Add DingTalk protocol support

ntop · Oct 7, 2024 · f2f951d · f2f951d
1 parent 7629b94
commit f2f951d
Show file tree

Hide file tree

Showing 129 changed files with 240 additions and 122 deletions.
diff --git a/doc/protocols.rst b/doc/protocols.rst
@@ -974,3 +974,21 @@ References: `Main site: <https://cactusvpn.com/>`_
 Windscribe is a commercial, cross-platform virtual private network (VPN) service provider based in Canada.
 
 References: `Main site: <https://windscribe.com/>`_
+
+
+.. _Proto 430:
+
+`NDPI_PROTOCOL_SONOS`
+=========================
+Sonos is a company that provides high-quality, wireless sound systems allowing users to stream audio through a variety of speakers seamlessly throughout their home.
+
+References: `Main site: <https://www.sonos.com/>`_
+
+
+.. _Proto 431:
+
+`NDPI_PROTOCOL_DINGTALK`
+=========================
+DingTalk is a versatile communication and collaboration platform developed by Alibaba Group.
+
+References: `Main site: <https://www.dingtalk.com/en>`_
diff --git a/src/include/ndpi_private.h b/src/include/ndpi_private.h
@@ -956,6 +956,7 @@ void init_cnp_ip_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_i
 void init_atg_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id);
 void init_trdp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id);
 void init_lustre_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id);
+void init_dingtalk_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id);
 
 #endif
 

diff --git a/src/include/ndpi_protocol_ids.h b/src/include/ndpi_protocol_ids.h
@@ -459,6 +459,7 @@ typedef enum {
   NDPI_PROTOCOL_CACTUSVPN             = 428,
   NDPI_PROTOCOL_WINDSCRIBE            = 429,
   NDPI_PROTOCOL_SONOS                 = 430,
+  NDPI_PROTOCOL_DINGTALK              = 431,
 
 #ifdef CUSTOM_NDPI_PROTOCOLS
 #include "../../../nDPI-custom/custom_ndpi_protocol_ids.h"

diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
@@ -2379,6 +2379,10 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
 			  "Lustre", NDPI_PROTOCOL_CATEGORY_DATA_TRANSFER,
 			  ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
 			  ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
+  ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DINGTALK,
+			  "DingTalk", NDPI_PROTOCOL_CATEGORY_CHAT,
+			  ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
+			  ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
 
 #ifdef CUSTOM_NDPI_PROTOCOLS
 #include "../../../nDPI-custom/custom_ndpi_main.c"
@@ -6356,6 +6360,9 @@ static int ndpi_callback_init(struct ndpi_detection_module_struct *ndpi_str) {
   /* Lustre */
   init_lustre_dissector(ndpi_str, &a);
 
+  /* DingTalk */
+  init_dingtalk_dissector(ndpi_str, &a);
+
 #ifdef CUSTOM_NDPI_PROTOCOLS
 #include "../../../nDPI-custom/custom_ndpi_main_init.c"
 #endif

