All protocols should be excluded sooner or later (#1969)

For a lot of protocols, reduce the number of packets after which the protocols dissector gives up. The values are quite arbitary, tring to not impact on classification
ntop · May 10, 2023 · 31d23ae · 31d23ae
1 parent 99d7066
commit 31d23ae
Show file tree

Hide file tree

Showing 100 changed files with 206 additions and 171 deletions.
diff --git a/src/lib/protocols/afp.c b/src/lib/protocols/afp.c
@@ -56,6 +56,8 @@ static void ndpi_search_afp(struct ndpi_detection_module_struct *ndpi_struct, st
 	the initial connection, we need to discard these packets
 	as they are not an indication that this flow is not AFP	
       */
+      if(flow->packet_counter > 5)
+        NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
       return;
     }
 

diff --git a/src/lib/protocols/amqp.c b/src/lib/protocols/amqp.c
@@ -69,6 +69,8 @@ static void ndpi_search_amqp(struct ndpi_detection_module_struct *ndpi_struct, s
 			}
 		}
 	}
+	if(flow->packet_counter > 5)
+		NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
 }
 
 

diff --git a/src/lib/protocols/checkmk.c b/src/lib/protocols/checkmk.c
@@ -40,6 +40,8 @@ static void ndpi_search_checkmk(struct ndpi_detection_module_struct *ndpi_struct
 {
   struct ndpi_packet_struct *packet = &ndpi_struct->packet;
 
+  NDPI_LOG_DBG(ndpi_struct, "search Checkmk\n");
+
   if (packet->payload_packet_len >= 15) {
 
     if(packet->payload_packet_len > 128) {
@@ -48,6 +50,8 @@ static void ndpi_search_checkmk(struct ndpi_detection_module_struct *ndpi_struct
 	the initial connection, we need to discard these packets
 	as they are not an indication that this flow is not AFP
       */
+      if(flow->packet_counter > 6)
+        NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
       return;
     }
 
@@ -58,13 +62,13 @@ static void ndpi_search_checkmk(struct ndpi_detection_module_struct *ndpi_struct
     if (packet->payload_packet_len >= 15 && packet->payload_packet_len < 100
         && memcmp(packet->payload, "<<<check_mk>>>", 14) == 0) {
 
-      NDPI_LOG(NDPI_PROTOCOL_CHECKMK, ndpi_struct, NDPI_LOG_DEBUG, "Check_MK: Flow detected.\n");
+      NDPI_LOG_DBG(ndpi_struct, "Check_MK: Flow detected.\n");
       ndpi_int_checkmk_add_connection(ndpi_struct, flow);
       return;
     }
   }
 
-  NDPI_LOG(NDPI_PROTOCOL_CHECKMK, ndpi_struct, NDPI_LOG_DEBUG, "Check_MK excluded.\n");
+  NDPI_LOG_DBG(ndpi_struct, "Check_MK excluded.\n");
   NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_CHECKMK);
 }
 

diff --git a/src/lib/protocols/corba.c b/src/lib/protocols/corba.c
@@ -41,8 +41,11 @@ static void ndpi_search_corba(struct ndpi_detection_module_struct *ndpi_struct,
        memcmp(packet->payload, "GIOP", 4) == 0) {
       NDPI_LOG_INFO(ndpi_struct, "found corba\n");
       ndpi_int_corba_add_connection(ndpi_struct, flow);
+      return;
     }
   }
+  if(flow->packet_counter > 5)
+    NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
 }
 
