From cec8c847380e3b4141bf7eb4b9348c3da997ebd1 Mon Sep 17 00:00:00 2001
From: 0xA50C1A1 <mage.wizard.88@gmail.com>
Date: Wed, 29 Nov 2023 01:56:19 +0300
Subject: [PATCH 1/3] Add Beckhoff ADS protocol dissector

---
 doc/protocols.rst                             |   9 ++
 src/include/ndpi_protocol_ids.h               |   1 +
 src/include/ndpi_protocols.h                  |   1 +
 src/lib/ndpi_main.c                           |   7 ++
 src/lib/protocols/beckhoff_ads.c              | 116 ++++++++++++++++++
 tests/cfgs/caches_cfg/result/ookla.pcap.out   |   2 +-
 tests/cfgs/caches_cfg/result/teams.pcap.out   |   2 +-
 tests/cfgs/default/pcap/beckhoff_ads.pcapng   | Bin 0 -> 8044 bytes
 tests/cfgs/default/result/1kxun.pcap.out      |   2 +-
 tests/cfgs/default/result/443-chrome.pcap.out |   2 +-
 tests/cfgs/default/result/443-opvn.pcap.out   |   2 +-
 .../default/result/KakaoTalk_chat.pcap.out    |   2 +-
 .../default/result/KakaoTalk_talk.pcap.out    |   2 +-
 tests/cfgs/default/result/Oscar.pcap.out      |   2 +-
 .../cfgs/default/result/alexa-app.pcapng.out  |   2 +-
 tests/cfgs/default/result/amqp.pcap.out       |   2 +-
 .../default/result/anyconnect-vpn.pcap.out    |   2 +-
 .../default/result/beckhoff_ads.pcapng.out    |  28 +++++
 .../result/bittorrent_tcp_miss.pcapng.out     |   2 +-
 tests/cfgs/default/result/cassandra.pcap.out  |   2 +-
 .../default/result/cloudflare-warp.pcap.out   |   2 +-
 .../result/custom_rules_ipv6.pcapng.out       |  10 +-
 ...om_rules_same-ip_multiple_ports.pcapng.out |   6 +-
 tests/cfgs/default/result/edonkey.pcap.out    |   2 +-
 tests/cfgs/default/result/emotet.pcap.out     |   2 +-
 tests/cfgs/default/result/fastcgi.pcap.out    |   2 +-
 .../default/result/ftp-start-tls.pcap.out     |   2 +-
 tests/cfgs/default/result/ftp.pcap.out        |   2 +-
 tests/cfgs/default/result/ftp_failed.pcap.out |   2 +-
 .../result/fuzz-2006-06-26-2594.pcap.out      |   2 +-
 .../result/fuzz-2006-09-29-28586.pcap.out     |   2 +-
 .../default/result/fuzz-2021-10-13.pcap.out   |   2 +-
 tests/cfgs/default/result/google_ssl.pcap.out |   2 +-
 .../http_guessed_host_and_guessed.pcapng.out  |   2 +-
 .../default/result/imap-starttls.pcap.out     |   2 +-
 tests/cfgs/default/result/imap.pcap.out       |   2 +-
 tests/cfgs/default/result/instagram.pcap.out  |   2 +-
 tests/cfgs/default/result/irc.pcap.out        |   2 +-
 tests/cfgs/default/result/jabber.pcap.out     |   2 +-
 tests/cfgs/default/result/kerberos.pcap.out   |   2 +-
 .../result/log4j-webapp-exploit.pcap.out      |   2 +-
 tests/cfgs/default/result/memcached.cap.out   |   2 +-
 .../result/mongo_false_positive.pcapng.out    |   2 +-
 tests/cfgs/default/result/mssql_tds.pcap.out  |   2 +-
 .../default/result/nest_log_sink.pcap.out     |   2 +-
 tests/cfgs/default/result/netbios.pcap.out    |   2 +-
 tests/cfgs/default/result/nntp.pcap.out       |   2 +-
 tests/cfgs/default/result/ookla.pcap.out      |   2 +-
 tests/cfgs/default/result/openvpn.pcap.out    |   2 +-
 tests/cfgs/default/result/oracle12.pcapng.out |   2 +-
 .../ossfuzz_seed_fake_traces_1.pcapng.out     |   2 +-
 .../ossfuzz_seed_fake_traces_2.pcapng.out     |   2 +-
 tests/cfgs/default/result/pgsql.pcap.out      |   2 +-
 tests/cfgs/default/result/pop3.pcap.out       |   2 +-
 tests/cfgs/default/result/pop3_stls.pcap.out  |   2 +-
 tests/cfgs/default/result/protobuf.pcap.out   |   2 +-
 .../result/reasm_crash_anon.pcapng.out        |   2 +-
 .../default/result/reasm_segv_anon.pcapng.out |   2 +-
 tests/cfgs/default/result/riot.pcapng.out     |   2 +-
 tests/cfgs/default/result/rsh.pcap.out        |   2 +-
 tests/cfgs/default/result/rtmp.pcap.out       |   2 +-
 .../cfgs/default/result/s7comm-plus.pcap.out  |   2 +-
 tests/cfgs/default/result/s7comm.pcap.out     |   2 +-
 .../cfgs/default/result/shadowsocks.pcap.out  |   2 +-
 tests/cfgs/default/result/skype.pcap.out      |   2 +-
 .../default/result/skype_no_unknown.pcap.out  |   2 +-
 tests/cfgs/default/result/smb_frags.pcap.out  |   2 +-
 tests/cfgs/default/result/smbv1.pcap.out      |   2 +-
 .../default/result/smtp-starttls.pcap.out     |   2 +-
 tests/cfgs/default/result/smtp.pcap.out       |   2 +-
 tests/cfgs/default/result/soap.pcap.out       |   2 +-
 tests/cfgs/default/result/socks.pcap.out      |   2 +-
 .../default/result/starcraft_battle.pcap.out  |   2 +-
 tests/cfgs/default/result/synscan.pcap.out    |   4 +-
 tests/cfgs/default/result/teams.pcap.out      |   2 +-
 .../result/telegram_videocall.pcapng.out      |   2 +-
 tests/cfgs/default/result/telnet.pcap.out     |   2 +-
 tests/cfgs/default/result/threema.pcap.out    |   2 +-
 tests/cfgs/default/result/tinc.pcap.out       |   2 +-
 .../cfgs/default/result/tls-appdata.pcap.out  |   2 +-
 .../result/tls_certificate_too_long.pcap.out  |   2 +-
 .../result/tls_false_positives.pcapng.out     |   2 +-
 .../default/result/tls_invalid_reads.pcap.out |   2 +-
 .../result/tls_missing_ch_frag.pcap.out       |   2 +-
 tests/cfgs/default/result/viber.pcap.out      |   2 +-
 tests/cfgs/default/result/vnc.pcap.out        |   2 +-
 tests/cfgs/default/result/wa_video.pcap.out   |   2 +-
 tests/cfgs/default/result/waze.pcap.out       |   2 +-
 tests/cfgs/default/result/wechat.pcap.out     |   2 +-
 tests/cfgs/default/result/whatsapp.pcap.out   |   2 +-
 .../result/whatsapp_login_chat.pcap.out       |   2 +-
 tests/cfgs/default/result/whois.pcapng.out    |   2 +-
 tests/cfgs/default/result/z3950.pcapng.out    |   2 +-
 tests/cfgs/default/result/zoom.pcap.out       |   2 +-
 .../result/ookla.pcap.out                     |   2 +-
 .../disable_protocols/result/soap.pcap.out    |   2 +-
 .../enable_payload_stat/result/1kxun.pcap.out |   2 +-
 windows/nDPI.vcxproj                          |   1 +
 windows/nDPI.vcxproj.filters                  |   1 +
 99 files changed, 261 insertions(+), 97 deletions(-)
 create mode 100644 src/lib/protocols/beckhoff_ads.c
 create mode 100644 tests/cfgs/default/pcap/beckhoff_ads.pcapng
 create mode 100644 tests/cfgs/default/result/beckhoff_ads.pcapng.out

