.2,0.0,0.0] [PKTLENS.....: 64,60,52,226,1492,1492,52,1375,52,145,103,52,1480,1480,1480,52,1480,1480,1480,1480,52,1480,1480,52,1480,1480,1480,1480,52,1480,1480,1480] [ENTROPIES...: 4.4,5.2,4.9,5.6,7.3,7.3,4.9,7.7,4.9,5.9,5.5,4.9,7.9,7.9,7.9,5.1,7.9,7.9,7.9,7.9,5.1,7.9,7.9,5.1,7.9,7.9,7.9,7.9,5.1,7.9,7.9,7.9] - detection-update: [.....4] [ip4][..tcp] [....192.168.1.6][60532] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] - RISK: TLS (probably) Not Carrying HTTPS new: [.....7] [ip4][..tcp] [....192.168.1.6][60535] -> [...52.114.77.33][..443] detected: [.....7] [ip4][..tcp] [....192.168.1.6][60535] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] RISK: TLS (probably) Not Carrying HTTPS @@ -148,8 +145,6 @@ [IATS(ms)....: 50.5,50.6,0.3,64.6,72.0,0.2,136.5,0.1,0.1,1.4,68.0,86.2,152.9,2.3,0.0,0.0,46.4,44.1,0.0,0.0,0.0,23.6,23.6,0.0,20.9,20.9,0.0,0.0,0.0,0.8,0.8] [PKTLENS.....: 64,60,52,258,52,1492,1492,52,1375,52,145,52,103,52,1480,1480,1480,52,1480,1480,1480,1480,52,1480,1480,52,1480,1480,1480,1480,52,1480] [ENTROPIES...: 4.4,5.3,5.0,5.9,5.1,7.3,7.3,5.0,7.7,5.0,5.9,5.2,5.6,5.0,7.9,7.8,7.9,5.2,7.9,7.9,7.9,7.9,5.2,7.9,7.9,5.2,7.9,7.9,7.8,7.9,5.2,7.9] - detection-update: [....25] [ip4][..tcp] [....192.168.1.6][60543] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] - RISK: TLS (probably) Not Carrying HTTPS new: [....30] [ip4][..tcp] [....192.168.1.6][60546] -> [.167.99.215.164][.4434] detected: [....30] [ip4][..tcp] [....192.168.1.6][60546] -> [.167.99.215.164][.4434] [TLS.ntop][Unknown][Network][Safe][dati.ntop.org] RISK: Known Proto on Non Std Port @@ -201,7 +196,6 @@ [IATS(ms)....: 12.7,12.8,0.2,12.4,2.5,0.3,14.9,0.5,0.5,0.2,0.0,0.8,4.9,17.1,1.4,0.0,13.1,0.0,0.2,0.3,0.1,11.8,0.0,11.2,0.1,0.6,112.9,113.7,1998.1,2009.8,174.6] [PKTLENS.....: 64,52,40,257,46,1492,1492,40,1492,40,1492,181,40,198,46,366,109,40,40,133,78,561,46,78,40,46,46,440,40,342,46,345] [ENTROPIES...: 4.4,5.0,4.6,5.5,4.5,7.3,7.5,4.6,7.5,4.6,7.7,6.8,4.7,6.5,4.5,7.2,6.0,4.6,4.6,6.2,5.2,7.6,4.4,5.4,4.6,4.5,4.5,7.5,4.7,7.2,4.5,7.3] - detection-update: [....23] [ip4][..tcp] [....192.168.1.6][60542] -> [.52.113.194.132][..443] [TLS.Teams][Skype_Teams][Collaborative][Safe][config.teams.microsoft.com] analyse: [....35] [ip4][..tcp] [....192.168.1.6][60549] -> [...13.107.18.11][..443] [TLS.Microsoft365][Outlook][Collaborative][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.540| 0.024| 0.095| 8949.939| 1.900] @@ -212,7 +206,6 @@ [IATS(ms)....: 11.5,11.6,0.3,11.9,32.5,0.1,44.2,0.2,0.0,0.2,3.8,7.7,0.3,0.1,14.6,1.5,0.0,4.2,0.0,0.3,6.5,0.5,6.7,4.3,9.9,14.2,10.7,10.7,539.6,0.0,0.3] [PKTLENS.....: 64,52,40,251,46,1492,1492,40,1492,80,40,198,133,578,172,46,366,109,40,40,78,46,78,40,46,689,40,359,40,1480,694,248] [ENTROPIES...: 4.4,4.9,4.5,5.4,4.5,6.7,7.5,4.6,7.6,5.7,4.7,6.5,6.2,7.6,6.5,4.5,7.2,5.8,4.6,4.6,5.3,4.5,5.4,4.6,4.5,7.7,4.7,7.3,4.7,7.8,7.7,7.0] - detection-update: [....35] [ip4][..tcp] [....192.168.1.6][60549] -> [...13.107.18.11][..443] [TLS.Microsoft365][Outlook][Collaborative][Acceptable][substrate.office.com] new: [....36] [ip4][..udp] [....192.168.1.6][61245] -> [....192.168.1.1][...53] detected: [....36] [ip4][..udp] [....192.168.1.6][61245] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][euaz.tr.teams.microsoft.com] new: [....37] [ip4][..udp] [....192.168.1.6][53678] -> [....192.168.1.1][...53] @@ -265,8 +258,6 @@ [IATS(ms)....: 12.9,13.0,0.5,12.4,2.0,1.5,15.4,0.1,0.1,0.1,0.0,0.1,21.6,33.0,11.5,11.7,0.1,11.8,0.6,13.4,140.4,0.7,154.0,0.2,0.2,0.2,0.2,0.5,0.0,0.1,0.2] [PKTLENS.....: 64,52,40,226,46,1492,1492,40,1492,40,1492,168,40,147,46,91,46,91,40,1122,46,1492,1492,40,1317,40,1492,1492,40,40,1492,1492] [ENTROPIES...: 4.4,4.9,4.5,5.5,4.4,7.3,7.5,4.6,7.5,4.5,7.7,6.7,4.6,6.5,4.5,5.7,4.5,5.6,4.6,7.8,4.6,7.9,7.9,4.6,7.9,4.6,7.9,7.9,4.6,4.5,7.9,7.9] - detection-update: [....43] [ip4][..tcp] [....192.168.1.6][60554] -> [.52.113.194.132][..443] [TLS.Teams][Skype_Teams][Collaborative][Safe][config.teams.microsoft.com] - RISK: TLS (probably) Not Carrying HTTPS new: [....47] [ip4][..tcp] [....192.168.1.6][60557] -> [.52.113.194.132][..443] detected: [....47] [ip4][..tcp] [....192.168.1.6][60557] -> [.52.113.194.132][..443] [TLS.Teams][Skype_Teams][Collaborative][Safe][teams.microsoft.com] RISK: TLS (probably) Not Carrying HTTPS @@ -326,8 +317,6 @@ [IATS(ms)....: 48.4,48.5,0.5,88.2,136.5,113.7,0.2,161.8,0.1,0.1,1.1,74.6,73.5,1.1,0.0,0.0,50.1,49.0,0.0,0.0,0.0,48.4,48.4,0.0,0.0,0.0,1.6,1.5,46.9,1.1,1.7] [PKTLENS.....: 64,60,52,258,258,64,1492,1492,52,1375,52,145,103,52,1480,1480,1480,52,1480,1480,1480,1480,52,1480,1480,1480,1480,52,1462,52,52,52] [ENTROPIES...: 4.4,5.3,4.9,6.0,6.0,5.1,7.3,7.3,5.0,7.7,5.0,6.0,5.6,5.0,7.9,7.9,7.9,5.2,7.9,7.9,7.9,7.9,5.1,7.9,7.9,7.9,7.9,5.2,7.9,5.2,5.2,5.2] - detection-update: [....51] [ip4][..tcp] [....192.168.1.6][60561] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] - RISK: TLS (probably) Not Carrying HTTPS detected: [....55] [ip4][..tcp] [....192.168.1.6][60563] -> [.52.169.186.119][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][euno-1.api.microsoftstream.com] new: [....56] [ip4][..udp] [....192.168.1.6][63930] -> [....192.168.1.1][...53] detected: [....56] [ip4][..udp] [....192.168.1.6][63930] -> [....192.168.1.1][...53] [DNS.Microsoft][Unknown][Network][Safe][dc.applicationinsights.microsoft.com] diff --git a/test/results/flow-info/default/KakaoTalk_chat.pcap.out b/test/results/flow-info/default/KakaoTalk_chat.pcap.out index 9c8f48f45..3bfc7430e 100644 --- a/test/results/flow-info/default/KakaoTalk_chat.pcap.out +++ b/test/results/flow-info/default/KakaoTalk_chat.pcap.out @@ -128,8 +128,6 @@ [IATS(ms)....: 995.9,1037.9,49.3,6.7,695.5,683.6,56.0,2329.9,2320.4,251.6,299.0,4.5,4.4,4.1,3.7,105.5,239.4,242.2,376.5,82.6,125.8,244.5,287.3,18.1,164.6,239.0,428.1,146.0,274.1,3803.0,24.7] [PKTLENS.....: 60,60,44,40,224,44,40,44,224,40,1320,40,1320,40,1027,40,162,40,87,40,694,40,69,40,342,40,83,40,180,40,67,116] [ENTROPIES...: 4.7,4.7,5.0,4.9,5.2,5.1,5.0,4.7,5.2,4.9,6.5,4.7,7.1,4.8,6.7,4.9,6.6,4.9,5.7,4.8,7.7,4.9,5.5,4.9,7.4,5.0,5.9,4.8,6.8,5.0,5.6,6.4] - detection-update: [....15] [ip4][..tcp] [...10.24.82.188][35503] -> [...173.252.97.2][..443] [TLS.Facebook][Facebook][SocialNetwork][Fun][] - RISK: Obsolete TLS (v1.1 or older) new: [....34] [ip4][..tcp] [...10.24.82.188][35511] -> [...173.252.97.2][..443] detected: [....34] [ip4][..tcp] [...10.24.82.188][35511] -> [...173.252.97.2][..443] [TLS][Facebook][Web][Safe][] RISK: Obsolete TLS (v1.1 or older) diff --git a/test/results/flow-info/default/alexa-app.pcapng.out b/test/results/flow-info/default/alexa-app.pcapng.out index a9798896f..c1a8768fe 100644 --- a/test/results/flow-info/default/alexa-app.pcapng.out +++ b/test/results/flow-info/default/alexa-app.pcapng.out @@ -131,7 +131,6 @@ [IATS(ms)....: 47.0,53.0,0.3,73.2,0.1,18.9,0.4,0.3,0.4,88.2,0.3,0.7,0.2,8.1,32.8,75.3,63.7,49.4,70.9,0.8,90.5,2.0,0.4,0.5,0.4,0.5,0.7,0.0,5.3,0.3,1.1] [PKTLENS.....: 60,60,52,254,52,52,1500,1500,1500,819,52,52,52,52,178,1082,294,52,52,1500,1500,52,1500,1500,1500,450,1500,1112,86,52,52,52] [ENTROPIES...: 4.6,5.3,5.1,5.6,5.0,5.0,6.9,7.2,7.5,7.6,5.0,5.0,5.0,5.0,6.3,7.8,7.0,5.1,5.0,7.9,7.9,5.0,7.9,7.9,7.9,7.5,7.9,7.8,5.8,5.0,5.0,4.9] - detection-update: [....37] [ip4][..tcp] [..172.16.42.216][54411] -> [..52.85.209.216][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][www.amazon.com] detection-update: [....36] [ip4][..tcp] [..172.16.42.216][34019] -> [..54.239.24.186][..443] [TLS.AmazonAWS][AmazonAWS][Cloud][Acceptable][mobileanalytics.us-east-1.amazonaws.com] detection-update: [....36] [ip4][..tcp] [..172.16.42.216][34019] -> [..54.239.24.186][..443] [TLS.AmazonAWS][AmazonAWS][Cloud][Acceptable][mobileanalytics.us-east-1.amazonaws.com] new: [....40] [ip4][..udp] [..172.16.42.216][43350] -> [....172.16.42.1][...53] @@ -194,7 +193,6 @@ [IATS(ms)....: 54.2,55.4,0.5,50.3,258.9,520.1,785.3,3.8,0.2,0.1,0.0,60.8,0.3,0.1,0.1,52.1,11.0,287.0,223.9,2.7,139.2,0.2,171.9,179.9,0.1,402.7,22.4,216.5,783.8,835.9,50.5] [PKTLENS.....: 60,48,40,245,46,245,245,46,1500,1500,1500,674,40,40,40,40,166,1500,91,468,46,46,466,40,1500,1196,46,343,40,40,46,40] [ENTROPIES...: 4.6,5.1,4.9,5.6,4.5,5.6,5.6,4.6,7.1,7.3,7.4,7.6,4.8,4.9,4.8,4.8,6.3,7.9,5.9,7.5,4.6,4.6,7.5,4.8,7.9,7.8,4.6,7.4,4.9,4.9,4.6,4.9] - detection-update: [....42] [ip4][..tcp] [..172.16.42.216][42130] -> [..72.21.206.135][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][fls-na.amazon.com] new: [....50] [ip4][..tcp] [..172.16.42.216][45680] -> [..52.94.232.134][..443] detected: [....50] [ip4][..tcp] [..172.16.42.216][45680] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] detection-update: [....50] [ip4][..tcp] [..172.16.42.216][45680] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] @@ -285,8 +283,6 @@ [IATS(ms)....: 92.4,95.4,2.4,97.4,1.9,14.1,0.3,0.1,113.4,0.3,0.2,49.6,132.6,83.3,183.9,0.3,326.1,293.1,272.4,0.1,443.7,0.4,0.5,0.0,276.5,199.2,0.5,0.0,0.7,486.1,0.4] [PKTLENS.....: 60,48,40,261,46,46,1500,1500,450,40,40,40,166,91,40,1500,533,46,1500,46,46,1500,1500,1500,211,1500,1500,1500,211,1500,1500,1500] [ENTROPIES...: 4.7,5.1,4.7,5.4,4.6,4.6,7.2,7.3,7.4,4.8,4.8,4.8,6.6,5.8,4.7,7.9,7.6,4.7,7.9,4.5,4.5,7.8,7.9,7.9,7.0,7.8,7.9,7.9,7.0,7.8,7.8,7.9] - detection-update: [....65] [ip4][..tcp] [..172.16.42.216][41691] -> [..54.239.29.146][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][api.amazon.com] - RISK: TLS (probably) Not Carrying HTTPS new: [....66] [ip4][..tcp] [..172.16.42.216][49606] -> [..52.94.232.134][...80] new: [....67] [ip4][..tcp] [..172.16.42.216][45693] -> [..52.94.232.134][..443] new: [....68] [ip4][..tcp] [..172.16.42.216][45694] -> [..52.94.232.134][..443] @@ -516,8 +512,6 @@ [IATS(ms)....: 123.6,128.0,5.4,470.5,0.6,0.6,0.0,1232.5,1.5,5.0,0.7,0.7,10.0,973.2,0.5,0.1,0.0,190.9,73.2,0.3,171.9,0.1,117.0,408.2,413.7,66.7,140.9,83.3,0.1,166.3,19096.2] [PKTLENS.....: 60,48,40,232,46,1500,1500,522,232,232,40,40,40,166,46,46,46,85,40,1500,276,46,198,104,278,233,232,46,46,258,40,342] [ENTROPIES...: 4.7,5.1,4.8,5.5,4.6,7.2,7.3,7.6,5.5,5.5,4.8,4.9,4.7,6.3,4.5,4.5,4.8,5.6,4.8,7.9,7.2,4.5,6.8,6.0,7.1,7.0,6.9,4.5,4.6,7.0,4.8,7.3] - detection-update: [....99] [ip4][..tcp] [..172.16.42.216][44001] -> [..176.32.101.52][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][dp-gw-na-js.amazon.com] - RISK: TLS (probably) Not Carrying HTTPS new: [...108] [ip4][..udp] [..172.16.42.216][20922] -> [....172.16.42.1][...53] detected: [...108] [ip4][..udp] [..172.16.42.216][20922] -> [....172.16.42.1][...53] [DNS.Amazon][Unknown][Network][Acceptable][pitangui.amazon.com] detection-update: [...108] [ip4][..udp] [..172.16.42.216][20922] -> [....172.16.42.1][...53] [DNS.Amazon][Unknown][Network][Acceptable][pitangui.amazon.com] @@ -669,8 +663,6 @@ [IATS(ms)....: 77.1,79.5,13.2,60.9,0.4,0.6,0.1,48.6,1.8,3.6,177.8,227.4,44.5,20.0,267.2,445.6,122.6,0.1,0.0,0.0,282.5,8.7,270.5,1.6,407.0,0.1,164.1,0.1,290.0,120002.8,0.1] [PKTLENS.....: 60,60,52,273,52,1500,1500,626,52,52,52,178,294,52,1416,1416,52,1500,300,96,86,52,52,1500,1003,52,52,1315,86,52,83,52] [ENTROPIES...: 4.7,5.3,5.0,5.4,5.1,7.0,7.2,7.6,5.0,5.1,5.0,6.6,7.2,5.0,7.9,7.9,5.1,7.9,7.3,6.1,5.8,5.1,5.1,7.9,7.8,5.1,5.1,7.9,5.9,5.1,5.6,5.1] - detection-update: [....16] [ip4][..tcp] [..172.16.42.216][55242] -> [..52.85.209.197][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][www.amazon.com] - RISK: TLS (probably) Not Carrying HTTPS new: [...134] [ip4][..tcp] [..172.16.42.216][45751] -> [..52.94.232.134][..443] detected: [...134] [ip4][..tcp] [..172.16.42.216][45751] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] detection-update: [...134] [ip4][..tcp] [..172.16.42.216][45751] -> [..52.94.232.134][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] @@ -792,8 +784,6 @@ [IATS(ms)....: 133.8,140.4,3.2,141.6,1.3,0.1,137.2,0.3,0.1,2.7,82.2,0.2,95.7,0.4,359.1,405.4,633.6,688.6,100.8,373.1,50.8,202.6,7767.1,1.6,8001.1,353.8,410.1,314.8,108.3,0.2,84.0] [PKTLENS.....: 60,48,40,247,1500,1500,385,40,40,40,366,46,99,1500,190,46,1500,99,40,1500,46,669,40,1500,286,46,40,46,1500,46,46,40] [ENTROPIES...: 4.7,5.2,4.8,5.6,6.8,7.3,7.4,4.7,4.8,4.9,7.4,4.6,6.0,7.9,6.9,4.6,7.9,6.0,4.8,7.9,4.7,7.7,4.8,7.9,7.3,4.5,4.8,4.5,7.9,4.6,4.6,4.9] - detection-update: [...142] [ip4][..tcp] [..172.16.42.216][50799] -> [..54.239.28.178][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][pitangui.amazon.com] - RISK: Weak TLS Cipher detected: [...147] [ip4][..tcp] [..172.16.42.216][38757] -> [..54.239.28.178][..443] [TLS][AmazonAWS][Web][Safe][] RISK: Obsolete TLS (v1.1 or older) detection-update: [...147] [ip4][..tcp] [..172.16.42.216][38757] -> [..54.239.28.178][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][] @@ -825,7 +815,6 @@ [IATS(ms)....: 42.7,43.7,0.7,45.0,4.0,0.5,0.6,0.3,50.6,0.8,0.3,1.1,7.3,12.7,0.3,65.6,42.6,4.2,48.9,0.4,25.2,76.4,106.0,0.2,0.6,0.6,0.3,0.0,102.0,2.9,1.9] [PKTLENS.....: 60,60,52,254,52,1500,1500,1500,819,52,52,52,52,178,1500,767,64,178,1500,64,306,52,52,1500,1500,1500,683,594,129,52,149,52] [ENTROPIES...: 4.7,5.2,5.0,5.6,5.0,6.9,7.2,7.5,7.6,5.1,4.9,5.0,4.9,6.3,7.9,7.7,5.2,6.3,7.9,5.1,7.1,5.0,5.0,7.9,7.9,7.9,7.7,7.6,6.3,5.0,6.5,4.8] - detection-update: [...149] [ip4][..tcp] [..172.16.42.216][41828] -> [..52.85.209.143][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][www.amazon.com] new: [...152] [ip4][..udp] [..172.16.42.216][.4612] -> [....172.16.42.1][...53] detected: [...152] [ip4][..udp] [..172.16.42.216][.4612] -> [....172.16.42.1][...53] [DNS.Amazon][Unknown][Network][Acceptable][images-na.ssl-images-amazon.com] detection-update: [...152] [ip4][..udp] [..172.16.42.216][.4612] -> [....172.16.42.1][...53] [DNS.Amazon][Unknown][Network][Acceptable][images-na.ssl-images-amazon.com] @@ -901,7 +890,6 @@ [IATS(ms)....: 22.8,24.0,0.9,22.8,6.6,0.6,0.6,0.3,39.7,0.1,0.1,0.2,6.8,37.6,46.2,226.7,213.1,3.9,222.3,264.1,0.1,55.3,103.4,0.1,10.4,183.9,242.5,1.0,0.1,38.6,0.1] [PKTLENS.....: 60,60,52,271,52,1500,1500,1500,750,52,52,52,52,178,310,1337,310,64,1337,1337,930,86,86,52,52,64,1322,1500,1500,508,52,52] [ENTROPIES...: 4.7,5.3,5.1,5.7,5.1,7.1,7.3,7.5,7.6,5.1,5.0,5.1,5.0,6.4,7.2,7.9,7.2,5.0,7.9,7.9,7.8,5.8,5.8,5.1,5.1,5.1,7.8,7.9,7.9,7.5,5.1,5.1] - detection-update: [...155] [ip4][..tcp] [..172.16.42.216][41914] -> [...52.84.62.115][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][images-na.ssl-images-amazon.com] detection-update: [...158] [ip4][..udp] [..172.16.42.216][.2707] -> [....172.16.42.1][...53] [DNS.Amazon][Unknown][Network][Acceptable][fls-na.amazon.com] new: [...159] [ip4][..tcp] [..172.16.42.216][47605] -> [..72.21.206.121][..443] detected: [...159] [ip4][..tcp] [..172.16.42.216][47605] -> [..72.21.206.121][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][fls-na.amazon.com] @@ -916,7 +904,6 @@ [IATS(ms)....: 168.5,171.2,1.5,108.9,4.4,1.7,0.7,112.7,0.3,4.1,0.2,6.2,0.1,10.4,13.1,1.1,0.3,290.4,0.0,0.0,0.1,299.4,0.7,529.3,1065.9,2114.2,3665.4,7470.6,595.2,595.1,1817.1] [PKTLENS.....: 60,48,40,267,46,46,1500,1500,40,40,1500,655,40,40,166,1500,1424,360,46,46,91,46,40,1424,1424,1424,1424,40,46,1424,46,46] [ENTROPIES...: 4.6,5.1,4.8,5.7,4.6,4.5,7.1,7.3,4.8,4.8,7.4,7.6,4.9,4.8,6.3,7.9,7.9,7.3,4.4,4.3,5.9,4.4,4.7,7.9,7.9,7.9,7.9,4.8,4.3,7.9,4.5,4.5] - detection-update: [...145] [ip4][..tcp] [..172.16.42.216][44912] -> [...54.239.23.94][..443] [TLS.AmazonAWS][AmazonAWS][Cloud][Acceptable][mobileanalytics.us-east-1.amazonaws.com] detected: [...160] [ip4][..tcp] [..172.16.42.216][47606] -> [..72.21.206.121][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][fls-na.amazon.com] detection-update: [...159] [ip4][..tcp] [..172.16.42.216][47605] -> [..72.21.206.121][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][fls-na.amazon.com] detection-update: [...159] [ip4][..tcp] [..172.16.42.216][47605] -> [..72.21.206.121][..443] [TLS.Amazon][AmazonAWS][Web][Acceptable][fls-na.amazon.com] diff --git a/test/results/flow-info/default/anyconnect-vpn.pcap.out b/test/results/flow-info/default/anyconnect-vpn.pcap.out index db5087883..0aa87a3fc 100644 --- a/test/results/flow-info/default/anyconnect-vpn.pcap.out +++ b/test/results/flow-info/default/anyconnect-vpn.pcap.out @@ -53,8 +53,6 @@ [IATS(ms)....: 39.5,39.5,0.4,43.7,1.2,44.5,40.9,0.0,40.9,0.0,38.2,0.0,38.3,0.0,33.2,0.0,0.0,71.5,0.0,38.3,6.1,35.1,41.2,0.2,42.3,2.9,0.0,0.0,44.9,0.0,0.1] [PKTLENS.....: 64,56,52,219,52,1500,52,1500,1500,52,52,1500,1167,52,52,1500,1500,1319,52,52,663,52,127,52,1161,52,345,697,105,52,52,52] [ENTROPIES...: 4.3,5.1,4.8,5.5,4.8,7.3,4.8,7.1,7.2,4.9,4.8,7.4,5.9,4.8,4.8,6.8,7.2,7.5,4.7,4.8,7.6,4.7,6.2,4.8,7.8,4.9,7.3,7.7,5.8,4.9,4.8,4.8] - detection-update: [....15] [ip4][..tcp] [.....10.0.0.227][56919] -> [....8.37.102.91][..443] [TLS][Unknown][Web][Safe][] - RISK: Weak TLS Cipher, Missing SNI TLS Extn, ALPN/SNI Mismatch new: [....16] [ip4][..udp] [.....10.0.0.227][63107] -> [....75.75.76.76][...53] detected: [....16] [ip4][..udp] [.....10.0.0.227][63107] -> [....75.75.76.76][...53] [DNS][Unknown][Network][Acceptable][local] detection-update: [....16] [ip4][..udp] [.....10.0.0.227][63107] -> [....75.75.76.76][...53] [DNS][Unknown][Network][Acceptable][local] @@ -146,8 +144,6 @@ [IATS(ms)....: 42.4,42.4,2.0,46.9,1.2,46.1,40.3,0.0,40.3,0.0,37.2,0.0,37.2,0.0,97.2,138.0,40.9,1.2,43.3,9.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,51.2,0.0,0.0,0.0] [PKTLENS.....: 64,56,52,204,52,1500,52,1500,1500,52,52,1500,1167,52,52,406,127,52,1017,52,1500,209,1500,209,1500,209,1500,209,52,52,52,52] [ENTROPIES...: 4.2,5.0,4.7,5.5,4.7,7.3,4.7,7.1,7.2,4.8,4.8,7.4,5.9,4.8,4.8,7.4,6.2,4.8,7.8,4.9,7.9,6.9,7.9,6.9,7.9,6.7,7.8,6.8,4.8,4.8,4.8,4.8] - detection-update: [....38] [ip4][..tcp] [.....10.0.0.227][56929] -> [....8.37.102.91][..443] [TLS][Unknown][Web][Safe][] - RISK: Weak TLS Cipher, TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn new: [....39] [ip4][..tcp] [.....10.0.0.227][56865] -> [.....10.0.0.149][.8008] [MIDSTREAM] new: [....40] [ip4][..tcp] [.....10.0.0.227][56866] -> [.....10.0.0.151][.8060] [MIDSTREAM] new: [....41] [ip4][..udp] [.....10.0.0.227][57253] -> [....75.75.75.75][...53] diff --git a/test/results/flow-info/default/anydesk.pcapng.out b/test/results/flow-info/default/anydesk.pcapng.out index 26d6ef703..f83683ddf 100644 --- a/test/results/flow-info/default/anydesk.pcapng.out +++ b/test/results/flow-info/default/anydesk.pcapng.out @@ -21,10 +21,8 @@ [IATS(ms)....: 164.8,164.9,0.6,1.1,165.0,165.4,0.5,0.5,0.3,0.3,1.8,2.0,164.9,165.2,0.2,0.2,0.2,0.3,218.6,218.7,0.6,0.9,1215.5,1216.3,0.0,0.1,0.9,0.0,0.0,1602.9,0.1] [PKTLENS.....: 60,46,40,303,46,1340,40,1340,40,46,40,1134,46,91,40,80,40,186,46,186,40,111,46,119,1500,1500,1242,46,46,46,1500,1180] [ENTROPIES...: 4.8,4.9,4.8,5.4,4.4,7.5,4.8,7.8,4.8,4.6,4.7,7.6,4.4,5.8,4.8,5.8,4.8,6.7,4.4,6.8,4.8,6.3,4.4,6.4,7.9,7.9,7.8,4.4,4.4,4.4,7.9,7.8] - detection-update: [.....2] [ip4][..tcp] [192.168.149.129][43535] -> [..51.83.238.219][...80] [TLS.AnyDesk][AnyDesk][RemoteAccess][Acceptable][] - RISK: Known Proto on Non Std Port, TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn, Desktop/File Sharing DAEMON-EVENT: [Processed: 61 pkts][ZLib][compressions: 0|diff: 0 / 0] - DAEMON-EVENT: [Flows][active: 2 / 2|skipped: 0|!detected: 0|guessed: 0|detection-updates: 3|updates: 0] + DAEMON-EVENT: [Flows][active: 2 / 2|skipped: 0|!detected: 0|guessed: 0|detection-updates: 2|updates: 0] new: [.....3] [ip4][..udp] [..192.168.1.187][59511] -> [....192.168.1.1][...53] detected: [.....3] [ip4][..udp] [..192.168.1.187][59511] -> [....192.168.1.1][...53] [DNS.AnyDesk][Unknown][Network][Acceptable][relay-3185a847.net.anydesk.com] detection-update: [.....3] [ip4][..udp] [..192.168.1.187][59511] -> [....192.168.1.1][...53] [DNS.AnyDesk][Unknown][Network][Acceptable][relay-3185a847.net.anydesk.com] @@ -56,7 +54,7 @@ [PKTLENS.....: 52,52,40,285,46,46,1500,183,40,1326,46,954,80,40,87,46,75,74,46,74,40,3966,46,46,46,79,46,141,40,99,46,116] [ENTROPIES...: 4.5,4.7,4.7,5.4,4.2,4.3,7.7,6.2,4.7,7.7,4.3,7.8,5.6,4.6,5.7,4.2,5.5,5.6,4.3,5.6,4.7,8.0,4.2,4.3,4.2,5.7,4.3,6.5,4.6,6.0,4.3,6.2] DAEMON-EVENT: [Processed: 120 pkts][ZLib][compressions: 0|diff: 0 / 0] - DAEMON-EVENT: [Flows][active: 4 / 6|skipped: 0|!detected: 0|guessed: 0|detection-updates: 7|updates: 0] + DAEMON-EVENT: [Flows][active: 4 / 6|skipped: 0|!detected: 0|guessed: 0|detection-updates: 6|updates: 0] new: [.....7] [ip4][..tcp] [..192.168.1.128][48260] -> [195.181.174.176][..443] detected: [.....7] [ip4][..tcp] [..192.168.1.128][48260] -> [195.181.174.176][..443] [TLS.AnyDesk][Unknown][RemoteAccess][Acceptable][] RISK: Missing SNI TLS Extn, Desktop/File Sharing, Uncommon TLS ALPN diff --git a/test/results/flow-info/default/bets.pcapng.out b/test/results/flow-info/default/bets.pcapng.out index 6a07916db..e07e77127 100644 --- a/test/results/flow-info/default/bets.pcapng.out +++ b/test/results/flow-info/default/bets.pcapng.out @@ -14,6 +14,5 @@ [IATS(ms)....: 45.1,45.1,0.7,45.8,1.5,46.5,0.2,0.2,0.4,0.4,0.5,0.0,0.5,2.5,0.0,0.1,0.1,44.5,1.0,0.9,0.0,0.1,43.8,0.2,0.2,0.1,3.0,3.0,1.7,39.8,5.7] [PKTLENS.....: 64,60,52,380,52,1420,52,1420,52,1420,52,1420,93,52,58,110,138,116,52,52,52,52,198,52,123,52,83,1241,52,52,52,52] [ENTROPIES...: 4.4,5.3,5.1,6.2,5.1,7.8,5.0,7.8,5.2,7.9,5.1,7.8,6.0,5.1,4.9,6.1,6.5,6.1,5.2,5.2,5.2,5.2,6.8,5.1,6.2,5.2,5.6,7.8,5.1,5.0,5.2,5.2] - detection-update: [.....1] [ip4][..tcp] [...192.168.10.2][60099] -> [..13.224.103.22][..443] [TLS][AmazonAWS][Web][Safe][www.1084bets10.com] end: [.....1] [ip4][..tcp] [...192.168.10.2][60099] -> [..13.224.103.22][..443] [TLS][AmazonAWS][Web][Safe] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/emotet.pcap.out b/test/results/flow-info/default/emotet.pcap.out index 43d8d91f1..fc37e719e 100644 --- a/test/results/flow-info/default/emotet.pcap.out +++ b/test/results/flow-info/default/emotet.pcap.out @@ -79,8 +79,6 @@ [IATS(ms)....: 109.4,109.6,14.1,123.8,13.2,122.9,52.7,132.9,80.3,6.5,151.9,1117.1,0.1,0.2,1262.5,0.1,2.9,0.1,3.1,96.9,0.1,96.9,3.1,0.1,0.2,0.1,3.3,0.0,0.1,2.9,0.1] [PKTLENS.....: 52,52,46,189,46,1418,46,133,282,46,520,46,1428,1428,1428,46,46,1428,1428,52,1428,1428,60,1428,1428,1428,1428,60,60,60,1428,1428] [ENTROPIES...: 4.7,4.9,4.5,5.4,4.6,7.5,4.6,5.9,7.1,4.5,7.5,4.5,7.9,7.9,7.9,4.5,4.5,7.9,7.9,5.0,7.9,7.9,5.1,7.9,7.9,7.9,7.9,5.1,5.1,5.1,7.8,7.9] - detection-update: [.....5] [ip4][..tcp] [....10.4.25.101][49803] -> [138.197.147.101][..443] [TLS][Unknown][Web][Safe][] - RISK: Self-signed Cert, TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn new: [.....6] [ip4][..tcp] [....10.4.25.101][49804] -> [138.197.147.101][..443] detected: [.....6] [ip4][..tcp] [....10.4.25.101][49804] -> [138.197.147.101][..443] [TLS][Unknown][Web][Safe][] RISK: TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn diff --git a/test/results/flow-info/default/ftp-start-tls.pcap.out b/test/results/flow-info/default/ftp-start-tls.pcap.out index 50f461b1e..7057706ae 100644 --- a/test/results/flow-info/default/ftp-start-tls.pcap.out +++ b/test/results/flow-info/default/ftp-start-tls.pcap.out @@ -20,8 +20,6 @@ [IATS(ms)....: 0.4,0.1,1.3,15.0,0.1,17.8,3.9,0.1,0.8,0.0,4.3,3.3,0.1,1.0,0.0,0.0,0.0,0.1,0.0,2.6,8.5,40.4,0.1,34.7,4.5,0.7,2.2,1.8,0.3,2.7,2.2] [PKTLENS.....: 46,46,46,46,113,113,50,46,46,71,71,190,46,46,552,552,255,552,552,255,46,370,91,91,77,122,122,77,122,122,85,130] [ENTROPIES...: 4.2,4.8,4.8,4.4,5.4,5.4,5.0,4.3,4.3,5.3,5.3,5.2,4.4,4.4,6.8,7.2,7.0,6.8,7.2,7.0,4.5,7.2,5.9,5.9,5.7,6.2,6.2,5.8,6.3,6.3,6.0,6.3] - detection-update: [.....1] [ip4][..tcp] [...10.238.26.36][62092] -> [...10.220.50.76][...21] [FTPS][Unknown][Download][Unsafe] - RISK: Weak TLS Cipher, TLS (probably) Not Carrying HTTPS, Unsafe Protocol, Missing SNI TLS Extn idle: [.....1] [ip4][..tcp] [...10.238.26.36][62092] -> [...10.220.50.76][...21] [FTPS][Unknown][Download][Unsafe] RISK: Weak TLS Cipher, TLS (probably) Not Carrying HTTPS, Unsafe Protocol, Missing SNI TLS Extn DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/geforcenow.pcapng.out b/test/results/flow-info/default/geforcenow.pcapng.out index 4b878fa29..5ade85c21 100644 --- a/test/results/flow-info/default/geforcenow.pcapng.out +++ b/test/results/flow-info/default/geforcenow.pcapng.out @@ -18,8 +18,6 @@ [IATS(ms)....: 41.2,41.2,0.2,42.7,42.5,0.1,0.0,5.9,47.3,42.0,42.4,0.0,42.0,0.2,4.2,2.5,15.9,0.0,0.0,0.0,9.3,25.2,0.0,25.2,4.2,4.3,11.8,11.7,0.0,0.0,0.0] [PKTLENS.....: 60,60,52,569,2948,52,575,52,145,326,721,324,235,52,217,96,96,2948,2948,2948,1500,52,2948,2948,52,2948,52,2948,52,2948,52,2948] [ENTROPIES...: 4.8,5.3,5.2,4.8,7.3,5.2,7.6,5.2,6.1,7.2,7.7,7.3,7.0,5.2,6.9,5.8,5.7,7.9,7.9,7.9,7.9,5.2,7.9,7.9,5.2,7.9,5.2,7.9,5.3,7.9,5.2,7.9] - detection-update: [.....1] [ip4][..tcp] [..192.168.1.245][57490] -> [..80.84.167.206][49100] [TLS.GeForceNow][Nvidia][Game][Fun][80-84-167-206.cloudmatchbeta.nvidiagrid.net] - RISK: Known Proto on Non Std Port new: [.....2] [ip4][..udp] [..192.168.1.245][52441] -> [..80.84.167.206][18452] detected: [.....2] [ip4][..udp] [..192.168.1.245][52441] -> [..80.84.167.206][18452] [STUN][Nvidia][Network][Acceptable][] RISK: Known Proto on Non Std Port diff --git a/test/results/flow-info/default/imap-starttls.pcap.out b/test/results/flow-info/default/imap-starttls.pcap.out index 4ab4f6cfd..bd2068a73 100644 --- a/test/results/flow-info/default/imap-starttls.pcap.out +++ b/test/results/flow-info/default/imap-starttls.pcap.out @@ -20,8 +20,6 @@ [IATS(ms)....: 189.8,189.9,188.3,188.3,0.1,192.5,0.3,192.6,0.2,186.5,0.0,186.4,0.4,197.4,0.2,197.1,2.0,0.2,2.2,0.1,3.7,191.6,187.9,1487.0,1677.8,0.2,190.8,0.0,0.3,0.0,189.4] [PKTLENS.....: 64,52,40,311,40,54,46,267,40,52,72,46,40,358,1500,1500,40,1500,622,40,40,166,91,40,79,119,71,40,40,71,40,46] [ENTROPIES...: 4.6,4.7,4.5,5.4,4.7,5.1,4.5,5.2,4.7,5.0,5.3,4.5,4.8,5.4,6.9,7.2,4.7,7.1,7.7,4.4,4.7,6.5,5.5,4.7,5.7,6.1,5.1,4.7,4.7,5.5,4.5,3.9] - detection-update: [.....1] [ip4][..tcp] [..192.168.17.53][49640] -> [.212.227.17.186][..143] [IMAPS][Unknown][Email][Safe] - RISK: Known Proto on Non Std Port, TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn end: [.....1] [ip4][..tcp] [..192.168.17.53][49640] -> [.212.227.17.186][..143] [IMAPS][Unknown][Email][Safe] RISK: Known Proto on Non Std Port, TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/instagram.pcap.out b/test/results/flow-info/default/instagram.pcap.out index b2f0a707c..d22e00bdf 100644 --- a/test/results/flow-info/default/instagram.pcap.out +++ b/test/results/flow-info/default/instagram.pcap.out @@ -18,7 +18,6 @@ [IATS(ms)....: 88.9,75.9,165.0,1522.7,1572.5,340.3,390.0,2.2,2.1,0.1,0.1,0.1,0.1,0.1,0.1,0.1,0.1,0.1,0.1,0.1,0.1,0.1,0.1,0.1,0.1,29.9,30.0,0.7,0.7,0.7,0.7] [PKTLENS.....: 1417,52,665,52,1049,52,1450,52,195,52,1450,52,1283,52,1450,52,1450,52,1450,52,1450,52,1450,52,1450,52,1450,52,1450,52,1450,52] [ENTROPIES...: 