Diffstat (limited to 'test/results/tls_heuristics_enabled')
5 files changed, 338 insertions, 0 deletions
diff --git a/test/results/tls_heuristics_enabled/tls_heur__shadowsocks-tcp.pcapng.out b/test/results/tls_heuristics_enabled/tls_heur__shadowsocks-tcp.pcapng.out
new file mode 100644
index 000000000..76ffd5fd1
--- /dev/null
+++ b/test/results/tls_heuristics_enabled/tls_heur__shadowsocks-tcp.pcapng.out
@@ -0,0 +1,53 @@ +00598{"daemon_event_id":1,"daemon_event_name":"init","thread_id":0,"packet_id":0,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__shadowsocks-tcp.pcapng","alias":"nDPId-test","version":"1.7.0","ndpi_version":"4.11.0-4976-59ee1fe","max-flows-per-thread":2048,"max-idle-flows-per-thread":64,"reader-thread-count":1,"flow-scan-interval":10000000,"generic-max-idle-time":600000000,"icmp-max-idle-time":120000000,"udp-max-idle-time":180000000,"tcp-max-idle-time":7560000000,"max-packets-per-flow-to-send":5,"max-packets-per-flow-to-process":32,"max-packets-per-flow-to-analyse":32,"global_ts_usec":0} +00822{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":1,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__shadowsocks-tcp.pcapng","alias":"nDPId-test","version":"1.7.0","ndpi_version":"4.11.0-4976-59ee1fe","packets-captured":1,"packets-processed":0,"pfring_active":false,"pfring_recv":0,"pfring_drop":0,"pfring_shunt":0,"total-skipped-flows":0,"total-l4-payload-len":0,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":0,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":0,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"global-alloc-count":0,"global-free-count":0,"global-alloc-bytes":0,"global-free-bytes":0,"total-events-serialized":2,"global_ts_usec":1725100298253624} 
+00804{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__shadowsocks-tcp.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1725100298253624,"flow_src_last_pkt_time":1725100298253624,"flow_dst_last_pkt_time":1725100298253624,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1725100298253624,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":44424,"dst_port":1080,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":5} +00597{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__shadowsocks-tcp.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_src_last_pkt_time":1725100298253624,"flow_dst_last_pkt_time":1725100298253624,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":76,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":76,"pkt_l4_len":40,"thread_ts_usec":1725100298253624,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAADypskAAQAaTB38AAAF\/AAABrYgEOPrjCTkAAAAAoAL\/1\/4wAAACBP\/XBAIICoJ3H6YAAAAAAQMDBw=="} 
+00597{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__shadowsocks-tcp.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1725100298253624,"flow_dst_last_pkt_time":1725100298253646,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":76,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":76,"pkt_l4_len":40,"thread_ts_usec":1725100298253646,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAADwAAEAAQAY8un8AAAF\/AAABBDitiFpVj4z64wk6oBL\/y\/4wAAACBP\/XBAIICoJ3H6aCdx+mAQMDBw=="} +00582{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__shadowsocks-tcp.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1725100298253662,"flow_dst_last_pkt_time":1725100298253646,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1725100298253662,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAADSps0AAQAaTDn8AAAF\/AAABrYgEOPrjCTpaVY+NgBACAP4oAAABAQgKgncfpoJ3H6Y="} +00586{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__shadowsocks-tcp.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":4,"flow_src_last_pkt_time":1725100298253733,"flow_dst_last_pkt_time":1725100298253646,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":72,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":72,"pkt_l4_len":36,"thread_ts_usec":1725100298253733,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAADiptEAAQAaTCX8AAAF\/AAABrYgEOPrjCTpaVY+NgBgCAP4sAAABAQgKgncfpoJ3H6YFAgAB"} 
+00582{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":5,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__shadowsocks-tcp.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":5,"flow_src_last_pkt_time":1725100298253733,"flow_dst_last_pkt_time":1725100298253743,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1725100298253743,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAADROv0AAQAbuAn8AAAF\/AAABBDitiFpVj4364wk+gBACAP4oAAABAQgKgncfpoJ3H6Y="} +00948{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":6,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__shadowsocks-tcp.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1725100298253624,"flow_src_last_pkt_time":1725100298253733,"flow_dst_last_pkt_time":1725100298254043,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":4,"flow_dst_max_l4_payload_len":2,"flow_src_tot_l4_payload_len":4,"flow_dst_tot_l4_payload_len":2,"midstream":0,"thread_ts_usec":1725100298254043,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":44424,"dst_port":1080,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"SOCKS","proto_id":"172","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 
+00805{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":8,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__shadowsocks-tcp.pcapng","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1725100298254824,"flow_src_last_pkt_time":1725100298254824,"flow_dst_last_pkt_time":1725100298254824,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":44,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":44,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1725100298254824,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.53","src_port":41182,"dst_port":53,"l4_proto":"udp","flow_datalink":113,"flow_max_packets":5} +00610{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":8,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__shadowsocks-tcp.pcapng","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_src_last_pkt_time":1725100298254824,"flow_dst_last_pkt_time":1725100298254824,"flow_idle_time":200000000,"pkt_datalink":113,"pkt_caplen":88,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":88,"pkt_l4_len":52,"thread_ts_usec":1725100298254824,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAAEiXpkAAQBGkyH8AAAF\/AAA1oN4ANQA0\/nssJwEgAAEAAAAAAAEDd3d3B3lvdXR1YmUDY29tAAABAAEAACkEsAAAAAAAAA=="} 
+01113{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":8,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__shadowsocks-tcp.pcapng","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1725100298254824,"flow_src_last_pkt_time":1725100298254824,"flow_dst_last_pkt_time":1725100298254824,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":44,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":44,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1725100298254824,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.53","src_port":41182,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.YouTube","proto_id":"5.124","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Fun","category_id":14,"category":"Network","hostname":"www.youtube.com","domainame":"www.youtube.com","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr": []}}} +00610{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__shadowsocks-tcp.pcapng","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1725100298254907,"flow_dst_last_pkt_time":1725100298254824,"flow_idle_time":200000000,"pkt_datalink":113,"pkt_caplen":88,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":88,"pkt_l4_len":52,"thread_ts_usec":1725100298254907,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAAEiXp0AAQBGkx38AAAF\/AAA1oN4ANQA0\/nsrKAEgAAEAAAAAAAEDd3d3B3lvdXR1YmUDY29tAAAcAAEAACkEsAAAAAAAAA=="} 
+01247{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":9,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__shadowsocks-tcp.pcapng","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":0,"flow_first_seen":1725100298254824,"flow_src_last_pkt_time":1725100298254907,"flow_dst_last_pkt_time":1725100298254824,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":44,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":88,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1725100298254907,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.53","src_port":41182,"dst_port":53,"l4_proto":"udp","ndpi": {"flow_risk": {"46": {"risk":"Unidirectional Traffic","severity":"Low","risk_score": {"total":500,"client":430,"server":70}}},"confidence": {"6":"DPI"},"proto":"DNS.YouTube","proto_id":"5.124","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Fun","category_id":14,"category":"Network","hostname":"www.youtube.com","domainame":"www.youtube.com","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":28,"rsp_type":0,"rsp_addr": []}}} 
+00979{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":10,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__shadowsocks-tcp.pcapng","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1725100298254907,"flow_dst_last_pkt_time":1725100298255187,"flow_idle_time":200000000,"pkt_datalink":113,"pkt_caplen":362,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":362,"pkt_l4_len":326,"thread_ts_usec":1725100298255187,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAAVrnm0AAARGSwX8AADV\/AAABADWg3gFG\/40sJ4GAAAEACQAAAAUDd3d3B3lvdXR1YmUDY29tAAABAAHADAAFAAEAAAEgABYKeW91dHViZS11aQFsBmdvb2dsZcAYwC0AAQABAAAAVwAE2DrMjsAtAAEAAQAAAFcABI770Q7ALQABAAEAAABXAATYOszuwC0AAQABAAAAVwAEjvq0rsAtAAEAAQAAAFcABNg60S7ALQABAAEAAABXAASO+rSOwC0AAQABAAAAVwAEjvvRLsAtAAEAAQAAAFcABNg6zS7ALQAcAAEAAAEgABAqABRQQAIEAgAAAAAAACAOwC0AHAABAAABIAAQKgAUUEACBBUAAAAAAAAgDsAtABwAAQAAASAAECoAFFBAAgQDAAAAAAAAIA7ALQAcAAEAAAEgABAqABRQQAIEFgAAAAAAACAOAAAp\/9YAAAAAAAA="} +01224{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":10,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__shadowsocks-tcp.pcapng","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":1,"flow_first_seen":1725100298254824,"flow_src_last_pkt_time":1725100298254907,"flow_dst_last_pkt_time":1725100298255187,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":44,"flow_dst_max_l4_payload_len":318,"flow_src_tot_l4_payload_len":88,"flow_dst_tot_l4_payload_len":318,"midstream":0,"thread_ts_usec":1725100298255187,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.53","src_port":41182,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": 
{"6":"DPI"},"proto":"DNS.YouTube","proto_id":"5.124","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Fun","category_id":14,"category":"Network","hostname":"www.youtube.com","domainame":"www.youtube.com","dns": {"num_queries":1,"num_answers":14,"reply_code":0,"query_type":28,"rsp_type":1,"rsp_addr": ["216.58.204.142,ttl=87","142.251.209.14,ttl=87","216.58.204.238,ttl=87","142.250.180.174,ttl=87"]}}} +00807{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":11,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__shadowsocks-tcp.pcapng","alias":"nDPId-test","flow_id":2,"flow_packet_id":4,"flow_src_last_pkt_time":1725100298254907,"flow_dst_last_pkt_time":1725100298255342,"flow_idle_time":200000000,"pkt_datalink":113,"pkt_caplen":234,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":234,"pkt_l4_len":198,"thread_ts_usec":1725100298255342,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAANrnnEAAARGTQH8AADV\/AAABADWg3gDG\/w0rKIGAAAEABQAAAAEDd3d3B3lvdXR1YmUDY29tAAAcAAHADAAFAAEAAAEgABYKeW91dHViZS11aQFsBmdvb2dsZcAYwC0AHAABAAABIAAQKgAUUEACBBYAAAAAAAAgDsAtABwAAQAAASAAECoAFFBAAgQDAAAAAAAAIA7ALQAcAAEAAAEgABAqABRQQAIEAgAAAAAAACAOwC0AHAABAAABIAAQKgAUUEACBBUAAAAAAAAgDgAAKf\/WAAAAAAAA"} 
+00805{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":14,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__shadowsocks-tcp.pcapng","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1725100298257324,"flow_src_last_pkt_time":1725100298257324,"flow_dst_last_pkt_time":1725100298257324,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1725100298257324,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":40164,"dst_port":1234,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":5} +00598{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":14,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__shadowsocks-tcp.pcapng","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_src_last_pkt_time":1725100298257324,"flow_dst_last_pkt_time":1725100298257324,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":76,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":76,"pkt_l4_len":40,"thread_ts_usec":1725100298257324,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAADxrZEAAQAbRVX8AAAF\/AAABnOQE0krrbnkAAAAAoAL\/1\/4wAAACBP\/XBAIICoJ3H6oAAAAAAQMDBw=="} 
+00598{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":15,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__shadowsocks-tcp.pcapng","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_src_last_pkt_time":1725100298257324,"flow_dst_last_pkt_time":1725100298257341,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":76,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":76,"pkt_l4_len":40,"thread_ts_usec":1725100298257341,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAADwAAEAAQAY8un8AAAF\/AAABBNKc5JkJBktK6256oBL\/y\/4wAAACBP\/XBAIICoJ3H6qCdx+qAQMDBw=="} +00583{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":16,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__shadowsocks-tcp.pcapng","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_src_last_pkt_time":1725100298257355,"flow_dst_last_pkt_time":1725100298257341,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1725100298257355,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAADRrZUAAQAbRXH8AAAF\/AAABnOQE0krrbnqZCQZMgBACAP4oAAABAQgKgncfqoJ3H6o="} 
+01446{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":19,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__shadowsocks-tcp.pcapng","alias":"nDPId-test","flow_id":3,"flow_packet_id":4,"flow_src_last_pkt_time":1725100298309586,"flow_dst_last_pkt_time":1725100298257341,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":704,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":704,"pkt_l4_len":668,"thread_ts_usec":1725100298309586,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAArBrZkAAQAbO338AAAF\/AAABnOQE0krrbnqZCQZMgBgCAAClAAABAQgKgncf3oJ3H6qBA2rGLAEzqPEwLb\/KFfL5e8vU7IzPJpjoNKgzhjRBh5OBXxkktb9U30b+qyzpd0WLLLVGh5uhEx76EzDYoWGwiWJOv4RqcgvXmphlFUQgCYhjxCYb+KP7HieVrD17rK+aP1LM2HBZI3M9WsFhTjaUFWlW\/lt1L7C7e980aQlWRbjOLgGm7i5UjOgWhFOpdS1LodL1R+7UFZBXoisJnD7bdNyJmFXTpFK6RZie4ckwE0NOMq1YmG5ISgx\/dCvhJEezj+nv5gBNAJ\/oo5rL8U7eccdavLmj5dBR3ZdNGy6ym1FpbbHUhuePjlq99AUhu6SFsvjHUUU9sKRCRqfmp0wxKGqf7\/XjezLAJTBMygWC+5lwVn08py\/Hy2rO\/8BeEjZBzxR3lmOQHseGow+gFE75GaINSdxYEEAmK9vzCcn3N\/aIDbERL0Mi35iR5evUvWyYAAW7FhFat3BkGriNPYWafjRKQyKRf2PSPIDx+3exbfQxrSxnH88XV7GzY2uHE\/JCX+MAE7msjcf31CbV3CfEsJepw36ePcNxPprNx0zHxjFe3tyJ\/3AybbagoJpqwjivoKgne6ZzhOA+Ro7pPQ6Rjrw9WeEuCSL1jgrnSpzS4momEQ7WqLuprOI2BTgjsr\/oPnphtevQid2o8cm4ousUW3j5JbplDjkJSem7JCToDL31xvKOYP8a2fO5suEhfrD17ZZpghRGymVq4LlPflx4Er7gfingMVbmEQhFvmYv4qfFfkdqmyJN7+EuCcXF22gclvbEJkyDlRRF60UQkHQS3MUYT4lTJrI9RSr2yazLXUdIQf8lOEMc8RZ\/iIEcQFCbmTXnsrfG0KiYrqE="} 
+00584{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":20,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__shadowsocks-tcp.pcapng","alias":"nDPId-test","flow_id":3,"flow_packet_id":5,"flow_src_last_pkt_time":1725100298309586,"flow_dst_last_pkt_time":1725100298309603,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1725100298309603,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAADThGkAAQAZbp38AAAF\/AAABBNKc5JkJBkxK63D2gBAB+\/4oAAABAQgKgncf3oJ3H94="} +00847{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":21,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__shadowsocks-tcp.pcapng","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1725100298310198,"flow_src_last_pkt_time":1725100298310198,"flow_dst_last_pkt_time":1725100298310198,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1725100298310198,"l3_proto":"ip6","src_ip":"2001:b07:a3d:c112:8628:88aa:8b00:913c","dst_ip":"2a00:1450:4002:416::200e","src_port":45334,"dst_port":443,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":5} 
+00620{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":21,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__shadowsocks-tcp.pcapng","alias":"nDPId-test","flow_id":4,"flow_packet_id":1,"flow_src_last_pkt_time":1725100298310198,"flow_dst_last_pkt_time":1725100298310198,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":96,"pkt_type":34525,"pkt_l3_offset":16,"pkt_l4_offset":56,"pkt_len":96,"pkt_l4_len":40,"thread_ts_usec":1725100298310198,"pkt":"AAQAAQAGCAAn\/ADWAACG3WAKi4kAKAZAIAELBwo9wRKGKIiqiwCRPCoAFFBAAgQWAAAAAAAAIA6xFgG73BclGgAAAACgAv8oxAwAAAIEBYwEAggKUwIM1wAAAAABAwMH"} +00622{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":22,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__shadowsocks-tcp.pcapng","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_src_last_pkt_time":1725100298310198,"flow_dst_last_pkt_time":1725100298313607,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":96,"pkt_type":34525,"pkt_l3_offset":16,"pkt_l4_offset":56,"pkt_len":96,"pkt_l4_len":40,"thread_ts_usec":1725100298313607,"pkt":"AAAAAQAGILAB4IZiAACG3WABZDcAKAZ6KgAUUEACBBYAAAAAAAAgDiABCwcKPcEShiiIqosAkTwBu7EW0+tTyNwXJRugEv\/\/C5sAAAIEBMQEAggK3tRe\/1MCDNcBAwMI"} +00614{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":23,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__shadowsocks-tcp.pcapng","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_src_last_pkt_time":1725100298313659,"flow_dst_last_pkt_time":1725100298313607,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":88,"pkt_type":34525,"pkt_l3_offset":16,"pkt_l4_offset":56,"pkt_len":88,"pkt_l4_len":32,"thread_ts_usec":1725100298313659,"pkt":"AAQAAQAGCAAn\/ADWAACG3WAKi4kAIAZAIAELBwo9wRKGKIiqiwCRPCoAFFBAAgQWAAAAAAAAIA6xFgG73BclG9PrU8mAEAH\/xAQAAAEBCApTAgza3tRe\/w=="} 
+01307{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":24,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__shadowsocks-tcp.pcapng","alias":"nDPId-test","flow_id":4,"flow_packet_id":4,"flow_src_last_pkt_time":1725100298313913,"flow_dst_last_pkt_time":1725100298313607,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":605,"pkt_type":34525,"pkt_l3_offset":16,"pkt_l4_offset":56,"pkt_len":605,"pkt_l4_len":549,"thread_ts_usec":1725100298313913,"pkt":"AAQAAQAGCAAn\/ADWAACG3WAKi4kCJQZAIAELBwo9wRKGKIiqiwCRPCoAFFBAAgQWAAAAAAAAIA6xFgG73BclG9PrU8mAGAH\/xgkAAAEBCApTAgzb3tRe\/xYDAQIAAQAB\/AMD0QQOGD1r51FKjEPNQJN1h62HWSTHs5bRNmVY2hJonmEgbnxnUOUBRf5MJC1ai8S6VAQph1UkRLBIC2FW5HjjmfEAPhMCEwMTAcAswDAAn8ypzKjMqsArwC8AnsAkwCgAa8AjwCcAZ8AKwBQAOcAJwBMAMwCdAJwAPQA8ADUALwD\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"} +01325{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":24,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__shadowsocks-tcp.pcapng","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1725100298310198,"flow_src_last_pkt_time":1725100298313913,"flow_dst_last_pkt_time":1725100298313607,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1725100298313913,"l3_proto":"ip6","src_ip":"2001:b07:a3d:c112:8628:88aa:8b00:913c","dst_ip":"2a00:1450:4002:416::200e","src_port":45334,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.YouTube","proto_id":"91.124","proto_by_ip":"Google","proto_by_ip_id":126,"encrypted":1,"breed":"Fun","category_id":1,"category":"Media","hostname":"www.youtube.com","domainame":"www.youtube.com","tls": 
{"version":"TLSv1.2","ja3":"4ea056e63b7910cbf543f0c095064dfe","ja3s":"","ja4":"t13d3113h2_e8f1e7e78f70_ce5650b735ce","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","advertised_alpns":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2","blocks":0}}} +00611{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":25,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__shadowsocks-tcp.pcapng","alias":"nDPId-test","flow_id":4,"flow_packet_id":5,"flow_src_last_pkt_time":1725100298313913,"flow_dst_last_pkt_time":1725100298317482,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":88,"pkt_type":34525,"pkt_l3_offset":16,"pkt_l4_offset":56,"pkt_len":88,"pkt_l4_len":32,"thread_ts_usec":1725100298317482,"pkt":"AAAAAQAGILAB4IZiAACG3WABZDcAIAZ6KgAUUEACBBYAAAAAAAAgDiABCwcKPcEShiiIqosAkTwBu7EW0+tTydwXJyCAEAEFNmcAAAEBCAre1F8CUwIM2w=="} +01370{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":26,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__shadowsocks-tcp.pcapng","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1725100298310198,"flow_src_last_pkt_time":1725100298313913,"flow_dst_last_pkt_time":1725100298341941,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1208,"midstream":0,"thread_ts_usec":1725100298341941,"l3_proto":"ip6","src_ip":"2001:b07:a3d:c112:8628:88aa:8b00:913c","dst_ip":"2a00:1450:4002:416::200e","src_port":45334,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.YouTube","proto_id":"91.124","proto_by_ip":"Google","proto_by_ip_id":126,"encrypted":1,"breed":"Fun","category_id":1,"category":"Media","hostname":"www.youtube.com","domainame":"www.youtube.com","tls": 
{"version":"TLSv1.3","ja3":"4ea056e63b7910cbf543f0c095064dfe","ja3s":"907bf3ecef1c987c889946b737b43de8","ja4":"t13d3113h2_e8f1e7e78f70_ce5650b735ce","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","advertised_alpns":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2","blocks":0}}} +02218{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":89,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__shadowsocks-tcp.pcapng","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1725100298310198,"flow_src_last_pkt_time":1725100298432355,"flow_dst_last_pkt_time":1725100298432652,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":4876,"flow_src_tot_l4_payload_len":821,"flow_dst_tot_l4_payload_len":22039,"midstream":0,"thread_ts_usec":1725100298432652,"l3_proto":"ip6","src_ip":"2001:b07:a3d:c112:8628:88aa:8b00:913c","dst_ip":"2a00:1450:4002:416::200e","src_port":45334,"dst_port":443,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":5,"data_analysis": {"iat": {"min":0,"avg":7890.7,"max":49565,"stddev":13540.2,"var":183336016.0,"ent":3.3,"data": [3409,3461,254,3875,24459,28067,229,0,209,14,2973,7544,5275,6462,46393,49565,1,0,8985,52,29,430,0,0,0,285,43,26100,26117,380,0]},"pktlen": {"min":72,"avg":786.9,"max":4948,"stddev":1186.2,"var":1407143.5,"ent":3.9,"data": [80,80,72,589,72,1280,72,4904,631,72,72,345,720,103,103,72,1280,293,1280,72,72,72,1280,1280,1280,4948,72,72,1280,72,1280,1280]},"bins": {"c_to_s": [13,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0,0,2]},"directions": [0,1,0,0,1,1,0,1,1,0,0,0,1,0,1,0,1,1,1,0,0,0,1,1,1,1,0,0,1,0,1,1],"entropies": 
