From c65bc83c92f049a46ef3b9dbc6e59c0f9fc3a0ae Mon Sep 17 00:00:00 2001
From: Nardi Ivan <nardi.ivan@gmail.com>
Date: Tue, 27 Jun 2023 12:59:17 +0200
Subject: [PATCH] STUN: fix Skype/MsTeams detection and monitoring logic

---
 src/lib/ndpi_main.c                           |  13 +++++----
 src/lib/protocols/stun.c                      |   9 +++++--
 .../default/pcap/stun_msteams_unidir.pcapng   | Bin 0 -> 6472 bytes
 .../result/stun_msteams_unidir.pcapng.out     |  25 ++++++++++++++++++
 4 files changed, 40 insertions(+), 7 deletions(-)
 create mode 100644 tests/cfgs/default/pcap/stun_msteams_unidir.pcapng
 create mode 100644 tests/cfgs/default/result/stun_msteams_unidir.pcapng.out

diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 52d38ba7900..ab5f7b6e877 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -6055,7 +6055,8 @@ static u_int32_t make_msteams_key(struct ndpi_flow_struct *flow, u_int8_t use_cl
 /* ********************************************************************************* */
 
 static void ndpi_reconcile_msteams_udp(struct ndpi_detection_module_struct *ndpi_str,
-				       struct ndpi_flow_struct *flow) {
+				       struct ndpi_flow_struct *flow,
+				       u_int16_t master) {
 
   /* This function can NOT access &ndpi_str->packet since it is called also from ndpi_detection_giveup(), via ndpi_reconcile_protocols() */
 
@@ -6067,8 +6068,10 @@ static void ndpi_reconcile_msteams_udp(struct ndpi_detection_module_struct *ndpi
 
     if(s_match || d_match) {
       ndpi_int_change_protocol(ndpi_str, flow,
-			       NDPI_PROTOCOL_SKYPE_TEAMS, flow->detected_protocol_stack[1],
-			       NDPI_CONFIDENCE_DPI_PARTIAL);
+			       NDPI_PROTOCOL_SKYPE_TEAMS, master,
+			       /* Keep the same confidence */
+			       flow->confidence);
+
 
       if(ndpi_str->msteams_cache)
 	ndpi_lru_add_to_cache(ndpi_str->msteams_cache,
@@ -6136,7 +6139,7 @@ static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_s
 
   switch(ret->app_protocol) {
   case NDPI_PROTOCOL_MICROSOFT_AZURE:
-    ndpi_reconcile_msteams_udp(ndpi_str, flow);
+    ndpi_reconcile_msteams_udp(ndpi_str, flow, flow->detected_protocol_stack[1]);
     break;
 
     /*
@@ -6157,7 +6160,7 @@ static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_s
 
   case NDPI_PROTOCOL_STUN:
     if(flow && (flow->guessed_protocol_id_by_ip == NDPI_PROTOCOL_MICROSOFT_AZURE))
-      ndpi_reconcile_msteams_udp(ndpi_str, flow);
+      ndpi_reconcile_msteams_udp(ndpi_str, flow, NDPI_PROTOCOL_STUN);
     break;
 
   case NDPI_PROTOCOL_NETFLOW:
diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c
index 3dab65770b8..81e90e94f84 100644
--- a/src/lib/protocols/stun.c
+++ b/src/lib/protocols/stun.c
@@ -51,7 +51,8 @@ static int stun_monitoring(struct ndpi_detection_module_struct *ndpi_struct,
   u_int8_t first_byte;
 
 #ifdef DEBUG_MONITORING
-  printf("[STUN-MON] Packet counter %d\n", flow->packet_counter);
+  printf("[STUN-MON] Packet counter %d protos %d/%d\n", flow->packet_counter,
+         flow->detected_protocol_stack[0], flow->detected_protocol_stack[1]);
 #endif
 
   if(packet->payload_packet_len == 0)
@@ -261,6 +262,10 @@ static void ndpi_int_stun_add_connection(struct ndpi_detection_module_struct *nd
                           0 /* dummy */, ndpi_get_current_time(flow));
   }
 
