aboutsummaryrefslogtreecommitdiff
path: root/test/results/flow-captured
diff options
context:
space:
mode:
Diffstat (limited to 'test/results/flow-captured')
-rw-r--r--test/results/flow-captured/caches_cfg/ookla.pcap.out1
-rw-r--r--test/results/flow-captured/caches_cfg/teams.pcap.out4
-rw-r--r--test/results/flow-captured/caches_global/ookla.pcap.out1
-rw-r--r--test/results/flow-captured/caches_global/teams.pcap.out4
-rw-r--r--test/results/flow-captured/default/1kxun.pcap.out4
-rw-r--r--test/results/flow-captured/default/KakaoTalk_chat.pcap.out2
-rw-r--r--test/results/flow-captured/default/KakaoTalk_talk.pcap.out4
-rw-r--r--test/results/flow-captured/default/alexa-app.pcapng.out54
-rw-r--r--test/results/flow-captured/default/anyconnect-vpn.pcap.out2
-rw-r--r--test/results/flow-captured/default/dingtalk.pcap.out0
-rw-r--r--test/results/flow-captured/default/dnscrypt-v2-doh.pcap.out38
-rw-r--r--test/results/flow-captured/default/emotet.pcap.out1
-rw-r--r--test/results/flow-captured/default/fuzz-2006-09-29-28586.pcap.out1
-rw-r--r--test/results/flow-captured/default/googledns_android10.pcap.out2
-rw-r--r--test/results/flow-captured/default/http-basic-auth.pcap.out15
-rw-r--r--test/results/flow-captured/default/http-pwd.pcapng.out1
-rw-r--r--test/results/flow-captured/default/http_ipv6.pcap.out1
-rw-r--r--test/results/flow-captured/default/instagram.pcap.out1
-rw-r--r--test/results/flow-captured/default/naver.pcap.out0
-rw-r--r--test/results/flow-captured/default/netflix.pcap.out5
-rw-r--r--test/results/flow-captured/default/ocs.pcap.out5
-rw-r--r--test/results/flow-captured/default/ookla.pcap.out1
-rw-r--r--test/results/flow-captured/default/openvpn_obfuscated.pcapng.out4
-rw-r--r--test/results/flow-captured/default/paltalk.pcapng.out0
-rw-r--r--test/results/flow-captured/default/quic_sh.pcap.out3
-rw-r--r--test/results/flow-captured/default/rdp_over_tls.pcap.out1
-rw-r--r--test/results/flow-captured/default/safari.pcap.out4
-rw-r--r--test/results/flow-captured/default/sites2.pcapng.out0
-rw-r--r--test/results/flow-captured/default/smtp-starttls.pcap.out2
-rw-r--r--test/results/flow-captured/default/snapchat.pcap.out1
-rw-r--r--test/results/flow-captured/default/sonos.pcapng.out1
-rw-r--r--test/results/flow-captured/default/stun_wa_call.pcapng.out4
-rw-r--r--test/results/flow-captured/default/teams.pcap.out4
-rw-r--r--test/results/flow-captured/default/tls_1.2_unidirectional_client.pcapng.out0
-rw-r--r--test/results/flow-captured/default/tls_1.2_unidirectional_client_no_cert.pcapng.out0
-rw-r--r--test/results/flow-captured/default/tls_1.2_unidirectional_server.pcapng.out0
-rw-r--r--test/results/flow-captured/default/tls_1.2_unidirectional_server_no_cert.pcapng.out0
-rw-r--r--test/results/flow-captured/default/tls_1.3_unidirectional_client.pcapng.out0
-rw-r--r--test/results/flow-captured/default/tls_1.3_unidirectional_server.pcapng.out0
-rw-r--r--test/results/flow-captured/default/tls_change_cipher.pcap.out0
-rw-r--r--test/results/flow-captured/default/tls_heur__shadowsocks-tcp.pcapng.out2
-rw-r--r--test/results/flow-captured/default/tls_heur__trojan-tcp-tls.pcapng.out3
-rw-r--r--test/results/flow-captured/default/tls_heur__vmess-tcp-tls.pcapng.out3
-rw-r--r--test/results/flow-captured/default/tls_heur__vmess-tcp.pcapng.out2
-rw-r--r--test/results/flow-captured/default/tls_heur__vmess-websocket.pcapng.out1
-rw-r--r--test/results/flow-captured/default/tls_with_huge_ch.pcapng.out1
-rw-r--r--test/results/flow-captured/default/tor.pcap.out6
-rw-r--r--test/results/flow-captured/default/waze.pcap.out5
-rw-r--r--test/results/flow-captured/default/webex.pcap.out19
-rw-r--r--test/results/flow-captured/default/whatsapp_login_call.pcap.out4
-rw-r--r--test/results/flow-captured/default/windscribe.pcapng.out1
-rw-r--r--test/results/flow-captured/default/zoom.pcap.out3
-rw-r--r--test/results/flow-captured/disable_aggressiveness/ookla.pcap.out1
-rw-r--r--test/results/flow-captured/disable_metadata/sip.pcap.out1
-rw-r--r--test/results/flow-captured/disable_use_client_ip/bot.pcap.out1
-rw-r--r--test/results/flow-captured/disable_use_client_port/iphone.pcap.out1
-rw-r--r--test/results/flow-captured/enable_payload_stat/1kxun.pcap.out4
-rw-r--r--test/results/flow-captured/fpc_disabled/teams.pcap.out4
-rw-r--r--test/results/flow-captured/guess_ip_before_port_enabled/1kxun.pcap.out111
-rw-r--r--test/results/flow-captured/guessing_disable/webex.pcap.out19
-rw-r--r--test/results/flow-captured/ip_lists_disable/1kxun.pcap.out4
-rw-r--r--test/results/flow-captured/monitoring/stun.pcap.out3
-rw-r--r--test/results/flow-captured/monitoring/stun_google_meet.pcapng.out4
-rw-r--r--test/results/flow-captured/monitoring/stun_signal.pcapng.out16
-rw-r--r--test/results/flow-captured/monitoring/stun_wa_call.pcapng.out9
-rw-r--r--test/results/flow-captured/monitoring/stun_zoom.pcapng.out2
-rw-r--r--test/results/flow-captured/monitoring/teams.pcap.out17
-rw-r--r--test/results/flow-captured/monitoring/telegram_videocall.pcapng.out17
-rw-r--r--test/results/flow-captured/openvpn_heuristic_enabled/openvpn_obfuscated.pcapng.out4
-rw-r--r--test/results/flow-captured/stun_all_attributes_disabled/teams.pcap.out4
-rw-r--r--test/results/flow-captured/stun_only_peer_address_enabled/stun_wa_call.pcapng.out4
-rw-r--r--test/results/flow-captured/tls_heuristics_enabled/tls_heur__shadowsocks-tcp.pcapng.out2
-rw-r--r--test/results/flow-captured/tls_heuristics_enabled/tls_heur__trojan-tcp-tls.pcapng.out3
-rw-r--r--test/results/flow-captured/tls_heuristics_enabled/tls_heur__vmess-tcp-tls.pcapng.out3
-rw-r--r--test/results/flow-captured/tls_heuristics_enabled/tls_heur__vmess-tcp.pcapng.out2
-rw-r--r--test/results/flow-captured/tls_heuristics_enabled/tls_heur__vmess-websocket.pcapng.out1
-rw-r--r--test/results/flow-captured/zoom_extra_dissection/zoom.pcap.out3
77 files changed, 274 insertions, 187 deletions
diff --git a/test/results/flow-captured/caches_cfg/ookla.pcap.out b/test/results/flow-captured/caches_cfg/ookla.pcap.out
index 76a45ed58..1f5694308 100644
--- a/test/results/flow-captured/caches_cfg/ookla.pcap.out
+++ b/test/results/flow-captured/caches_cfg/ookla.pcap.out
@@ -1,2 +1 @@
Flow 3 risky: tcp 192.168.1.7:51207 -> 46.44.253.187:80
-Flow 6 risky: tcp 192.168.1.128:35830 -> 89.96.108.170:8080
diff --git a/test/results/flow-captured/caches_cfg/teams.pcap.out b/test/results/flow-captured/caches_cfg/teams.pcap.out
index f9a450ce5..4e70f518c 100644
--- a/test/results/flow-captured/caches_cfg/teams.pcap.out
+++ b/test/results/flow-captured/caches_cfg/teams.pcap.out
@@ -1,4 +1,3 @@
-Flow 7 risky: tcp 192.168.1.6:60535 -> 52.114.77.33:443
Flow 48 risky: tcp 192.168.1.6:60559 -> 52.114.77.33:443
Flow 64 risky: tcp 192.168.1.6:50018 -> 52.114.250.123:443
Flow 78 risky: udp 93.71.110.205:16332 -> 192.168.1.6:50016
@@ -6,11 +5,10 @@ Flow 67 risky: tcp 192.168.1.6:50021 -> 52.114.250.123:443
Flow 43 risky: tcp 192.168.1.6:60554 -> 52.113.194.132:443
Flow 36 risky: udp 192.168.1.6:61245 -> 192.168.1.1:53
Flow 4 risky: tcp 192.168.1.6:60532 -> 52.114.77.33:443
+Flow 7 risky: tcp 192.168.1.6:60535 -> 52.114.77.33:443
Flow 25 risky: tcp 192.168.1.6:60543 -> 52.114.77.33:443
Flow 51 risky: tcp 192.168.1.6:60561 -> 52.114.77.33:443
Flow 74 risky: tcp 192.168.1.6:60567 -> 52.114.77.136:443
-Flow 30 risky: tcp 192.168.1.6:60546 -> 167.99.215.164:4434
-Flow 61 risky: tcp 192.168.1.6:60566 -> 167.99.215.164:4434
Flow 60 not-detected: tcp 151.11.50.139:2222 -> 192.168.1.6:54750
Flow 60 midstream: tcp 151.11.50.139:2222 -> 192.168.1.6:54750
Flow 79 risky: udp 93.71.110.205:16333 -> 192.168.1.6:50036
diff --git a/test/results/flow-captured/caches_global/ookla.pcap.out b/test/results/flow-captured/caches_global/ookla.pcap.out
index 76a45ed58..1f5694308 100644
--- a/test/results/flow-captured/caches_global/ookla.pcap.out
+++ b/test/results/flow-captured/caches_global/ookla.pcap.out
@@ -1,2 +1 @@
Flow 3 risky: tcp 192.168.1.7:51207 -> 46.44.253.187:80
-Flow 6 risky: tcp 192.168.1.128:35830 -> 89.96.108.170:8080
diff --git a/test/results/flow-captured/caches_global/teams.pcap.out b/test/results/flow-captured/caches_global/teams.pcap.out
index f9a450ce5..4e70f518c 100644
--- a/test/results/flow-captured/caches_global/teams.pcap.out
+++ b/test/results/flow-captured/caches_global/teams.pcap.out
@@ -1,4 +1,3 @@
-Flow 7 risky: tcp 192.168.1.6:60535 -> 52.114.77.33:443
Flow 48 risky: tcp 192.168.1.6:60559 -> 52.114.77.33:443
Flow 64 risky: tcp 192.168.1.6:50018 -> 52.114.250.123:443
Flow 78 risky: udp 93.71.110.205:16332 -> 192.168.1.6:50016
@@ -6,11 +5,10 @@ Flow 67 risky: tcp 192.168.1.6:50021 -> 52.114.250.123:443
Flow 43 risky: tcp 192.168.1.6:60554 -> 52.113.194.132:443
