Added Source Engine dissector.

Signed-off-by: lns <[email protected]>
ntop · Apr 9, 2023 · 5bbb781 · 5bbb781
1 parent 7714507
commit 5bbb781
Show file tree

Hide file tree

Showing 67 changed files with 208 additions and 73 deletions.
diff --git a/src/include/ndpi_protocol_ids.h b/src/include/ndpi_protocol_ids.h
@@ -361,6 +361,7 @@ typedef enum {
   NDPI_PROTOCOL_ELASTICSEARCH         = 330,
   NDPI_PROTOCOL_TUYA_LP               = 331, /* TUYA LAN Protocol; IoT OS: https://github.com/tuya/tuya-iotos-embeded-sdk-wifi-ble-bk7231n */
   NDPI_PROTOCOL_TPLINK_SHP            = 332, /* TP-LINK Smart Home Protocol */
+  NDPI_PROTOCOL_SOURCE_ENGINE         = 333,
 
 
 #ifdef CUSTOM_NDPI_PROTOCOLS

diff --git a/src/include/ndpi_protocols.h b/src/include/ndpi_protocols.h
@@ -237,6 +237,7 @@ void init_tuya_lp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_
 void init_tplink_shp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id);
 void init_merakicloud_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id);
 void init_tailscale_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id);
+void init_source_engine_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id);
 
 /* ndpi_main.c */
 extern u_int32_t ndpi_ip_port_hash_funct(u_int32_t ip, u_int16_t port);

diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
@@ -2049,18 +2049,22 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
                           "Elasticsearch", NDPI_PROTOCOL_CATEGORY_SYSTEM_OS,
                           ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
                           ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
-  ndpi_set_proto_defaults(ndpi_str, 1 /* encrypted */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_TUYA_LP,
+  ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_TUYA_LP,
                           "TuyaLP", NDPI_PROTOCOL_CATEGORY_IOT_SCADA,
                           ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
                           ndpi_build_default_ports(ports_b, 6667, 0, 0, 0, 0) /* UDP */);
-  ndpi_set_proto_defaults(ndpi_str, 1 /* encrypted */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_TPLINK_SHP,
+  ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_TPLINK_SHP,
                           "TPLINK_SHP", NDPI_PROTOCOL_CATEGORY_IOT_SCADA,
                           ndpi_build_default_ports(ports_a, 9999, 0, 0, 0, 0) /* TCP */,
                           ndpi_build_default_ports(ports_b, 9999, 0, 0, 0, 0) /* UDP */);
   ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_TAILSCALE,
 			  "Tailscale", NDPI_PROTOCOL_CATEGORY_VPN,
 			  ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
 			  ndpi_build_default_ports(ports_b, 41641, 0, 0, 0, 0) /* UDP */);
+  ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_SOURCE_ENGINE,
+                          "Source_Engine", NDPI_PROTOCOL_CATEGORY_GAME,
+                          ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
+                          ndpi_build_default_ports(ports_b, 27015, 0, 0, 0, 0) /* UDP */);
 
 
 #ifdef CUSTOM_NDPI_PROTOCOLS
@@ -4894,6 +4898,9 @@ static int ndpi_callback_init(struct ndpi_detection_module_struct *ndpi_str) {
   /* Tailscale */
   init_tailscale_dissector(ndpi_str, &a);
 
+  /* Source Engine */
+  init_source_engine_dissector(ndpi_str, &a);
+
 #ifdef CUSTOM_NDPI_PROTOCOLS
 #include "../../../nDPI-custom/custom_ndpi_main_init.c"
 #endif