7.9,5.1,7.7,5.0,7.8,5.0,7.9,5.1,6.7,5.1,7.9,5.1,7.8,5.1,7.9,5.0,7.8,5.1,7.9,5.1,7.8,5.1,7.9,5.1,7.9,5.1,7.9,5.1,7.9,5.1,7.9,5.1] - detection-update: [.....2] [ip4][..tcp] [..192.168.0.103][33936] -> [....31.13.93.52][..443] [TLS][Facebook][Web][Safe] new: [.....3] [ip4][..tcp] [..192.168.0.103][38816] -> [...46.33.70.160][...80] [MIDSTREAM] detected: [.....3] [ip4][..tcp] [..192.168.0.103][38816] -> [...46.33.70.160][...80] [HTTP.Instagram][Unknown][SocialNetwork][Fun][photos-h.ak.instagram.com] new: [.....4] [ip4][..tcp] [..192.168.0.103][57936] -> [...82.85.26.162][...80] [MIDSTREAM] @@ -169,7 +168,7 @@ update: [....10] [ip4][..udp] [..192.168.0.106][17500] -> [..192.168.0.255][17500] [Dropbox][Unknown][Cloud][Acceptable] update: [....11] [ip4][..udp] [....192.168.0.1][..520] -> [..192.168.0.255][..520] DAEMON-EVENT: [Processed: 633 pkts][ZLib][compressions: 0|diff: 0 / 0] - DAEMON-EVENT: [Flows][active: 32 / 32|skipped: 0|!detected: 0|guessed: 0|detection-updates: 13|updates: 4] + DAEMON-EVENT: [Flows][active: 32 / 32|skipped: 0|!detected: 0|guessed: 0|detection-updates: 12|updates: 4] new: [....33] [ip4][..tcp] [...192.168.2.17][49355] -> [....31.13.86.52][..443] detected: [....33] [ip4][..tcp] [...192.168.2.17][49355] -> [....31.13.86.52][..443] [TLS.Instagram][Facebook][SocialNetwork][Fun][scontent-mxp1-1.cdninstagram.com] detection-update: [....33] [ip4][..tcp] [...192.168.2.17][49355] -> [....31.13.86.52][..443] [TLS.Instagram][Facebook][SocialNetwork][Fun][scontent-mxp1-1.cdninstagram.com] diff --git a/test/results/flow-info/default/iphone.pcap.out b/test/results/flow-info/default/iphone.pcap.out index db40cc79d..aed7c6528 100644 --- a/test/results/flow-info/default/iphone.pcap.out +++ b/test/results/flow-info/default/iphone.pcap.out @@ -176,7 +176,6 @@ [IATS(ms)....: 146.0,171.0,0.4,171.3,2.7,0.1,11.1,1.3,11.2,179.7,0.0,0.1,0.1,15.6,168.2,146.4,161.4,0.7,308.7,51.5,198.2,655.7,0.2,0.2,0.3,803.5,1.3,180.3,0.3,0.3,0.2] [PKTLENS.....: 64,60,52,569,52,1492,1492,1492,1492,1474,52,52,52,52,145,103,52,1169,344,52,996,52,1164,1492,1492,1492,52,52,1492,1492,1492,1492] [ENTROPIES...: 4.4,5.0,4.9,4.7,5.0,6.2,4.6,7.1,7.5,7.5,4.9,4.9,4.9,4.8,6.0,5.6,5.0,7.8,7.2,5.1,7.8,4.9,7.8,7.9,7.9,7.9,5.0,5.0,7.9,7.9,7.9,7.8] - detection-update: [....38] [ip4][..tcp] [...192.168.2.17][50581] -> [..17.248.185.87][..443] [TLS.AppleiCloud][Apple][Web][Acceptable][p26-keyvalueservice.icloud.com] new: [....50] [ip4][..udp] [...192.168.2.17][63677] -> [....192.168.2.1][...53] detected: [....50] [ip4][..udp] [...192.168.2.17][63677] -> [....192.168.2.1][...53] [DNS.AppleiTunes][Unknown][Network][Fun][sync.itunes.apple.com] detection-update: [....50] [ip4][..udp] [...192.168.2.17][63677] -> [....192.168.2.1][...53] [DNS.AppleiTunes][Unknown][Network][Fun][sync.itunes.apple.com] diff --git a/test/results/flow-info/default/long_tls_certificate.pcap.out b/test/results/flow-info/default/long_tls_certificate.pcap.out index 15c9d3771..5f66361d8 100644 --- a/test/results/flow-info/default/long_tls_certificate.pcap.out +++ b/test/results/flow-info/default/long_tls_certificate.pcap.out @@ -15,6 +15,5 @@ [IATS(ms)....: 370.8,370.9,9.4,360.9,2.8,0.1,0.1,354.4,0.1,0.1,0.1,0.1,8.1,8.1,5.8,200.3,194.6,174.3,0.0,174.3,0.0,2.3,0.1,0.1,0.1,0.1,94.1,91.5,274.6,0.0,0.0] [PKTLENS.....: 64,64,40,557,46,1492,1492,1492,40,1492,40,1090,40,1090,52,166,1492,52,91,109,40,40,93,96,82,114,78,109,52,52,52,52] [ENTROPIES...: 4.4,4.3,4.7,4.4,4.6,6.2,4.7,4.7,4.6,6.8,4.7,7.5,4.6,7.5,4.7,6.3,6.2,4.9,5.9,6.2,4.7,4.7,5.7,5.7,5.2,6.0,5.3,6.1,4.8,5.1,5.0,5.1] - detection-update: [.....1] [ip4][..tcp] [...192.168.1.60][55333] -> [.106.15.100.123][..443] [TLS.Alibaba][Alibaba][Web][Acceptable][beacon-api.aliyuncs.com] end: [.....1] [ip4][..tcp] [...192.168.1.60][55333] -> [.106.15.100.123][..443] [TLS.Alibaba][Alibaba][Web][Acceptable] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/nest_log_sink.pcap.out b/test/results/flow-info/default/nest_log_sink.pcap.out index ea3b570c7..92c99f38d 100644 --- a/test/results/flow-info/default/nest_log_sink.pcap.out +++ b/test/results/flow-info/default/nest_log_sink.pcap.out @@ -15,7 +15,6 @@ [PKTLENS.....: 46,40,46,40,40,46,46,40,46,40,40,46,46,40,46,40,40,46,46,40,46,40,40,46,46,40,46,40,40,46,46,40] [ENTROPIES...: 4.5,4.9,4.5,4.9,4.9,4.5,4.5,4.9,4.5,4.9,4.9,4.5,4.5,4.9,4.5,4.9,4.9,4.5,4.5,4.9,4.4,4.9,4.9,4.4,4.5,4.9,4.5,4.9,4.9,4.5,4.5,4.9] guessed: [.....1] [ip4][..tcp] [.192.168.242.15][63340] -> [..35.174.82.237][11095] [NestLogSink][AmazonAWS][Cloud][Acceptable] - detected: [.....1] [ip4][..tcp] [.192.168.242.15][63340] -> [..35.174.82.237][11095] [NestLogSink][AmazonAWS][Cloud][Acceptable] DAEMON-EVENT: [Processed: 60 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 1 / 1|skipped: 0|!detected: 0|guessed: 1|detection-updates: 0|updates: 0] new: [.....2] [ip4][..udp] [.192.168.242.15][52849] -> [..192.168.242.1][...53] diff --git a/test/results/flow-info/default/netflix.pcap.out b/test/results/flow-info/default/netflix.pcap.out index abeadd9ed..02d78dc9a 100644 --- a/test/results/flow-info/default/netflix.pcap.out +++ b/test/results/flow-info/default/netflix.pcap.out @@ -88,8 +88,6 @@ [IATS(ms)....: 50.8,52.1,3.9,68.9,0.5,14.7,80.5,16.9,16.6,16.1,0.4,0.2,66.7,0.8,50.7,3.2,0.3,61.4,291.2,0.1,350.1,11.8,12.8,24.1,12.5,12.3,13.9,13.7,2.7,13.3,16.3] [PKTLENS.....: 64,60,52,260,52,1500,1500,52,245,52,127,58,97,52,103,52,1500,672,52,1500,1500,52,1500,1402,52,1500,52,237,52,1500,1019,52] [ENTROPIES...: 4.6,5.2,5.1,6.0,5.2,7.3,7.3,5.1,7.0,5.1,6.3,5.0,6.0,5.2,5.9,5.1,7.9,7.7,5.2,7.9,7.9,5.1,7.9,7.9,5.1,7.9,5.0,7.1,5.1,7.9,7.8,5.1] - detection-update: [....15] [ip4][..tcp] [....192.168.1.7][53133] -> [...52.89.39.139][..443] [TLS.NetFlix][AmazonAWS][Video][Fun][api-global.netflix.com] - RISK: TLS (probably) Not Carrying HTTPS new: [....17] [ip4][..udp] [....192.168.1.7][57719] -> [....192.168.1.1][...53] detected: [....17] [ip4][..udp] [....192.168.1.7][57719] -> [....192.168.1.1][...53] [DNS.NetFlix][Unknown][Network][Fun][sha2.san.akam.nflximg.net] detection-update: [....17] [ip4][..udp] [....192.168.1.7][57719] -> [....192.168.1.1][...53] [DNS.NetFlix][Unknown][Network][Fun][sha2.san.akam.nflximg.net] @@ -107,8 +105,6 @@ [IATS(ms)....: 49.5,50.9,4.4,54.3,2.4,1.0,53.5,43.0,42.8,12.7,0.3,0.2,57.4,5.1,49.3,4.2,0.4,50.0,75.8,32.1,2.0,0.9,5.1,4.7,0.1,7402.2,0.1,7507.8,0.9,35.7,1.0] [PKTLENS.....: 64,60,52,260,52,1500,1500,52,245,52,127,58,97,52,103,52,1500,661,52,52,184,96,86,52,52,52,1500,789,52,52,1500,474] [ENTROPIES...: 4.6,5.3,5.1,6.0,5.2,7.3,7.3,5.1,7.1,5.1,6.4,5.1,6.0,5.2,6.0,5.2,7.9,7.7,5.2,5.2,6.8,6.1,5.9,5.2,5.2,5.2,7.9,7.7,5.2,5.2,7.9,7.5] - detection-update: [....14] [ip4][..tcp] [....192.168.1.7][53132] -> [...52.89.39.139][..443] [TLS.NetFlix][AmazonAWS][Video][Fun][api-global.netflix.com] - RISK: TLS (probably) Not Carrying HTTPS new: [....19] [ip4][..udp] [....192.168.1.7][59180] -> [....192.168.1.1][...53] detected: [....19] [ip4][..udp] [....192.168.1.7][59180] -> [....192.168.1.1][...53] [DNS.NetFlix][Unknown][Network][Fun][artwork.akam.nflximg.net] detection-update: [....19] [ip4][..udp] [....192.168.1.7][59180] -> [....192.168.1.1][...53] [DNS.NetFlix][Unknown][Network][Fun][artwork.akam.nflximg.net] @@ -372,7 +368,6 @@ [IATS(ms)....: 47.0,48.4,1.7,53.1,2.6,1.0,62.3,11.1,6.0,10.8,0.3,0.3,60.3,3.4,50.1,4.4,0.9,0.6,55.9,50.5,0.3,42.7,4.0,5.1,5.2,0.1,57.7,0.3,30033.4,30086.0,0.8] [PKTLENS.....: 64,60,52,281,52,1500,1500,52,215,52,127,58,97,52,103,52,1402,1500,1500,52,1500,337,52,52,52,993,112,52,52,52,83,52] [ENTROPIES...: 4.5,5.3,5.1,5.8,5.1,7.3,7.3,5.1,6.9,5.1,6.1,5.0,6.0,5.2,6.0,5.2,7.9,7.9,7.9,5.2,7.8,7.4,5.1,5.1,5.1,7.8,6.3,5.2,5.1,5.1,5.8,5.1] - detection-update: [.....9] [ip4][..tcp] [....192.168.1.7][53118] -> [..54.69.204.241][..443] [TLS.NetFlix][AmazonAWS][Video][Fun][ichnaea.netflix.com] new: [....44] [ip4][..tcp] [....192.168.1.7][53183] -> [...23.246.3.140][...80] new: [....45] [ip4][..tcp] [....192.168.1.7][53184] -> [..23.246.11.141][...80] detected: [....45] [ip4][..tcp] [....192.168.1.7][53184] -> [..23.246.11.141][...80] [HTTP][NetFlix][Web][Acceptable][23.246.11.141] @@ -399,7 +394,6 @@ [IATS(ms)....: 44.9,46.3,7.4,58.2,1.8,1.0,55.8,12.1,9.9,9.3,0.3,0.2,60.5,0.1,50.8,11.5,0.5,0.2,72.1,60.9,0.3,50.8,0.4,15.7,16.9,0.1,0.1,82.9,0.3,0.1,30431.5] [PKTLENS.....: 64,60,52,281,52,1500,1500,52,215,52,127,58,97,52,103,52,1402,1500,1500,52,1500,322,52,52,52,993,107,86,52,52,52,52] [ENTROPIES...: 4.6,5.3,5.1,5.8,5.2,7.2,7.3,5.1,7.0,5.2,6.3,5.1,5.9,5.3,6.1,5.2,7.9,7.9,7.9,5.2,7.9,7.3,5.2,5.3,5.3,7.8,6.2,5.9,5.2,5.2,5.2,5.0] - detection-update: [....11] [ip4][..tcp] [....192.168.1.7][53119] -> [..54.69.204.241][..443] [TLS.NetFlix][AmazonAWS][Video][Fun][ichnaea.netflix.com] detected: [....46] [ip4][..tcp] [....192.168.1.7][53193] -> [...54.191.17.51][..443] [TLS.NetFlix][AmazonAWS][Video][Fun][ios.nccp.netflix.com] RISK: TLS (probably) Not Carrying HTTPS detected: [....47] [ip4][..tcp] [....192.168.1.7][53202] -> [...54.191.17.51][..443] [TLS.NetFlix][AmazonAWS][Video][Fun][ios.nccp.netflix.com] @@ -425,8 +419,6 @@ [IATS(ms)....: 50.8,52.1,6.3,61.1,40.7,74.7,170.4,11.8,79.4,67.6,2.0,57.4,55.8,1.7,0.8,0.2,0.2,82.5,79.7,0.2,94.6,127.5,60.6,282.5,10.6,27.6,38.0,39.9,42.9,7.7,0.7] [PKTLENS.....: 64,60,52,569,52,1500,1132,52,178,103,52,1043,106,52,1500,1500,1500,1500,52,1500,387,52,52,1243,52,1500,1486,52,101,52,83,52] [ENTROPIES...: 4.6,5.4,5.2,4.4,5.2,7.2,7.7,5.2,6.5,6.0,5.1,7.8,6.2,5.2,7.9,7.9,7.9,7.9,5.1,7.9,7.4,5.2,5.2,7.8,5.2,7.9,7.9,5.2,6.2,5.2,5.8,5.1] - detection-update: [....47] [ip4][..tcp] [....192.168.1.7][53202] -> [...54.191.17.51][..443] [TLS.NetFlix][AmazonAWS][Video][Fun][ios.nccp.netflix.com] - RISK: TLS (probably) Not Carrying HTTPS analyse: [....49] [ip4][..tcp] [....192.168.1.7][53203] -> [...52.37.36.252][..443] [TLS.NetFlix][AmazonAWS][Video][Fun] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.333| 0.059| 0.083| 6944.879| 3.800] @@ -437,7 +429,6 @@ [IATS(ms)....: 69.5,71.0,2.6,55.6,49.1,64.4,167.9,331.9,332.6,26.5,0.7,0.7,87.7,0.5,60.7,8.8,7.1,0.4,81.1,62.8,0.8,0.2,0.1,68.1,67.1,0.8,0.2,0.1,111.2,109.6,2.5] [PKTLENS.....: 64,60,52,281,52,1500,1500,52,215,52,127,58,97,52,103,52,1403,1500,1500,52,1500,1500,1500,1500,52,1500,1500,1500,1500,52,1500,1500] [ENTROPIES...: 4.6,5.3,5.2,5.8,5.1,7.2,7.3,5.2,6.9,5.2,6.2,5.1,6.1,5.2,6.0,5.2,7.9,7.9,7.9,5.2,7.9,7.8,7.9,7.9,5.2,7.9,7.9,7.9,7.9,5.2,7.9,7.9] - detection-update: [....49] [ip4][..tcp] [....192.168.1.7][53203] -> [...52.37.36.252][..443] [TLS.NetFlix][AmazonAWS][Video][Fun][ichnaea.netflix.com] analyse: [....44] [ip4][..tcp] [....192.168.1.7][53183] -> [...23.246.3.140][...80] [HTTP][NetFlix][Download][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: 0.005| 0.731| 0.102| 0.156| 24231.225| 4.000] @@ -530,7 +521,6 @@ [IATS(ms)....: 58.3,61.2,1.8,70.6,2.9,1.0,71.3,11.6,12.3,13.1,0.1,0.1,65.7,0.8,52.3,3.6,0.2,91.6,51.8,0.3,140.2,3.7,3.4,3.9,5.5,6.4,5.0,437.2,0.9,500.9,291.9] [PKTLENS.....: 64,60,52,569,52,1500,1500,52,245,52,127,58,97,52,103,52,1500,789,52,1500,476,52,448,52,751,52,86,52,1500,672,52,1500] [ENTROPIES...: 4.6,5.3,5.2,4.1,5.0,7.3,7.3,5.2,7.0,5.2,6.3,5.1,6.0,5.1,6.0,5.2,7.9,7.8,5.2,7.9,7.5,5.2,7.6,5.1,7.7,5.2,6.0,5.2,7.9,7.7,5.0,7.9] - detection-update: [....55] [ip4][..tcp] [....192.168.1.7][53239] -> [.....52.41.30.5][..443] [TLS.NetFlix][AmazonAWS][Video][Fun][api-global.netflix.com] analyse: [....61] [ip4][..tcp] [....192.168.1.7][53252] -> [..184.25.204.10][...80] [HTTP.NetFlix][Unknown][Video][Fun] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.100| 0.036| 0.022| 464.586| 4.700] diff --git a/test/results/flow-info/default/pinterest.pcap.out b/test/results/flow-info/default/pinterest.pcap.out index 2046e48c2..83e2461a6 100644 --- a/test/results/flow-info/default/pinterest.pcap.out +++ b/test/results/flow-info/default/pinterest.pcap.out @@ -17,7 +17,6 @@ [IATS(ms)....: 17.6,17.7,0.5,40.0,1.7,0.0,0.0,41.2,0.0,0.0,0.2,0.0,0.0,0.2,0.0,0.0,7.0,0.3,0.4,41.6,0.0,0.0,33.9,0.5,0.0,0.5,0.2,42.0,172.4,0.0,0.0] [PKTLENS.....: 80,80,72,589,72,1120,1120,1120,72,72,72,1120,1120,154,72,72,72,165,171,437,72,72,330,72,138,72,72,110,72,1120,1120,549] [ENTROPIES...: 4.8,5.2,5.2,4.5,5.0,6.8,4.5,6.6,5.2,5.2,5.3,7.1,7.6,6.3,5.2,5.2,5.1,6.1,6.4,7.4,5.1,5.0,7.1,5.3,6.2,5.1,5.2,5.6,5.1,7.8,7.8,7.6] - detection-update: [.....3] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][33262] -> [.....................64:ff9b::9765:7854][..443] [TLS.Pinterest][Unknown][SocialNetwork][Fun][www.pinterest.fr] new: [.....4] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][38512] -> [.......................2a04:4e42:1d::84][..443] new: [.....5] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][38514] -> [.......................2a04:4e42:1d::84][..443] new: [.....6] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][38516] -> [.......................2a04:4e42:1d::84][..443] @@ -99,7 +98,6 @@ [IATS(ms)....: 39.8,39.9,0.4,39.9,1.9,0.0,41.3,0.0,0.1,0.0,0.0,0.0,0.6,0.0,0.6,0.0,2.9,2.6,0.6,39.8,0.1,1.1,1.9,0.0,36.8,0.0,0.2,49.7,40.1,0.0,89.6] [PKTLENS.....: 80,80,72,589,72,1120,1120,72,72,1120,1120,72,72,1120,154,72,72,165,171,368,72,72,72,330,138,72,72,110,72,516,246,72] [ENTROPIES...: 4.8,5.1,5.1,4.6,5.0,6.8,4.4,5.2,5.1,6.6,7.1,5.2,5.2,7.6,6.2,5.2,5.2,6.1,6.3,7.3,5.0,5.0,5.0,7.0,6.2,5.2,5.2,5.6,5.0,7.5,6.9,5.2] - detection-update: [....15] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][33280] -> [.....................64:ff9b::9765:7854][..443] [TLS.Pinterest][Unknown][SocialNetwork][Fun][accounts.pinterest.com] analyse: [....16] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][57050] -> [......................2a04:4e42:1d::720][..443] [TLS][Unknown][Media][Safe] min| max| avg| stddev| variance| entropy [IAT.........: 0.000| 0.050| 0.008| 0.015| 236.626| 2.900] @@ -110,7 +108,6 @@ [IATS(ms)....: 50.3,50.3,0.2,31.7,3.1,0.0,34.6,0.0,0.7,0.7,1.2,0.0,1.2,0.0,2.6,0.1,0.2,32.3,0.0,0.0,0.0,0.0,29.5,0.0,0.5,0.0,0.0,0.5,0.0,0.0,0.6] [PKTLENS.....: 80,80,72,589,72,1460,1460,72,72,1460,72,1460,1205,72,72,165,171,440,72,72,72,330,138,72,72,1460,1460,1460,72,72,72,1460] [ENTROPIES...: 4.7,5.1,5.1,4.5,5.0,6.7,4.9,5.1,5.1,7.4,5.1,7.3,7.6,5.1,5.2,5.9,6.3,7.4,5.0,5.0,5.0,7.1,6.2,5.2,5.1,7.9,7.9,7.9,5.1,5.1,5.1,7.8] - detection-update: [....16] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][57050] -> [......................2a04:4e42:1d::720][..443] [TLS][Unknown][Media][Safe][images.unsplash.com] new: [....17] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51582] -> [...............2a00:1450:4007:816::2003][..443] detected: [....17] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51582] -> [...............2a00:1450:4007:816::2003][..443] [TLS.Google][Google][Web][Acceptable][www.gstatic.com] new: [....18] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][54416] -> [...............2a00:1450:4007:806::200e][..443] @@ -212,7 +209,6 @@ [IATS(ms)....: 46.5,46.6,0.4,49.8,3.6,0.0,52.9,0.0,1.3,0.0,1.3,0.0,2.4,0.3,0.5,109.0,0.0,0.0,0.0,0.0,0.0,105.9,0.0,0.0,6.5,35.8,111.1,136.0,0.0,0.0,0.0] [PKTLENS.....: 80,80,72,589,72,1460,1460,72,72,1460,1230,72,72,165,171,338,72,72,330,138,72,570,72,72,72,110,72,210,72,1460,1460,1460] [ENTROPIES...: 4.7,5.1,5.1,4.5,5.0,6.4,5.2,5.2,5.2,7.3,7.6,5.2,5.1,6.1,6.3,7.2,5.0,5.0,7.1,6.1,4.9,7.5,5.2,5.1,5.2,5.6,5.0,6.7,5.0,7.9,7.8,7.8] - detection-update: [....35] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][38546] -> [.......................2a04:4e42:1d::84][..443] [TLS.Pinterest][Unknown][SocialNetwork][Fun][assets.pinterest.com] new: [....37] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][40114] -> [.....................64:ff9b::9765:7a6e][..443] detected: [....37] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][40114] -> [.....................64:ff9b::9765:7a6e][..443] [TLS.ADS_Analytic_Track][Unknown][Advertisement][Tracker/Ads][js-agent.newrelic.com] detection-update: [....37] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][40114] -> [.....................64:ff9b::9765:7a6e][..443] [TLS.ADS_Analytic_Track][Unknown][Advertisement][Tracker/Ads][js-agent.newrelic.com] @@ -227,7 +223,6 @@ [IATS(ms)....: 21.0,21.0,0.5,37.1,8.9,0.0,45.5,0.0,2.0,0.0,0.0,0.0,2.0,0.0,0.0,0.0,0.1,0.0,7.8,0.5,0.4,31.0,0.0,0.4,0.0,22.8,0.0,0.4,8.3,2.6,0.0] [PKTLENS.....: 80,80,72,589,72,1120,1120,72,72,1120,1120,1120,1120,72,72,72,72,113,72,165,171,342,72,72,330,138,72,72,110,72,1120,1120] [ENTROPIES...: 4.8,5.1,5.2,4.5,5.1,6.9,5.1,5.2,5.2,6.7,7.2,7.3,7.6,5.2,5.1,5.2,5.2,5.6,5.2,6.0,6.4,7.1,5.1,5.1,7.0,6.2,5.2,5.2,5.7,5.0,7.8,7.8] - detection-update: [....37] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][40114] -> [.....................64:ff9b::9765:7a6e][..443] [TLS.ADS_Analytic_Track][Unknown][Advertisement][Tracker/Ads][js-agent.newrelic.com] guessed: [.....2] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][40876] -> [...............2a00:1450:4007:807::200a][..443] [TLS][Google][Web][Safe] idle: [.....2] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][40876] -> [...............2a00:1450:4007:807::200a][..443] idle: [....13] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][47032] -> [......................2600:1901::7a0b::][..443] [TLS][GoogleCloud][Web][Safe] diff --git a/test/results/flow-info/default/pop3_stls.pcap.out b/test/results/flow-info/default/pop3_stls.pcap.out index 4299af780..f1998b6f9 100644 --- a/test/results/flow-info/default/pop3_stls.pcap.out +++ b/test/results/flow-info/default/pop3_stls.pcap.out @@ -20,8 +20,6 @@ [IATS(ms)....: 68.2,69.0,68.7,120.6,119.8,1003.1,1075.3,72.5,0.5,70.8,70.3,69.5,71.0,0.2,69.9,69.1,0.3,69.2,7.0,114.4,36.0,229.4,154.0,2002.9,2072.1,69.1,0.7,117.2,116.7,68.9,75.8] [PKTLENS.....: 52,52,40,51,46,46,68,46,46,189,46,77,208,1500,1500,40,1500,400,40,354,46,278,71,46,93,71,46,208,84,89,82,89] [ENTROPIES...: 4.5,4.8,4.7,5.2,5.0,4.5,5.4,5.0,4.5,5.5,5.0,5.4,5.5,7.1,7.1,4.7,6.9,7.2,4.8,7.4,4.5,7.0,5.8,4.5,5.8,5.7,4.5,7.0,5.9,6.0,5.7,5.9] - detection-update: [.....1] [ip4][..tcp] [..192.168.20.18][50583] -> [...72.249.41.52][..110] [POPS][Unknown][Email][Safe] - RISK: Obsolete TLS (v1.1 or older), Unsafe Protocol end: [.....1] [ip4][..tcp] [..192.168.20.18][50583] -> [...72.249.41.52][..110] [POPS][Unknown][Email][Safe] RISK: Obsolete TLS (v1.1 or older), Unsafe Protocol DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/psiphon3.pcap.out b/test/results/flow-info/default/psiphon3.pcap.out index f300a8205..051968a71 100644 --- a/test/results/flow-info/default/psiphon3.pcap.out +++ b/test/results/flow-info/default/psiphon3.pcap.out @@ -18,8 +18,6 @@ [IATS(ms)....: 6.0,17.4,0.0,14.4,0.0,0.0,1.0,16.0,7.0,5.0,0.0,0.0,3.0,28.0,2.0,3.0,1.0,0.0,7.0,25.9,0.0,1.4,0.0,0.0,4.0,20.8,1.0,46.1,1.0,0.0,0.0] [PKTLENS.....: 60,60,52,52,40,208,40,208,40,40,1500,1002,1500,1002,40,40,40,40,133,133,40,40,298,109,298,109,40,40,133,417,78,1048] [ENTROPIES...: 4.6,4.6,4.8,4.8,4.8,5.4,4.8,5.4,4.8,4.8,7.0,7.2,7.0,7.2,4.8,4.8,4.8,4.8,5.9,5.9,4.8,4.8,7.0,6.0,7.0,6.0,4.7,4.7,6.3,7.3,5.4,7.8] - detection-update: [.....1] [ip4][..tcp] [..192.168.0.103][40557] -> [.104.18.151.190][..443] [TLS.Psiphon][Cloudflare][VPN][Acceptable][] - RISK: Missing SNI TLS Extn, ALPN/SNI Mismatch end: [.....1] [ip4][..tcp] [..192.168.0.103][40557] -> [.104.18.151.190][..443] [TLS.Psiphon][Cloudflare][VPN][Acceptable] RISK: Missing SNI TLS Extn, ALPN/SNI Mismatch DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/reddit.pcap.out b/test/results/flow-info/default/reddit.pcap.out index b1ea3f106..6944b206f 100644 --- a/test/results/flow-info/default/reddit.pcap.out +++ b/test/results/flow-info/default/reddit.pcap.out @@ -99,7 +99,6 @@ [IATS(ms)....: 44.6,44.7,0.3,51.0,1.8,0.0,0.0,0.0,52.5,0.0,0.0,0.0,2.4,0.7,0.1,0.1,49.0,0.0,45.8,0.1,0.2,1.2,0.0,0.0,0.0,1.4,0.0,0.0,0.1,0.0,0.0] [PKTLENS.....: 80,80,72,589,72,1120,1120,1120,602,72,72,72,72,165,171,389,153,72,330,72,72,72,138,72,1120,1118,72,72,72,1120,72,1120] [ENTROPIES...: 4.9,5.4,5.3,4.6,5.1,6.9,7.3,7.4,7.5,5.2,5.2,5.2,5.3,6.1,6.4,7.3,6.1,5.1,7.1,5.3,5.1,5.0,6.2,5.1,7.8,7.8,5.3,5.2,5.3,7.8,5.2,7.8] - detection-update: [....20] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56592] -> [.....................64:ff9b::9765:798c][..443] [TLS.Reddit][Unknown][SocialNetwork][Fun][emoji.redditmedia.com] new: [....21] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56594] -> [.....................64:ff9b::9765:798c][..443] detected: [....21] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56594] -> [.....................64:ff9b::9765:798c][..443] [TLS.Reddit][Unknown][SocialNetwork][Fun][b.thumbs.redditmedia.com] detection-update: [....21] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56594] -> [.....................64:ff9b::9765:798c][..443] [TLS.Reddit][Unknown][SocialNetwork][Fun][b.thumbs.redditmedia.com] @@ -114,7 +113,6 @@ [IATS(ms)....: 25.8,25.9,0.4,66.4,26.1,92.0,0.8,0.0,0.0,0.8,0.0,0.0,1.6,0.1,0.3,42.1,0.0,0.0,6.2,0.0,0.0,0.0,0.0,0.0,46.4,0.0,0.0,0.0,0.0,0.0,0.9] [PKTLENS.....: 80,80,72,589,72,1120,72,1120,1120,623,72,72,72,165,171,403,72,72,72,346,138,1120,1120,1120,1120,72,72,72,72,72,72,110] [ENTROPIES...: 4.9,5.3,5.3,4.6,5.1,7.0,5.3,7.3,7.3,7.6,5.3,5.3,5.3,6.1,6.5,7.3,5.1,5.2,5.2,7.2,6.2,7.8,7.8,7.8,7.8,5.3,5.3,5.3,5.3,5.3,5.3,5.7] - detection-update: [....21] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56594] -> [.....................64:ff9b::9765:798c][..443] [TLS.Reddit][Unknown][SocialNetwork][Fun][b.thumbs.redditmedia.com] new: [....22] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][50960] -> [...............2a00:1450:4007:805::2002][..443] new: [....23] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][43492] -> [......................64:ff9b::df9:21c6][..443] new: [....24] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][38320] -> [.....................64:ff9b::6853:b3b6][..443] @@ -144,7 +142,6 @@ [IATS(ms)....: 38.5,38.6,0.4,37.3,14.2,0.0,0.0,0.0,0.0,51.0,0.0,0.0,0.0,0.0,2.4,0.1,0.1,31.3,0.0,1.6,0.0,30.2,0.1,3.4,0.0,0.0,0.0,3.2,0.0,0.0,0.0] [PKTLENS.....: 80,80,72,589,72,1460,1460,1460,1460,387,72,72,72,72,72,136,164,330,72,72,72,143,72,103,1460,1460,1460,1460,72,72,72,72] [ENTROPIES...: 4.8,5.2,5.2,4.5,5.1,7.8,7.8,7.9,7.8,7.4,5.2,5.2,5.2,5.2,5.1,6.1,6.5,7.3,5.0,5.0,5.1,6.3,5.2,5.9,7.9,7.8,7.9,7.8,5.2,5.2,5.3,5.3] - detection-update: [....23] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][43492] -> [......................64:ff9b::df9:21c6][..443] [TLS.Amazon][Unknown][Web][Acceptable][c.amazon-adsystem.com] new: [....25] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51026] -> [.....................64:ff9b::acd9:12c2][..443] detected: [....25] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51026] -> [.....................64:ff9b::acd9:12c2][..443] [TLS.Google][Unknown][Advertisement][Acceptable][securepubads.g.doubleclick.net] new: [....26] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][48240] -> [.....................64:ff9b::9765:789d][..443] @@ -195,7 +192,6 @@ [IATS(ms)....: 41.3,41.4,0.2,45.6,16.1,0.0,0.0,61.5,0.0,0.0,3.9,0.4,0.1,94.0,180.2,10.5,0.0,92.3,0.1,0.4,5.5,8.0,1.9,14.9,15.5,0.0,15.5,0.0,0.3,0.0,0.0] [PKTLENS.....: 80,80,72,589,72,1460,1460,660,72,72,72,198,171,330,330,72,346,141,72,72,110,72,72,110,72,1460,1460,72,72,1460,1460,1460] [ENTROPIES...: 5.3,5.6,5.5,4.7,5.4,6.9,7.4,7.6,5.4,5.4,5.3,6.5,6.4,7.2,7.2,5.4,7.2,6.3,5.5,5.5,5.8,5.4,5.4,6.0,5.4,7.9,7.9,5.5,5.5,7.9,7.9,7.9] - detection-update: [....32] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][48648] -> [...2620:116:800d:21:f916:5049:f87f:108e][..443] [TLS][Unknown][Web][Safe][secure.quantserve.com] new: [....34] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51100] -> [.....................64:ff9b::d83a:d1e6][..443] new: [....35] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51102] -> [.....................64:ff9b::d83a:d1e6][..443] new: [....36] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56186] -> [...2600:9000:219c:ee00:6:44e3:f8c0:93a1][..443] @@ -225,7 +221,6 @@ [IATS(ms)....: 29.2,29.3,0.2,29.5,187.3,216.6,0.3,0.0,0.3,0.0,1.8,0.2,0.0,70.3,211.9,6.5,0.0,182.9,58.3,20.2,41.8,0.1,0.0,0.9,11.7,10.9,9.9,6.2,112.5,128.6,76.1] [PKTLENS.....: 80,80,72,589,72,1460,72,1460,735,72,72,198,171,362,362,72,72,72,172,72,314,72,116,72,110,110,72,72,72,531,72,338] [ENTROPIES...: 4.8,5.2,5.2,4.6,5.1,6.8,5.2,7.4,7.6,5.2,5.2,6.4,6.3,7.1,7.1,5.1,5.1,5.1,6.4,5.1,7.0,5.2,5.9,5.2,5.6,5.9,5.2,5.1,5.1,7.5,5.2,7.3] - detection-update: [....29] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56782] -> [.....................64:ff9b::68f4:2ac8][..443] [TLS.Twitter][Unknown][SocialNetwork][Fun][syndication.twitter.com] new: [....37] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][39736] -> [.....2606:2800:134:1a0d:1429:742:782:b6][..443] detected: [....37] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][39736] -> [.....2606:2800:134:1a0d:1429:742:782:b6][..443] [TLS.Twitter][Edgecast][SocialNetwork][Fun][cdn.syndication.twimg.com] detection-update: [....37] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][39736] -> [.....2606:2800:134:1a0d:1429:742:782:b6][..443] [TLS.Twitter][Edgecast][SocialNetwork][Fun][cdn.syndication.twimg.com] @@ -291,7 +286,6 @@ [IATS(ms)....: 25.7,25.8,0.2,144.2,0.0,0.0,144.0,0.0,0.1,0.0,0.0,0.0,2.5,0.6,1.3,49.7,0.0,0.0,0.0,45.4,0.0,0.1,0.0,0.1,0.7,0.4,0.9,38.4,2.5,1.1,2.2] [PKTLENS.....: 80,80,72,589,72,1120,1120,72,72,1120,587,72,72,165,171,471,72,72,330,138,72,72,72,439,72,110,566,142,72,72,72,114] [ENTROPIES...: 4.9,5.3,5.2,4.5,5.1,6.9,7.4,5.2,5.2,7.3,7.5,5.2,5.2,6.1,6.4,7.4,5.2,5.1,7.1,6.2,5.2,5.3,5.1,7.5,5.3,5.6,7.6,6.2,5.1,5.1,5.1,6.0] - detection-update: [....44] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56640] -> [.....................64:ff9b::9765:798c][..443] [TLS.Reddit][Unknown][SocialNetwork][Fun][gateway.reddit.com] new: [....45] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51006] -> [...............2a00:1450:4007:805::2002][..443] new: [....46] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][59336] -> [...............2a00:1450:4007:80b::2002][..443] detected: [....45] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51006] -> [...............2a00:1450:4007:805::2002][..443] [TLS.Google][Google][Web][Acceptable][adservice.google.fr] diff --git a/test/results/flow-info/default/roblox.pcapng.out b/test/results/flow-info/default/roblox.pcapng.out index 1c0b2706b..c03a1d842 100644 --- a/test/results/flow-info/default/roblox.pcapng.out +++ b/test/results/flow-info/default/roblox.pcapng.out @@ -16,15 +16,14 @@ [IATS(ms)....: 28.5,194.1,21.5,215.7,0.0,0.0,0.5,0.0,126.9,1.3,3.5,0.3,4.4,2.6,0.5,0.2,137.9,0.1,0.7,108.0,106.8,174.6,10000.2,0.3,357.2,548.0,10785.6,40.1,91.7,5.7,187.6] [PKTLENS.....: 60,60,52,569,1500,1500,1252,1500,891,52,52,52,52,52,116,1076,702,323,323,52,52,578,52,76,52,52,76,52,52,76,52,40] [ENTROPIES...: 