diff --git a/doc/protocols.rst b/doc/protocols.rst
index 1cbc7de811f..ed4407ff459 100644
--- a/doc/protocols.rst
+++ b/doc/protocols.rst
@@ -280,3 +280,12 @@ References: `Wireshark wiki: <https://wiki.wireshark.org/EtherSIO.md>`_.
 UMAS is a proprietary Schneider Electric protocol based on Modbus. It's used in Modicon M580 and Modicon M340 CPU-based PLCs.
 
 References: `Unofficial article: <https://ics-cert.kaspersky.com/publications/reports/2022/09/29/the-secrets-of-schneider-electrics-umas-protocol/>`_.
+
+
+.. _Proto 365:
+
+`NDPI_PROTOCOL_BECKHOFF_ADS`
+============================
+Automation Device Specification is the protocol used for interfacing with Beckhoff PLCs via TwinCAT.
+
+References: `Protocol Specs: <https://infosys.beckhoff.com/english.php?content=../content/1033/tc3_ads_intro/115847307.html>`_.
diff --git a/src/include/ndpi_protocol_ids.h b/src/include/ndpi_protocol_ids.h
index a1f0732eab1..01c7ff69ea4 100644
--- a/src/include/ndpi_protocol_ids.h
+++ b/src/include/ndpi_protocol_ids.h
@@ -393,6 +393,7 @@ typedef enum {
   NDPI_PROTOCOL_FINS                  = 362,
   NDPI_PROTOCOL_ETHERSIO              = 363,
   NDPI_PROTOCOL_UMAS                  = 364,
+  NDPI_PROTOCOL_BECKHOFF_ADS          = 365,
 
 #ifdef CUSTOM_NDPI_PROTOCOLS
 #include "../../../nDPI-custom/custom_ndpi_protocol_ids.h"
diff --git a/src/include/ndpi_protocols.h b/src/include/ndpi_protocols.h
index 8e2f0cc4377..31ae72958df 100644
--- a/src/include/ndpi_protocols.h
+++ b/src/include/ndpi_protocols.h
@@ -256,6 +256,7 @@ void init_rtps_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int
 void init_opc_ua_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id);
 void init_fins_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id);
 void init_ethersio_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id);
+void init_beckhoff_ads_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id);
 
 /* ndpi_main.c */
 extern u_int32_t ndpi_ip_port_hash_funct(u_int32_t ip, u_int16_t port);
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index f3786a719cd..bb4f39d079e 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -2158,6 +2158,10 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
 			  "UMAS", NDPI_PROTOCOL_CATEGORY_IOT_SCADA,
 			  ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
 			  ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
+  ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_BECKHOFF_ADS,
+			  "BeckhoffADS", NDPI_PROTOCOL_CATEGORY_IOT_SCADA,
+			  ndpi_build_default_ports(ports_a, 48898, 0, 0, 0, 0) /* TCP */,
+			  ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
 
 #ifdef CUSTOM_NDPI_PROTOCOLS
 #include "../../../nDPI-custom/custom_ndpi_main.c"
@@ -5606,6 +5610,9 @@ static int ndpi_callback_init(struct ndpi_detection_module_struct *ndpi_str) {
   /* Ether-S-I/O */
   init_ethersio_dissector(ndpi_str, &a);
 