Flow 36 risky: udp 192.168.1.6:61245 -> 192.168.1.1:53
Flow 4 risky: tcp 192.168.1.6:60532 -> 52.114.77.33:443
+Flow 7 risky: tcp 192.168.1.6:60535 -> 52.114.77.33:443
Flow 25 risky: tcp 192.168.1.6:60543 -> 52.114.77.33:443
Flow 51 risky: tcp 192.168.1.6:60561 -> 52.114.77.33:443
Flow 74 risky: tcp 192.168.1.6:60567 -> 52.114.77.136:443
-Flow 30 risky: tcp 192.168.1.6:60546 -> 167.99.215.164:4434
-Flow 61 risky: tcp 192.168.1.6:60566 -> 167.99.215.164:4434
Flow 60 not-detected: tcp 151.11.50.139:2222 -> 192.168.1.6:54750
Flow 60 midstream: tcp 151.11.50.139:2222 -> 192.168.1.6:54750
Flow 79 risky: udp 93.71.110.205:16333 -> 192.168.1.6:50036
diff --git a/test/results/flow-captured/default/1kxun.pcap.out b/test/results/flow-captured/default/1kxun.pcap.out
index e68307bbc..034a664ad 100644
--- a/test/results/flow-captured/default/1kxun.pcap.out
+++ b/test/results/flow-captured/default/1kxun.pcap.out
@@ -21,10 +21,6 @@ Flow 42 not-detected: udp 192.168.10.110:60480 -> 255.255.255.255:62976
Flow 56 not-detected: udp 59.120.208.218:50151 -> 255.255.255.255:1947
Flow 59 risky: tcp 192.168.5.16:53624 -> 68.233.253.133:80
Flow 36 risky: tcp 192.168.115.8:49605 -> 106.185.35.110:80
-Flow 45 risky: tcp 192.168.5.16:53623 -> 192.168.115.75:443
-Flow 87 risky: tcp 192.168.5.16:53625 -> 192.168.115.75:443
-Flow 107 risky: tcp 192.168.5.16:53626 -> 192.168.115.75:443
-Flow 117 risky: tcp 192.168.5.16:53629 -> 192.168.115.75:443
Flow 65 not-detected: udp 192.168.140.140:62976 -> 255.255.255.255:62976
Flow 71 not-detected: udp 192.168.10.7:62976 -> 255.255.255.255:62976
Flow 22 not-detected: udp 192.168.125.30:62976 -> 255.255.255.255:62976
diff --git a/test/results/flow-captured/default/KakaoTalk_chat.pcap.out b/test/results/flow-captured/default/KakaoTalk_chat.pcap.out
index fe86462c2..39160a3b9 100644
--- a/test/results/flow-captured/default/KakaoTalk_chat.pcap.out
+++ b/test/results/flow-captured/default/KakaoTalk_chat.pcap.out
@@ -1,5 +1,5 @@
Flow 26 risky: tcp 10.24.82.188:43581 -> 31.13.68.70:443
-Flow 34 risky: tcp 10.24.82.188:35511 -> 173.252.97.2:443
Flow 15 risky: tcp 10.24.82.188:35503 -> 173.252.97.2:443
+Flow 34 risky: tcp 10.24.82.188:35511 -> 173.252.97.2:443
Flow 37 midstream: tcp 10.24.82.188:49217 -> 216.58.220.174:443
Flow 22 midstream: tcp 31.13.68.73:443 -> 10.24.82.188:47007
diff --git a/test/results/flow-captured/default/KakaoTalk_talk.pcap.out b/test/results/flow-captured/default/KakaoTalk_talk.pcap.out
index 68d1bf6a1..56ea1f174 100644
--- a/test/results/flow-captured/default/KakaoTalk_talk.pcap.out
+++ b/test/results/flow-captured/default/KakaoTalk_talk.pcap.out
@@ -1,4 +1,4 @@
+Flow 4 risky: tcp 10.24.82.188:48489 -> 203.205.147.215:80
Flow 6 risky: tcp 10.24.82.188:32968 -> 110.76.143.50:8080
-Flow 8 risky: tcp 10.24.82.188:58857 -> 110.76.143.50:9001
-Flow 19 risky: tcp 10.24.82.188:59954 -> 173.252.88.128:443
Flow 14 midstream: tcp 10.24.82.188:49217 -> 216.58.220.174:443
+Flow 8 risky: tcp 10.24.82.188:58857 -> 110.76.143.50:9001
diff --git a/test/results/flow-captured/default/alexa-app.pcapng.out b/test/results/flow-captured/default/alexa-app.pcapng.out
index b3d3ac84c..04eafb2eb 100644
--- a/test/results/flow-captured/default/alexa-app.pcapng.out
+++ b/test/results/flow-captured/default/alexa-app.pcapng.out
@@ -1,34 +1,9 @@
-Flow 28 risky: tcp 172.16.42.216:45661 -> 52.94.232.134:443
Flow 14 risky: icmp 172.16.42.1 -> 172.16.42.216
-Flow 80 risky: tcp 172.16.42.216:45703 -> 52.94.232.134:443
-Flow 87 risky: tcp 172.16.42.216:45710 -> 52.94.232.134:443
-Flow 89 risky: tcp 172.16.42.216:45712 -> 52.94.232.134:443
-Flow 107 risky: tcp 172.16.42.216:40856 -> 54.239.29.253:443
-Flow 105 risky: tcp 172.16.42.216:40854 -> 54.239.29.253:443
-Flow 88 risky: tcp 172.16.42.216:45711 -> 52.94.232.134:443
Flow 120 risky: tcp 172.16.42.216:51986 -> 52.84.63.56:80
-Flow 125 risky: tcp 172.16.42.216:40871 -> 54.239.29.253:443
Flow 129 risky: tcp 172.16.42.216:51995 -> 52.84.63.56:80
Flow 126 risky: tcp 172.16.42.216:51992 -> 52.84.63.56:80
Flow 45 risky: tcp 172.16.42.216:49589 -> 52.94.232.134:80
-Flow 29 risky: tcp 172.16.42.216:45662 -> 52.94.232.134:443
-Flow 30 risky: tcp 172.16.42.216:45663 -> 52.94.232.134:443
-Flow 43 risky: tcp 172.16.42.216:45673 -> 52.94.232.134:443
-Flow 44 risky: tcp 172.16.42.216:45674 -> 52.94.232.134:443
-Flow 46 risky: tcp 172.16.42.216:45676 -> 52.94.232.134:443
-Flow 47 risky: tcp 172.16.42.216:45677 -> 52.94.232.134:443
-Flow 48 risky: tcp 172.16.42.216:45678 -> 52.94.232.134:443
-Flow 49 risky: tcp 172.16.42.216:45679 -> 52.94.232.134:443
-Flow 50 risky: tcp 172.16.42.216:45680 -> 52.94.232.134:443
-Flow 53 risky: tcp 172.16.42.216:45683 -> 52.94.232.134:443
-Flow 57 risky: tcp 172.16.42.216:45687 -> 52.94.232.134:443
-Flow 59 risky: tcp 172.16.42.216:45688 -> 52.94.232.134:443
-Flow 67 risky: tcp 172.16.42.216:45693 -> 52.94.232.134:443
-Flow 70 risky: tcp 172.16.42.216:45695 -> 52.94.232.134:443
-Flow 71 risky: tcp 172.16.42.216:45696 -> 52.94.232.134:443
-Flow 72 risky: tcp 172.16.42.216:45697 -> 52.94.232.134:443
-Flow 74 risky: tcp 172.16.42.216:45698 -> 52.94.232.134:443
-Flow 157 risky: tcp 172.16.42.216:38483 -> 52.85.209.143:443
+Flow 28 risky: tcp 172.16.42.216:45661 -> 52.94.232.134:443
Flow 142 risky: tcp 172.16.42.216:50799 -> 54.239.28.178:443
Flow 119 risky: tcp 172.16.42.216:51985 -> 52.84.63.56:80
Flow 121 risky: tcp 172.16.42.216:51987 -> 52.84.63.56:80
@@ -40,25 +15,14 @@ Flow 128 risky: tcp 172.16.42.216:51994 -> 52.84.63.56:80
Flow 130 risky: tcp 172.16.42.216:51996 -> 52.84.63.56:80
Flow 131 risky: tcp 172.16.42.216:51997 -> 52.84.63.56:80
Flow 93 risky: tcp 172.16.42.216:49630 -> 52.94.232.134:80
-Flow 117 risky: tcp 172.16.42.216:40864 -> 54.239.29.253:443
-Flow 132 risky: tcp 172.16.42.216:40878 -> 54.239.29.253:443
-Flow 75 risky: tcp 172.16.42.216:37113 -> 52.94.232.134:443
-Flow 81 risky: tcp 172.16.42.216:45704 -> 52.94.232.134:443
-Flow 82 risky: tcp 172.16.42.216:45705 -> 52.94.232.134:443
-Flow 86 risky: tcp 172.16.42.216:45709 -> 52.94.232.134:443
-Flow 91 risky: tcp 172.16.42.216:45714 -> 52.94.232.134:443
-Flow 92 risky: tcp 172.16.42.216:45715 -> 52.94.232.134:443
-Flow 109 risky: tcp 172.16.42.216:45728 -> 52.94.232.134:443
-Flow 110 risky: tcp 172.16.42.216:45729 -> 52.94.232.134:443
-Flow 111 risky: tcp 172.16.42.216:45730 -> 52.94.232.134:443
-Flow 112 risky: tcp 172.16.42.216:45731 -> 52.94.232.134:443
-Flow 113 risky: tcp 172.16.42.216:45732 -> 52.94.232.134:443
-Flow 133 risky: tcp 172.16.42.216:45750 -> 52.94.232.134:443
-Flow 134 risky: tcp 172.16.42.216:45751 -> 52.94.232.134:443
-Flow 137 risky: tcp 172.16.42.216:45752 -> 52.94.232.134:443
-Flow 136 risky: tcp 172.16.42.216:39750 -> 52.94.232.134:443
-Flow 156 risky: tcp 172.16.42.216:58048 -> 54.239.28.178:443
+Flow 105 risky: tcp 172.16.42.216:40854 -> 54.239.29.253:443
+Flow 107 risky: tcp 172.16.42.216:40856 -> 54.239.29.253:443
+Flow 125 risky: tcp 172.16.42.216:40871 -> 54.239.29.253:443
+Flow 80 risky: tcp 172.16.42.216:45703 -> 52.94.232.134:443
+Flow 87 risky: tcp 172.16.42.216:45710 -> 52.94.232.134:443
+Flow 88 risky: tcp 172.16.42.216:45711 -> 52.94.232.134:443
+Flow 89 risky: tcp 172.16.42.216:45712 -> 52.94.232.134:443
Flow 65 risky: tcp 172.16.42.216:41691 -> 54.239.29.146:443
+Flow 157 risky: tcp 172.16.42.216:38483 -> 52.85.209.143:443
Flow 99 risky: tcp 172.16.42.216:44001 -> 176.32.101.52:443
-Flow 11 risky: tcp 172.16.42.216:42878 -> 173.194.223.188:5228
Flow 16 risky: tcp 172.16.42.216:55242 -> 52.85.209.197:443
diff --git a/test/results/flow-captured/default/anyconnect-vpn.pcap.out b/test/results/flow-captured/default/anyconnect-vpn.pcap.out
index 1dbcad056..996513233 100644
--- a/test/results/flow-captured/default/anyconnect-vpn.pcap.out
+++ b/test/results/flow-captured/default/anyconnect-vpn.pcap.out
@@ -1,4 +1,3 @@
-Flow 30 risky: tcp 10.0.0.227:56921 -> 8.37.96.194:4287
Flow 25 midstream: tcp 10.0.0.227:56884 -> 184.25.56.77:80
Flow 24 midstream: tcp 10.0.0.227:56917 -> 184.25.56.77:80
Flow 26 risky: udp 10.0.0.227:54851 -> 75.75.76.76:53
@@ -12,6 +11,7 @@ Flow 3 risky: tcp 10.0.0.227:56320 -> 10.0.0.149:8009
Flow 3 midstream: tcp 10.0.0.227:56320 -> 10.0.0.149:8009
Flow 44 risky: tcp 10.0.0.227:56886 -> 17.57.144.116:5223
Flow 44 midstream: tcp 10.0.0.227:56886 -> 17.57.144.116:5223
+Flow 30 risky: tcp 10.0.0.227:56921 -> 8.37.96.194:4287
Flow 15 risky: tcp 10.0.0.227:56919 -> 8.37.102.91:443
Flow 38 risky: tcp 10.0.0.227:56929 -> 8.37.102.91:443
Flow 40 not-detected: tcp 10.0.0.227:56866 -> 10.0.0.151:8060
diff --git a/test/results/flow-captured/default/dingtalk.pcap.out b/test/results/flow-captured/default/dingtalk.pcap.out