+
+#ifdef DEBUG_STUN
+  printf("[STUN] Setting %d\n", app_proto);
+#endif
   ndpi_set_detected_protocol(ndpi_struct, flow, app_proto, NDPI_PROTOCOL_STUN, confidence);
 
   if(ndpi_struct->monitoring_stun_pkts_to_process > 0 &&
@@ -268,7 +273,7 @@ static void ndpi_int_stun_add_connection(struct ndpi_detection_module_struct *nd
                                       * multiple msg in the same TCP segment
                                       * same msg split across multiple segments */) {
     if((ndpi_struct->monitoring_stun_flags & NDPI_MONITORING_STUN_SUBCLASSIFIED) ||
-       app_proto == NDPI_PROTOCOL_UNKNOWN /* No-subclassification */) {
+       flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN /* No-subclassification */) {
       flow->max_extra_packets_to_check = ndpi_struct->monitoring_stun_pkts_to_process;
       flow->extra_packets_func = stun_monitoring;
     }
diff --git a/tests/cfgs/default/pcap/stun_msteams_unidir.pcapng b/tests/cfgs/default/pcap/stun_msteams_unidir.pcapng
new file mode 100644
index 0000000000000000000000000000000000000000..c1ea31f4e61dc1d263d7bcd53877fa7c73a96c7f
GIT binary patch
literal 6472
zcmai%1ys~qyT)heMmhxsM5MbzIwhnVMo<_Sx;vC^>5!6!AteNdIy8c$NS8DS5`yF%
zy!w5|v+nV}YrSjsf7bl>^ILnb_002P;o@Rx00010F;+?-;`8Qb0RgN4EwDYr72^HW
zlJ1EYowhUB;;Ei9*xm~I)S1qmi$j1zi0+9S1Zqhq%qNU^69Bl~=XMXepPx53001W9
z8#Ki8ZP6k6cAbRi+Y)a_1@tMq@jD~dxBatF0c%|D7yvl{z*5K#0I(-eb>edg7sNtr
zj+^?IE<giF2m}K7K!gR-x{jEgm4NlM={R6~pd$bUu>(3n1_J<Gk#)(<6h^FwF{sIX
zAALtwuv<kHT3FSQ56)W~348!Rc`S~j{l6@?Os+r0Z<*c_`0+nRJm2=u`Y)4=kmC=g
zxZjvKTgn6b0jK}~@}{<&l&FI>3GsPWTEB_6@lhZk&lI@&`EC5>>gCun;^iM&x0*PJ
z-{00R%`F7~ZU3zQXrjytIo)b1e*3#7N-tY*U_X%cR+DdOL?b~cI(g8@ypq5+MTLxP
z{L;KaD$M2M*%Cj1|H;*nT1A+AS;4T?#*+SHv?Ac?Xs)KnXvt1q>ys?x!@W7xA=xC8
z7C(^}Uzzb$AAF(<d@{1HTr-RxTx4y~I1z^_Z;<Y^h3euQ>NUpN7~ry#4?(tUV1eM~
z4|zG87VNzxe&IOz;rr&>=@29b*c+^9ue)K5cJR*Lg@8EYDS*2+!#Q8C&4zUwT9@5)
z<O<|QDOicC`xQt8%y^%4FYIPg*w@D3(j&D01(teaHIWK?ZM;$jO^$OMTct_rLbsQJ
z0vDbOO!nL5$swmpsMy0usolp!oQKXI=2&<3LeRMf>~c;R2_uq`@mxa>FW&4g98y&k
z$HX4(_guB~=LyF6a@w2jQ4ir^^;A5J>GW3v-+aoMAM@H;{q}lk$bC?xdhU8v`Q<yY
z3NI^;yxhS3v6AiL4dso%tR8I29jVIpyQKCD_B)TNxaWo*M1!hMVn<JjU!@J@e93)P
