path: root/test/results/anydesk.pcap.out
blob: eccc2389c61fda0ca096e6486ce41ddc987cdf94 (plain)
00475{"daemon_event_id":1,"daemon_event_name":"init","thread_id":0,"packet_id":0,"source":"anydesk.pcap","alias":"nDPId-test","max-flows-per-thread":2048,"max-idle-flows-per-thread":256,"tick-resolution":1000,"reader-thread-count":1,"idle-scan-period":10000,"generic-max-idle-time":600000,"icmp-max-idle-time":30000,"udp-max-idle-time":180000,"tcp-max-idle-time":7440000,"tcp-max-post-end-flow-time":120000,"max-packets-per-flow-to-send":15,"max-packets-per-flow-to-process":255}
00486{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1,"source":"anydesk.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_first_seen":1591342198821,"flow_last_seen":0,"flow_min_l4_payload_len":51,"flow_max_l4_payload_len":51,"flow_tot_l4_payload_len":51,"flow_avg_l4_payload_len":51,"midstream":1,"l3_proto":"ip4","src_ip":"192.168.149.129","dst_ip":"51.83.239.144","src_port":36351,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":15}
00479{"flow_id":1,"flow_packet_id":1,"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"anydesk.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_ts_sec":1591342198,"pkt_ts_usec":821353,"pkt_caplen":105,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":105,"pkt_l4_len":71,"pkt":"AFBW5dKtAAwplUdeCABFAABbtopAAEAGCwXAqJWBM1PvkI3\/AFB7i54qMVwSUlAY+DR5WwAAFwMDAC7mz9mv7V5op8uDzrVlyYzGPOa22i4SIRv\/ctzVUMWyqJzhwIdSdK\/Qd7DJrcKc"}
00414{"flow_id":1,"flow_packet_id":2,"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"anydesk.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_ts_sec":1591342198,"pkt_ts_usec":821804,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"pkt":"AAwplUdeAFBW5dKtCABFAAAoe1AAAIAGRnIzU++QwKiVgQBQjf8xXBJSe4ueXVAQ+vBP7wAAAAAAAAAA"}
00473{"flow_id":1,"flow_packet_id":3,"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"anydesk.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_ts_sec":1591342198,"pkt_ts_usec":998446,"pkt_caplen":102,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":102,"pkt_l4_len":68,"pkt":"AFBW5dKtAAwplUdeCABFAABYtotAAEAGCwfAqJWBM1PvkI3\/AFB7i55dMVwSUlAY+DR5WAAAFwMDACvmz9mv7V5oqHbrZghdQbdzwBFFDzsTJ43BfdwI8acT8HfThIVfMXtYD9Ln"}
00414{"flow_id":1,"flow_packet_id":4,"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4,"source":"anydesk.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_ts_sec":1591342198,"pkt_ts_usec":999092,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"pkt":"AAwplUdeAFBW5dKtCABFAAAoe1EAAIAGRnEzU++QwKiVgQBQjf8xXBJSe4uejVAQ+vBPvwAAAAAAAAAA"}
00477{"flow_id":1,"flow_packet_id":5,"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":5,"source":"anydesk.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_ts_sec":1591342199,"pkt_ts_usec":30552,"pkt_caplen":103,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":103,"pkt_l4_len":69,"pkt":"AAwplUdeAFBW5dKtCABFAABZe1IAAIAGRj8zU++QwKiVgQBQjf8xXBJSe4uejVAY+vBoPwAAFwMDACwkrUQuni1bEw+EOVXQULZxliYh7KSKyV8boo6+bx\/PbNgRA1Ej\/EtfUWhm2A=="}
