Diffstat (limited to 'test/results/default/nordvpn.pcap.out')
-rw-r--r-- | test/results/default/nordvpn.pcap.out | 52 |
1 files changed, 52 insertions, 0 deletions
diff --git a/test/results/default/nordvpn.pcap.out b/test/results/default/nordvpn.pcap.out new file mode 100644 index 000000000..526079b7d --- /dev/null +++ b/test/results/default/nordvpn.pcap.out 
@@ -0,0 +1,52 @@ +00612{"daemon_event_id":1,"daemon_event_name":"init","thread_id":0,"packet_id":0,"source":"cfgs\/default\/pcap\/nordvpn.pcap","alias":"nDPId-test","version":"1.7.0","ndpi_version":"4.13.0-5173-c49d126","ndpi_api_version":11990,"size_per_flow":1400,"max-flows-per-thread":32768,"max-idle-flows-per-thread":1024,"reader-thread-count":1,"flow-scan-interval":10000000,"generic-max-idle-time":600000000,"icmp-max-idle-time":120000000,"udp-max-idle-time":180000000,"tcp-max-idle-time":7560000000,"max-packets-per-flow-to-send":5,"max-packets-per-flow-to-process":32,"max-packets-per-flow-to-analyse":32,"global_ts_usec":0} +00750{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1,"source":"cfgs\/default\/pcap\/nordvpn.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":72956182,"flow_src_last_pkt_time":72956182,"flow_dst_last_pkt_time":72956182,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":148,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":148,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":148,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":72956182,"l3_proto":"ip4","src_ip":"192.168.1.204","dst_ip":"138.199.54.231","src_port":53465,"dst_port":51820,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":5} 
+00687{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"cfgs\/default\/pcap\/nordvpn.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_src_last_pkt_time":72956182,"flow_dst_last_pkt_time":72956182,"flow_idle_time":200000000,"pkt_datalink":1,"pkt_caplen":190,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":190,"pkt_l4_len":156,"thread_ts_usec":72956182,"pkt":"ILAB4IZiCAAnOk7TCABFAACwxYkAAIAR8JDAqAHMisc259DZymwAnGN7AQAAAHCugaGuyNQrgpjUMMvMRv7tce\/UxbPHmzgM4LnyLwPRKrv+f1lPN089Zz9DutclWxa2b9kbYJ9kEX3SHwseg9E6ZgGcSILv3pxypQ8XNJaJEu3uxCNItzEaZIvw5Da46v65wcrR8Sdsrbqt8UBCO8iPM7MsevZdJlISnocLHSzwAAAAAAAAAAAAAAAAAAAAAA=="} +00610{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"cfgs\/default\/pcap\/nordvpn.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":72956182,"flow_dst_last_pkt_time":72980286,"flow_idle_time":200000000,"pkt_datalink":1,"pkt_caplen":134,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":134,"pkt_l4_len":100,"thread_ts_usec":72980286,"pkt":"CAAnOk7TILAB4IZiCABFiAB4BHgAADgR+VKKxzbnwKgBzMps0NkAZOQeAgAAAO40GlZwroGhVrO4D1FIBzFVRMFp83WK3C+jc+btex70OBI3KcNQUDYhwc581LFzWOk2ELMrgwg7HkxAgpDbawfT4PLuuWKO9QAAAAAAAAAAAAAAAAAAAAA="} 
+00916{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2,"source":"cfgs\/default\/pcap\/nordvpn.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":72956182,"flow_src_last_pkt_time":72956182,"flow_dst_last_pkt_time":72980286,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":148,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":148,"flow_dst_max_l4_payload_len":92,"flow_src_tot_l4_payload_len":148,"flow_dst_tot_l4_payload_len":92,"midstream":0,"thread_ts_usec":72980286,"l3_proto":"ip4","src_ip":"192.168.1.204","dst_ip":"138.199.54.231","src_port":53465,"dst_port":51820,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"WireGuard.NordVPN","proto_id":"206.426","proto_by_ip":"NordVPN","proto_by_ip_id":426,"encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} +00528{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"cfgs\/default\/pcap\/nordvpn.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":72980701,"flow_dst_last_pkt_time":72980286,"flow_idle_time":200000000,"pkt_datalink":1,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":72980701,"pkt":"ILAB4IZiCAAnOk7TCABFAAA8xYoAAIAR8QPAqAHMisc259DZymwAKFWIBAAAAO40GlYAAAAAAAAAALAcAiZ4o3Pd\/G3gv4U4fPc="} 