diff --git a/src/lib/protocols/source_engine.c b/src/lib/protocols/source_engine.c
@@ -0,0 +1,88 @@
+/*
+ * source_engine.c
+ *
+ * Source Engine Protocol
+ *
+ * Copyright (C) 2023 - ntop.org
+ *
+ * nDPI is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * nDPI is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with nDPI.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+
+#include "ndpi_protocol_ids.h"
+
+#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_SOURCE_ENGINE
+
+#include "ndpi_api.h"
+
+static void ndpi_int_source_engine_add_connection(struct ndpi_detection_module_struct * const ndpi_struct,
+                                                  struct ndpi_flow_struct * const flow)
+{
+  NDPI_LOG_INFO(ndpi_struct, "found Source Engine\n");
+
+  ndpi_set_detected_protocol(ndpi_struct, flow,
+                             NDPI_PROTOCOL_SOURCE_ENGINE,
+                             NDPI_PROTOCOL_UNKNOWN,
+                             NDPI_CONFIDENCE_DPI);
+}
+
+/* ***************************************************** */
+
+static void ndpi_search_source_engine(struct ndpi_detection_module_struct *ndpi_struct,
+                                      struct ndpi_flow_struct *flow)
+{
+  struct ndpi_packet_struct const * const packet = &ndpi_struct->packet;
+  char const source_engine_query[] = "Source Engine Query";
+  size_t const source_engine_query_len = strlen(source_engine_query);
+
+  NDPI_LOG_DBG(ndpi_struct, "search Source Engine\n");
+
+  if (packet->payload_packet_len < source_engine_query_len + 1 /* '\0' */)
+  {
+    NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+    return;
+  }
+
+  if (packet->payload[packet->payload_packet_len - 1] != '\0')
+  {
+    NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+    return;
+  }
+
+  if (strncmp((char const *)&packet->payload[packet->payload_packet_len - source_engine_query_len - 1],
+              source_engine_query, source_engine_query_len) != 0)
+  {
+    NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+    return;
+  }
+
+  ndpi_int_source_engine_add_connection(ndpi_struct, flow);
+}
+
+/* ***************************************************** */
+
+void init_source_engine_dissector(struct ndpi_detection_module_struct *ndpi_struct,
+                                  u_int32_t *id)
+{
+  ndpi_set_bitmask_protocol_detection("Source_Engine", ndpi_struct, *id,
+                                      NDPI_PROTOCOL_SOURCE_ENGINE,
+                                      ndpi_search_source_engine,
+                                      NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD,
+                                      SAVE_DETECTION_BITMASK_AS_UNKNOWN,
+                                      ADD_TO_DETECTION_BITMASK
+                                     );
+
+  *id += 1;
+}
diff --git a/tests/cfgs/default/pcap/source_engine.pcap b/tests/cfgs/default/pcap/source_engine.pcap
diff --git a/tests/cfgs/default/result/1kxun.pcap.out b/tests/cfgs/default/result/1kxun.pcap.out
@@ -6,7 +6,7 @@ Confidence Unknown          : 14 (flows)
 Confidence Match by port    : 4 (flows)
 Confidence DPI (partial)    : 2 (flows)
 Confidence DPI              : 177 (flows)
-Num dissector calls: 4417 (22.42 diss/flow)
+Num dissector calls: 4431 (22.49 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/60/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/4in4tunnel.pcap.out b/tests/cfgs/default/result/4in4tunnel.pcap.out
@@ -2,7 +2,7 @@ Guessed flow protos:	1
 
 DPI Packets (UDP):	5	(5.00 pkts/flow)
 Confidence Unknown          : 1 (flows)
-Num dissector calls: 175 (175.00 diss/flow)
+Num dissector calls: 176 (176.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/3/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/6in6tunnel.pcap.out b/tests/cfgs/default/result/6in6tunnel.pcap.out
@@ -2,7 +2,7 @@ Guessed flow protos:	1
 
 DPI Packets (UDP):	2	(2.00 pkts/flow)
 Confidence Unknown          : 1 (flows)
-Num dissector calls: 121 (121.00 diss/flow)
+Num dissector calls: 122 (122.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/3/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/EAQ.pcap.out b/tests/cfgs/default/result/EAQ.pcap.out
@@ -3,7 +3,7 @@ Guessed flow protos:	0
 DPI Packets (TCP):	12	(6.00 pkts/flow)
 DPI Packets (UDP):	116	(4.00 pkts/flow)
 Confidence DPI              : 31 (flows)
-Num dissector calls: 4271 (137.77 diss/flow)
+Num dissector calls: 4300 (138.71 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/adult_content.pcap.out b/tests/cfgs/default/result/adult_content.pcap.out
@@ -2,7 +2,7 @@ Guessed flow protos:	0
 