00406{"flow_id":1,"flow_packet_id":6,"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6,"source":"anydesk.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_ts_sec":1591342199,"pkt_ts_usec":30587,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"pkt":"AFBW5dKtAAwplUdeCABFAAAotoxAAEAGCzbAqJWBM1PvkI3\/AFB7i56NMVwSg1AQ+DR5KAAA"}
00625{"flow_id":1,"flow_packet_id":7,"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":7,"source":"anydesk.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_ts_sec":1591342199,"pkt_ts_usec":192188,"pkt_caplen":213,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":213,"pkt_l4_len":179,"pkt":"AAwplUdeAFBW5dKtCABFAADHe1MAAIAGRdAzU++QwKiVgQBQjf8xXBKDe4uejVAY+vC7swAAFwMDAJokrUQuni1bFHnCrCrci8mu17SSshonC+8pGDiK6l\/Phzxh+NqjpoA5ePRAbTasLuAk4CkeR\/3tMjzdi54ShmUijEg7vw7jf2Yibglow2dlbDkiN8RweFkh8WAg9qfiulu\/uBXqXNlyQGNFnq0FuLddJpIfp\/rRQZTfZvnPbpMerzuj+HtmaUXL4pG6hubYJ0hdsp6pU1FeUjm4"}
00407{"flow_id":1,"flow_packet_id":8,"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":8,"source":"anydesk.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_ts_sec":1591342199,"pkt_ts_usec":192219,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"pkt":"AFBW5dKtAAwplUdeCABFAAAoto1AAEAGCzXAqJWBM1PvkI3\/AFB7i56NMVwTIlAQ+DR5KAAA"}
00482{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":9,"source":"anydesk.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_first_seen":1591342199201,"flow_last_seen":0,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":0,"flow_tot_l4_payload_len":0,"flow_avg_l4_payload_len":0,"midstream":0,"l3_proto":"ip4","src_ip":"192.168.149.129","dst_ip":"51.83.238.219","src_port":43535,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":15}
00434{"flow_id":2,"flow_packet_id":1,"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9,"source":"anydesk.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_ts_sec":1591342199,"pkt_ts_usec":201196,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"pkt":"AFBW5dKtAAwplUdeCABFAAA8CJBAAEAGudPAqJWBM1Pu26oPAFApppzyAAAAAKAC+vB4hwAAAgQFtAQCCAqukMx3AAAAAAEDAwc="}
00415{"flow_id":2,"flow_packet_id":2,"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":10,"source":"anydesk.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_ts_sec":1591342199,"pkt_ts_usec":366001,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":24,"pkt":"AAwplUdeAFBW5dKtCABFAAAse1UAAIAGRx4zU+7bwKiVgQBQqg9odWR8Kaac82AS+vDm4QAAAgQFtAAA"}
00407{"flow_id":2,"flow_packet_id":3,"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":11,"source":"anydesk.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_ts_sec":1591342199,"pkt_ts_usec":366113,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"pkt":"AFBW5dKtAAwplUdeCABFAAAoCJFAAEAGuebAqJWBM1Pu26oPAFApppzzaHVkfVAQ+vB4cwAA"}