+00616{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4,"source":"cfgs\/default\/pcap\/nordvpn.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":4,"flow_src_last_pkt_time":73268424,"flow_dst_last_pkt_time":72980286,"flow_idle_time":200000000,"pkt_datalink":1,"pkt_caplen":138,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":138,"pkt_l4_len":104,"thread_ts_usec":73268424,"pkt":"ILAB4IZiCAAnOk7TCABFAAB8xYsAAIAR8MLAqAHMisc259DZymwAaCITBAAAAO40GlYBAAAAAAAAAJzNTDDHi7emtnZB\/DQSl1Ybr1oCCRSrGfd9bi6sNOc645kW2\/hYMUwYHHSX9IHxTBpFvr5TtDsV1awARcrDQrVLIE0L2KKFf2++n2sGinM4"} +00594{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":5,"source":"cfgs\/default\/pcap\/nordvpn.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":5,"flow_src_last_pkt_time":73687529,"flow_dst_last_pkt_time":72980286,"flow_idle_time":200000000,"pkt_datalink":1,"pkt_caplen":122,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":122,"pkt_l4_len":88,"thread_ts_usec":73687529,"pkt":"ILAB4IZiCAAnOk7TCABFAABsxYwAAIAR8NHAqAHMisc259DZymwAWHCNBAAAAO40GlYCAAAAAAAAANUAbYsxHO\/z400gNsizEVe7IlshLEEO0YxpTTqcxI61KQ7xj81zickdTvbZYkhpZnJgwOnowNHvDgjRnxwLjbw="} +00747{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":23,"source":"cfgs\/default\/pcap\/nordvpn.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":87609474,"flow_src_last_pkt_time":87609474,"flow_dst_last_pkt_time":87609474,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":86,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":86,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":86,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":87609474,"l3_proto":"ip4","src_ip":"192.168.1.204","dst_ip":"192.145.125.35","src_port":63670,"dst_port":1198,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":5} 
+00604{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":23,"source":"cfgs\/default\/pcap\/nordvpn.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_src_last_pkt_time":87609474,"flow_dst_last_pkt_time":87609474,"flow_idle_time":200000000,"pkt_datalink":1,"pkt_caplen":128,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":128,"pkt_l4_len":94,"thread_ts_usec":87609474,"pkt":"ILAB4IZiCAAnOk7TCABFAAByZE8AAIAR1gLAqAHMwJF9I\/i2BK4AXl8FTD0zMzk8szuBTSApLX13zSoTt3QNB0dUze1n+DidtH04WRWqKMC0ejcFi\/JMriDbw0+5AsCixFsM8OvZGC9XUWrS68M0OptsPejbnyR16IbYkVDFW50="} +00622{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":24,"source":"cfgs\/default\/pcap\/nordvpn.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":87609474,"flow_dst_last_pkt_time":87645977,"flow_idle_time":200000000,"pkt_datalink":1,"pkt_caplen":140,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":140,"pkt_l4_len":106,"thread_ts_usec":87645977,"pkt":"CAAnOk7TILAB4IZiCABFAAB+fs1AADURxnjAkX0jwKgBzASu+LYAaosKNAkHBzX6ideGWckIkGE\/LQUpryeLVzIwPTjD1d8QWPEd35Elwv\/y49D\/iqgMAzZDYwnmPhgaOyZz7o6T+5TIiSjw03TFbcuJu7DuMGSjQeBWntiJUZaP4MXUYZrghDQsIUQ="} 