diff --git a/src/lib/protocols/dingtalk.c b/src/lib/protocols/dingtalk.c
@@ -0,0 +1,62 @@
+/*
+ * dingtalk.c
+ *
+ * Copyright (C) 2024 - ntop.org
+ * Copyright (C) 2024 - V.G <v.gavrilov@securitycode.ru>
+ *
+ * This file is part of nDPI, an open source deep packet inspection
+ * library based on the OpenDPI and PACE technology by ipoque GmbH
+ *
+ * nDPI is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * nDPI is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with nDPI.  If not, see <http://www.gnu.org/licenses/>.
+ * 
+ */
+
+#include "ndpi_protocol_ids.h"
+
+#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_DINGTALK
+
+#include "ndpi_api.h"
+#include "ndpi_private.h"
+
+static void ndpi_search_dingtalk(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
+{
+  struct ndpi_packet_struct const * const packet = &ndpi_struct->packet;
+
+  NDPI_LOG_DBG(ndpi_struct, "search DingTalk\n");
+
+  if (packet->payload_packet_len > 90 && packet->payload[0] == 0x10)
+  {
+    if (get_u_int32_t(packet->payload, 2) == 0x18087 && get_u_int32_t(packet->payload, 6) == 0x20001 &&
+        get_u_int32_t(packet->payload, 10) == 0x36B6402 && get_u_int16_t(packet->payload, 14) == 0x2000)
+    {
+      NDPI_LOG_INFO(ndpi_struct, "found DingTalk\n");
+      ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DINGTALK,
+                                 NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
+      return;
+    }
+  }
+
+  NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+}
+
+void init_dingtalk_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id)
+{
+  ndpi_set_bitmask_protocol_detection("DingTalk", ndpi_struct, *id,
+				      NDPI_PROTOCOL_DINGTALK,
+				      ndpi_search_dingtalk,
+				      NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
+				      SAVE_DETECTION_BITMASK_AS_UNKNOWN,
+				      ADD_TO_DETECTION_BITMASK);
+  *id += 1;
+}
diff --git a/tests/cfgs/caches_cfg/result/ookla.pcap.out b/tests/cfgs/caches_cfg/result/ookla.pcap.out
@@ -3,7 +3,7 @@ Guessed flow protos:	1
 DPI Packets (TCP):	40	(6.67 pkts/flow)
 Confidence Match by port    : 1 (flows)
 Confidence DPI              : 5 (flows)
-Num dissector calls: 580 (96.67 diss/flow)
+Num dissector calls: 583 (97.17 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/3/0 (insert/search/found)
 LRU cache stun:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/caches_cfg/result/teams.pcap.out b/tests/cfgs/caches_cfg/result/teams.pcap.out
@@ -7,7 +7,7 @@ Confidence Unknown          : 1 (flows)
 Confidence Match by port    : 1 (flows)
 Confidence DPI (partial)    : 1 (flows)
 Confidence DPI              : 80 (flows)
-Num dissector calls: 521 (6.28 diss/flow)
+Num dissector calls: 522 (6.29 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/9/0 (insert/search/found)
 LRU cache stun:       30/0/0 (insert/search/found)

diff --git a/tests/cfgs/caches_global/result/ookla.pcap.out b/tests/cfgs/caches_global/result/ookla.pcap.out
@@ -4,7 +4,7 @@ DPI Packets (TCP):	40	(6.67 pkts/flow)
 Confidence DPI (partial cache): 1 (flows)
 Confidence DPI              : 4 (flows)
 Confidence DPI (aggressive) : 1 (flows)
-Num dissector calls: 580 (96.67 diss/flow)
+Num dissector calls: 583 (97.17 diss/flow)
 LRU cache ookla:      4/2/2 (insert/search/found)
 LRU cache bittorrent: 0/3/0 (insert/search/found)
 LRU cache stun:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/caches_global/result/teams.pcap.out b/tests/cfgs/caches_global/result/teams.pcap.out
@@ -7,7 +7,7 @@ Confidence Unknown          : 1 (flows)
 Confidence Match by port    : 1 (flows)
 Confidence DPI (partial)    : 5 (flows)
 Confidence DPI              : 76 (flows)
-Num dissector calls: 521 (6.28 diss/flow)
+Num dissector calls: 522 (6.29 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/9/0 (insert/search/found)
 LRU cache stun:       30/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/pcap/dingtalk.pcap b/tests/cfgs/default/pcap/dingtalk.pcap
diff --git a/tests/cfgs/default/result/1kxun.pcap.out b/tests/cfgs/default/result/1kxun.pcap.out
@@ -5,7 +5,7 @@ DPI Packets (UDP):	120	(1.21 pkts/flow)
 Confidence Unknown          : 14 (flows)
 Confidence Match by port    : 6 (flows)
 Confidence DPI              : 177 (flows)
-Num dissector calls: 5024 (25.50 diss/flow)
+Num dissector calls: 5027 (25.52 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/60/0 (insert/search/found)
 LRU cache stun:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/443-chrome.pcap.out b/tests/cfgs/default/result/443-chrome.pcap.out
@@ -2,7 +2,7 @@ Guessed flow protos:	1
 