4.8,5.3,5.2,4.8,7.9,7.9,7.8,7.9,7.8,5.2,5.2,5.1,5.1,5.0,6.1,7.8,7.7,7.3,7.3,5.2,5.1,7.6,5.2,5.7,5.2,5.1,5.7,5.1,5.1,5.7,5.1,4.0] - detection-update: [.....2] [ip4][..tcp] [.192.168.12.156][39034] -> [..128.116.122.4][..443] [TLS.Roblox][Roblox][Game][Fun][assetgame.roblox.com] DAEMON-EVENT: [Processed: 47 pkts][ZLib][compressions: 0|diff: 0 / 0] - DAEMON-EVENT: [Flows][active: 2 / 2|skipped: 0|!detected: 0|guessed: 0|detection-updates: 2|updates: 0] + DAEMON-EVENT: [Flows][active: 2 / 2|skipped: 0|!detected: 0|guessed: 0|detection-updates: 1|updates: 0] new: [.....3] [ip4][..udp] [.192.168.12.156][45693] -> [..128.116.44.33][53385] detected: [.....3] [ip4][..udp] [.192.168.12.156][45693] -> [..128.116.44.33][53385] [RakNet][Roblox][Game][Fun] idle: [.....1] [ip4][..udp] [.192.168.12.156][42965] -> [.128.116.89.113][63862] [RakNet][Roblox][Game][Fun] end: [.....2] [ip4][..tcp] [.192.168.12.156][39034] -> [..128.116.122.4][..443] [TLS.Roblox][Roblox][Game][Fun] DAEMON-EVENT: [Processed: 64 pkts][ZLib][compressions: 0|diff: 0 / 0] - DAEMON-EVENT: [Flows][active: 1 / 3|skipped: 0|!detected: 0|guessed: 0|detection-updates: 2|updates: 0] + DAEMON-EVENT: [Flows][active: 1 / 3|skipped: 0|!detected: 0|guessed: 0|detection-updates: 1|updates: 0] new: [.....4] [ip4][..udp] [.192.168.12.156][46507] -> [..128.116.44.33][51438] detected: [.....4] [ip4][..udp] [.192.168.12.156][46507] -> [..128.116.44.33][51438] [RakNet][Roblox][Game][Fun] idle: [.....3] [ip4][..udp] [.192.168.12.156][45693] -> [..128.116.44.33][53385] [RakNet][Roblox][Game][Fun] diff --git a/test/results/flow-info/default/signal.pcap.out b/test/results/flow-info/default/signal.pcap.out index f570cceff..9dc2a1b9a 100644 --- a/test/results/flow-info/default/signal.pcap.out +++ b/test/results/flow-info/default/signal.pcap.out @@ -114,7 +114,6 @@ [IATS(ms)....: 32.9,39.8,0.1,40.0,2.7,0.0,39.4,7.8,43.4,0.4,0.0,34.7,0.1,7.5,0.5,0.0,0.1,0.4,5.9,0.1,0.4,42.2,0.0,0.5,26.8,7.6,10.7,0.1,0.3,0.3,26.1] [PKTLENS.....: 64,60,52,569,52,1492,995,52,178,52,103,121,52,52,105,102,94,243,90,1492,1492,1492,52,90,52,671,52,1492,1492,1492,1492,52] [ENTROPIES...: 4.4,5.2,5.0,4.3,5.1,7.1,7.7,5.1,6.3,5.1,6.0,6.4,5.1,5.1,5.7,5.6,5.5,7.0,5.4,7.9,7.9,7.9,4.9,5.9,5.1,7.6,5.1,7.9,7.9,7.9,7.9,5.1] - detection-update: [....19] [ip4][..tcp] [...192.168.2.17][57027] -> [...13.35.253.42][..443] [TLS.Signal][AmazonAWS][Chat][Fun][cdn.signal.org] idle: [.....1] [ip4][..udp] [........0.0.0.0][...68] -> [255.255.255.255][...67] [DHCP][Unknown][Network][Acceptable] end: [.....8] [ip4][..tcp] [...192.168.2.17][56996] -> [.17.248.146.144][..443] [TLS][Apple][Web][Safe] RISK: Unidirectional Traffic diff --git a/test/results/flow-info/default/simple-dnscrypt.pcap.out b/test/results/flow-info/default/simple-dnscrypt.pcap.out index 1dfe2adab..4e81440ad 100644 --- a/test/results/flow-info/default/simple-dnscrypt.pcap.out +++ b/test/results/flow-info/default/simple-dnscrypt.pcap.out @@ -15,7 +15,6 @@ [IATS(ms)....: 110.6,111.2,27.9,119.6,18.5,5.2,114.9,3.0,7.5,0.0,0.0,10.6,4.9,14.9,0.1,0.1,0.4,91.8,0.0,71.5,3.1,28.8,0.0,26.8,76.4,36.0,32.6,95.2,61.6,222.0,0.0] [PKTLENS.....: 52,52,40,246,40,1350,1350,40,1350,1350,1350,346,40,166,93,96,82,258,298,109,40,78,40,78,40,40,40,401,40,105,1350,1310] [ENTROPIES...: 4.7,5.1,4.9,5.6,4.9,7.3,7.2,4.7,7.6,7.5,7.6,7.3,4.8,6.4,5.7,5.8,5.5,7.1,7.1,6.1,4.9,5.4,4.9,5.8,4.9,4.9,4.9,7.3,4.9,6.0,7.8,7.8] - detection-update: [.....1] [ip4][..tcp] [.192.168.43.167][50233] -> [..134.119.26.24][..443] [TLS.DNScrypt][Unknown][Network][Acceptable][simplednscrypt.org] new: [.....2] [ip4][..tcp] [.192.168.43.167][50253] -> [..134.119.26.24][..443] new: [.....3] [ip4][..tcp] [.192.168.43.167][50258] -> [..134.119.26.24][..443] new: [.....4] [ip4][..tcp] [.192.168.43.167][50259] -> [..134.119.26.24][..443] @@ -38,7 +37,6 @@ [IATS(ms)....: 76.9,77.0,0.2,75.5,27.7,2.5,105.6,0.6,0.0,0.6,1.3,0.0,1.6,3.3,3.7,0.1,0.1,3.1,0.1,0.0,84.7,0.0,74.1,4.3,0.0,9.6,25.1,23.4,82.0,4.1,98.4] [PKTLENS.....: 52,52,40,250,40,1350,1350,40,1350,1350,40,1350,346,40,166,93,96,82,320,119,118,298,109,40,40,78,40,78,40,402,401,40] [ENTROPIES...: 4.7,5.0,4.8,5.5,4.8,7.3,7.3,4.8,7.6,7.5,4.7,7.6,7.4,4.8,6.3,5.6,5.8,5.5,7.3,6.0,6.1,7.2,6.3,4.9,4.9,5.8,4.8,5.4,4.9,7.5,7.4,4.9] - detection-update: [.....4] [ip4][..tcp] [.192.168.43.167][50259] -> [..134.119.26.24][..443] [TLS.DNScrypt][Unknown][Network][Acceptable][simplednscrypt.org] idle: [.....1] [ip4][..tcp] [.192.168.43.167][50233] -> [..134.119.26.24][..443] [TLS.DNScrypt][Unknown][Network][Acceptable] idle: [.....2] [ip4][..tcp] [.192.168.43.167][50253] -> [..134.119.26.24][..443] [TLS.DNScrypt][Unknown][Network][Acceptable] idle: [.....3] [ip4][..tcp] [.192.168.43.167][50258] -> [..134.119.26.24][..443] [TLS.DNScrypt][Unknown][Network][Acceptable] diff --git a/test/results/flow-info/default/sites.pcapng.out b/test/results/flow-info/default/sites.pcapng.out index 53efbbef8..a7aa66b10 100644 --- a/test/results/flow-info/default/sites.pcapng.out +++ b/test/results/flow-info/default/sites.pcapng.out @@ -32,10 +32,9 @@ [IATS(ms)....: 46.8,50.1,2.2,52.9,0.2,0.0,0.0,0.0,52.2,0.0,0.0,0.0,1.5,0.6,2.4,52.4,0.0,0.8,3.1,0.0,0.2,0.0,0.0,0.0,0.0,0.0,0.2,47.9,0.0,0.0,0.2] [PKTLENS.....: 60,60,52,569,52,1500,1500,1252,152,52,52,52,52,132,222,290,355,95,83,1500,1500,1500,1500,1500,1500,1500,1500,374,52,52,52,83] [ENTROPIES...: 4.7,5.2,5.0,5.4,5.1,7.8,7.9,7.8,6.5,5.0,5.0,5.1,5.1,6.3,6.9,7.1,7.4,6.0,5.7,7.9,7.9,7.9,7.9,7.9,7.9,7.9,7.9,7.4,5.1,5.0,5.1,5.6] - detection-update: [.....4] [ip4][..tcp] [..192.168.1.128][50620] -> [.91.198.174.208][..443] [TLS.Wikipedia][Unknown][Web][Safe][upload.wikimedia.org] end: [.....3] [ip4][..tcp] [..192.168.1.227][50071] -> [...52.73.71.226][..443] [TLS.Fuze][AmazonAWS][VoIP][Acceptable] DAEMON-EVENT: [Processed: 118 pkts][ZLib][compressions: 0|diff: 0 / 0] - DAEMON-EVENT: [Flows][active: 1 / 4|skipped: 0|!detected: 0|guessed: 0|detection-updates: 6|updates: 0] + DAEMON-EVENT: [Flows][active: 1 / 4|skipped: 0|!detected: 0|guessed: 0|detection-updates: 5|updates: 0] new: [.....5] [ip4][..tcp] [..192.168.1.250][39890] -> [...45.82.241.51][...80] detected: [.....5] [ip4][..tcp] [..192.168.1.250][39890] -> [...45.82.241.51][...80] [HTTP.Likee][Unknown][SocialNetwork][Fun][videosnap.like.video] analyse: [.....5] [ip4][..tcp] [..192.168.1.250][39890] -> [...45.82.241.51][...80] [HTTP.Likee][Unknown][SocialNetwork][Fun] @@ -50,31 +49,31 @@ [ENTROPIES...: 4.7,4.9,4.3,5.7,4.3,7.7,7.9,7.8,7.9,7.9,7.9,7.9,4.3,4.3,4.3,4.3,4.3,4.3,4.3,5.7,7.7,7.9,7.9,7.9,4.3,4.3,7.9,7.9,4.3,4.3,4.3,4.3] end: [.....4] [ip4][..tcp] [..192.168.1.128][50620] -> [.91.198.174.208][..443] [TLS.Wikipedia][Unknown][Web][Safe] DAEMON-EVENT: [Processed: 230 pkts][ZLib][compressions: 0|diff: 0 / 0] - DAEMON-EVENT: [Flows][active: 1 / 5|skipped: 0|!detected: 0|guessed: 0|detection-updates: 6|updates: 0] + DAEMON-EVENT: [Flows][active: 1 / 5|skipped: 0|!detected: 0|guessed: 0|detection-updates: 5|updates: 0] new: [.....6] [ip4][..tcp] [..192.168.1.128][46724] -> [.199.232.82.109][..443] detected: [.....6] [ip4][..tcp] [..192.168.1.128][46724] -> [.199.232.82.109][..443] [TLS.Vimeo][Unknown][Streaming][Fun][f.vimeocdn.com] detection-update: [.....6] [ip4][..tcp] [..192.168.1.128][46724] -> [.199.232.82.109][..443] [TLS.Vimeo][Unknown][Streaming][Fun][f.vimeocdn.com] detection-update: [.....6] [ip4][..tcp] [..192.168.1.128][46724] -> [.199.232.82.109][..443] [TLS.Vimeo][Unknown][Streaming][Fun][f.vimeocdn.com] end: [.....5] [ip4][..tcp] [..192.168.1.250][39890] -> [...45.82.241.51][...80] [HTTP.Likee][Unknown][SocialNetwork][Fun] DAEMON-EVENT: [Processed: 255 pkts][ZLib][compressions: 0|diff: 0 / 0] - DAEMON-EVENT: [Flows][active: 1 / 6|skipped: 0|!detected: 0|guessed: 0|detection-updates: 8|updates: 0] + DAEMON-EVENT: [Flows][active: 1 / 6|skipped: 0|!detected: 0|guessed: 0|detection-updates: 7|updates: 0] new: [.....7] [ip4][..tcp] [..192.168.1.128][48918] -> [...143.204.9.65][..443] detected: [.....7] [ip4][..tcp] [..192.168.1.128][48918] -> [...143.204.9.65][..443] [TLS.DisneyPlus][AmazonAWS][Streaming][Fun][prod-static.disney-plus.net] detection-update: [.....7] [ip4][..tcp] [..192.168.1.128][48918] -> [...143.204.9.65][..443] [TLS.DisneyPlus][AmazonAWS][Streaming][Fun][prod-static.disney-plus.net] end: [.....6] [ip4][..tcp] [..192.168.1.128][46724] -> [.199.232.82.109][..443] [TLS.Vimeo][Unknown][Streaming][Fun] DAEMON-EVENT: [Processed: 284 pkts][ZLib][compressions: 0|diff: 0 / 0] - DAEMON-EVENT: [Flows][active: 1 / 7|skipped: 0|!detected: 0|guessed: 0|detection-updates: 9|updates: 0] + DAEMON-EVENT: [Flows][active: 1 / 7|skipped: 0|!detected: 0|guessed: 0|detection-updates: 8|updates: 0] new: [.....8] [ip4][..tcp] [.192.168.12.169][39248] -> [...23.12.104.83][..443] detected: [.....8] [ip4][..tcp] [.192.168.12.169][39248] -> [...23.12.104.83][..443] [TLS.AccuWeather][Unknown][Web][Fun][api.accuweather.com] detection-update: [.....8] [ip4][..tcp] [.192.168.12.169][39248] -> [...23.12.104.83][..443] [TLS.AccuWeather][Unknown][Web][Fun][api.accuweather.com] end: [.....7] [ip4][..tcp] [..192.168.1.128][48918] -> [...143.204.9.65][..443] [TLS.DisneyPlus][AmazonAWS][Streaming][Fun] DAEMON-EVENT: [Processed: 314 pkts][ZLib][compressions: 0|diff: 0 / 0] - DAEMON-EVENT: [Flows][active: 1 / 8|skipped: 0|!detected: 0|guessed: 0|detection-updates: 10|updates: 0] + DAEMON-EVENT: [Flows][active: 1 / 8|skipped: 0|!detected: 0|guessed: 0|detection-updates: 9|updates: 0] new: [.....9] [ip4][..udp] [..192.168.1.123][59102] -> [..216.58.209.46][..443] detected: [.....9] [ip4][..udp] [..192.168.1.123][59102] -> [..216.58.209.46][..443] [QUIC.GoogleClassroom][Google][Collaborative][Safe][classroom.google.com] end: [.....8] [ip4][..tcp] [.192.168.12.169][39248] -> [...23.12.104.83][..443] [TLS.AccuWeather][Unknown][Web][Fun] DAEMON-EVENT: [Processed: 315 pkts][ZLib][compressions: 0|diff: 0 / 0] - DAEMON-EVENT: [Flows][active: 1 / 9|skipped: 0|!detected: 0|guessed: 0|detection-updates: 10|updates: 0] + DAEMON-EVENT: [Flows][active: 1 / 9|skipped: 0|!detected: 0|guessed: 0|detection-updates: 9|updates: 0] new: [....10] [ip4][..tcp] [..192.168.1.128][35054] -> [..31.222.67.112][..443] detected: [....10] [ip4][..tcp] [..192.168.1.128][35054] -> [..31.222.67.112][..443] [TLS.Badoo][Unknown][SocialNetwork][Fun][www.badoo.com] detection-update: [....10] [ip4][..tcp] [..192.168.1.128][35054] -> [..31.222.67.112][..443] [TLS.Badoo][Unknown][SocialNetwork][Fun][www.badoo.com] @@ -158,7 +157,7 @@ detected: [....36] [ip4][..tcp] [..192.168.1.128][39828] -> [....40.97.160.2][..443] [TLS.Outlook][Outlook][Email][Acceptable][outlook.com] detection-update: [....36] [ip4][..tcp] [..192.168.1.128][39828] -> [....40.97.160.2][..443] [TLS.Outlook][Outlook][Email][Acceptable][outlook.com] DAEMON-EVENT: [Processed: 457 pkts][ZLib][compressions: 0|diff: 0 / 0] - DAEMON-EVENT: [Flows][active: 27 / 36|skipped: 0|!detected: 0|guessed: 0|detection-updates: 39|updates: 0] + DAEMON-EVENT: [Flows][active: 27 / 36|skipped: 0|!detected: 0|guessed: 0|detection-updates: 38|updates: 0] new: [....37] [ip4][..tcp] [..192.168.1.128][45898] -> [..15.160.39.187][..443] detected: [....37] [ip4][..tcp] [..192.168.1.128][45898] -> [..15.160.39.187][..443] [TLS.AppleSiri][AmazonAWS][VirtAssistant][Acceptable][guzzoni.apple.com] detection-update: [....37] [ip4][..tcp] [..192.168.1.128][45898] -> [..15.160.39.187][..443] [TLS.AppleSiri][AmazonAWS][VirtAssistant][Acceptable][guzzoni.apple.com] @@ -222,7 +221,7 @@ detected: [....46] [ip4][..udp] [..192.168.1.128][36832] -> [142.250.181.238][..443] [QUIC.GooglePlus][Google][SocialNetwork][Fun][plus.google.com] update: [....44] [ip4][..udp] [..192.168.1.128][38642] -> [.216.58.212.142][..443] [QUIC.Google][Google][Web][Acceptable] DAEMON-EVENT: [Processed: 512 pkts][ZLib][compressions: 0|diff: 0 / 0] - DAEMON-EVENT: [Flows][active: 10 / 46|skipped: 0|!detected: 0|guessed: 4|detection-updates: 48|updates: 1] + DAEMON-EVENT: [Flows][active: 10 / 46|skipped: 0|!detected: 0|guessed: 4|detection-updates: 47|updates: 1] new: [....47] [ip4][..tcp] [..192.168.1.128][53978] -> [..208.85.40.158][..443] detected: [....47] [ip4][..tcp] [..192.168.1.128][53978] -> [..208.85.40.158][..443] [TLS.Pandora][Unknown][Streaming][Fun][pandora.com] detection-update: [....47] [ip4][..tcp] [..192.168.1.128][53978] -> [..208.85.40.158][..443] [TLS.Pandora][Unknown][Streaming][Fun][pandora.com] diff --git a/test/results/flow-info/default/teams.pcap.out b/test/results/flow-info/default/teams.pcap.out index 9ebd658bc..333036c26 100644 --- a/test/results/flow-info/default/teams.pcap.out +++ b/test/results/flow-info/default/teams.pcap.out @@ -29,7 +29,6 @@ [IATS(ms)....: 12.5,12.6,1.4,13.9,1.6,0.2,14.3,0.3,0.2,0.1,0.0,0.1,4.9,16.5,1.1,12.8,0.3,0.3,11.4,0.4,0.2,23.0,0.0,11.1,0.4,29.3,29.8,0.5,0.1,0.0,0.5] [PKTLENS.....: 64,52,40,250,46,1492,1492,40,1492,40,1492,257,40,198,46,366,40,109,40,133,78,298,78,46,40,46,556,40,1492,1492,671,40] [ENTROPIES...: 4.4,4.9,4.5,5.4,4.6,7.4,7.4,4.7,7.5,4.6,7.6,7.1,4.6,6.6,4.6,7.2,4.7,6.0,4.6,6.2,5.1,7.0,5.4,4.6,4.7,4.6,7.6,4.7,7.8,7.8,7.7,4.7] - detection-update: [.....5] [ip4][..tcp] [....192.168.1.6][60533] -> [.52.113.194.132][..443] [TLS.Teams][Skype_Teams][Collaborative][Safe][teams.microsoft.com] detection-update: [.....4] [ip4][..tcp] [....192.168.1.6][60532] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] RISK: TLS (probably) Not Carrying HTTPS ERROR-EVENT: Unknown packet type [7/16] @@ -46,8 +45,6 @@ [IATS(ms)....: 43.2,43.3,94.0,139.8,0.2,45.9,0.1,0.1,1.4,46.8,45.4,177.2,0.0,0.0,221.2,44.0,0.0,0.0,0.0,21.3,21.2,0.0,23.0,23.0,0.0,0.0,0.0,1.2,1.2,0.0,0.0] [PKTLENS.....: 64,60,52,226,1492,1492,52,1375,52,145,103,52,1480,1480,1480,52,1480,1480,1480,1480,52,1480,1480,52,1480,1480,1480,1480,52,1480,1480,1480] [ENTROPIES...: 4.4,5.2,4.9,5.6,7.3,7.3,4.9,7.7,4.9,5.9,5.5,4.9,7.9,7.9,7.9,5.1,7.9,7.9,7.9,7.9,5.1,7.9,7.9,5.1,7.9,7.9,7.9,7.9,5.1,7.9,7.9,7.9] - detection-update: [.....4] [ip4][..tcp] [....192.168.1.6][60532] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] - RISK: TLS (probably) Not Carrying HTTPS new: [.....7] [ip4][..tcp] [....192.168.1.6][60535] -> [...52.114.77.33][..443] detected: [.....7] [ip4][..tcp] [....192.168.1.6][60535] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] RISK: TLS (probably) Not Carrying HTTPS @@ -148,8 +145,6 @@ [IATS(ms)....: 50.5,50.6,0.3,64.6,72.0,0.2,136.5,0.1,0.1,1.4,68.0,86.2,152.9,2.3,0.0,0.0,46.4,44.1,0.0,0.0,0.0,23.6,23.6,0.0,20.9,20.9,0.0,0.0,0.0,0.8,0.8] [PKTLENS.....: 64,60,52,258,52,1492,1492,52,1375,52,145,52,103,52,1480,1480,1480,52,1480,1480,1480,1480,52,1480,1480,52,1480,1480,1480,1480,52,1480] [ENTROPIES...: 4.4,5.3,5.0,5.9,5.1,7.3,7.3,5.0,7.7,5.0,5.9,5.2,5.6,5.0,7.9,7.8,7.9,5.2,7.9,7.9,7.9,7.9,5.2,7.9,7.9,5.2,7.9,7.9,7.8,7.9,5.2,7.9] - detection-update: [....25] [ip4][..tcp] [....192.168.1.6][60543] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] - RISK: TLS (probably) Not Carrying HTTPS new: [....30] [ip4][..tcp] [....192.168.1.6][60546] -> [.167.99.215.164][.4434] detected: [....30] [ip4][..tcp] [....192.168.1.6][60546] -> [.167.99.215.164][.4434] [TLS.ntop][Unknown][Network][Safe][dati.ntop.org] RISK: Known Proto on Non Std Port @@ -201,7 +196,6 @@ [IATS(ms)....: 12.7,12.8,0.2,12.4,2.5,0.3,14.9,0.5,0.5,0.2,0.0,0.8,4.9,17.1,1.4,0.0,13.1,0.0,0.2,0.3,0.1,11.8,0.0,11.2,0.1,0.6,112.9,113.7,1998.1,2009.8,174.6] [PKTLENS.....: 64,52,40,257,46,1492,1492,40,1492,40,1492,181,40,198,46,366,109,40,40,133,78,561,46,78,40,46,46,440,40,342,46,345] [ENTROPIES...: 4.4,5.0,4.6,5.5,4.5,7.3,7.5,4.6,7.5,4.6,7.7,6.8,4.7,6.5,4.5,7.2,6.0,4.6,4.6,6.2,5.2,7.6,4.4,5.4,4.6,4.5,4.5,7.5,4.7,7.2,4.5,7.3] - detection-update: [....23] [ip4][..tcp] [....192.168.1.6][60542] -> [.52.113.194.132][..443] [TLS.Teams][Skype_Teams][Collaborative][Safe][config.teams.microsoft.com] analyse: [....35] [ip4][..tcp] [....192.168.1.6][60549] -> [...13.107.18.11][..443] [TLS.Microsoft365][Outlook][Collaborative][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.540| 0.024| 0.095| 8949.939| 1.900] @@ -212,7 +206,6 @@ [IATS(ms)....: 11.5,11.6,0.3,11.9,32.5,0.1,44.2,0.2,0.0,0.2,3.8,7.7,0.3,0.1,14.6,1.5,0.0,4.2,0.0,0.3,6.5,0.5,6.7,4.3,9.9,14.2,10.7,10.7,539.6,0.0,0.3] [PKTLENS.....: 64,52,40,251,46,1492,1492,40,1492,80,40,198,133,578,172,46,366,109,40,40,78,46,78,40,46,689,40,359,40,1480,694,248] [ENTROPIES...: 4.4,4.9,4.5,5.4,4.5,6.7,7.5,4.6,7.6,5.7,4.7,6.5,6.2,7.6,6.5,4.5,7.2,5.8,4.6,4.6,5.3,4.5,5.4,4.6,4.5,7.7,4.7,7.3,4.7,7.8,7.7,7.0] - detection-update: [....35] [ip4][..tcp] [....192.168.1.6][60549] -> [...13.107.18.11][..443] [TLS.Microsoft365][Outlook][Collaborative][Acceptable][substrate.office.com] new: [....36] [ip4][..udp] [....192.168.1.6][61245] -> [....192.168.1.1][...53] detected: [....36] [ip4][..udp] [....192.168.1.6][61245] -> [....192.168.1.1][...53] [DNS.Teams][Unknown][Network][Safe][euaz.tr.teams.microsoft.com] new: [....37] [ip4][..udp] [....192.168.1.6][53678] -> [....192.168.1.1][...53] @@ -265,8 +258,6 @@ [IATS(ms)....: 12.9,13.0,0.5,12.4,2.0,1.5,15.4,0.1,0.1,0.1,0.0,0.1,21.6,33.0,11.5,11.7,0.1,11.8,0.6,13.4,140.4,0.7,154.0,0.2,0.2,0.2,0.2,0.5,0.0,0.1,0.2] [PKTLENS.....: 64,52,40,226,46,1492,1492,40,1492,40,1492,168,40,147,46,91,46,91,40,1122,46,1492,1492,40,1317,40,1492,1492,40,40,1492,1492] [ENTROPIES...: 4.4,4.9,4.5,5.5,4.4,7.3,7.5,4.6,7.5,4.5,7.7,6.7,4.6,6.5,4.5,5.7,4.5,5.6,4.6,7.8,4.6,7.9,7.9,4.6,7.9,4.6,7.9,7.9,4.6,4.5,7.9,7.9] - detection-update: [....43] [ip4][..tcp] [....192.168.1.6][60554] -> [.52.113.194.132][..443] [TLS.Teams][Skype_Teams][Collaborative][Safe][config.teams.microsoft.com] - RISK: TLS (probably) Not Carrying HTTPS new: [....47] [ip4][..tcp] [....192.168.1.6][60557] -> [.52.113.194.132][..443] detected: [....47] [ip4][..tcp] [....192.168.1.6][60557] -> [.52.113.194.132][..443] [TLS.Teams][Skype_Teams][Collaborative][Safe][teams.microsoft.com] RISK: TLS (probably) Not Carrying HTTPS @@ -326,8 +317,6 @@ [IATS(ms)....: 48.4,48.5,0.5,88.2,136.5,113.7,0.2,161.8,0.1,0.1,1.1,74.6,73.5,1.1,0.0,0.0,50.1,49.0,0.0,0.0,0.0,48.4,48.4,0.0,0.0,0.0,1.6,1.5,46.9,1.1,1.7] [PKTLENS.....: 64,60,52,258,258,64,1492,1492,52,1375,52,145,103,52,1480,1480,1480,52,1480,1480,1480,1480,52,1480,1480,1480,1480,52,1462,52,52,52] [ENTROPIES...: 4.4,5.3,4.9,6.0,6.0,5.1,7.3,7.3,5.0,7.7,5.0,6.0,5.6,5.0,7.9,7.9,7.9,5.2,7.9,7.9,7.9,7.9,5.1,7.9,7.9,7.9,7.9,5.2,7.9,5.2,5.2,5.2] - detection-update: [....51] [ip4][..tcp] [....192.168.1.6][60561] -> [...52.114.77.33][..443] [TLS.Microsoft][Azure][Cloud][Safe][mobile.pipe.aria.microsoft.com] - RISK: TLS (probably) Not Carrying HTTPS detected: [....55] [ip4][..tcp] [....192.168.1.6][60563] -> [.52.169.186.119][..443] [TLS.Skype_Teams][Azure][VoIP][Acceptable][euno-1.api.microsoftstream.com] new: [....56] [ip4][..udp] [....192.168.1.6][63930] -> [....192.168.1.1][...53] detected: [....56] [ip4][..udp] [....192.168.1.6][63930] -> [....192.168.1.1][...53] [DNS.Microsoft][Unknown][Network][Safe][dc.applicationinsights.microsoft.com] diff --git a/test/results/flow-info/default/telnet.pcap.out b/test/results/flow-info/default/telnet.pcap.out index d73c4881f..64d6454eb 100644 --- a/test/results/flow-info/default/telnet.pcap.out +++ b/test/results/flow-info/default/telnet.pcap.out @@ -18,8 +18,6 @@ [IATS(ms)....: 2.5,2.6,1.6,147.8,146.2,0.2,1.6,1.7,3.3,1.3,0.6,1.8,1.1,2.4,3.6,0.6,1.2,22.3,20.4,1.2,13.8,15.0,1.2,0.8,12.8,12.2,20.0,1107.3,1100.0,1232.8,1.4] [PKTLENS.....: 60,60,52,79,55,52,55,52,77,116,52,70,61,52,76,52,137,52,55,55,52,64,58,52,67,52,84,52,59,52,58,52] [ENTROPIES...: 4.3,4.8,4.8,5.0,4.8,4.8,4.9,4.7,5.1,5.3,4.6,5.0,5.0,4.8,4.8,4.8,5.6,4.9,4.9,4.9,4.8,4.9,4.9,4.7,4.9,4.8,5.5,4.8,5.0,4.7,5.0,4.8] - detection-update: [.....1] [ip4][..tcp] [....192.168.0.2][.1550] -> [....192.168.0.1][...23] [Telnet][Unknown][RemoteAccess][Unsafe] - RISK: Unsafe Protocol end: [.....1] [ip4][..tcp] [....192.168.0.2][.1550] -> [....192.168.0.1][...23] [Telnet][Unknown][RemoteAccess][Unsafe] RISK: Unsafe Protocol DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/tls-appdata.pcap.out b/test/results/flow-info/default/tls-appdata.pcap.out index 109222e93..64d8dba2e 100644 --- a/test/results/flow-info/default/tls-appdata.pcap.out +++ b/test/results/flow-info/default/tls-appdata.pcap.out @@ -23,12 +23,11 @@ [IATS(ms)....: 2.0,15.0,3.0,0.0,16.0,0.0,0.0,0.0,0.0,1.0,1.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,15941.0,1.0,15956.0,5.0,0.0,19.0,1.0,1.0] [PKTLENS.....: 1492,60,46,1492,2944,40,2944,40,40,2944,2871,40,40,40,40,1492,60,46,1492,2944,40,2944,40,2944,1492,60,46,1492,2944,40,2944,40] [ENTROPIES...: 7.9,5.5,4.7,7.9,7.9,5.0,7.9,4.9,4.9,7.9,7.9,5.0,4.9,4.9,5.0,7.9,5.5,4.6,7.9,7.9,4.9,7.9,4.9,7.9,7.9,5.6,4.5,7.9,7.9,4.9,7.9,4.9] - detection-update: [.....2] [ip4][..tcp] [..192.168.2.100][58976] -> [...52.223.198.7][..443] [TLS][Twitch][Web][Safe] DAEMON-EVENT: [Processed: 45 pkts][ZLib][compressions: 0|diff: 0 / 0] - DAEMON-EVENT: [Flows][active: 1 / 2|skipped: 0|!detected: 0|guessed: 0|detection-updates: 4|updates: 0] + DAEMON-EVENT: [Flows][active: 1 / 2|skipped: 0|!detected: 0|guessed: 0|detection-updates: 3|updates: 0] DAEMON-EVENT: [Processed: 75 pkts][ZLib][compressions: 0|diff: 0 / 0] - DAEMON-EVENT: [Flows][active: 1 / 2|skipped: 0|!detected: 0|guessed: 0|detection-updates: 4|updates: 0] + DAEMON-EVENT: [Flows][active: 1 / 2|skipped: 0|!detected: 0|guessed: 0|detection-updates: 3|updates: 0] DAEMON-EVENT: [Processed: 105 pkts][ZLib][compressions: 0|diff: 0 / 0] - DAEMON-EVENT: [Flows][active: 1 / 2|skipped: 0|!detected: 0|guessed: 0|detection-updates: 4|updates: 0] + DAEMON-EVENT: [Flows][active: 1 / 2|skipped: 0|!detected: 0|guessed: 0|detection-updates: 3|updates: 0] idle: [.....2] [ip4][..tcp] [..192.168.2.100][58976] -> [...52.223.198.7][..443] [TLS][Twitch][Web][Safe] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/tls_verylong_certificate.pcap.out b/test/results/flow-info/default/tls_verylong_certificate.pcap.out index 781f329b5..2cfc0bcb4 100644 --- a/test/results/flow-info/default/tls_verylong_certificate.pcap.out +++ b/test/results/flow-info/default/tls_verylong_certificate.pcap.out @@ -15,6 +15,5 @@ [IATS(ms)....: 11.6,11.7,5.7,17.7,3.1,0.2,15.2,0.1,0.1,0.1,0.0,0.1,10.6,21.7,11.2,0.3,14.9,0.0,0.0,14.6,0.0,0.0,0.3,0.3,0.0,0.6,0.0,0.5,0.5,0.1,0.0] [PKTLENS.....: 64,60,52,569,52,1420,1420,52,1420,52,1420,262,52,178,103,52,222,1420,1420,104,52,52,52,1420,1420,104,52,52,1420,52,1420,104] [ENTROPIES...: 4.4,5.1,4.9,4.4,5.0,6.8,4.9,5.0,6.6,4.9,7.4,7.0,5.0,6.3,6.0,5.0,6.9,7.9,7.9,6.1,4.9,4.8,4.7,7.9,7.9,6.0,4.9,4.9,7.9,4.8,7.9,6.2] - detection-update: [.....1] [ip4][..tcp] [..192.168.1.160][54804] -> [..151.101.66.49][..443] [TLS.Cybersec][Unknown][Cybersecurity][Safe][feodotracker.abuse.ch] end: [.....1] [ip4][..tcp] [..192.168.1.160][54804] -> [..151.101.66.49][..443] [TLS.Cybersec][Unknown][Cybersecurity][Safe] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/default/tumblr.pcap.out b/test/results/flow-info/default/tumblr.pcap.out index 55bcbd32c..5ef517eb7 100644 --- a/test/results/flow-info/default/tumblr.pcap.out +++ b/test/results/flow-info/default/tumblr.pcap.out @@ -52,7 +52,6 @@ [IATS(ms)....: 0.4,4.8,0.4,27.2,3.0,0.3,2.7,17.3,45.1,0.5,0.5,0.6,0.0,0.6,0.0,7.3,0.0,7.3,0.0,0.3,0.0,0.2,0.0,0.2,0.0,0.2,0.0,1.0,0.0,1.0,0.0] [PKTLENS.....: 184,111,183,172,72,72,72,72,1472,72,1472,72,1472,1472,72,72,1472,1472,72,72,1472,1472,72,72,1472,1472,72,72,1472,1472,72,72] [ENTROPIES...: 6.6,5.9,6.6,6.5,5.0,5.0,4.9,5.0,7.9,5.1,7.9,5.1,7.9,7.8,5.1,5.1,7.9,7.8,5.1,5.1,7.9,7.9,5.1,5.1,7.9,7.8,5.1,5.1,7.9,7.9,5.1,5.1] - detection-update: [.....9] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][43434] -> [.....................64:ff9b::c000:4d28][..443] [TLS][Unknown][Web][Safe] new: [....11] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][58382] -> [..2606:2800:135:155a:23ba:b2a:25ff:122d][..443] detection-update: [....10] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][58380] -> [..2606:2800:135:155a:23ba:b2a:25ff:122d][..443] [TLS][Edgecast][Web][Safe][consent.cmp.oath.com] detected: [....11] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][58382] -> [..2606:2800:135:155a:23ba:b2a:25ff:122d][..443] [TLS][Edgecast][Web][Safe][consent.cmp.oath.com] @@ -87,7 +86,6 @@ [IATS(ms)....: 0.4,0.1,0.4,0.2,26.4,36.6,2.2,0.0,0.4,0.0,10.0,21.7,0.2,0.2,0.2,0.2,0.0,0.4,0.0,0.2,0.5,0.0,0.0,0.6,0.1,0.1,0.1,0.2,0.5,0.0,0.6] [PKTLENS.....: 192,111,201,202,143,108,72,72,72,72,72,1472,72,1472,72,1460,84,1472,72,72,1460,84,1327,103,72,72,111,1460,72,84,1460,72] [ENTROPIES...: 6.8,5.7,6.6,6.7,6.3,5.8,5.0,5.0,5.0,5.0,5.0,7.8,5.1,7.9,5.1,7.8,5.3,7.9,5.1,5.0,7.9,5.3,7.9,5.6,5.1,5.1,5.7,7.9,5.1,5.3,7.9,5.1] - detection-update: [....14] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56794] -> [.....................64:ff9b::c000:4d03][..443] [TLS][Unknown][Web][Safe] new: [....15] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51874] -> [.....................64:ff9b::c000:4c03][..443] [MIDSTREAM] detected: [....15] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51874] -> [.....................64:ff9b::c000:4c03][..443] [TLS][Unknown][Web][Safe] detection-update: [....15] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51874] -> [.....................64:ff9b::c000:4c03][..443] [TLS][Unknown][Web][Safe] @@ -136,7 +134,6 @@ [IATS(ms)....: 21.4,21.5,0.5,29.5,160.4,189.4,0.2,0.0,0.2,0.0,0.8,0.8,3.8,0.1,0.2,28.7,0.0,1.0,78.0,0.0,103.6,0.1,0.7,29.8,79.1,108.2,0.1,0.1,0.4,0.4,0.1] [PKTLENS.....: 80,80,72,589,72,1472,72,1472,1368,72,72,1073,72,157,163,523,72,72,72,338,142,72,72,102,72,1472,72,1472,72,1472,72,1472] [ENTROPIES...: 4.8,5.3,5.3,4.6,5.1,7.2,5.2,7.3,7.6,5.2,5.2,7.6,5.2,6.2,6.5,7.6,5.1,5.1,5.1,7.0,6.3,5.2,5.2,5.7,5.1,7.9,5.2,7.9,5.2,7.9,5.2,7.9] - detection-update: [....41] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][43328] -> [.....................64:ff9b::4a72:9a16][..443] [TLS.Tumblr][Unknown][SocialNetwork][Fun][catasters.tumblr.com] new: [....43] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][49548] -> [...............2a00:1450:4007:809::200e][..443] detected: [.....2] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][48240] -> [.....................64:ff9b::9765:789d][..443] [TLS][Unknown][Web][Safe] RISK: Unidirectional Traffic @@ -153,7 +150,6 @@ [IATS(ms)....: 19473.3,0.3,19513.6,0.0,40.0,0.1,0.0,0.0,0.0,0.0,0.0,0.6,0.6,1.1,0.0,0.0,0.0,0.0,0.0,0.0,1.1,0.0,0.1,0.0,0.0,0.0,0.0,0.1,0.0,0.0,0.0] [PKTLENS.....: 72,158,118,72,1120,72,1120,1120,72,72,1120,72,1120,72,1120,1120,1120,1120,1120,1120,1120,72,72,72,72,72,72,72,1120,1120,1120,1120] [ENTROPIES...: 5.3,6.2,5.8,5.1,7.8,5.2,7.8,7.8,5.2,5.2,7.8,5.2,7.8,5.3,7.8,7.8,7.8,7.8,7.8,7.8,7.8,5.3,5.2,5.3,5.3,5.2,5.2,5.3,7.8,7.8,7.8,7.8] - detection-update: [.....2] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][48240] -> [.....................64:ff9b::9765:789d][..443] [TLS][Unknown][Web][Safe] detected: [....44] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][38608] -> [...............2a00:1450:4007:80b::200a][..443] [TLS.GoogleServices][Google][Web][Acceptable][ajax.googleapis.com] detection-update: [....43] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][49548] -> [...............2a00:1450:4007:809::200e][..443] [TLS.Google][Google][Web][Acceptable][apis.google.com] detection-update: [....44] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][38608] -> [...............2a00:1450:4007:80b::200a][..443] [TLS.GoogleServices][Google][Web][Acceptable][ajax.googleapis.com] diff --git a/test/results/flow-info/default/viber.pcap.out b/test/results/flow-info/default/viber.pcap.out index 425179c1c..9dbacd4d2 100644 --- a/test/results/flow-info/default/viber.pcap.out +++ b/test/results/flow-info/default/viber.pcap.out @@ -42,7 +42,6 @@ [IATS(ms)....: 19.5,21.7,1.0,22.3,3.2,0.2,0.0,0.2,39.4,0.1,0.6,0.3,10.8,47.8,22.3,40.8,0.3,0.1,0.2,0.3,0.0,0.2,0.3,0.2,0.2,0.5,41.2,0.1,0.0,0.0,1.1] [PKTLENS.....: 60,60,52,235,52,1500,1500,1500,397,52,52,52,52,178,294,760,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,794,52,52,52,52,52] [ENTROPIES...: 4.6,5.2,5.2,5.6,5.1,7.2,7.5,7.5,7.3,5.1,5.2,5.2,5.2,6.4,7.2,7.7,7.9,7.9,7.9,7.9,7.9,7.9,7.9,7.9,7.9,7.9,7.7,5.2,5.2,5.1,5.2,5.1] - detection-update: [....10] [ip4][..tcp] [...192.168.0.17][53934] -> [...54.230.93.53][..443] [TLS.Viber][AmazonAWS][Chat][Fun][dl-media.viber.com] new: [....11] [ip4][..udp] [...192.168.0.17][41993] -> [.172.217.23.106][..443] new: [....12] [ip4][..udp] [...192.168.0.17][35331] -> [...192.168.0.15][...53] detected: [....12] [ip4][..udp] [...192.168.0.17][35331] -> [...192.168.0.15][...53] [DNS.Google][Unknown][Network][Acceptable][app-measurement.com] @@ -114,7 +113,7 @@ update: [.....2] [ip4][..udp] [...192.168.0.17][45743] -> [...192.168.0.15][...53] [DNS.Facebook][Unknown][Network][Fun] update: [.....4] [ip4][..udp] [...192.168.0.17][62872] -> [...192.168.0.15][...53] [DNS][Unknown][Network][Acceptable] DAEMON-EVENT: [Processed: 420 pkts][ZLib][compressions: 0|diff: 0 / 0] - DAEMON-EVENT: [Flows][active: 26 / 26|skipped: 0|!detected: 0|guessed: 0|detection-updates: 20|updates: 4] + DAEMON-EVENT: [Flows][active: 26 / 26|skipped: 0|!detected: 0|guessed: 0|detection-updates: 19|updates: 4] new: [....27] [ip4][..tcp] [..192.168.2.100][48690] -> [...52.0.252.145][.4244] detected: [....27] [ip4][..tcp] [..192.168.2.100][48690] -> [...52.0.252.145][.4244] [Viber][Viber][VoIP][Fun] end: [.....5] [ip4][..tcp] [...192.168.0.17][36986] -> [..54.69.166.226][..443] [TLS][AmazonAWS][Web][Safe] @@ -148,11 +147,11 @@ end: [....22] [ip4][..tcp] [...192.168.0.17][33744] -> [.....18.201.4.3][..443] idle: [.....9] [ip4][..udp] [...192.168.0.17][40445] -> [...192.168.0.15][...53] [DNS.Viber][Unknown][Network][Fun] DAEMON-EVENT: [Processed: 435 pkts][ZLib][compressions: 0|diff: 0 / 0] - DAEMON-EVENT: [Flows][active: 1 / 27|skipped: 0|!detected: 0|guessed: 4|detection-updates: 20|updates: 4] + DAEMON-EVENT: [Flows][active: 1 / 27|skipped: 0|!detected: 0|guessed: 4|detection-updates: 19|updates: 4] new: [....28] [ip4][..tcp] [..192.168.2.100][41184] -> [.....52.0.252.2][.5242] detected: [....28] [ip4][..tcp] [..192.168.2.100][41184] -> [.....52.0.252.2][.5242] [Viber][Viber][VoIP][Fun] DAEMON-EVENT: [Processed: 446 pkts][ZLib][compressions: 0|diff: 0 / 0] - DAEMON-EVENT: [Flows][active: 2 / 28|skipped: 0|!detected: 0|guessed: 4|detection-updates: 20|updates: 4] + DAEMON-EVENT: [Flows][active: 2 / 28|skipped: 0|!detected: 0|guessed: 4|detection-updates: 19|updates: 4] new: [....29] [ip4][..tcp] [..192.168.2.100][42900] -> [..44.192.202.74][.4244] [MIDSTREAM] detected: [....29] [ip4][..tcp] [..192.168.2.100][42900] -> [..44.192.202.74][.4244] [Viber][AmazonAWS][VoIP][Fun] idle: [....29] [ip4][..tcp] [..192.168.2.100][42900] -> [..44.192.202.74][.4244] [Viber][AmazonAWS][VoIP][Fun] diff --git a/test/results/flow-info/default/vk.pcapng.out b/test/results/flow-info/default/vk.pcapng.out index a628ea051..29687ef00 100644 --- a/test/results/flow-info/default/vk.pcapng.out +++ b/test/results/flow-info/default/vk.pcapng.out @@ -23,8 +23,6 @@ [IATS(ms)....: 1010.0,14.6,15.3,1.7,16.3,0.0,0.0,0.0,0.0,15.1,0.0,227.7,0.0,0.0,0.0,2.7,0.0,12.8,0.0,1.5,0.0,0.0,1.5,1.1,1.6,11.1,2.5,1.5,0.0,0.8,1.2] [PKTLENS.....: 638,758,52,596,501,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,64,64,64,64,64,52,52,52,52,52,52] [ENTROPIES...: 7.7,7.8,5.2,7.6,7.6,5.2,5.2,5.2,5.3,5.3,5.2,5.2,5.2,5.3,5.2,5.1,5.3,5.2,5.2,5.2,5.2,5.3,5.3,5.2,5.3,5.3,5.2,5.3,5.2,5.2,5.2,5.2] - detection-update: [.....3] [ip4][..tcp] [..192.168.1.249][60436] -> [..87.240.132.78][..443] [TLS][VK][Web][Safe] - RISK: Unidirectional Traffic new: [.....4] [ip4][..tcp] [..192.168.1.249][59154] -> [.87.240.185.137][..443] new: [.....5] [ip4][..tcp] [..192.168.1.249][32990] -> [..87.240.169.10][..443] detected: [.....4] [ip4][..tcp] [..192.168.1.249][59154] -> [.87.240.185.137][..443] [TLS.VK][VK][SocialNetwork][Fun][sun9-10.userapi.com] @@ -45,8 +43,6 @@ [IATS(ms)....: 0.0,14.3,23.0,2006.6,0.0,0.8,13.5,98.2,1614.5,0.3,0.1,0.3,0.3,13.2,1.2,18.4,1.7,0.9,6.9,22.6,0.0,179.8,0.0,14.1,67.4,0.0,0.0,579.5,0.0,1.0,13.7] [PKTLENS.....: 247,332,52,52,240,776,565,52,52,385,563,339,564,1017,52,52,52,52,52,52,52,52,243,316,52,52,52,52,250,563,429,52] [ENTROPIES...: 7.2,7.4,5.2,5.2,7.0,7.7,7.6,5.1,5.2,7.4,7.6,7.3,7.6,7.8,5.1,5.1,5.1,5.1,5.1,5.1,5.1,5.1,7.1,7.3,5.1,5.1,5.2,5.1,7.2,7.6,7.5,5.1] - detection-update: [.....2] [ip4][..tcp] [..192.168.1.249][40344] -> [.87.240.129.140][..443] [TLS][VK][Web][Safe] - RISK: Unidirectional Traffic new: [.....7] [ip4][..tcp] [..192.168.1.249][47934] -> [...87.240.169.3][..443] new: [.....8] [ip4][..tcp] [..192.168.1.249][59722] -> [..87.240.169.11][..443] detected: [.....7] [ip4][..tcp] [..192.168.1.249][47934] -> [...87.240.169.3][..443] [TLS.VK][VK][SocialNetwork][Fun][sun9-80.userapi.com] diff --git a/test/results/flow-info/default/waze.pcap.out b/test/results/flow-info/default/waze.pcap.out index fb8d61969..753e6544a 100644 --- a/test/results/flow-info/default/waze.pcap.out +++ b/test/results/flow-info/default/waze.pcap.out @@ -77,8 +77,6 @@ [IATS(ms)....: 1.2,10.9,357.2,367.1,474.4,475.3,8.1,9.0,265.9,317.7,52.0,0.9,0.6,0.3,0.3,1430.1,1483.3,119.5,172.8,51.4,51.9,1.4,0.9,0.5,0.4,0.3,0.4,1601.9,1658.8,0.2,57.1] [PKTLENS.....: 60,40,40,222,40,3187,40,366,40,274,189,40,576,40,101,40,5501,40,189,40,576,40,576,40,576,40,101,40,4397,40,189,40] [ENTROPIES...: 4.3,4.7,4.7,5.2,4.7,7.4,4.6,7.3,4.7,7.0,6.9,4.6,7.6,4.7,6.1,4.6,8.0,4.7,6.8,4.6,7.6,4.6,7.7,4.6,7.6,4.7,6.2,4.7,8.0,4.6,6.8,4.6] - detection-update: [.....5] [ip4][..tcp] [.......10.8.0.1][36100] -> [..46.51.173.182][..443] [TLS.Waze][AmazonAWS][Web][Acceptable][] - RISK: Obsolete TLS (v1.1 or older), Weak TLS Cipher detection-update: [....12] [ip4][..tcp] [.......10.8.0.1][51050] -> [.176.34.103.105][..443] [TLS][AmazonAWS][Web][Safe][] RISK: Obsolete TLS (v1.1 or older) detection-update: [....13] [ip4][..tcp] [.......10.8.0.1][51051] -> [.176.34.103.105][..443] [TLS.Waze][AmazonAWS][Web][Acceptable][] @@ -142,8 +140,6 @@ [IATS(ms)....: 2.4,2.8,291.8,292.5,279.8,332.4,52.7,50.7,425.1,475.7,259.9,310.7,0.7,51.4,0.6,0.7,0.5,0.3,293.9,546.0,252.8,1.5,20.2,21.2,56.9,56.8,156.2,205.9,52.7,4.2,1449.2] [PKTLENS.....: 60,40,40,222,40,1052,40,2519,40,174,40,274,40,576,40,389,40,77,40,10160,40,8136,40,1052,40,11172,40,1052,40,6576,40,40] [ENTROPIES...: 4.4,4.8,4.8,5.2,4.7,7.0,4.8,7.6,4.6,6.6,4.7,7.0,4.7,7.6,4.8,7.4,4.7,5.7,4.7,8.0,4.8,8.0,4.7,7.8,4.7,8.0,4.8,7.8,4.8,8.0,4.7,4.8] - detection-update: [....19] [ip4][..tcp] [.......10.8.0.1][36312] -> [.176.34.186.180][..443] [TLS.Waze][AmazonAWS][Web][Acceptable][] - RISK: Obsolete TLS (v1.1 or older) analyse: [.....6] [ip4][..tcp] [.......10.8.0.1][36102] -> [..46.51.173.182][..443] [TLS.Waze][AmazonAWS][Web][Acceptable] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 5.891| 1.026| 1.779| 3164212.036| 3.400] diff --git a/test/results/flow-info/default/webex.pcap.out b/test/results/flow-info/default/webex.pcap.out index d9accedc8..f3d4f355e 100644 --- a/test/results/flow-info/default/webex.pcap.out +++ b/test/results/flow-info/default/webex.pcap.out @@ -16,8 +16,6 @@ [IATS(ms)....: 6.5,6.7,0.2,0.6,505.7,557.3,57.9,60.1,0.9,55.6,257.5,309.3,10.1,61.4,0.8,0.7,299.2,351.3,56.0,56.2,0.8,52.9,0.4,2.8,268.6,322.3,52.3,51.9,18.4,69.5,0.5] [PKTLENS.....: 60,40,40,235,40,2760,40,1259,40,350,40,83,40,576,40,124,40,1400,40,809,40,576,40,314,40,1400,40,748,40,576,40,504] [ENTROPIES...: 4.4,4.7,4.7,5.5,4.7,7.3,4.8,7.1,4.7,7.2,4.6,5.6,4.6,7.7,4.5,6.3,4.6,7.9,4.7,7.8,4.8,7.6,4.6,7.3,4.7,7.9,4.7,7.7,4.7,7.6,4.5,7.6] - detection-update: [.....1] [ip4][..tcp] [.......10.8.0.1][41346] -> [..64.68.105.103][..443] [TLS.Webex][Webex][VoIP][Acceptable][radcom.webex.com] - RISK: TLS (probably) Not Carrying HTTPS new: [.....2] [ip4][..tcp] [.......10.8.0.1][41348] -> [..64.68.105.103][..443] detected: [.....2] [ip4][..tcp] [.......10.8.0.1][41348] -> [..64.68.105.103][..443] [TLS.Webex][Webex][VoIP][Acceptable][radcom.webex.com] RISK: TLS (probably) Not Carrying HTTPS diff --git a/test/results/flow-info/default/wechat.pcap.out b/test/results/flow-info/default/wechat.pcap.out index 52bfd3a29..a9fd8499b 100644 --- a/test/results/flow-info/default/wechat.pcap.out +++ b/test/results/flow-info/default/wechat.pcap.out @@ -205,7 +205,6 @@ [IATS(ms)....: 360.8,360.9,1.1,320.2,2.0,321.1,0.8,0.8,0.5,0.5,2.5,331.8,329.8,339.6,0.8,339.8,0.5,4.5,5.1,2.5,2.5,1.1,1.1,271.4,646.7,0.8,376.1,0.5,0.9,1.5,0.5] [PKTLENS.....: 60,60,52,290,52,1480,52,1480,52,312,52,178,103,1140,1480,1480,52,1480,1480,52,2908,52,3120,52,1140,1480,1480,52,1480,1480,52,1480] [ENTROPIES...: 4.7,5.2,5.0,5.9,5.1,6.8,5.1,7.5,5.0,7.3,5.0,6.4,5.8,7.9,7.9,7.9,5.1,7.9,7.9,5.0,7.9,5.0,7.9,5.0,7.8,7.9,7.9,5.0,7.9,7.9,5.1,7.9] - detection-update: [....35] [ip4][..tcp] [..192.168.1.103][54103] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun][web.wechat.com] analyse: [....33] [ip4][..tcp] [..192.168.1.103][54101] -> [203.205.151.162][..443] [TLS.WeChat][Unknown][Chat][Fun] min| max| avg| stddev| variance| entropy [IAT.........: < 0.001| 0.952| 0.213| 0.233| 54375.543| 4.000] @@ -471,7 +470,6 @@ [IATS(ms)....: 268.3,268.4,0.5,270.4,0.8,270.7,0.4,0.4,1.0,1.0,2.8,273.1,271.4,0.2,0.0,0.0,0.0,0.0,1.2,289.4,22.8,22.4,9.7,380.7,1255.6,5.0,1577.0,73.3,351.0,6.0,3.3] [PKTLENS.....: 60,60,52,290,52,1480,52,1480,52,312,52,178,103,1232,1480,1480,1480,1480,1480,315,52,52,52,143,52,1220,513,52,283,52,1292,527] [ENTROPIES...: 4.7,5.2,4.9,5.8,5.0,6.8,4.8,7.5,4.8,7.2,4.9,6.3,5.9,7.8,7.9,7.9,7.9,7.9,7.9,7.2,5.0,4.8,4.9,6.4,5.0,7.8,7.5,5.1,7.2,4.9,7.8,7.5] - detection-update: [....72] [ip4][..tcp] [..192.168.1.103][58040] -> [203.205.147.171][..443] [TLS.WeChat][Tencent][Chat][Fun][web.wechat.com] detected: [....73] [ip4][..tcp] [..192.168.1.103][58041] -> [203.205.147.171][..443] [TLS.WeChat][Tencent][Chat][Fun][web.wechat.com] detection-update: [....73] [ip4][..tcp] [..192.168.1.103][58041] -> [203.205.147.171][..443] [TLS.WeChat][Tencent][Chat][Fun][web.wechat.com] detection-update: [....73] [ip4][..tcp] [..192.168.1.103][58041] -> [203.205.147.171][..443] [TLS.WeChat][Tencent][Chat][Fun][web.wechat.com] @@ -507,7 +505,7 @@ update: [....54] [ip4][..udp] [..192.168.1.103][60356] -> [..192.168.1.254][...53] [DNS.WeChat][Unknown][Network][Fun] update: [....68] [ip6][icmp6] [...............fe80::842:a3f3:a286:6c5b] -> [................................ff02::2] [ICMPV6][Unknown][Network][Acceptable] DAEMON-EVENT: [Processed: 1552 pkts][ZLib][compressions: 0|diff: 0 / 0] - DAEMON-EVENT: [Flows][active: 30 / 75|skipped: 0|!detected: 0|guessed: 11|detection-updates: 63|updates: 72] + DAEMON-EVENT: [Flows][active: 30 / 75|skipped: 0|!detected: 0|guessed: 11|detection-updates: 61|updates: 72] new: [....76] [ip4][..tcp] [..192.168.1.103][54183] -> [203.205.151.162][..443] [MIDSTREAM] detected: [....76] [ip4][..tcp] [..192.168.1.103][54183] -> [203.205.151.162][..443] [TLS][Unknown][Web][Safe] new: [....77] [ip4][..tcp] [..192.168.1.103][54205] -> [.64.233.167.188][..443] [MIDSTREAM] diff --git a/test/results/flow-info/default/whatsapp_login_call.pcap.out b/test/results/flow-info/default/whatsapp_login_call.pcap.out index b9df754f8..f58bc5b27 100644 --- a/test/results/flow-info/default/whatsapp_login_call.pcap.out +++ b/test/results/flow-info/default/whatsapp_login_call.pcap.out @@ -41,8 +41,6 @@ [IATS(ms)....: 281.8,283.2,8.7,294.4,1.1,0.0,286.0,0.8,0.5,0.6,39.8,0.2,0.3,326.4,1.4,0.4,3.0,289.9,5.8,0.5,0.0,317.5,1.9,68.9,0.6,382.6,405.2,0.7,0.0,712.5,2.0] [PKTLENS.....: 64,52,40,230,1480,1480,571,40,40,40,40,307,46,77,40,40,40,83,40,1480,1480,153,40,40,1480,1196,40,1480,1480,153,40,40] [ENTROPIES...: 4.5,4.9,4.7,5.6,7.2,7.4,6.9,4.9,4.9,4.9,4.8,7.2,4.8,5.7,4.8,4.8,4.8,5.8,4.9,7.9,7.9,6.7,4.7,4.7,7.9,7.8,4.9,7.9,7.8,6.7,4.8,4.8] - detection-update: [....13] [ip4][..tcp] [....192.168.2.4][49201] -> [..17.178.104.12][..443] [TLS.Apple][Apple][Web][Safe][query.ess.apple.com] - RISK: TLS (probably) Not Carrying HTTPS new: [....17] [ip4][..tcp] [....192.168.2.4][49204] -> [..17.173.66.102][..443] analyse: [....14] [ip4][..tcp] [....192.168.2.4][49202] -> [.184.173.179.37][.5222] [WhatsApp][Unknown][Chat][Acceptable] min| max| avg| stddev| variance| entropy diff --git a/test/results/flow-info/default/zoom.pcap.out b/test/results/flow-info/default/zoom.pcap.out index 1a3feed97..781f6c8c4 100644 --- a/test/results/flow-info/default/zoom.pcap.out +++ b/test/results/flow-info/default/zoom.pcap.out @@ -72,7 +72,6 @@ [IATS(ms)....: 112.4,112.5,31.1,144.0,1.8,0.2,0.0,114.8,0.2,0.2,7.2,2.9,121.9,111.9,4.3,0.0,116.6,98.0,0.5,0.0,210.7,0.0,0.2,0.1,0.2,0.1,0.1,0.2,0.1,0.0,0.1] [PKTLENS.....: 64,52,40,557,46,1492,1492,1492,40,1292,40,40,231,91,40,731,850,46,1492,1492,1492,40,40,1492,1492,40,1492,1492,40,1492,445,40] [ENTROPIES...: 4.4,4.9,4.5,4.1,4.5,7.1,7.3,7.3,4.7,7.6,4.6,4.7,6.9,5.7,4.7,7.7,7.7,4.5,7.9,7.9,7.9,4.7,4.6,7.9,7.9,4.7,7.9,7.9,4.6,7.9,7.5,4.6] - detection-update: [....21] [ip4][..tcp] [..192.168.1.117][54866] -> [..52.202.62.236][..443] [TLS.Zoom][Zoom][Video][Acceptable][www3.zoom.us] new: [....22] [ip4][..udp] [..192.168.1.117][57621] -> [..192.168.1.255][57621] detected: [....22] [ip4][..udp] [..192.168.1.117][57621] -> [..192.168.1.255][57621] [Spotify][Unknown][Music][Fun] new: [....23] [ip4][..udp] [..192.168.1.117][62563] -> [....192.168.1.1][...53] diff --git a/test/results/stats/caches_cfg/teams.pcap.out b/test/results/stats/caches_cfg/teams.pcap.out index b62944f9b..0e7b01f2d 100644 --- a/test/results/stats/caches_cfg/teams.pcap.out +++ b/test/results/stats/caches_cfg/teams.pcap.out @@ -1,5 +1,5 @@ -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:681 -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:649502 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:674 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:637423 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_new_count" interval=60 N:83 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_end_count" interval=60 N:17 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_idle_count" interval=60 N:66 @@ -7,7 +7,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_update_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_analyse_count" interval=60 N:16 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_guessed_count" interval=60 N:2 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detected_count" interval=60 N:80 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:64 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:57 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_not_detected_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_src_total_bytes" interval=60 N:293772 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_dst_total_bytes" interval=60 N:293323 @@ -18,8 +18,8 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-init_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-reconnect_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-shutdown_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-status_count" interval=60 N:1 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_safe_count" interval=60 N:89 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_acceptable_count" interval=60 N:54 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_safe_count" interval=60 N:83 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_acceptable_count" interval=60 N:53 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_fun_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_unsafe_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_potentially_dangerous_count" interval=60 N:0 @@ -39,9 +39,9 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_chat_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_voip_count" interval=60 N:24 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_database_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_remote_access_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_cloud_count" interval=60 N:22 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_cloud_count" interval=60 N:19 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_network_count" interval=60 N:52 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_collaborative_count" interval=60 N:43 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_collaborative_count" interval=60 N:39 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_rpc_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_streaming_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_system_count" interval=60 N:0 @@ -101,7 +101,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_11_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_12_count" interval=60 N:2 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_13_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_14_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_15_count" interval=60 N:37 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_15_count" interval=60 N:33 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_16_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_17_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_18_count" interval=60 N:0 diff --git a/test/results/stats/default/KakaoTalk_chat.pcap.out b/test/results/stats/default/KakaoTalk_chat.pcap.out index 2bff2e447..b3dd53747 100644 --- a/test/results/stats/default/KakaoTalk_chat.pcap.out +++ b/test/results/stats/default/KakaoTalk_chat.pcap.out @@ -1,5 +1,5 @@ -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:271 -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:239386 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:270 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:237305 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_new_count" interval=60 N:38 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_end_count" interval=60 N:8 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_idle_count" interval=60 N:30 @@ -7,7 +7,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_update_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_analyse_count" interval=60 N:3 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_guessed_count" interval=60 N:5 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detected_count" interval=60 N:33 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:34 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:33 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_not_detected_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_src_total_bytes" interval=60 N:15862 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_dst_total_bytes" interval=60 N:36150 @@ -20,7 +20,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-shutdown_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-status_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_safe_count" interval=60 N:14 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_acceptable_count" interval=60 N:33 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_fun_count" interval=60 N:21 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_fun_count" interval=60 N:20 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_unsafe_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_potentially_dangerous_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_tracker_ads_count" interval=60 N:0 @@ -32,7 +32,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_vpn_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_email_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_data_transfer_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_web_count" interval=60 N:14 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_social_network_count" interval=60 N:15 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_social_network_count" interval=60 N:14 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_download_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_game_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_chat_count" interval=60 N:1 @@ -93,7 +93,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_3_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_4_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_5_count" interval=60 N:4 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_6_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_7_count" interval=60 N:13 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_7_count" interval=60 N:12 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_8_count" interval=60 N:2 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_9_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_10_count" interval=60 N:0 diff --git a/test/results/stats/default/alexa-app.pcapng.out b/test/results/stats/default/alexa-app.pcapng.out index de80db62e..e41715f4f 100644 --- a/test/results/stats/default/alexa-app.pcapng.out +++ b/test/results/stats/default/alexa-app.pcapng.out @@ -1,5 +1,5 @@ -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:1424 -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:1275029 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:1415 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:1259545 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_new_count" interval=60 N:160 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_end_count" interval=60 N:104 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_idle_count" interval=60 N:56 @@ -7,7 +7,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_update_count" interval=60 N:77 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_analyse_count" interval=60 N:23 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_guessed_count" interval=60 N:14 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detected_count" interval=60 N:146 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:152 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:143 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_not_detected_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_src_total_bytes" interval=60 N:399153 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_dst_total_bytes" interval=60 N:588052 @@ -19,7 +19,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-reconnect_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-shutdown_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-status_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_safe_count" interval=60 N:15 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_acceptable_count" interval=60 N:360 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_acceptable_count" interval=60 N:351 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_fun_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_unsafe_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_potentially_dangerous_count" interval=60 N:0 @@ -31,7 +31,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_media_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_vpn_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_email_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_data_transfer_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_web_count" interval=60 N:181 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_web_count" interval=60 N:173 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_social_network_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_download_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_game_count" interval=60 N:0 @@ -39,7 +39,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_chat_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_voip_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_database_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_remote_access_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_cloud_count" interval=60 N:35 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_cloud_count" interval=60 N:34 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_network_count" interval=60 N:147 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_collaborative_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_rpc_count" interval=60 N:0 @@ -94,14 +94,14 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_4_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_5_count" interval=60 N:2 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_6_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_7_count" interval=60 N:8 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_8_count" interval=60 N:52 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_8_count" interval=60 N:51 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_9_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_10_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_11_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_12_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_13_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_14_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_15_count" interval=60 N:27 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_15_count" interval=60 N:24 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_16_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_17_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_18_count" interval=60 N:0 diff --git a/test/results/stats/default/anyconnect-vpn.pcap.out b/test/results/stats/default/anyconnect-vpn.pcap.out index 7d909182f..c9e4b65bc 100644 --- a/test/results/stats/default/anyconnect-vpn.pcap.out +++ b/test/results/stats/default/anyconnect-vpn.pcap.out @@ -1,5 +1,5 @@ -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:459 -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:389043 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:457 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:385288 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_new_count" interval=60 N:69 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_end_count" interval=60 N:10 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_idle_count" interval=60 N:59 @@ -7,7 +7,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_update_count" interval=60 N:3 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_analyse_count" interval=60 N:3 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_guessed_count" interval=60 N:6 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detected_count" interval=60 N:61 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:36 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:34 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_not_detected_count" interval=60 N:2 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_src_total_bytes" interval=60 N:38688 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_dst_total_bytes" interval=60 N:56727 @@ -18,7 +18,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-init_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-reconnect_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-shutdown_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-status_count" interval=60 N:1 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_safe_count" interval=60 N:23 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_safe_count" interval=60 N:21 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_acceptable_count" interval=60 N:77 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_fun_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_unsafe_count" interval=60 N:0 @@ -31,7 +31,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_media_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_vpn_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_email_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_data_transfer_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_web_count" interval=60 N:23 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_web_count" interval=60 N:21 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_social_network_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_download_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_game_count" interval=60 N:0 @@ -94,14 +94,14 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_4_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_5_count" interval=60 N:6 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_6_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_7_count" interval=60 N:2 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_8_count" interval=60 N:8 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_8_count" interval=60 N:6 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_9_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_10_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_11_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_12_count" interval=60 N:2 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_13_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_14_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_15_count" interval=60 N:6 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_15_count" interval=60 N:5 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_16_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_17_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_18_count" interval=60 N:0 @@ -110,7 +110,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_20_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_21_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_22_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_23_count" interval=60 N:2 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_24_count" interval=60 N:13 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_24_count" interval=60 N:11 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_25_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_26_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_27_count" interval=60 N:0 @@ -138,5 +138,5 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_48_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_49_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_50_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_51_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_52_count" interval=60 N:7 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_52_count" interval=60 N:6 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_53_count" interval=60 N:0 diff --git a/test/results/stats/default/anydesk.pcapng.out b/test/results/stats/default/anydesk.pcapng.out index c38575758..b8ce7c421 100644 --- a/test/results/stats/default/anydesk.pcapng.out +++ b/test/results/stats/default/anydesk.pcapng.out @@ -1,5 +1,5 @@ -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:67 -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:66736 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:66 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:64887 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_new_count" interval=60 N:7 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_end_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_idle_count" interval=60 N:6 @@ -7,7 +7,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_update_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_analyse_count" interval=60 N:3 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_guessed_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detected_count" interval=60 N:7 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:9 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:8 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_not_detected_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_src_total_bytes" interval=60 N:19883 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_dst_total_bytes" interval=60 N:15955 @@ -19,7 +19,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-reconnect_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-shutdown_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-status_count" interval=60 N:3 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_safe_count" interval=60 N:5 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_acceptable_count" interval=60 N:11 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_acceptable_count" interval=60 N:10 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_fun_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_unsafe_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_potentially_dangerous_count" interval=60 N:0 @@ -38,7 +38,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_game_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_chat_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_voip_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_database_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_remote_access_count" interval=60 N:7 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_remote_access_count" interval=60 N:6 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_cloud_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_network_count" interval=60 N:4 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_collaborative_count" interval=60 N:0 @@ -91,7 +91,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_1_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_2_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_3_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_4_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_5_count" interval=60 N:9 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_5_count" interval=60 N:8 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_6_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_7_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_8_count" interval=60 N:1 @@ -101,7 +101,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_11_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_12_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_13_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_14_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_15_count" interval=60 N:8 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_15_count" interval=60 N:7 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_16_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_17_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_18_count" interval=60 N:0 @@ -110,13 +110,13 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_20_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_21_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_22_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_23_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_24_count" interval=60 N:11 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_24_count" interval=60 N:10 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_25_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_26_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_27_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_28_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_29_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_30_count" interval=60 N:5 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_30_count" interval=60 N:4 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_31_count" interval=60 N:3 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_32_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_33_count" interval=60 N:0 diff --git a/test/results/stats/default/bets.pcapng.out b/test/results/stats/default/bets.pcapng.out index 9b2d3a04c..7aac7e198 100644 --- a/test/results/stats/default/bets.pcapng.out +++ b/test/results/stats/default/bets.pcapng.out @@ -1,5 +1,5 @@ -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:14 -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:12528 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:13 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:11297 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_new_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_end_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_idle_count" interval=60 N:0 @@ -7,7 +7,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_update_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_analyse_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_guessed_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detected_count" interval=60 N:1 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:2 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_not_detected_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_src_total_bytes" interval=60 N:573 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_dst_total_bytes" interval=60 N:6919 @@ -18,7 +18,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-init_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-reconnect_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-shutdown_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-status_count" interval=60 N:1 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_safe_count" interval=60 N:3 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_safe_count" interval=60 N:2 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_acceptable_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_fun_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_unsafe_count" interval=60 N:0 @@ -31,7 +31,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_media_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_vpn_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_email_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_data_transfer_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_web_count" interval=60 N:3 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_web_count" interval=60 N:2 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_social_network_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_download_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_game_count" interval=60 N:0 diff --git a/test/results/stats/default/emotet.pcap.out b/test/results/stats/default/emotet.pcap.out index 59dcd4855..c1c65e54e 100644 --- a/test/results/stats/default/emotet.pcap.out +++ b/test/results/stats/default/emotet.pcap.out @@ -1,5 +1,5 @@ -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:64 -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:61783 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:63 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:60034 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_new_count" interval=60 N:6 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_end_count" interval=60 N:6 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_idle_count" interval=60 N:0 @@ -7,7 +7,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_update_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_analyse_count" interval=60 N:5 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_guessed_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detected_count" interval=60 N:6 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:5 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:4 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_not_detected_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_src_total_bytes" interval=60 N:406814 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_dst_total_bytes" interval=60 N:1588411 @@ -18,7 +18,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-init_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-reconnect_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-shutdown_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-status_count" interval=60 N:4 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_safe_count" interval=60 N:5 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_safe_count" interval=60 N:4 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_acceptable_count" interval=60 N:6 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_fun_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_unsafe_count" interval=60 N:0 @@ -31,7 +31,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_media_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_vpn_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_email_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_data_transfer_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_web_count" interval=60 N:8 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_web_count" interval=60 N:7 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_social_network_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_download_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_game_count" interval=60 N:0 @@ -92,7 +92,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_2_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_3_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_4_count" interval=60 N:2 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_5_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_6_count" interval=60 N:2 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_6_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_7_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_8_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_9_count" interval=60 N:0 @@ -101,7 +101,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_11_count" interval=60 N:2 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_12_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_13_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_14_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_15_count" interval=60 N:5 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_15_count" interval=60 N:4 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_16_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_17_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_18_count" interval=60 N:0 @@ -110,7 +110,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_20_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_21_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_22_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_23_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_24_count" interval=60 N:5 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_24_count" interval=60 N:4 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_25_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_26_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_27_count" interval=60 N:0 diff --git a/test/results/stats/default/ftp-start-tls.pcap.out b/test/results/stats/default/ftp-start-tls.pcap.out index dc41f7bdd..484f0714f 100644 --- a/test/results/stats/default/ftp-start-tls.pcap.out +++ b/test/results/stats/default/ftp-start-tls.pcap.out @@ -1,5 +1,5 @@ -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:16 -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:16095 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:15 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:14689 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_new_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_end_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_idle_count" interval=60 N:1 @@ -7,7 +7,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_update_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_analyse_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_guessed_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detected_count" interval=60 N:1 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:4 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:3 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_not_detected_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_src_total_bytes" interval=60 N:856 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_dst_total_bytes" interval=60 N:3834 @@ -21,7 +21,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-status_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_safe_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_acceptable_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_fun_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_unsafe_count" interval=60 N:5 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_unsafe_count" interval=60 N:4 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_potentially_dangerous_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_tracker_ads_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_dangerous_count" interval=60 N:0 @@ -59,7 +59,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_site_unavail_count" interval PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_allowed_site_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_antimalware_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_crypto_currency_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_unknown_count" interval=60 N:5 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_unknown_count" interval=60 N:4 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_l3_ip4_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_l3_ip6_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_l3_other_count" interval=60 N:0 @@ -94,23 +94,23 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_4_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_5_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_6_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_7_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_8_count" interval=60 N:3 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_8_count" interval=60 N:2 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_9_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_10_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_11_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_12_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_13_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_14_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_15_count" interval=60 N:4 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_15_count" interval=60 N:3 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_16_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_17_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_18_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_19_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_20_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_21_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_22_count" interval=60 N:5 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_22_count" interval=60 N:4 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_23_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_24_count" interval=60 N:4 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_24_count" interval=60 N:3 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_25_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_26_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_27_count" interval=60 N:0 diff --git a/test/results/stats/default/geforcenow.pcapng.out b/test/results/stats/default/geforcenow.pcapng.out index f5fc29235..1f6b44d7f 100644 --- a/test/results/stats/default/geforcenow.pcapng.out +++ b/test/results/stats/default/geforcenow.pcapng.out @@ -1,5 +1,5 @@ -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:28 -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:34935 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:27 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:33178 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_new_count" interval=60 N:2 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_end_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_idle_count" interval=60 N:2 @@ -7,7 +7,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_update_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_analyse_count" interval=60 N:2 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_guessed_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detected_count" interval=60 N:2 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:7 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:6 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_not_detected_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_src_total_bytes" interval=60 N:9542 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_dst_total_bytes" interval=60 N:53610 @@ -20,7 +20,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-shutdown_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-status_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_safe_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_acceptable_count" interval=60 N:3 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_fun_count" interval=60 N:5 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_fun_count" interval=60 N:4 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_unsafe_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_potentially_dangerous_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_tracker_ads_count" interval=60 N:0 @@ -34,7 +34,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_data_transfer_count" interva PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_web_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_social_network_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_download_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_game_count" interval=60 N:5 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_game_count" interval=60 N:4 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_chat_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_voip_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_database_count" interval=60 N:0 @@ -91,7 +91,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_1_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_2_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_3_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_4_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_5_count" interval=60 N:9 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_5_count" interval=60 N:8 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_6_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_7_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_8_count" interval=60 N:0 diff --git a/test/results/stats/default/imap-starttls.pcap.out b/test/results/stats/default/imap-starttls.pcap.out index 3fa407c53..5835c7add 100644 --- a/test/results/stats/default/imap-starttls.pcap.out +++ b/test/results/stats/default/imap-starttls.pcap.out @@ -1,5 +1,5 @@ -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:16 -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:16011 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:15 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:14694 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_new_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_end_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_idle_count" interval=60 N:0 @@ -7,7 +7,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_update_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_analyse_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_guessed_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detected_count" interval=60 N:1 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:4 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:3 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_not_detected_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_src_total_bytes" interval=60 N:540 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_dst_total_bytes" interval=60 N:5653 @@ -18,7 +18,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-init_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-reconnect_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-shutdown_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-status_count" interval=60 N:1 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_safe_count" interval=60 N:5 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_safe_count" interval=60 N:4 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_acceptable_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_fun_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_unsafe_count" interval=60 N:0 @@ -29,7 +29,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_unrated_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_unknown_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_media_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_vpn_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_email_count" interval=60 N:5 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_email_count" interval=60 N:4 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_data_transfer_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_web_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_social_network_count" interval=60 N:0 @@ -91,7 +91,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_1_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_2_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_3_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_4_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_5_count" interval=60 N:5 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_5_count" interval=60 N:4 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_6_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_7_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_8_count" interval=60 N:0 @@ -101,7 +101,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_11_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_12_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_13_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_14_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_15_count" interval=60 N:4 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_15_count" interval=60 N:3 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_16_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_17_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_18_count" interval=60 N:0 @@ -110,7 +110,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_20_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_21_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_22_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_23_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_24_count" interval=60 N:4 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_24_count" interval=60 N:3 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_25_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_26_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_27_count" interval=60 N:0 diff --git a/test/results/stats/default/instagram.pcap.out b/test/results/stats/default/instagram.pcap.out index 8025dcf72..c13294f60 100644 --- a/test/results/stats/default/instagram.pcap.out +++ b/test/results/stats/default/instagram.pcap.out @@ -1,5 +1,5 @@ -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:300 -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:319028 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:299 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:318080 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_new_count" interval=60 N:38 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_end_count" interval=60 N:6 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_idle_count" interval=60 N:32 @@ -7,7 +7,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_update_count" interval=60 N:4 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_analyse_count" interval=60 N:9 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_guessed_count" interval=60 N:7 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detected_count" interval=60 N:30 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:19 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:18 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_not_detected_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_src_total_bytes" interval=60 N:210270 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_dst_total_bytes" interval=60 N:440492 @@ -18,7 +18,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-init_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-reconnect_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-shutdown_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-status_count" interval=60 N:2 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_safe_count" interval=60 N:6 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_safe_count" interval=60 N:5 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_acceptable_count" interval=60 N:6 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_fun_count" interval=60 N:40 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_unsafe_count" interval=60 N:0 @@ -31,7 +31,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_media_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_vpn_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_email_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_data_transfer_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_web_count" interval=60 N:6 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_web_count" interval=60 N:5 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_social_network_count" interval=60 N:33 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_download_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_game_count" interval=60 N:0 diff --git a/test/results/stats/default/iphone.pcap.out b/test/results/stats/default/iphone.pcap.out index 1a888a81c..b818fd474 100644 --- a/test/results/stats/default/iphone.pcap.out +++ b/test/results/stats/default/iphone.pcap.out @@ -1,5 +1,5 @@ -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:357 -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:325989 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:356 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:322035 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_new_count" interval=60 N:51 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_end_count" interval=60 N:3 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_idle_count" interval=60 N:48 @@ -7,7 +7,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_update_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_analyse_count" interval=60 N:4 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_guessed_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detected_count" interval=60 N:50 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:41 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:40 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_not_detected_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_src_total_bytes" interval=60 N:99351 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_dst_total_bytes" interval=60 N:91009 @@ -19,7 +19,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-reconnect_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-shutdown_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-status_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_safe_count" interval=60 N:35 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_acceptable_count" interval=60 N:39 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_acceptable_count" interval=60 N:38 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_fun_count" interval=60 N:17 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_unsafe_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_potentially_dangerous_count" interval=60 N:0 @@ -31,7 +31,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_media_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_vpn_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_email_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_data_transfer_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_web_count" interval=60 N:32 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_web_count" interval=60 N:31 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_social_network_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_download_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_game_count" interval=60 N:0 diff --git a/test/results/stats/default/long_tls_certificate.pcap.out b/test/results/stats/default/long_tls_certificate.pcap.out index a25a11f78..ec06dc3b4 100644 --- a/test/results/stats/default/long_tls_certificate.pcap.out +++ b/test/results/stats/default/long_tls_certificate.pcap.out @@ -1,5 +1,5 @@ -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:15 -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:22581 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:14 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:17195 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_new_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_end_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_idle_count" interval=60 N:0 @@ -7,7 +7,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_update_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_analyse_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_guessed_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detected_count" interval=60 N:1 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:3 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:2 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_not_detected_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_src_total_bytes" interval=60 N:1073 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_dst_total_bytes" interval=60 N:11027 @@ -19,7 +19,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-reconnect_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-shutdown_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-status_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_safe_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_acceptable_count" interval=60 N:4 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_acceptable_count" interval=60 N:3 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_fun_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_unsafe_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_potentially_dangerous_count" interval=60 N:0 @@ -31,7 +31,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_media_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_vpn_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_email_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_data_transfer_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_web_count" interval=60 N:4 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_web_count" interval=60 N:3 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_social_network_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_download_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_game_count" interval=60 N:0 diff --git a/test/results/stats/default/nest_log_sink.pcap.out b/test/results/stats/default/nest_log_sink.pcap.out index 4fd04713c..b81657491 100644 --- a/test/results/stats/default/nest_log_sink.pcap.out +++ b/test/results/stats/default/nest_log_sink.pcap.out @@ -1,12 +1,12 @@ -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:169 -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:147397 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:168 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:146433 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_new_count" interval=60 N:17 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_end_count" interval=60 N:12 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_idle_count" interval=60 N:5 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_update_count" interval=60 N:8 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_analyse_count" interval=60 N:10 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_guessed_count" interval=60 N:1 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detected_count" interval=60 N:17 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detected_count" interval=60 N:16 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:5 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_not_detected_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_src_total_bytes" interval=60 N:55213 @@ -19,7 +19,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-reconnect_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-shutdown_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-status_count" interval=60 N:12 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_safe_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_acceptable_count" interval=60 N:30 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_acceptable_count" interval=60 N:29 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_fun_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_unsafe_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_potentially_dangerous_count" interval=60 N:0 @@ -39,7 +39,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_chat_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_voip_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_database_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_remote_access_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_cloud_count" interval=60 N:13 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_cloud_count" interval=60 N:12 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_network_count" interval=60 N:17 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_collaborative_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_rpc_count" interval=60 N:0 diff --git a/test/results/stats/default/netflix.pcap.out b/test/results/stats/default/netflix.pcap.out index c2cef5535..411d840e5 100644 --- a/test/results/stats/default/netflix.pcap.out +++ b/test/results/stats/default/netflix.pcap.out @@ -1,5 +1,5 @@ -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:564 -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:565126 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:557 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:553210 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_new_count" interval=60 N:61 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_end_count" interval=60 N:31 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_idle_count" interval=60 N:30 @@ -7,7 +7,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_update_count" interval=60 N:9 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_analyse_count" interval=60 N:27 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_guessed_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detected_count" interval=60 N:60 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:76 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:69 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_not_detected_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_src_total_bytes" interval=60 N:117204 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_dst_total_bytes" interval=60 N:768140 @@ -20,7 +20,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-shutdown_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-status_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_safe_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_acceptable_count" interval=60 N:44 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_fun_count" interval=60 N:101 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_fun_count" interval=60 N:94 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_unsafe_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_potentially_dangerous_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_tracker_ads_count" interval=60 N:0 @@ -47,7 +47,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_streaming_count" interval=60 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_system_count" interval=60 N:2 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_software_update_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_music_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_video_count" interval=60 N:72 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_video_count" interval=60 N:65 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_shopping_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_productivity_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_file_sharing_count" interval=60 N:0 @@ -101,7 +101,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_11_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_12_count" interval=60 N:36 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_13_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_14_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_15_count" interval=60 N:35 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_15_count" interval=60 N:32 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_16_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_17_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_18_count" interval=60 N:0 diff --git a/test/results/stats/default/pinterest.pcap.out b/test/results/stats/default/pinterest.pcap.out index ce9301c66..b93b38756 100644 --- a/test/results/stats/default/pinterest.pcap.out +++ b/test/results/stats/default/pinterest.pcap.out @@ -1,5 +1,5 @@ -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:302 -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:311163 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:297 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:295069 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_new_count" interval=60 N:37 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_end_count" interval=60 N:5 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_idle_count" interval=60 N:32 @@ -7,7 +7,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_update_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_analyse_count" interval=60 N:13 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_guessed_count" interval=60 N:16 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detected_count" interval=60 N:21 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:38 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:33 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_not_detected_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_src_total_bytes" interval=60 N:30054 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_dst_total_bytes" interval=60 N:337815 @@ -18,21 +18,21 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-init_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-reconnect_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-shutdown_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-status_count" interval=60 N:1 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_safe_count" interval=60 N:9 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_safe_count" interval=60 N:8 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_acceptable_count" interval=60 N:12 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_fun_count" interval=60 N:34 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_fun_count" interval=60 N:31 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_unsafe_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_potentially_dangerous_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_tracker_ads_count" interval=60 N:4 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_tracker_ads_count" interval=60 N:3 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_dangerous_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_unrated_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_unknown_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_media_count" interval=60 N:2 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_media_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_vpn_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_email_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_data_transfer_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_web_count" interval=60 N:17 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_social_network_count" interval=60 N:34 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_social_network_count" interval=60 N:31 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_download_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_game_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_chat_count" interval=60 N:0 @@ -53,7 +53,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_productivity_count" interval PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_file_sharing_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_mining_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_malware_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_advertisment_count" interval=60 N:6 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_advertisment_count" interval=60 N:5 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_banned_site_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_site_unavail_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_allowed_site_count" interval=60 N:0 diff --git a/test/results/stats/default/pop3_stls.pcap.out b/test/results/stats/default/pop3_stls.pcap.out index ddde67743..a37f67be7 100644 --- a/test/results/stats/default/pop3_stls.pcap.out +++ b/test/results/stats/default/pop3_stls.pcap.out @@ -1,5 +1,5 @@ -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:16 -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:14846 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:15 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:13665 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_new_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_end_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_idle_count" interval=60 N:0 @@ -7,7 +7,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_update_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_analyse_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_guessed_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detected_count" interval=60 N:1 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:4 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:3 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_not_detected_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_src_total_bytes" interval=60 N:805 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_dst_total_bytes" interval=60 N:7462 @@ -18,7 +18,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-init_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-reconnect_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-shutdown_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-status_count" interval=60 N:1 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_safe_count" interval=60 N:4 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_safe_count" interval=60 N:3 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_acceptable_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_fun_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_unsafe_count" interval=60 N:1 @@ -29,7 +29,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_unrated_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_unknown_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_media_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_vpn_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_email_count" interval=60 N:5 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_email_count" interval=60 N:4 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_data_transfer_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_web_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_social_network_count" interval=60 N:0 @@ -93,7 +93,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_3_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_4_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_5_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_6_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_7_count" interval=60 N:4 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_7_count" interval=60 N:3 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_8_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_9_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_10_count" interval=60 N:0 @@ -108,7 +108,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_18_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_19_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_20_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_21_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_22_count" interval=60 N:5 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_22_count" interval=60 N:4 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_23_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_24_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_25_count" interval=60 N:0 diff --git a/test/results/stats/default/psiphon3.pcap.out b/test/results/stats/default/psiphon3.pcap.out index 022aae3b4..4991b2521 100644 --- a/test/results/stats/default/psiphon3.pcap.out +++ b/test/results/stats/default/psiphon3.pcap.out @@ -1,5 +1,5 @@ -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:15 -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:15251 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:14 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:13496 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_new_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_end_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_idle_count" interval=60 N:0 @@ -7,7 +7,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_update_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_analyse_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_guessed_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detected_count" interval=60 N:1 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:3 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:2 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_not_detected_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_src_total_bytes" interval=60 N:3700 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_dst_total_bytes" interval=60 N:5574 @@ -19,7 +19,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-reconnect_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-shutdown_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-status_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_safe_count" interval=60 N:2 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_acceptable_count" interval=60 N:2 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_acceptable_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_fun_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_unsafe_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_potentially_dangerous_count" interval=60 N:0 @@ -28,7 +28,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_dangerous_count" interval=60 N: PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_unrated_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_unknown_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_media_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_vpn_count" interval=60 N:2 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_vpn_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_email_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_data_transfer_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_web_count" interval=60 N:2 @@ -110,7 +110,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_20_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_21_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_22_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_23_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_24_count" interval=60 N:4 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_24_count" interval=60 N:3 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_25_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_26_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_27_count" interval=60 N:0 @@ -138,5 +138,5 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_48_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_49_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_50_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_51_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_52_count" interval=60 N:4 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_52_count" interval=60 N:3 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_53_count" interval=60 N:0 diff --git a/test/results/stats/default/reddit.pcap.out b/test/results/stats/default/reddit.pcap.out index 1321a73f5..5aca0b8dd 100644 --- a/test/results/stats/default/reddit.pcap.out +++ b/test/results/stats/default/reddit.pcap.out @@ -1,5 +1,5 @@ -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:588 -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:567515 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:582 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:557892 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_new_count" interval=60 N:60 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_end_count" interval=60 N:23 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_idle_count" interval=60 N:37 @@ -7,7 +7,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_update_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_analyse_count" interval=60 N:17 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_guessed_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detected_count" interval=60 N:59 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:90 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:84 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_not_detected_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_src_total_bytes" interval=60 N:64920 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_dst_total_bytes" interval=60 N:481968 @@ -18,9 +18,9 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-init_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-reconnect_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-shutdown_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-status_count" interval=60 N:1 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_safe_count" interval=60 N:15 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_acceptable_count" interval=60 N:54 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_fun_count" interval=60 N:78 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_safe_count" interval=60 N:14 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_acceptable_count" interval=60 N:53 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_fun_count" interval=60 N:74 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_unsafe_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_potentially_dangerous_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_tracker_ads_count" interval=60 N:2 @@ -31,8 +31,8 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_media_count" interval=60 N:6 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_vpn_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_email_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_data_transfer_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_web_count" interval=60 N:51 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_social_network_count" interval=60 N:72 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_web_count" interval=60 N:49 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_social_network_count" interval=60 N:68 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_download_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_game_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_chat_count" interval=60 N:0 diff --git a/test/results/stats/default/roblox.pcapng.out b/test/results/stats/default/roblox.pcapng.out index 217334fe2..1a7cb4c9f 100644 --- a/test/results/stats/default/roblox.pcapng.out +++ b/test/results/stats/default/roblox.pcapng.out @@ -1,5 +1,5 @@ -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:40 -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:44300 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:39 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:43070 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_new_count" interval=60 N:4 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_end_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_idle_count" interval=60 N:3 @@ -7,7 +7,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_update_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_analyse_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_guessed_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detected_count" interval=60 N:4 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:2 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_not_detected_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_src_total_bytes" interval=60 N:17844 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_dst_total_bytes" interval=60 N:11993 @@ -20,7 +20,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-shutdown_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-status_count" interval=60 N:3 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_safe_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_acceptable_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_fun_count" interval=60 N:6 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_fun_count" interval=60 N:5 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_unsafe_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_potentially_dangerous_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_tracker_ads_count" interval=60 N:0 @@ -34,7 +34,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_data_transfer_count" interva PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_web_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_social_network_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_download_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_game_count" interval=60 N:6 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_game_count" interval=60 N:5 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_chat_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_voip_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_database_count" interval=60 N:0 diff --git a/test/results/stats/default/signal.pcap.out b/test/results/stats/default/signal.pcap.out index d337726fc..8c56b3b92 100644 --- a/test/results/stats/default/signal.pcap.out +++ b/test/results/stats/default/signal.pcap.out @@ -1,5 +1,5 @@ -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:176 -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:160871 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:175 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:159282 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_new_count" interval=60 N:19 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_end_count" interval=60 N:9 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_idle_count" interval=60 N:10 @@ -7,7 +7,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_update_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_analyse_count" interval=60 N:4 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_guessed_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detected_count" interval=60 N:19 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:28 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:27 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_not_detected_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_src_total_bytes" interval=60 N:219449 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_dst_total_bytes" interval=60 N:54393 @@ -20,7 +20,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-shutdown_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-status_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_safe_count" interval=60 N:6 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_acceptable_count" interval=60 N:4 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_fun_count" interval=60 N:37 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_fun_count" interval=60 N:36 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_unsafe_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_potentially_dangerous_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_tracker_ads_count" interval=60 N:0 @@ -35,7 +35,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_web_count" interval=60 N:6 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_social_network_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_download_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_game_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_chat_count" interval=60 N:31 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_chat_count" interval=60 N:30 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_voip_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_database_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_remote_access_count" interval=60 N:0 diff --git a/test/results/stats/default/simple-dnscrypt.pcap.out b/test/results/stats/default/simple-dnscrypt.pcap.out index bfb0c2aa8..c80434acd 100644 --- a/test/results/stats/default/simple-dnscrypt.pcap.out +++ b/test/results/stats/default/simple-dnscrypt.pcap.out @@ -1,5 +1,5 @@ -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:47 -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:44741 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:45 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:41566 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_new_count" interval=60 N:4 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_end_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_idle_count" interval=60 N:4 @@ -7,7 +7,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_update_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_analyse_count" interval=60 N:2 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_guessed_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detected_count" interval=60 N:4 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:10 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:8 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_not_detected_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_src_total_bytes" interval=60 N:2480 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_dst_total_bytes" interval=60 N:36106 @@ -19,7 +19,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-reconnect_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-shutdown_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-status_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_safe_count" interval=60 N:2 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_acceptable_count" interval=60 N:12 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_acceptable_count" interval=60 N:10 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_fun_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_unsafe_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_potentially_dangerous_count" interval=60 N:0 @@ -40,7 +40,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_voip_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_database_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_remote_access_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_cloud_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_network_count" interval=60 N:12 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_network_count" interval=60 N:10 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_collaborative_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_rpc_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_streaming_count" interval=60 N:0 diff --git a/test/results/stats/default/sites.pcapng.out b/test/results/stats/default/sites.pcapng.out index ca3c643a7..166705863 100644 --- a/test/results/stats/default/sites.pcapng.out +++ b/test/results/stats/default/sites.pcapng.out @@ -1,5 +1,5 @@ -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:404 -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:454454 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:403 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:453218 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_new_count" interval=60 N:47 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_end_count" interval=60 N:7 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_idle_count" interval=60 N:40 @@ -7,7 +7,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_update_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_analyse_count" interval=60 N:2 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_guessed_count" interval=60 N:4 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detected_count" interval=60 N:43 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:50 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:49 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_not_detected_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_src_total_bytes" interval=60 N:31753 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_dst_total_bytes" interval=60 N:206418 @@ -18,7 +18,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-init_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-reconnect_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-shutdown_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-status_count" interval=60 N:12 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_safe_count" interval=60 N:19 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_safe_count" interval=60 N:18 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_acceptable_count" interval=60 N:27 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_fun_count" interval=60 N:46 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_unsafe_count" interval=60 N:0 @@ -31,7 +31,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_media_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_vpn_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_email_count" interval=60 N:2 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_data_transfer_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_web_count" interval=60 N:17 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_web_count" interval=60 N:16 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_social_network_count" interval=60 N:8 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_download_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_game_count" interval=60 N:10 diff --git a/test/results/stats/default/teams.pcap.out b/test/results/stats/default/teams.pcap.out index f3d1a6a6d..cce638f7a 100644 --- a/test/results/stats/default/teams.pcap.out +++ b/test/results/stats/default/teams.pcap.out @@ -1,5 +1,5 @@ -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:681 -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:647459 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:674 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:635401 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_new_count" interval=60 N:83 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_end_count" interval=60 N:17 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_idle_count" interval=60 N:66 @@ -7,7 +7,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_update_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_analyse_count" interval=60 N:16 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_guessed_count" interval=60 N:2 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detected_count" interval=60 N:80 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:64 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:57 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_not_detected_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_src_total_bytes" interval=60 N:293772 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_dst_total_bytes" interval=60 N:293323 @@ -18,8 +18,8 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-init_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-reconnect_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-shutdown_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-status_count" interval=60 N:1 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_safe_count" interval=60 N:89 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_acceptable_count" interval=60 N:54 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_safe_count" interval=60 N:83 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_acceptable_count" interval=60 N:53 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_fun_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_unsafe_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_potentially_dangerous_count" interval=60 N:0 @@ -39,9 +39,9 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_chat_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_voip_count" interval=60 N:24 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_database_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_remote_access_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_cloud_count" interval=60 N:22 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_cloud_count" interval=60 N:19 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_network_count" interval=60 N:52 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_collaborative_count" interval=60 N:43 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_collaborative_count" interval=60 N:39 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_rpc_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_streaming_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_system_count" interval=60 N:0 @@ -101,7 +101,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_11_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_12_count" interval=60 N:2 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_13_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_14_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_15_count" interval=60 N:37 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_15_count" interval=60 N:33 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_16_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_17_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_18_count" interval=60 N:0 diff --git a/test/results/stats/default/telnet.pcap.out b/test/results/stats/default/telnet.pcap.out index 417c86c24..cb5ecfc04 100644 --- a/test/results/stats/default/telnet.pcap.out +++ b/test/results/stats/default/telnet.pcap.out @@ -1,5 +1,5 @@ -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:15 -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:13215 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:14 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:12110 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_new_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_end_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_idle_count" interval=60 N:0 @@ -7,7 +7,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_update_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_analyse_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_guessed_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detected_count" interval=60 N:1 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:3 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:2 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_not_detected_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_src_total_bytes" interval=60 N:289 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_dst_total_bytes" interval=60 N:1371 @@ -21,7 +21,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-status_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_safe_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_acceptable_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_fun_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_unsafe_count" interval=60 N:4 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_unsafe_count" interval=60 N:3 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_potentially_dangerous_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_tracker_ads_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_dangerous_count" interval=60 N:0 @@ -38,7 +38,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_game_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_chat_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_voip_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_database_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_remote_access_count" interval=60 N:4 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_remote_access_count" interval=60 N:3 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_cloud_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_network_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_collaborative_count" interval=60 N:0 @@ -108,7 +108,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_18_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_19_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_20_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_21_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_22_count" interval=60 N:4 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_22_count" interval=60 N:3 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_23_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_24_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_25_count" interval=60 N:0 diff --git a/test/results/stats/default/tls-appdata.pcap.out b/test/results/stats/default/tls-appdata.pcap.out index f154904f6..8424441f3 100644 --- a/test/results/stats/default/tls-appdata.pcap.out +++ b/test/results/stats/default/tls-appdata.pcap.out @@ -1,5 +1,5 @@ -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:28 -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:29968 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:27 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:29019 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_new_count" interval=60 N:2 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_end_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_idle_count" interval=60 N:1 @@ -7,7 +7,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_update_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_analyse_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_guessed_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detected_count" interval=60 N:2 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:4 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:3 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_not_detected_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_src_total_bytes" interval=60 N:12205 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_dst_total_bytes" interval=60 N:101176 @@ -18,7 +18,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-init_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-reconnect_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-shutdown_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-status_count" interval=60 N:5 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_safe_count" interval=60 N:6 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_safe_count" interval=60 N:5 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_acceptable_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_fun_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_unsafe_count" interval=60 N:0 @@ -31,7 +31,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_media_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_vpn_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_email_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_data_transfer_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_web_count" interval=60 N:6 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_web_count" interval=60 N:5 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_social_network_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_download_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_game_count" interval=60 N:0 diff --git a/test/results/stats/default/tls_verylong_certificate.pcap.out b/test/results/stats/default/tls_verylong_certificate.pcap.out index ec6fd53a2..2b603f381 100644 --- a/test/results/stats/default/tls_verylong_certificate.pcap.out +++ b/test/results/stats/default/tls_verylong_certificate.pcap.out @@ -1,5 +1,5 @@ -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:15 -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:19772 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:14 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:15828 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_new_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_end_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_idle_count" interval=60 N:0 @@ -7,7 +7,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_update_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_analyse_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_guessed_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detected_count" interval=60 N:1 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:3 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:2 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_not_detected_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_src_total_bytes" interval=60 N:844 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_dst_total_bytes" interval=60 