+01002{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":25,"source":"cfgs\/default\/pcap\/nordvpn.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":87646644,"flow_dst_last_pkt_time":87645977,"flow_idle_time":200000000,"pkt_datalink":1,"pkt_caplen":423,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":423,"pkt_l4_len":389,"thread_ts_usec":87646644,"pkt":"ILAB4IZiCAAnOk7TCABFAAGZZFAAAIAR1NrAqAHMwJF9I\/i2BK4BhWgyVAJJmWSM6fzPn9dlOr9FfUd\/swaiegQq2ESWC+kj90HNOBoHEzoWaj4hRj0bGEc3GiwUFBQpGws9Gh4WFRgYHhMbFxdFGRc+Fh8bCBEeHhgTAxUeTR8fEgQSARsEHkQ2FU4\/HBlCGR4BFyAXIB4LFg0cEBcLGh4QGxcWRxsXOBYCGhUXCBsHFxYeAkcBFhAYGBsTHRJMNRLRPBobuBopLwTQHu0nCwLaFtBwHT3aMth9FG7aMviJGjXMPNax3L\/Ht9rYFybaNNobAB0FTi0gRmrf71\/ZeJFk+XX0xlpHSN8R+fmvX\/YZzKRR14vGFP3KLC9Sj074LkWDuA+8o3+fTLjFE3ZHVYXpOY+reT8ySHjJLh0ZFxodBhYcGQwQGBYUELjNjUoTNBEXFhsQFowYtCAVFhoY5qntNHkQbzMIP6scpSys1dUCmpty0X+pH6hyaBkykAzTbah7ogJflGIbJVrKdtjrByu04xIkXiJG3IOzkGPaIvar\/PZ95hq2"} +00615{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":26,"source":"cfgs\/default\/pcap\/nordvpn.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":4,"flow_src_last_pkt_time":87646644,"flow_dst_last_pkt_time":87680794,"flow_idle_time":200000000,"pkt_datalink":1,"pkt_caplen":136,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":136,"pkt_l4_len":102,"thread_ts_usec":87680794,"pkt":"CAAnOk7TILAB4IZiCABFAAB6fs5AADURxnvAkX0jwKgBzASu+LYAZpRWXP+K3YBTwACaMzkxNWSzL7tTOT0tNP0PZss9pBITZvw1ySGYUPQCA6N8MJIVUK5dfYKXm25NqjGFwtvPuqF1Dvng1e1QQjRGHCAZKHnuvN9YCGW5EhFhl+KMZj0RKA=="} 
+01999{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":27,"source":"cfgs\/default\/pcap\/nordvpn.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":5,"flow_src_last_pkt_time":87646644,"flow_dst_last_pkt_time":87680845,"flow_idle_time":200000000,"pkt_datalink":1,"pkt_caplen":1158,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1158,"pkt_l4_len":1124,"thread_ts_usec":87680845,"pkt":"CAAnOk7TILAB4IZiCABFAAR4fs9AADURwnzAkX0jwKgBzASu+LYEZKiLVO\/sf7W6Z7\/qhR1ko2Nn5goAnmw5f3Y+Ar8fuVredqNnQsm4XnQNYo8yxReJfXqyQKoss6jSZUCfmp5B4bPdu1oPgPpR2S1eTtcSSBXSrWDCfDpbjrz6lGAe\/tQmXM1dSH7TZAgdMsTE2Jo07HDpGAVJwQhl6aumnSE7ggDvL3Iny1wUt05PYfWZy\/RRYwVGb6NI5hgx6amotnSfkEXdvOV5Tw8ZxHpS9JZoZO5+cMEBi1CzodZar\/b05lUOuCqKEN7cXLq0hFb0iyn2TeHKaFROGzAVpz3IqFVHcSHfxnFzS9YrfTyzLY64jL2Hi1S97NDH9GRMBcfj3z20rkkcnm0QpLAOXLPR33qVsDD0roks654hnEiGX+Dv2p\/+E+LQC+AEUOFlS1HShy+MyjNs3AWfb\/BNXnttbjHkitI1S279pT6BJGRLVXTu36OiWtTx58uiwYodN0RFOds7+rrbFjE1LjrZtpuiWv34LiKRJdEErbj7V28mLOHAQVT1CzAvfaEZPmBVal5Ysq+mDjwDmPIW\/YTMlbhFxaQYnEO0z\/9aLQd3KfuyQ1Yk\/dNhPUu2m2VK+8vrX5TMEzUvBy\/ekjqt8\/JPciLYd0JTSt8WQEwoRZGUdvzGfA6Q6XeGOoCj3rF3lCf9e8F+hp3TjsWN1duLafxIc15jtTFp2q9H+ZSf99B+ezbFGe+nLATwHbO4FerhMjRDEE8d\/LkG05sR4f68g+UNtyETXaa3beTZtBfrCBr\/zNh7qcZNyotAmNT7sEn1FGeQAJJnj0ljl4zdHckrcZhF6cKIaqm8JQg7aqyi11e+rgP44ZjfJ+Y0KWXrdvqxaYQ2sS2ZvqVjldTWXs0AbWEfuskd9j5tysnWmnsyMPg\/rWrqA1oHE7SdfdYSKjetxweGvP0bf5Hxyib1zjCdgk7Ddr0XV4lQcRtWRrjZvF4XlgIH5dtCytrwWh8V5qW9H\/KXVSfFzYCgKxw2DfekXswHqcqhuw4gr76iUhzt1n64t0Q\/4XX3l9Man1x9ysVdcavIHJ3THarJaV4qXPlgGh677MpxSrbp6Eec4qnuXtZzkO2WtR7Z4lDrg+L5wkZg41x4P6IRjOqL5m7v1qdyBLckAkFOu9yvv+0rErkap9uTVEyzt6S0+OO4LaJKMgX6pNzsghquwdaUzjc7oS+q11Q5CSZ59R1C2TWwxTQYITw6LzU6Lm9JvWIVohmVXmQsNhLX9Fg3iEJbOnn4jaw13ijyZnLVVXtmcVB8Vnt2enN1DntXWXR5bjuxglzyVpRK3gbv4Wpqaf4z09PGWtZmwYsuq6jFD9HnFp9u\/aijKPeOEmrWwYkioN+AXLtzEnZ2p4MJsbt\/Vcz49\/SzOTk5Tj82bgcyZR09O+w9h2k3MTAMjZ+LcO2sL2Rwahv\/0y0FVlL8Ksy388YC8MAKRHUXGIIFiOqor0LZrqxE0ei6hzVjT5E+gDm5VBuBwbv21DBrTG+S7IJqbh