 DPI Packets (TCP):	1	(1.00 pkts/flow)
 Confidence Match by port    : 1 (flows)
-Num dissector calls: 155 (155.00 diss/flow)
+Num dissector calls: 156 (156.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/3/0 (insert/search/found)
 LRU cache stun:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/443-opvn.pcap.out b/tests/cfgs/default/result/443-opvn.pcap.out
@@ -1,6 +1,6 @@
 DPI Packets (TCP):	6	(6.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 156 (156.00 diss/flow)
+Num dissector calls: 157 (157.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache stun:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/KakaoTalk_chat.pcap.out b/tests/cfgs/default/result/KakaoTalk_chat.pcap.out
@@ -5,7 +5,7 @@ DPI Packets (UDP):	36	(2.00 pkts/flow)
 DPI Packets (other):	1	(1.00 pkts/flow)
 Confidence Match by port    : 5 (flows)
 Confidence DPI              : 33 (flows)
-Num dissector calls: 552 (14.53 diss/flow)
+Num dissector calls: 554 (14.58 diss/flow)
 LRU cache ookla:      0/1/0 (insert/search/found)
 LRU cache bittorrent: 0/15/0 (insert/search/found)
 LRU cache stun:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/KakaoTalk_talk.pcap.out b/tests/cfgs/default/result/KakaoTalk_talk.pcap.out
@@ -5,7 +5,7 @@ DPI Packets (UDP):	10	(2.00 pkts/flow)
 Confidence Match by port    : 8 (flows)
 Confidence DPI              : 11 (flows)
 Confidence Match by IP      : 1 (flows)
-Num dissector calls: 1230 (61.50 diss/flow)
+Num dissector calls: 1234 (61.70 diss/flow)
 LRU cache ookla:      0/2/0 (insert/search/found)
 LRU cache bittorrent: 0/27/0 (insert/search/found)
 LRU cache stun:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/Oscar.pcap.out b/tests/cfgs/default/result/Oscar.pcap.out
@@ -2,7 +2,7 @@ Guessed flow protos:	1
 
 DPI Packets (TCP):	21	(21.00 pkts/flow)
 Confidence Match by port    : 1 (flows)
-Num dissector calls: 256 (256.00 diss/flow)
+Num dissector calls: 257 (257.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/3/0 (insert/search/found)
 LRU cache stun:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/alexa-app.pcapng.out b/tests/cfgs/default/result/alexa-app.pcapng.out
@@ -5,7 +5,7 @@ DPI Packets (UDP):	64	(1.94 pkts/flow)
 DPI Packets (other):	6	(1.00 pkts/flow)
 Confidence Match by port    : 14 (flows)
 Confidence DPI              : 146 (flows)
-Num dissector calls: 569 (3.56 diss/flow)
+Num dissector calls: 570 (3.56 diss/flow)
 LRU cache ookla:      0/5/0 (insert/search/found)
 LRU cache bittorrent: 0/42/0 (insert/search/found)
 LRU cache stun:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/amqp.pcap.out b/tests/cfgs/default/result/amqp.pcap.out
@@ -1,6 +1,6 @@
 DPI Packets (TCP):	9	(3.00 pkts/flow)
 Confidence DPI              : 3 (flows)
-Num dissector calls: 380 (126.67 diss/flow)
+Num dissector calls: 381 (127.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache stun:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/anyconnect-vpn.pcap.out b/tests/cfgs/default/result/anyconnect-vpn.pcap.out
@@ -6,7 +6,7 @@ DPI Packets (other):	10	(1.00 pkts/flow)
 Confidence Unknown          : 2 (flows)
 Confidence Match by port    : 6 (flows)
 Confidence DPI              : 61 (flows)
-Num dissector calls: 814 (11.80 diss/flow)
+Num dissector calls: 815 (11.81 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/24/0 (insert/search/found)
 LRU cache stun:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/bfcp.pcapng.out b/tests/cfgs/default/result/bfcp.pcapng.out
@@ -1,7 +1,7 @@
 DPI Packets (TCP):	6	(6.00 pkts/flow)
 DPI Packets (UDP):	2	(2.00 pkts/flow)
 Confidence DPI              : 2 (flows)
-Num dissector calls: 336 (168.00 diss/flow)
+Num dissector calls: 337 (168.50 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache stun:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/bittorrent_tcp_miss.pcapng.out b/tests/cfgs/default/result/bittorrent_tcp_miss.pcapng.out
@@ -1,6 +1,6 @@
 DPI Packets (TCP):	10	(10.00 pkts/flow)
 Confidence DPI (cache)      : 1 (flows)
-Num dissector calls: 240 (240.00 diss/flow)
+Num dissector calls: 241 (241.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 10/1/1 (insert/search/found)
 LRU cache stun:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/cassandra.pcap.out b/tests/cfgs/default/result/cassandra.pcap.out
@@ -1,6 +1,6 @@
 DPI Packets (TCP):	16	(5.33 pkts/flow)
 Confidence DPI              : 3 (flows)
-Num dissector calls: 313 (104.33 diss/flow)
+Num dissector calls: 315 (105.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache stun:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/cloudflare-warp.pcap.out b/tests/cfgs/default/result/cloudflare-warp.pcap.out
@@ -5,7 +5,7 @@ DPI Packets (UDP):	1	(1.00 pkts/flow)
 Confidence Match by port    : 2 (flows)
 Confidence DPI              : 6 (flows)
 Confidence Match by IP      : 1 (flows)
-Num dissector calls: 350 (38.89 diss/flow)
+Num dissector calls: 351 (39.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/9/0 (insert/search/found)
 LRU cache stun:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/codm.pcap.out b/tests/cfgs/default/result/codm.pcap.out
@@ -1,7 +1,7 @@
 DPI Packets (TCP):	7	(7.00 pkts/flow)
 DPI Packets (UDP):	5	(2.50 pkts/flow)
 Confidence DPI              : 3 (flows)
-Num dissector calls: 477 (159.00 diss/flow)
+Num dissector calls: 478 (159.33 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache stun:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/custom_rules_same-ip_multiple_ports.pcapng.out b/tests/cfgs/default/result/custom_rules_same-ip_multiple_ports.pcapng.out
@@ -26,6 +26,6 @@ CustomProtocolC	3	222	1
 