N:18233 @@ -18,7 +18,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-init_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-reconnect_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-shutdown_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-status_count" interval=60 N:1 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_safe_count" interval=60 N:4 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_safe_count" interval=60 N:3 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_acceptable_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_fun_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_unsafe_count" interval=60 N:0 @@ -59,7 +59,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_site_unavail_count" interval PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_allowed_site_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_antimalware_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_crypto_currency_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_unknown_count" interval=60 N:4 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_unknown_count" interval=60 N:3 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_l3_ip4_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_l3_ip6_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_l3_other_count" interval=60 N:0 diff --git a/test/results/stats/default/tumblr.pcap.out b/test/results/stats/default/tumblr.pcap.out index 8dd5de217..ccb6d4104 100644 --- a/test/results/stats/default/tumblr.pcap.out +++ b/test/results/stats/default/tumblr.pcap.out @@ -1,5 +1,5 @@ -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:333 -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:287322 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:329 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:282796 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_new_count" interval=60 N:47 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_end_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_idle_count" interval=60 N:46 @@ -7,7 +7,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_update_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_analyse_count" interval=60 N:9 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_guessed_count" interval=60 N:28 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detected_count" interval=60 N:19 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:29 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:25 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_not_detected_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_src_total_bytes" interval=60 N:19532 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_dst_total_bytes" interval=60 N:275102 @@ -18,9 +18,9 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-init_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-reconnect_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-shutdown_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-status_count" interval=60 N:1 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_safe_count" interval=60 N:34 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_safe_count" interval=60 N:31 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_acceptable_count" interval=60 N:4 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_fun_count" interval=60 N:6 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_fun_count" interval=60 N:5 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_unsafe_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_potentially_dangerous_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_tracker_ads_count" interval=60 N:4 @@ -31,8 +31,8 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_media_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_vpn_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_email_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_data_transfer_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_web_count" interval=60 N:38 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_social_network_count" interval=60 N:6 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_web_count" interval=60 N:35 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_social_network_count" interval=60 N:5 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_download_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_game_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_chat_count" interval=60 N:0 diff --git a/test/results/stats/default/viber.pcap.out b/test/results/stats/default/viber.pcap.out index 4ffc8571f..cf5b9b95c 100644 --- a/test/results/stats/default/viber.pcap.out +++ b/test/results/stats/default/viber.pcap.out @@ -1,5 +1,5 @@ -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:223 -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:187099 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:222 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:185605 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_new_count" interval=60 N:29 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_end_count" interval=60 N:6 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_idle_count" interval=60 N:23 @@ -7,7 +7,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_update_count" interval=60 N:4 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_analyse_count" interval=60 N:4 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_guessed_count" interval=60 N:4 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detected_count" interval=60 N:25 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:20 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:19 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_not_detected_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_src_total_bytes" interval=60 N:30062 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_dst_total_bytes" interval=60 N:101892 @@ -20,7 +20,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-shutdown_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-status_count" interval=60 N:4 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_safe_count" interval=60 N:10 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_acceptable_count" interval=60 N:15 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_fun_count" interval=60 N:21 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_fun_count" interval=60 N:20 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_unsafe_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_potentially_dangerous_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_tracker_ads_count" interval=60 N:3 @@ -35,7 +35,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_web_count" interval=60 N:12 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_social_network_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_download_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_game_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_chat_count" interval=60 N:7 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_chat_count" interval=60 N:6 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_voip_count" interval=60 N:7 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_database_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_remote_access_count" interval=60 N:0 diff --git a/test/results/stats/default/vk.pcapng.out b/test/results/stats/default/vk.pcapng.out index 61040a2ec..e0c9aaefe 100644 --- a/test/results/stats/default/vk.pcapng.out +++ b/test/results/stats/default/vk.pcapng.out @@ -1,5 +1,5 @@ -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:86 -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:76929 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:84 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:74819 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_new_count" interval=60 N:10 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_end_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_idle_count" interval=60 N:10 @@ -7,7 +7,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_update_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_analyse_count" interval=60 N:2 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_guessed_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detected_count" interval=60 N:10 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:8 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:6 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_not_detected_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_src_total_bytes" interval=60 N:66779 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_dst_total_bytes" interval=60 N:0 @@ -18,7 +18,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-init_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-reconnect_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-shutdown_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-status_count" interval=60 N:1 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_safe_count" interval=60 N:14 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_safe_count" interval=60 N:12 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_acceptable_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_fun_count" interval=60 N:4 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_unsafe_count" interval=60 N:0 @@ -31,7 +31,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_media_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_vpn_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_email_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_data_transfer_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_web_count" interval=60 N:14 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_web_count" interval=60 N:12 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_social_network_count" interval=60 N:4 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_download_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_game_count" interval=60 N:0 @@ -132,7 +132,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_42_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_43_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_44_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_45_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_46_count" interval=60 N:12 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_46_count" interval=60 N:10 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_47_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_48_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_49_count" interval=60 N:0 diff --git a/test/results/stats/default/waze.pcap.out b/test/results/stats/default/waze.pcap.out index 2153ee479..8584fa56a 100644 --- a/test/results/stats/default/waze.pcap.out +++ b/test/results/stats/default/waze.pcap.out @@ -1,5 +1,5 @@ -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:284 -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:230614 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:282 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:227442 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_new_count" interval=60 N:33 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_end_count" interval=60 N:30 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_idle_count" interval=60 N:3 @@ -7,7 +7,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_update_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_analyse_count" interval=60 N:5 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_guessed_count" interval=60 N:9 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detected_count" interval=60 N:23 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:24 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:22 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_not_detected_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_src_total_bytes" interval=60 N:19999 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_dst_total_bytes" interval=60 N:306184 @@ -19,7 +19,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-reconnect_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-shutdown_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-status_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_safe_count" interval=60 N:22 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_acceptable_count" interval=60 N:25 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_acceptable_count" interval=60 N:23 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_fun_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_unsafe_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_potentially_dangerous_count" interval=60 N:0 @@ -31,7 +31,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_media_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_vpn_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_email_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_data_transfer_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_web_count" interval=60 N:44 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_web_count" interval=60 N:42 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_social_network_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_download_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_game_count" interval=60 N:0 @@ -93,8 +93,8 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_3_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_4_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_5_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_6_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_7_count" interval=60 N:33 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_8_count" interval=60 N:7 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_7_count" interval=60 N:32 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_8_count" interval=60 N:6 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_9_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_10_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_11_count" interval=60 N:0 diff --git a/test/results/stats/default/webex.pcap.out b/test/results/stats/default/webex.pcap.out index 621b1cbef..4823e9889 100644 --- a/test/results/stats/default/webex.pcap.out +++ b/test/results/stats/default/webex.pcap.out @@ -1,5 +1,5 @@ -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:501 -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:420707 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:500 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:419111 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_new_count" interval=60 N:57 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_end_count" interval=60 N:45 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_idle_count" interval=60 N:12 @@ -7,7 +7,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_update_count" interval=60 N:2 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_analyse_count" interval=60 N:6 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_guessed_count" interval=60 N:4 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detected_count" interval=60 N:53 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:40 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:39 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_not_detected_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_src_total_bytes" interval=60 N:67701 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_dst_total_bytes" interval=60 N:426653 @@ -19,7 +19,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-reconnect_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-shutdown_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-status_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_safe_count" interval=60 N:52 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_acceptable_count" interval=60 N:43 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_acceptable_count" interval=60 N:42 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_fun_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_unsafe_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_potentially_dangerous_count" interval=60 N:0 @@ -36,7 +36,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_social_network_count" interv PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_download_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_game_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_chat_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_voip_count" interval=60 N:37 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_voip_count" interval=60 N:36 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_database_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_remote_access_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_cloud_count" interval=60 N:0 @@ -101,7 +101,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_11_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_12_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_13_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_14_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_15_count" interval=60 N:11 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_15_count" interval=60 N:10 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_16_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_17_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_18_count" interval=60 N:0 diff --git a/test/results/stats/default/wechat.pcap.out b/test/results/stats/default/wechat.pcap.out index c905db795..0698794d9 100644 --- a/test/results/stats/default/wechat.pcap.out +++ b/test/results/stats/default/wechat.pcap.out @@ -1,5 +1,5 @@ -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:890 -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:774666 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:888 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:771195 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_new_count" interval=60 N:109 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_end_count" interval=60 N:52 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_idle_count" interval=60 N:57 @@ -7,7 +7,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_update_count" interval=60 N:77 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_analyse_count" interval=60 N:17 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_guessed_count" interval=60 N:25 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detected_count" interval=60 N:84 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:71 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:69 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_not_detected_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_src_total_bytes" interval=60 N:184490 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_dst_total_bytes" interval=60 N:376782 @@ -20,7 +20,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-shutdown_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-status_count" interval=60 N:2 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_safe_count" interval=60 N:7 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_acceptable_count" interval=60 N:116 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_fun_count" interval=60 N:103 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_fun_count" interval=60 N:101 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_unsafe_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_potentially_dangerous_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_tracker_ads_count" interval=60 N:0 @@ -35,7 +35,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_web_count" interval=60 N:17 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_social_network_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_download_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_game_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_chat_count" interval=60 N:82 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_chat_count" interval=60 N:80 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_voip_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_database_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_remote_access_count" interval=60 N:0 diff --git a/test/results/stats/default/whatsapp_login_call.pcap.out b/test/results/stats/default/whatsapp_login_call.pcap.out index 21f9de9f7..a28c2b1c3 100644 --- a/test/results/stats/default/whatsapp_login_call.pcap.out +++ b/test/results/stats/default/whatsapp_login_call.pcap.out @@ -1,5 +1,5 @@ -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:462 -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:379668 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:461 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:378089 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_new_count" interval=60 N:57 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_end_count" interval=60 N:24 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_idle_count" interval=60 N:33 @@ -7,7 +7,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_update_count" interval=60 N:45 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_analyse_count" interval=60 N:6 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_guessed_count" interval=60 N:20 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detected_count" interval=60 N:37 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:11 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:10 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_not_detected_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_src_total_bytes" interval=60 N:81240 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_dst_total_bytes" interval=60 N:51420 @@ -18,7 +18,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-init_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-reconnect_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-shutdown_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-status_count" interval=60 N:1 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_safe_count" interval=60 N:14 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_safe_count" interval=60 N:13 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_acceptable_count" interval=60 N:76 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_fun_count" interval=60 N:3 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_unsafe_count" interval=60 N:0 @@ -31,7 +31,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_media_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_vpn_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_email_count" interval=60 N:2 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_data_transfer_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_web_count" interval=60 N:4 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_web_count" interval=60 N:3 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_social_network_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_download_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_game_count" interval=60 N:0 @@ -101,7 +101,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_11_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_12_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_13_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_14_count" interval=60 N:0 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_15_count" interval=60 N:7 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_15_count" interval=60 N:6 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_16_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_17_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_risk_18_count" interval=60 N:0 diff --git a/test/results/stats/default/zoom.pcap.out b/test/results/stats/default/zoom.pcap.out index c0ef85dea..c427ee55a 100644 --- a/test/results/stats/default/zoom.pcap.out +++ b/test/results/stats/default/zoom.pcap.out @@ -1,5 +1,5 @@ -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:253 -PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:216483 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_lines" interval=60 N:252 +PUTVAL "localhost/exec-nDPIsrvd/gauge-json_bytes" interval=60 N:214963 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_new_count" interval=60 N:33 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_end_count" interval=60 N:6 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_idle_count" interval=60 N:27 @@ -7,7 +7,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_update_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_analyse_count" interval=60 N:3 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_guessed_count" interval=60 N:2 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detected_count" interval=60 N:31 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:27 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_detection_update_count" interval=60 N:26 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_not_detected_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_src_total_bytes" interval=60 N:69672 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_dst_total_bytes" interval=60 N:259806 @@ -19,7 +19,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-reconnect_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-shutdown_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-status_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_safe_count" interval=60 N:8 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_acceptable_count" interval=60 N:49 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_acceptable_count" interval=60 N:48 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_fun_count" interval=60 N:1 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_unsafe_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_breed_potentially_dangerous_count" interval=60 N:0 @@ -47,7 +47,7 @@ PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_streaming_count" interval=60 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_system_count" interval=60 N:2 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_software_update_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_music_count" interval=60 N:1 -PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_video_count" interval=60 N:29 +PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_video_count" interval=60 N:28 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_shopping_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_productivity_count" interval=60 N:0 PUTVAL "localhost/exec-nDPIsrvd/gauge-flow_category_file_sharing_count" interval=60 N:0 |