 DPI Packets (UDP):	4	(4.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 142 (142.00 diss/flow)
+Num dissector calls: 143 (143.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/3/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/anyconnect-vpn.pcap.out b/tests/cfgs/default/result/anyconnect-vpn.pcap.out
@@ -8,7 +8,7 @@ Confidence Match by port    : 5 (flows)
 Confidence DPI (partial)    : 1 (flows)
 Confidence DPI              : 60 (flows)
 Confidence Match by IP      : 1 (flows)
-Num dissector calls: 872 (12.64 diss/flow)
+Num dissector calls: 873 (12.65 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/27/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/collectd.pcap.out b/tests/cfgs/default/result/collectd.pcap.out
@@ -3,7 +3,7 @@ Guessed flow protos:	3
 DPI Packets (UDP):	13	(1.62 pkts/flow)
 Confidence Match by port    : 3 (flows)
 Confidence DPI              : 5 (flows)
-Num dissector calls: 395 (49.38 diss/flow)
+Num dissector calls: 398 (49.75 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/9/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/custom_rules_same-ip_multiple_ports.pcapng.out b/tests/cfgs/default/result/custom_rules_same-ip_multiple_ports.pcapng.out
@@ -23,5 +23,5 @@ Patricia protocols:   2/2 (search/found)
 CustomProtocolA	3	222	1
 CustomProtocolB	2	148	1
 
-	1	TCP 192.168.1.245:56866 -> 3.3.3.3:443 [proto: 91.339/TLS.CustomProtocolA][IP: 339/CustomProtocolA][Encrypted][Confidence: Unknown][DPI packets: 1][cat: Web/5][3 pkts/222 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][3.05 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	2	TCP 192.168.1.245:59682 -> 3.3.3.3:444 [proto: 340/CustomProtocolB][IP: 340/CustomProtocolB][ClearText][Confidence: Unknown][DPI packets: 1][2 pkts/148 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][1.02 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	1	TCP 192.168.1.245:56866 -> 3.3.3.3:443 [proto: 91.340/TLS.CustomProtocolA][IP: 340/CustomProtocolA][Encrypted][Confidence: Unknown][DPI packets: 1][cat: Web/5][3 pkts/222 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][3.05 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	2	TCP 192.168.1.245:59682 -> 3.3.3.3:444 [proto: 341/CustomProtocolB][IP: 341/CustomProtocolB][ClearText][Confidence: Unknown][DPI packets: 1][2 pkts/148 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][1.02 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/cfgs/default/result/dhcp-fuzz.pcapng.out b/tests/cfgs/default/result/dhcp-fuzz.pcapng.out
@@ -2,7 +2,7 @@ Guessed flow protos:	1
 
 DPI Packets (UDP):	1	(1.00 pkts/flow)
 Confidence Match by port    : 1 (flows)
-Num dissector calls: 106 (106.00 diss/flow)
+Num dissector calls: 107 (107.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/3/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/discord.pcap.out b/tests/cfgs/default/result/discord.pcap.out
@@ -3,7 +3,7 @@ Guessed flow protos:	0
 DPI Packets (TCP):	5	(5.00 pkts/flow)
 DPI Packets (UDP):	60	(1.82 pkts/flow)
 Confidence DPI              : 34 (flows)
-Num dissector calls: 3931 (115.62 diss/flow)
+Num dissector calls: 3958 (116.41 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/discord_mid_flow.pcap.out b/tests/cfgs/default/result/discord_mid_flow.pcap.out
@@ -2,7 +2,7 @@ Guessed flow protos:	0
 