[4.755182266,5.261822701,5.153629780,4.806141853,5.165501118,7.786862373,5.164113998,7.965732574,7.625080109,5.164113998,5.164113998,7.146784306,7.713749886,5.760443687,5.767366886,5.125851631,7.825596809,7.149698257,7.853908539,5.153629303,5.153629303,5.153629303,7.834226608,7.855994701,7.841277122,7.962058067,5.125851631,5.153629780,7.850774765,5.153629303,7.848540783,7.840482712]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.YouTube","proto_id":"91.124","proto_by_ip":"Google","proto_by_ip_id":126,"encrypted":1,"breed":"Fun","category_id":1,"category":"Media"}} +01031{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":100,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__shadowsocks-tcp.pcapng","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":2,"flow_first_seen":1725100298254824,"flow_src_last_pkt_time":1725100298254907,"flow_dst_last_pkt_time":1725100298255342,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":44,"flow_dst_max_l4_payload_len":318,"flow_src_tot_l4_payload_len":88,"flow_dst_tot_l4_payload_len":508,"midstream":0,"thread_ts_usec":1725100298432922,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.53","src_port":41182,"dst_port":53,"l4_proto":"udp","flow_datalink":113,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.YouTube","proto_id":"5.124","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Fun","category_id":14,"category":"Network","hostname":"www.youtube.com"}} 
+01033{"flow_event_id":9,"flow_event_name":"not-detected","thread_id":0,"packet_id":100,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__shadowsocks-tcp.pcapng","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":11,"flow_first_seen":1725100298257324,"flow_src_last_pkt_time":1725100298432715,"flow_dst_last_pkt_time":1725100298432675,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":636,"flow_dst_max_l4_payload_len":7428,"flow_src_tot_l4_payload_len":1076,"flow_dst_tot_l4_payload_len":20131,"midstream":0,"thread_ts_usec":1725100298432922,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":40164,"dst_port":1234,"l4_proto":"tcp","ndpi": {"flow_risk": {"51": {"risk":"Fully Encrypted Flow","severity":"Medium","risk_score": {"total":360,"client":240,"server":120}}},"proto":"Unknown","proto_id":"0","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Unrated"}} +00821{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":100,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__shadowsocks-tcp.pcapng","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":11,"flow_first_seen":1725100298257324,"flow_src_last_pkt_time":1725100298432715,"flow_dst_last_pkt_time":1725100298432675,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":636,"flow_dst_max_l4_payload_len":7428,"flow_src_tot_l4_payload_len":1076,"flow_dst_tot_l4_payload_len":20131,"midstream":0,"thread_ts_usec":1725100298432922,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":40164,"dst_port":1234,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":5} 
+01004{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":100,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__shadowsocks-tcp.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":12,"flow_first_seen":1725100298253624,"flow_src_last_pkt_time":1725100298407018,"flow_dst_last_pkt_time":1725100298407002,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":9887,"flow_src_tot_l4_payload_len":847,"flow_dst_tot_l4_payload_len":18427,"midstream":0,"thread_ts_usec":1725100298432922,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":44424,"dst_port":1080,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"SOCKS","proto_id":"172","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +01080{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":100,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__shadowsocks-tcp.pcapng","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":21,"flow_first_seen":1725100298310198,"flow_src_last_pkt_time":1725100298432922,"flow_dst_last_pkt_time":1725100298432653,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":6040,"flow_src_tot_l4_payload_len":821,"flow_dst_tot_l4_payload_len":31703,"midstream":0,"thread_ts_usec":1725100298432922,"l3_proto":"ip6","src_ip":"2001:b07:a3d:c112:8628:88aa:8b00:913c","dst_ip":"2a00:1450:4002:416::200e","src_port":45334,"dst_port":443,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":5,"ndpi": {"confidence": 
{"6":"DPI"},"proto":"TLS.YouTube","proto_id":"91.124","proto_by_ip":"Google","proto_by_ip_id":126,"encrypted":1,"breed":"Fun","category_id":1,"category":"Media","hostname":"www.youtube.com"}} +00835{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":100,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__shadowsocks-tcp.pcapng","alias":"nDPId-test","version":"1.7.0","ndpi_version":"4.11.0-4976-59ee1fe","packets-captured":100,"packets-processed":100,"pfring_active":false,"pfring_recv":0,"pfring_drop":0,"pfring_shunt":0,"total-skipped-flows":0,"total-l4-payload-len":73601,"total-not-detected-flows":1,"total-guessed-flows":0,"total-detected-flows":3,"total-detection-updates":3,"total-updates":0,"current-active-flows":0,"total-active-flows":4,"total-idle-flows":4,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"global-alloc-count":0,"global-free-count":0,"global-alloc-bytes":0,"global-free-bytes":0,"total-events-serialized":38,"global_ts_usec":1725100298432922} +~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ +~~ packets captured/processed: 100/100 +~~ skipped flows.............: 0 +~~ total layer4 data length..: 73601 bytes +~~ total detected protocols..: 3 +~~ total active/idle flows...: 4/4 +~~ total timeout flows.......: 0 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +~~ total memory allocated....: 6821029 bytes +~~ total memory freed........: 6821029 bytes +~~ total allocations/frees...: 114293/114293 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +~~ json message min len.......: 587 chars +~~ json message max len.......: 2223 chars +~~ json message avg len.......: 1401 chars diff --git a/test/results/tls_heuristics_enabled/tls_heur__trojan-tcp-tls.pcapng.out b/test/results/tls_heuristics_enabled/tls_heur__trojan-tcp-tls.pcapng.out new file mode 100644 index 000000000..c15936234 --- /dev/null +++ b/test/results/tls_heuristics_enabled/tls_heur__trojan-tcp-tls.pcapng.out 
@@ -0,0 +1,90 @@
+00597{"daemon_event_id":1,"daemon_event_name":"init","thread_id":0,"packet_id":0,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","version":"1.7.0","ndpi_version":"4.11.0-4976-59ee1fe","max-flows-per-thread":2048,"max-idle-flows-per-thread":64,"reader-thread-count":1,"flow-scan-interval":10000000,"generic-max-idle-time":600000000,"icmp-max-idle-time":120000000,"udp-max-idle-time":180000000,"tcp-max-idle-time":7560000000,"max-packets-per-flow-to-send":5,"max-packets-per-flow-to-process":32,"max-packets-per-flow-to-analyse":32,"global_ts_usec":0}
+00821{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":1,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","version":"1.7.0","ndpi_version":"4.11.0-4976-59ee1fe","packets-captured":1,"packets-processed":0,"pfring_active":false,"pfring_recv":0,"pfring_drop":0,"pfring_shunt":0,"total-skipped-flows":0,"total-l4-payload-len":0,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":0,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":0,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"global-alloc-count":0,"global-free-count":0,"global-alloc-bytes":0,"global-free-bytes":0,"total-events-serialized":2,"global_ts_usec":1725367999181087}
+00803{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1725367999181087,"flow_src_last_pkt_time":1725367999181087,"flow_dst_last_pkt_time":1725367999181087,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1725367999181087,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":60654,"dst_port":1080,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":5}
+00596{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_src_last_pkt_time":1725367999181087,"flow_dst_last_pkt_time":1725367999181087,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":76,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":76,"pkt_l4_len":40,"thread_ts_usec":1725367999181087,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAADzyHEAAQAZKnX8AAAF\/AAAB7O4EOOE3LPkAAAAAoAL\/1\/4wAAACBP\/XBAIICrEoZggAAAAAAQMDBw=="}
+00596{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1725367999181087,"flow_dst_last_pkt_time":1725367999181104,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":76,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":76,"pkt_l4_len":40,"thread_ts_usec":1725367999181104,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAADwAAEAAQAY8un8AAAF\/AAABBDjs7jONTa3hNyz6oBL\/y\/4wAAACBP\/XBAIICrEoZgixKGYIAQMDBw=="}
+00581{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1725367999181119,"flow_dst_last_pkt_time":1725367999181104,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1725367999181119,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAADTyHUAAQAZKpH8AAAF\/AAAB7O4EOOE3LPozjU2ugBACAP4oAAABAQgKsShmCLEoZgg="}
+00585{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":4,"flow_src_last_pkt_time":1725367999181167,"flow_dst_last_pkt_time":1725367999181104,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":72,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":72,"pkt_l4_len":36,"thread_ts_usec":1725367999181167,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAADjyHkAAQAZKn38AAAF\/AAAB7O4EOOE3LPozjU2ugBgCAP4sAAABAQgKsShmCLEoZggFAgAB"}
+00581{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":5,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":5,"flow_src_last_pkt_time":1725367999181167,"flow_dst_last_pkt_time":1725367999181175,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1725367999181175,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAADQDyUAAQAY4+X8AAAF\/AAABBDjs7jONTa7hNyz+gBACAP4oAAABAQgKsShmCLEoZgg="}
+00947{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":6,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1725367999181087,"flow_src_last_pkt_time":1725367999181167,"flow_dst_last_pkt_time":1725367999182460,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":4,"flow_dst_max_l4_payload_len":2,"flow_src_tot_l4_payload_len":4,"flow_dst_tot_l4_payload_len":2,"midstream":0,"thread_ts_usec":1725367999182460,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":60654,"dst_port":1080,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"SOCKS","proto_id":"172","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}}
+00804{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":8,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1725367999183111,"flow_src_last_pkt_time":1725367999183111,"flow_dst_last_pkt_time":1725367999183111,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":44,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":44,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1725367999183111,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.53","src_port":52786,"dst_port":53,"l4_proto":"udp","flow_datalink":113,"flow_max_packets":5}
+00609{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":8,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_src_last_pkt_time":1725367999183111,"flow_dst_last_pkt_time":1725367999183111,"flow_idle_time":200000000,"pkt_datalink":113,"pkt_caplen":88,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":88,"pkt_l4_len":52,"thread_ts_usec":1725367999183111,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAAEgCBkAAQBE6aX8AAAF\/AAA1zjIANQA0\/nu+eQEgAAEAAAAAAAEDd3d3B3lvdXR1YmUDY29tAAABAAEAACkEsAAAAAAAAA=="}
+01112{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":8,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1725367999183111,"flow_src_last_pkt_time":1725367999183111,"flow_dst_last_pkt_time":1725367999183111,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":44,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":44,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1725367999183111,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.53","src_port":52786,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.YouTube","proto_id":"5.124","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Fun","category_id":14,"category":"Network","hostname":"www.youtube.com","domainame":"www.youtube.com","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr": []}}}
+00609{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1725367999183131,"flow_dst_last_pkt_time":1725367999183111,"flow_idle_time":200000000,"pkt_datalink":113,"pkt_caplen":88,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":88,"pkt_l4_len":52,"thread_ts_usec":1725367999183131,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAAEgCB0AAQBE6aH8AAAF\/AAA1zjIANQA0\/nsqewEgAAEAAAAAAAEDd3d3B3lvdXR1YmUDY29tAAAcAAEAACkEsAAAAAAAAA=="}
+01246{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":9,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":0,"flow_first_seen":1725367999183111,"flow_src_last_pkt_time":1725367999183131,"flow_dst_last_pkt_time":1725367999183111,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":44,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":88,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1725367999183131,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.53","src_port":52786,"dst_port":53,"l4_proto":"udp","ndpi": {"flow_risk": {"46": {"risk":"Unidirectional Traffic","severity":"Low","risk_score": {"total":500,"client":430,"server":70}}},"confidence": {"6":"DPI"},"proto":"DNS.YouTube","proto_id":"5.124","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Fun","category_id":14,"category":"Network","hostname":"www.youtube.com","domainame":"www.youtube.com","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":28,"rsp_type":0,"rsp_addr": []}}} 
+00812{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":10,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1725367999183433,"flow_src_last_pkt_time":1725367999183433,"flow_dst_last_pkt_time":1725367999183433,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":44,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":44,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1725367999183433,"l3_proto":"ip4","src_ip":"192.168.1.183","dst_ip":"192.168.1.253","src_port":46451,"dst_port":53,"l4_proto":"udp","flow_datalink":113,"flow_max_packets":5}
+00609{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":10,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_src_last_pkt_time":1725367999183433,"flow_dst_last_pkt_time":1725367999183433,"flow_idle_time":200000000,"pkt_datalink":113,"pkt_caplen":88,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":88,"pkt_l4_len":52,"thread_ts_usec":1725367999183433,"pkt":"AAQAAQAGCAAn\/ADWAAAIAEUAAEimRgAAQBFPWsCoAbfAqAH9tXMANQA0hUp6qwEAAAEAAAAAAAEDd3d3B3lvdXR1YmUDY29tAAABAAEAACkFwAAAAAAAAA=="}
+01120{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":10,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1725367999183433,"flow_src_last_pkt_time":1725367999183433,"flow_dst_last_pkt_time":1725367999183433,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":44,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":44,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1725367999183433,"l3_proto":"ip4","src_ip":"192.168.1.183","dst_ip":"192.168.1.253","src_port":46451,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.YouTube","proto_id":"5.124","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Fun","category_id":14,"category":"Network","hostname":"www.youtube.com","domainame":"www.youtube.com","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr": []}}}
+00812{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":11,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1725367999187954,"flow_src_last_pkt_time":1725367999187954,"flow_dst_last_pkt_time":1725367999187954,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":44,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":44,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1725367999187954,"l3_proto":"ip4","src_ip":"192.168.1.183","dst_ip":"192.168.1.253","src_port":54260,"dst_port":53,"l4_proto":"udp","flow_datalink":113,"flow_max_packets":5}
+00610{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":11,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":4,"flow_packet_id":1,"flow_src_last_pkt_time":1725367999187954,"flow_dst_last_pkt_time":1725367999187954,"flow_idle_time":200000000,"pkt_datalink":113,"pkt_caplen":88,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":88,"pkt_l4_len":52,"thread_ts_usec":1725367999187954,"pkt":"AAQAAQAGCAAn\/ADWAAAIAEUAAEjgmQAAQBEVB8CoAbfAqAH90\/QANQA0hUqvmwEAAAEAAAAAAAEDd3d3B3lvdXR1YmUDY29tAAAcAAEAACkFwAAAAAAAAA=="}
+01121{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":11,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1725367999187954,"flow_src_last_pkt_time":1725367999187954,"flow_dst_last_pkt_time":1725367999187954,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":44,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":44,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1725367999187954,"l3_proto":"ip4","src_ip":"192.168.1.183","dst_ip":"192.168.1.253","src_port":54260,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.YouTube","proto_id":"5.124","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Fun","category_id":14,"category":"Network","hostname":"www.youtube.com","domainame":"www.youtube.com","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":28,"rsp_type":0,"rsp_addr": []}}}
+01043{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":12,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_src_last_pkt_time":1725367999183433,"flow_dst_last_pkt_time":1725367999215826,"flow_idle_time":200000000,"pkt_datalink":113,"pkt_caplen":413,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":413,"pkt_l4_len":377,"thread_ts_usec":1725367999215826,"pkt":"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"}
+01233{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":12,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1725367999183433,"flow_src_last_pkt_time":1725367999183433,"flow_dst_last_pkt_time":1725367999215826,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":44,"flow_dst_max_l4_payload_len":369,"flow_src_tot_l4_payload_len":44,"flow_dst_tot_l4_payload_len":369,"midstream":0,"thread_ts_usec":1725367999215826,"l3_proto":"ip4","src_ip":"192.168.1.183","dst_ip":"192.168.1.253","src_port":46451,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.YouTube","proto_id":"5.124","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Fun","category_id":14,"category":"Network","hostname":"www.youtube.com","domainame":"www.youtube.com","dns": {"num_queries":1,"num_answers":9,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr": ["142.250.180.142,ttl=223","142.251.209.14,ttl=223","142.250.180.174,ttl=223","142.251.209.46,ttl=223"]}}}
+00951{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":13,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_src_last_pkt_time":1725367999187954,"flow_dst_last_pkt_time":1725367999216106,"flow_idle_time":200000000,"pkt_datalink":113,"pkt_caplen":344,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":344,"pkt_l4_len":308,"thread_ts_usec":1725367999216106,"pkt":"AAAAAQAG3KYyW3JVAAAIAEUAAUhSa0AAQBFiNcCoAf3AqAG3ADXT9AE0aXKvm4GAAAEABQAAAAEDd3d3B3lvdXR1YmUDY29tAAAcAAEDd3d3B3lvdXR1YmUDY29tAAAFAAEAAAB3ABkKeW91dHViZS11aQFsBmdvb2dsZQNjb20ACnlvdXR1YmUtdWkBbAZnb29nbGUDY29tAAAcAAEAAAB3ABAqABRQQAIEEQAAAAAAACAOCnlvdXR1YmUtdWkBbAZnb29nbGUDY29tAAAcAAEAAAB3ABAqABRQQAIEAgAAAAAAACAOCnlvdXR1YmUtdWkBbAZnb29nbGUDY29tAAAcAAEAAAB3ABAqABRQQAIEAwAAAAAAACAOCnlvdXR1YmUtdWkBbAZnb29nbGUDY29tAAAcAAEAAAB3ABAqABRQQAIEEAAAAAAAACAOAAApBNAAAAAAAAA="}
+01273{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":13,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1725367999187954,"flow_src_last_pkt_time":1725367999187954,"flow_dst_last_pkt_time":1725367999216106,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":44,"flow_dst_max_l4_payload_len":300,"flow_src_tot_l4_payload_len":44,"flow_dst_tot_l4_payload_len":300,"midstream":0,"thread_ts_usec":1725367999216106,"l3_proto":"ip4","src_ip":"192.168.1.183","dst_ip":"192.168.1.253","src_port":54260,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.YouTube","proto_id":"5.124","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Fun","category_id":14,"category":"Network","hostname":"www.youtube.com","domainame":"www.youtube.com","dns": {"num_queries":1,"num_answers":6,"reply_code":0,"query_type":28,"rsp_type":28,"rsp_addr": ["2a00:1450:4002:411::200e,ttl=119","2a00:1450:4002:402::200e,ttl=119","2a00:1450:4002:403::200e,ttl=119","2a00:1450:4002:410::200e,ttl=119"]}}}
+00806{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":14,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1725367999183131,"flow_dst_last_pkt_time":1725367999216307,"flow_idle_time":200000000,"pkt_datalink":113,"pkt_caplen":234,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":234,"pkt_l4_len":198,"thread_ts_usec":1725367999216307,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAANo1i0AAARFFUn8AADV\/AAABADXOMgDG\/w2+eYGAAAEACAAAAAEDd3d3B3lvdXR1YmUDY29tAAABAAHADAAFAAEAAADfABYKeW91dHViZS11aQFsBmdvb2dsZcAYwC0AAQABAAAA3wAEjvq0jsAtAAEAAQAAAN8ABI770Q7ALQABAAEAAADfAASO+rSuwC0AAQABAAAA3wAEjvvRLsAtAAEAAQAAAN8ABNg6zS7ALQABAAEAAADfAATYOszuwC0AAQABAAAA3wAE2DrMjgAAKf\/WAAAAAAAA"}
+01227{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":14,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":1,"flow_first_seen":1725367999183111,"flow_src_last_pkt_time":1725367999183131,"flow_dst_last_pkt_time":1725367999216307,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":44,"flow_dst_max_l4_payload_len":190,"flow_src_tot_l4_payload_len":88,"flow_dst_tot_l4_payload_len":190,"midstream":0,"thread_ts_usec":1725367999216307,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.53","src_port":52786,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.YouTube","proto_id":"5.124","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Fun","category_id":14,"category":"Network","hostname":"www.youtube.com","domainame":"www.youtube.com","dns": {"num_queries":1,"num_answers":9,"reply_code":0,"query_type":28,"rsp_type":1,"rsp_addr": ["142.250.180.142,ttl=223","142.251.209.14,ttl=223","142.250.180.174,ttl=223","142.251.209.46,ttl=223"]}}} 