 Acceptable                       8 592           3            
 
-	1	TCP 192.168.1.245:56866 -> 3.3.3.3:443 [proto: 91.437/TLS.CustomProtocolA][IP: 437/CustomProtocolA][Encrypted][Confidence: Match by custom rule][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 1][cat: Web/5][3 pkts/222 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][3.05 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	1	TCP 192.168.1.245:56866 -> 3.3.3.3:443 [proto: 91.438/TLS.CustomProtocolA][IP: 438/CustomProtocolA][Encrypted][Confidence: Match by custom rule][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 1][cat: Web/5][3 pkts/222 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][3.05 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	2	TCP 192.168.1.245:58288 -> 3.3.3.3:446 [proto: 800/CustomProtocolC][IP: 800/CustomProtocolC][ClearText][Confidence: Match by custom rule][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 1][3 pkts/222 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][3.04 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	3	TCP 192.168.1.245:59682 -> 3.3.3.3:444 [proto: 438/CustomProtocolB][IP: 438/CustomProtocolB][ClearText][Confidence: Match by custom rule][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 1][2 pkts/148 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][1.02 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	3	TCP 192.168.1.245:59682 -> 3.3.3.3:444 [proto: 439/CustomProtocolB][IP: 439/CustomProtocolB][ClearText][Confidence: Match by custom rule][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 1][2 pkts/148 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][1.02 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/cfgs/default/result/dingtalk.pcap.out b/tests/cfgs/default/result/dingtalk.pcap.out
@@ -0,0 +1,27 @@
+DPI Packets (TCP):	4	(4.00 pkts/flow)
+Confidence DPI              : 1 (flows)
+Num dissector calls: 156 (156.00 diss/flow)
+LRU cache ookla:      0/0/0 (insert/search/found)
+LRU cache bittorrent: 0/0/0 (insert/search/found)
+LRU cache stun:       0/0/0 (insert/search/found)
+LRU cache tls_cert:   0/0/0 (insert/search/found)
+LRU cache mining:     0/0/0 (insert/search/found)
+LRU cache msteams:    0/0/0 (insert/search/found)
+LRU cache fpc_dns:    0/1/0 (insert/search/found)
+Automa host:          0/0 (search/found)
+Automa domain:        0/0 (search/found)
+Automa tls cert:      0/0 (search/found)
+Automa risk mask:     0/0 (search/found)
+Automa common alpns:  0/0 (search/found)
+Patricia risk mask:   0/0 (search/found)
+Patricia risk mask IPv6: 0/0 (search/found)
+Patricia risk:        0/0 (search/found)
+Patricia risk IPv6:   0/0 (search/found)
+Patricia protocols:   1/1 (search/found)
+Patricia protocols IPv6: 0/0 (search/found)
+
+DingTalk	4	292	1
+
+Acceptable                       4 292           1            
+
+	1	TCP 10.215.173.1:48910 <-> 47.246.133.39:443 [proto: 431/DingTalk][IP: 274/Alibaba][ClearText][Confidence: DPI][FPC: 274/Alibaba, Confidence: IP address][DPI packets: 4][cat: Chat/9][3 pkts/244 bytes <-> 1 pkts/48 bytes][Goodput ratio: 42/0][0.02 sec][PLAIN TEXT (android/3.0.28)][Plen Bins: 0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/cfgs/default/result/elf.pcap.out b/tests/cfgs/default/result/elf.pcap.out
@@ -1,7 +1,7 @@
 DPI Packets (TCP):	10	(10.00 pkts/flow)
 DPI Packets (UDP):	2	(2.00 pkts/flow)
 Confidence Unknown          : 2 (flows)