00765{"flow_id":2,"flow_packet_id":4,"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":12,"source":"anydesk.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_ts_sec":1591342199,"pkt_ts_usec":366725,"pkt_caplen":317,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":317,"pkt_l4_len":283,"pkt":"AFBW5dKtAAwplUdeCABFAAEvCJJAAEAGuN7AqJWBM1Pu26oPAFApppzzaHVkfVAY+vB5egAAFgMBAQIBAAD+AwPH+2RueS0bCFAjOjiKaUYj6rfjOOjwnxNAapJEdabvkAAAgMAwwCzAKMAkwBTACgClAKMAoQCfAGsAagBpAGgAOQA4ADcANsAywC7AKsAmwA\/ABQCdAD0ANcAvwCvAJ8AjwBPACQCkAKIAoACeAGcAQAA\/AD4AMwAyADEAMMAxwC3AKcAlwA7ABACcADwAL8ASwAgAFgATABAADcANwAMACgD\/AQAAVQALAAQDAAECAAoAHAAaABcAGQAcABsAGAAaABYADgANAAsADAAJAAoAIwAAAA0AIAAeBgEGAgYDBQEFAgUDBAEEAgQDAwEDAgMDAgECAgIDAA8AAQE="}
00883{"flow_event_id":5,"flow_event_name":"detected","thread_id":0,"packet_id":12,"source":"anydesk.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":4,"flow_first_seen":1591342199201,"flow_last_seen":1591342199366,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":263,"flow_tot_l4_payload_len":263,"flow_avg_l4_payload_len":65,"midstream":0,"l3_proto":"ip4","src_ip":"192.168.149.129","dst_ip":"51.83.238.219","src_port":43535,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","15":"TLS (probably) not carrying HTTPS","24":"SNI TLS extension was missing","30":"Desktop\/File Sharing Session"},"proto":"TLS.AnyDesk","breed":"Acceptable","category":"RemoteAccess"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","ja3":"201999283915cc31cee6b15472ef3332","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}
00415{"flow_id":2,"flow_packet_id":5,"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":13,"source":"anydesk.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_ts_sec":1591342199,"pkt_ts_usec":367083,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"pkt":"AAwplUdeAFBW5dKtCABFAAAoe1YAAIAGRyEzU+7bwKiVgQBQqg9odWR9Kaad+lAQ+vD9lwAAAAAAAAAA"}
02165{"flow_id":2,"flow_packet_id":6,"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":14,"source":"anydesk.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_ts_sec":1591342199,"pkt_ts_usec":532111,"pkt_caplen":1354,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1354,"pkt_l4_len":1320,"pkt":"AAwplUdeAFBW5dKtCABFAAU8e1cAAIAGQgwzU+7bwKiVgQBQqg9odWR9Kaad+lAY+vCKSQAAFgMDAFcCAABTAwNe2fR3FKnG2hMjkf\/flk2Q8alQACN4Gw3ceEAvBvF6LSCBWeatQQeDcBonXd4xN3eteAA\/15hN7vAwUwn3lLPAk8AsAAALAAsAAgEA\/wEAAQAWAwMItwsACLMACLAAA0MwggM\/MIIBJwIJAPGIMHZ0UySTMA0GCSqGSIb3DQEBCwUAMEgxFzAVBgNVBAMMDkFueU5ldCBSb290IENBMSAwHgYDVQQKDBdwaGlsYW5kcm8gU29mdHdhcmUgR21iSDELMAkGA1UEBhMCREUwHhcNMTgxMTE4MDIxNDIzWhcNMjgxMTE1MDIxNDIzWjBGMQswCQYDVQQGEwJERTEgMB4GA1UECgwXcGhpbGFuZHJvIFNvZnR3YXJlIEdtYkgxFTATBgNVBAMMDEFueU5ldCBSZWxheTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABEimSq43jXFd4y0DWmX27+lJ7CD1sFgnD\/iYL6vzT5r88O9fhn8M\/e++YZZi52ShTQpoZZcpRdLmq451xVL8rL8wDQYJKoZIhvcNAQELBQADggIBAGaRMkjCQwOFjmCpjVewPT62MuIafRSC4Z0O+0QWB1PHDHb2GlJ5LWbUFThy1vpyjh19L1wPCxJWhaY8PttZrUJFsoFAOthHxaopXOcDA0mgW0k\/ljLL+1fwcvADKqBcacDvUvI3a9S1Cibm6CC5S4u7Y95vZWqfXdfBl5stME6agYW0HJKm7dh6+d+dA7OQnHipyLoOPKzsFNt9UbOXBrn2d2Cr\/lmDr46XVinH235xedHH99q2yPevjyTgGwDfFtEZD9FanUcBfCdTgE9e5p5qbCT+p+SAfI5YsNQSTfArm7reqCIp\/\/ykK+bUhdN7zx9uuxCVXAzDJjlTyOx8NOJ4zttMDeZwfJev+OGhYVouqoNxF0SgnfxMEfy0XPp2wXEZoySQO0+pz8APHRZysuwFzalvy9pDczR8elyWDce\/2b4BkLc4W7yJheLb539UUoq+3al4Vc7dPrKTUuUPOBbOuzXO4Z9Zod+eDRw0b1QJQAniymVNFEJMPaOrgfLzTcGa\/dKQ1diwXhIKLMNWxN7bQ5LBrfHh\/PvD74hacQYkXLdHYW\/kukh6eIsjvV9uEW1d+2PJsVgVlaMm0ky2p+Q5POfjWbYrXy6OcO14LP9VzsT8ZminOkRX8km1ObtFBCwm03x93FrfzkmQzxQdQ99Hr49V9XxJA52jASKsiq2RAAVnMIIFYzCCA0ugAwIBAgIJAIf7DQy3sYvoMA0GCSqGSIb3DQEBBQUAMEgxFzAVBgNVBAMMDkFueU5ldCBSb290IENBMSAwHgYDVQQKDBdwaGlsYW5kcm8gU29mdHdhcmUgR21iSDELMAkGA1UEBhMCREUwHhcNMTQwNDExMDIzNzU1WhcNMjQwNDA4MDIzNzU1WjBIMRcwFQYDVQQDDA5BbnlOZXQgUm9vdCBDQTEgMB4GA1UECgwXcGhpbGFuZHJvIFNvZnR3YXJlIEdtYkgxCzAJBgNVBAYTAkRFMIICIjANBgkqhkiG9w0
BAQEFAAOCAg8AMIICCgKCAgEAtBVBDdoa01og\/vnfvwqM8aSt79RUlufigrcNAOrxN+LXjKEWO6BoCDiqbdsmvqZpkzaojh5w3KyBHuLdFoM0tRVw9YrNne5dgHxaeKIHpK7m+NYx+lx7u+Ba61Evl7\/2+zMnkLPY5A=="}
00942{"flow_event_id":6,"flow_event_name":"detection-update","thread_id":0,"packet_id":14,"source":"anydesk.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":6,"flow_first_seen":1591342199201,"flow_last_seen":1591342199532,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1300,"flow_tot_l4_payload_len":1563,"flow_avg_l4_payload_len":260,"midstream":0,"l3_proto":"ip4","src_ip":"192.168.149.129","dst_ip":"51.83.238.219","src_port":43535,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","15":"TLS (probably) not carrying HTTPS","24":"SNI TLS extension was missing","30":"Desktop\/File Sharing Session"},"proto":"TLS.AnyDesk","breed":"Acceptable","category":"RemoteAccess"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","ja3":"201999283915cc31cee6b15472ef3332","ja3s":"107030a763c7224285717ff1569a17f3","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"}}
00407{"flow_id":2,"flow_packet_id":7,"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":15,"source":"anydesk.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_ts_sec":1591342199,"pkt_ts_usec":532151,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"pkt":"AFBW5dKtAAwplUdeCABFAAAoCJNAAEAGueTAqJWBM1Pu26oPAFAppp36aHVpkVAQ+NR4cwAA"}
02173{"flow_id":2,"flow_packet_id":8,"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":16,"source":"anydesk.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_ts_sec":1591342199,"pkt_ts_usec":532596,"pkt_caplen":1354,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1354,"pkt_l4_len":1320,"pkt":"AAwplUdeAFBW5dKtCABFAAU8e1gAAIAGQgszU+7bwKiVgQBQqg9odWmRKaad+lAY+vAgpgAA4M1oO2qHbKYN59i9Yd9WayrhHCv1n7+F3YxbBh5xf7pKpkCwdxfqLD9blBSFLq0RYauI9gG7s0dr4oEY8Y455th7DGOGg6xwhHUnLTU9e3uozrJIeQg4LYImfpNLMnZmhaf9yvEKL8diD2pA\/hprWBxT5GPBdYOaq3gESYMf5yNwn6O\/aNEzL0zeXoaYfWF9ATT1nOnLQWuuUCtn1dnyAvxfo1I0udxn7\/pzxZRA6rWK95js6Ju7hmxvNjeKgIyfhPbKSnYico1SfYV1TVXvra\/z5RYjAFvotu1+ny6AS+7VX9xl6Ync26ZDBLvO\/alMLxkzquZxIIb+RYuX5sgdT3C6x8DD86by2sKkG92JTuwc2nskj6pC+RQyg2hjyCa87BOzDQvitgjGxgZ+oxZvFdIbFlI8HyKRJRcVzEKC2juoOccqUMrZTKCMlTN1A3C436DJsrKLGziDeTLDEtozlkL0kRGqxiYxvOpDijBUZcVDnlA7+pGTDp07I0o9Q8HGIptory\/8AYBSGAUiDr1q5C7J1uzFj\/MTswIDAQABo1AwTjAdBgNVHQ4EFgQUGWV5BoDG3rKqWJlXsjZc7QFijUcwHwYDVR0jBBgwFoAUGWV5BoDG3rKqWJlXsjZc7QFijUcwDAYDVR0TBAUwAwEB\/zANBgkqhkiG9w0BAQUFAAOCAgEAs6pHF6Sv0mA0Fa0l1Y4oXsGqsY0wVptHdvLgIFQGPfEjwu+7ofKf46sMBr9UXgwaNVZt4ZNLxZlfkIZ+UoOUoKBHNvL88sJNcMnJbjRcpw8E\/esWXoq+hjugDHN\/o\/VfPSvFQQxnCuNIK8pi9qmaHsnkRLwX+dtcRZgJaezIY++FKU5x7fmZrEkgipC8WY7x86WZmRLjp3vlaDSrU1qt8UTKun\/CpnOSEOqMscbJ1eReKw8eSpP5bUwGhZBlUdOJzC6ia7Xk8Oo3Nal9wMuHEjJykyFRgR2jDMqW+IH0kqCv9xkk8+bN6hEpyfEpHbIrGBq0o8BYxHA5eKeI13QywoBig1jjtD4luFYsYHdSJaphMtGXjXckNCTF2\/LdYcjtY1cOwnDlH1LdbG84strtnacvh\/qzcOVkTfnDAtVG2h\/L8Fgg\/ESW8Mq2mznmzyfQLJl01MreR4jt3\/ecO6yKYtJ1kNkAgdP4wkeOmr2Hbc7lmn8odqR3xj+5v03xy98PLHP+tGDjJl6D8q42VpTpp52hPcpdbj1dqG\/ypY\/znmiFJ+zpZ4U0Fg1FNBSOBwx7JVFU8z+hKu+aF55R3hZk+93hyJQJjDm7d3PUZrtJK1z6K1eLZq33qHA7j54Jcd4SLu0CEEzVZx5y\/zo+NG2SYD1EXvQhYO5sLjpzGsMmavQWAwMAlAwAAJADABdBBJ4gqxu\/2Olw\/hDX4IRz1MnzWKHEoX5juzKFl0QvBpFxBeZDIFVOPCUvPpMn9UXfXp86d\/EthPoo4ljdTojgB5IGAwBHMEUCIF6xn0Z4OO3SABgfd1qVxd9TCdOKbYjboKDHbv2IgbH\/AiEAucA6fUIcRxnJDOsdT3ZwF8RSH7h1t
M+xpD5QGUIjH9AWAwMAbg0AAGoDQAECABYGAwYBBQMFAQQDBAEDAwMBAgMCAQICAEwASjBIMRcwFQYDVQQDDA5BbnlOZXQgUm9vdCBDQTEgMB4GA1UECgwXcGhpbGFuZHJvIFNvZnR3YXJlIEdtYkgxCzAJBgNVBAYTAkRFFgMDAA=="}
01144{"flow_event_id":6,"flow_event_name":"detection-update","thread_id":0,"packet_id":16,"source":"anydesk.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":8,"flow_first_seen":1591342199201,"flow_last_seen":1591342199532,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1300,"flow_tot_l4_payload_len":2863,"flow_avg_l4_payload_len":357,"midstream":0,"l3_proto":"ip4","src_ip":"192.168.149.129","dst_ip":"51.83.238.219","src_port":43535,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"5":"Known protocol on non standard port","15":"TLS (probably) not carrying HTTPS","24":"SNI TLS extension was missing","30":"Desktop\/File Sharing Session"},"proto":"TLS.AnyDesk","breed":"Acceptable","category":"RemoteAccess"},"tls": {"version":"TLSv1.2","client_requested_server_name":"","ja3":"201999283915cc31cee6b15472ef3332","ja3s":"107030a763c7224285717ff1569a17f3","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","issuerDN":"CN=AnyNet Root CA, O=philandro Software GmbH, C=DE","issuerDN":"C=DE, O=philandro Software GmbH, CN=AnyNet Relay","fingerprint":"9E:08:D2:58:A9:02:CD:4F:E2:4A:26:B8:48:5C:43:0B:81:29:99:E3"}}
00407{"flow_id":2,"flow_packet_id":9,"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":17,"source":"anydesk.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_ts_sec":1591342199,"pkt_ts_usec":532606,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"pkt":"AFBW5dKtAAwplUdeCABFAAAoCJRAAEAGuePAqJWBM1Pu26oPAFAppp36aHVupVAQ+NR4cwAA"}