Mq"} +01961{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":54,"source":"cfgs\/default\/pcap\/nordvpn.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":87609474,"flow_src_last_pkt_time":89456311,"flow_dst_last_pkt_time":88825983,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":73,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":679,"flow_dst_max_l4_payload_len":1116,"flow_src_tot_l4_payload_len":3115,"flow_dst_tot_l4_payload_len":6510,"midstream":0,"thread_ts_usec":89456311,"l3_proto":"ip4","src_ip":"192.168.1.204","dst_ip":"192.145.125.35","src_port":63670,"dst_port":1198,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":8,"avg":98817.6,"max":1082706,"stddev":265178.8,"var":70319783936.0,"ent":2.4,"data": [36503,37170,34817,51,22,8,12,34710,68,19,15,30459,31119,31774,54,31119,282,1045872,1082706,103,218338,91,15,11,34796,1189,13872,57,22,22,398050]},"pktlen": {"min":101,"avg":328.8,"max":1144,"stddev":349.5,"var":122181.9,"ent":4.4,"data": [114,126,409,122,1144,1144,1144,1144,126,130,134,138,834,707,284,362,146,150,173,122,392,150,159,129,129,129,128,117,117,101,189,128]},"bins": {"c_to_s": [0,0,4,12,2,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,2,1,0,0,0,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,1,1,1,1,0,0,0,0,1,0,1,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0],"entropies": [6.285833836,6.574460030,6.914950848,6.427595139,7.850133896,7.818133354,7.800798893,7.842847347,6.303515434,6.469485283,6.482215405,6.459611416,7.768293381,7.693883896,7.179449081,7.458499432,6.471373081,6.424789429,6.796693802,6.355833054,7.444475651,6.568186760,6.619147778,6.537427425,6.412118435,6.473360538,6.475629807,6.317978859,6.331737041,6.152075768,6.867091179,6.444379807]}} 
+01030{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":54,"source":"cfgs\/default\/pcap\/nordvpn.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":87609474,"flow_src_last_pkt_time":89456311,"flow_dst_last_pkt_time":88825983,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":73,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":679,"flow_dst_max_l4_payload_len":1116,"flow_src_tot_l4_payload_len":3115,"flow_dst_tot_l4_payload_len":6510,"midstream":0,"thread_ts_usec":89456311,"l3_proto":"ip4","src_ip":"192.168.1.204","dst_ip":"192.145.125.35","src_port":63670,"dst_port":1198,"l4_proto":"udp","ndpi": {"flow_risk": {"35": {"risk":"Susp Entropy","severity":"Low","risk_score": {"total":210,"client":165,"server":45}}},"confidence": {"7":"Match by IP"},"proto":"NordVPN","proto_id":"426","proto_by_ip":"NordVPN","proto_by_ip_id":426,"encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} +00744{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":66,"source":"cfgs\/default\/pcap\/nordvpn.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":96300241,"flow_src_last_pkt_time":96300241,"flow_dst_last_pkt_time":96300241,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":96300241,"l3_proto":"ip4","src_ip":"192.168.1.204","dst_ip":"212.129.45.224","src_port":49766,"dst_port":995,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} 
+00520{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":66,"source":"cfgs\/default\/pcap\/nordvpn.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_src_last_pkt_time":96300241,"flow_dst_last_pkt_time":96300241,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":96300241,"pkt":"ILAB4IZiCAAnOk7TCABFAAA0XutAAIAG1wLAqAHM1IEt4MJmA+N62e9\/AAAAAIAC\/\/95mwAAAgQFtAEDAwQBAQQC"} +00519{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":67,"source":"cfgs\/default\/pcap\/nordvpn.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_src_last_pkt_time":96300241,"flow_dst_last_pkt_time":96338121,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":96338121,"pkt":"CAAnOk7TILAB4IZiCABFAAA0AABAADYGf+7UgS3gwKgBzAPjwma91rjletnvgIAS\/\/8CyQAAAgQFtAEBBAIBAwMJ"} +00501{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":68,"source":"cfgs\/default\/pcap\/nordvpn.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_src_last_pkt_time":96338375,"flow_dst_last_pkt_time":96338121,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":96338375,"pkt":"ILAB4IZiCAAnOk7TCABFAAAoXuxAAIAG1w3AqAHM1IEt4MJmA+N62e+Avda45lAQgADDnAAA"} 