 DPI Packets (UDP):	3	(3.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 143 (143.00 diss/flow)
+Num dissector calls: 144 (144.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/dnscrypt-v1-and-resolver-pings.pcap.out b/tests/cfgs/default/result/dnscrypt-v1-and-resolver-pings.pcap.out
@@ -2,7 +2,7 @@ Guessed flow protos:	0
 
 DPI Packets (UDP):	256	(1.04 pkts/flow)
 Confidence DPI              : 245 (flows)
-Num dissector calls: 20770 (84.78 diss/flow)
+Num dissector calls: 20781 (84.82 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/513/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/dnscrypt-v2.pcap.out b/tests/cfgs/default/result/dnscrypt-v2.pcap.out
@@ -2,7 +2,7 @@ Guessed flow protos:	0
 
 DPI Packets (UDP):	6	(2.00 pkts/flow)
 Confidence DPI              : 3 (flows)
-Num dissector calls: 366 (122.00 diss/flow)
+Num dissector calls: 369 (123.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/dnscrypt_skype_false_positive.pcapng.out b/tests/cfgs/default/result/dnscrypt_skype_false_positive.pcapng.out
@@ -2,7 +2,7 @@ Guessed flow protos:	0
 
 DPI Packets (UDP):	2	(2.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 123 (123.00 diss/flow)
+Num dissector calls: 124 (124.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/3/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/fuzz-2006-06-26-2594.pcap.out b/tests/cfgs/default/result/fuzz-2006-06-26-2594.pcap.out
@@ -6,7 +6,7 @@ DPI Packets (other):	5	(1.00 pkts/flow)
 Confidence Unknown          : 30 (flows)
 Confidence Match by port    : 28 (flows)
 Confidence DPI              : 193 (flows)
-Num dissector calls: 5367 (21.38 diss/flow)
+Num dissector calls: 5400 (21.51 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/180/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/fuzz-2020-02-16-11740.pcap.out b/tests/cfgs/default/result/fuzz-2020-02-16-11740.pcap.out
@@ -5,7 +5,7 @@ DPI Packets (other):	7	(1.00 pkts/flow)
 Confidence Unknown          : 19 (flows)
 Confidence Match by port    : 3 (flows)
 Confidence DPI              : 55 (flows)
-Num dissector calls: 1757 (22.82 diss/flow)
+Num dissector calls: 1773 (23.03 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/66/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/gnutella.pcap.out b/tests/cfgs/default/result/gnutella.pcap.out
@@ -6,7 +6,7 @@ DPI Packets (other):	10	(1.00 pkts/flow)
 Confidence Unknown          : 592 (flows)
 Confidence Match by port    : 1 (flows)
 Confidence DPI              : 167 (flows)
-Num dissector calls: 66146 (87.03 diss/flow)
+Num dissector calls: 66658 (87.71 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/1779/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/gtp_false_positive.pcapng.out b/tests/cfgs/default/result/gtp_false_positive.pcapng.out
@@ -3,7 +3,7 @@ Guessed flow protos:	3
 DPI Packets (UDP):	7	(2.33 pkts/flow)
 Confidence Unknown          : 1 (flows)
 Confidence Match by port    : 2 (flows)
-Num dissector calls: 391 (130.33 diss/flow)
+Num dissector calls: 394 (131.33 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/9/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/h323-overflow.pcap.out b/tests/cfgs/default/result/h323-overflow.pcap.out
@@ -1,8 +1,8 @@
 Guessed flow protos:	1
 
 DPI Packets (TCP):	1	(1.00 pkts/flow)
-Confidence nBPF             : 1 (flows)
-Num dissector calls: 0 (0.00 diss/flow)
+Confidence Match by port    : 1 (flows)
+Num dissector calls: 116 (116.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/3/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
@@ -16,13 +16,10 @@ Automa domain:        0/0 (search/found)
 Automa tls cert:      0/0 (search/found)
 Automa risk mask:     0/0 (search/found)
 Automa common alpns:  0/0 (search/found)
-Patricia risk mask:   0/0 (search/found)
+Patricia risk mask:   2/0 (search/found)
 Patricia risk:        0/0 (search/found)
-Patricia protocols:   0/0 (search/found)
+Patricia protocols:   2/0 (search/found)
 