z82T*Dbf{$vPU<t|`E1N}yNaS|doHAePh@6&y5{RJc+Fjt7XvG8k54%9^`1S)cq_<h
zu!IS4VSHVCSYmwh*?8&zz0k)1ptm<}Nt!U4|In;@>L^T0Ra}Z@dy{`fMten^r}o)s
z|DABHo*?K|pjWJLZB9lg&Y+I=H+<FLfM;)u9Gq}#T|SEn_~?gQu&1mg?n^B`Ilsy8
z^vm+p2ji{Hhu+&eOD79HV6jA5i?4M^4GKnkneXB~T2qLw?p*07#<h>F0FE6|W16S>
zR@E<3%Ze>Yxw%a)*-k{he+{LY=&0Q$=pgCrOj#82+p5x34<#^d^auf>Bu4b6Z6C^g
z*jtQnIRu?uST+dfH`2$SRETJt$V&Ljy-`P-n+{<Kyvz8;E}!2o0<w#=W7C-8x6c~h
zbiBIiD|wB9U13*N_hfZH4r0DzY`9ge*W~_U{%+kGXm?ENcy2tmA&A*)Jbi1M@nc$=
zyVNLsVcT1i^~uaJ8l)MzLe1$no1Ss^i|B!02Rr2`^qo9(vYmpwRO_=Mn~P>RXIP$n
z6!-je5?>!fE*3LHBYikyt^AgJ=W8fOXYJEZ73w4FsP0Y5WY6YIi~0w~%9V-zHWnrx
zIUQ_of!ZMT$KgZfyeJJH^!Z=AF<{hCweR-j`a{w8{b?oH6QdYWumO9VA4BkURBQQj
zG=MXr`>y;7L*~iYy|Qeh-DgS<&E8PZt;wKc*Squ$GQ_uy3%eZ_#hSUi0=k@0jTE&P
zv?&kul_n4|b;vlZOo%vlI>(!EWA^7d;eCXLR@QvDCZhEK8!kv<4^tG(X&{C04p3qn
zVI(+vPiU@)z@Er{>l8?*U}T?lt9;2UE13c<(B@<erhbd-E9*9lv{*khqxN82cMnI?
zr^P;T4~JN>4jdC63}?moCdqqBA~_jObnUIgle0?O1rJc{sE1$MR^WW}S*Z88b2t5>
zJ4p3Yz!}XB?iGWf)N0;UJ9={X@t2J|Vw}F<$MDDj@0S`#MqQR&<dz9|#~?$}sCyLG
zMW;;Y2W^5id`4S5aSYx{(atOs^e>1EBJX6#6J+yEkM-EjBfQWIsH&EHMw`1sah-)Q
zx?2zYrx$J_{Pz!Di1@2Oc;U(KUidZWmlxjKw6c<JuCF5(sC>02-MRFaB8d@mqIF#r
zvFlYcr_2|?ddneRciuuQcWLvC5lnt65N-HC`RbG+tbzyUaXtIMwHu9T`>UPMu-y5X
zY@;h<+$Eg>xLL@>M5YJ<z}QjRoZMGiyERy46y7SstESwbc`z3tZ=SChO?Is{&aR7W
zBGG)KBz2&XJ{ejR($}*<Jjd0^1KYBzpwSkcY2Ff}Y*O)_Kig=Imp>_xXZ5bkG}7-P
z_plT;q342OR;st~w5<SOE-5dYIodYQ=(%O5QWp+;*_JJLygqwfz5xZ72=AP0!>DIo
z%(c!sq-2h-_#}I>sx3bEqty%9M)Qh5Uk?hkYU|YBw59pXyo_az{islyFZ!@ilvDEB
zDtk_0k_-+OJUwLB&1o4~sOqUX%<z;&&BD_2sm(W1sB^piXsaE64Jd{NLuUhAHB;z&
zzQM#oI4ZH@@(fU)%0>6unG(!Z@J?HkY{3SwdsMk)s|qF`ipp|CSvwMpj;D7+OP&#K
zh0@B&OzHYP^W$SEpdK78M-za%`L}a9Jkk&McHOgAFA!z*t7vR}@wD@iSmo;gNP_%c
zd0NT-pl2=DOQE4MF@0hQInM0~ulu+KcYIgTQhB-t?Wv5jGgC_zXoX#Mo1QVHE22P}
zEeL1%P$TbEZW&$q`%JfMMA|sJH&Uqm^{iwL7Y!TSgJu`u$4ltjm+9EnHIejaIB1(-
z8>#m&Oe53{8m|a9bSZ$rQOyLC*3VTQyjggMQIQW#fd)%Txz)!)I(gioS|6v%C30&V
zY(>6`Sw|DFLpSy<wa;kF@lCFY>P`4$InLO$>ZGQ^QY$)zTcb->I79jbm)vOSP-E?v
z0w~p=YVhee<?4}9ZAu1e;=2vn5R&R0sPMcjGqmDOcwGxYAw(i&p?wV@aM;IR^As@^
z?=_6nb|yE9d<ZsEOd?c&+Ayrm%4N36ulQlB$b`SbC65KkxYJ}$IUr+^prnrtW<{>i
zu`i>R_kGvmXps{$Q)<#IkrNf(L{`wq?T_hFR#xL?HLA&086vN~E-%4`Cvh)qD%U2M
zst)N!RdOwnpHT!<VVu7lW4EW`<m`LlR)1Otatb4)K{0~yzU*G5Q^dqMoV$MAq;D@^