+00806{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":15,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":2,"flow_packet_id":4,"flow_src_last_pkt_time":1725367999183131,"flow_dst_last_pkt_time":1725367999216536,"flow_idle_time":200000000,"pkt_datalink":113,"pkt_caplen":234,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":234,"pkt_l4_len":198,"thread_ts_usec":1725367999216536,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAANo1jEAAARFFUX8AADV\/AAABADXOMgDG\/w0qe4GAAAEABQAAAAEDd3d3B3lvdXR1YmUDY29tAAAcAAHADAAFAAEAAAB3ABYKeW91dHViZS11aQFsBmdvb2dsZcAYwC0AHAABAAAAdwAQKgAUUEACBBEAAAAAAAAgDsAtABwAAQAAAHcAECoAFFBAAgQCAAAAAAAAIA7ALQAcAAEAAAB3ABAqABRQQAIEAwAAAAAAACAOwC0AHAABAAAAdwAQKgAUUEACBBAAAAAAAAAgDgAAKf\/WAAAAAAAA"}
+00805{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":19,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1725367999227781,"flow_src_last_pkt_time":1725367999227781,"flow_dst_last_pkt_time":1725367999227781,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":37,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1725367999227781,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.53","src_port":53154,"dst_port":53,"l4_proto":"udp","flow_datalink":113,"flow_max_packets":5}
+00598{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":19,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_src_last_pkt_time":1725367999227781,"flow_dst_last_pkt_time":1725367999227781,"flow_idle_time":200000000,"pkt_datalink":113,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":81,"pkt_l4_len":45,"thread_ts_usec":1725367999227781,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAAEHfN0AAQBFdPn8AAAF\/AAA1z6IANQAt\/nTjvAEgAAEAAAAAAAEEdGVzdANsYW4AAAEAAQAAKQTQAAAAAAAA"}
+01094{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":19,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1725367999227781,"flow_src_last_pkt_time":1725367999227781,"flow_dst_last_pkt_time":1725367999227781,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":37,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1725367999227781,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.53","src_port":53154,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"test.lan","domainame":"test.lan","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr": []}}}
+00805{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":20,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1725367999227781,"flow_src_last_pkt_time":1725367999227781,"flow_dst_last_pkt_time":1725367999227781,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":37,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1725367999227781,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.53","src_port":56496,"dst_port":53,"l4_proto":"udp","flow_datalink":113,"flow_max_packets":5}
+00598{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":20,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":6,"flow_packet_id":1,"flow_src_last_pkt_time":1725367999227781,"flow_dst_last_pkt_time":1725367999227781,"flow_idle_time":200000000,"pkt_datalink":113,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":81,"pkt_l4_len":45,"thread_ts_usec":1725367999227781,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAAEGDYEAAQBG5FX8AAAF\/AAA13LAANQAt\/nTiwwEgAAEAAAAAAAEEdGVzdANsYW4AABwAAQAAKQTQAAAAAAAA"}
+01095{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":20,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1725367999227781,"flow_src_last_pkt_time":1725367999227781,"flow_dst_last_pkt_time":1725367999227781,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":37,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1725367999227781,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.53","src_port":56496,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"test.lan","domainame":"test.lan","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":28,"rsp_type":0,"rsp_addr": []}}}
+00812{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":21,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1725367999227989,"flow_src_last_pkt_time":1725367999227989,"flow_dst_last_pkt_time":1725367999227989,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":37,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1725367999227989,"l3_proto":"ip4","src_ip":"192.168.1.183","dst_ip":"192.168.1.253","src_port":39434,"dst_port":53,"l4_proto":"udp","flow_datalink":113,"flow_max_packets":5}
+00597{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":21,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":7,"flow_packet_id":1,"flow_src_last_pkt_time":1725367999227989,"flow_dst_last_pkt_time":1725367999227989,"flow_idle_time":200000000,"pkt_datalink":113,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":81,"pkt_l4_len":45,"thread_ts_usec":1725367999227989,"pkt":"AAQAAQAGCAAn\/ADWAAAIAEUAAEE0KQAAQBHBfsCoAbfAqAH9mgoANQAthUPOfQEAAAEAAAAAAAEEdGVzdANsYW4AAAEAAQAAKQXAAAAAAAAA"}
+01101{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":21,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1725367999227989,"flow_src_last_pkt_time":1725367999227989,"flow_dst_last_pkt_time":1725367999227989,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":37,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1725367999227989,"l3_proto":"ip4","src_ip":"192.168.1.183","dst_ip":"192.168.1.253","src_port":39434,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"test.lan","domainame":"test.lan","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr": []}}}
+00812{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":22,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1725367999228105,"flow_src_last_pkt_time":1725367999228105,"flow_dst_last_pkt_time":1725367999228105,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":37,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1725367999228105,"l3_proto":"ip4","src_ip":"192.168.1.183","dst_ip":"192.168.1.253","src_port":38613,"dst_port":53,"l4_proto":"udp","flow_datalink":113,"flow_max_packets":5}
+00597{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":22,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":8,"flow_packet_id":1,"flow_src_last_pkt_time":1725367999228105,"flow_dst_last_pkt_time":1725367999228105,"flow_idle_time":200000000,"pkt_datalink":113,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":81,"pkt_l4_len":45,"thread_ts_usec":1725367999228105,"pkt":"AAQAAQAGCAAn\/ADWAAAIAEUAAEEG4gAAQBHuxcCoAbfAqAH9ltUANQAthUNZ0wEAAAEAAAAAAAEEdGVzdANsYW4AABwAAQAAKQXAAAAAAAAA"}
+01102{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":22,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1725367999228105,"flow_src_last_pkt_time":1725367999228105,"flow_dst_last_pkt_time":1725367999228105,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":37,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1725367999228105,"l3_proto":"ip4","src_ip":"192.168.1.183","dst_ip":"192.168.1.253","src_port":38613,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"test.lan","domainame":"test.lan","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":28,"rsp_type":0,"rsp_addr": []}}}
+00620{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":23,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":7,"flow_packet_id":2,"flow_src_last_pkt_time":1725367999227989,"flow_dst_last_pkt_time":1725367999228682,"flow_idle_time":200000000,"pkt_datalink":113,"pkt_caplen":97,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":97,"pkt_l4_len":61,"thread_ts_usec":1725367999228682,"pkt":"AAAAAQAG3KYyW3JVAAAIAEUAAFFSbkAAQBFjKcCoAf3AqAG3ADWaCgA9m8bOfYWAAAEAAQAAAAEEdGVzdANsYW4AAAEAAcAMAAEAAQAAAAAABH8AAAEAACkE0AAAAAAAAA=="}
+01244{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":23,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1725367999227989,"flow_src_last_pkt_time":1725367999227989,"flow_dst_last_pkt_time":1725367999228682,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":53,"flow_src_tot_l4_payload_len":37,"flow_dst_tot_l4_payload_len":53,"midstream":0,"thread_ts_usec":1725367999228682,"l3_proto":"ip4","src_ip":"192.168.1.183","dst_ip":"192.168.1.253","src_port":39434,"dst_port":53,"l4_proto":"udp","ndpi": {"flow_risk": {"49": {"risk":"Minor Issues","severity":"Low","risk_score": {"total":210,"client":105,"server":105}}},"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"test.lan","domainame":"test.lan","dns": {"num_queries":1,"num_answers":2,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr": ["127.0.0.1,ttl=0"]}}} +00623{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":24,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":5,"flow_packet_id":2,"flow_src_last_pkt_time":1725367999227781,"flow_dst_last_pkt_time":1725367999228836,"flow_idle_time":200000000,"pkt_datalink":113,"pkt_caplen":97,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":97,"pkt_l4_len":61,"thread_ts_usec":1725367999228836,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAAFE1jUAAARFF2X8AADV\/AAABADXPogA9\/oTjvIGAAAEAAQAAAAEEdGVzdANsYW4AAAEAAcAMAAEAAQAAAAAABH8AAAEAACn\/1gAAAAAAAA=="} 
+01237{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":24,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1725367999227781,"flow_src_last_pkt_time":1725367999227781,"flow_dst_last_pkt_time":1725367999228836,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":53,"flow_src_tot_l4_payload_len":37,"flow_dst_tot_l4_payload_len":53,"midstream":0,"thread_ts_usec":1725367999228836,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.53","src_port":53154,"dst_port":53,"l4_proto":"udp","ndpi": {"flow_risk": {"49": {"risk":"Minor Issues","severity":"Low","risk_score": {"total":210,"client":105,"server":105}}},"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"test.lan","domainame":"test.lan","dns": {"num_queries":1,"num_answers":2,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr": ["127.0.0.1,ttl=0"]}}} +00596{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":25,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":8,"flow_packet_id":2,"flow_src_last_pkt_time":1725367999228105,"flow_dst_last_pkt_time":1725367999228906,"flow_idle_time":200000000,"pkt_datalink":113,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":81,"pkt_l4_len":45,"thread_ts_usec":1725367999228906,"pkt":"AAAAAQAG3KYyW3JVAAAIAEUAAEFSb0AAQBFjOMCoAf3AqAG3ADWW1QAtVsBZ04GAAAEAAAAAAAEEdGVzdANsYW4AABwAAQAAKQTQAAAAAAAA"} 
+01112{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":25,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1725367999228105,"flow_src_last_pkt_time":1725367999228105,"flow_dst_last_pkt_time":1725367999228906,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":37,"flow_src_tot_l4_payload_len":37,"flow_dst_tot_l4_payload_len":37,"midstream":0,"thread_ts_usec":1725367999228906,"l3_proto":"ip4","src_ip":"192.168.1.183","dst_ip":"192.168.1.253","src_port":38613,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"test.lan","domainame":"test.lan","dns": {"num_queries":1,"num_answers":1,"reply_code":0,"query_type":28,"rsp_type":0,"rsp_addr": []}}} +00599{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":26,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":6,"flow_packet_id":2,"flow_src_last_pkt_time":1725367999227781,"flow_dst_last_pkt_time":1725367999229017,"flow_idle_time":200000000,"pkt_datalink":113,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":81,"pkt_l4_len":45,"thread_ts_usec":1725367999229017,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAAEE1jkAAARFF6H8AADV\/AAABADXcsAAt\/nTiw4GAAAEAAAAAAAEEdGVzdANsYW4AABwAAQAAKf\/WAAAAAAAA"} 
+01105{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":26,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1725367999227781,"flow_src_last_pkt_time":1725367999227781,"flow_dst_last_pkt_time":1725367999229017,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":37,"flow_src_tot_l4_payload_len":37,"flow_dst_tot_l4_payload_len":37,"midstream":0,"thread_ts_usec":1725367999229017,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.53","src_port":56496,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"test.lan","domainame":"test.lan","dns": {"num_queries":1,"num_answers":1,"reply_code":0,"query_type":28,"rsp_type":0,"rsp_addr": []}}} +00804{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":27,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1725367999229171,"flow_src_last_pkt_time":1725367999229171,"flow_dst_last_pkt_time":1725367999229171,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1725367999229171,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":41796,"dst_port":1234,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":5} 
+00597{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":27,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":9,"flow_packet_id":1,"flow_src_last_pkt_time":1725367999229171,"flow_dst_last_pkt_time":1725367999229171,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":76,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":76,"pkt_l4_len":40,"thread_ts_usec":1725367999229171,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAADzxDkAAQAZLq38AAAF\/AAABo0QE0usUzpMAAAAAoAL\/1\/4wAAACBP\/XBAIICrEoZjgAAAAAAQMDBw=="} +00598{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":28,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":9,"flow_packet_id":2,"flow_src_last_pkt_time":1725367999229171,"flow_dst_last_pkt_time":1725367999229192,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":76,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":76,"pkt_l4_len":40,"thread_ts_usec":1725367999229192,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAADwAAEAAQAY8un8AAAF\/AAABBNKjRM5Wxk\/rFM6UoBL\/y\/4wAAACBP\/XBAIICrEoZjixKGY4AQMDBw=="} +00582{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":29,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":9,"flow_packet_id":3,"flow_src_last_pkt_time":1725367999229206,"flow_dst_last_pkt_time":1725367999229192,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1725367999229206,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAADTxD0AAQAZLsn8AAAF\/AAABo0QE0usUzpTOVsZQgBACAP4oAAABAQgKsShmOLEoZjg="} 
+00960{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":30,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":9,"flow_packet_id":4,"flow_src_last_pkt_time":1725367999254153,"flow_dst_last_pkt_time":1725367999229192,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":346,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":346,"pkt_l4_len":310,"thread_ts_usec":1725367999254153,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAAUrxEEAAQAZKm38AAAF\/AAABo0QE0usUzpTOVsZQgBgCAP8+AAABAQgKsShmUbEoZjgWAwEBEQEAAQ0DAyFGnh8Cu2Rm520uiVKrZ3Z0nhuQpd8QGiRhwieK6Fq7IGWx9syJCANsbwb1\/6RMETFXEH9DLz1n5y+wNDEptuuPACbAK8AvwCzAMMypzKjACcATwArAFACcAJ0ALwA1wBIAChMBEwITAwEAAJ4AAAANAAsAAAh0ZXN0LmxhbgAFAAUBAAAAAAAKAAoACAAdABcAGAAZAAsAAgEAAA0AGgAYCAQEAwgHCAUIBgQBBQEGAQUDBgMCAQID\/wEAAQAAFwAAABAADgAMAmgyCGh0dHAvMS4xABIAAAArAAUEAwQDAwAzACYAJAAdACCdNqsfelyxagOYCAVYwvh5JHJ9cB\/kxfOyzmGD42qyLA=="} +01386{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":30,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1725367999229171,"flow_src_last_pkt_time":1725367999254153,"flow_dst_last_pkt_time":1725367999229192,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":278,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":278,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1725367999254153,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":41796,"dst_port":1234,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":160,"client":140,"server":20}}},"confidence": 
{"6":"DPI"},"proto":"TLS","proto_id":"91","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"test.lan","domainame":"test.lan","tls": {"version":"TLSv1.2","ja3":"7a15285d4efc355608b304698cd7f9ab","ja3s":"","ja4":"t13d1911h2_9dc949149365_e7c285222651","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","advertised_alpns":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2","blocks":0}}} +00583{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":31,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":9,"flow_packet_id":5,"flow_src_last_pkt_time":1725367999254153,"flow_dst_last_pkt_time":1725367999254186,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1725367999254186,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAADT8A0AAQAZAvn8AAAF\/AAABBNKjRM5WxlDrFM+qgBAB\/v4oAAABAQgKsShmUbEoZlE="} +01431{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":32,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1725367999229171,"flow_src_last_pkt_time":1725367999254153,"flow_dst_last_pkt_time":1725367999255053,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":278,"flow_dst_max_l4_payload_len":1126,"flow_src_tot_l4_payload_len":278,"flow_dst_tot_l4_payload_len":1126,"midstream":0,"thread_ts_usec":1725367999255053,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":41796,"dst_port":1234,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":160,"client":140,"server":20}}},"confidence": 
{"6":"DPI"},"proto":"TLS","proto_id":"91","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"test.lan","domainame":"test.lan","tls": {"version":"TLSv1.3","ja3":"7a15285d4efc355608b304698cd7f9ab","ja3s":"f4febc55ea12b31ae17cfb7e614afda8","ja4":"t13d1911h2_9dc949149365_e7c285222651","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","advertised_alpns":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2","blocks":0}}} +00814{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":38,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1725367999286453,"flow_src_last_pkt_time":1725367999286453,"flow_dst_last_pkt_time":1725367999286453,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1725367999286453,"l3_proto":"ip4","src_ip":"192.168.1.183","dst_ip":"142.250.180.142","src_port":58730,"dst_port":443,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":5} +00595{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":38,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":10,"flow_packet_id":1,"flow_src_last_pkt_time":1725367999286453,"flow_dst_last_pkt_time":1725367999286453,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":76,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":76,"pkt_l4_len":40,"thread_ts_usec":1725367999286453,"pkt":"AAQAAQAGCAAn\/ADWAAAIAEUAADyj8EAAQAaQ48CoAbeO+rSO5WoBuxNFvnkAAAAAoAL68AYXAAACBAW0BAIICvUADzYAAAAAAQMDBw=="} 
+00597{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":39,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":10,"flow_packet_id":2,"flow_src_last_pkt_time":1725367999286453,"flow_dst_last_pkt_time":1725367999289133,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":76,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":76,"pkt_l4_len":40,"thread_ts_usec":1725367999289133,"pkt":"AAAAAQAGILAB4IZiAAAIAEWAADwAAEAAegb6U476tI7AqAG3AbvlauLwuUUTRb56oBL\/\/2yMAAACBAWEBAIICjS\/R5j1AA82AQMDCA=="} +00584{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":40,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":10,"flow_packet_id":3,"flow_src_last_pkt_time":1725367999289173,"flow_dst_last_pkt_time":1725367999289133,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1725367999289173,"pkt":"AAQAAQAGCAAn\/ADWAAAIAEUAADSj8UAAQAaQ6sCoAbeO+rSO5WoBuxNFvnri8LlGgBAB9gYPAAABAQgK9QAPODS\/R5g="} 
+01278{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":41,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":10,"flow_packet_id":4,"flow_src_last_pkt_time":1725367999289505,"flow_dst_last_pkt_time":1725367999289133,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":585,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":585,"pkt_l4_len":549,"thread_ts_usec":1725367999289505,"pkt":"AAQAAQAGCAAn\/ADWAAAIAEUAAjmj8kAAQAaO5MCoAbeO+rSO5WoBuxNFvnri8LlGgBgB9ggUAAABAQgK9QAPOTS\/R5gWAwECAAEAAfwDA4eghpH2KHwMz8AziuY+gtGDs4emEbDYMr6OK+pG\/9UPIOlVNmZrGlj4sxUBofwqgMFT84dd6Al6OXnI6uFNzHqnAD4TAhMDEwHALMAwAJ\/MqcyozKrAK8AvAJ7AJMAoAGvAI8AnAGfACsAUADnACcATADMAnQCcAD0APAA1AC8A\/wEAAXUAAAAUABIAAA93d3cueW91dHViZS5jb20ACwAEAwABAgAKABYAFAAdABcAHgAZABgBAAEBAQIBAwEEM3QAAAAQAA4ADAJoMghodHRwLzEuMQAWAAAAFwAAADEAAAANACoAKAQDBQMGAwgHCAgICQgKCAsIBAgFCAYEAQUBBgEDAwMBAwIEAgUCBgIAKwAFBAMEAwMALQACAQEAMwAmACQAHQAgD6DiLfdb+oxcXsrCDCUXGsf+oAEllX5Rv3fccTFrE34AFQCuAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"} 
+01292{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":41,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1725367999286453,"flow_src_last_pkt_time":1725367999289505,"flow_dst_last_pkt_time":1725367999289133,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1725367999289505,"l3_proto":"ip4","src_ip":"192.168.1.183","dst_ip":"142.250.180.142","src_port":58730,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.YouTube","proto_id":"91.124","proto_by_ip":"Google","proto_by_ip_id":126,"encrypted":1,"breed":"Fun","category_id":1,"category":"Media","hostname":"www.youtube.com","domainame":"www.youtube.com","tls": {"version":"TLSv1.2","ja3":"4ea056e63b7910cbf543f0c095064dfe","ja3s":"","ja4":"t13d3113h2_e8f1e7e78f70_ce5650b735ce","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","advertised_alpns":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2","blocks":0}}} +00584{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":42,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":10,"flow_packet_id":5,"flow_src_last_pkt_time":1725367999289505,"flow_dst_last_pkt_time":1725367999291862,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1725367999291862,"pkt":"AAAAAQAGILAB4IZiAAAIAEWAADSCqgAAega3sY76tI7AqAG3AbvlauLwuUYTRcB\/gBABBZgZAAABAQgKNL9Hm\/UADzk="} 
+01337{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":43,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1725367999286453,"flow_src_last_pkt_time":1725367999289505,"flow_dst_last_pkt_time":1725367999309030,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1400,"midstream":0,"thread_ts_usec":1725367999309030,"l3_proto":"ip4","src_ip":"192.168.1.183","dst_ip":"142.250.180.142","src_port":58730,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.YouTube","proto_id":"91.124","proto_by_ip":"Google","proto_by_ip_id":126,"encrypted":1,"breed":"Fun","category_id":1,"category":"Media","hostname":"www.youtube.com","domainame":"www.youtube.com","tls": {"version":"TLSv1.3","ja3":"4ea056e63b7910cbf543f0c095064dfe","ja3s":"907bf3ecef1c987c889946b737b43de8","ja4":"t13d3113h2_e8f1e7e78f70_ce5650b735ce","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","advertised_alpns":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2","blocks":0}}} 
+02179{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":100,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1725367999286453,"flow_src_last_pkt_time":1725367999398999,"flow_dst_last_pkt_time":1725367999398966,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":821,"flow_dst_tot_l4_payload_len":12908,"midstream":0,"thread_ts_usec":1725367999398999,"l3_proto":"ip4","src_ip":"192.168.1.183","dst_ip":"142.250.180.142","src_port":58730,"dst_port":443,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":5,"data_analysis": {"iat": {"min":22,"avg":7260.0,"max":70369,"stddev":15439.7,"var":238384560.0,"ent":3.0,"data": [2680,2720,332,2729,17168,19575,50,34,34,27,27,25,25,22,8415,468,11244,2981,2278,5685,46101,70369,31667,78,33,33,33,33,80,80,33]},"pktlen": {"min":52,"avg":481.5,"max":1452,"stddev":599.8,"var":359742.8,"ent":3.9,"data": [60,60,52,569,52,1452,52,1452,52,1452,52,1452,52,1053,52,132,245,700,83,83,52,52,1452,52,80,52,1452,52,1452,52,1452,52]},"bins": {"c_to_s": [14,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,0,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0],"entropies": 