 

diff --git a/src/lib/protocols/csgo.c b/src/lib/protocols/csgo.c
@@ -32,6 +32,8 @@ static void ndpi_search_csgo(struct ndpi_detection_module_struct* ndpi_struct, s
   if(packet->udp != NULL) {
     if(packet->payload_packet_len < sizeof(uint32_t)) {
       NDPI_LOG_DBG2(ndpi_struct, "Short csgo packet\n");
+      if(flow->packet_counter > 5)
+        NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
       return;
     }
 

diff --git a/src/lib/protocols/dhcp.c b/src/lib/protocols/dhcp.c
@@ -185,7 +185,8 @@ static void ndpi_search_dhcp_udp(struct ndpi_detection_module_struct *ndpi_struc
           i += len + 2;
         }
       }
-    }
+    } else
+      NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
   }
 }
 

diff --git a/src/lib/protocols/edonkey.c b/src/lib/protocols/edonkey.c
@@ -159,8 +159,8 @@ static void ndpi_check_edonkey(struct ndpi_detection_module_struct *ndpi_struct,
   struct ndpi_packet_struct *packet = &ndpi_struct->packet;
   u_int32_t payload_len = packet->payload_packet_len;
 
-  /* Break after 20 packets. */
-  if(flow->packet_counter > 20) {
+  /* Break after 10 packets. */
+  if(flow->packet_counter > 10) {
     NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
     return;
   }

diff --git a/src/lib/protocols/ftp_control.c b/src/lib/protocols/ftp_control.c
@@ -37,6 +37,7 @@ extern void switch_extra_dissection_to_tls(struct ndpi_detection_module_struct *
 static void ndpi_int_ftp_control_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
 						struct ndpi_flow_struct *flow) {
 
+  NDPI_LOG_INFO(ndpi_struct, "found FTP_CONTROL\n");
   flow->host_server_name[0] = '\0'; /* Remove any data set by other dissectors (eg. SMTP) */
   ndpi_set_detected_protocol(ndpi_struct, flow,
 			     NDPI_PROTOCOL_FTP_CONTROL, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);

diff --git a/src/lib/protocols/nats.c b/src/lib/protocols/nats.c
@@ -44,9 +44,12 @@ static void ndpi_search_nats_tcp(struct ndpi_detection_module_struct *ndpi_struc
   /* Check connection over TCP */
   NDPI_LOG_DBG(ndpi_struct, "search NATS\n");
 
-  if(packet->tcp && (packet->payload_packet_len > 4)) {
+  if(packet->tcp) {
     int i;
 
+    if(packet->payload_packet_len <= 4)
+      NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+
     for(i=0; commands[i] != NULL; i++) {
       int len = ndpi_min(strlen(commands[i]), packet->payload_packet_len);
       int rc = strncmp((const char *)packet->payload, commands[i], len);

diff --git a/src/lib/protocols/oracle.c b/src/lib/protocols/oracle.c
@@ -50,13 +50,17 @@ static void ndpi_search_oracle(struct ndpi_detection_module_struct *ndpi_struct,
 		 && (packet->payload[3] == 0x00)))) {
       NDPI_LOG_INFO(ndpi_struct, "found oracle\n");
       ndpi_int_oracle_add_connection(ndpi_struct, flow);
+      return;
     } else if (packet->payload_packet_len == 213 && packet->payload[0] == 0x00 &&
                packet->payload[1] == 0xd5 && packet->payload[2] == 0x00 &&
                packet->payload[3] == 0x00 ) {
       NDPI_LOG_INFO(ndpi_struct, "found oracle\n");
       ndpi_int_oracle_add_connection(ndpi_struct, flow);
+      return;
     }
   }
+  if(flow->packet_counter > 5)
+    NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
 }
 
 

diff --git a/src/lib/protocols/radius.c b/src/lib/protocols/radius.c
@@ -57,13 +57,12 @@ static void ndpi_check_radius(struct ndpi_detection_module_struct *ndpi_struct,
        && (ntohs(h->len) == payload_len)) {
       NDPI_LOG_INFO(ndpi_struct, "Found radius\n");
       ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_RADIUS, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
-
       return;
     }
-
-    NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
-    return;
   }
+  if(flow->packet_counter > 3)
+    NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+  return;
 }
 
 static void ndpi_search_radius(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)

diff --git a/src/lib/protocols/redis_net.c b/src/lib/protocols/redis_net.c
@@ -33,8 +33,8 @@ static void ndpi_int_redis_add_connection(struct ndpi_detection_module_struct *n
 static void ndpi_check_redis(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
   struct ndpi_packet_struct *packet = &ndpi_struct->packet;
 
