ntop · IvanNardi · Jun 23, 2023 · Apr 25, 2023
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
@@ -807,9 +807,6 @@ struct ndpi_flow_tcp_struct {
   /* NDPI_PROTOCOL_WORLDOFWARCRAFT */
   u_int32_t wow_stage:2;
 
-  /* NDPI_PROTOCOL_RTP */
-  u_int32_t rtp_special_packets_seen:1;
-
   /* NDPI_PROTOCOL_MAIL_POP */
   u_int32_t mail_pop_stage:2;
 
@@ -848,6 +845,9 @@ struct ndpi_flow_udp_struct {
   /* NDPI_PROTOCOL_XBOX */
   u_int32_t xbox_stage:1;
 
+  /* NDPI_PROTOCOL_RTP */
+  u_int32_t rtp_stage:2;
+
   /* NDPI_PROTOCOL_QUIC */
   u_int32_t quic_0rtt_found:1;
   u_int32_t quic_vn_pair:1;

diff --git a/src/lib/protocols/rtp.c b/src/lib/protocols/rtp.c
@@ -28,10 +28,25 @@
 
 #include "ndpi_api.h"
 
+#define RTP_MIN_HEADER	12
+#define RTCP_MIN_HEADER	8
 
-/* http://www.myskypelab.com/2014/05/microsoft-lync-wireshark-plugin.html */
+enum {
+  NO_RTP_RTCP = 0,
+  IS_RTP = 1,
+  IS_RTCP = 2,
+};
 
-static u_int8_t isValidMSRTPType(u_int8_t payloadType, enum ndpi_rtp_stream_type *s_type) {
+/* https://www.iana.org/assignments/rtp-parameters/rtp-parameters.xhtml */
+int is_valid_rtp_payload_type(uint8_t type)
+{
+  if(!(type <= 34 || (type >= 96 && type <= 127)))
+    return 0;
+  return 1;
+}
+
+u_int8_t rtp_get_stream_type(u_int8_t payloadType, enum ndpi_rtp_stream_type *s_type)
+{
   switch(payloadType) {
   case 0: /* G.711 u-Law */
   case 3: /* GSM 6.10 */
@@ -71,14 +86,14 @@ static u_int8_t isValidMSRTPType(u_int8_t payloadType, enum ndpi_rtp_stream_type
     return(2 /* RTCP */);
 
   default:
+    *s_type = rtp_unknown;
     return(0);
   }
 }
 
-int is_valid_rtp_payload_type(uint8_t type)
+static int is_valid_rtcp_payload_type(uint8_t type)
 {
-  /* https://www.iana.org/assignments/rtp-parameters/rtp-parameters.xhtml */
-  return type <= 34 || (type >= 96 && type <= 127);
+  return (type >= 192 && type <= 213);
 }
 
 /* *************************************************************** */
@@ -165,25 +180,83 @@ static u_int8_t isZoom(struct ndpi_flow_struct *flow,
   return(0);
 }
 