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/test/results/flow-captured/default/dingtalk.pcap.out
diff --git a/test/results/flow-captured/default/dnscrypt-v2-doh.pcap.out b/test/results/flow-captured/default/dnscrypt-v2-doh.pcap.out
index 402ab903d..e69de29bb 100644
--- a/test/results/flow-captured/default/dnscrypt-v2-doh.pcap.out
+++ b/test/results/flow-captured/default/dnscrypt-v2-doh.pcap.out
@@ -1,38 +0,0 @@
-Flow 29 risky: tcp 10.0.0.1:35714 -> 209.250.241.25:443
-Flow 29 midstream: tcp 10.0.0.1:35714 -> 209.250.241.25:443
-Flow 12 midstream: tcp 10.0.0.1:41720 -> 116.203.179.248:443
-Flow 34 risky: tcp 10.0.0.1:35742 -> 209.250.241.25:443
-Flow 34 midstream: tcp 10.0.0.1:35742 -> 209.250.241.25:443
-Flow 25 risky: tcp 10.0.0.1:52028 -> 45.76.113.31:8443
-Flow 25 midstream: tcp 10.0.0.1:52028 -> 45.76.113.31:8443
-Flow 26 midstream: tcp 10.0.0.1:34036 -> 217.169.20.23:443
-Flow 10 midstream: tcp 10.0.0.1:55322 -> 185.134.196.55:443
-Flow 14 midstream: tcp 10.0.0.1:46658 -> 185.233.106.232:443
-Flow 20 midstream: tcp 10.0.0.1:33724 -> 104.28.28.34:443
-Flow 6 midstream: tcp 10.0.0.1:40938 -> 172.104.93.80:443
-Flow 4 midstream: tcp 10.0.0.1:55962 -> 51.158.147.50:443
-Flow 8 risky: tcp 10.0.0.1:38186 -> 185.43.135.1:443
-Flow 8 midstream: tcp 10.0.0.1:38186 -> 185.43.135.1:443
-Flow 13 midstream: tcp 10.0.0.1:60026 -> 195.30.94.28:443
-Flow 31 midstream: tcp 10.0.0.1:57058 -> 46.227.200.54:443
-Flow 17 midstream: tcp 10.0.0.1:44640 -> 185.235.81.1:443
-Flow 21 midstream: tcp 10.0.0.1:53802 -> 1.0.0.1:443
-Flow 28 midstream: tcp 10.0.0.1:54164 -> 193.70.85.11:443
-Flow 27 midstream: tcp 10.0.0.1:43718 -> 146.255.56.98:443
-Flow 33 midstream: tcp 10.0.0.1:44704 -> 185.235.81.1:443
-Flow 18 midstream: tcp 10.0.0.1:43106 -> 116.202.176.26:443
-Flow 9 midstream: tcp 10.0.0.1:51770 -> 9.9.9.10:443
-Flow 32 midstream: tcp 10.0.0.1:51846 -> 9.9.9.10:443
-Flow 30 midstream: tcp 10.0.0.1:43888 -> 95.216.229.153:443
-Flow 11 midstream: tcp 10.0.0.1:52386 -> 51.15.124.208:443
-Flow 19 midstream: tcp 10.0.0.1:59026 -> 85.5.93.230:443
-Flow 23 midstream: tcp 10.0.0.1:52176 -> 136.144.215.158:443
-Flow 22 midstream: tcp 10.0.0.1:33338 -> 45.90.28.0:443
-Flow 15 risky: tcp 10.0.0.1:36012 -> 149.56.228.45:453
-Flow 15 midstream: tcp 10.0.0.1:36012 -> 149.56.228.45:453
-Flow 7 risky: tcp 10.0.0.1:37530 -> 167.114.220.125:453
-Flow 7 midstream: tcp 10.0.0.1:37530 -> 167.114.220.125:453
-Flow 3 midstream: tcp 10.0.0.1:50614 -> 185.95.218.42:443
-Flow 24 midstream: tcp 10.0.0.1:39214 -> 104.28.0.106:443
-Flow 16 midstream: tcp 10.0.0.1:38018 -> 45.153.187.96:443
-Flow 5 midstream: tcp 10.0.0.1:59404 -> 185.253.154.66:443
diff --git a/test/results/flow-captured/default/emotet.pcap.out b/test/results/flow-captured/default/emotet.pcap.out
index 3eb459004..5a3513579 100644
--- a/test/results/flow-captured/default/emotet.pcap.out
+++ b/test/results/flow-captured/default/emotet.pcap.out
@@ -1,3 +1,2 @@
Flow 3 risky: tcp 10.4.20.102:54319 -> 107.161.178.210:80
Flow 4 risky: tcp 10.4.25.101:49797 -> 77.105.36.156:80
-Flow 6 risky: tcp 10.4.25.101:49804 -> 138.197.147.101:443
diff --git a/test/results/flow-captured/default/fuzz-2006-09-29-28586.pcap.out b/test/results/flow-captured/default/fuzz-2006-09-29-28586.pcap.out
index 7ba8a7993..31d61ed01 100644
--- a/test/results/flow-captured/default/fuzz-2006-09-29-28586.pcap.out
+++ b/test/results/flow-captured/default/fuzz-2006-09-29-28586.pcap.out
@@ -1,3 +1,4 @@
+Flow 5 risky: tcp 172.20.3.13:53132 -> 172.20.3.5:80
Flow 34 risky: tcp 172.20.3.13:53136 -> 172.20.3.5:80
Flow 34 midstream: tcp 172.20.3.13:53136 -> 172.20.3.5:80
Flow 39 not-detected: 115 172.20.3.13 -> 172.20.3.5
diff --git a/test/results/flow-captured/default/googledns_android10.pcap.out b/test/results/flow-captured/default/googledns_android10.pcap.out
index 6814757f0..a1dd70b50 100644
--- a/test/results/flow-captured/default/googledns_android10.pcap.out
+++ b/test/results/flow-captured/default/googledns_android10.pcap.out
@@ -1,4 +1,4 @@
-Flow 4 risky: tcp 192.168.1.159:48048 -> 8.8.4.4:853
Flow 5 risky: icmp 192.168.1.159 -> 8.8.8.8
+Flow 4 risky: tcp 192.168.1.159:48048 -> 8.8.4.4:853
Flow 7 risky: tcp 192.168.1.159:48098 -> 8.8.4.4:853
Flow 8 risky: tcp 192.168.1.159:48210 -> 8.8.4.4:853
diff --git a/test/results/flow-captured/default/http-basic-auth.pcap.out b/test/results/flow-captured/default/http-basic-auth.pcap.out
new file mode 100644
index 000000000..d891a90e8
--- /dev/null
+++ b/test/results/flow-captured/default/http-basic-auth.pcap.out
@@ -0,0 +1,15 @@
+Flow 1 risky: tcp 192.168.0.4:54317 -> 192.254.189.169:80
+Flow 2 risky: tcp 192.168.0.4:54318 -> 192.254.189.169:80
+Flow 7 risky: tcp 192.168.0.4:54337 -> 192.254.189.169:80
+Flow 8 risky: tcp 192.168.0.4:54338 -> 192.254.189.169:80
+Flow 9 risky: tcp 192.168.0.4:54340 -> 192.254.189.169:80
+Flow 14 risky: tcp 192.168.0.4:54487 -> 192.254.189.169:80
+Flow 15 risky: tcp 192.168.0.4:54505 -> 192.254.189.169:80
+Flow 24 risky: tcp 192.168.0.4:54584 -> 192.254.189.169:80
+Flow 10 risky: tcp 192.168.0.4:54341 -> 192.254.189.169:80
+Flow 11 risky: tcp 192.168.0.4:54342 -> 192.254.189.169:80
+Flow 12 risky: tcp 192.168.0.4:54343 -> 192.254.189.169:80
+Flow 20 risky: tcp 192.168.0.4:54580 -> 192.254.189.169:80
+Flow 21 risky: tcp 192.168.0.4:54581 -> 192.254.189.169:80
+Flow 22 risky: tcp 192.168.0.4:54582 -> 192.254.189.169:80
+Flow 23 risky: tcp 192.168.0.4:54583 -> 192.254.189.169:80
diff --git a/test/results/flow-captured/default/http-pwd.pcapng.out b/test/results/flow-captured/default/http-pwd.pcapng.out
new file mode 100644
index 000000000..2f04e0388
--- /dev/null
+++ b/test/results/flow-captured/default/http-pwd.pcapng.out
@@ -0,0 +1 @@
+Flow 1 risky: tcp 127.0.0.1:56451 -> 127.0.0.1:3000
diff --git a/test/results/flow-captured/default/http_ipv6.pcap.out b/test/results/flow-captured/default/http_ipv6.pcap.out
index 5ac0c101b..e69de29bb 100644
--- a/test/results/flow-captured/default/http_ipv6.pcap.out
+++ b/test/results/flow-captured/default/http_ipv6.pcap.out
@@ -1 +0,0 @@
-Flow 12 risky: tcp 2a00:d40:1:3:7aac:c0ff:fea7:d4c:37506 -> 2a03:b0c0:3:d0::70:1001:443
diff --git a/test/results/flow-captured/default/instagram.pcap.out b/test/results/flow-captured/default/instagram.pcap.out
index 30265e546..3850d611e 100644
--- a/test/results/flow-captured/default/instagram.pcap.out
+++ b/test/results/flow-captured/default/instagram.pcap.out
@@ -9,7 +9,6 @@ Flow 7 midstream: tcp 192.168.0.103:33976 -> 77.67.29.17:80
Flow 28 guessed: tcp 31.13.86.52:80 -> 192.168.0.103:58216
Flow 28 not-detected: tcp 31.13.86.52:80 -> 192.168.0.103:58216
Flow 28 midstream: tcp 31.13.86.52:80 -> 192.168.0.103:58216
-Flow 1 risky: tcp 192.168.0.103:56382 -> 173.252.107.4:443
Flow 29 guessed: tcp 2.22.236.51:80 -> 192.168.0.103:44151
Flow 29 not-detected: tcp 2.22.236.51:80 -> 192.168.0.103:44151
Flow 29 midstream: tcp 2.22.236.51:80 -> 192.168.0.103:44151
diff --git a/test/results/flow-captured/default/naver.pcap.out b/test/results/flow-captured/default/naver.pcap.out
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/test/results/flow-captured/default/naver.pcap.out
diff --git a/test/results/flow-captured/default/netflix.pcap.out b/test/results/flow-captured/default/netflix.pcap.out
index 2b4cb701c..dad38067c 100644
--- a/test/results/flow-captured/default/netflix.pcap.out
+++ b/test/results/flow-captured/default/netflix.pcap.out
@@ -13,15 +13,12 @@ Flow 40 risky: tcp 192.168.1.7:53179 -> 23.246.11.141:80
Flow 37 risky: tcp 192.168.1.7:53176 -> 23.246.11.141:80
Flow 44 risky: tcp 192.168.1.7:53183 -> 23.246.3.140:80
Flow 2 risky: udp 192.168.1.7:51543 -> 192.168.1.1:53
-Flow 57 risky: tcp 192.168.1.7:53249 -> 52.41.30.5:443
Flow 47 risky: tcp 192.168.1.7:53202 -> 54.191.17.51:443
-Flow 8 risky: tcp 192.168.1.7:53117 -> 52.32.196.36:443
Flow 28 risky: tcp 192.168.1.7:53153 -> 184.25.204.24:80
Flow 14 risky: tcp 192.168.1.7:53132 -> 52.89.39.139:443
Flow 15 risky: tcp 192.168.1.7:53133 -> 52.89.39.139:443
-Flow 16 risky: tcp 192.168.1.7:53134 -> 52.89.39.139:443
Flow 52 risky: udp 192.168.1.7:51622 -> 192.168.1.1:53
-Flow 58 risky: tcp 192.168.1.7:53250 -> 52.41.30.5:443
+Flow 57 risky: tcp 192.168.1.7:53249 -> 52.41.30.5:443
Flow 31 risky: tcp 192.168.1.7:53164 -> 23.246.10.139:80
Flow 45 risky: tcp 192.168.1.7:53184 -> 23.246.11.141:80
Flow 50 risky: tcp 192.168.1.7:53210 -> 23.246.11.133:80
diff --git a/test/results/flow-captured/default/ocs.pcap.out b/test/results/flow-captured/default/ocs.pcap.out
index 90f35e706..90f0a8251 100644
--- a/test/results/flow-captured/default/ocs.pcap.out
+++ b/test/results/flow-captured/default/ocs.pcap.out
@@ -1,7 +1,2 @@
Flow 13 risky: tcp 192.168.180.2:49881 -> 178.248.208.54:80