+00624{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":69,"source":"cfgs\/default\/pcap\/nordvpn.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":4,"flow_src_last_pkt_time":96340181,"flow_dst_last_pkt_time":96338121,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":142,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":142,"pkt_l4_len":108,"thread_ts_usec":96340181,"pkt":"ILAB4IZiCAAnOk7TCABFAACAXu1AAIAG1rTAqAHM1IEt4MJmA+N62e+Avda45lAYgABvEwAAAFZMPTMzOTy6NYFNICktffazw4KYqbbSDhTT8os52PjTz4VUVn5Ok0Suf417eJb0FlARsW14Nqga92AuWc+gLlsk6tt1mA3Gj3dHYnCvscFASjXwu6+3WA=="} +00509{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":70,"source":"cfgs\/default\/pcap\/nordvpn.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":5,"flow_src_last_pkt_time":96340181,"flow_dst_last_pkt_time":96372515,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":96372515,"pkt":"CAAnOk7TILAB4IZiCABFAAAoBelAADYGehHUgS3gwKgBzAPjwma91rjmetnv2FAQAIBCxQAAAAAAAAAA"} +01975{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":97,"source":"cfgs\/default\/pcap\/nordvpn.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":96300241,"flow_src_last_pkt_time":97399908,"flow_dst_last_pkt_time":97431999,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1417,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":3449,"flow_dst_tot_l4_payload_len":6441,"midstream":0,"thread_ts_usec":97431999,"l3_proto":"ip4","src_ip":"192.168.1.204","dst_ip":"212.129.45.224","src_port":49766,"dst_port":995,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": 
{"min":7,"avg":71981.5,"max":562257,"stddev":120648.8,"var":14556123136.0,"ent":3.7,"data": [37880,38134,1806,34394,51,32792,37583,41,7,15,37379,1040,32077,31137,32434,32443,75980,75921,32574,60,34626,34996,33564,34092,82850,427960,562257,84948,33625,185067,183692]},"pktlen": {"min":40,"avg":350.9,"max":1500,"stddev":470.2,"var":221099.3,"ent":4.0,"data": [52,52,40,128,46,140,423,136,1500,1500,1500,40,140,116,252,863,152,46,728,46,298,160,383,164,405,40,1457,46,142,46,143,46]},"bins": {"c_to_s": [4,0,1,6,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0],"s_to_c": [7,0,1,2,0,0,0,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,1,0,1,1,1,1,0,0,1,0,1,0,1,0,1,1,0,1,0,1,0,0,1,0,1,0,1],"entropies": [4.584304333,4.870416641,4.815311432,6.518347740,4.544876099,6.561948299,7.045429230,6.558662891,7.862508297,7.858582973,7.879600525,4.884183884,6.465450287,6.267211914,7.004919052,7.731593132,6.575685024,4.914867401,7.735645771,4.914866924,7.154484749,6.545032501,7.388613224,6.541764259,7.457901955,4.881687164,7.832018375,4.958345413,6.624888420,4.827910900,6.572180748,4.914867401]}} +01036{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":97,"source":"cfgs\/default\/pcap\/nordvpn.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":96300241,"flow_src_last_pkt_time":97399908,"flow_dst_last_pkt_time":97431999,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1417,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":3449,"flow_dst_tot_l4_payload_len":6441,"midstream":0,"thread_ts_usec":97431999,"l3_proto":"ip4","src_ip":"192.168.1.204","dst_ip":"212.129.45.224","src_port":49766,"dst_port":995,"l4_proto":"tcp","ndpi": {"flow_risk": {"51": {"risk":"Fully Encrypted 