+  /* Automation Device Specification */
+  init_beckhoff_ads_dissector(ndpi_str, &a);
+
 #ifdef CUSTOM_NDPI_PROTOCOLS
 #include "../../../nDPI-custom/custom_ndpi_main_init.c"
 #endif
diff --git a/src/lib/protocols/beckhoff_ads.c b/src/lib/protocols/beckhoff_ads.c
new file mode 100644
index 00000000000..17a36b02156
--- /dev/null
+++ b/src/lib/protocols/beckhoff_ads.c
@@ -0,0 +1,116 @@
+/*
+ * beckhoff_ads.c
+ *
+ * Beckhoff Automation Device Specification
+ * 
+ * Copyright (C) 2023 - ntop.org
+ * Copyright (C) 2023 - V.G <jacendi@protonmail.com>
+ *
+ * This file is part of nDPI, an open source deep packet inspection
+ * library based on the OpenDPI and PACE technology by ipoque GmbH
+ *
+ * nDPI is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * nDPI is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with nDPI.  If not, see <http://www.gnu.org/licenses/>.
+ * 
+ */
+
+#include "ndpi_protocol_ids.h"
+
+#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_BECKHOFF_ADS
+
+#include "ndpi_api.h"
+#include "ndpi_private.h"
+
+PACK_ON
+struct ams_tcp_hdr {
+  u_int16_t reserved;
+  u_int32_t length;
+} PACK_OFF;
+
+struct ams_hdr {
+  u_int64_t target_netid : 48;
+  u_int64_t target_port : 16;
+  u_int64_t source_netid : 48;
+  u_int64_t source_port : 16;
+  u_int16_t command_id;
+  u_int16_t state_flags;
+  u_int32_t length;
+  u_int32_t error_code;
+  u_int32_t invoke_id;
+};
+
+static void ndpi_int_beckhoff_ads_add_connection(struct ndpi_detection_module_struct * const ndpi_struct,
+                                                 struct ndpi_flow_struct * const flow)
+{
+  NDPI_LOG_INFO(ndpi_struct, "found Beckhoff ADS\n");
+  ndpi_set_detected_protocol(ndpi_struct, flow,
+                             NDPI_PROTOCOL_BECKHOFF_ADS,
+                             NDPI_PROTOCOL_UNKNOWN,
+                             NDPI_CONFIDENCE_DPI);
+}
+
+static void ndpi_search_beckhoff_ads(struct ndpi_detection_module_struct *ndpi_struct,
+                                     struct ndpi_flow_struct *flow)
+{
+  struct ndpi_packet_struct const * const packet = &ndpi_struct->packet;
+
+  NDPI_LOG_DBG(ndpi_struct, "search Beckhoff ADS\n");
+
+  if (packet->payload_packet_len >= 38) {
+    struct ams_tcp_hdr const * const ams_tcp = (struct ams_tcp_hdr *)packet->payload;
+    u_int16_t ams_message_length = packet->payload_packet_len - sizeof(struct ams_tcp_hdr);
+
+    if ((ams_tcp->reserved != 0) ||
+        (le32toh(ams_tcp->length) != ams_message_length))
+    {
+      goto not_beckhoff_ads;
+    }
+
+    struct ams_hdr const * const ams = (struct ams_hdr *)&packet->payload[6];
+    u_int16_t ams_data_len = ams_message_length - sizeof(struct ams_hdr);
+
+    if (le32toh(ams->length) == ams_data_len) {
+      /* Just additional checks to avoid potential 
+       * false positives */
+      if ((le32toh(ams->state_flags) != 0x0004) &&
+          (le32toh(ams->state_flags) != 0x0005))
+      {
+        goto not_beckhoff_ads;
+      }
+      
+      if ((le32toh(ams->command_id) > 0x0009) ||
+          ((le32toh(ams->error_code) > 0x0000001E)))
+      {
+        goto not_beckhoff_ads;
+      }
+
+      ndpi_int_beckhoff_ads_add_connection(ndpi_struct, flow);
+      return;
+    }
+  }
+
+not_beckhoff_ads:
+  NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+}
+
+void init_beckhoff_ads_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id)
+{
+  ndpi_set_bitmask_protocol_detection("BeckhoffADS", ndpi_struct, *id,
+              NDPI_PROTOCOL_BECKHOFF_ADS,
+              ndpi_search_beckhoff_ads,
+              NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
+              SAVE_DETECTION_BITMASK_AS_UNKNOWN,
+              ADD_TO_DETECTION_BITMASK);
+
+  *id += 1;
+}
diff --git a/tests/cfgs/caches_cfg/result/ookla.pcap.out b/tests/cfgs/caches_cfg/result/ookla.pcap.out
index fd63ee5ea56..b99d575bcae 100644
--- a/tests/cfgs/caches_cfg/result/ookla.pcap.out
+++ b/tests/cfgs/caches_cfg/result/ookla.pcap.out
@@ -3,7 +3,7 @@ Guessed flow protos:	1
 DPI Packets (TCP):	40	(6.67 pkts/flow)
 Confidence Match by port    : 1 (flows)
 Confidence DPI              : 5 (flows)
-Num dissector calls: 515 (85.83 diss/flow)
+Num dissector calls: 518 (86.33 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/3/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/caches_cfg/result/teams.pcap.out b/tests/cfgs/caches_cfg/result/teams.pcap.out
index 9407e030219..092cdf614b2 100644