Flow 20 risky: tcp 192.168.180.2:42590 -> 178.248.208.210:80
-Flow 6 risky: tcp 192.168.180.2:39263 -> 23.21.230.199:443
-Flow 15 risky: tcp 192.168.180.2:36680 -> 178.248.208.54:443
-Flow 16 risky: tcp 192.168.180.2:32946 -> 64.233.184.188:443
-Flow 10 risky: tcp 192.168.180.2:41223 -> 216.58.208.46:443
-Flow 18 risky: tcp 192.168.180.2:47803 -> 64.233.166.95:443
diff --git a/test/results/flow-captured/default/ookla.pcap.out b/test/results/flow-captured/default/ookla.pcap.out
index 76a45ed58..1f5694308 100644
--- a/test/results/flow-captured/default/ookla.pcap.out
+++ b/test/results/flow-captured/default/ookla.pcap.out
@@ -1,2 +1 @@
Flow 3 risky: tcp 192.168.1.7:51207 -> 46.44.253.187:80
-Flow 6 risky: tcp 192.168.1.128:35830 -> 89.96.108.170:8080
diff --git a/test/results/flow-captured/default/openvpn_obfuscated.pcapng.out b/test/results/flow-captured/default/openvpn_obfuscated.pcapng.out
new file mode 100644
index 000000000..073dd5a71
--- /dev/null
+++ b/test/results/flow-captured/default/openvpn_obfuscated.pcapng.out
@@ -0,0 +1,4 @@
+Flow 1 guessed: tcp 192.168.12.156:37976 -> 185.128.25.99:465
+Flow 1 not-detected: tcp 192.168.12.156:37976 -> 185.128.25.99:465
+Flow 3 guessed: tcp 107.161.86.131:443 -> 192.168.12.156:48072
+Flow 3 not-detected: tcp 107.161.86.131:443 -> 192.168.12.156:48072
diff --git a/test/results/flow-captured/default/paltalk.pcapng.out b/test/results/flow-captured/default/paltalk.pcapng.out
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/test/results/flow-captured/default/paltalk.pcapng.out
diff --git a/test/results/flow-captured/default/quic_sh.pcap.out b/test/results/flow-captured/default/quic_sh.pcap.out
new file mode 100644
index 000000000..b81c51fc0
--- /dev/null
+++ b/test/results/flow-captured/default/quic_sh.pcap.out
@@ -0,0 +1,3 @@
+Flow 3 risky: udp 192.168.1.245:40408 -> 13.226.175.53:443
+Flow 1 risky: udp 2001:b07:a3d:c112:91b7:b97e:6e2:fad8:37542 -> 2606:4700:7::a29f:9804:443
+Flow 2 risky: udp 2a00:1450:4002:411::200e:443 -> 2001:b07:a3d:c112:91b7:b97e:6e2:fad8:33144
diff --git a/test/results/flow-captured/default/rdp_over_tls.pcap.out b/test/results/flow-captured/default/rdp_over_tls.pcap.out
new file mode 100644
index 000000000..16134110e
--- /dev/null
+++ b/test/results/flow-captured/default/rdp_over_tls.pcap.out
@@ -0,0 +1 @@
+Flow 1 risky: tcp 91.238.181.21:35888 -> 89.31.79.12:3389
diff --git a/test/results/flow-captured/default/safari.pcap.out b/test/results/flow-captured/default/safari.pcap.out
index 8b4353ac7..4f6e400bc 100644
--- a/test/results/flow-captured/default/safari.pcap.out
+++ b/test/results/flow-captured/default/safari.pcap.out
@@ -1,5 +1 @@
Flow 4 risky: tcp 192.168.1.178:55267 -> 146.48.58.18:443
-Flow 2 risky: tcp 192.168.1.178:55265 -> 146.48.58.18:443
-Flow 3 risky: tcp 192.168.1.178:55266 -> 146.48.58.18:443
-Flow 5 risky: tcp 192.168.1.178:55268 -> 146.48.58.18:443
-Flow 6 risky: tcp 192.168.1.178:55269 -> 146.48.58.18:443
diff --git a/test/results/flow-captured/default/sites2.pcapng.out b/test/results/flow-captured/default/sites2.pcapng.out
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/test/results/flow-captured/default/sites2.pcapng.out
diff --git a/test/results/flow-captured/default/smtp-starttls.pcap.out b/test/results/flow-captured/default/smtp-starttls.pcap.out
index e1a4b74a1..91d1e8a54 100644
--- a/test/results/flow-captured/default/smtp-starttls.pcap.out
+++ b/test/results/flow-captured/default/smtp-starttls.pcap.out
@@ -1,2 +1,2 @@
-Flow 1 risky: tcp 10.0.0.1:57406 -> 173.194.68.26:25
Flow 2 risky: tcp 2003:de:2016:125:fc36:8317:4e86:cb72:7562 -> 2003:de:2016:120::a08:53:25
+Flow 1 risky: tcp 10.0.0.1:57406 -> 173.194.68.26:25
diff --git a/test/results/flow-captured/default/snapchat.pcap.out b/test/results/flow-captured/default/snapchat.pcap.out
index 81b9eb29b..e69de29bb 100644
--- a/test/results/flow-captured/default/snapchat.pcap.out
+++ b/test/results/flow-captured/default/snapchat.pcap.out
@@ -1 +0,0 @@
-Flow 1 risky: tcp 10.8.0.1:33233 -> 74.125.136.141:443
diff --git a/test/results/flow-captured/default/sonos.pcapng.out b/test/results/flow-captured/default/sonos.pcapng.out
new file mode 100644
index 000000000..1c7e2dd75
--- /dev/null
+++ b/test/results/flow-captured/default/sonos.pcapng.out
@@ -0,0 +1 @@
+Flow 1 risky: tcp 192.168.1.29:52425 -> 192.168.1.70:1443
diff --git a/test/results/flow-captured/default/stun_wa_call.pcapng.out b/test/results/flow-captured/default/stun_wa_call.pcapng.out
index 333efcc49..0d1b98afe 100644
--- a/test/results/flow-captured/default/stun_wa_call.pcapng.out
+++ b/test/results/flow-captured/default/stun_wa_call.pcapng.out
@@ -5,9 +5,5 @@ Flow 4 risky: udp 192.168.12.156:46652 -> 157.240.21.51:3478
Flow 5 risky: udp 192.168.12.156:46652 -> 157.240.195.48:3478
Flow 3 risky: udp 192.168.12.156:46652 -> 157.240.231.62:3478
Flow 13 risky: icmp 93.63.100.129 -> 192.168.12.156
-Flow 7 risky: udp 192.168.12.156:49526 -> 157.240.231.62:3478
-Flow 8 risky: udp 192.168.12.156:49526 -> 157.240.196.62:3478
Flow 11 risky: udp 192.168.12.156:49526 -> 10.82.40.241:40436
Flow 12 risky: udp 192.168.12.156:49526 -> 93.33.118.87:41107
-Flow 9 risky: udp 192.168.12.156:49526 -> 179.60.192.48:3478
-Flow 10 risky: udp 192.168.12.156:49526 -> 185.60.216.51:3478
diff --git a/test/results/flow-captured/default/teams.pcap.out b/test/results/flow-captured/default/teams.pcap.out
index f9a450ce5..4e70f518c 100644
--- a/test/results/flow-captured/default/teams.pcap.out
+++ b/test/results/flow-captured/default/teams.pcap.out
@@ -1,4 +1,3 @@
-Flow 7 risky: tcp 192.168.1.6:60535 -> 52.114.77.33:443
Flow 48 risky: tcp 192.168.1.6:60559 -> 52.114.77.33:443
Flow 64 risky: tcp 192.168.1.6:50018 -> 52.114.250.123:443
Flow 78 risky: udp 93.71.110.205:16332 -> 192.168.1.6:50016
@@ -6,11 +5,10 @@ Flow 67 risky: tcp 192.168.1.6:50021 -> 52.114.250.123:443
Flow 43 risky: tcp 192.168.1.6:60554 -> 52.113.194.132:443
Flow 36 risky: udp 192.168.1.6:61245 -> 192.168.1.1:53
Flow 4 risky: tcp 192.168.1.6:60532 -> 52.114.77.33:443
+Flow 7 risky: tcp 192.168.1.6:60535 -> 52.114.77.33:443
Flow 25 risky: tcp 192.168.1.6:60543 -> 52.114.77.33:443
Flow 51 risky: tcp 192.168.1.6:60561 -> 52.114.77.33:443
Flow 74 risky: tcp 192.168.1.6:60567 -> 52.114.77.136:443
-Flow 30 risky: tcp 192.168.1.6:60546 -> 167.99.215.164:4434
-Flow 61 risky: tcp 192.168.1.6:60566 -> 167.99.215.164:4434
Flow 60 not-detected: tcp 151.11.50.139:2222 -> 192.168.1.6:54750
Flow 60 midstream: tcp 151.11.50.139:2222 -> 192.168.1.6:54750
Flow 79 risky: udp 93.71.110.205:16333 -> 192.168.1.6:50036
diff --git a/test/results/flow-captured/default/tls_1.2_unidirectional_client.pcapng.out b/test/results/flow-captured/default/tls_1.2_unidirectional_client.pcapng.out
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/test/results/flow-captured/default/tls_1.2_unidirectional_client.pcapng.out
diff --git a/test/results/flow-captured/default/tls_1.2_unidirectional_client_no_cert.pcapng.out b/test/results/flow-captured/default/tls_1.2_unidirectional_client_no_cert.pcapng.out
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/test/results/flow-captured/default/tls_1.2_unidirectional_client_no_cert.pcapng.out
diff --git a/test/results/flow-captured/default/tls_1.2_unidirectional_server.pcapng.out b/test/results/flow-captured/default/tls_1.2_unidirectional_server.pcapng.out
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/test/results/flow-captured/default/tls_1.2_unidirectional_server.pcapng.out
diff --git a/test/results/flow-captured/default/tls_1.2_unidirectional_server_no_cert.pcapng.out b/test/results/flow-captured/default/tls_1.2_unidirectional_server_no_cert.pcapng.out
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/test/results/flow-captured/default/tls_1.2_unidirectional_server_no_cert.pcapng.out
diff --git a/test/results/flow-captured/default/tls_1.3_unidirectional_client.pcapng.out b/test/results/flow-captured/default/tls_1.3_unidirectional_client.pcapng.out
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/test/results/flow-captured/default/tls_1.3_unidirectional_client.pcapng.out
diff --git a/test/results/flow-captured/default/tls_1.3_unidirectional_server.pcapng.out b/test/results/flow-captured/default/tls_1.3_unidirectional_server.pcapng.out
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/test/results/flow-captured/default/tls_1.3_unidirectional_server.pcapng.out
diff --git a/test/results/flow-captured/default/tls_change_cipher.pcap.out b/test/results/flow-captured/default/tls_change_cipher.pcap.out
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/test/results/flow-captured/default/tls_change_cipher.pcap.out