Flow","severity":"Medium","risk_score": {"total":360,"client":240,"server":120}}},"confidence": {"1":"Match by port"},"proto":"POPS","proto_id":"23","proto_by_ip":"NordVPN","proto_by_ip_id":426,"encrypted":1,"breed":"Safe","category_id":3,"category":"Email"}} +00748{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":119,"source":"cfgs\/default\/pcap\/nordvpn.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":142201471,"flow_src_last_pkt_time":142201471,"flow_dst_last_pkt_time":142201471,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":142201471,"l3_proto":"ip4","src_ip":"192.168.1.204","dst_ip":"45.80.28.142","src_port":49788,"dst_port":8443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5} +00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":119,"source":"cfgs\/default\/pcap\/nordvpn.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":1,"flow_src_last_pkt_time":142201471,"flow_dst_last_pkt_time":142201471,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":142201471,"pkt":"ILAB4IZiCAAnOk7TCABFAAA0SAdAAIAGpmrAqAHMLVAcjsJ8IPtv6RjNAAAAAIAC\/\/\/2jwAAAgQFtAEDAwgBAQQC"} 
+00523{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":120,"source":"cfgs\/default\/pcap\/nordvpn.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_src_last_pkt_time":142201471,"flow_dst_last_pkt_time":142205676,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":142205676,"pkt":"CAAnOk7TILAB4IZiCABFAAA0AABAADkGNXItUByOwKgBzCD7wnyOr9Qlb+kYzoAS\/\/+TqAAAAgQFtAEBBAIBAwMJ"} +00507{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":121,"source":"cfgs\/default\/pcap\/nordvpn.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_src_last_pkt_time":142205874,"flow_dst_last_pkt_time":142205676,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":142205874,"pkt":"ILAB4IZiCAAnOk7TCABFAAAoSAhAAIAGpnXAqAHMLVAcjsJ8IPtv6RjOjq\/UJlAQAP\/TfQAA"} +00862{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":122,"source":"cfgs\/default\/pcap\/nordvpn.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":4,"flow_src_last_pkt_time":142206076,"flow_dst_last_pkt_time":142205676,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":316,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":316,"pkt_l4_len":282,"thread_ts_usec":142206076,"pkt":"ILAB4IZiCAAnOk7TCABFAAEuSAlAAIAGpW7AqAHMLVAcjsJ8IPtv6RjOjq\/UJlAYAP+66AAAFgMBAQEBAAD9AwN2cseb1I7USn\/sDClITEw1kAVHYLgC1So1jwPawbNPZyDpXstC1M7f+zqyy1Sgp7uVpa2i0LgVhqjCbRElHRmeMAAUEwITARMDwCzAK8ypwDDAL8yoAP8BAACgAA0AJgAkBQMEAwgHCAYIBQgEBgEFAQQBBQMEAwgHCAYIBQgEBgEFAQQBAAsAAgEAAAUABQEAAAAAACsABQQDBAMDADMAJgAkAB0AIOpIdKKk4y2bLBdkYJUQWstuhlbvoJMrmkmCRR5YyhN7AAAAFgAUAAARaXQzMTUubm9yZHZwbi5jb20AIwAAABcAAAAKAAgABgAdABcAGAAtAAIBAQ=="} 
+01416{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":122,"source":"cfgs\/default\/pcap\/nordvpn.