+int is_rtp_or_rtcp(struct ndpi_detection_module_struct *ndpi_struct,
+		   struct ndpi_flow_struct *flow)
+{
+  struct ndpi_packet_struct *packet = &ndpi_struct->packet;
+  u_int8_t padding, csrc_count, ext_header;
+  u_int16_t ext_len;
+  u_int32_t min_len;
+  const u_int8_t *payload = packet->payload;
+  const u_int16_t payload_len = packet->payload_packet_len;
+
+  if(payload_len < 2)
+    return NO_RTP_RTCP;
+
+  if((payload[0] & 0xC0) != 0x80) { /* Version 2 */
+    NDPI_LOG_DBG(ndpi_struct, "Not version 2\n");
+    return NO_RTP_RTCP;
+  }
+
+  if(is_valid_rtp_payload_type(payload[1] & 0x7F) &&
+     payload_len >= RTP_MIN_HEADER) {
+    /* RTP */
+    csrc_count = payload[0] & 0x0F;
+    padding = payload[0] & 0x20;
+    ext_header =  !!(payload[0] & 0x10);
+    min_len = RTP_MIN_HEADER + 4 * csrc_count + 4 * ext_header;
+    if(ext_header) {
+      if(min_len > payload_len) {
+        NDPI_LOG_DBG(ndpi_struct, "Too short (a) %d vs %d\n", min_len, payload_len);
+        return NO_RTP_RTCP;
+      }
+      ext_len = ntohs(*(unsigned short *)&payload[min_len - 2]);
+      min_len += ext_len * 4;
+    }
+    if(min_len > payload_len) {
+      NDPI_LOG_DBG(ndpi_struct, "Too short (b) %d vs %d\n", min_len, payload_len);
+      return NO_RTP_RTCP;
+    }
+    /* TODO: this check doesn't work if we have multiple RTP packets in the
+       same UDP datagram */
+    if(padding &&
+       min_len + payload[payload_len - 1] > payload_len) {
+      NDPI_LOG_DBG(ndpi_struct, "Invalid padding len %d\n", payload[payload_len - 1]);
+      return NO_RTP_RTCP;
+    }
+    return IS_RTP;
+  } else if(is_valid_rtcp_payload_type(payload[1]) &&
+            payload_len >= RTCP_MIN_HEADER) {
+    min_len = (ntohs(*(unsigned short *)&payload[2]) + 1) * 4;
+    if(min_len > payload_len) {
+      NDPI_LOG_DBG(ndpi_struct, "Too short (c) %d vs %d\n", min_len, payload_len);
+      return NO_RTP_RTCP;
+    }
+    return IS_RTCP;
+  }
+  NDPI_LOG_DBG(ndpi_struct, "not RTP/RTCP\n");
+  return NO_RTP_RTCP;
+}
+
 /* *************************************************************** */
 
 static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct,
-			    struct ndpi_flow_struct *flow,
-			    const u_int8_t * payload, u_int16_t payload_len) {
-  u_int8_t payload_type;
-  u_int16_t s_port = ntohs(ndpi_struct->packet.udp->source), d_port = ntohs(ndpi_struct->packet.udp->dest), payload_offset;
+			    struct ndpi_flow_struct *flow) {
   u_int8_t is_rtp, zoom_stream_type;
+  u_int16_t s_port = ntohs(ndpi_struct->packet.udp->source), d_port = ntohs(ndpi_struct->packet.udp->dest), payload_offset;
+  struct ndpi_packet_struct *packet = &ndpi_struct->packet;
+  const u_int8_t *payload = packet->payload;
+  const u_int16_t payload_len = packet->payload_packet_len;
 
   NDPI_LOG_DBG(ndpi_struct, "search RTP\n");
 
-  if((payload_len < 2)
-     || (d_port == 5355 /* LLMNR_PORT */)
-     || (d_port == 5353 /* MDNS_PORT */)
-     ) {
+  if(d_port == 5355 || /* LLMNR_PORT */
+     d_port == 5353    /* MDNS_PORT */) {
     NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
     return;
   }
 
+  /* TODO: should we move zoom stuff in a new, separated dissector? */
   if(isZoom(flow, s_port, d_port, payload, payload_len,
 	    &is_rtp, &zoom_stream_type, &payload_offset)) {
     if(payload_offset < payload_len) {
@@ -221,42 +294,51 @@ static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct,
     }
   }
 