diff --git a/test/results/flow-captured/default/tls_heur__shadowsocks-tcp.pcapng.out b/test/results/flow-captured/default/tls_heur__shadowsocks-tcp.pcapng.out
new file mode 100644
index 000000000..563044a1a
--- /dev/null
+++ b/test/results/flow-captured/default/tls_heur__shadowsocks-tcp.pcapng.out
@@ -0,0 +1,2 @@
+Flow 2 risky: udp 127.0.0.1:41182 -> 127.0.0.53:53
+Flow 3 not-detected: tcp 127.0.0.1:40164 -> 127.0.0.1:1234
diff --git a/test/results/flow-captured/default/tls_heur__trojan-tcp-tls.pcapng.out b/test/results/flow-captured/default/tls_heur__trojan-tcp-tls.pcapng.out
new file mode 100644
index 000000000..85942bf64
--- /dev/null
+++ b/test/results/flow-captured/default/tls_heur__trojan-tcp-tls.pcapng.out
@@ -0,0 +1,3 @@
+Flow 5 risky: udp 127.0.0.1:53154 -> 127.0.0.53:53
+Flow 7 risky: udp 192.168.1.183:39434 -> 192.168.1.253:53
+Flow 2 risky: udp 127.0.0.1:52786 -> 127.0.0.53:53
diff --git a/test/results/flow-captured/default/tls_heur__vmess-tcp-tls.pcapng.out b/test/results/flow-captured/default/tls_heur__vmess-tcp-tls.pcapng.out
new file mode 100644
index 000000000..bf495d8f4
--- /dev/null
+++ b/test/results/flow-captured/default/tls_heur__vmess-tcp-tls.pcapng.out
@@ -0,0 +1,3 @@
+Flow 6 risky: udp 127.0.0.1:45262 -> 127.0.0.53:53
+Flow 2 risky: udp 127.0.0.1:46548 -> 127.0.0.53:53
+Flow 8 risky: udp 192.168.1.183:42485 -> 192.168.1.253:53
diff --git a/test/results/flow-captured/default/tls_heur__vmess-tcp.pcapng.out b/test/results/flow-captured/default/tls_heur__vmess-tcp.pcapng.out
new file mode 100644
index 000000000..57479df0d
--- /dev/null
+++ b/test/results/flow-captured/default/tls_heur__vmess-tcp.pcapng.out
@@ -0,0 +1,2 @@
+Flow 3 not-detected: tcp 127.0.0.1:40818 -> 127.0.0.1:1234
+Flow 2 risky: udp 127.0.0.1:35957 -> 127.0.0.53:53
diff --git a/test/results/flow-captured/default/tls_heur__vmess-websocket.pcapng.out b/test/results/flow-captured/default/tls_heur__vmess-websocket.pcapng.out
new file mode 100644
index 000000000..237524927
--- /dev/null
+++ b/test/results/flow-captured/default/tls_heur__vmess-websocket.pcapng.out
@@ -0,0 +1 @@
+Flow 3 risky: tcp 127.0.0.1:33702 -> 127.0.0.1:1234
diff --git a/test/results/flow-captured/default/tls_with_huge_ch.pcapng.out b/test/results/flow-captured/default/tls_with_huge_ch.pcapng.out
new file mode 100644
index 000000000..001aa041c
--- /dev/null
+++ b/test/results/flow-captured/default/tls_with_huge_ch.pcapng.out
@@ -0,0 +1 @@
+Flow 1 risky: tcp 172.30.84.193:40640 -> 208.253.217.142:443
diff --git a/test/results/flow-captured/default/tor.pcap.out b/test/results/flow-captured/default/tor.pcap.out
index e379ec029..c48d3f0d5 100644
--- a/test/results/flow-captured/default/tor.pcap.out
+++ b/test/results/flow-captured/default/tor.pcap.out
@@ -1,8 +1,6 @@
-Flow 3 risky: tcp 192.168.1.252:51112 -> 38.229.70.53:443
-Flow 1 risky: tcp 192.168.1.252:51110 -> 91.143.93.242:443
Flow 5 risky: udp 192.168.1.252:138 -> 192.168.1.255:138
+Flow 1 risky: tcp 192.168.1.252:51110 -> 91.143.93.242:443
Flow 2 risky: tcp 192.168.1.252:51111 -> 46.59.52.31:443
Flow 8 risky: tcp 192.168.1.252:51175 -> 91.143.93.242:443
Flow 7 risky: tcp 192.168.1.252:51174 -> 212.83.155.250:443
-Flow 10 risky: tcp 192.168.1.252:51185 -> 62.210.137.230:443
-Flow 9 risky: tcp 192.168.1.252:51176 -> 38.229.70.53:443
+Flow 3 risky: tcp 192.168.1.252:51112 -> 38.229.70.53:443
diff --git a/test/results/flow-captured/default/waze.pcap.out b/test/results/flow-captured/default/waze.pcap.out
index 5eadfae81..f35eddff7 100644
--- a/test/results/flow-captured/default/waze.pcap.out
+++ b/test/results/flow-captured/default/waze.pcap.out
@@ -1,6 +1,4 @@
Flow 3 risky: tcp 10.8.0.1:54915 -> 65.39.128.135:80
-Flow 18 risky: tcp 10.8.0.1:39021 -> 52.17.114.219:443
-Flow 6 risky: tcp 10.8.0.1:36102 -> 46.51.173.182:443
Flow 4 risky: tcp 10.8.0.1:45529 -> 54.230.227.172:80
Flow 8 risky: tcp 10.8.0.1:45536 -> 54.230.227.172:80
Flow 9 risky: tcp 10.8.0.1:45538 -> 54.230.227.172:80
@@ -9,7 +7,8 @@ Flow 15 risky: tcp 10.8.0.1:45546 -> 54.230.227.172:80
Flow 16 risky: tcp 10.8.0.1:45552 -> 54.230.227.172:80
Flow 17 risky: tcp 10.8.0.1:45554 -> 54.230.227.172:80
Flow 5 risky: tcp 10.8.0.1:36100 -> 46.51.173.182:443
+Flow 6 risky: tcp 10.8.0.1:36102 -> 46.51.173.182:443
Flow 19 risky: tcp 10.8.0.1:36312 -> 176.34.186.180:443
-Flow 7 risky: tcp 10.8.0.1:36585 -> 173.194.118.48:443
+Flow 18 risky: tcp 10.8.0.1:39021 -> 52.17.114.219:443
Flow 1 not-detected: tcp 10.16.37.157:42256 -> 174.37.231.81:5222
Flow 1 midstream: tcp 10.16.37.157:42256 -> 174.37.231.81:5222
diff --git a/test/results/flow-captured/default/webex.pcap.out b/test/results/flow-captured/default/webex.pcap.out
index 1e895a83d..33650debc 100644
--- a/test/results/flow-captured/default/webex.pcap.out
+++ b/test/results/flow-captured/default/webex.pcap.out
@@ -1,18 +1,9 @@
-Flow 2 risky: tcp 10.8.0.1:41348 -> 64.68.105.103:443
-Flow 9 risky: tcp 10.8.0.1:41358 -> 64.68.105.103:443
-Flow 37 risky: tcp 10.8.0.1:51155 -> 62.109.224.120:443
-Flow 36 risky: tcp 10.8.0.1:51154 -> 62.109.224.120:443
-Flow 52 risky: tcp 10.8.0.1:51857 -> 62.109.229.158:443
Flow 45 risky: tcp 10.8.0.1:59756 -> 78.46.237.91:80
Flow 46 risky: tcp 10.8.0.1:59757 -> 78.46.237.91:80
+Flow 52 risky: tcp 10.8.0.1:51857 -> 62.109.229.158:443
Flow 33 midstream: tcp 10.133.206.47:33459 -> 80.74.110.68:443
-Flow 56 risky: tcp 10.8.0.1:51194 -> 62.109.224.120:443
-Flow 35 risky: tcp 10.8.0.1:33512 -> 80.74.110.68:443
-Flow 47 risky: tcp 10.8.0.1:33551 -> 80.74.110.68:443
-Flow 48 risky: tcp 10.8.0.1:33553 -> 80.74.110.68:443
-Flow 49 risky: tcp 10.8.0.1:33554 -> 80.74.110.68:443
-Flow 51 risky: tcp 10.8.0.1:33559 -> 80.74.110.68:443
+Flow 36 risky: tcp 10.8.0.1:51154 -> 62.109.224.120:443
+Flow 37 risky: tcp 10.8.0.1:51155 -> 62.109.224.120:443
Flow 1 risky: tcp 10.8.0.1:41346 -> 64.68.105.103:443
-Flow 3 risky: tcp 10.8.0.1:41350 -> 64.68.105.103:443
-Flow 4 risky: tcp 10.8.0.1:41351 -> 64.68.105.103:443
-Flow 7 risky: tcp 10.8.0.1:41354 -> 64.68.105.103:443
+Flow 2 risky: tcp 10.8.0.1:41348 -> 64.68.105.103:443
+Flow 9 risky: tcp 10.8.0.1:41358 -> 64.68.105.103:443
diff --git a/test/results/flow-captured/default/whatsapp_login_call.pcap.out b/test/results/flow-captured/default/whatsapp_login_call.pcap.out
index 681fca7d1..2dbd14228 100644
--- a/test/results/flow-captured/default/whatsapp_login_call.pcap.out
+++ b/test/results/flow-captured/default/whatsapp_login_call.pcap.out
@@ -1,9 +1,7 @@
-Flow 17 risky: tcp 192.168.2.4:49204 -> 17.173.66.102:443
Flow 39 risky: udp 192.168.2.4:51518 -> 91.253.176.65:9344
Flow 29 risky: udp 192.168.2.4:51518 -> 31.13.93.48:3478
Flow 55 risky: udp 192.168.2.4:52794 -> 91.253.176.65:9665
Flow 38 risky: udp 192.168.2.4:51518 -> 1.194.90.191:60312
-Flow 57 risky: tcp 192.168.2.4:49205 -> 17.173.66.102:443
Flow 6 midstream: tcp 192.168.2.4:49172 -> 23.50.148.228:443
Flow 53 risky: udp 192.168.2.4:52794 -> 31.13.84.48:3478
Flow 54 risky: udp 192.168.2.4:52794 -> 1.194.90.191:51727
@@ -11,3 +9,5 @@ Flow 1 risky: tcp 192.168.2.4:49199 -> 17.172.100.70:993
Flow 1 midstream: tcp 192.168.2.4:49199 -> 17.172.100.70:993
Flow 16 midstream: tcp 192.168.2.4:49193 -> 17.110.229.14:5223
Flow 13 risky: tcp 192.168.2.4:49201 -> 17.178.104.12:443
+Flow 17 risky: tcp 192.168.2.4:49204 -> 17.173.66.102:443
+Flow 57 risky: tcp 192.168.2.4:49205 -> 17.173.66.102:443
diff --git a/test/results/flow-captured/default/windscribe.pcapng.out b/test/results/flow-captured/default/windscribe.pcapng.out
index c714774e3..e69de29bb 100644
--- a/test/results/flow-captured/default/windscribe.pcapng.out
+++ b/test/results/flow-captured/default/windscribe.pcapng.out
@@ -1 +0,0 @@
-Flow 1 risky: tcp 192.168.12.156:42192 -> 107.161.86.132:443
diff --git a/test/results/flow-captured/default/zoom.pcap.out b/test/results/flow-captured/default/zoom.pcap.out
index 40e91288c..7537da3f2 100644
--- a/test/results/flow-captured/default/zoom.pcap.out
+++ b/test/results/flow-captured/default/zoom.pcap.out
@@ -1,6 +1,5 @@
-Flow 30 risky: tcp 192.168.1.117:54871 -> 109.94.160.99:443
Flow 9 risky: udp 192.168.1.117:65394 -> 192.168.1.1:53
Flow 14 risky: udp 192.168.1.117:23903 -> 162.255.38.14:3479
-Flow 3 risky: tcp 192.168.1.117:54863 -> 167.99.215.164:4434
Flow 16 risky: tcp 192.168.1.117:53872 -> 35.186.224.53:443
Flow 16 midstream: tcp 192.168.1.117:53872 -> 35.186.224.53:443
+Flow 30 risky: tcp 192.168.1.117:54871 -> 109.94.160.99:443
diff --git a/test/results/flow-captured/disable_aggressiveness/ookla.pcap.out b/test/results/flow-captured/disable_aggressiveness/ookla.pcap.out
index 76a45ed58..1f5694308 100644
--- a/test/results/flow-captured/disable_aggressiveness/ookla.pcap.out
+++ b/test/results/flow-captured/disable_aggressiveness/ookla.pcap.out