[4.560013294,5.154205322,4.948144436,4.755980968,4.948144436,7.827642918,4.832759857,7.843367100,4.871221066,7.869987488,4.818243027,7.874095440,4.832759380,7.816403389,4.818242550,6.232886791,6.951427460,7.683448792,5.618761063,5.537375927,4.909682751,4.909683228,7.868943691,4.909682751,5.617374897,4.909682751,7.869823933,4.909682751,7.884392262,4.909682751,7.861354828,4.830034733]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.YouTube","proto_id":"91.124","proto_by_ip":"Google","proto_by_ip_id":126,"encrypted":1,"breed":"Fun","category_id":1,"category":"Media"}} +01023{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":100,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1725367999228105,"flow_src_last_pkt_time":1725367999228105,"flow_dst_last_pkt_time":1725367999228906,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":37,"flow_src_tot_l4_payload_len":37,"flow_dst_tot_l4_payload_len":37,"midstream":0,"thread_ts_usec":1725367999398999,"l3_proto":"ip4","src_ip":"192.168.1.183","dst_ip":"192.168.1.253","src_port":38613,"dst_port":53,"l4_proto":"udp","flow_datalink":113,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"test.lan"}} 
+01132{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":100,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1725367999227781,"flow_src_last_pkt_time":1725367999227781,"flow_dst_last_pkt_time":1725367999228836,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":53,"flow_src_tot_l4_payload_len":37,"flow_dst_tot_l4_payload_len":53,"midstream":0,"thread_ts_usec":1725367999398999,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.53","src_port":53154,"dst_port":53,"l4_proto":"udp","flow_datalink":113,"flow_max_packets":5,"ndpi": {"flow_risk": {"49": {"risk":"Minor Issues","severity":"Low","risk_score": {"total":210,"client":105,"server":105}}},"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"test.lan"}} +01122{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":100,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":12,"flow_first_seen":1725367999229171,"flow_src_last_pkt_time":1725367999367040,"flow_dst_last_pkt_time":1725367999322792,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":607,"flow_dst_max_l4_payload_len":2070,"flow_src_tot_l4_payload_len":1341,"flow_dst_tot_l4_payload_len":8560,"midstream":0,"thread_ts_usec":1725367999398999,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":41796,"dst_port":1234,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":5,"ndpi": {"flow_risk": {"5": 
{"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":160,"client":140,"server":20}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} +01002{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":100,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":10,"flow_first_seen":1725367999181087,"flow_src_last_pkt_time":1725367999367164,"flow_dst_last_pkt_time":1725367999322863,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":4096,"flow_src_tot_l4_payload_len":835,"flow_dst_tot_l4_payload_len":7292,"midstream":0,"thread_ts_usec":1725367999398999,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":60654,"dst_port":1080,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"SOCKS","proto_id":"172","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 
+01047{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":100,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":10,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1725367999286453,"flow_src_last_pkt_time":1725367999398999,"flow_dst_last_pkt_time":1725367999398966,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":821,"flow_dst_tot_l4_payload_len":12908,"midstream":0,"thread_ts_usec":1725367999398999,"l3_proto":"ip4","src_ip":"192.168.1.183","dst_ip":"142.250.180.142","src_port":58730,"dst_port":443,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.YouTube","proto_id":"91.124","proto_by_ip":"Google","proto_by_ip_id":126,"encrypted":1,"breed":"Fun","category_id":1,"category":"Media","hostname":"www.youtube.com"}} +01139{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":100,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1725367999227989,"flow_src_last_pkt_time":1725367999227989,"flow_dst_last_pkt_time":1725367999228682,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":53,"flow_src_tot_l4_payload_len":37,"flow_dst_tot_l4_payload_len":53,"midstream":0,"thread_ts_usec":1725367999398999,"l3_proto":"ip4","src_ip":"192.168.1.183","dst_ip":"192.168.1.253","src_port":39434,"dst_port":53,"l4_proto":"udp","flow_datalink":113,"flow_max_packets":5,"ndpi": {"flow_risk": {"49": {"risk":"Minor Issues","severity":"Low","risk_score": 
{"total":210,"client":105,"server":105}}},"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"test.lan"}} +01037{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":100,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1725367999187954,"flow_src_last_pkt_time":1725367999187954,"flow_dst_last_pkt_time":1725367999216106,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":44,"flow_dst_max_l4_payload_len":300,"flow_src_tot_l4_payload_len":44,"flow_dst_tot_l4_payload_len":300,"midstream":0,"thread_ts_usec":1725367999398999,"l3_proto":"ip4","src_ip":"192.168.1.183","dst_ip":"192.168.1.253","src_port":54260,"dst_port":53,"l4_proto":"udp","flow_datalink":113,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.YouTube","proto_id":"5.124","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Fun","category_id":14,"category":"Network","hostname":"www.youtube.com"}} 
+01016{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":100,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1725367999227781,"flow_src_last_pkt_time":1725367999227781,"flow_dst_last_pkt_time":1725367999229017,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":37,"flow_src_tot_l4_payload_len":37,"flow_dst_tot_l4_payload_len":37,"midstream":0,"thread_ts_usec":1725367999398999,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.53","src_port":56496,"dst_port":53,"l4_proto":"udp","flow_datalink":113,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"test.lan"}} +01037{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":100,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1725367999183433,"flow_src_last_pkt_time":1725367999183433,"flow_dst_last_pkt_time":1725367999215826,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":44,"flow_dst_max_l4_payload_len":369,"flow_src_tot_l4_payload_len":44,"flow_dst_tot_l4_payload_len":369,"midstream":0,"thread_ts_usec":1725367999398999,"l3_proto":"ip4","src_ip":"192.168.1.183","dst_ip":"192.168.1.253","src_port":46451,"dst_port":53,"l4_proto":"udp","flow_datalink":113,"flow_max_packets":5,"ndpi": {"confidence": 
{"6":"DPI"},"proto":"DNS.YouTube","proto_id":"5.124","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Fun","category_id":14,"category":"Network","hostname":"www.youtube.com"}} +01030{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":100,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":2,"flow_first_seen":1725367999183111,"flow_src_last_pkt_time":1725367999183131,"flow_dst_last_pkt_time":1725367999216536,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":44,"flow_dst_max_l4_payload_len":190,"flow_src_tot_l4_payload_len":88,"flow_dst_tot_l4_payload_len":380,"midstream":0,"thread_ts_usec":1725367999398999,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.53","src_port":52786,"dst_port":53,"l4_proto":"udp","flow_datalink":113,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.YouTube","proto_id":"5.124","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Fun","category_id":14,"category":"Network","hostname":"www.youtube.com"}} 
+00838{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":100,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__trojan-tcp-tls.pcapng","alias":"nDPId-test","version":"1.7.0","ndpi_version":"4.11.0-4976-59ee1fe","packets-captured":100,"packets-processed":100,"pfring_active":false,"pfring_recv":0,"pfring_drop":0,"pfring_shunt":0,"total-skipped-flows":0,"total-l4-payload-len":33310,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":10,"total-detection-updates":10,"total-updates":0,"current-active-flows":0,"total-active-flows":10,"total-idle-flows":10,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"global-alloc-count":0,"global-free-count":0,"global-alloc-bytes":0,"global-free-bytes":0,"total-events-serialized":75,"global_ts_usec":1725367999398999} +~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ +~~ packets captured/processed: 100/100 +~~ skipped flows.............: 0 +~~ total layer4 data length..: 33310 bytes +~~ total detected protocols..: 10 +~~ total active/idle flows...: 10/10 +~~ total timeout flows.......: 0 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +~~ total memory allocated....: 6815415 bytes +~~ total memory freed........: 6815415 bytes +~~ total allocations/frees...: 114369/114369 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +~~ json message min len.......: 586 chars +~~ json message max len.......: 2184 chars +~~ json message avg len.......: 1384 chars diff --git a/test/results/tls_heuristics_enabled/tls_heur__vmess-tcp-tls.pcapng.out b/test/results/tls_heuristics_enabled/tls_heur__vmess-tcp-tls.pcapng.out new file mode 100644 index 000000000..b5c9fe7ad --- /dev/null +++ b/test/results/tls_heuristics_enabled/tls_heur__vmess-tcp-tls.pcapng.out 
@@ -0,0 +1,89 @@ +00596{"daemon_event_id":1,"daemon_event_name":"init","thread_id":0,"packet_id":0,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","version":"1.7.0","ndpi_version":"4.11.0-4976-59ee1fe","max-flows-per-thread":2048,"max-idle-flows-per-thread":64,"reader-thread-count":1,"flow-scan-interval":10000000,"generic-max-idle-time":600000000,"icmp-max-idle-time":120000000,"udp-max-idle-time":180000000,"tcp-max-idle-time":7560000000,"max-packets-per-flow-to-send":5,"max-packets-per-flow-to-process":32,"max-packets-per-flow-to-analyse":32,"global_ts_usec":0} +00820{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":1,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","version":"1.7.0","ndpi_version":"4.11.0-4976-59ee1fe","packets-captured":1,"packets-processed":0,"pfring_active":false,"pfring_recv":0,"pfring_drop":0,"pfring_shunt":0,"total-skipped-flows":0,"total-l4-payload-len":0,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":0,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":0,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"global-alloc-count":0,"global-free-count":0,"global-alloc-bytes":0,"global-free-bytes":0,"total-events-serialized":2,"global_ts_usec":1725132050807636} 
+00802{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1725132050807636,"flow_src_last_pkt_time":1725132050807636,"flow_dst_last_pkt_time":1725132050807636,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1725132050807636,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":40136,"dst_port":1080,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":5} +00592{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_src_last_pkt_time":1725132050807636,"flow_dst_last_pkt_time":1725132050807636,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":76,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":76,"pkt_l4_len":40,"thread_ts_usec":1725132050807636,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAADwowkAAQAYT+H8AAAF\/AAABnMgEOHy9vSYAAAAAoAL68P4wAAACBAW0BAIICoRbnDUAAAAAAQMDBw=="} 
+00592{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1725132050807636,"flow_dst_last_pkt_time":1725132050807653,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":76,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":76,"pkt_l4_len":40,"thread_ts_usec":1725132050807653,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAADwAAEAAQAY8un8AAAF\/AAABBDicyAJPxIx8vb0noBL+iP4wAAACBAW0BAIICoRbnDWEW5w1AQMDBw=="} +00581{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1725132050807667,"flow_dst_last_pkt_time":1725132050807653,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1725132050807667,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAADQow0AAQAYT\/38AAAF\/AAABnMgEOHy9vScCT8SNgBAB9v4oAAABAQgKhFucNYRbnDU="} +00584{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":4,"flow_src_last_pkt_time":1725132050807747,"flow_dst_last_pkt_time":1725132050807653,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":72,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":72,"pkt_l4_len":36,"thread_ts_usec":1725132050807747,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAADgoxEAAQAYT+n8AAAF\/AAABnMgEOHy9vScCT8SNgBgB9v4sAAABAQgKhFucNYRbnDUFAgAB"} 
+00581{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":5,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":5,"flow_src_last_pkt_time":1725132050807747,"flow_dst_last_pkt_time":1725132050807759,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1725132050807759,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAADT8tUAAQAZADH8AAAF\/AAABBDicyAJPxI18vb0rgBAB\/v4oAAABAQgKhFucNYRbnDU="} +00946{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":6,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1725132050807636,"flow_src_last_pkt_time":1725132050807747,"flow_dst_last_pkt_time":1725132050808089,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":4,"flow_dst_max_l4_payload_len":2,"flow_src_tot_l4_payload_len":4,"flow_dst_tot_l4_payload_len":2,"midstream":0,"thread_ts_usec":1725132050808089,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":40136,"dst_port":1080,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"SOCKS","proto_id":"172","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 
+00803{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":8,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1725132050809269,"flow_src_last_pkt_time":1725132050809269,"flow_dst_last_pkt_time":1725132050809269,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":44,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":44,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1725132050809269,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.53","src_port":46548,"dst_port":53,"l4_proto":"udp","flow_datalink":113,"flow_max_packets":5} +00608{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":8,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_src_last_pkt_time":1725132050809269,"flow_dst_last_pkt_time":1725132050809269,"flow_idle_time":200000000,"pkt_datalink":113,"pkt_caplen":88,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":88,"pkt_l4_len":52,"thread_ts_usec":1725132050809269,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAAEg2zUAAQBEFon8AAAF\/AAA1tdQANQA0\/nvt0QEgAAEAAAAAAAEDd3d3B3lvdXR1YmUDY29tAAABAAEAACkEsAAAAAAAAA=="} 
+01111{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":8,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1725132050809269,"flow_src_last_pkt_time":1725132050809269,"flow_dst_last_pkt_time":1725132050809269,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":44,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":44,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1725132050809269,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.53","src_port":46548,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.YouTube","proto_id":"5.124","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Fun","category_id":14,"category":"Network","hostname":"www.youtube.com","domainame":"www.youtube.com","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr": []}}} +00608{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1725132050809288,"flow_dst_last_pkt_time":1725132050809269,"flow_idle_time":200000000,"pkt_datalink":113,"pkt_caplen":88,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":88,"pkt_l4_len":52,"thread_ts_usec":1725132050809288,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAAEg2zkAAQBEFoX8AAAF\/AAA1tdQANQA0\/ntG1QEgAAEAAAAAAAEDd3d3B3lvdXR1YmUDY29tAAAcAAEAACkEsAAAAAAAAA=="} 
+01245{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":9,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":0,"flow_first_seen":1725132050809269,"flow_src_last_pkt_time":1725132050809288,"flow_dst_last_pkt_time":1725132050809269,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":44,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":88,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1725132050809288,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.53","src_port":46548,"dst_port":53,"l4_proto":"udp","ndpi": {"flow_risk": {"46": {"risk":"Unidirectional Traffic","severity":"Low","risk_score": {"total":500,"client":430,"server":70}}},"confidence": {"6":"DPI"},"proto":"DNS.YouTube","proto_id":"5.124","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Fun","category_id":14,"category":"Network","hostname":"www.youtube.com","domainame":"www.youtube.com","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":28,"rsp_type":0,"rsp_addr": []}}} 
+00811{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":10,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1725132050809501,"flow_src_last_pkt_time":1725132050809501,"flow_dst_last_pkt_time":1725132050809501,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":44,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":44,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1725132050809501,"l3_proto":"ip4","src_ip":"192.168.1.183","dst_ip":"192.168.1.253","src_port":49817,"dst_port":53,"l4_proto":"udp","flow_datalink":113,"flow_max_packets":5} +00608{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":10,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_src_last_pkt_time":1725132050809501,"flow_dst_last_pkt_time":1725132050809501,"flow_idle_time":200000000,"pkt_datalink":113,"pkt_caplen":88,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":88,"pkt_l4_len":52,"thread_ts_usec":1725132050809501,"pkt":"AAQAAQAGCAAn\/ADWAAAIAEUAAEhwxQAAQBGE28CoAbfAqAH9wpkANQA0hUrEigEAAAEAAAAAAAEDd3d3B3lvdXR1YmUDY29tAAABAAEAACkFwAAAAAAAAA=="} 
+01119{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":10,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1725132050809501,"flow_src_last_pkt_time":1725132050809501,"flow_dst_last_pkt_time":1725132050809501,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":44,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":44,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1725132050809501,"l3_proto":"ip4","src_ip":"192.168.1.183","dst_ip":"192.168.1.253","src_port":49817,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.YouTube","proto_id":"5.124","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Fun","category_id":14,"category":"Network","hostname":"www.youtube.com","domainame":"www.youtube.com","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr": []}}} +00811{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":11,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1725132050809672,"flow_src_last_pkt_time":1725132050809672,"flow_dst_last_pkt_time":1725132050809672,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":44,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":44,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1725132050809672,"l3_proto":"ip4","src_ip":"192.168.1.183","dst_ip":"192.168.1.253","src_port":41933,"dst_port":53,"l4_proto":"udp","flow_datalink":113,"flow_max_packets":5} 
+00608{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":11,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":4,"flow_packet_id":1,"flow_src_last_pkt_time":1725132050809672,"flow_dst_last_pkt_time":1725132050809672,"flow_idle_time":200000000,"pkt_datalink":113,"pkt_caplen":88,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":88,"pkt_l4_len":52,"thread_ts_usec":1725132050809672,"pkt":"AAQAAQAGCAAn\/ADWAAAIAEUAAEhbqgAAQBGZ9sCoAbfAqAH9o80ANQA0hUqLXAEAAAEAAAAAAAEDd3d3B3lvdXR1YmUDY29tAAAcAAEAACkFwAAAAAAAAA=="} +01120{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":11,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1725132050809672,"flow_src_last_pkt_time":1725132050809672,"flow_dst_last_pkt_time":1725132050809672,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":44,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":44,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1725132050809672,"l3_proto":"ip4","src_ip":"192.168.1.183","dst_ip":"192.168.1.253","src_port":41933,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.YouTube","proto_id":"5.124","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Fun","category_id":14,"category":"Network","hostname":"www.youtube.com","domainame":"www.youtube.com","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":28,"rsp_type":0,"rsp_addr": []}}} 
+00830{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":12,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_src_last_pkt_time":1725132050809501,"flow_dst_last_pkt_time":1725132050810429,"flow_idle_time":200000000,"pkt_datalink":113,"pkt_caplen":253,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":253,"pkt_l4_len":217,"thread_ts_usec":1725132050810429,"pkt":"AAAAAQAG3KYyW3JVAAAIAEUAAO1doUAAQBFXWsCoAf3AqAG3ADXCmQDZ+UbEioGAAAEACQAAAAEDd3d3B3lvdXR1YmUDY29tAAABAAHADAAFAAEAAADaABkKeW91dHViZS11aQFsBmdvb2dsZQNjb20AwC0AAQABAAAAvQAE2DrMjsAtAAEAAQAAAL0ABNg6zO7ALQABAAEAAAC9AATYOs0uwC0AAQABAAAAvQAEjvq0rsAtAAEAAQAAAL0ABNg60S7ALQABAAEAAAC9AASO+9EuwC0AAQABAAAAvQAEjvvRDsAtAAEAAQAAAL0ABI76tI4AACkE0AAAAAAAAA=="} +01231{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":12,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1725132050809501,"flow_src_last_pkt_time":1725132050809501,"flow_dst_last_pkt_time":1725132050810429,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":44,"flow_dst_max_l4_payload_len":209,"flow_src_tot_l4_payload_len":44,"flow_dst_tot_l4_payload_len":209,"midstream":0,"thread_ts_usec":1725132050810429,"l3_proto":"ip4","src_ip":"192.168.1.183","dst_ip":"192.168.1.253","src_port":49817,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.YouTube","proto_id":"5.124","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Fun","category_id":14,"category":"Network","hostname":"www.youtube.com","domainame":"www.youtube.com","dns": {"num_queries":1,"num_answers":10,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr": 