zJ*niuZ03KQ1(WvZ<;$U5<!ddW<)QPRV-Ol9rN)VW@pfQ?WIB%rbVq!`2YF)Dv`(9&
z=YeuF9=yzf(m>6T3}=T?R+ssW0I4^9u8o`4C@HeYBk3g2LUai$tL4`B@vO1d>`I2s
zG&_E~nFB8EPdrCraNm$*=iLGoVNTi&&riJ9IzEtwxqAjX77qT2S4j;fA{P=X_x7UJ
zY`-?q8255lL!w}m_f3E*{)c&YX=h5|`o01zF3(>)$^(X;fmRYJANIbbhMUwiC+eba
zM`<#lJaopSsIyL?@4&sU!eS;f=3P9!3kWkKrni*Fq3R(rR5@#DX<(G->O#WiP^?xz
zzJnjWPR806x+v%)6&_;@=MP>iQaoRFQjq=fft{4Ax1avI$ArXS{TY`4>bIad{P3d#
zx5;d_=c{|2Z~mIc2e*2OHXV<Mg@=9sq9MG{9JmyW-2AfJyu7mMZ(ex2zOCC_s5&3S
zpNv@F_RsoHE(C-LAz~{cA1nOb3jr>9Yk_?LyxUx8z{ZfE$;>{cg`>NjwPQW-wN1^=
zkVx^v+I^(GZgwlVJ2PzASh(Tr1F*OnsHY{4ua6uJ^TzSbd7{g!a2zXh(5vyLO7d=Q
zUEZ+I+*9<55KZS|1oso5uD<^92hmGD2rdHZmiM2z-m@d@Pr2UX2e;L4+!}Jbzj8e@
zv8-Il@{H&ldlJXL<$8*!Z!Kf`wkwVPvM-!#ar)u!$#iaWJ*A=A>VI?n-)D_2;fy~q
z`Tbx5|IXC??ibSx1lEuu{kc1*#d`SPn6fh{WI)_tZ$JKzUnX<mwbbO{;9Dl^@XCt+
zGX4F2FB}X0biXftFbV#~<Wfcc>wZJgmgPqReLX@%-)w5juB26{?UZkzWt&j$cDtw&
z9oYBr_@hV<Z85AX9$iuQ*v~`-6k6_%v8VRNCp^H?FUhgYWf2Yp1DGsGyZx10-*9Hi
zkc1)b*9NF#ahj>$r>uYC^)L6URu22qS%&@K*87cH!`$T8S@!TrvzcSmN<R<YJN>t_
z%wi`jR$61V$S}0W#q;N05YY?%etVY4Hc5!N^7dZ;Ikz$UHUDXDi~7Oj`Wq8x2>jRF
zmii7mwJDED1FhMgYQN#25^)Z8KqlR{3i&~s<jj-^z1tb_pIJo~q4|fb5`C+wIQw@^
zl-|q8Us(lL#B^ZErKO|QL!MW^^x%1lMcqBImaR+vSZ`x8DAk2m5x-Bl*^$ou=0W2-
z14fgC^ssj~l%GlV#Ltmi0s}uPIN`=<pHo`F=dUV?Y|wMsC2E?fSCFj6Q23&{ahaBo
zii28*JS75y>L6bwtG64PMuQx&8FSNVTpY@+!RfOOXDSH|4i#pUIaR(H7fjqnbW}lS
zF~lBJ3oDrG4GhGkK4H;!ks?+W46KABIhDA8*56w#k4PExOY1Cwq$sVT9%ohoMDI(z
zqCW6$Yc=f^3eQi;y_2v8i;~s9YR<4(?Km?Kr80U>Sd>Qa)EtQwdguD6K)E=zatlrN
zt5>Utf7G)+g1u7XFSdFE+q$+WlGL2Oj=9}0MHU5%;!NiqA5T&`WU%qXZhTtWD$Ax2
zeN$POCJAR1->(K08Kk2HGV_PzLKlgvNgajPaYw4$Qcp9Rl~hleSQ|gdVEIT5n@f9@
z4EO9f3^cXMSj29vFoJfcGAXg7Yp4r2bRXj2j2voQufju1$a(0B>Y2#-h{tVpi=xC}
zFn0>i>@7i~h~wsxjd3B5!eOHKyiRuQ(ve{ayvAOK@CTm?NSHyj_p0A=sy?5-mP3{x
zho%TkzcW=w|4K-sCni<hu|2+o+C2AJVV1O-v%9V<cVd=DtMg+66B;dA2+>$4O@~ZK
zzr<(CFO4di9PIk~dM{n~Pu7+NR7LDVuQqodgobgAm_!6yKlp}TN>l6(T2YyFkq~(y
zg}!f|aphuHPHe-|z!oAl)QU1hoYgDH<}d>+3pSK)?|!l57{V#0EVtlE%D7f@(ac4)
ze%8F*<-lq2$;E;%CjeWhh9ZQF3wxiWu7`{qSO4-$uaLL@!$|a2IrDL0RNJs+?0ef3
za=vgq<pZq?PNQ8X;W?v`WnQ9D9OhA1GIz^dslb<w_XWm<5|Q76xs&B$ETVSmbm%Nt
z$`UIsxVaw=2yYGQ^x7e#p#25U)nn;7#AHwk9NB`;@+S7d=q}MO8$Li#{En*yjjZ2!