-  payload_type = payload[1] & 0x7F;
-
-  /* Check whether this is an RTP flow */
-  if((payload_len >= 12)
-     && (((payload[0] & 0xFF) == 0x80)
-	 || ((payload[0] & 0xFF) == 0xA0)
-	 || ((payload[0] & 0xFF) == 0x90)
-	 ) /* RTP magic byte [1] */
-     && ((payload_type < 72) || (payload_type > 76))
-     && (is_valid_rtp_payload_type(payload_type))
-     ) {
-    if(flow->l4.udp.line_pkts[0] >= 2 && flow->l4.udp.line_pkts[1] >= 2) {
-      /* It seems that it is a LINE stuff; let its dissector to evaluate */
-      return;
-    } else {
-      isValidMSRTPType(payload_type, &flow->protos.rtp.stream_type);
-
-      /* Previous pkts were STUN */
-      if(flow->stun.num_binding_requests > 0 ||
-         flow->stun.num_processed_pkts > 0) {
-        NDPI_LOG_INFO(ndpi_struct, "Found RTP (previous traffic was STUN)\n");
-        ndpi_set_detected_protocol(ndpi_struct, flow,
-				   NDPI_PROTOCOL_RTP, NDPI_PROTOCOL_STUN,
-				   NDPI_CONFIDENCE_DPI);
+  /* * Let some "unknown" packets at the beginning
+     * search for 3 consecutive RTP/RTCP packets
+   */
+
+  if(flow->packet_counter > 3 &&
+     flow->l4.udp.rtp_stage == 0) {
+    NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+    return;
+  }
+
+  is_rtp = is_rtp_or_rtcp(ndpi_struct, flow);
+  if(is_rtp == IS_RTP) {
+    if(flow->l4.udp.rtp_stage == 2) {
+      if(flow->l4.udp.line_pkts[0] >= 2 && flow->l4.udp.line_pkts[1] >= 2) {
+        /* It seems that it is a LINE stuff; let its dissector to evaluate */
+      } else if(flow->l4.udp.epicgames_stage > 0) {
+        /* It seems that it is a EpicGames stuff; let its dissector to evaluate */
       } else {
-        NDPI_LOG_INFO(ndpi_struct, "Found RTP\n");
-        ndpi_set_detected_protocol(ndpi_struct, flow,
-				   NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_RTP,
-				   NDPI_CONFIDENCE_DPI);
+        rtp_get_stream_type(payload[1] & 0x7F, &flow->protos.rtp.stream_type);
+
+	/* Previous pkts were STUN */
+        if(flow->stun.num_binding_requests > 0 ||
+           flow->stun.num_processed_pkts > 0) {
+          NDPI_LOG_INFO(ndpi_struct, "Found RTP (previous traffic was STUN)\n");
+          ndpi_set_detected_protocol(ndpi_struct, flow,
+                                     NDPI_PROTOCOL_RTP, NDPI_PROTOCOL_STUN,
+                                     NDPI_CONFIDENCE_DPI);
+        } else {
+          NDPI_LOG_INFO(ndpi_struct, "Found RTP\n");
+          ndpi_set_detected_protocol(ndpi_struct, flow,
+                                     NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_RTP,
+                                     NDPI_CONFIDENCE_DPI);
+	}
       }
       return;
     }
+    flow->l4.udp.rtp_stage += 1;
+  } else if(is_rtp == IS_RTCP && flow->l4.udp.rtp_stage > 0) {
+    /* RTCP after (some) RTP. Keep looking for RTP */
+  } else {
+    if(flow->l4.udp.rtp_stage) {
+      flow->l4.udp.rtp_stage = 0;
+      NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+    }
   }
-
-  /* No luck this time */
-  NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
 }
 
 /* *************************************************************** */
@@ -274,7 +356,7 @@ static void ndpi_search_rtp(struct ndpi_detection_module_struct *ndpi_struct, st
   if((source != 30303) && (dest != 30303 /* Avoid to mix it with Ethereum that looks alike */)
      && (dest > 1023)
      )
-    ndpi_rtp_search(ndpi_struct, flow, packet->payload, packet->payload_packet_len);
+    ndpi_rtp_search(ndpi_struct, flow);
   else
     NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
 }

diff --git a/tests/cfgs/caches_cfg/result/teams.pcap.out b/tests/cfgs/caches_cfg/result/teams.pcap.out
@@ -7,7 +7,7 @@ Confidence Unknown          : 1 (flows)
 Confidence Match by port    : 1 (flows)
 Confidence DPI (partial)    : 1 (flows)
 Confidence DPI              : 80 (flows)
-Num dissector calls: 497 (5.99 diss/flow)
+Num dissector calls: 499 (6.01 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/9/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/pcap/rtcp_multiple_pkts_in_the_same_datagram.pcap b/tests/cfgs/default/pcap/rtcp_multiple_pkts_in_the_same_datagram.pcap
diff --git a/tests/cfgs/default/pcap/rtp.pcapng b/tests/cfgs/default/pcap/rtp.pcapng
diff --git a/tests/cfgs/default/result/1kxun.pcap.out b/tests/cfgs/default/result/1kxun.pcap.out
@@ -5,7 +5,7 @@ DPI Packets (UDP):	120	(1.21 pkts/flow)
 Confidence Unknown          : 14 (flows)
 Confidence Match by port    : 6 (flows)
 Confidence DPI              : 177 (flows)
-Num dissector calls: 4534 (23.02 diss/flow)
+Num dissector calls: 4537 (23.03 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/60/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/4in4tunnel.pcap.out b/tests/cfgs/default/result/4in4tunnel.pcap.out
@@ -2,7 +2,7 @@ Guessed flow protos:	1
 