-  /* Break after 20 packets. */
-  if(flow->packet_counter > 20) {
+  /* Break after 10 packets. */
+  if(flow->packet_counter > 10) {
     NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
     return;
   }

diff --git a/src/lib/protocols/rsync.c b/src/lib/protocols/rsync.c
@@ -40,17 +40,20 @@ static void ndpi_search_rsync(struct ndpi_detection_module_struct *ndpi_struct,
   if(packet->tcp) {
     NDPI_LOG_DBG2(ndpi_struct, "calculating RSYNC over tcp\n");
     /*
-     * Should match: memcmp(packet->payload, "@RSYNCD: 28", 14) == 0)
+     * Should match: memcmp(packet->payload, "@RSYNCD:", 8) == 0)
      */
-    if (packet->payload_packet_len == 12 && packet->payload[0] == 0x40 &&
+    if (packet->payload_packet_len >= 8 && packet->payload[0] == 0x40 &&
 	packet->payload[1] == 0x52 && packet->payload[2] == 0x53 &&
 	packet->payload[3] == 0x59 && packet->payload[4] == 0x4e &&
 	packet->payload[5] == 0x43 && packet->payload[6] == 0x44 &&
 	packet->payload[7] == 0x3a ) {
       NDPI_LOG_INFO(ndpi_struct, "found rsync\n");
       ndpi_int_rsync_add_connection(ndpi_struct, flow);
+      return;
     }
   }
+  if(flow->packet_counter > 5)
+    NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
 }
 
 

diff --git a/src/lib/protocols/rtcp.c b/src/lib/protocols/rtcp.c
@@ -37,6 +37,9 @@ static void ndpi_search_rtcp(struct ndpi_detection_module_struct *ndpi_struct,
       NDPI_LOG_INFO(ndpi_struct, "found rtcp\n");
       ndpi_int_rtcp_add_connection(ndpi_struct, flow);
     }
+
+    if(flow->packet_counter > 3)
+      NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
   } else if(packet->udp != NULL) {
     /* Let's check first the RTCP packet length */
     u_int16_t len, offset = 0, rtcp_section_len;

diff --git a/src/lib/protocols/rtmp.c b/src/lib/protocols/rtmp.c
@@ -40,8 +40,8 @@ static void ndpi_check_rtmp(struct ndpi_detection_module_struct *ndpi_struct, st
   struct ndpi_packet_struct *packet = &ndpi_struct->packet;
   u_int32_t payload_len = packet->payload_packet_len;
 
-  /* Break after 20 packets. */
-  if (flow->packet_counter > 20) {
+  /* Break after 13 packets. */
+  if (flow->packet_counter > 13) {
     NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
     return;
   }
@@ -50,7 +50,10 @@ static void ndpi_check_rtmp(struct ndpi_detection_module_struct *ndpi_struct, st
   if(flow->rtmp_stage == 0) {
     NDPI_LOG_DBG2(ndpi_struct, "RTMP stage 0: \n");
 
-    if ((payload_len >= 4) && ((packet->payload[0] == 0x03) || (packet->payload[0] == 0x06))) {
+    if ((payload_len >= 9) &&
+	((packet->payload[0] == 0x03) || (packet->payload[0] == 0x06)) &&
+	/* https://en.wikipedia.org/w/index.php?title=Real-Time_Messaging_Protocol&section=12#Handshake */
+	get_u_int32_t(packet->payload, 5) == 0) {
       NDPI_LOG_DBG2(ndpi_struct, "Possible RTMP request detected, we will look further for the response\n");
 
       /* Encode the direction of the packet in the stage, so we will know when we need to look for the response packet. */

diff --git a/src/lib/protocols/sip.c b/src/lib/protocols/sip.c
@@ -180,7 +180,7 @@ void ndpi_search_sip_handshake(struct ndpi_detection_module_struct
 