@@ -1,2 +1 @@
Flow 3 risky: tcp 192.168.1.7:51207 -> 46.44.253.187:80
-Flow 6 risky: tcp 192.168.1.128:35830 -> 89.96.108.170:8080
diff --git a/test/results/flow-captured/disable_metadata/sip.pcap.out b/test/results/flow-captured/disable_metadata/sip.pcap.out
new file mode 100644
index 000000000..1090142cf
--- /dev/null
+++ b/test/results/flow-captured/disable_metadata/sip.pcap.out
@@ -0,0 +1 @@
+Flow 4 not-detected: udp 192.168.1.2:30001 -> 212.242.33.36:40393
diff --git a/test/results/flow-captured/disable_use_client_ip/bot.pcap.out b/test/results/flow-captured/disable_use_client_ip/bot.pcap.out
new file mode 100644
index 000000000..ccacd19f0
--- /dev/null
+++ b/test/results/flow-captured/disable_use_client_ip/bot.pcap.out
@@ -0,0 +1 @@
+Flow 1 risky: tcp 40.77.167.36:64768 -> 89.31.72.220:80
diff --git a/test/results/flow-captured/disable_use_client_port/iphone.pcap.out b/test/results/flow-captured/disable_use_client_port/iphone.pcap.out
new file mode 100644
index 000000000..fc598c82a
--- /dev/null
+++ b/test/results/flow-captured/disable_use_client_port/iphone.pcap.out
@@ -0,0 +1 @@
+Flow 7 not-detected: udp 192.168.2.1:5351 -> 224.0.0.1:5350
diff --git a/test/results/flow-captured/enable_payload_stat/1kxun.pcap.out b/test/results/flow-captured/enable_payload_stat/1kxun.pcap.out
index e68307bbc..034a664ad 100644
--- a/test/results/flow-captured/enable_payload_stat/1kxun.pcap.out
+++ b/test/results/flow-captured/enable_payload_stat/1kxun.pcap.out
@@ -21,10 +21,6 @@ Flow 42 not-detected: udp 192.168.10.110:60480 -> 255.255.255.255:62976
Flow 56 not-detected: udp 59.120.208.218:50151 -> 255.255.255.255:1947
Flow 59 risky: tcp 192.168.5.16:53624 -> 68.233.253.133:80
Flow 36 risky: tcp 192.168.115.8:49605 -> 106.185.35.110:80
-Flow 45 risky: tcp 192.168.5.16:53623 -> 192.168.115.75:443
-Flow 87 risky: tcp 192.168.5.16:53625 -> 192.168.115.75:443
-Flow 107 risky: tcp 192.168.5.16:53626 -> 192.168.115.75:443
-Flow 117 risky: tcp 192.168.5.16:53629 -> 192.168.115.75:443
Flow 65 not-detected: udp 192.168.140.140:62976 -> 255.255.255.255:62976
Flow 71 not-detected: udp 192.168.10.7:62976 -> 255.255.255.255:62976
Flow 22 not-detected: udp 192.168.125.30:62976 -> 255.255.255.255:62976
diff --git a/test/results/flow-captured/fpc_disabled/teams.pcap.out b/test/results/flow-captured/fpc_disabled/teams.pcap.out
index f9a450ce5..4e70f518c 100644
--- a/test/results/flow-captured/fpc_disabled/teams.pcap.out
+++ b/test/results/flow-captured/fpc_disabled/teams.pcap.out
@@ -1,4 +1,3 @@
-Flow 7 risky: tcp 192.168.1.6:60535 -> 52.114.77.33:443
Flow 48 risky: tcp 192.168.1.6:60559 -> 52.114.77.33:443
Flow 64 risky: tcp 192.168.1.6:50018 -> 52.114.250.123:443
Flow 78 risky: udp 93.71.110.205:16332 -> 192.168.1.6:50016
@@ -6,11 +5,10 @@ Flow 67 risky: tcp 192.168.1.6:50021 -> 52.114.250.123:443
Flow 43 risky: tcp 192.168.1.6:60554 -> 52.113.194.132:443
Flow 36 risky: udp 192.168.1.6:61245 -> 192.168.1.1:53
Flow 4 risky: tcp 192.168.1.6:60532 -> 52.114.77.33:443
+Flow 7 risky: tcp 192.168.1.6:60535 -> 52.114.77.33:443
Flow 25 risky: tcp 192.168.1.6:60543 -> 52.114.77.33:443
Flow 51 risky: tcp 192.168.1.6:60561 -> 52.114.77.33:443
Flow 74 risky: tcp 192.168.1.6:60567 -> 52.114.77.136:443
-Flow 30 risky: tcp 192.168.1.6:60546 -> 167.99.215.164:4434
-Flow 61 risky: tcp 192.168.1.6:60566 -> 167.99.215.164:4434
Flow 60 not-detected: tcp 151.11.50.139:2222 -> 192.168.1.6:54750
Flow 60 midstream: tcp 151.11.50.139:2222 -> 192.168.1.6:54750
Flow 79 risky: udp 93.71.110.205:16333 -> 192.168.1.6:50036
diff --git a/test/results/flow-captured/guess_ip_before_port_enabled/1kxun.pcap.out b/test/results/flow-captured/guess_ip_before_port_enabled/1kxun.pcap.out
new file mode 100644
index 000000000..034a664ad
--- /dev/null
+++ b/test/results/flow-captured/guess_ip_before_port_enabled/1kxun.pcap.out
@@ -0,0 +1,111 @@
+Flow 37 risky: tcp 192.168.115.8:49606 -> 106.185.35.110:80
+Flow 41 risky: tcp 192.168.115.8:49609 -> 42.120.51.152:8080
+Flow 14 risky: udp 192.168.115.8:51024 -> 8.8.8.8:53
+Flow 20 risky: udp 192.168.3.95:58779 -> 224.0.0.252:5355
+Flow 19 risky: udp fe80::e98f:bae2:19f7:6b0f:58779 -> ff02::1:3:5355
+Flow 24 risky: udp 192.168.115.8:52723 -> 168.95.1.1:53
+Flow 16 risky: udp 192.168.115.8:52723 -> 8.8.8.8:53
+Flow 35 risky: udp 192.168.5.67:138 -> 192.168.255.255:138
+Flow 34 risky: udp 192.168.3.95:54888 -> 224.0.0.252:5355
+Flow 39 risky: udp 192.168.115.8:54420 -> 8.8.8.8:53
+Flow 26 risky: udp 192.168.115.8:60724 -> 8.8.8.8:53
+Flow 33 risky: udp fe80::e98f:bae2:19f7:6b0f:54888 -> ff02::1:3:5355
+Flow 77 not-detected: udp 192.168.2.186:32768 -> 255.255.255.255:1947
+Flow 66 not-detected: udp 2001:b020:6::c2a0:bbff:fe73:eb57:62976 -> ff02::1:62976
+Flow 23 not-detected: udp 2001:b030:214:100:c2a0:bbff:fe73:eb47:62976 -> ff02::1:62976
+Flow 97 risky: udp fe80::e98f:bae2:19f7:6b0f:51451 -> ff02::1:3:5355
+Flow 94 not-detected: udp 192.168.119.2:43786 -> 255.255.255.255:5678
+Flow 70 risky: udp 192.168.5.45:138 -> 192.168.255.255:138
+Flow 38 risky: tcp 192.168.115.8:49607 -> 218.244.135.170:9099
+Flow 42 not-detected: udp 192.168.10.110:60480 -> 255.255.255.255:62976
+Flow 56 not-detected: udp 59.120.208.218:50151 -> 255.255.255.255:1947
+Flow 59 risky: tcp 192.168.5.16:53624 -> 68.233.253.133:80
+Flow 36 risky: tcp 192.168.115.8:49605 -> 106.185.35.110:80
+Flow 65 not-detected: udp 192.168.140.140:62976 -> 255.255.255.255:62976
+Flow 71 not-detected: udp 192.168.10.7:62976 -> 255.255.255.255:62976
+Flow 22 not-detected: udp 192.168.125.30:62976 -> 255.255.255.255:62976
+Flow 88 not-detected: udp 192.168.119.1:56861 -> 255.255.255.255:5678
+Flow 79 not-detected: udp 192.168.0.100:50925 -> 255.255.255.255:5678
+Flow 46 risky: tcp 192.168.115.8:49612 -> 183.131.48.145:80
+Flow 49 risky: tcp 192.168.115.8:49613 -> 183.131.48.144:80
+Flow 89 not-detected: udp fe80::4e5e:cff:feea:365:5678 -> ff02::1:5678
+Flow 60 not-detected: udp fe80::4e5e:cff:fe9a:ec54:5678 -> ff02::1:5678
+Flow 98 risky: udp 192.168.3.95:51451 -> 224.0.0.252:5355
+Flow 86 not-detected: udp 59.120.208.212:32768 -> 255.255.255.255:1947
+Flow 142 midstream: tcp 192.168.2.126:46170 -> 172.105.121.82:80
+Flow 146 midstream: tcp 192.168.2.126:45380 -> 161.117.13.29:80
+Flow 160 midstream: tcp 192.168.2.126:49380 -> 14.136.136.108:80
+Flow 158 midstream: tcp 192.168.2.126:49372 -> 14.136.136.108:80
+Flow 150 midstream: tcp 192.168.2.126:45416 -> 161.117.13.29:80
+Flow 147 midstream: tcp 192.168.2.126:45388 -> 161.117.13.29:80
+Flow 148 midstream: tcp 192.168.2.126:45398 -> 161.117.13.29:80
+Flow 163 risky: tcp 192.168.2.126:44368 -> 172.217.18.98:80
+Flow 163 midstream: tcp 192.168.2.126:44368 -> 172.217.18.98:80
+Flow 178 risky: tcp 192.168.2.126:56826 -> 8.209.97.107:80
+Flow 178 midstream: tcp 192.168.2.126:56826 -> 8.209.97.107:80
+Flow 149 midstream: tcp 192.168.2.126:45414 -> 161.117.13.29:80
+Flow 151 midstream: tcp 192.168.2.126:45422 -> 161.117.13.29:80
+Flow 152 midstream: tcp 192.168.2.126:45424 -> 161.117.13.29:80
+Flow 192 midstream: tcp 192.168.2.126:54810 -> 18.233.123.55:80
+Flow 184 midstream: tcp 192.168.2.126:36636 -> 18.64.103.30:80
+Flow 185 midstream: tcp 192.168.2.126:36640 -> 18.64.103.30:80
+Flow 186 midstream: tcp 192.168.2.126:36654 -> 18.64.103.30:80
+Flow 180 midstream: tcp 192.168.2.126:58758 -> 202.153.196.53:80
+Flow 181 midstream: tcp 192.168.2.126:58760 -> 202.153.196.53:80
+Flow 170 midstream: tcp 192.168.2.126:38314 -> 172.105.121.82:80
+Flow 171 midstream: tcp 192.168.2.126:38316 -> 172.105.121.82:80
+Flow 169 midstream: tcp 192.168.2.126:38326 -> 172.105.121.82:80
+Flow 193 midstream: tcp 192.168.2.126:40204 -> 18.235.204.9:80
+Flow 155 midstream: tcp 192.168.2.126:38354 -> 142.250.186.34:80
+Flow 157 midstream: tcp 192.168.2.126:49354 -> 14.136.136.108:80
+Flow 159 midstream: tcp 192.168.2.126:49370 -> 14.136.136.108:80
+Flow 162 midstream: tcp 192.168.2.126:49396 -> 14.136.136.108:80
+Flow 140 risky: tcp 192.168.2.126:49242 -> 172.104.119.80:80
+Flow 140 midstream: tcp 192.168.2.126:49242 -> 172.104.119.80:80
+Flow 161 midstream: tcp 192.168.2.126:49412 -> 14.136.136.108:80
+Flow 179 midstream: tcp 192.168.2.126:43272 -> 18.64.79.58:80
+Flow 164 midstream: tcp 192.168.2.126:50140 -> 161.117.13.29:80
+Flow 165 midstream: tcp 192.168.2.126:50148 -> 161.117.13.29:80
+Flow 166 midstream: tcp 192.168.2.126:50164 -> 161.117.13.29:80
+Flow 167 midstream: tcp 192.168.2.126:50166 -> 161.117.13.29:80
+Flow 168 midstream: tcp 192.168.2.126:50176 -> 161.117.13.29:80
+Flow 153 risky: tcp 192.168.2.126:41390 -> 18.64.79.37:80
+Flow 153 midstream: tcp 192.168.2.126:41390 -> 18.64.79.37:80
+Flow 197 midstream: tcp 192.168.2.126:51686 -> 18.64.79.64:80