-Num dissector calls: 339 (169.50 diss/flow)
+Num dissector calls: 340 (170.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/6/0 (insert/search/found)
 LRU cache stun:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/emotet.pcap.out b/tests/cfgs/default/result/emotet.pcap.out
@@ -1,6 +1,6 @@
 DPI Packets (TCP):	48	(8.00 pkts/flow)
 Confidence DPI              : 6 (flows)
-Num dissector calls: 226 (37.67 diss/flow)
+Num dissector calls: 227 (37.83 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache stun:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/fastcgi.pcap.out b/tests/cfgs/default/result/fastcgi.pcap.out
@@ -1,6 +1,6 @@
 DPI Packets (TCP):	6	(6.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 176 (176.00 diss/flow)
+Num dissector calls: 177 (177.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache stun:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/ftp-start-tls.pcap.out b/tests/cfgs/default/result/ftp-start-tls.pcap.out
@@ -1,6 +1,6 @@
 DPI Packets (TCP):	17	(17.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 179 (179.00 diss/flow)
+Num dissector calls: 180 (180.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache stun:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/ftp.pcap.out b/tests/cfgs/default/result/ftp.pcap.out
@@ -1,7 +1,7 @@
 DPI Packets (TCP):	39	(13.00 pkts/flow)
 Confidence Unknown          : 1 (flows)
 Confidence DPI              : 2 (flows)
-Num dissector calls: 546 (182.00 diss/flow)
+Num dissector calls: 548 (182.67 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/3/0 (insert/search/found)
 LRU cache stun:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/ftp_failed.pcap.out b/tests/cfgs/default/result/ftp_failed.pcap.out
@@ -1,6 +1,6 @@
 DPI Packets (TCP):	8	(8.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 177 (177.00 diss/flow)
+Num dissector calls: 178 (178.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache stun:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/fuzz-2006-06-26-2594.pcap.out b/tests/cfgs/default/result/fuzz-2006-06-26-2594.pcap.out
@@ -6,7 +6,7 @@ DPI Packets (other):	5	(1.00 pkts/flow)
 Confidence Unknown          : 34 (flows)
 Confidence Match by port    : 28 (flows)
 Confidence DPI              : 189 (flows)
-Num dissector calls: 7837 (31.22 diss/flow)
+Num dissector calls: 7850 (31.27 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/192/0 (insert/search/found)
 LRU cache stun:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/fuzz-2006-09-29-28586.pcap.out b/tests/cfgs/default/result/fuzz-2006-09-29-28586.pcap.out
@@ -5,7 +5,7 @@ DPI Packets (other):	1	(1.00 pkts/flow)
 Confidence Unknown          : 3 (flows)
 Confidence Match by port    : 25 (flows)
 Confidence DPI              : 12 (flows)
-Num dissector calls: 1194 (29.85 diss/flow)
+Num dissector calls: 1200 (30.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/84/0 (insert/search/found)
 LRU cache stun:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/fuzz-2021-10-13.pcap.out b/tests/cfgs/default/result/fuzz-2021-10-13.pcap.out
@@ -1,6 +1,6 @@
 DPI Packets (TCP):	1	(1.00 pkts/flow)
 Confidence Unknown          : 1 (flows)
-Num dissector calls: 153 (153.00 diss/flow)
+Num dissector calls: 154 (154.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/3/0 (insert/search/found)
 LRU cache stun:       0/0/0 (insert/search/found)