   /* add bitmask for tcp only, some stupid udp programs
    * send a very few (< 10 ) packets before invite (mostly a 0x0a0x0d, but just search the first 3 payload_packets here */
-  if(packet->udp != NULL && flow->packet_counter < 20) {
+  if(packet->udp != NULL && flow->packet_counter < 10) {
     NDPI_LOG_DBG2(ndpi_struct, "need next packet\n");
     return;
   }

diff --git a/src/lib/protocols/socks45.c b/src/lib/protocols/socks45.c
@@ -39,8 +39,8 @@ static void ndpi_check_socks4(struct ndpi_detection_module_struct *ndpi_struct,
   struct ndpi_packet_struct *packet = &ndpi_struct->packet;
   u_int32_t payload_len = packet->payload_packet_len;
 
-  /* Break after 20 packets. */
-  if(flow->packet_counter > 20) {
+  /* Break after 10 packets. */
+  if(flow->packet_counter > 10) {
     NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
     return;
   }
@@ -80,8 +80,8 @@ static void ndpi_check_socks5(struct ndpi_detection_module_struct *ndpi_struct,
   struct ndpi_packet_struct *packet = &ndpi_struct->packet;
   u_int32_t payload_len = packet->payload_packet_len;
 
-  /* Break after 20 packets. */
-  if(flow->packet_counter > 20) {
+  /* Break after 10 packets. */
+  if(flow->packet_counter > 10) {
     NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
     return;
   }

diff --git a/src/lib/protocols/someip.c b/src/lib/protocols/someip.c
@@ -98,7 +98,7 @@ static void ndpi_search_someip(struct ndpi_detection_module_struct *ndpi_struct,
   const struct ndpi_packet_struct *packet = &ndpi_struct->packet;
 
   if (packet->payload_packet_len < 16) {
-    NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG,
+    NDPI_LOG_DBG(ndpi_struct,
 	     "Excluding SOME/IP .. mandatory header not found (not enough data for all fields)\n");
     NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SOMEIP);
     return;

diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c
@@ -491,7 +491,8 @@ static void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, s
     return;
   }
 
-  if(flow->stun.num_pkts >= MAX_NUM_STUN_PKTS)
+  if(flow->stun.num_pkts >= MAX_NUM_STUN_PKTS ||
+     flow->packet_counter > 10)
     NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
 
   if(flow->packet_counter > 0) {

diff --git a/src/lib/protocols/ubntac2.c b/src/lib/protocols/ubntac2.c
@@ -74,7 +74,6 @@ static void ndpi_search_ubntac2(struct ndpi_detection_module_struct *ndpi_struct
 
 	ndpi_int_ubntac2_add_connection(ndpi_struct, flow);
       }
-      return;
     }
   }
 

diff --git a/src/lib/protocols/viber.c b/src/lib/protocols/viber.c
@@ -83,6 +83,9 @@ static void ndpi_search_viber(struct ndpi_detection_module_struct *ndpi_struct,
     NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
     return;
   }
+
+  if(flow->packet_counter > 3)
+    NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
 }
 
 

diff --git a/src/lib/protocols/xbox.c b/src/lib/protocols/xbox.c
@@ -91,6 +91,8 @@ static void ndpi_search_xbox(struct ndpi_detection_module_struct *ndpi_struct, s
     }
 #endif
   }
+  if(flow->packet_counter >= 5)
+    NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
 }
 
 

diff --git a/src/lib/protocols/zeromq.c b/src/lib/protocols/zeromq.c
@@ -37,8 +37,8 @@ static void ndpi_check_zmq(struct ndpi_detection_module_struct *ndpi_struct, str
   u_char p1[] =  { 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x7f };
   u_char p2[] =  { 0x28, 0x66, 0x6c, 0x6f, 0x77, 0x00 };
 
-  /* Break after 17 packets. */
-  if(flow->packet_counter > 17) {
+  /* Break after 10 packets. */
+  if(flow->packet_counter > 10) {
     NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
     return;
   }

diff --git a/tests/cfgs/default/result/1kxun.pcap.out b/tests/cfgs/default/result/1kxun.pcap.out
@@ -1,12 +1,12 @@
 Guessed flow protos:	25
 