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":142201471,"flow_src_last_pkt_time":142206076,"flow_dst_last_pkt_time":142205676,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":262,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":262,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":142206076,"l3_proto":"ip4","src_ip":"192.168.1.204","dst_ip":"45.80.28.142","src_port":49788,"dst_port":8443,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":160,"client":140,"server":20}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}}},"confidence": {"6":"DPI"},"proto":"TLS.NordVPN","proto_id":"91.426","proto_by_ip":"NordVPN","proto_by_ip_id":426,"encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN","hostname":"it315.nordvpn.com","domainame":"it315.nordvpn.com","tls": {"version":"TLSv1.2","ja3s":"","ja4":"t13d101000_61a7ad8aa9b6_b082c14843f9","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","tls_supported_versions":"TLSv1.3,TLSv1.2","blocks":0}}} +00513{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":123,"source":"cfgs\/default\/pcap\/nordvpn.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":5,"flow_src_last_pkt_time":142206076,"flow_dst_last_pkt_time":142209879,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":142209879,"pkt":"CAAnOk7TILAB4IZiCABFAAAolaJAADkGn9stUByOwKgBzCD7wnyOr9Qmb+kZ1FAQAIPS8wAAAAAAAAAA"} 
+01461{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":124,"source":"cfgs\/default\/pcap\/nordvpn.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":142201471,"flow_src_last_pkt_time":142206076,"flow_dst_last_pkt_time":142214792,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":262,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":262,"flow_dst_tot_l4_payload_len":1460,"midstream":0,"thread_ts_usec":142214792,"l3_proto":"ip4","src_ip":"192.168.1.204","dst_ip":"45.80.28.142","src_port":49788,"dst_port":8443,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":160,"client":140,"server":20}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}}},"confidence": {"6":"DPI"},"proto":"TLS.NordVPN","proto_id":"91.426","proto_by_ip":"NordVPN","proto_by_ip_id":426,"encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN","hostname":"it315.nordvpn.com","domainame":"it315.nordvpn.com","tls": {"version":"TLSv1.3","ja3s":"f4febc55ea12b31ae17cfb7e614afda8","ja4":"t13d101000_61a7ad8aa9b6_b082c14843f9","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","tls_supported_versions":"TLSv1.3,TLSv1.2","blocks":0}}} 
+00963{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":143,"source":"cfgs\/default\/pcap\/nordvpn.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":8,"flow_first_seen":72956182,"flow_src_last_pkt_time":74235198,"flow_dst_last_pkt_time":74233325,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":32,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":768,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":1892,"flow_dst_tot_l4_payload_len":6300,"midstream":0,"thread_ts_usec":143113117,"l3_proto":"ip4","src_ip":"192.168.1.204","dst_ip":"138.199.54.231","src_port":53465,"dst_port":51820,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"WireGuard.NordVPN","proto_id":"206.426","proto_by_ip":"NordVPN","proto_by_ip_id":426,"encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} +01072{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":143,"source":"cfgs\/default\/pcap\/nordvpn.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":11,"flow_first_seen":87609474,"flow_src_last_pkt_time":91987482,"flow_dst_last_pkt_time":88825983,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":73,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":679,"flow_dst_max_l4_payload_len":1116,"flow_src_tot_l4_payload_len":4297,"flow_dst_tot_l4_payload_len":6510,"midstream":0,"thread_ts_usec":143113117,"l3_proto":"ip4","src_ip":"192.168.1.204","dst_ip":"192.145.125.35","src_port":63670,"dst_port":1198,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"flow_risk": {"35": {"risk":"Susp Entropy","severity":"Low","risk_score": {"total":210,"client":165,"server":45}}},"confidence": {"7":"Match by 