--- a/tests/cfgs/caches_cfg/result/teams.pcap.out
+++ b/tests/cfgs/caches_cfg/result/teams.pcap.out
@@ -6,7 +6,7 @@ DPI Packets (other):	1	(1.00 pkts/flow)
 Confidence Unknown          : 1 (flows)
 Confidence Match by port    : 2 (flows)
 Confidence DPI              : 80 (flows)
-Num dissector calls: 513 (6.18 diss/flow)
+Num dissector calls: 514 (6.19 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/9/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/pcap/beckhoff_ads.pcapng b/tests/cfgs/default/pcap/beckhoff_ads.pcapng
new file mode 100644
index 0000000000000000000000000000000000000000..1c35bb746bc385af2064260963151c16d1a0b0dc
GIT binary patch
literal 8044
zcmbtZ4RBP|6~6nj!2mMG7MUG%rdy3ALUuQs>~50!W`|@0O)OcqAp)kMVUt}Tm5`V}
z#0qXDYG}u?wH8}wMfs5*D|8quR9L}jJGH`49jV%m;tUaWs{PSYt5!|F@4kK6m$#3{
zwmmav-+lMKd(L;hd+y!)?wc}g+LRF?M3XvarUTcpj1-7DqO!u%(KX;+(zPbhv$o$|
z<zAHR8|vyzx?}Oqo8A60cgJAY>V&&0RPGl}5fJr*-MyXhUbo-tukZ%kr9)c5Q|?*W
z5vUIN6LI&7zMgJ(cf5Zf+2>*Fb#N)@pT700fHg%_h_?D9-L*wy^V`2w5eP<tHC0uf
zx}blaClIO*d1{0H8c$$eRj|COHdtRbzh=D<lVNERY+d?a;zt+hpM96}2J-vLLh+8e
z??@PBs&Eue8(e;P|6ev-xu8hQ6QW$%JXfU9<@g>)C$#9e|Cr(&J$r%=_bOv!8_x)#
zI18U}IGl=R*KB`&IBQ?Cta;Jwi!ajt&^yvLd>m7b`$hY!0zOXmer{t~^{AEorF0J=
z{`+A+gfcY;f2s1ICH|A};fNIj|4Zyfd&GS^Zy>ZgWA45qZ75T7>_(Lz+1Pc#?kDW#
zhLTZ-qj(k>bT|r9PT^#eltTQ{Cw&jg8qN31b^DGaa8J$QY_YhSzK4Eo;>-cg-jBI9
zPC6B(sZyx!Q^(*Gg`$X!5c;MRA`|JG7>vBW+VHp?uRpeo|9$Z41FtVk<du0(A+HCn
z3Zz$|OwHl7RoP-=*EROSu!LWRu3AivOpKSM6!3Z}Z9<SVq5z7NL~S<jjX1vN&f>`7
zxK&(397D%U9Q&N3qa`udou}WegIPfw8poHVbUX?eHR9lN#Bd=T-m)wX3qH0Ihvr3M
zk@Ih~1U$!MuCZ<T@$m-ylMk*zZ$rrg$9pv^ARL$JzCd~b?x|)z9AQyH9D{!{@ev0f
zi^0eC9W}I5jJ{TU{GE*u;-C-%rLZ?9^N{1DErsr&yEL-YA1p8TG*$Y`<?1OPl|STo
zlEmyxWqUT%M!xEaMY4}slz?iRL-s5%^jy?1FWPWp?F}KD?t4GmHuHb$sWCy0$@R_*
zDsuhjO@Z_<?x{IrKBWA_a?BTt_Se?NT%T<kE@8I@sFrhy4Cj}pCLzm8*$DYOlmU;8
z;m4_sKT4Le6Sc%B@!(2~bH5u%Cs3xE^Fb^Y*AnB<GZXXSwYA8Hoydol<@9P;gD%g^
zj|BW=*C1k~5GQ>T1J^@}%*n3>(_DY4IXp#`pIY*?6Flt#PhY>#8eE(*uECraR%`G#
zn}c@oe@VuF+!X&V#Qz-P_dc_akU17w78GaVFP>#wgXx=MT!T}xMvH&{@?d&7?x{KP
zH!BZW#{V4Re-ZI}$fyt{P;;JKBC-rjM?3jXLCHU_6!Kr(k@cUG1I=O<{SW=h#KDW;
z;5;~RuG~#K^sjM{&4Ei0v6GDu`lqCz=6N!<Drh%Pw$Z<4U1HGI#`B2(Q^a48-#obj
ze*d3&a{Ol7JSmkNJ#FIXQ|IU#burhspIo*M?hSd8<;XZsh>^l|au`aU4nrv%r=`8Y
z^k$T)Ie9XoJZ#0&8+D@n%$%6((?1N$ty3$yYI&mXRW3_S7EbYH+JyWA`m8Kr{YK)>
zMtM=sih;H9zGPcnvh(IuJu6nUwXE%06RB-!tMBU?O7``Omd@suuI?nBC0^nlfl`Qj
zYJV`zHrXzBof>+%H(VmFliVGh$laMa;BGs(Tl~V+w8Os$Ex+{t;Nn@6kzbS92qA6?
z$CyI@#PI}gAjC1_)?oSvC{uIzyGwb*lE3ZXuNC|~I$X(aOQ2T#Rk0Cr9%|%o7Vh)l
zFA|MtSc#cqPa)>t-DaD2vn{!61$SdHSL&nZ3CECk6S*s5BZLnz=O}vK8F@Q*M=<>W
z+Ne3a-K}i5<ZTSRjexgXhXd@!J*O3K)og_P6KdqG6!-b?7O8ELV{Fd3`|q^PxjB-z
zr%X9F;v7A<47_bU^&4WkSk4hM#hi1-Is1!yg6SXP8EOu9_b5B8xI4ED+#LdUjl)59
zy9sK=o!pF}?E|QhJL1lVy9JHWd3bbu&KmP>`FCvduFR6ZL*VZy_)||kNV^<Et2tZ5
zMhJ1+<=q4K+2-9&OYV+>yK~^~%KY-~U%+7Gj+pb|F18?InRj#Vx6M0`<n6F2@6I_#
z-<%n9-ErpRD!9LB-Vrm!F7IxC(DuJ#mlbz!&J^vhPmj4ic{jiRiVuOo$X%ZQ6_Mta
z#wI2n=ZSgV&fa3npI7pCXd-{FPX~XufxitW<dnGByd`dmnLp#2*Raht_a3$6?>6uk
z0e|WIa_=KxF!Gmg?lms@%6RS>=j;cM*v?s>C3g{U_X@akpO{Kch{0~o60>>Ej<6$y
z|5pvWgLd!zyDfQp1-#t?-tIHM=VtdP#`pe@;p-?saQvK5`Zwp%smHQ7a`v>XqFi!u
z(3D5FI7i=_5_4_%Yx&DCY4P4)Jj?jrPaG6t*bF>YI9@uK#gViAw<>$A_;_my_}BqH
zmgUFCzu{l!!-(T5?B6IHm-`L{(;ovP)y#+TuJ9Abz!yw>>;NAs_&ECfHMH|I`kHft
zd_07D3UN?~L2c=5iTABc4%8?6JHx70Zduox4CB4OyrSF_nWy>;wV5XtV>j8=vnH(S
zg$mWD7u9AQqsmslU-gaOsC7KO4OdiDRI5I%tXm%MsX3aTj1LU<CHuqbg5*$gbr@^7
z>eGs9W+xlY6vCMut?JVn4E2pY7L~Epoffr`cz3ooV+r1)$$`d1IOz3Pdj0+?Z%xRH
zBV^U5RqNQZU>o9n32wi`YEw@Fut}fl)5<E2vb*A|qdnnJWhhjo`o{0oNbE*E{*bpu
z^%?Hf`uIRHT;ccD;OH6%dB^8#`#M*34J13sQW!qWRjMzGWnq6~cYG!K$%}TZlNnpp
zXROm6(4ka%gYYQZ^(yTFZ5$e6i!!a5aaq_Ojdv%*`q@3RCR3#@?AI-Xya1cMWjO=R
zHz5s?o17C|D|i+_;oNw>GGurDu-9^qs-peuN}SE*oB^MA=ySv&R|d_Gg2hTde=z#?
z2D84+^HM}b1$_^h-i^+##Judlyxjb^>9p>K>OQr7;&~ip6|zajdLiGxY|Z-4S(~ED
zKFhc}5cj=^`;X>x7k7b<!5DXeA#VBp08He3Mq4O7fHE~F?iHd^#=Qd;i)dB*UU2qa
z#Eo}~4ZROvf^MQ3s{7R9cEeqvaIq0W-xOtPRT1X8{OptL)9Q%DoCkaFvgPA3OFl-x
z#|iMU)y&7RB_B=$AI3b`vnlI4hmWWTNIp#OD`!uDkNx1|hPDHY$_<^!$FSssZH)Co
zzEAu->)Rp^er6f>e#HGA;vO`|U1pj8g@(9|c`)~&Z5{+=+>e;@;622B8gZA5H8Hl_
zJSda-ujc`MQ<SNJqDJ4s@jQquY`WGe51x!x+pPzWTk>&Qw2%70N0pfmeGhZt^GM_V
z=`?(=0#<6yShOnpEq#Bi`!??vp3US#amu)VA{|tj6S&ep%WY5!=jZu_)oB%FYEC|u
zijW+aGZV*U6yHtWE{hefKlzPyv_qjy+BWV}_cmACow-&?+XpOdyVjpP>V`SPJ~jU{
z*QM+TVSHP9u21tojGDu9sdB)I=eNti^D=z*ntb8!Uf11n{rLFh@YX7-Wo-LQu`QFl
zAvVVqgp>W=q{sFw_T1U;O__8S+;?*8#qr~6zZyzmd?mmAe%c|f5|N(4HTX!~@9ypE
s8R|+T6Yh?6?u7P%TftXCK3o6cO-~hM%IxPv`A*Fg>=tE8+J!#;1NuuE@c;k-