-DPI Packets (TCP):	411	(4.19 pkts/flow)
+DPI Packets (TCP):	408	(4.16 pkts/flow)
 DPI Packets (UDP):	120	(1.21 pkts/flow)
 Confidence Unknown          : 14 (flows)
 Confidence Match by port    : 4 (flows)
 Confidence DPI (partial)    : 2 (flows)
 Confidence DPI              : 177 (flows)
-Num dissector calls: 4469 (22.69 diss/flow)
+Num dissector calls: 4414 (22.41 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/60/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
@@ -85,7 +85,7 @@ JA3 Host Stats:
 	36	TCP 192.168.2.126:49370 <-> 14.136.136.108:80 [proto: 7.295/HTTP.1kxun][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 2][cat: Streaming/17][1 pkts/580 bytes <-> 4 pkts/7749 bytes][Goodput ratio: 88/97][0.22 sec][Hostname/SNI: hkbn.content.1kxun.com][URL: hkbn.content.1kxun.com/manga-hant/images/project/cartoons/b057f5cd8fe013d2299b57f14faa5fa9.jpg][StatusCode: 200][Content-Type: image/jpeg][Server: openresty/1.9.7.4][User-Agent: Mozilla/5.0 (Linux; Android 11; sdk_gphone_x86 Build/RSR1.201013.001; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.106 Mobile Safari/537.36][PLAIN TEXT (AGET /manga)][Plen Bins: 0,0,0,0,0,0,0,0,20,0,0,0,0,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,40,0,20]
 	37	TCP 192.168.2.126:45422 <-> 161.117.13.29:80 [proto: 7.295/HTTP.1kxun][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 5][cat: Streaming/17][3 pkts/2139 bytes <-> 4 pkts/6060 bytes][Goodput ratio: 91/96][4.31 sec][Hostname/SNI: mangaweb.1kxun.mobi][bytes ratio: -0.478 (Download)][IAT c2s/s2c min/avg/max/stddev: 221/224 2062/1374 3902/3898 1841/1787][Pkt Len c2s/s2c min/avg/max/stddev: 502/1413 713/1515 819/1720 149/124][URL: mangaweb.1kxun.mobi/js/application.min.js?1644808200][StatusCode: 200][Content-Type: image/png][Server: openresty/1.13.6.1][User-Agent: Mozilla/5.0 (Linux; Android 11; sdk_gphone_x86 Build/RSR1.201013.001; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.106 Mobile Safari/537.36][PLAIN TEXT (GET /js/application.min.j)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0,0,0,0,0,0,0,28,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,28,0,0,14,0,14]
 	38	TCP 192.168.2.126:60148 <-> 172.105.121.82:80 [proto: 7.295/HTTP.1kxun][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 2][cat: Streaming/17][2 pkts/536 bytes <-> 3 pkts/7066 bytes][Goodput ratio: 75/97][0.56 sec][Hostname/SNI: pic.1kxun.com][URL: pic.1kxun.com/video_kankan/images/icons/5-328e3cdf244c003df08754cca05fbc2f.png][StatusCode: 200][Content-Type: image/png][Server: openresty/1.13.6.1][User-Agent: okhttp/3.10.0][PLAIN TEXT (GET /video)][Plen Bins: 0,0,0,0,0,0,40,0,0,40,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20]
-	39	TCP 119.235.235.84:443 <-> 192.168.5.16:53406 [proto: 91.315/TLS.Line][IP: 315/Line][Encrypted][Confidence: DPI (partial)][DPI packets: 23][cat: Chat/9][13 pkts/6269 bytes <-> 10 pkts/1165 bytes][Goodput ratio: 88/51][18.02 sec][bytes ratio: 0.687 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/31 352/2546 3289/14274 980/4917][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 482/116 1514/386 582/101][Plen Bins: 23,7,0,0,0,15,7,0,7,0,7,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,23,0,0]