 DPI Packets (UDP):	5	(5.00 pkts/flow)
 Confidence Unknown          : 1 (flows)
-Num dissector calls: 176 (176.00 diss/flow)
+Num dissector calls: 177 (177.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/3/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/EAQ.pcap.out b/tests/cfgs/default/result/EAQ.pcap.out
@@ -3,7 +3,7 @@ Guessed flow protos:	0
 DPI Packets (TCP):	12	(6.00 pkts/flow)
 DPI Packets (UDP):	116	(4.00 pkts/flow)
 Confidence DPI              : 31 (flows)
-Num dissector calls: 4389 (141.58 diss/flow)
+Num dissector calls: 4397 (141.84 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/FAX-Call-t38-CA-TDM-SIP-FB-1.pcap.out b/tests/cfgs/default/result/FAX-Call-t38-CA-TDM-SIP-FB-1.pcap.out
@@ -1,8 +1,8 @@
 Guessed flow protos:	0
 
-DPI Packets (UDP):	5	(1.00 pkts/flow)
+DPI Packets (UDP):	7	(1.40 pkts/flow)
 Confidence DPI              : 5 (flows)
-Num dissector calls: 7 (1.40 diss/flow)
+Num dissector calls: 135 (27.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
@@ -24,7 +24,7 @@ RTP	1330	182702	1
 SIP	92	52851	3
 Megaco	130	23570	1
 
-	1	UDP 10.35.60.100:15580 <-> 10.23.1.52:16756 [proto: 87/RTP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Media/1][159 pkts/33872 bytes <-> 1171 pkts/148830 bytes][Goodput ratio: 80/66][37.44 sec][RTP Stream Type: audio][bytes ratio: -0.629 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 20/30 81/286 7/49][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 213/127 214/214 12/32][PLAIN TEXT (UUUUUU)][Plen Bins: 0,0,50,0,0,49,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	1	UDP 10.35.60.100:15580 <-> 10.23.1.52:16756 [proto: 87/RTP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 3][cat: Media/1][159 pkts/33872 bytes <-> 1171 pkts/148830 bytes][Goodput ratio: 80/66][37.44 sec][RTP Stream Type: audio][bytes ratio: -0.629 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 20/30 81/286 7/49][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 213/127 214/214 12/32][PLAIN TEXT (UUUUUU)][Plen Bins: 0,0,50,0,0,49,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	2	UDP 10.35.40.25:5060 <-> 10.35.40.200:5060 [proto: 100/SIP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][22 pkts/13254 bytes <-> 24 pkts/13218 bytes][Goodput ratio: 93/92][83.79 sec][bytes ratio: 0.001 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 3385/1643 27628/17187 8177/4202][Pkt Len c2s/s2c min/avg/max/stddev: 425/304 602/551 923/894 205/186][PLAIN TEXT (INVITE sip)][Plen Bins: 0,0,0,0,0,0,0,0,4,0,8,4,22,18,4,0,8,0,0,0,0,0,0,4,8,4,4,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	3	UDP 10.35.40.22:2944 <-> 10.23.1.42:2944 [proto: 181/Megaco][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][65 pkts/7788 bytes <-> 65 pkts/15782 bytes][Goodput ratio: 65/83][109.25 sec][bytes ratio: -0.339 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1409/1356 4370/4370 1953/1909][Pkt Len c2s/s2c min/avg/max/stddev: 77/101 120/243 583/561 107/94][PLAIN TEXT (555282713)][Plen Bins: 0,48,0,23,0,1,1,21,0,0,1,0,0,0,0,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	4	UDP 10.35.60.72:5060 <-> 10.35.60.100:5060 [proto: 100/SIP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][11 pkts/6627 bytes <-> 12 pkts/6609 bytes][Goodput ratio: 93/92][83.79 sec][bytes ratio: 0.001 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1/19 7451/3699 27579/17188 10544/5458][Pkt Len c2s/s2c min/avg/max/stddev: 425/304 602/551 923/894 205/186][PLAIN TEXT (INVITE sip)][Plen Bins: 0,0,0,0,0,0,0,0,4,0,8,4,22,18,4,0,8,0,0,0,0,0,0,4,8,4,4,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]

diff --git a/tests/cfgs/default/result/KakaoTalk_talk.pcap.out b/tests/cfgs/default/result/KakaoTalk_talk.pcap.out
@@ -1,11 +1,11 @@
 Guessed flow protos:	11
 