literal 0
HcmV?d00001

diff --git a/tests/cfgs/default/result/1kxun.pcap.out b/tests/cfgs/default/result/1kxun.pcap.out
index fd3b717c753..6835750d597 100644
--- a/tests/cfgs/default/result/1kxun.pcap.out
+++ b/tests/cfgs/default/result/1kxun.pcap.out
@@ -5,7 +5,7 @@ DPI Packets (UDP):	120	(1.21 pkts/flow)
 Confidence Unknown          : 14 (flows)
 Confidence Match by port    : 6 (flows)
 Confidence DPI              : 177 (flows)
-Num dissector calls: 4587 (23.28 diss/flow)
+Num dissector calls: 4590 (23.30 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/60/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/443-chrome.pcap.out b/tests/cfgs/default/result/443-chrome.pcap.out
index 08d9fe4bae1..1585cba60ee 100644
--- a/tests/cfgs/default/result/443-chrome.pcap.out
+++ b/tests/cfgs/default/result/443-chrome.pcap.out
@@ -2,7 +2,7 @@ Guessed flow protos:	1
 
 DPI Packets (TCP):	1	(1.00 pkts/flow)
 Confidence Match by port    : 1 (flows)
-Num dissector calls: 126 (126.00 diss/flow)
+Num dissector calls: 127 (127.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/3/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/443-opvn.pcap.out b/tests/cfgs/default/result/443-opvn.pcap.out
index fdb862d63d2..9ab69b06617 100644
--- a/tests/cfgs/default/result/443-opvn.pcap.out
+++ b/tests/cfgs/default/result/443-opvn.pcap.out
@@ -2,7 +2,7 @@ Guessed flow protos:	0
 
 DPI Packets (TCP):	6	(6.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 127 (127.00 diss/flow)
+Num dissector calls: 128 (128.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/KakaoTalk_chat.pcap.out b/tests/cfgs/default/result/KakaoTalk_chat.pcap.out
index e9c1971fd10..be3f377c771 100644
--- a/tests/cfgs/default/result/KakaoTalk_chat.pcap.out
+++ b/tests/cfgs/default/result/KakaoTalk_chat.pcap.out
@@ -5,7 +5,7 @@ DPI Packets (UDP):	36	(2.00 pkts/flow)
 DPI Packets (other):	1	(1.00 pkts/flow)
 Confidence Match by port    : 5 (flows)
 Confidence DPI              : 33 (flows)
-Num dissector calls: 543 (14.29 diss/flow)
+Num dissector calls: 545 (14.34 diss/flow)
 LRU cache ookla:      0/1/0 (insert/search/found)
 LRU cache bittorrent: 0/15/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/KakaoTalk_talk.pcap.out b/tests/cfgs/default/result/KakaoTalk_talk.pcap.out
index 08d393d1aa8..2af665f1acd 100644
--- a/tests/cfgs/default/result/KakaoTalk_talk.pcap.out
+++ b/tests/cfgs/default/result/KakaoTalk_talk.pcap.out
@@ -5,7 +5,7 @@ DPI Packets (UDP):	10	(2.00 pkts/flow)
 Confidence Match by port    : 8 (flows)
 Confidence DPI              : 11 (flows)
 Confidence Match by IP      : 1 (flows)
-Num dissector calls: 1116 (55.80 diss/flow)
+Num dissector calls: 1120 (56.00 diss/flow)
 LRU cache ookla:      0/2/0 (insert/search/found)
 LRU cache bittorrent: 0/27/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/Oscar.pcap.out b/tests/cfgs/default/result/Oscar.pcap.out
index f7c9c08d6bb..600ae5dd6f8 100644
--- a/tests/cfgs/default/result/Oscar.pcap.out
+++ b/tests/cfgs/default/result/Oscar.pcap.out
@@ -2,7 +2,7 @@ Guessed flow protos:	1
 