00416{"flow_id":2,"flow_packet_id":10,"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":18,"source":"anydesk.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_ts_sec":1591342199,"pkt_ts_usec":532935,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":25,"pkt":"AAwplUdeAFBW5dKtCABFAAAte1kAAIAGRxkzU+7bwKiVgQBQqg9odW6lKaad+lAY+vDvVAAABA4AAAAA"}
00408{"flow_id":2,"flow_packet_id":11,"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":19,"source":"anydesk.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_ts_sec":1591342199,"pkt_ts_usec":532944,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"pkt":"AFBW5dKtAAwplUdeCABFAAAoCJVAAEAGueLAqJWBM1Pu26oPAFAppp36aHVuqlAQ+NR4cwAA"}
01891{"flow_id":2,"flow_packet_id":12,"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":20,"source":"anydesk.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_ts_sec":1591342199,"pkt_ts_usec":534700,"pkt_caplen":1148,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1148,"pkt_l4_len":1114,"pkt":"AFBW5dKtAAwplUdeCABFAARuCJZAAEAGtZvAqJWBM1Pu26oPAFAppp36aHVuqlAY+NR8uQAAFgMDArYLAAKyAAKvAAKsMIICqDCCAZACAQEwDQYJKoZIhvcNAQELBQAwGTEXMBUGA1UEAwwOQW55RGVzayBDbGllbnQwIBcNMjAwNjA1MDY0NzE5WhgPMjA3MDA1MjQwNjQ3MTlaMBkxFzAVBgNVBAMMDkFueURlc2sgQ2xpZW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2CJZ+76MBIM9tYv4RIU8hggSYQdC1Z23AXHEmEdKU2blbdgJ1JD7560PgYb+jw8lHJ2aspIhYVhj\/mFIIJIgcxgFDLBZ05BdXAEDNouFLA7mGVB17Fc9EwT5sfLnpZdQGBkdOgtch7VHHx4uMIvsbBP1vA1Wz2QCNZAAw6SR08AXXa\/+nMDmvYW5Ya4aF+NUHaF0W1du6kjDzfD0\/Cd+OjMkK9FgLsMv2OPD\/LyNe0ROv0TjYBH8TXFRAMGHpTtCDnQLRgU\/z4IxKakjhbVmIDIpMosDKrW1LtcJjuBFOjuYzuc7ywkcx40R3pjdf0nUbncZT8AQdDK2nm\/ZdDQH+wIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQA+rEBC06lmi6Y8ghSh5ga6+M5IqGE205kqOSIIgb2om86\/CVyeHNN\/+8w\/9\/lO7sGX\/ZwFhkUWK+AQANiTxUbOcOyCBJcsHNiDzYN2snA9OhvXtRc55WoaQ6\/EaLCZ+dge221DKm3nLNfUDTIJCVl\/AN4FDciFCdA9OTyz9XmP2n86iEe5uobdxXoDtyad6MCDLZP+EXGyrhFzaTnf8Grkt4ggvJA+qmnE04fq1F868g9vkFZE8C8QcKkaNbJ3SyYld5nGbCCXjJPLGs+JVN1Xi1TQmNt9P2cJ1\/q0cBHUEkKcQZNBUxcvzD1GJiNEgDvqsPXy\/algtmd1y3KFFhoGFgMDAEYQAABCQQTn1vQPBEkcOQdImspLS+wT75p5cEpgvfpCz9Nj+aFOSNDMoeNgtZAANrNPK1339MpexyXDDmFgRrYTF5Uz8fBpFgMDAQgPAAEEBgEBADEA+25yugCgnYwr5qC+9eFazDm0g8fRRon26LpUWQMM21OuJ0pWi+aEwKNm9Hjx2fddVjECNjd6mVWRNtioH5t2qidvzxvr+cx7WPnSsWQXpMXAnFllUa\/U0Gs5VrIH2aqLbbv+3VPC7NnrLG3yowRb8JeKnSlLC0yubVMncjgwK0fJCH3md2oD5vgm1UYgYGlqEc9wvrioj8x0LniF73CauQACXL4qqgUEaQEHkqy60tYQpUdwkvD7vy7cIBaMw+H5gGIJ6phYrQLLDdJ4AYW\/3Z0pN6RwzNfPxJ519N8c4ssJrnwlnC9boYyx7zxeoCXz0zYFWmyBYgK8bZOiUwkUAwMAAQEWAwMAKKTfy7rSd5wySnHcBvqlfzZxM2OpA5CgVEJH9y2sl4I4KAEkx0+5214="}
00416{"flow_id":2,"flow_packet_id":13,"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":21,"source":"anydesk.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_ts_sec":1591342199,"pkt_ts_usec":534956,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"pkt":"AAwplUdeAFBW5dKtCABFAAAoe1oAAIAGRx0zU+7bwKiVgQBQqg9odW6qKaaiQFAQ+vDvJAAAAAAAAAAA"}