 DPI Packets (TCP):	71	(4.73 pkts/flow)
-DPI Packets (UDP):	6	(1.20 pkts/flow)
+DPI Packets (UDP):	10	(2.00 pkts/flow)
 Confidence Match by port    : 8 (flows)
 Confidence DPI              : 11 (flows)
 Confidence Match by IP      : 1 (flows)
-Num dissector calls: 815 (40.75 diss/flow)
+Num dissector calls: 1071 (53.55 diss/flow)
 LRU cache ookla:      0/2/0 (insert/search/found)
 LRU cache bittorrent: 0/27/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
@@ -38,8 +38,8 @@ JA3 Host Stats:
 	1	 10.24.82.188             	 2      
 
 
-	1	UDP 10.24.82.188:11320 <-> 1.201.1.174:23044 [proto: 87/RTP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Media/1][757 pkts/106335 bytes <-> 746 pkts/93906 bytes][Goodput ratio: 69/65][45.42 sec][bytes ratio: 0.062 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 57/48 202/340 49/48][Pkt Len c2s/s2c min/avg/max/stddev: 99/99 140/126 234/236 43/33][PLAIN TEXT (46yOXQ)][Plen Bins: 0,60,19,16,3,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	2	UDP 10.24.82.188:10268 <-> 1.201.1.174:23046 [proto: 87/RTP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Media/1][746 pkts/93906 bytes <-> 742 pkts/104604 bytes][Goodput ratio: 65/69][45.02 sec][bytes ratio: -0.054 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 5/0 58/49 112/476 23/54][Pkt Len c2s/s2c min/avg/max/stddev: 99/99 126/141 236/234 33/43][PLAIN TEXT (46yOXQ)][Plen Bins: 0,61,18,16,3,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	1	UDP 10.24.82.188:11320 <-> 1.201.1.174:23044 [proto: 87/RTP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 3][cat: Media/1][757 pkts/106335 bytes <-> 746 pkts/93906 bytes][Goodput ratio: 69/65][45.42 sec][bytes ratio: 0.062 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 57/48 202/340 49/48][Pkt Len c2s/s2c min/avg/max/stddev: 99/99 140/126 234/236 43/33][PLAIN TEXT (46yOXQ)][Plen Bins: 0,60,19,16,3,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	2	UDP 10.24.82.188:10268 <-> 1.201.1.174:23046 [proto: 87/RTP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 3][cat: Media/1][746 pkts/93906 bytes <-> 742 pkts/104604 bytes][Goodput ratio: 65/69][45.02 sec][bytes ratio: -0.054 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 5/0 58/49 112/476 23/54][Pkt Len c2s/s2c min/avg/max/stddev: 99/99 126/141 236/234 33/43][PLAIN TEXT (46yOXQ)][Plen Bins: 0,61,18,16,3,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	3	TCP 10.24.82.188:58857 <-> 110.76.143.50:9001 [proto: 91.193/TLS.KakaoTalk][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 6][cat: Chat/9][22 pkts/5326 bytes <-> 18 pkts/5212 bytes][Goodput ratio: 72/76][51.59 sec][bytes ratio: 0.011 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 14/0 2358/3528 20472/21237 5098/5912][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 242/290 878/920 254/276][Risk: ** Known Proto on Non Std Port **** Self-signed Cert **** Obsolete TLS (v1.1 or older) **** Weak TLS Cipher **][Risk Score: 350][Risk Info: TLSv1 / Cipher TLS_RSA_WITH_AES_128_CBC_SHA / C=KR, L=Seoul, O=Kakao, CN=Kakao.com][TLSv1][JA3C: 4b79ae67eb3b2cf1c75e68ea0100ca1b][JA3S: 4ea82b75038dd27e8a1cb69d8b839b26 (WEAK)][Issuer: C=KR, L=Seoul, O=Kakao, CN=Kakao.com][Subject: C=KR, L=Seoul, O=Kakao, CN=Kakao.com][Certificate SHA-1: 65:88:37:51:01:AA:1F:12:E4:44:27:52:F9:32:FD:40:94:C1:08:D9][Validity: 