 DPI Packets (TCP):	21	(21.00 pkts/flow)
 Confidence Match by port    : 1 (flows)
-Num dissector calls: 252 (252.00 diss/flow)
+Num dissector calls: 253 (253.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/3/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/alexa-app.pcapng.out b/tests/cfgs/default/result/alexa-app.pcapng.out
index 38f7cff2cb3..79ed70f2c3e 100644
--- a/tests/cfgs/default/result/alexa-app.pcapng.out
+++ b/tests/cfgs/default/result/alexa-app.pcapng.out
@@ -5,7 +5,7 @@ DPI Packets (UDP):	64	(1.94 pkts/flow)
 DPI Packets (other):	6	(1.00 pkts/flow)
 Confidence Match by port    : 14 (flows)
 Confidence DPI              : 146 (flows)
-Num dissector calls: 502 (3.14 diss/flow)
+Num dissector calls: 503 (3.14 diss/flow)
 LRU cache ookla:      0/5/0 (insert/search/found)
 LRU cache bittorrent: 0/42/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/amqp.pcap.out b/tests/cfgs/default/result/amqp.pcap.out
index f22e409c3f6..8696ff34043 100644
--- a/tests/cfgs/default/result/amqp.pcap.out
+++ b/tests/cfgs/default/result/amqp.pcap.out
@@ -2,7 +2,7 @@ Guessed flow protos:	0
 
 DPI Packets (TCP):	9	(3.00 pkts/flow)
 Confidence DPI              : 3 (flows)
-Num dissector calls: 373 (124.33 diss/flow)
+Num dissector calls: 374 (124.67 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/anyconnect-vpn.pcap.out b/tests/cfgs/default/result/anyconnect-vpn.pcap.out
index 71137dbc792..d0361f19378 100644
--- a/tests/cfgs/default/result/anyconnect-vpn.pcap.out
+++ b/tests/cfgs/default/result/anyconnect-vpn.pcap.out
@@ -6,7 +6,7 @@ DPI Packets (other):	10	(1.00 pkts/flow)
 Confidence Unknown          : 2 (flows)
 Confidence Match by port    : 6 (flows)
 Confidence DPI              : 61 (flows)
-Num dissector calls: 850 (12.32 diss/flow)
+Num dissector calls: 851 (12.33 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/24/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/beckhoff_ads.pcapng.out b/tests/cfgs/default/result/beckhoff_ads.pcapng.out
new file mode 100644
index 00000000000..e833327ee01
--- /dev/null
+++ b/tests/cfgs/default/result/beckhoff_ads.pcapng.out
@@ -0,0 +1,28 @@
+Guessed flow protos:	0
+
+DPI Packets (TCP):	4	(4.00 pkts/flow)
+Confidence DPI              : 1 (flows)
+Num dissector calls: 1 (1.00 diss/flow)
+LRU cache ookla:      0/0/0 (insert/search/found)
+LRU cache bittorrent: 0/0/0 (insert/search/found)
+LRU cache zoom:       0/0/0 (insert/search/found)
+LRU cache stun:       0/0/0 (insert/search/found)
+LRU cache tls_cert:   0/0/0 (insert/search/found)
+LRU cache mining:     0/0/0 (insert/search/found)
+LRU cache msteams:    0/0/0 (insert/search/found)
+LRU cache stun_zoom:  0/0/0 (insert/search/found)
+Automa host:          0/0 (search/found)
+Automa domain:        0/0 (search/found)
+Automa tls cert:      0/0 (search/found)
+Automa risk mask:     0/0 (search/found)
+Automa common alpns:  0/0 (search/found)
+Patricia risk mask:   0/0 (search/found)
+Patricia risk mask IPv6: 0/0 (search/found)
+Patricia risk:        0/0 (search/found)
+Patricia risk IPv6:   0/0 (search/found)
+Patricia protocols:   2/0 (search/found)
+Patricia protocols IPv6: 0/0 (search/found)
+
+BeckhoffADS	50	6032	1
+
+	1	TCP 192.168.1.99:49201 <-> 192.168.1.8:48898 [proto: 365/BeckhoffADS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 4][cat: IoT-Scada/31][26 pkts/2788 bytes <-> 24 pkts/3244 bytes][Goodput ratio: 49/60][26.29 sec][bytes ratio: -0.076 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1250/1381 25613/25812 5448/5759][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 107/135 150/762 31/139][PLAIN TEXT (Device 5 )][Plen Bins: 0,76,15,4,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/cfgs/default/result/bittorrent_tcp_miss.pcapng.out b/tests/cfgs/default/result/bittorrent_tcp_miss.pcapng.out
index 511d026325c..bf6e046450c 100644
--- a/tests/cfgs/default/result/bittorrent_tcp_miss.pcapng.out
+++ b/tests/cfgs/default/result/bittorrent_tcp_miss.pcapng.out
@@ -2,7 +2,7 @@ Guessed flow protos:	0
 
 DPI Packets (TCP):	10	(10.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 227 (227.00 diss/flow)
+Num dissector calls: 228 (228.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 5/0/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/cassandra.pcap.out b/tests/cfgs/default/result/cassandra.pcap.out
index a9c049d01b5..cf5310c5794 100644
--- a/tests/cfgs/default/result/cassandra.pcap.out
+++ b/tests/cfgs/default/result/cassandra.pcap.out
@@ -2,7 +2,7 @@ Guessed flow protos:	0
 
 DPI Packets (TCP):	16	(8.00 pkts/flow)
 Confidence DPI              : 2 (flows)
-Num dissector calls: 306 (153.00 diss/flow)
+Num dissector calls: 308 (154.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/cloudflare-warp.pcap.out b/tests/cfgs/default/result/cloudflare-warp.pcap.out
index 0b8932d0714..08df35a4c7a 100644
--- a/tests/cfgs/default/result/cloudflare-warp.pcap.out
+++ b/tests/cfgs/default/result/cloudflare-warp.pcap.out
@@ -4,7 +4,7 @@ DPI Packets (TCP):	41	(5.12 pkts/flow)
 Confidence Match by port    : 2 (flows)
 Confidence DPI              : 5 (flows)
 Confidence Match by IP      : 1 (flows)
-Num dissector calls: 183 (22.88 diss/flow)
+Num dissector calls: 184 (23.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/9/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/custom_rules_ipv6.pcapng.out b/tests/cfgs/default/result/custom_rules_ipv6.pcapng.out
index 71d4c1d8f41..16549195b0d 100644
--- a/tests/cfgs/default/result/custom_rules_ipv6.pcapng.out
+++ b/tests/cfgs/default/result/custom_rules_ipv6.pcapng.out
@@ -29,8 +29,8 @@ CustomProtocolF	1	1287	1
 CustomProtocolG	1	318	1
 CustomProtocolH	1	318	1
 