["216.58.204.142,ttl=189","216.58.204.238,ttl=189","216.58.205.46,ttl=189","142.250.180.174,ttl=189"]}}} +00806{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":13,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_src_last_pkt_time":1725132050809672,"flow_dst_last_pkt_time":1725132050810814,"flow_idle_time":200000000,"pkt_datalink":113,"pkt_caplen":237,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":237,"pkt_l4_len":201,"thread_ts_usec":1725132050810814,"pkt":"AAAAAQAG3KYyW3JVAAAIAEUAAN1dokAAQBFXacCoAf3AqAG3ADWjzQDJi4WLXIGAAAEABQAAAAEDd3d3B3lvdXR1YmUDY29tAAAcAAHADAAFAAEAAADaABkKeW91dHViZS11aQFsBmdvb2dsZQNjb20AwC0AHAABAAAA2gAQKgAUUEACBBAAAAAAAAAgDsAtABwAAQAAANoAECoAFFBAAgQRAAAAAAAAIA7ALQAcAAEAAADaABAqABRQQAIEFAAAAAAAACAOwC0AHAABAAAA2gAQKgAUUEACCAkAAAAAAAAgDgAAKQTQAAAAAAAA"} +01272{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":13,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1725132050809672,"flow_src_last_pkt_time":1725132050809672,"flow_dst_last_pkt_time":1725132050810814,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":44,"flow_dst_max_l4_payload_len":193,"flow_src_tot_l4_payload_len":44,"flow_dst_tot_l4_payload_len":193,"midstream":0,"thread_ts_usec":1725132050810814,"l3_proto":"ip4","src_ip":"192.168.1.183","dst_ip":"192.168.1.253","src_port":41933,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.YouTube","proto_id":"5.124","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Fun","category_id":14,"category":"Network","hostname":"www.youtube.com","domainame":"www.youtube.com","dns": 
{"num_queries":1,"num_answers":6,"reply_code":0,"query_type":28,"rsp_type":28,"rsp_addr": ["2a00:1450:4002:410::200e,ttl=218","2a00:1450:4002:411::200e,ttl=218","2a00:1450:4002:414::200e,ttl=218","2a00:1450:4002:809::200e,ttl=218"]}}} +00830{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":14,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1725132050809288,"flow_dst_last_pkt_time":1725132050810818,"flow_idle_time":200000000,"pkt_datalink":113,"pkt_caplen":250,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":250,"pkt_l4_len":214,"thread_ts_usec":1725132050810818,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAAOr\/ZEAAARF7aH8AADV\/AAABADW11ADW\/x3t0YGAAAEACQAAAAEDd3d3B3lvdXR1YmUDY29tAAABAAHADAAFAAEAAADaABYKeW91dHViZS11aQFsBmdvb2dsZcAYwC0AAQABAAAAvQAE2DrMjsAtAAEAAQAAAL0ABNg6zO7ALQABAAEAAAC9AATYOs0uwC0AAQABAAAAvQAEjvq0rsAtAAEAAQAAAL0ABNg60S7ALQABAAEAAAC9AASO+9EuwC0AAQABAAAAvQAEjvvRDsAtAAEAAQAAAL0ABI76tI4AACn\/1gAAAAAAAA=="} +01225{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":14,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":1,"flow_first_seen":1725132050809269,"flow_src_last_pkt_time":1725132050809288,"flow_dst_last_pkt_time":1725132050810818,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":44,"flow_dst_max_l4_payload_len":206,"flow_src_tot_l4_payload_len":88,"flow_dst_tot_l4_payload_len":206,"midstream":0,"thread_ts_usec":1725132050810818,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.53","src_port":46548,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": 
{"6":"DPI"},"proto":"DNS.YouTube","proto_id":"5.124","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Fun","category_id":14,"category":"Network","hostname":"www.youtube.com","domainame":"www.youtube.com","dns": {"num_queries":1,"num_answers":10,"reply_code":0,"query_type":28,"rsp_type":1,"rsp_addr": ["216.58.204.142,ttl=189","216.58.204.238,ttl=189","216.58.205.46,ttl=189","142.250.180.174,ttl=189"]}}} +00806{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":15,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":2,"flow_packet_id":4,"flow_src_last_pkt_time":1725132050809288,"flow_dst_last_pkt_time":1725132050810967,"flow_idle_time":200000000,"pkt_datalink":113,"pkt_caplen":234,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":234,"pkt_l4_len":198,"thread_ts_usec":1725132050810967,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAANr\/ZUAAARF7d38AADV\/AAABADW11ADG\/w1G1YGAAAEABQAAAAEDd3d3B3lvdXR1YmUDY29tAAAcAAHADAAFAAEAAADaABYKeW91dHViZS11aQFsBmdvb2dsZcAYwC0AHAABAAAA2gAQKgAUUEACBBAAAAAAAAAgDsAtABwAAQAAANoAECoAFFBAAgQRAAAAAAAAIA7ALQAcAAEAAADaABAqABRQQAIEFAAAAAAAACAOwC0AHAABAAAA2gAQKgAUUEACCAkAAAAAAAAgDgAAKf\/WAAAAAAAA"} 
+00804{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":18,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1725132050813050,"flow_src_last_pkt_time":1725132050813050,"flow_dst_last_pkt_time":1725132050813050,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":37,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1725132050813050,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.53","src_port":50125,"dst_port":53,"l4_proto":"udp","flow_datalink":113,"flow_max_packets":5} +00597{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":18,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_src_last_pkt_time":1725132050813050,"flow_dst_last_pkt_time":1725132050813050,"flow_idle_time":200000000,"pkt_datalink":113,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":81,"pkt_l4_len":45,"thread_ts_usec":1725132050813050,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAAEF6yEAAQBHBrX8AAAF\/AAA1w80ANQAt\/nTqbwEgAAEAAAAAAAEEdGVzdANsYW4AABwAAQAAKQTQAAAAAAAA"} 
+01094{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":18,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1725132050813050,"flow_src_last_pkt_time":1725132050813050,"flow_dst_last_pkt_time":1725132050813050,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":37,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1725132050813050,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.53","src_port":50125,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"test.lan","domainame":"test.lan","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":28,"rsp_type":0,"rsp_addr": []}}} +00804{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":19,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1725132050813192,"flow_src_last_pkt_time":1725132050813192,"flow_dst_last_pkt_time":1725132050813192,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":37,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1725132050813192,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.53","src_port":45262,"dst_port":53,"l4_proto":"udp","flow_datalink":113,"flow_max_packets":5} 
+00597{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":19,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":6,"flow_packet_id":1,"flow_src_last_pkt_time":1725132050813192,"flow_dst_last_pkt_time":1725132050813192,"flow_idle_time":200000000,"pkt_datalink":113,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":81,"pkt_l4_len":45,"thread_ts_usec":1725132050813192,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAAEG1P0AAQBGHNn8AAAF\/AAA1sM4ANQAt\/nT9XAEgAAEAAAAAAAEEdGVzdANsYW4AAAEAAQAAKQTQAAAAAAAA"} +01093{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":19,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1725132050813192,"flow_src_last_pkt_time":1725132050813192,"flow_dst_last_pkt_time":1725132050813192,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":37,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1725132050813192,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.53","src_port":45262,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"test.lan","domainame":"test.lan","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr": []}}} 
+00811{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":20,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1725132050813406,"flow_src_last_pkt_time":1725132050813406,"flow_dst_last_pkt_time":1725132050813406,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":37,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1725132050813406,"l3_proto":"ip4","src_ip":"192.168.1.183","dst_ip":"192.168.1.253","src_port":58009,"dst_port":53,"l4_proto":"udp","flow_datalink":113,"flow_max_packets":5} +00597{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":20,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":7,"flow_packet_id":1,"flow_src_last_pkt_time":1725132050813406,"flow_dst_last_pkt_time":1725132050813406,"flow_idle_time":200000000,"pkt_datalink":113,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":81,"pkt_l4_len":45,"thread_ts_usec":1725132050813406,"pkt":"AAQAAQAGCAAn\/ADWAAAIAEUAAEH\/CQAAQBH2ncCoAbfAqAH94pkANQAthUNDAwEAAAEAAAAAAAEEdGVzdANsYW4AABwAAQAAKQXAAAAAAAAA"} 
+01101{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":20,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1725132050813406,"flow_src_last_pkt_time":1725132050813406,"flow_dst_last_pkt_time":1725132050813406,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":37,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1725132050813406,"l3_proto":"ip4","src_ip":"192.168.1.183","dst_ip":"192.168.1.253","src_port":58009,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"test.lan","domainame":"test.lan","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":28,"rsp_type":0,"rsp_addr": []}}} +00811{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":21,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1725132050813503,"flow_src_last_pkt_time":1725132050813503,"flow_dst_last_pkt_time":1725132050813503,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":37,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1725132050813503,"l3_proto":"ip4","src_ip":"192.168.1.183","dst_ip":"192.168.1.253","src_port":42485,"dst_port":53,"l4_proto":"udp","flow_datalink":113,"flow_max_packets":5} 
+00596{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":21,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":8,"flow_packet_id":1,"flow_src_last_pkt_time":1725132050813503,"flow_dst_last_pkt_time":1725132050813503,"flow_idle_time":200000000,"pkt_datalink":113,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":81,"pkt_l4_len":45,"thread_ts_usec":1725132050813503,"pkt":"AAQAAQAGCAAn\/ADWAAAIAEUAAEHBgwAAQBE0JMCoAbfAqAH9pfUANQAthUPBnQEAAAEAAAAAAAEEdGVzdANsYW4AAAEAAQAAKQXAAAAAAAAA"} +01100{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":21,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1725132050813503,"flow_src_last_pkt_time":1725132050813503,"flow_dst_last_pkt_time":1725132050813503,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":37,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1725132050813503,"l3_proto":"ip4","src_ip":"192.168.1.183","dst_ip":"192.168.1.253","src_port":42485,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"test.lan","domainame":"test.lan","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr": []}}} 
+00595{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":22,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":7,"flow_packet_id":2,"flow_src_last_pkt_time":1725132050813406,"flow_dst_last_pkt_time":1725132050813923,"flow_idle_time":200000000,"pkt_datalink":113,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":81,"pkt_l4_len":45,"thread_ts_usec":1725132050813923,"pkt":"AAAAAQAG3KYyW3JVAAAIAEUAAEFdo0AAQBFYBMCoAf3AqAG3ADXimQAtIcxDA4GAAAEAAAAAAAEEdGVzdANsYW4AABwAAQAAKQTQAAAAAAAA"} +01111{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":22,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1725132050813406,"flow_src_last_pkt_time":1725132050813406,"flow_dst_last_pkt_time":1725132050813923,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":37,"flow_src_tot_l4_payload_len":37,"flow_dst_tot_l4_payload_len":37,"midstream":0,"thread_ts_usec":1725132050813923,"l3_proto":"ip4","src_ip":"192.168.1.183","dst_ip":"192.168.1.253","src_port":58009,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"test.lan","domainame":"test.lan","dns": {"num_queries":1,"num_answers":1,"reply_code":0,"query_type":28,"rsp_type":0,"rsp_addr": []}}} 
+00619{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":23,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":8,"flow_packet_id":2,"flow_src_last_pkt_time":1725132050813503,"flow_dst_last_pkt_time":1725132050814218,"flow_idle_time":200000000,"pkt_datalink":113,"pkt_caplen":97,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":97,"pkt_l4_len":61,"thread_ts_usec":1725132050814218,"pkt":"AAAAAQAG3KYyW3JVAAAIAEUAAFFdpEAAQBFX88CoAf3AqAG3ADWl9QA9nLvBnYWAAAEAAQAAAAEEdGVzdANsYW4AAAEAAcAMAAEAAQAAAAAABH8AAAEAACkE0AAAAAAAAA=="} +01243{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":23,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1725132050813503,"flow_src_last_pkt_time":1725132050813503,"flow_dst_last_pkt_time":1725132050814218,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":53,"flow_src_tot_l4_payload_len":37,"flow_dst_tot_l4_payload_len":53,"midstream":0,"thread_ts_usec":1725132050814218,"l3_proto":"ip4","src_ip":"192.168.1.183","dst_ip":"192.168.1.253","src_port":42485,"dst_port":53,"l4_proto":"udp","ndpi": {"flow_risk": {"49": {"risk":"Minor Issues","severity":"Low","risk_score": {"total":210,"client":105,"server":105}}},"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"test.lan","domainame":"test.lan","dns": {"num_queries":1,"num_answers":2,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr": ["127.0.0.1,ttl=0"]}}} 
+00599{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":24,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":5,"flow_packet_id":2,"flow_src_last_pkt_time":1725132050813050,"flow_dst_last_pkt_time":1725132050816698,"flow_idle_time":200000000,"pkt_datalink":113,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":81,"pkt_l4_len":45,"thread_ts_usec":1725132050816698,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAAEH\/aEAAARF8DX8AADV\/AAABADXDzQAt\/nTqb4GAAAEAAAAAAAEEdGVzdANsYW4AABwAAQAAKf\/WAAAAAAAA"} +01104{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":24,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1725132050813050,"flow_src_last_pkt_time":1725132050813050,"flow_dst_last_pkt_time":1725132050816698,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":37,"flow_src_tot_l4_payload_len":37,"flow_dst_tot_l4_payload_len":37,"midstream":0,"thread_ts_usec":1725132050816698,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.53","src_port":50125,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"test.lan","domainame":"test.lan","dns": {"num_queries":1,"num_answers":1,"reply_code":0,"query_type":28,"rsp_type":0,"rsp_addr": []}}} 
+00624{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":25,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":6,"flow_packet_id":2,"flow_src_last_pkt_time":1725132050813192,"flow_dst_last_pkt_time":1725132050816780,"flow_idle_time":200000000,"pkt_datalink":113,"pkt_caplen":97,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":97,"pkt_l4_len":61,"thread_ts_usec":1725132050816780,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAAFH\/aUAAARF7\/H8AADV\/AAABADWwzgA9\/oT9XIGAAAEAAQAAAAEEdGVzdANsYW4AAAEAAcAMAAEAAQAAAAAABH8AAAEAACn\/1gAAAAAAAA=="} +01236{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":25,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1725132050813192,"flow_src_last_pkt_time":1725132050813192,"flow_dst_last_pkt_time":1725132050816780,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":53,"flow_src_tot_l4_payload_len":37,"flow_dst_tot_l4_payload_len":53,"midstream":0,"thread_ts_usec":1725132050816780,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.53","src_port":45262,"dst_port":53,"l4_proto":"udp","ndpi": {"flow_risk": {"49": {"risk":"Minor Issues","severity":"Low","risk_score": {"total":210,"client":105,"server":105}}},"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"test.lan","domainame":"test.lan","dns": {"num_queries":1,"num_answers":2,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr": ["127.0.0.1,ttl=0"]}}} 
+00803{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":26,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1725132050816926,"flow_src_last_pkt_time":1725132050816926,"flow_dst_last_pkt_time":1725132050816926,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1725132050816926,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":57874,"dst_port":1234,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":5} +00593{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":26,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":9,"flow_packet_id":1,"flow_src_last_pkt_time":1725132050816926,"flow_dst_last_pkt_time":1725132050816926,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":76,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":76,"pkt_l4_len":40,"thread_ts_usec":1725132050816926,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAADwSt0AAQAYqA38AAAF\/AAAB4hIE0oWuNnAAAAAAoAL68P4wAAACBAW0BAIICoRbnD4AAAAAAQMDBw=="} 
+00593{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":27,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":9,"flow_packet_id":2,"flow_src_last_pkt_time":1725132050816926,"flow_dst_last_pkt_time":1725132050816944,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":76,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":76,"pkt_l4_len":40,"thread_ts_usec":1725132050816944,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAADwAAEAAQAY8un8AAAF\/AAABBNLiEjFAczCFrjZxoBL+iP4wAAACBAW0BAIICoRbnD6EW5w+AQMDBw=="} +00581{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":28,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":9,"flow_packet_id":3,"flow_src_last_pkt_time":1725132050816958,"flow_dst_last_pkt_time":1725132050816944,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1725132050816958,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAADQSuEAAQAYqCn8AAAF\/AAAB4hIE0oWuNnExQHMxgBAB9v4oAAABAQgKhFucPoRbnD4="} 
+00958{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":29,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":9,"flow_packet_id":4,"flow_src_last_pkt_time":1725132050847484,"flow_dst_last_pkt_time":1725132050816944,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":346,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":346,"pkt_l4_len":310,"thread_ts_usec":1725132050847484,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAAUoSuUAAQAYo838AAAF\/AAAB4hIE0oWuNnExQHMxgBgB9v8+AAABAQgKhFucXIRbnD4WAwEBEQEAAQ0DA30EqsQ+BgaZ\/NZ2sl5LiKqVzr2U1xOlxN3yXjWxHQZ9IDZNzzYemQ9l55Gei+lOem3cnZHqk5apYKdjmjaVAs8mACbAK8AvwCzAMMypzKjACcATwArAFACcAJ0ALwA1wBIAChMBEwITAwEAAJ4AAAANAAsAAAh0ZXN0LmxhbgAFAAUBAAAAAAAKAAoACAAdABcAGAAZAAsAAgEAAA0AGgAYCAQEAwgHCAUIBgQBBQEGAQUDBgMCAQID\/wEAAQAAFwAAABAADgAMAmgyCGh0dHAvMS4xABIAAAArAAUEAwQDAwAzACYAJAAdACALRGEIG9aswGxEJ3DWHRdQjm36OhPnUR7s3CJMIcmqPQ=="} +01385{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":29,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1725132050816926,"flow_src_last_pkt_time":1725132050847484,"flow_dst_last_pkt_time":1725132050816944,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":278,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":278,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1725132050847484,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":57874,"dst_port":1234,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":160,"client":140,"server":20}}},"confidence": 
{"6":"DPI"},"proto":"TLS","proto_id":"91","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"test.lan","domainame":"test.lan","tls": {"version":"TLSv1.2","ja3":"7a15285d4efc355608b304698cd7f9ab","ja3s":"","ja4":"t13d1911h2_9dc949149365_e7c285222651","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","advertised_alpns":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2","blocks":0}}} +00582{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":30,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":9,"flow_packet_id":5,"flow_src_last_pkt_time":1725132050847484,"flow_dst_last_pkt_time":1725132050847514,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1725132050847514,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAADQmGUAAQAYWqX8AAAF\/AAABBNLiEjFAczGFrjeHgBAB+\/4oAAABAQgKhFucXIRbnFw="} +01430{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":31,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1725132050816926,"flow_src_last_pkt_time":1725132050847484,"flow_dst_last_pkt_time":1725132050848915,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":278,"flow_dst_max_l4_payload_len":1120,"flow_src_tot_l4_payload_len":278,"flow_dst_tot_l4_payload_len":1120,"midstream":0,"thread_ts_usec":1725132050848915,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":57874,"dst_port":1234,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":160,"client":140,"server":20}}},"confidence": 
{"6":"DPI"},"proto":"TLS","proto_id":"91","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"test.lan","domainame":"test.lan","tls": {"version":"TLSv1.3","ja3":"7a15285d4efc355608b304698cd7f9ab","ja3s":"f4febc55ea12b31ae17cfb7e614afda8","ja4":"t13d1911h2_9dc949149365_e7c285222651","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","advertised_alpns":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2","blocks":0}}} +00812{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":38,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1725132050873451,"flow_src_last_pkt_time":1725132050873451,"flow_dst_last_pkt_time":1725132050873451,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1725132050873451,"l3_proto":"ip4","src_ip":"192.168.1.183","dst_ip":"216.58.204.142","src_port":58612,"dst_port":443,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":5} +00594{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":38,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":10,"flow_packet_id":1,"flow_src_last_pkt_time":1725132050873451,"flow_dst_last_pkt_time":1725132050873451,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":76,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":76,"pkt_l4_len":40,"thread_ts_usec":1725132050873451,"pkt":"AAQAAQAGCAAn\/ADWAAAIAEUAADxo9EAAQAZqn8CoAbfYOsyO5PQBu7ZCkCEAAAAAoAL68GdXAAACBAW0BAIICjq0ShsAAAAAAQMDBw=="} 
+00595{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":39,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":10,"flow_packet_id":2,"flow_src_last_pkt_time":1725132050873451,"flow_dst_last_pkt_time":1725132050876326,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":76,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":76,"pkt_l4_len":40,"thread_ts_usec":1725132050876326,"pkt":"AAAAAQAGILAB4IZiAAAIAEWAADwAAEAAegaZE9g6zI7AqAG3Abvk9JZ2W362QpAioBL\/\/3dxAAACBAWEBAIICjYtj346tEobAQMDCA=="} +00583{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":40,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":10,"flow_packet_id":3,"flow_src_last_pkt_time":1725132050876380,"flow_dst_last_pkt_time":1725132050876326,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1725132050876380,"pkt":"AAQAAQAGCAAn\/ADWAAAIAEUAADRo9UAAQAZqpsCoAbfYOsyO5PQBu7ZCkCKWdlt\/gBAB9mdPAAABAQgKOrRKHjYtj34="} 