2011-12-05 09:19:25 - 2021-12-02 09:19:25][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,0,0,0,5,35,0,5,0,15,5,5,0,0,0,0,0,0,0,0,5,5,0,0,10,5,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	4	TCP 10.24.82.188:32968 <-> 110.76.143.50:8080 [proto: 91.193/TLS.KakaoTalk][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 6][cat: Chat/9][23 pkts/4380 bytes <-> 22 pkts/5728 bytes][Goodput ratio: 64/73][52.84 sec][bytes ratio: -0.133 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 2/0 691/1317 6069/10226 1399/2632][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 190/260 814/920 164/241][Risk: ** Known Proto on Non Std Port **** Self-signed Cert **** Obsolete TLS (v1.1 or older) **** Weak TLS Cipher **][Risk Score: 350][Risk Info: TLSv1 / Expected on port 443 / Cipher TLS_RSA_WITH_AES_128_CBC_SHA / C=KR, L=Seoul, O=Kakao, CN=Kakao.com][TLSv1][JA3C: 4b79ae67eb3b2cf1c75e68ea0100ca1b][JA3S: 4ea82b75038dd27e8a1cb69d8b839b26 (WEAK)][Issuer: C=KR, L=Seoul, O=Kakao, CN=Kakao.com][Subject: C=KR, L=Seoul, O=Kakao, CN=Kakao.com][Certificate SHA-1: 65:88:37:51:01:AA:1F:12:E4:44:27:52:F9:32:FD:40:94:C1:08:D9][Validity: 2011-12-05 09:19:25 - 2021-12-02 09:19:25][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA][Plen Bins: 0,0,0,0,4,48,0,4,0,17,4,4,0,0,0,4,0,0,0,0,0,0,4,4,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	5	TCP 10.24.82.188:59954 <-> 173.252.88.128:443 [proto: 91/TLS][IP: 119/Facebook][Encrypted][Confidence: DPI][DPI packets: 7][cat: Web/5][15 pkts/2932 bytes <-> 14 pkts/1092 bytes][Goodput ratio: 71/27][1.96 sec][bytes ratio: 0.457 (Upload)][IAT c2s/s2c min/avg/max/stddev: 2/0 141/117 494/295 163/92][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 195/78 735/189 228/35][Risk: ** Obsolete TLS (v1.1 or older) **** Malicious JA3 Fingerp. **][Risk Score: 150][Risk Info: TLSv1 / dff8a0aa1c904aaea76c5bf624e88333][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][JA3S: 07dddc59e60135c7b479d39c3ae686af][Cipher: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA][Plen Bins: 30,23,0,0,15,0,7,0,7,0,0,0,0,0,0,0,0,0,0,0,0,15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]

diff --git a/tests/cfgs/default/result/adult_content.pcap.out b/tests/cfgs/default/result/adult_content.pcap.out
@@ -2,7 +2,7 @@ Guessed flow protos:	0
 
 DPI Packets (UDP):	4	(4.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 146 (146.00 diss/flow)
+Num dissector calls: 147 (147.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/3/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/collectd.pcap.out b/tests/cfgs/default/result/collectd.pcap.out
@@ -3,7 +3,7 @@ Guessed flow protos:	3
 DPI Packets (UDP):	13	(1.62 pkts/flow)
 Confidence Match by port    : 3 (flows)
 Confidence DPI              : 5 (flows)
-Num dissector calls: 405 (50.62 diss/flow)
+Num dissector calls: 408 (51.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/9/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/epicgames.pcapng.out b/tests/cfgs/default/result/epicgames.pcapng.out
@@ -2,7 +2,7 @@ Guessed flow protos:	0
 
 DPI Packets (UDP):	12	(3.00 pkts/flow)
 Confidence DPI              : 4 (flows)
-Num dissector calls: 596 (149.00 diss/flow)
+Num dissector calls: 598 (149.50 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)