-	1	UDP [247f:855b:5e16:3caf:3f2c:4134:9592:661b]:100 -> [21bc:b273:7f68:88d7:77a8:585:3990:927b]:1991 [proto: 375/CustomProtocolE][IP: 375/CustomProtocolE][ClearText][Confidence: Unknown][DPI packets: 1][1 pkts/1287 bytes -> 0 pkts/0 bytes][Goodput ratio: 95/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0]
-	2	UDP [247f:855b:5e16:3caf:3f2c:4134:9592:661b]:36098 -> [21bc:b273:7f68:88d7:77a8:585:3990:927b]:50621 [proto: 376/CustomProtocolF][IP: 376/CustomProtocolF][ClearText][Confidence: Unknown][DPI packets: 1][1 pkts/1287 bytes -> 0 pkts/0 bytes][Goodput ratio: 95/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0]
-	3	UDP [3ffe:507::1:200:86ff:fe05:80da]:21554 <-> [3ffe:501:4819::42]:5333 [proto: 374/CustomProtocolD][IP: 374/CustomProtocolD][ClearText][Confidence: Unknown][DPI packets: 1][1 pkts/90 bytes <-> 1 pkts/510 bytes][Goodput ratio: 31/88][0.07 sec][PLAIN TEXT (itojun)][Plen Bins: 50,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	4	UDP [fe80::76ac:b9ff:fe6c:c124]:12717 -> [ff02::1]:64315 [proto: 377/CustomProtocolG][IP: 377/CustomProtocolG][ClearText][Confidence: Unknown][DPI packets: 1][1 pkts/318 bytes -> 0 pkts/0 bytes][Goodput ratio: 80/0][< 1 sec][PLAIN TEXT (BZ.qca956)][Plen Bins: 0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	5	UDP [fe80::76ac:b9ff:fe6c:c124]:12718 -> [ff02::1]:26993 [proto: 378/CustomProtocolH][IP: 378/CustomProtocolH][ClearText][Confidence: Unknown][DPI packets: 1][1 pkts/318 bytes -> 0 pkts/0 bytes][Goodput ratio: 80/0][< 1 sec][PLAIN TEXT (BZ.qca956)][Plen Bins: 0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	1	UDP [247f:855b:5e16:3caf:3f2c:4134:9592:661b]:100 -> [21bc:b273:7f68:88d7:77a8:585:3990:927b]:1991 [proto: 376/CustomProtocolE][IP: 376/CustomProtocolE][ClearText][Confidence: Unknown][DPI packets: 1][1 pkts/1287 bytes -> 0 pkts/0 bytes][Goodput ratio: 95/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0]
+	2	UDP [247f:855b:5e16:3caf:3f2c:4134:9592:661b]:36098 -> [21bc:b273:7f68:88d7:77a8:585:3990:927b]:50621 [proto: 377/CustomProtocolF][IP: 377/CustomProtocolF][ClearText][Confidence: Unknown][DPI packets: 1][1 pkts/1287 bytes -> 0 pkts/0 bytes][Goodput ratio: 95/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0]
+	3	UDP [3ffe:507::1:200:86ff:fe05:80da]:21554 <-> [3ffe:501:4819::42]:5333 [proto: 375/CustomProtocolD][IP: 375/CustomProtocolD][ClearText][Confidence: Unknown][DPI packets: 1][1 pkts/90 bytes <-> 1 pkts/510 bytes][Goodput ratio: 31/88][0.07 sec][PLAIN TEXT (itojun)][Plen Bins: 50,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	4	UDP [fe80::76ac:b9ff:fe6c:c124]:12717 -> [ff02::1]:64315 [proto: 378/CustomProtocolG][IP: 378/CustomProtocolG][ClearText][Confidence: Unknown][DPI packets: 1][1 pkts/318 bytes -> 0 pkts/0 bytes][Goodput ratio: 80/0][< 1 sec][PLAIN TEXT (BZ.qca956)][Plen Bins: 0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	5	UDP [fe80::76ac:b9ff:fe6c:c124]:12718 -> [ff02::1]:26993 [proto: 379/CustomProtocolH][IP: 379/CustomProtocolH][ClearText][Confidence: Unknown][DPI packets: 1][1 pkts/318 bytes -> 0 pkts/0 bytes][Goodput ratio: 80/0][< 1 sec][PLAIN TEXT (BZ.qca956)][Plen Bins: 0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/cfgs/default/result/custom_rules_same-ip_multiple_ports.pcapng.out b/tests/cfgs/default/result/custom_rules_same-ip_multiple_ports.pcapng.out
index b49c07032d2..33e11b83399 100644
--- a/tests/cfgs/default/result/custom_rules_same-ip_multiple_ports.pcapng.out
+++ b/tests/cfgs/default/result/custom_rules_same-ip_multiple_ports.pcapng.out
@@ -27,6 +27,6 @@ CustomProtocolA	3	222	1
 CustomProtocolB	2	148	1
 Unknown	3	222	1
 