-Unknown	1	58	1
+HTTP	1	58	1
 
-
-
-Undetected flows:
-	1	TCP 192.168.1.1:31337 -> 192.168.1.2:80 [proto: 0/Unknown][IP: 0/Unknown][ClearText][Confidence: nBPF][DPI packets: 1][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 7/0][< 1 sec][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	1	TCP 192.168.1.1:31337 -> 192.168.1.2:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: Match by port][DPI packets: 1][cat: Web/5][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 7/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/cfgs/default/result/h323.pcap.out b/tests/cfgs/default/result/h323.pcap.out
@@ -3,7 +3,7 @@ Guessed flow protos:	0
 DPI Packets (TCP):	2	(2.00 pkts/flow)
 DPI Packets (UDP):	2	(2.00 pkts/flow)
 Confidence DPI              : 2 (flows)
-Num dissector calls: 224 (112.00 diss/flow)
+Num dissector calls: 225 (112.50 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/http_ipv6.pcap.out b/tests/cfgs/default/result/http_ipv6.pcap.out
@@ -4,7 +4,7 @@ DPI Packets (TCP):	77	(5.92 pkts/flow)
 DPI Packets (UDP):	4	(2.00 pkts/flow)
 Confidence Match by port    : 7 (flows)
 Confidence DPI              : 8 (flows)
-Num dissector calls: 144 (9.60 diss/flow)
+Num dissector calls: 145 (9.67 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/21/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/imo.pcap.out b/tests/cfgs/default/result/imo.pcap.out
@@ -2,7 +2,7 @@ Guessed flow protos:	0
 
 DPI Packets (UDP):	7	(3.50 pkts/flow)
 Confidence DPI              : 2 (flows)
-Num dissector calls: 284 (142.00 diss/flow)
+Num dissector calls: 286 (143.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/instagram.pcap.out b/tests/cfgs/default/result/instagram.pcap.out
@@ -7,7 +7,7 @@ Confidence Unknown          : 1 (flows)
 Confidence Match by port    : 6 (flows)
 Confidence DPI (partial)    : 1 (flows)
 Confidence DPI              : 30 (flows)
-Num dissector calls: 1766 (46.47 diss/flow)
+Num dissector calls: 1767 (46.50 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/24/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/iphone.pcap.out b/tests/cfgs/default/result/iphone.pcap.out
@@ -5,7 +5,7 @@ DPI Packets (UDP):	55	(1.77 pkts/flow)
 DPI Packets (other):	5	(1.00 pkts/flow)
 Confidence Match by port    : 1 (flows)
 Confidence DPI              : 50 (flows)
-Num dissector calls: 346 (6.78 diss/flow)
+Num dissector calls: 347 (6.80 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/3/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/kontiki.pcap.out b/tests/cfgs/default/result/kontiki.pcap.out
@@ -4,7 +4,7 @@ DPI Packets (UDP):	6	(1.50 pkts/flow)
 DPI Packets (other):	4	(1.00 pkts/flow)
 Confidence Unknown          : 2 (flows)
 Confidence DPI              : 6 (flows)
-Num dissector calls: 316 (39.50 diss/flow)
+Num dissector calls: 318 (39.75 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/6/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/line.pcap.out b/tests/cfgs/default/result/line.pcap.out
@@ -3,7 +3,7 @@ Guessed flow protos:	0
 DPI Packets (TCP):	13	(6.50 pkts/flow)
 DPI Packets (UDP):	40	(13.33 pkts/flow)
 Confidence DPI              : 5 (flows)
-Num dissector calls: 713 (142.60 diss/flow)
+Num dissector calls: 716 (143.20 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/9/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)