z$_QRUz_Bzl(w@pfQlDeWQQ4#i8<ltnidl}%UJrMwgYoX72%`?|m^P(;f$9S<<2=N_
zvNXTZ*y<H@KXLVc4+h0g`<s76TcwE}czOX)37-g&IGO9~s)k3ti>%=FqE+ZUmcR1%
zKe2`kXabT&a{x%my27c-M|2kZMS~~!sE}02*77HSTJZ>aDc^?k;%<QjmP<bjs0?qi
z>Y7CHGxXVNx$*)WE#qWnrjn&`I{x&KtiI(=;zQw)??&(3l%3LETyDvaxJ^$(UEf<J
z?D!tWH9A*GiW83FdDWgzQo-;mG!L*dn)IB!sr8Y7+!MzNA8NsdZk}J5hAO+=!k?g(
zg<{jUc7Ew2amc9WXKTeVazv}teKa72KiDLV5>eU!bT*Mh&i8W67j!V^f!)iinT(ND
z5p5|d3mB61l7re8cmyZCT@ZNae9>paoL6f4awtr3;<(RG1}Jsf-j;}w%114J$g>$q
zZ(u(nH+-q6LfB7I8iOwr|48lpdH?IFQ;bIy4xf`3`z?5QJ(bbo1k>H<%XLZ@UR`q3
zORLEy3-kFSywDzKX2Lh3@O)E+Q~}|G|JU61|9D}{4=<eg-3y;m|MJ2BGocF^r%e1W
z{_*GbsPjSPC{s_dltS%&ldQ$KDOs4;g}fsdTN5a^?#!efdcP?&!qg1lorU0gi9XTO
z`Ocp%CtRAfk(=N{AS?n)jiSVh-!aO_ot!{UV!D!Nj`r<I#-)LY#Rj`KS?_8Y!*$XE
zv?u~FrzfH4osw-R$~=^*gPqMjJ!bKD)Ii&`Ow`!AiRD$z3d*ez{!ECd3AA0%_C0cO
z<b6U$=}F(P64#J97c62kCC+N%4QeV*n)8QXFf}>@#MI#v<@DhqIfj9Qi0-2?3JWNm
zhlc2@aSS=%3)HT``{Ty5mXAs`)S^L;nX#Nrt5oS!7<wG{t8B#HrMKVbt1sRMY3xDh
zSiBj{iPi+f%jgYG2-C6nr}ucoN&41GM5@L2$f&Dd2GWbDiShJlpB4{nrB@S(EBjVW
ztJK*}Og;|M;&3e3W4}9(H6dz+GtQGE%UdpK*7@LcA*J_qdi&!MX8l;zGSAP)s&E{l
z>@;Ym9I0BOLx<fNanwuD+5L#{<3q;?{DC!9JP<+L<f?{@IE?t3!v~$;Rdcq+O`?!l
zUvX_=CVF~SE#FgI!{8{@e_p>5it%kT<E%Z&?E)^v2BIJ95t&&w9GpCpw6eErATcr~
zIW_{Kx#X32@huNd<ugJApetC%w#bunJEV&P#}7;}*3=gt6yL*Co<VD-B|rL-OoSOY
zoAn+Avp<4aJDaba-Cc)jFn0M}dJz3|F0+;-@Df7}Ej=4Q)HsWx=yCA?N-MTVih;cx
zvDT<!W;Q<c>RlsLtze?uSQTsc1C1TOZTF$<g;ZutMvXfhJ!w6k+?wfKupqM~BI;pJ
zjqPL_%onh$ii}n&Q!a-T*DsHfO1{^ft28j3KFY`u;_vB^UhD!!7t;Al!0wYJn)PL@
z<FByquBH`x-21$f5oxedpTNttQxbyn4L?0-zJ9vbXQ!4PjTH0FIiFrWtbvKhTzVOV
zoj&=*q1*@Ob(0dR7+sa)q!~y_u7vura_?YKNav;9<yMk%*iM(b?@eEDm&f8%5>YdG
z>4{V~3Ob0cp!r3XoMoBNYe!-$_nR%`X-?~)4T6n$@+YO2Kto1Cg~`OJuP3jJYy4HL
z++|tIh9o=oC>QVqN<sy2?L(9&?V{R9=w%t)<|DeD88zRDOl%ATEO|qgnQP$8Qfc_O
zg~=Vu4U{LI?-LH0f%svvWNc71)C$MKZfoYt11mddg0;=3j*_E_+H+J;a)oopIKzQ*
zeKbw?q4V;@_bXvbnYc=DWCcfi111c-iplo8ac(G`#aef9DFNMoC3(rFF|AZ^+#>-e
zmsV%Zv9Cs2P^ADR8#uvw*yy+0xgDv3q#l7sN%p*4sTur?$Fg5SVd0_Q%or<3>wwd8
zOv~Cnk)w{cP(AnrrAvP5s0QakXGGj4SdN%6;_EALAGxQBXtatO>_*@e6`s&Gi|6qv
zl4JI6Gu!dJ%9DZXO-e9T2FB&lV_z*la?fZlLyUsW*xav;r2+xSSOOt>#>N2cVvjL(
zuH+fp`W!Y)C~}YBlwFccELp<5H&4k5zkP0u`fDEB{w4MKn<zpOY=jp&0JW<js&qgC
Kih+)wUid%MQ~kyO