+01279{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":41,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":10,"flow_packet_id":4,"flow_src_last_pkt_time":1725132050876814,"flow_dst_last_pkt_time":1725132050876326,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":585,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":585,"pkt_l4_len":549,"thread_ts_usec":1725132050876814,"pkt":"AAQAAQAGCAAn\/ADWAAAIAEUAAjlo9kAAQAZooMCoAbfYOsyO5PQBu7ZCkCKWdlt\/gBgB9mlUAAABAQgKOrRKHzYtj34WAwECAAEAAfwDA55vVzXI3mQH9e+wyvy5I6cXpuQRP5nZ6hYxg\/mFdw9\/IF4ht1IC8no54a26Y6+rkaHkm29\/NMcYzHfS4NjAh1BbAD4TAhMDEwHALMAwAJ\/MqcyozKrAK8AvAJ7AJMAoAGvAI8AnAGfACsAUADnACcATADMAnQCcAD0APAA1AC8A\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"} +01290{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":41,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1725132050873451,"flow_src_last_pkt_time":1725132050876814,"flow_dst_last_pkt_time":1725132050876326,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1725132050876814,"l3_proto":"ip4","src_ip":"192.168.1.183","dst_ip":"216.58.204.142","src_port":58612,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.YouTube","proto_id":"91.124","proto_by_ip":"Google","proto_by_ip_id":126,"encrypted":1,"breed":"Fun","category_id":1,"category":"Media","hostname":"www.youtube.com","domainame":"www.youtube.com","tls": 
{"version":"TLSv1.2","ja3":"4ea056e63b7910cbf543f0c095064dfe","ja3s":"","ja4":"t13d3113h2_e8f1e7e78f70_ce5650b735ce","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","advertised_alpns":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2","blocks":0}}} +00582{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":42,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":10,"flow_packet_id":5,"flow_src_last_pkt_time":1725132050876814,"flow_dst_last_pkt_time":1725132050879524,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1725132050879524,"pkt":"AAAAAQAGILAB4IZiAAAIAEWAADRY\/wAAegaAHNg6zI7AqAG3Abvk9JZ2W3+2QpIngBABBaL9AAABAQgKNi2PgTq0Sh8="} +01335{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":43,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1725132050873451,"flow_src_last_pkt_time":1725132050876814,"flow_dst_last_pkt_time":1725132050895591,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":6600,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":6600,"midstream":0,"thread_ts_usec":1725132050895591,"l3_proto":"ip4","src_ip":"192.168.1.183","dst_ip":"216.58.204.142","src_port":58612,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.YouTube","proto_id":"91.124","proto_by_ip":"Google","proto_by_ip_id":126,"encrypted":1,"breed":"Fun","category_id":1,"category":"Media","hostname":"www.youtube.com","domainame":"www.youtube.com","tls": 
{"version":"TLSv1.3","ja3":"4ea056e63b7910cbf543f0c095064dfe","ja3s":"907bf3ecef1c987c889946b737b43de8","ja4":"t13d3113h2_e8f1e7e78f70_ce5650b735ce","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","advertised_alpns":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2","blocks":0}}} +01001{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":100,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":11,"flow_first_seen":1725132050807636,"flow_src_last_pkt_time":1725132050944716,"flow_dst_last_pkt_time":1725132050904186,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":2544,"flow_src_tot_l4_payload_len":835,"flow_dst_tot_l4_payload_len":7291,"midstream":0,"thread_ts_usec":1725132050978467,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":40136,"dst_port":1080,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"SOCKS","proto_id":"172","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 
+01131{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":100,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1725132050813192,"flow_src_last_pkt_time":1725132050813192,"flow_dst_last_pkt_time":1725132050816780,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":53,"flow_src_tot_l4_payload_len":37,"flow_dst_tot_l4_payload_len":53,"midstream":0,"thread_ts_usec":1725132050978467,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.53","src_port":45262,"dst_port":53,"l4_proto":"udp","flow_datalink":113,"flow_max_packets":5,"ndpi": {"flow_risk": {"49": {"risk":"Minor Issues","severity":"Low","risk_score": {"total":210,"client":105,"server":105}}},"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"test.lan"}} +01012{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":100,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":11,"flow_dst_packets_processed":15,"flow_first_seen":1725132050873451,"flow_src_last_pkt_time":1725132050978296,"flow_dst_last_pkt_time":1725132050978347,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":6600,"flow_src_tot_l4_payload_len":821,"flow_dst_tot_l4_payload_len":18386,"midstream":0,"thread_ts_usec":1725132050978467,"l3_proto":"ip4","src_ip":"192.168.1.183","dst_ip":"216.58.204.142","src_port":58612,"dst_port":443,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":5,"ndpi": {"confidence": 
{"6":"DPI"},"proto":"TLS.YouTube","proto_id":"91.124","proto_by_ip":"Google","proto_by_ip_id":126,"encrypted":1,"breed":"Fun","category_id":1,"category":"Media"}} +01022{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":100,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1725132050813406,"flow_src_last_pkt_time":1725132050813406,"flow_dst_last_pkt_time":1725132050813923,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":37,"flow_src_tot_l4_payload_len":37,"flow_dst_tot_l4_payload_len":37,"midstream":0,"thread_ts_usec":1725132050978467,"l3_proto":"ip4","src_ip":"192.168.1.183","dst_ip":"192.168.1.253","src_port":58009,"dst_port":53,"l4_proto":"udp","flow_datalink":113,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"test.lan"}} 
+01036{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":100,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1725132050809501,"flow_src_last_pkt_time":1725132050809501,"flow_dst_last_pkt_time":1725132050810429,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":44,"flow_dst_max_l4_payload_len":209,"flow_src_tot_l4_payload_len":44,"flow_dst_tot_l4_payload_len":209,"midstream":0,"thread_ts_usec":1725132050978467,"l3_proto":"ip4","src_ip":"192.168.1.183","dst_ip":"192.168.1.253","src_port":49817,"dst_port":53,"l4_proto":"udp","flow_datalink":113,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.YouTube","proto_id":"5.124","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Fun","category_id":14,"category":"Network","hostname":"www.youtube.com"}} +01015{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":100,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1725132050813050,"flow_src_last_pkt_time":1725132050813050,"flow_dst_last_pkt_time":1725132050816698,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":37,"flow_src_tot_l4_payload_len":37,"flow_dst_tot_l4_payload_len":37,"midstream":0,"thread_ts_usec":1725132050978467,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.53","src_port":50125,"dst_port":53,"l4_proto":"udp","flow_datalink":113,"flow_max_packets":5,"ndpi": {"confidence": 
{"6":"DPI"},"proto":"DNS","proto_id":"5","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"test.lan"}} +01036{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":100,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1725132050809672,"flow_src_last_pkt_time":1725132050809672,"flow_dst_last_pkt_time":1725132050810814,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":44,"flow_dst_max_l4_payload_len":193,"flow_src_tot_l4_payload_len":44,"flow_dst_tot_l4_payload_len":193,"midstream":0,"thread_ts_usec":1725132050978467,"l3_proto":"ip4","src_ip":"192.168.1.183","dst_ip":"192.168.1.253","src_port":41933,"dst_port":53,"l4_proto":"udp","flow_datalink":113,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.YouTube","proto_id":"5.124","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Fun","category_id":14,"category":"Network","hostname":"www.youtube.com"}} 
+01029{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":100,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":2,"flow_first_seen":1725132050809269,"flow_src_last_pkt_time":1725132050809288,"flow_dst_last_pkt_time":1725132050810967,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":44,"flow_dst_max_l4_payload_len":206,"flow_src_tot_l4_payload_len":88,"flow_dst_tot_l4_payload_len":396,"midstream":0,"thread_ts_usec":1725132050978467,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.53","src_port":46548,"dst_port":53,"l4_proto":"udp","flow_datalink":113,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.YouTube","proto_id":"5.124","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Fun","category_id":14,"category":"Network","hostname":"www.youtube.com"}} +01138{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":100,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1725132050813503,"flow_src_last_pkt_time":1725132050813503,"flow_dst_last_pkt_time":1725132050814218,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":53,"flow_src_tot_l4_payload_len":37,"flow_dst_tot_l4_payload_len":53,"midstream":0,"thread_ts_usec":1725132050978467,"l3_proto":"ip4","src_ip":"192.168.1.183","dst_ip":"192.168.1.253","src_port":42485,"dst_port":53,"l4_proto":"udp","flow_datalink":113,"flow_max_packets":5,"ndpi": {"flow_risk": {"49": {"risk":"Minor Issues","severity":"Low","risk_score": {"total":210,"client":105,"server":105}}},"confidence": 
{"6":"DPI"},"proto":"DNS","proto_id":"5","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"test.lan"}} +01122{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":100,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":14,"flow_first_seen":1725132050816926,"flow_src_last_pkt_time":1725132050978467,"flow_dst_last_pkt_time":1725132050978462,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":663,"flow_dst_max_l4_payload_len":2070,"flow_src_tot_l4_payload_len":1405,"flow_dst_tot_l4_payload_len":10691,"midstream":0,"thread_ts_usec":1725132050978467,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":57874,"dst_port":1234,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":5,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":160,"client":140,"server":20}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 
+00837{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":100,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp-tls.pcapng","alias":"nDPId-test","version":"1.7.0","ndpi_version":"4.11.0-4976-59ee1fe","packets-captured":100,"packets-processed":100,"pfring_active":false,"pfring_recv":0,"pfring_drop":0,"pfring_shunt":0,"total-skipped-flows":0,"total-l4-payload-len":40731,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":10,"total-detection-updates":10,"total-updates":0,"current-active-flows":0,"total-active-flows":10,"total-idle-flows":10,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"global-alloc-count":0,"global-free-count":0,"global-alloc-bytes":0,"global-free-bytes":0,"total-events-serialized":74,"global_ts_usec":1725132050978467} +~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ +~~ packets captured/processed: 100/100 +~~ skipped flows.............: 0 +~~ total layer4 data length..: 40731 bytes +~~ total detected protocols..: 10 +~~ total active/idle flows...: 10/10 +~~ total timeout flows.......: 0 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +~~ total memory allocated....: 6887561 bytes +~~ total memory freed........: 6887561 bytes +~~ total allocations/frees...: 114372/114372 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +~~ json message min len.......: 586 chars +~~ json message max len.......: 1435 chars +~~ json message avg len.......: 1009 chars diff --git a/test/results/tls_heuristics_enabled/tls_heur__vmess-tcp.pcapng.out b/test/results/tls_heuristics_enabled/tls_heur__vmess-tcp.pcapng.out new file mode 100644 index 000000000..24c94b070 --- /dev/null +++ b/test/results/tls_heuristics_enabled/tls_heur__vmess-tcp.pcapng.out 
@@ -0,0 +1,53 @@ +00592{"daemon_event_id":1,"daemon_event_name":"init","thread_id":0,"packet_id":0,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp.pcapng","alias":"nDPId-test","version":"1.7.0","ndpi_version":"4.11.0-4976-59ee1fe","max-flows-per-thread":2048,"max-idle-flows-per-thread":64,"reader-thread-count":1,"flow-scan-interval":10000000,"generic-max-idle-time":600000000,"icmp-max-idle-time":120000000,"udp-max-idle-time":180000000,"tcp-max-idle-time":7560000000,"max-packets-per-flow-to-send":5,"max-packets-per-flow-to-process":32,"max-packets-per-flow-to-analyse":32,"global_ts_usec":0} +00816{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":1,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp.pcapng","alias":"nDPId-test","version":"1.7.0","ndpi_version":"4.11.0-4976-59ee1fe","packets-captured":1,"packets-processed":0,"pfring_active":false,"pfring_recv":0,"pfring_drop":0,"pfring_shunt":0,"total-skipped-flows":0,"total-l4-payload-len":0,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":0,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":0,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"global-alloc-count":0,"global-free-count":0,"global-alloc-bytes":0,"global-free-bytes":0,"total-events-serialized":2,"global_ts_usec":1725108604542518} 
+00798{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1725108604542518,"flow_src_last_pkt_time":1725108604542518,"flow_dst_last_pkt_time":1725108604542518,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1725108604542518,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":37218,"dst_port":1080,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":5} +00591{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_src_last_pkt_time":1725108604542518,"flow_dst_last_pkt_time":1725108604542518,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":76,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":76,"pkt_l4_len":40,"thread_ts_usec":1725108604542518,"pkt":"AAADBAAGAAAAAAAAClUIAEUAADwueUAAQAYOQX8AAAF\/AAABkWIEOC0ia0MAAAAAoAL\/1\/4wAAACBP\/XBAIICoL13hcAAAAAAQMDBw=="} +00592{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1725108604542518,"flow_dst_last_pkt_time":1725108604542542,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":76,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":76,"pkt_l4_len":40,"thread_ts_usec":1725108604542542,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAADwAAEAAQAY8un8AAAF\/AAABBDiRYncsq\/stImtEoBL\/y\/4wAAACBP\/XBAIICoL13heC9d4XAQMDBw=="} 
+00576{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1725108604542557,"flow_dst_last_pkt_time":1725108604542542,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1725108604542557,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAADQuekAAQAYOSH8AAAF\/AAABkWIEOC0ia0R3LKv8gBACAP4oAAABAQgKgvXeF4L13hc="} +00580{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":4,"flow_src_last_pkt_time":1725108604542632,"flow_dst_last_pkt_time":1725108604542542,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":72,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":72,"pkt_l4_len":36,"thread_ts_usec":1725108604542632,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAADgue0AAQAYOQ38AAAF\/AAABkWIEOC0ia0R3LKv8gBgCAP4sAAABAQgKgvXeF4L13hcFAgAB"} +00577{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":5,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":5,"flow_src_last_pkt_time":1725108604542632,"flow_dst_last_pkt_time":1725108604542639,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1725108604542639,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAADREJUAAQAb4nH8AAAF\/AAABBDiRYncsq\/wtImtIgBACAP4oAAABAQgKgvXeF4L13hc="} 
+00942{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":6,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1725108604542518,"flow_src_last_pkt_time":1725108604542632,"flow_dst_last_pkt_time":1725108604543203,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":4,"flow_dst_max_l4_payload_len":2,"flow_src_tot_l4_payload_len":4,"flow_dst_tot_l4_payload_len":2,"midstream":0,"thread_ts_usec":1725108604543203,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":37218,"dst_port":1080,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"SOCKS","proto_id":"172","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +00799{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":8,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp.pcapng","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1725108604543910,"flow_src_last_pkt_time":1725108604543910,"flow_dst_last_pkt_time":1725108604543910,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":44,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":44,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1725108604543910,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.53","src_port":35957,"dst_port":53,"l4_proto":"udp","flow_datalink":113,"flow_max_packets":5} 
+00604{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":8,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp.pcapng","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_src_last_pkt_time":1725108604543910,"flow_dst_last_pkt_time":1725108604543910,"flow_idle_time":200000000,"pkt_datalink":113,"pkt_caplen":88,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":88,"pkt_l4_len":52,"thread_ts_usec":1725108604543910,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAAEgVJkAAQBEnSX8AAAF\/AAA1jHUANQA0\/nvdIwEgAAEAAAAAAAEDd3d3B3lvdXR1YmUDY29tAAABAAEAACkEsAAAAAAAAA=="} +01107{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":8,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp.pcapng","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1725108604543910,"flow_src_last_pkt_time":1725108604543910,"flow_dst_last_pkt_time":1725108604543910,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":44,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":44,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1725108604543910,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.53","src_port":35957,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.YouTube","proto_id":"5.124","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Fun","category_id":14,"category":"Network","hostname":"www.youtube.com","domainame":"www.youtube.com","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr": []}}} 
+00604{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp.pcapng","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1725108604543926,"flow_dst_last_pkt_time":1725108604543910,"flow_idle_time":200000000,"pkt_datalink":113,"pkt_caplen":88,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":88,"pkt_l4_len":52,"thread_ts_usec":1725108604543926,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAAEgVJ0AAQBEnSH8AAAF\/AAA1jHUANQA0\/nvRJgEgAAEAAAAAAAEDd3d3B3lvdXR1YmUDY29tAAAcAAEAACkEsAAAAAAAAA=="} +01241{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":9,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp.pcapng","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":0,"flow_first_seen":1725108604543910,"flow_src_last_pkt_time":1725108604543926,"flow_dst_last_pkt_time":1725108604543910,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":44,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":88,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1725108604543926,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.53","src_port":35957,"dst_port":53,"l4_proto":"udp","ndpi": {"flow_risk": {"46": {"risk":"Unidirectional Traffic","severity":"Low","risk_score": {"total":500,"client":430,"server":70}}},"confidence": {"6":"DPI"},"proto":"DNS.YouTube","proto_id":"5.124","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Fun","category_id":14,"category":"Network","hostname":"www.youtube.com","domainame":"www.youtube.com","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":28,"rsp_type":0,"rsp_addr": []}}} 
+01144{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":10,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp.pcapng","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1725108604543926,"flow_dst_last_pkt_time":1725108604544468,"flow_idle_time":200000000,"pkt_datalink":113,"pkt_caplen":490,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":490,"pkt_l4_len":454,"thread_ts_usec":1725108604544468,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAAdo9I0AAARE8un8AADV\/AAABADWMdQHGAA7dI4GAAAEAEQAAAAUDd3d3B3lvdXR1YmUDY29tAAABAAHADAAFAAEAAAAOABYKeW91dHViZS11aQFsBmdvb2dsZcAYwC0AAQABAAAADgAErNkSLsAtAAEAAQAAAA4ABI77Jc7ALQABAAEAAAAOAASO+yUuwC0AAQABAAAADgAE2DrUbsAtAAEAAQAAAA4ABKzZEy7ALQABAAEAAAAOAASO+sjOwC0AAQABAAAADgAErNkVDsAtAAEAAQAAAA4ABKzZEu7ALQABAAEAAAAOAASs2avuwC0AAQABAAAADgAEjvrI7sAtAAEAAQAAAA4ABI76yQ7ALQABAAEAAAAOAASO+yXuwC0AAQABAAAADgAEjvrJLsAtAAEAAQAAAA4ABKzZE47ALQABAAEAAAAOAASO+svuwC0AAQABAAAADgAEjvslrsAtABwAAQAAAA4AECoAFFBABggNAAAAAAAAIA7ALQAcAAEAAAAOABAqABRQQAYIDgAAAAAAACAOwC0AHAABAAAADgAQKgAUUEAGCAYAAAAAAAAgDsAtABwAAQAAAA4AECoAFFBABggMAAAAAAAAIA4AACn\/1gAAAAAAAA=="} +01215{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":10,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp.pcapng","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":1,"flow_first_seen":1725108604543910,"flow_src_last_pkt_time":1725108604543926,"flow_dst_last_pkt_time":1725108604544468,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":44,"flow_dst_max_l4_payload_len":446,"flow_src_tot_l4_payload_len":88,"flow_dst_tot_l4_payload_len":446,"midstream":0,"thread_ts_usec":1725108604544468,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.53","src_port":35957,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": 
{"6":"DPI"},"proto":"DNS.YouTube","proto_id":"5.124","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Fun","category_id":14,"category":"Network","hostname":"www.youtube.com","domainame":"www.youtube.com","dns": {"num_queries":1,"num_answers":22,"reply_code":0,"query_type":28,"rsp_type":1,"rsp_addr": ["172.217.18.46,ttl=14","142.251.37.206,ttl=14","142.251.37.46,ttl=14","216.58.212.110,ttl=14"]}}} +00801{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":11,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp.pcapng","alias":"nDPId-test","flow_id":2,"flow_packet_id":4,"flow_src_last_pkt_time":1725108604543926,"flow_dst_last_pkt_time":1725108604544652,"flow_idle_time":200000000,"pkt_datalink":113,"pkt_caplen":234,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":234,"pkt_l4_len":198,"thread_ts_usec":1725108604544652,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAANo9JEAAARE9uX8AADV\/AAABADWMdQDG\/w3RJoGAAAEABQAAAAEDd3d3B3lvdXR1YmUDY29tAAAcAAHADAAFAAEAAAAOABYKeW91dHViZS11aQFsBmdvb2dsZcAYwC0AHAABAAAADgAQKgAUUEAGCA0AAAAAAAAgDsAtABwAAQAAAA4AECoAFFBABggOAAAAAAAAIA7ALQAcAAEAAAAOABAqABRQQAYIDAAAAAAAACAOwC0AHAABAAAADgAQKgAUUEAGCAYAAAAAAAAgDgAAKf\/WAAAAAAAA"} 