+Flow 156 midstream: tcp 192.168.2.126:36732 -> 142.250.186.174:80
+Flow 194 risky: tcp 192.168.2.126:53416 -> 172.217.16.142:80
+Flow 194 midstream: tcp 192.168.2.126:53416 -> 172.217.16.142:80
+Flow 189 midstream: tcp 192.168.2.126:42554 -> 35.156.44.13:80
+Flow 190 risky: tcp 192.168.2.126:42566 -> 35.156.44.13:80
+Flow 190 midstream: tcp 192.168.2.126:42566 -> 35.156.44.13:80
+Flow 195 midstream: tcp 192.168.2.126:33042 -> 3.122.190.70:80
+Flow 173 midstream: tcp 192.168.2.126:56094 -> 3.72.69.158:80
+Flow 175 midstream: tcp 192.168.2.126:56096 -> 3.72.69.158:80
+Flow 174 midstream: tcp 192.168.2.126:56098 -> 3.72.69.158:80
+Flow 176 midstream: tcp 192.168.2.126:56104 -> 3.72.69.158:80
+Flow 134 midstream: tcp 192.168.2.126:41134 -> 129.226.107.77:80
+Flow 130 risky: tcp 192.168.2.126:60962 -> 172.104.93.92:1234
+Flow 130 midstream: tcp 192.168.2.126:60962 -> 172.104.93.92:1234
+Flow 131 risky: tcp 192.168.2.126:60972 -> 172.104.93.92:1234
+Flow 131 midstream: tcp 192.168.2.126:60972 -> 172.104.93.92:1234
+Flow 132 risky: tcp 192.168.2.126:60984 -> 172.104.93.92:1234
+Flow 132 midstream: tcp 192.168.2.126:60984 -> 172.104.93.92:1234
+Flow 196 risky: tcp 192.168.2.126:35426 -> 8.209.112.118:80
+Flow 196 midstream: tcp 192.168.2.126:35426 -> 8.209.112.118:80
+Flow 191 midstream: tcp 192.168.2.126:41940 -> 18.64.79.50:80
+Flow 139 midstream: tcp 192.168.2.126:60148 -> 172.105.121.82:80
+Flow 172 midstream: tcp 192.168.2.126:59324 -> 104.117.221.10:80
+Flow 138 risky: tcp 192.168.2.126:38834 -> 119.45.78.184:80
+Flow 138 midstream: tcp 192.168.2.126:38834 -> 119.45.78.184:80
+Flow 182 midstream: tcp 192.168.2.126:35664 -> 18.66.2.90:80
+Flow 141 midstream: tcp 192.168.2.126:46184 -> 172.105.121.82:80
+Flow 133 risky: tcp 192.168.2.126:47230 -> 161.117.13.29:80
+Flow 133 midstream: tcp 192.168.2.126:47230 -> 161.117.13.29:80
+Flow 188 risky: tcp 192.168.2.126:37100 -> 52.29.177.177:80
+Flow 188 midstream: tcp 192.168.2.126:37100 -> 52.29.177.177:80
+Flow 143 midstream: tcp 192.168.2.126:46200 -> 172.105.121.82:80
+Flow 135 midstream: tcp 192.168.2.126:47246 -> 161.117.13.29:80
+Flow 144 midstream: tcp 192.168.2.126:46212 -> 172.105.121.82:80
+Flow 136 midstream: tcp 192.168.2.126:47262 -> 161.117.13.29:80
+Flow 137 midstream: tcp 192.168.2.126:47272 -> 161.117.13.29:80
+Flow 145 midstream: tcp 192.168.2.126:35200 -> 103.29.71.30:80
diff --git a/test/results/flow-captured/guessing_disable/webex.pcap.out b/test/results/flow-captured/guessing_disable/webex.pcap.out
index 1e895a83d..33650debc 100644
--- a/test/results/flow-captured/guessing_disable/webex.pcap.out
+++ b/test/results/flow-captured/guessing_disable/webex.pcap.out
@@ -1,18 +1,9 @@
-Flow 2 risky: tcp 10.8.0.1:41348 -> 64.68.105.103:443
-Flow 9 risky: tcp 10.8.0.1:41358 -> 64.68.105.103:443
-Flow 37 risky: tcp 10.8.0.1:51155 -> 62.109.224.120:443
-Flow 36 risky: tcp 10.8.0.1:51154 -> 62.109.224.120:443
-Flow 52 risky: tcp 10.8.0.1:51857 -> 62.109.229.158:443
Flow 45 risky: tcp 10.8.0.1:59756 -> 78.46.237.91:80
Flow 46 risky: tcp 10.8.0.1:59757 -> 78.46.237.91:80
+Flow 52 risky: tcp 10.8.0.1:51857 -> 62.109.229.158:443
Flow 33 midstream: tcp 10.133.206.47:33459 -> 80.74.110.68:443
-Flow 56 risky: tcp 10.8.0.1:51194 -> 62.109.224.120:443
-Flow 35 risky: tcp 10.8.0.1:33512 -> 80.74.110.68:443
-Flow 47 risky: tcp 10.8.0.1:33551 -> 80.74.110.68:443
-Flow 48 risky: tcp 10.8.0.1:33553 -> 80.74.110.68:443
-Flow 49 risky: tcp 10.8.0.1:33554 -> 80.74.110.68:443
-Flow 51 risky: tcp 10.8.0.1:33559 -> 80.74.110.68:443
+Flow 36 risky: tcp 10.8.0.1:51154 -> 62.109.224.120:443
+Flow 37 risky: tcp 10.8.0.1:51155 -> 62.109.224.120:443
Flow 1 risky: tcp 10.8.0.1:41346 -> 64.68.105.103:443
-Flow 3 risky: tcp 10.8.0.1:41350 -> 64.68.105.103:443
-Flow 4 risky: tcp 10.8.0.1:41351 -> 64.68.105.103:443
-Flow 7 risky: tcp 10.8.0.1:41354 -> 64.68.105.103:443
+Flow 2 risky: tcp 10.8.0.1:41348 -> 64.68.105.103:443
+Flow 9 risky: tcp 10.8.0.1:41358 -> 64.68.105.103:443
diff --git a/test/results/flow-captured/ip_lists_disable/1kxun.pcap.out b/test/results/flow-captured/ip_lists_disable/1kxun.pcap.out
index e68307bbc..034a664ad 100644
--- a/test/results/flow-captured/ip_lists_disable/1kxun.pcap.out
+++ b/test/results/flow-captured/ip_lists_disable/1kxun.pcap.out
@@ -21,10 +21,6 @@ Flow 42 not-detected: udp 192.168.10.110:60480 -> 255.255.255.255:62976
Flow 56 not-detected: udp 59.120.208.218:50151 -> 255.255.255.255:1947
Flow 59 risky: tcp 192.168.5.16:53624 -> 68.233.253.133:80
Flow 36 risky: tcp 192.168.115.8:49605 -> 106.185.35.110:80
-Flow 45 risky: tcp 192.168.5.16:53623 -> 192.168.115.75:443
-Flow 87 risky: tcp 192.168.5.16:53625 -> 192.168.115.75:443
-Flow 107 risky: tcp 192.168.5.16:53626 -> 192.168.115.75:443
-Flow 117 risky: tcp 192.168.5.16:53629 -> 192.168.115.75:443
Flow 65 not-detected: udp 192.168.140.140:62976 -> 255.255.255.255:62976
Flow 71 not-detected: udp 192.168.10.7:62976 -> 255.255.255.255:62976
Flow 22 not-detected: udp 192.168.125.30:62976 -> 255.255.255.255:62976
diff --git a/test/results/flow-captured/monitoring/stun.pcap.out b/test/results/flow-captured/monitoring/stun.pcap.out
new file mode 100644
index 000000000..19e9b46e3
--- /dev/null
+++ b/test/results/flow-captured/monitoring/stun.pcap.out
@@ -0,0 +1,3 @@
+Flow 2 risky: udp 192.168.12.169:43016 -> 74.125.247.128:3478
+Flow 3 risky: icmp 192.168.12.169 -> 74.125.247.128
+Flow 5 risky: udp 192.168.12.169:38123 -> 31.13.86.54:40003
diff --git a/test/results/flow-captured/monitoring/stun_google_meet.pcapng.out b/test/results/flow-captured/monitoring/stun_google_meet.pcapng.out
new file mode 100644
index 000000000..d406e6c37
--- /dev/null
+++ b/test/results/flow-captured/monitoring/stun_google_meet.pcapng.out
@@ -0,0 +1,4 @@
+Flow 3 risky: udp 192.168.12.156:38152 -> 142.250.82.76:19305
+Flow 2 risky: udp 192.168.12.156:45400 -> 74.125.128.127:19302
+Flow 1 risky: udp 192.168.12.156:38152 -> 74.125.128.127:19302
+Flow 7 risky: udp 2001:b07:a3d:c112:48a1:1094:1227:281e:45572 -> 2001:4860:4864:6::81:19305
diff --git a/test/results/flow-captured/monitoring/stun_signal.pcapng.out b/test/results/flow-captured/monitoring/stun_signal.pcapng.out
new file mode 100644
index 000000000..cf96af8df
--- /dev/null
+++ b/test/results/flow-captured/monitoring/stun_signal.pcapng.out
@@ -0,0 +1,16 @@
+Flow 14 risky: udp 192.168.12.169:43068 -> 18.195.131.143:61156
+Flow 7 risky: icmp 35.158.183.167 -> 192.168.12.169
+Flow 3 risky: udp 192.168.12.169:47204 -> 35.158.183.167:443
+Flow 6 risky: udp 192.168.12.169:39518 -> 35.158.183.167:443
+Flow 23 risky: udp 192.168.12.169:47767 -> 18.195.131.143:61498
+Flow 9 risky: udp 192.168.12.169:43068 -> 35.158.183.167:443
+Flow 10 risky: udp 192.168.12.169:43068 -> 172.253.121.127:19302
+Flow 12 risky: udp 192.168.12.169:39950 -> 35.158.183.167:443
+Flow 11 risky: udp 192.168.12.169:39950 -> 172.253.121.127:19302
+Flow 20 risky: udp 192.168.12.169:37970 -> 35.158.122.211:3478
+Flow 17 risky: udp 192.168.12.169:47767 -> 35.158.122.211:443
+Flow 15 risky: udp 192.168.12.169:47767 -> 172.253.121.127:19302
+Flow 18 risky: udp 192.168.12.169:37970 -> 35.158.122.211:443
+Flow 16 risky: udp 192.168.12.169:37970 -> 172.253.121.127:19302
+Flow 21 risky: icmp 35.158.122.211 -> 192.168.12.169
+Flow 19 risky: udp 192.168.12.169:47767 -> 35.158.122.211:3478
diff --git a/test/results/flow-captured/monitoring/stun_wa_call.pcapng.out b/test/results/flow-captured/monitoring/stun_wa_call.pcapng.out
new file mode 100644
index 000000000..0d1b98afe
--- /dev/null
+++ b/test/results/flow-captured/monitoring/stun_wa_call.pcapng.out
@@ -0,0 +1,9 @@
+Flow 1 risky: udp 192.168.12.156:46652 -> 93.57.123.227:3478
+Flow 6 risky: udp 192.168.12.156:49526 -> 157.240.203.62:3478
+Flow 2 risky: udp 192.168.12.156:46652 -> 157.240.203.62:3478
+Flow 4 risky: udp 192.168.12.156:46652 -> 157.240.21.51:3478
+Flow 5 risky: udp 192.168.12.156:46652 -> 157.240.195.48:3478
+Flow 3 risky: udp 192.168.12.156:46652 -> 157.240.231.62:3478
+Flow 13 risky: icmp 93.63.100.129 -> 192.168.12.156
+Flow 11 risky: udp 192.168.12.156:49526 -> 10.82.40.241:40436
+Flow 12 risky: udp 192.168.12.156:49526 -> 93.33.118.87:41107
diff --git a/test/results/flow-captured/monitoring/stun_zoom.pcapng.out b/test/results/flow-captured/monitoring/stun_zoom.pcapng.out
new file mode 100644
index 000000000..31ad627b4
--- /dev/null
+++ b/test/results/flow-captured/monitoring/stun_zoom.pcapng.out
@@ -0,0 +1,2 @@
+Flow 2 risky: udp 192.168.43.169:53065 -> 134.224.90.111:8801
+Flow 1 risky: udp 192.168.43.169:48854 -> 134.224.90.111:8801
diff --git a/test/results/flow-captured/monitoring/teams.pcap.out b/test/results/flow-captured/monitoring/teams.pcap.out