00478{"flow_id":2,"flow_packet_id":14,"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":22,"source":"anydesk.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_ts_sec":1591342199,"pkt_ts_usec":699842,"pkt_caplen":105,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":105,"pkt_l4_len":71,"pkt":"AAwplUdeAFBW5dKtCABFAABbe1sAAIAGRukzU+7bwKiVgQBQqg9odW6qKaaiQFAY+vB2YAAAFAMDAAEBFgMDACi4iiS75ftB9gM9aj9+xuZ4lRQvtRoX8YpGHm1rLD+ZptnwWDmjbYq4"}
00408{"flow_id":2,"flow_packet_id":15,"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":23,"source":"anydesk.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_ts_sec":1591342199,"pkt_ts_usec":699869,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"pkt":"AFBW5dKtAAwplUdeCABFAAAoCJdAAEAGueDAqJWBM1Pu26oPAFAppqJAaHVu3VAQ+NR4cwAA"}
00478{"flow_id":1,"flow_packet_id":9,"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":675,"source":"anydesk.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_ts_sec":1591342214,"pkt_ts_usec":31681,"pkt_caplen":105,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":105,"pkt_l4_len":71,"pkt":"AFBW5dKtAAwplUdeCABFAABbto5AAEAGCwHAqJWBM1PvkI3\/AFB7i56NMVwTIlAY+DR5WwAAFwMDAC7mz9mv7V5oqQRiiK1BmntnBec1wc6utyo8wHetLW4+4vpxLCxi5CGV1lyg9OUE"}
00416{"flow_id":1,"flow_packet_id":10,"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":676,"source":"anydesk.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_ts_sec":1591342214,"pkt_ts_usec":31959,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"pkt":"AAwplUdeAFBW5dKtCABFAAAofKsAAIAGRRczU++QwKiVgQBQjf8xXBMie4uewFAQ+vBOvAAAAAAAAAAA"}
00480{"flow_id":1,"flow_packet_id":11,"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":740,"source":"anydesk.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_ts_sec":1591342214,"pkt_ts_usec":255944,"pkt_caplen":103,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":103,"pkt_l4_len":69,"pkt":"AAwplUdeAFBW5dKtCABFAABZfM4AAIAGRMMzU++QwKiVgQBQjf8xXBMie4uewFAY+vBbDwAAFwMDACwkrUQuni1bFVh+peWRbnlsLw+6JDYDm31RWqGf060eD0C3WeR2ucetl5\/1QQ=="}
00410{"flow_id":1,"flow_packet_id":12,"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":741,"source":"anydesk.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_ts_sec":1591342214,"pkt_ts_usec":255969,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"pkt":"AFBW5dKtAAwplUdeCABFAAAoto9AAEAGCzPAqJWBM1PvkI3\/AFB7i57AMVwTU1AQ+DR5KAAA"}
00483{"flow_id":1,"flow_packet_id":13,"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3394,"source":"anydesk.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_ts_sec":1591342229,"pkt_ts_usec":256699,"pkt_caplen":105,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":105,"pkt_l4_len":71,"pkt":"AFBW5dKtAAwplUdeCABFAABbtpBAAEAGCv\/AqJWBM1PvkI3\/AFB7i57AMVwTU1AY+DR5WwAAFwMDAC7mz9mv7V5oqiGs9UmHGy59yVVeeA5lJVIYioWWJ6DRPZ7\/AKPnOzRdEdmukW2o"}