+00799{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":14,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp.pcapng","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1725108604546168,"flow_src_last_pkt_time":1725108604546168,"flow_dst_last_pkt_time":1725108604546168,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1725108604546168,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":40818,"dst_port":1234,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":5} +00593{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":14,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp.pcapng","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_src_last_pkt_time":1725108604546168,"flow_dst_last_pkt_time":1725108604546168,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":76,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":76,"pkt_l4_len":40,"thread_ts_usec":1725108604546168,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAADzAV0AAQAZ8Yn8AAAF\/AAABn3IE0qMX\/XsAAAAAoAL\/1\/4wAAACBP\/XBAIICoL13hsAAAAAAQMDBw=="} 
+00593{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":15,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp.pcapng","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_src_last_pkt_time":1725108604546168,"flow_dst_last_pkt_time":1725108604546180,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":76,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":76,"pkt_l4_len":40,"thread_ts_usec":1725108604546180,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAADwAAEAAQAY8un8AAAF\/AAABBNKfcgFEedujF\/18oBL\/y\/4wAAACBP\/XBAIICoL13huC9d4bAQMDBw=="} +00578{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":16,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp.pcapng","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_src_last_pkt_time":1725108604546189,"flow_dst_last_pkt_time":1725108604546180,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1725108604546189,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAADTAWEAAQAZ8aX8AAAF\/AAABn3IE0qMX\/XwBRHncgBACAP4oAAABAQgKgvXeG4L13hs="} 
+01510{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":19,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp.pcapng","alias":"nDPId-test","flow_id":3,"flow_packet_id":4,"flow_src_last_pkt_time":1725108604628158,"flow_dst_last_pkt_time":1725108604546180,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":749,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":749,"pkt_l4_len":713,"thread_ts_usec":1725108604628158,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAAt3AWUAAQAZ5v38AAAF\/AAABn3IE0qMX\/XwBRHncgBgCAADSAAABAQgKgvXebYL13htR2QiOiIPSVg+qVxOKC2E2ejANDkkG7BFUCbyENDsaf3O1BLMjQJvyv6Zy8n7cIEIbmfXSrurAfx+TD8EF5zj\/gzxDqjxKOzss0PvwBj7fpGOTqYc\/0A4tR0Z2+OznjQpsJFOX3QoJr6HCPKNEUM2DmU8wm91TLhaiupGazJ59ORPBdvlSEjCZ1Fr+68ZAMrjRJLPjTO6RTnpqpDxqyXSGiEsBo\/nvvNPjXJcx+SO2GjBTPo7fNpDW2AcT7fJy7Rk8aMfoyUaSu\/McXFda0ScdgqfBqxUrzf2YfDExS\/\/WtYpe14eDrqAN0bEnMmwm\/gdjl8\/51qKoVWbtnAvRnHft6wi32zLtq021c8iOaHQfDUrOhGT0ia8nsdPV4MSQ\/D\/B9fAe8YZYT8Lu4uBCa5DiPbrv7CvVkbtPLdsv65cg\/pvSW1FR\/RGFlcz5vbIpHe0UX2D5wnI8oTjH0xZuCeEpj+BxDH+IBtT2KOwMEZPTXagMswVIHmJU1ZHgpM\/HWV10q6shQ2KESK7isLgmt5lmSXmdcfU9\/NQerKIKQs3Aeg5orSBjYppQUkI9qvayFxL1zYDWT4TleQSyWpt6iUgqBS1WSHf8vZzXKTUWOMZvqyRq5q\/dZEzQ0P3kdtWRqjatVLcc8tctaXiZ6g7BIdauVlKib\/GIr2YFwdx5Cu9RfAfrR9yw\/LmlRYK0M\/gjKcH1nu5EqzQImq0Zka10a7g3gRj8aKzC9A+Ng9\/3GT7T+Hu6EF5th8yybaUPIa0QfvjDEDz4jmGZU11F2i96nho7kBkiNQ+ovYZTVSGnReZDnJnC\/izlQgRYL\/jXj46gp+pxW+awTAQwf3uB83QFp67klbd2VyUDvWamZBCtvwirjf+5uWvXG12TMxVLkCWbBn2fXTi9U38XW3o="} 
+00578{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":20,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp.pcapng","alias":"nDPId-test","flow_id":3,"flow_packet_id":5,"flow_src_last_pkt_time":1725108604628158,"flow_dst_last_pkt_time":1725108604628205,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1725108604628205,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAADRAGUAAQAb8qH8AAAF\/AAABBNKfcgFEedyjGAAlgBAB+\/4oAAABAQgKgvXebYL13m0="} +00841{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":21,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp.pcapng","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1725108604629032,"flow_src_last_pkt_time":1725108604629032,"flow_dst_last_pkt_time":1725108604629032,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1725108604629032,"l3_proto":"ip6","src_ip":"2001:b07:a3d:c112:8628:88aa:8b00:913c","dst_ip":"2a00:1450:4006:80d::200e","src_port":48302,"dst_port":443,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":5} 
+00614{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":21,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp.pcapng","alias":"nDPId-test","flow_id":4,"flow_packet_id":1,"flow_src_last_pkt_time":1725108604629032,"flow_dst_last_pkt_time":1725108604629032,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":96,"pkt_type":34525,"pkt_l3_offset":16,"pkt_l4_offset":56,"pkt_len":96,"pkt_l4_len":40,"thread_ts_usec":1725108604629032,"pkt":"AAQAAQAGCAAn\/ADWAACG3WAMqq0AKAZAIAELBwo9wRKGKIiqiwCRPCoAFFBABggNAAAAAAAAIA68rgG7EjfG2QAAAACgAv8oyAcAAAIEBYwEAggKdV18TAAAAAABAwMH"} +00614{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":23,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp.pcapng","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_src_last_pkt_time":1725108605648857,"flow_dst_last_pkt_time":1725108604629032,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":96,"pkt_type":34525,"pkt_l3_offset":16,"pkt_l4_offset":56,"pkt_len":96,"pkt_l4_len":40,"thread_ts_usec":1725108605648857,"pkt":"AAQAAQAGCAAn\/ADWAACG3WAGAvMAKAZAIAELBwo9wRKGKIiqiwCRPCoAFFBABggNAAAAAAAAIA68rgG7EjfG2QAAAACgAv8oyAcAAAIEBYwEAggKdV2ASAAAAAABAwMH"} +00614{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":24,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp.pcapng","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_src_last_pkt_time":1725108606672884,"flow_dst_last_pkt_time":1725108604629032,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":96,"pkt_type":34525,"pkt_l3_offset":16,"pkt_l4_offset":56,"pkt_len":96,"pkt_l4_len":40,"thread_ts_usec":1725108606672884,"pkt":"AAQAAQAGCAAn\/ADWAACG3WAO6GIAKAZAIAELBwo9wRKGKIiqiwCRPCoAFFBABggNAAAAAAAAIA68rgG7EjfG2QAAAACgAv8oyAcAAAIEBYwEAggKdV2ESAAAAAABAwMH"} 
+00615{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":25,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp.pcapng","alias":"nDPId-test","flow_id":4,"flow_packet_id":4,"flow_src_last_pkt_time":1725108606672884,"flow_dst_last_pkt_time":1725108606682534,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":96,"pkt_type":34525,"pkt_l3_offset":16,"pkt_l4_offset":56,"pkt_len":96,"pkt_l4_len":40,"thread_ts_usec":1725108606682534,"pkt":"AAAAAQAGILAB4IZiAACG3WgIzOgAKAZ6KgAUUEAGCA0AAAAAAAAgDiABCwcKPcEShiiIqosAkTwBu7yuGkObbhI3xtqgEv\/\/GcUAAAIEBMQEAggKzLRTuXVdhEgBAwMI"} +00608{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":26,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp.pcapng","alias":"nDPId-test","flow_id":4,"flow_packet_id":5,"flow_src_last_pkt_time":1725108606682587,"flow_dst_last_pkt_time":1725108606682534,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":88,"pkt_type":34525,"pkt_l3_offset":16,"pkt_l4_offset":56,"pkt_len":88,"pkt_l4_len":32,"thread_ts_usec":1725108606682587,"pkt":"AAQAAQAGCAAn\/ADWAACG3WAO6GIAIAZAIAELBwo9wRKGKIiqiwCRPCoAFFBABggNAAAAAAAAIA68rgG7EjfG2hpDm2+AEAH\/x\/8AAAEBCAp1XYRRzLRTuQ=="} 
+01319{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":27,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp.pcapng","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":1,"flow_first_seen":1725108604629032,"flow_src_last_pkt_time":1725108606682993,"flow_dst_last_pkt_time":1725108606682534,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1725108606682993,"l3_proto":"ip6","src_ip":"2001:b07:a3d:c112:8628:88aa:8b00:913c","dst_ip":"2a00:1450:4006:80d::200e","src_port":48302,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.YouTube","proto_id":"91.124","proto_by_ip":"Google","proto_by_ip_id":126,"encrypted":1,"breed":"Fun","category_id":1,"category":"Media","hostname":"www.youtube.com","domainame":"www.youtube.com","tls": {"version":"TLSv1.2","ja3":"4ea056e63b7910cbf543f0c095064dfe","ja3s":"","ja4":"t13d3113h2_e8f1e7e78f70_ce5650b735ce","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","advertised_alpns":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2","blocks":0}}} 
+01364{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":29,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp.pcapng","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":3,"flow_first_seen":1725108604629032,"flow_src_last_pkt_time":1725108606682993,"flow_dst_last_pkt_time":1725108606707789,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":2416,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":2416,"midstream":0,"thread_ts_usec":1725108606707789,"l3_proto":"ip6","src_ip":"2001:b07:a3d:c112:8628:88aa:8b00:913c","dst_ip":"2a00:1450:4006:80d::200e","src_port":48302,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.YouTube","proto_id":"91.124","proto_by_ip":"Google","proto_by_ip_id":126,"encrypted":1,"breed":"Fun","category_id":1,"category":"Media","hostname":"www.youtube.com","domainame":"www.youtube.com","tls": {"version":"TLSv1.3","ja3":"4ea056e63b7910cbf543f0c095064dfe","ja3s":"907bf3ecef1c987c889946b737b43de8","ja4":"t13d3113h2_e8f1e7e78f70_ce5650b735ce","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","advertised_alpns":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2","blocks":0}}} 
+02231{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":87,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp.pcapng","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1725108604629032,"flow_src_last_pkt_time":1725108606811390,"flow_dst_last_pkt_time":1725108606811354,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":2416,"flow_src_tot_l4_payload_len":821,"flow_dst_tot_l4_payload_len":17178,"midstream":0,"thread_ts_usec":1725108606811390,"l3_proto":"ip6","src_ip":"2001:b07:a3d:c112:8628:88aa:8b00:913c","dst_ip":"2a00:1450:4006:80d::200e","src_port":48302,"dst_port":443,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":5,"data_analysis": {"iat": {"min":0,"avg":140796.1,"max":2053502,"stddev":429032.8,"var":184069177344.0,"ent":1.9,"data": [1019825,1024027,2053502,9703,406,10463,14792,0,24842,18,170,0,116,29,3354,490,13422,1,9609,1757,11412,77711,1,0,87369,366,324,304,298,178,191]},"pktlen": {"min":72,"avg":635.5,"max":2488,"stddev":846.4,"var":716345.8,"ent":3.9,"data": [80,80,80,80,72,589,72,2488,1280,72,72,1280,1840,72,72,152,202,720,103,135,103,72,1280,307,1280,72,2488,72,2488,72,2488,72]},"bins": {"c_to_s": [13,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,5]},"directions": [0,0,0,1,0,0,1,1,1,0,0,1,1,0,0,0,0,1,1,0,0,1,1,1,1,0,1,0,1,0,1,0],"entropies": 
[4.850302696,4.800302982,4.850302696,5.367949963,5.219669819,4.818557739,5.209185123,7.915221691,7.834231853,5.219669819,5.247447491,7.848894119,7.900642872,5.219669819,5.219669819,6.392518997,6.617354393,7.706577778,5.915785313,6.435108185,5.884278774,5.236962795,7.850246906,7.152086258,7.852072716,5.247447491,7.906479836,5.247447491,7.917565346,5.247447491,7.928373814,5.247447491]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.YouTube","proto_id":"91.124","proto_by_ip":"Google","proto_by_ip_id":126,"encrypted":1,"breed":"Fun","category_id":1,"category":"Media"}} +01074{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":100,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp.pcapng","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":18,"flow_first_seen":1725108604629032,"flow_src_last_pkt_time":1725108606831814,"flow_dst_last_pkt_time":1725108606831771,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":2416,"flow_src_tot_l4_payload_len":821,"flow_dst_tot_l4_payload_len":20846,"midstream":0,"thread_ts_usec":1725108606831814,"l3_proto":"ip6","src_ip":"2001:b07:a3d:c112:8628:88aa:8b00:913c","dst_ip":"2a00:1450:4006:80d::200e","src_port":48302,"dst_port":443,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.YouTube","proto_id":"91.124","proto_by_ip":"Google","proto_by_ip_id":126,"encrypted":1,"breed":"Fun","category_id":1,"category":"Media","hostname":"www.youtube.com"}} 
+01027{"flow_event_id":9,"flow_event_name":"not-detected","thread_id":0,"packet_id":100,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp.pcapng","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":16,"flow_first_seen":1725108604546168,"flow_src_last_pkt_time":1725108606812347,"flow_dst_last_pkt_time":1725108606812408,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":681,"flow_dst_max_l4_payload_len":4726,"flow_src_tot_l4_payload_len":1234,"flow_dst_tot_l4_payload_len":19321,"midstream":0,"thread_ts_usec":1725108606831814,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":40818,"dst_port":1234,"l4_proto":"tcp","ndpi": {"flow_risk": {"51": {"risk":"Fully Encrypted Flow","severity":"Medium","risk_score": {"total":360,"client":240,"server":120}}},"proto":"Unknown","proto_id":"0","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Unrated"}} +00815{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":100,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp.pcapng","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":16,"flow_first_seen":1725108604546168,"flow_src_last_pkt_time":1725108606812347,"flow_dst_last_pkt_time":1725108606812408,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":681,"flow_dst_max_l4_payload_len":4726,"flow_src_tot_l4_payload_len":1234,"flow_dst_tot_l4_payload_len":19321,"midstream":0,"thread_ts_usec":1725108606831814,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":40818,"dst_port":1234,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":5} 
+01025{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":100,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp.pcapng","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":2,"flow_first_seen":1725108604543910,"flow_src_last_pkt_time":1725108604543926,"flow_dst_last_pkt_time":1725108604544652,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":44,"flow_dst_max_l4_payload_len":446,"flow_src_tot_l4_payload_len":88,"flow_dst_tot_l4_payload_len":636,"midstream":0,"thread_ts_usec":1725108606831814,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.53","src_port":35957,"dst_port":53,"l4_proto":"udp","flow_datalink":113,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.YouTube","proto_id":"5.124","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Fun","category_id":14,"category":"Network","hostname":"www.youtube.com"}} +00998{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":100,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":15,"flow_first_seen":1725108604542518,"flow_src_last_pkt_time":1725108606812524,"flow_dst_last_pkt_time":1725108606812503,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":7115,"flow_src_tot_l4_payload_len":847,"flow_dst_tot_l4_payload_len":18442,"midstream":0,"thread_ts_usec":1725108606831814,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":37218,"dst_port":1080,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":5,"ndpi": {"confidence": 
{"6":"DPI"},"proto":"SOCKS","proto_id":"172","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +00829{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":100,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-tcp.pcapng","alias":"nDPId-test","version":"1.7.0","ndpi_version":"4.11.0-4976-59ee1fe","packets-captured":100,"packets-processed":100,"pfring_active":false,"pfring_recv":0,"pfring_drop":0,"pfring_shunt":0,"total-skipped-flows":0,"total-l4-payload-len":62235,"total-not-detected-flows":1,"total-guessed-flows":0,"total-detected-flows":3,"total-detection-updates":3,"total-updates":0,"current-active-flows":0,"total-active-flows":4,"total-idle-flows":4,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"global-alloc-count":0,"global-free-count":0,"global-alloc-bytes":0,"global-free-bytes":0,"total-events-serialized":38,"global_ts_usec":1725108606831814} +~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ +~~ packets captured/processed: 100/100 +~~ skipped flows.............: 0 +~~ total layer4 data length..: 62235 bytes +~~ total detected protocols..: 3 +~~ total active/idle flows...: 4/4 +~~ total timeout flows.......: 0 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +~~ total memory allocated....: 6774572 bytes +~~ total memory freed........: 6774572 bytes +~~ total allocations/frees...: 114292/114292 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +~~ json message min len.......: 581 chars +~~ json message max len.......: 2236 chars +~~ json message avg len.......: 1405 chars diff --git a/test/results/tls_heuristics_enabled/tls_heur__vmess-websocket.pcapng.out b/test/results/tls_heuristics_enabled/tls_heur__vmess-websocket.pcapng.out new file mode 100644 index 000000000..f8c4c3d45 --- /dev/null +++ b/test/results/tls_heuristics_enabled/tls_heur__vmess-websocket.pcapng.out 
@@ -0,0 +1,53 @@ +00598{"daemon_event_id":1,"daemon_event_name":"init","thread_id":0,"packet_id":0,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-websocket.pcapng","alias":"nDPId-test","version":"1.7.0","ndpi_version":"4.11.0-4976-59ee1fe","max-flows-per-thread":2048,"max-idle-flows-per-thread":64,"reader-thread-count":1,"flow-scan-interval":10000000,"generic-max-idle-time":600000000,"icmp-max-idle-time":120000000,"udp-max-idle-time":180000000,"tcp-max-idle-time":7560000000,"max-packets-per-flow-to-send":5,"max-packets-per-flow-to-process":32,"max-packets-per-flow-to-analyse":32,"global_ts_usec":0} +00822{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":1,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-websocket.pcapng","alias":"nDPId-test","version":"1.7.0","ndpi_version":"4.11.0-4976-59ee1fe","packets-captured":1,"packets-processed":0,"pfring_active":false,"pfring_recv":0,"pfring_drop":0,"pfring_shunt":0,"total-skipped-flows":0,"total-l4-payload-len":0,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":0,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":0,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"global-alloc-count":0,"global-free-count":0,"global-alloc-bytes":0,"global-free-bytes":0,"total-events-serialized":2,"global_ts_usec":1725278711295335} 
+00804{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-websocket.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1725278711295335,"flow_src_last_pkt_time":1725278711295335,"flow_dst_last_pkt_time":1725278711295335,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1725278711295335,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":44532,"dst_port":1080,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":5} +00597{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-websocket.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_src_last_pkt_time":1725278711295335,"flow_dst_last_pkt_time":1725278711295335,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":76,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":76,"pkt_l4_len":40,"thread_ts_usec":1725278711295335,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAADwSqkAAQAYqEH8AAAF\/AAABrfQEOJ96Es4AAAAAoAL\/1\/4wAAACBP\/XBAIICtChiqgAAAAAAQMDBw=="} 
+00597{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-websocket.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1725278711295335,"flow_dst_last_pkt_time":1725278711295427,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":76,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":76,"pkt_l4_len":40,"thread_ts_usec":1725278711295427,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAADwAAEAAQAY8un8AAAF\/AAABBDit9LL9yaKfehLPoBL\/y\/4wAAACBP\/XBAIICtChiqjQoYqoAQMDBw=="} +00583{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-websocket.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1725278711295448,"flow_dst_last_pkt_time":1725278711295427,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1725278711295448,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAADQSq0AAQAYqF38AAAF\/AAABrfQEOJ96Es+y\/cmjgBACAP4oAAABAQgK0KGKqNChiqg="} +00587{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-websocket.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":4,"flow_src_last_pkt_time":1725278711295526,"flow_dst_last_pkt_time":1725278711295427,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":72,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":72,"pkt_l4_len":36,"thread_ts_usec":1725278711295526,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAADgSrEAAQAYqEn8AAAF\/AAABrfQEOJ96Es+y\/cmjgBgCAP4sAAABAQgK0KGKqNChiqgFAgAB"} 
+00582{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":5,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-websocket.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":5,"flow_src_last_pkt_time":1725278711295526,"flow_dst_last_pkt_time":1725278711295533,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1725278711295533,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAADR+iUAAQAa+OH8AAAF\/AAABBDit9LL9yaOfehLTgBACAP4oAAABAQgK0KGKqNChiqg="} +00948{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":6,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-websocket.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1725278711295335,"flow_src_last_pkt_time":1725278711295526,"flow_dst_last_pkt_time":1725278711295915,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":4,"flow_dst_max_l4_payload_len":2,"flow_src_tot_l4_payload_len":4,"flow_dst_tot_l4_payload_len":2,"midstream":0,"thread_ts_usec":1725278711295915,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":44532,"dst_port":1080,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"SOCKS","proto_id":"172","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 
+00805{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":8,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-websocket.pcapng","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1725278711296937,"flow_src_last_pkt_time":1725278711296937,"flow_dst_last_pkt_time":1725278711296937,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":44,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":44,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1725278711296937,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.53","src_port":39646,"dst_port":53,"l4_proto":"udp","flow_datalink":113,"flow_max_packets":5} +00610{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":8,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-websocket.pcapng","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_src_last_pkt_time":1725278711296937,"flow_dst_last_pkt_time":1725278711296937,"flow_idle_time":200000000,"pkt_datalink":113,"pkt_caplen":88,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":88,"pkt_l4_len":52,"thread_ts_usec":1725278711296937,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAAEi6BEAAQBGCan8AAAF\/AAA1mt4ANQA0\/nuOygEgAAEAAAAAAAEDd3d3B3lvdXR1YmUDY29tAAABAAEAACkEsAAAAAAAAA=="} 