new file mode 100644
index 000000000..4e70f518c
--- /dev/null
+++ b/test/results/flow-captured/monitoring/teams.pcap.out
@@ -0,0 +1,17 @@
+Flow 48 risky: tcp 192.168.1.6:60559 -> 52.114.77.33:443
+Flow 64 risky: tcp 192.168.1.6:50018 -> 52.114.250.123:443
+Flow 78 risky: udp 93.71.110.205:16332 -> 192.168.1.6:50016
+Flow 67 risky: tcp 192.168.1.6:50021 -> 52.114.250.123:443
+Flow 43 risky: tcp 192.168.1.6:60554 -> 52.113.194.132:443
+Flow 36 risky: udp 192.168.1.6:61245 -> 192.168.1.1:53
+Flow 4 risky: tcp 192.168.1.6:60532 -> 52.114.77.33:443
+Flow 7 risky: tcp 192.168.1.6:60535 -> 52.114.77.33:443
+Flow 25 risky: tcp 192.168.1.6:60543 -> 52.114.77.33:443
+Flow 51 risky: tcp 192.168.1.6:60561 -> 52.114.77.33:443
+Flow 74 risky: tcp 192.168.1.6:60567 -> 52.114.77.136:443
+Flow 60 not-detected: tcp 151.11.50.139:2222 -> 192.168.1.6:54750
+Flow 60 midstream: tcp 151.11.50.139:2222 -> 192.168.1.6:54750
+Flow 79 risky: udp 93.71.110.205:16333 -> 192.168.1.6:50036
+Flow 10 risky: udp 192.168.1.6:64046 -> 192.168.1.1:53
+Flow 68 risky: udp 192.168.1.6:50016 -> 52.114.250.141:3478
+Flow 70 risky: udp 192.168.1.6:50036 -> 52.114.250.137:3478
diff --git a/test/results/flow-captured/monitoring/telegram_videocall.pcapng.out b/test/results/flow-captured/monitoring/telegram_videocall.pcapng.out
new file mode 100644
index 000000000..f94ea0087
--- /dev/null
+++ b/test/results/flow-captured/monitoring/telegram_videocall.pcapng.out
@@ -0,0 +1,17 @@
+Flow 4 risky: tcp 192.168.12.169:37950 -> 149.154.167.91:443
+Flow 7 risky: tcp 192.168.12.169:40830 -> 149.154.167.222:443
+Flow 26 risky: udp 192.168.12.169:42405 -> 93.36.13.115:35393
+Flow 8 risky: tcp 192.168.12.169:40832 -> 149.154.167.222:443
+Flow 10 risky: tcp 192.168.12.169:37966 -> 149.154.167.91:443
+Flow 18 risky: udp 192.168.12.169:40643 -> 91.108.9.35:1400
+Flow 24 risky: udp 192.168.12.169:42405 -> 10.46.103.200:42554
+Flow 5 risky: tcp 192.168.12.169:46862 -> 149.154.167.51:443
+Flow 6 risky: tcp 192.168.12.169:46866 -> 149.154.167.51:443
+Flow 9 risky: tcp 192.168.12.169:40834 -> 149.154.167.222:443
+Flow 19 risky: udp 192.168.12.169:49667 -> 91.108.13.23:1400
+Flow 25 risky: udp 192.168.12.169:40906 -> 10.46.103.200:42554
+Flow 20 risky: udp 192.168.12.169:49780 -> 91.108.17.2:1400
+Flow 33 risky: icmp 192.168.12.169 -> 91.108.17.2
+Flow 32 risky: icmp 192.168.12.169 -> 91.108.13.23
+Flow 31 risky: icmp 192.168.12.169 -> 91.108.9.35
+Flow 34 midstream: tcp 18.195.162.93:443 -> 192.168.12.169:38956
diff --git a/test/results/flow-captured/openvpn_heuristic_enabled/openvpn_obfuscated.pcapng.out b/test/results/flow-captured/openvpn_heuristic_enabled/openvpn_obfuscated.pcapng.out
new file mode 100644
index 000000000..073dd5a71
--- /dev/null
+++ b/test/results/flow-captured/openvpn_heuristic_enabled/openvpn_obfuscated.pcapng.out
@@ -0,0 +1,4 @@
+Flow 1 guessed: tcp 192.168.12.156:37976 -> 185.128.25.99:465
+Flow 1 not-detected: tcp 192.168.12.156:37976 -> 185.128.25.99:465
+Flow 3 guessed: tcp 107.161.86.131:443 -> 192.168.12.156:48072
+Flow 3 not-detected: tcp 107.161.86.131:443 -> 192.168.12.156:48072
diff --git a/test/results/flow-captured/stun_all_attributes_disabled/teams.pcap.out b/test/results/flow-captured/stun_all_attributes_disabled/teams.pcap.out
index f9a450ce5..4e70f518c 100644
--- a/test/results/flow-captured/stun_all_attributes_disabled/teams.pcap.out
+++ b/test/results/flow-captured/stun_all_attributes_disabled/teams.pcap.out
@@ -1,4 +1,3 @@
-Flow 7 risky: tcp 192.168.1.6:60535 -> 52.114.77.33:443
Flow 48 risky: tcp 192.168.1.6:60559 -> 52.114.77.33:443
Flow 64 risky: tcp 192.168.1.6:50018 -> 52.114.250.123:443
Flow 78 risky: udp 93.71.110.205:16332 -> 192.168.1.6:50016
@@ -6,11 +5,10 @@ Flow 67 risky: tcp 192.168.1.6:50021 -> 52.114.250.123:443
Flow 43 risky: tcp 192.168.1.6:60554 -> 52.113.194.132:443
Flow 36 risky: udp 192.168.1.6:61245 -> 192.168.1.1:53
Flow 4 risky: tcp 192.168.1.6:60532 -> 52.114.77.33:443
+Flow 7 risky: tcp 192.168.1.6:60535 -> 52.114.77.33:443
Flow 25 risky: tcp 192.168.1.6:60543 -> 52.114.77.33:443
Flow 51 risky: tcp 192.168.1.6:60561 -> 52.114.77.33:443
Flow 74 risky: tcp 192.168.1.6:60567 -> 52.114.77.136:443
-Flow 30 risky: tcp 192.168.1.6:60546 -> 167.99.215.164:4434
-Flow 61 risky: tcp 192.168.1.6:60566 -> 167.99.215.164:4434
Flow 60 not-detected: tcp 151.11.50.139:2222 -> 192.168.1.6:54750
Flow 60 midstream: tcp 151.11.50.139:2222 -> 192.168.1.6:54750
Flow 79 risky: udp 93.71.110.205:16333 -> 192.168.1.6:50036
diff --git a/test/results/flow-captured/stun_only_peer_address_enabled/stun_wa_call.pcapng.out b/test/results/flow-captured/stun_only_peer_address_enabled/stun_wa_call.pcapng.out
index 333efcc49..0d1b98afe 100644
--- a/test/results/flow-captured/stun_only_peer_address_enabled/stun_wa_call.pcapng.out
+++ b/test/results/flow-captured/stun_only_peer_address_enabled/stun_wa_call.pcapng.out
@@ -5,9 +5,5 @@ Flow 4 risky: udp 192.168.12.156:46652 -> 157.240.21.51:3478
Flow 5 risky: udp 192.168.12.156:46652 -> 157.240.195.48:3478
Flow 3 risky: udp 192.168.12.156:46652 -> 157.240.231.62:3478
Flow 13 risky: icmp 93.63.100.129 -> 192.168.12.156
-Flow 7 risky: udp 192.168.12.156:49526 -> 157.240.231.62:3478
-Flow 8 risky: udp 192.168.12.156:49526 -> 157.240.196.62:3478
Flow 11 risky: udp 192.168.12.156:49526 -> 10.82.40.241:40436
Flow 12 risky: udp 192.168.12.156:49526 -> 93.33.118.87:41107
-Flow 9 risky: udp 192.168.12.156:49526 -> 179.60.192.48:3478
-Flow 10 risky: udp 192.168.12.156:49526 -> 185.60.216.51:3478
diff --git a/test/results/flow-captured/tls_heuristics_enabled/tls_heur__shadowsocks-tcp.pcapng.out b/test/results/flow-captured/tls_heuristics_enabled/tls_heur__shadowsocks-tcp.pcapng.out
new file mode 100644
index 000000000..563044a1a
--- /dev/null
+++ b/test/results/flow-captured/tls_heuristics_enabled/tls_heur__shadowsocks-tcp.pcapng.out
@@ -0,0 +1,2 @@
+Flow 2 risky: udp 127.0.0.1:41182 -> 127.0.0.53:53
+Flow 3 not-detected: tcp 127.0.0.1:40164 -> 127.0.0.1:1234
diff --git a/test/results/flow-captured/tls_heuristics_enabled/tls_heur__trojan-tcp-tls.pcapng.out b/test/results/flow-captured/tls_heuristics_enabled/tls_heur__trojan-tcp-tls.pcapng.out
new file mode 100644
index 000000000..85942bf64
--- /dev/null
+++ b/test/results/flow-captured/tls_heuristics_enabled/tls_heur__trojan-tcp-tls.pcapng.out
@@ -0,0 +1,3 @@
+Flow 5 risky: udp 127.0.0.1:53154 -> 127.0.0.53:53
+Flow 7 risky: udp 192.168.1.183:39434 -> 192.168.1.253:53
+Flow 2 risky: udp 127.0.0.1:52786 -> 127.0.0.53:53
diff --git a/test/results/flow-captured/tls_heuristics_enabled/tls_heur__vmess-tcp-tls.pcapng.out b/test/results/flow-captured/tls_heuristics_enabled/tls_heur__vmess-tcp-tls.pcapng.out
new file mode 100644
index 000000000..bf495d8f4
--- /dev/null
+++ b/test/results/flow-captured/tls_heuristics_enabled/tls_heur__vmess-tcp-tls.pcapng.out
@@ -0,0 +1,3 @@
+Flow 6 risky: udp 127.0.0.1:45262 -> 127.0.0.53:53
+Flow 2 risky: udp 127.0.0.1:46548 -> 127.0.0.53:53
+Flow 8 risky: udp 192.168.1.183:42485 -> 192.168.1.253:53
diff --git a/test/results/flow-captured/tls_heuristics_enabled/tls_heur__vmess-tcp.pcapng.out b/test/results/flow-captured/tls_heuristics_enabled/tls_heur__vmess-tcp.pcapng.out
new file mode 100644
index 000000000..57479df0d
--- /dev/null
+++ b/test/results/flow-captured/tls_heuristics_enabled/tls_heur__vmess-tcp.pcapng.out
@@ -0,0 +1,2 @@
+Flow 3 not-detected: tcp 127.0.0.1:40818 -> 127.0.0.1:1234
+Flow 2 risky: udp 127.0.0.1:35957 -> 127.0.0.53:53
diff --git a/test/results/flow-captured/tls_heuristics_enabled/tls_heur__vmess-websocket.pcapng.out b/test/results/flow-captured/tls_heuristics_enabled/tls_heur__vmess-websocket.pcapng.out
new file mode 100644
index 000000000..237524927
--- /dev/null
+++ b/test/results/flow-captured/tls_heuristics_enabled/tls_heur__vmess-websocket.pcapng.out
@@ -0,0 +1 @@
+Flow 3 risky: tcp 127.0.0.1:33702 -> 127.0.0.1:1234
diff --git a/test/results/flow-captured/zoom_extra_dissection/zoom.pcap.out b/test/results/flow-captured/zoom_extra_dissection/zoom.pcap.out
index 40e91288c..7537da3f2 100644
--- a/test/results/flow-captured/zoom_extra_dissection/zoom.pcap.out
+++ b/test/results/flow-captured/zoom_extra_dissection/zoom.pcap.out
@@ -1,6 +1,5 @@
-Flow 30 risky: tcp 192.168.1.117:54871 -> 109.94.160.99:443
Flow 9 risky: udp 192.168.1.117:65394 -> 192.168.1.1:53
Flow 14 risky: udp 192.168.1.117:23903 -> 162.255.38.14:3479
-Flow 3 risky: tcp 192.168.1.117:54863 -> 167.99.215.164:4434
Flow 16 risky: tcp 192.168.1.117:53872 -> 35.186.224.53:443
Flow 16 midstream: tcp 192.168.1.117:53872 -> 35.186.224.53:443
+Flow 30 risky: tcp 192.168.1.117:54871 -> 109.94.160.99:443
Powered by cgit, Themed by Ted Yin.