literal 0
HcmV?d00001

diff --git a/tests/cfgs/default/result/stun_msteams_unidir.pcapng.out b/tests/cfgs/default/result/stun_msteams_unidir.pcapng.out
new file mode 100644
index 00000000000..67ca9b748fd
--- /dev/null
+++ b/tests/cfgs/default/result/stun_msteams_unidir.pcapng.out
@@ -0,0 +1,25 @@
+Guessed flow protos:	0
+
+DPI Packets (UDP):	7	(7.00 pkts/flow)
+Confidence DPI              : 1 (flows)
+Num dissector calls: 190 (190.00 diss/flow)
+LRU cache ookla:      0/0/0 (insert/search/found)
+LRU cache bittorrent: 0/3/0 (insert/search/found)
+LRU cache zoom:       0/0/0 (insert/search/found)
+LRU cache stun:       0/6/0 (insert/search/found)
+LRU cache tls_cert:   0/0/0 (insert/search/found)
+LRU cache mining:     0/0/0 (insert/search/found)
+LRU cache msteams:    1/0/0 (insert/search/found)
+LRU cache stun_zoom:  0/0/0 (insert/search/found)
+Automa host:          0/0 (search/found)
+Automa domain:        0/0 (search/found)
+Automa tls cert:      0/0 (search/found)
+Automa risk mask:     0/0 (search/found)
+Automa common alpns:  0/0 (search/found)
+Patricia risk mask:   2/0 (search/found)
+Patricia risk:        0/0 (search/found)
+Patricia protocols:   2/1 (search/found)
+
+Skype_Teams	12	5944	1
+
+	1	UDP 52.115.136.55:3479 -> 10.0.0.1:50006 [proto: 78.125/STUN.Skype_Teams][IP: 276/Azure][ClearText][Confidence: DPI][DPI packets: 7][cat: VoIP/10][12 pkts/5944 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][4.53 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 453/0 1210/0 379/0][Pkt Len c2s/s2c min/avg/max/stddev: 81/0 495/0 1257/0 539/0][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic][Plen Bins: 0,16,33,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0]