+01113{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":8,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-websocket.pcapng","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1725278711296937,"flow_src_last_pkt_time":1725278711296937,"flow_dst_last_pkt_time":1725278711296937,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":44,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":44,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1725278711296937,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.53","src_port":39646,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.YouTube","proto_id":"5.124","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Fun","category_id":14,"category":"Network","hostname":"www.youtube.com","domainame":"www.youtube.com","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr": []}}} 
+00978{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-websocket.pcapng","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1725278711296937,"flow_dst_last_pkt_time":1725278711297510,"flow_idle_time":200000000,"pkt_datalink":113,"pkt_caplen":362,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":362,"pkt_l4_len":326,"thread_ts_usec":1725278711297510,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAAVrOWUAAARGsA38AADV\/AAABADWa3gFG\/42OyoGAAAEACQAAAAUDd3d3B3lvdXR1YmUDY29tAAABAAHADAAFAAEAAAEGABYKeW91dHViZS11aQFsBmdvb2dsZcAYwC0AAQABAAABEQAEjvq0jsAtAAEAAQAAAREABNg60S7ALQABAAEAAAERAASO+9EuwC0AAQABAAABEQAE2DrNLsAtAAEAAQAAAREABNg6zI7ALQABAAEAAAERAATYOszuwC0AAQABAAABEQAEjvvRDsAtAAEAAQAAAREABI76tK7ALQAcAAEAAAEGABAqABRQQAIEAgAAAAAAACAOwC0AHAABAAABBgAQKgAUUEACBBYAAAAAAAAgDsAtABwAAQAAAQYAECoAFFBAAgQDAAAAAAAAIA7ALQAcAAEAAAEGABAqABRQQAIEFQAAAAAAACAOAAAp\/9YAAAAAAAA="} +01224{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":9,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-websocket.pcapng","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1725278711296937,"flow_src_last_pkt_time":1725278711296937,"flow_dst_last_pkt_time":1725278711297510,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":44,"flow_dst_max_l4_payload_len":318,"flow_src_tot_l4_payload_len":44,"flow_dst_tot_l4_payload_len":318,"midstream":0,"thread_ts_usec":1725278711297510,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.53","src_port":39646,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": 
{"6":"DPI"},"proto":"DNS.YouTube","proto_id":"5.124","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Fun","category_id":14,"category":"Network","hostname":"www.youtube.com","domainame":"www.youtube.com","dns": {"num_queries":1,"num_answers":14,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr": ["142.250.180.142,ttl=273","216.58.209.46,ttl=273","142.251.209.46,ttl=273","216.58.205.46,ttl=273"]}}} +00611{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":10,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-websocket.pcapng","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1725278711297554,"flow_dst_last_pkt_time":1725278711297510,"flow_idle_time":200000000,"pkt_datalink":113,"pkt_caplen":88,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":88,"pkt_l4_len":52,"thread_ts_usec":1725278711297554,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAAEi6BUAAQBGCaX8AAAF\/AAA1mt4ANQA0\/nvGyQEgAAEAAAAAAAEDd3d3B3lvdXR1YmUDY29tAAAcAAEAACkEsAAAAAAAAA=="} +00807{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":11,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-websocket.pcapng","alias":"nDPId-test","flow_id":2,"flow_packet_id":4,"flow_src_last_pkt_time":1725278711297554,"flow_dst_last_pkt_time":1725278711297705,"flow_idle_time":200000000,"pkt_datalink":113,"pkt_caplen":234,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":234,"pkt_l4_len":198,"thread_ts_usec":1725278711297705,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAANrOWkAAARGsgn8AADV\/AAABADWa3gDG\/w3GyYGAAAEABQAAAAEDd3d3B3lvdXR1YmUDY29tAAAcAAHADAAFAAEAAAEGABYKeW91dHViZS11aQFsBmdvb2dsZcAYwC0AHAABAAABBgAQKgAUUEACBAIAAAAAAAAgDsAtABwAAQAAAQYAECoAFFBAAgQDAAAAAAAAIA7ALQAcAAEAAAEGABAqABRQQAIEFgAAAAAAACAOwC0AHAABAAABBgAQKgAUUEACBBUAAAAAAAAgDgAAKf\/WAAAAAAAA"} 
+00805{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":14,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-websocket.pcapng","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1725278711300968,"flow_src_last_pkt_time":1725278711300968,"flow_dst_last_pkt_time":1725278711300968,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1725278711300968,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":33702,"dst_port":1234,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":5} +00598{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":14,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-websocket.pcapng","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_src_last_pkt_time":1725278711300968,"flow_dst_last_pkt_time":1725278711300968,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":76,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":76,"pkt_l4_len":40,"thread_ts_usec":1725278711300968,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAADzadUAAQAZiRH8AAAF\/AAABg6YE0tC4yngAAAAAoAL\/1\/4wAAACBP\/XBAIICtChiq0AAAAAAQMDBw=="} 
+00598{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":15,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-websocket.pcapng","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_src_last_pkt_time":1725278711300968,"flow_dst_last_pkt_time":1725278711300981,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":76,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":76,"pkt_l4_len":40,"thread_ts_usec":1725278711300981,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAADwAAEAAQAY8un8AAAF\/AAABBNKDprSj9ZbQuMp5oBL\/y\/4wAAACBP\/XBAIICtChiq3QoYqtAQMDBw=="} +00584{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":16,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-websocket.pcapng","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_src_last_pkt_time":1725278711300988,"flow_dst_last_pkt_time":1725278711300981,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1725278711300988,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAADTadkAAQAZiS38AAAF\/AAABg6YE0tC4ynm0o\/WXgBACAP4oAAABAQgK0KGKrdChiq0="} 
+00835{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":17,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-websocket.pcapng","alias":"nDPId-test","flow_id":3,"flow_packet_id":4,"flow_src_last_pkt_time":1725278711301309,"flow_dst_last_pkt_time":1725278711300981,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":253,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":253,"pkt_l4_len":217,"thread_ts_usec":1725278711301309,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAAO3ad0AAQAZhkX8AAAF\/AAABg6YE0tC4ynm0o\/WXgBgCAP7hAAABAQgK0KGKrtChiq1HRVQgLyBIVFRQLzEuMQ0KSG9zdDogMTI3LjAuMC4xOjEyMzQNClVzZXItQWdlbnQ6IEdvLWh0dHAtY2xpZW50LzEuMQ0KQ29ubmVjdGlvbjogVXBncmFkZQ0KU2VjLVdlYlNvY2tldC1LZXk6IGtaWkl3RHJuSG1XWXhqaDdhL3ZsOHc9PQ0KU2VjLVdlYlNvY2tldC1WZXJzaW9uOiAxMw0KVXBncmFkZTogd2Vic29ja2V0DQoNCg=="} +01351{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":17,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-websocket.pcapng","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1725278711300968,"flow_src_last_pkt_time":1725278711301309,"flow_dst_last_pkt_time":1725278711300981,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":185,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":185,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1725278711301309,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":33702,"dst_port":1234,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":160,"client":140,"server":20}},"12": {"risk":"HTTP\/TLS\/QUIC Numeric Hostname\/SNI","severity":"Low","risk_score": {"total":300,"client":270,"server":30}}},"confidence": 
{"6":"DPI"},"proto":"HTTP","proto_id":"7","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"127.0.0.1","domainame":"127.0.0.1","http": {"url":"127.0.0.1:1234\/","code":0,"content_type":"","user_agent":"Go-http-client\/1.1"}}} +00585{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":18,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-websocket.pcapng","alias":"nDPId-test","flow_id":3,"flow_packet_id":5,"flow_src_last_pkt_time":1725278711301309,"flow_dst_last_pkt_time":1725278711301316,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1725278711301316,"pkt":"AAADBAAGAAAAAAAAAAAIAEUAADQh2kAAQAYa6H8AAAF\/AAABBNKDprSj9ZfQuMsygBAB\/\/4oAAABAQgK0KGKrtChiq4="} +00814{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":24,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-websocket.pcapng","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1725278711354999,"flow_src_last_pkt_time":1725278711354999,"flow_dst_last_pkt_time":1725278711354999,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1725278711354999,"l3_proto":"ip4","src_ip":"192.168.1.183","dst_ip":"142.250.180.142","src_port":51390,"dst_port":443,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":5} 
+00596{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":24,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-websocket.pcapng","alias":"nDPId-test","flow_id":4,"flow_packet_id":1,"flow_src_last_pkt_time":1725278711354999,"flow_dst_last_pkt_time":1725278711354999,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":76,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":76,"pkt_l4_len":40,"thread_ts_usec":1725278711354999,"pkt":"AAQAAQAGCAAn\/ADWAAAIAEUAADxpTUAAQAbLhsCoAbeO+rSOyL4Bu\/iOndoAAAAAoAL68AYXAAACBAW0BAIICn93k8EAAAAAAQMDBw=="} +00597{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":25,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-websocket.pcapng","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_src_last_pkt_time":1725278711354999,"flow_dst_last_pkt_time":1725278711357820,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":76,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":76,"pkt_l4_len":40,"thread_ts_usec":1725278711357820,"pkt":"AAAAAQAGILAB4IZiAAAIAEWAADwAAEAAegb6U476tI7AqAG3AbvIvhyjoLD4jp3boBL\/\/639AAACBAWEBAIICidEO4R\/d5PBAQMDCA=="} +00584{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":26,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-websocket.pcapng","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_src_last_pkt_time":1725278711357866,"flow_dst_last_pkt_time":1725278711357820,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1725278711357866,"pkt":"AAQAAQAGCAAn\/ADWAAAIAEUAADRpTkAAQAbLjcCoAbeO+rSOyL4Bu\/iOndsco6CxgBAB9gYPAAABAQgKf3eTxCdEO4Q="} 
+01279{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":27,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-websocket.pcapng","alias":"nDPId-test","flow_id":4,"flow_packet_id":4,"flow_src_last_pkt_time":1725278711358145,"flow_dst_last_pkt_time":1725278711357820,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":585,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":585,"pkt_l4_len":549,"thread_ts_usec":1725278711358145,"pkt":"AAQAAQAGCAAn\/ADWAAAIAEUAAjlpT0AAQAbJh8CoAbeO+rSOyL4Bu\/iOndsco6CxgBgB9ggUAAABAQgKf3eTxCdEO4QWAwECAAEAAfwDA46xyPKufA0h2C\/na1nFm9C+KMncQt0f3tSOiZ28qNdGIL9APvSF8v4p3TWMCqfXvgibYWFwkYj2wAKYq4tRTOVrAD4TAhMDEwHALMAwAJ\/MqcyozKrAK8AvAJ7AJMAoAGvAI8AnAGfACsAUADnACcATADMAnQCcAD0APAA1AC8A\/wEAAXUAAAAUABIAAA93d3cueW91dHViZS5jb20ACwAEAwABAgAKABYAFAAdABcAHgAZABgBAAEBAQIBAwEEM3QAAAAQAA4ADAJoMghodHRwLzEuMQAWAAAAFwAAADEAAAANACoAKAQDBQMGAwgHCAgICQgKCAsIBAgFCAYEAQUBBgEDAwMBAwIEAgUCBgIAKwAFBAMEAwMALQACAQEAMwAmACQAHQAgCUnwEnwXeX81FYV10UkXFjD\/yp2qEOm4vSM6NHBI6TUAFQCuAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"} 
+01292{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":27,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-websocket.pcapng","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1725278711354999,"flow_src_last_pkt_time":1725278711358145,"flow_dst_last_pkt_time":1725278711357820,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1725278711358145,"l3_proto":"ip4","src_ip":"192.168.1.183","dst_ip":"142.250.180.142","src_port":51390,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.YouTube","proto_id":"91.124","proto_by_ip":"Google","proto_by_ip_id":126,"encrypted":1,"breed":"Fun","category_id":1,"category":"Media","hostname":"www.youtube.com","domainame":"www.youtube.com","tls": {"version":"TLSv1.2","ja3":"4ea056e63b7910cbf543f0c095064dfe","ja3s":"","ja4":"t13d3113h2_e8f1e7e78f70_ce5650b735ce","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","advertised_alpns":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2","blocks":0}}} +00583{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":28,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-websocket.pcapng","alias":"nDPId-test","flow_id":4,"flow_packet_id":5,"flow_src_last_pkt_time":1725278711358145,"flow_dst_last_pkt_time":1725278711360754,"flow_idle_time":7580000000,"pkt_datalink":113,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1725278711360754,"pkt":"AAAAAQAGILAB4IZiAAAIAEWAADSPwQAAegaqmo76tI7AqAG3AbvIvhyjoLH4jp\/ggBABBdmKAAABAQgKJ0Q7h393k8Q="} 
+01337{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":29,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-websocket.pcapng","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1725278711354999,"flow_src_last_pkt_time":1725278711358145,"flow_dst_last_pkt_time":1725278711376987,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":6600,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":6600,"midstream":0,"thread_ts_usec":1725278711376987,"l3_proto":"ip4","src_ip":"192.168.1.183","dst_ip":"142.250.180.142","src_port":51390,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.YouTube","proto_id":"91.124","proto_by_ip":"Google","proto_by_ip_id":126,"encrypted":1,"breed":"Fun","category_id":1,"category":"Media","hostname":"www.youtube.com","domainame":"www.youtube.com","tls": {"version":"TLSv1.3","ja3":"4ea056e63b7910cbf543f0c095064dfe","ja3s":"907bf3ecef1c987c889946b737b43de8","ja4":"t13d3113h2_e8f1e7e78f70_ce5650b735ce","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","advertised_alpns":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2","blocks":0}}} 
+02447{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":86,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-websocket.pcapng","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1725278711300968,"flow_src_last_pkt_time":1725278711469124,"flow_dst_last_pkt_time":1725278711469141,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":699,"flow_dst_max_l4_payload_len":2052,"flow_src_tot_l4_payload_len":1330,"flow_dst_tot_l4_payload_len":18274,"midstream":0,"thread_ts_usec":1725278711469141,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":33702,"dst_port":1234,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":5,"data_analysis": {"iat": {"min":13,"avg":10849.3,"max":81912,"stddev":22504.7,"var":506460032.0,"ent":2.8,"data": [13,20,321,335,139,158,52949,76203,23289,91,56,38,34,108,111,5407,8441,3526,701,41202,81912,40932,58,43,54,53,30,29,27,26,23]},"pktlen": {"min":52,"avg":665.1,"max":2104,"stddev":842.7,"var":710078.0,"ent":3.9,"data": [60,60,52,237,52,181,52,751,2104,52,2104,52,2104,52,723,52,406,753,144,123,52,2084,52,2046,52,2079,52,2043,52,2075,52,531]},"bins": {"c_to_s": [13,0,1,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,1,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8]},"directions": [0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1],"entropies": 
[4.311033249,4.734919071,4.624013901,5.851198196,4.644789219,5.827358723,4.644789219,7.722790718,7.902339935,4.585552216,7.913048267,4.585552216,7.905004501,4.585552216,7.688803673,4.585552216,7.428673744,7.699780941,6.310562611,6.170208454,4.624013901,7.892062187,4.571035385,7.909559727,4.624013901,7.904311180,4.585552216,7.891872406,4.585552692,7.905772209,4.624013901,7.592932701]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":160,"client":140,"server":20}},"12": {"risk":"HTTP\/TLS\/QUIC Numeric Hostname\/SNI","severity":"Low","risk_score": {"total":300,"client":270,"server":30}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"127.0.0.1"}} +02176{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":96,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-websocket.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1725278711295335,"flow_src_last_pkt_time":1725278711469489,"flow_dst_last_pkt_time":1725278711469627,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":3932,"flow_src_tot_l4_payload_len":835,"flow_dst_tot_l4_payload_len":18380,"midstream":0,"thread_ts_usec":1725278711469627,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":44532,"dst_port":1080,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":5,"data_analysis": {"iat": {"min":13,"avg":11240.2,"max":82049,"stddev":21975.3,"var":482912224.0,"ent":3.1,"data": [92,113,78,106,382,425,4533,4672,44031,9418,77646,24339,284,267,4160,279,19,13,40,4612,3350,3674,624,41294,82049,41160,126,151,203,160,146]},"pktlen": 
{"min":52,"avg":653.0,"max":3984,"stddev":1237.6,"var":1531706.8,"ent":3.3,"data": [60,60,52,56,52,54,52,62,62,52,569,3984,52,2720,52,132,98,101,87,115,52,700,83,83,52,3984,52,3984,52,2428,52,901]},"bins": {"c_to_s": [13,4,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,1,0,0,0,0,0,0,1,1,0,1,0,1,0,1,0,1,0,1],"entropies": [4.311033249,4.747500420,4.638530731,4.549884796,4.638531208,4.628801823,4.600069046,4.733144760,4.497382641,4.600069046,4.669951916,7.947538853,4.676992416,7.920604706,4.600069046,6.167953491,5.851360321,5.834712982,5.660713673,6.112284660,4.676992416,7.680773735,5.506919861,5.521921158,4.676992416,7.956730843,4.561607838,7.954389572,4.561607361,7.916389942,4.561607838,7.802294254]},"ndpi": {"confidence": {"6":"DPI"},"proto":"SOCKS","proto_id":"172","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +01282{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":100,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-websocket.pcapng","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":16,"flow_first_seen":1725278711300968,"flow_src_last_pkt_time":1725278711469193,"flow_dst_last_pkt_time":1725278711469186,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":699,"flow_dst_max_l4_payload_len":2052,"flow_src_tot_l4_payload_len":1330,"flow_dst_tot_l4_payload_len":19186,"midstream":0,"thread_ts_usec":1725278711492259,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":33702,"dst_port":1234,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":5,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std 
Port","severity":"Medium","risk_score": {"total":160,"client":140,"server":20}},"12": {"risk":"HTTP\/TLS\/QUIC Numeric Hostname\/SNI","severity":"Low","risk_score": {"total":300,"client":270,"server":30}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"127.0.0.1"}} +01004{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":100,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-websocket.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":13,"flow_first_seen":1725278711295335,"flow_src_last_pkt_time":1725278711469639,"flow_dst_last_pkt_time":1725278711469627,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":3932,"flow_src_tot_l4_payload_len":835,"flow_dst_tot_l4_payload_len":18380,"midstream":0,"thread_ts_usec":1725278711492259,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":44532,"dst_port":1080,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"SOCKS","proto_id":"172","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 
+01031{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":100,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-websocket.pcapng","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":2,"flow_first_seen":1725278711296937,"flow_src_last_pkt_time":1725278711297554,"flow_dst_last_pkt_time":1725278711297705,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":44,"flow_dst_max_l4_payload_len":318,"flow_src_tot_l4_payload_len":88,"flow_dst_tot_l4_payload_len":508,"midstream":0,"thread_ts_usec":1725278711492259,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.53","src_port":39646,"dst_port":53,"l4_proto":"udp","flow_datalink":113,"flow_max_packets":5,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.YouTube","proto_id":"5.124","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Fun","category_id":14,"category":"Network","hostname":"www.youtube.com"}} +01014{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":100,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-websocket.pcapng","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":11,"flow_dst_packets_processed":17,"flow_first_seen":1725278711354999,"flow_src_last_pkt_time":1725278711492259,"flow_dst_last_pkt_time":1725278711492259,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":6600,"flow_src_tot_l4_payload_len":821,"flow_dst_tot_l4_payload_len":21168,"midstream":0,"thread_ts_usec":1725278711492259,"l3_proto":"ip4","src_ip":"192.168.1.183","dst_ip":"142.250.180.142","src_port":51390,"dst_port":443,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":5,"ndpi": {"confidence": 
{"6":"DPI"},"proto":"TLS.YouTube","proto_id":"91.124","proto_by_ip":"Google","proto_by_ip_id":126,"encrypted":1,"breed":"Fun","category_id":1,"category":"Media"}} +00835{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":100,"source":"cfgs\/tls_heuristics_enabled\/pcap\/tls_heur__vmess-websocket.pcapng","alias":"nDPId-test","version":"1.7.0","ndpi_version":"4.11.0-4976-59ee1fe","packets-captured":100,"packets-processed":100,"pfring_active":false,"pfring_recv":0,"pfring_drop":0,"pfring_shunt":0,"total-skipped-flows":0,"total-l4-payload-len":62316,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":4,"total-detection-updates":2,"total-updates":0,"current-active-flows":0,"total-active-flows":4,"total-idle-flows":4,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"global-alloc-count":0,"global-free-count":0,"global-alloc-bytes":0,"global-free-bytes":0,"total-events-serialized":38,"global_ts_usec":1725278711492259} +~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ +~~ packets captured/processed: 100/100 +~~ skipped flows.............: 0 +~~ total layer4 data length..: 62316 bytes +~~ total detected protocols..: 4 +~~ total active/idle flows...: 4/4 +~~ total timeout flows.......: 0 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +~~ total memory allocated....: 6848314 bytes +~~ total memory freed........: 6848314 bytes +~~ total allocations/frees...: 114295/114295 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +~~ json message min len.......: 587 chars +~~ json message max len.......: 2452 chars +~~ json message avg len.......: 1514 chars |