+	39	TCP 119.235.235.84:443 <-> 192.168.5.16:53406 [proto: 91.315/TLS.Line][IP: 315/Line][Encrypted][Confidence: DPI (partial)][DPI packets: 20][cat: Chat/9][13 pkts/6269 bytes <-> 10 pkts/1165 bytes][Goodput ratio: 88/51][18.02 sec][bytes ratio: 0.687 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/31 352/2546 3289/14274 980/4917][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 482/116 1514/386 582/101][Plen Bins: 23,7,0,0,0,15,7,0,7,0,7,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,23,0,0]
 	40	TCP 192.168.2.126:38314 <-> 172.105.121.82:80 [proto: 7.295/HTTP.1kxun][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 2][cat: Streaming/17][1 pkts/273 bytes <-> 4 pkts/6346 bytes][Goodput ratio: 76/96][0.33 sec][Hostname/SNI: pic.1kxun.com][URL: pic.1kxun.com/video_kankan/images/videos/40750-585645353a7a47615755b7714c611835.jpg][StatusCode: 200][Content-Type: image/jpeg][Server: openresty/1.13.6.1][User-Agent: okhttp/3.10.0][PLAIN TEXT (GET /video)][Plen Bins: 0,0,0,0,0,0,20,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,40,0,20]
 	41	TCP 192.168.2.126:45414 <-> 161.117.13.29:80 [proto: 7.295/HTTP.1kxun][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 2][cat: Streaming/17][3 pkts/2118 bytes <-> 3 pkts/3518 bytes][Goodput ratio: 91/94][4.32 sec][Hostname/SNI: mangaweb.1kxun.mobi][bytes ratio: -0.248 (Download)][IAT c2s/s2c min/avg/max/stddev: 215/216 2066/2066 3917/3916 1851/1850][Pkt Len c2s/s2c min/avg/max/stddev: 482/758 706/1173 819/1456 158/300][URL: mangaweb.1kxun.mobi/js/fb-sdk.js][StatusCode: 200][Content-Type: application/javascript][Server: openresty/1.13.6.1][User-Agent: Mozilla/5.0 (Linux; Android 11; sdk_gphone_x86 Build/RSR1.201013.001; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.106 Mobile Safari/537.36][PLAIN TEXT (GET /js/fb)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,16,0,34,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,16,0,0,0,0]
 	42	TCP 192.168.2.126:47246 <-> 161.117.13.29:80 [proto: 7.295/HTTP.1kxun][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 2][cat: Streaming/17][2 pkts/1872 bytes <-> 2 pkts/3374 bytes][Goodput ratio: 93/96][1.30 sec][Hostname/SNI: kankan.1kxun.com][URL: kankan.1kxun.com/video_kankan_tags/v2/api/homePageVideoCollections/HomePageBanners?_brand=Google&_model=sdk_gphone_x86&_ov=Android11&_cpu=i686&_resolution=1080%2C1794&_package=com.sceneway.kankan&_v=2.8.2.1&_channel=1kxun&_carrier=310260&_android_id=b9e28][StatusCode: 200][Content-Type: application/json][Server: openresty/1.13.6.1][User-Agent: okhttp/3.10.0][PLAIN TEXT (GET /video)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,25,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25]

diff --git a/tests/cfgs/default/result/4in4tunnel.pcap.out b/tests/cfgs/default/result/4in4tunnel.pcap.out
@@ -2,7 +2,7 @@ Guessed flow protos:	1
 
 DPI Packets (UDP):	5	(5.00 pkts/flow)
 Confidence Unknown          : 1 (flows)
-Num dissector calls: 179 (179.00 diss/flow)
+Num dissector calls: 174 (174.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/3/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/EAQ.pcap.out b/tests/cfgs/default/result/EAQ.pcap.out
@@ -3,7 +3,7 @@ Guessed flow protos:	0
 DPI Packets (TCP):	12	(6.00 pkts/flow)
 DPI Packets (UDP):	116	(4.00 pkts/flow)
 Confidence DPI              : 31 (flows)
-Num dissector calls: 4387 (141.52 diss/flow)
+Num dissector calls: 4329 (139.65 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)