00418{"flow_id":1,"flow_packet_id":14,"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3395,"source":"anydesk.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_ts_sec":1591342229,"pkt_ts_usec":256927,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"pkt":"AAwplUdeAFBW5dKtCABFAAAogvwAAIAGPsYzU++QwKiVgQBQjf8xXBNTe4ue81AQ+vBOWAAAAAAAAAAA"}
00481{"flow_id":1,"flow_packet_id":15,"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3423,"source":"anydesk.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_ts_sec":1591342229,"pkt_ts_usec":454086,"pkt_caplen":103,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":103,"pkt_l4_len":69,"pkt":"AAwplUdeAFBW5dKtCABFAABZgw0AAIAGPoQzU++QwKiVgQBQjf8xXBNTe4ue81AY+vB\/XQAAFwMDACwkrUQuni1bFlXQfhlbpM1ompEjuxnWze1GuQIrlqNjGlJEE1Ae4+mTb0GZcg=="}
00558{"flow_event_id":4,"flow_event_name":"guessed","thread_id":0,"packet_id":6963,"source":"anydesk.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":20,"flow_first_seen":1591342198821,"flow_last_seen":1591342244652,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":159,"flow_tot_l4_payload_len":607,"flow_avg_l4_payload_len":30,"midstream":1,"l3_proto":"ip4","src_ip":"192.168.149.129","dst_ip":"51.83.239.144","src_port":36351,"dst_port":80,"l4_proto":"tcp","ndpi": {"proto":"HTTP.AnyDesk","breed":"Acceptable","category":"RemoteAccess"},"http": {}}
00504{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":6963,"source":"anydesk.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":20,"flow_first_seen":1591342198821,"flow_last_seen":1591342244652,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":159,"flow_tot_l4_payload_len":607,"flow_avg_l4_payload_len":30,"midstream":1,"l3_proto":"ip4","src_ip":"192.168.149.129","dst_ip":"51.83.239.144","src_port":36351,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":15}
00512{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":6963,"source":"anydesk.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":6943,"flow_first_seen":1591342199201,"flow_last_seen":1591342255171,"flow_min_l4_payload_len":0,"flow_max_l4_payload_len":1460,"flow_tot_l4_payload_len":2417415,"flow_avg_l4_payload_len":348,"midstream":0,"l3_proto":"ip4","src_ip":"192.168.149.129","dst_ip":"51.83.238.219","src_port":43535,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":15}
00129{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":6963,"source":"anydesk.pcap","alias":"nDPId-test"}
~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
~~ packets captured/processed: 6963/6963
~~ skipped flows.............: 0
~~ total layer4 data length..: 2557306 bytes
~~ total detected protocols..: 1
~~ total active/idle flows...: 2/2
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ total memory allocated....: 5043029 bytes
~~ total memory freed........: 5043029 bytes
~~ total allocations/frees...: 65332/65332
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~