IP"},"proto":"NordVPN","proto_id":"426","proto_by_ip":"NordVPN","proto_by_ip_id":426,"encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} +01207{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":143,"source":"cfgs\/default\/pcap\/nordvpn.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":12,"flow_dst_packets_processed":13,"flow_first_seen":142201471,"flow_src_last_pkt_time":143113117,"flow_dst_last_pkt_time":142524666,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":2854,"flow_dst_tot_l4_payload_len":5148,"midstream":0,"thread_ts_usec":143113117,"l3_proto":"ip4","src_ip":"192.168.1.204","dst_ip":"45.80.28.142","src_port":49788,"dst_port":8443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":160,"client":140,"server":20}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":460,"client":410,"server":50}}},"confidence": {"6":"DPI"},"proto":"TLS.NordVPN","proto_id":"91.426","proto_by_ip":"NordVPN","proto_by_ip_id":426,"encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} 
+01079{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":143,"source":"cfgs\/default\/pcap\/nordvpn.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":26,"flow_dst_packets_processed":27,"flow_first_seen":96300241,"flow_src_last_pkt_time":100257768,"flow_dst_last_pkt_time":99939060,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1417,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":5803,"flow_dst_tot_l4_payload_len":6441,"midstream":0,"thread_ts_usec":143113117,"l3_proto":"ip4","src_ip":"192.168.1.204","dst_ip":"212.129.45.224","src_port":49766,"dst_port":995,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"flow_risk": {"51": {"risk":"Fully Encrypted Flow","severity":"Medium","risk_score": {"total":360,"client":240,"server":120}}},"confidence": {"1":"Match by port"},"proto":"POPS","proto_id":"23","proto_by_ip":"NordVPN","proto_by_ip_id":426,"encrypted":1,"breed":"Safe","category_id":3,"category":"Email"}} +00839{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":143,"source":"cfgs\/default\/pcap\/nordvpn.pcap","alias":"nDPId-test","version":"1.7.0","ndpi_version":"4.13.0-5173-c49d126","ndpi_api_version":11990,"size_per_flow":1400,"packets-captured":143,"packets-processed":143,"pfring_active":false,"pfring_recv":0,"pfring_drop":0,"pfring_shunt":0,"total-skipped-flows":0,"total-l4-payload-len":39245,"total-not-detected-flows":0,"total-guessed-flows":2,"total-detected-flows":2,"total-detection-updates":1,"total-updates":0,"current-active-flows":0,"total-active-flows":4,"total-idle-flows":4,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"global-alloc-count":0,"global-free-count":0,"global-alloc-bytes":0,"global-free-bytes":0,"total-events-serialized":37,"global_ts_usec":143113117} +~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ +~~ packets 
captured/processed: 143/143 +~~ skipped flows.............: 0 +~~ total layer4 data length..: 39245 bytes +~~ total detected protocols..: 2 +~~ total active/idle flows...: 4/4 +~~ total timeout flows.......: 0 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +~~ total memory allocated....: 8459598 bytes +~~ total memory freed........: 8459598 bytes +~~ total allocations/frees...: 144921/144921 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +~~ json message min len.......: 506 chars +~~ json message max len.......: 2004 chars +~~ json message avg len.......: 1255 chars |