-	1	TCP 192.168.1.245:56866 -> 3.3.3.3:443 [proto: 91.371/TLS.CustomProtocolA][IP: 371/CustomProtocolA][Encrypted][Confidence: Unknown][DPI packets: 1][cat: Web/5][3 pkts/222 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][3.05 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	2	TCP 192.168.1.245:58288 -> 3.3.3.3:446 [proto: 400/CustomProtocolC][IP: 373/Unknown][Encrypted][Confidence: Unknown][DPI packets: 1][3 pkts/222 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][3.04 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	3	TCP 192.168.1.245:59682 -> 3.3.3.3:444 [proto: 372/CustomProtocolB][IP: 372/CustomProtocolB][ClearText][Confidence: Unknown][DPI packets: 1][2 pkts/148 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][1.02 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	1	TCP 192.168.1.245:56866 -> 3.3.3.3:443 [proto: 91.372/TLS.CustomProtocolA][IP: 372/CustomProtocolA][Encrypted][Confidence: Unknown][DPI packets: 1][cat: Web/5][3 pkts/222 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][3.05 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	2	TCP 192.168.1.245:58288 -> 3.3.3.3:446 [proto: 400/CustomProtocolC][IP: 374/Unknown][Encrypted][Confidence: Unknown][DPI packets: 1][3 pkts/222 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][3.04 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	3	TCP 192.168.1.245:59682 -> 3.3.3.3:444 [proto: 373/CustomProtocolB][IP: 373/CustomProtocolB][ClearText][Confidence: Unknown][DPI packets: 1][2 pkts/148 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][1.02 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/cfgs/default/result/edonkey.pcap.out b/tests/cfgs/default/result/edonkey.pcap.out
index d010428c359..87d15019a6f 100644
--- a/tests/cfgs/default/result/edonkey.pcap.out
+++ b/tests/cfgs/default/result/edonkey.pcap.out
@@ -2,7 +2,7 @@ Guessed flow protos:	0
 
 DPI Packets (TCP):	5	(5.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 129 (129.00 diss/flow)
+Num dissector calls: 130 (130.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/emotet.pcap.out b/tests/cfgs/default/result/emotet.pcap.out
index 2972f3d66a4..89a26d86bc5 100644
--- a/tests/cfgs/default/result/emotet.pcap.out
+++ b/tests/cfgs/default/result/emotet.pcap.out
@@ -2,7 +2,7 @@ Guessed flow protos:	0
 
 DPI Packets (TCP):	48	(8.00 pkts/flow)
 Confidence DPI              : 6 (flows)
-Num dissector calls: 195 (32.50 diss/flow)
+Num dissector calls: 196 (32.67 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/fastcgi.pcap.out b/tests/cfgs/default/result/fastcgi.pcap.out
index f1e0a3c8f30..5eca667500d 100644
--- a/tests/cfgs/default/result/fastcgi.pcap.out
+++ b/tests/cfgs/default/result/fastcgi.pcap.out
@@ -2,7 +2,7 @@ Guessed flow protos:	0
 
 DPI Packets (TCP):	6	(6.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 154 (154.00 diss/flow)
+Num dissector calls: 155 (155.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/ftp-start-tls.pcap.out b/tests/cfgs/default/result/ftp-start-tls.pcap.out
index 79b704b1172..dd2504f65d4 100644
--- a/tests/cfgs/default/result/ftp-start-tls.pcap.out
+++ b/tests/cfgs/default/result/ftp-start-tls.pcap.out
@@ -2,7 +2,7 @@ Guessed flow protos:	0
 
 DPI Packets (TCP):	17	(17.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 154 (154.00 diss/flow)
+Num dissector calls: 155 (155.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/ftp.pcap.out b/tests/cfgs/default/result/ftp.pcap.out
index 17711657345..e1e0d3b9b5f 100644
--- a/tests/cfgs/default/result/ftp.pcap.out
+++ b/tests/cfgs/default/result/ftp.pcap.out
@@ -3,7 +3,7 @@ Guessed flow protos:	1
 DPI Packets (TCP):	39	(13.00 pkts/flow)
 Confidence Unknown          : 1 (flows)
 Confidence DPI              : 2 (flows)
-Num dissector calls: 521 (173.67 diss/flow)
+Num dissector calls: 523 (174.33 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/3/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/ftp_failed.pcap.out b/tests/cfgs/default/result/ftp_failed.pcap.out
index 6ed0842c535..191654ef864 100644
--- a/tests/cfgs/default/result/ftp_failed.pcap.out
+++ b/tests/cfgs/default/result/ftp_failed.pcap.out
@@ -2,7 +2,7 @@ Guessed flow protos:	0
 
 DPI Packets (TCP):	8	(8.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 154 (154.00 diss/flow)
+Num dissector calls: 155 (155.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/fuzz-2006-06-26-2594.pcap.out b/tests/cfgs/default/result/fuzz-2006-06-26-2594.pcap.out
index 6cb9815fde4..6f9cf6a1a2c 100644
--- a/tests/cfgs/default/result/fuzz-2006-06-26-2594.pcap.out
+++ b/tests/cfgs/default/result/fuzz-2006-06-26-2594.pcap.out
@@ -6,7 +6,7 @@ DPI Packets (other):	5	(1.00 pkts/flow)
 Confidence Unknown          : 34 (flows)
 Confidence Match by port    : 27 (flows)
 Confidence DPI              : 190 (flows)
-Num dissector calls: 6535 (26.04 diss/flow)
+Num dissector calls: 6547 (26.08 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/189/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/fuzz-2006-09-29-28586.pcap.out b/tests/cfgs/default/result/fuzz-2006-09-29-28586.pcap.out
index bea71d27c63..bfaa194ae70 100644
--- a/tests/cfgs/default/result/fuzz-2006-09-29-28586.pcap.out
+++ b/tests/cfgs/default/result/fuzz-2006-09-29-28586.pcap.out
@@ -5,7 +5,7 @@ DPI Packets (other):	1	(1.00 pkts/flow)
 Confidence Unknown          : 3 (flows)
 Confidence Match by port    : 26 (flows)
 Confidence DPI              : 11 (flows)
-Num dissector calls: 992 (24.80 diss/flow)
+Num dissector calls: 998 (24.95 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/87/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/fuzz-2021-10-13.pcap.out b/tests/cfgs/default/result/fuzz-2021-10-13.pcap.out
index 47102aac33a..9151d97ab52 100644
--- a/tests/cfgs/default/result/fuzz-2021-10-13.pcap.out
+++ b/tests/cfgs/default/result/fuzz-2021-10-13.pcap.out
@@ -2,7 +2,7 @@ Guessed flow protos:	1
 
 DPI Packets (TCP):	1	(1.00 pkts/flow)
 Confidence Unknown          : 1 (flows)
-Num dissector calls: 125 (125.00 diss/flow)
+Num dissector calls: 126 (126.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/3/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/google_ssl.pcap.out b/tests/cfgs/default/result/google_ssl.pcap.out
index c1bb0aa4e26..7065aff7e77 100644
--- a/tests/cfgs/default/result/google_ssl.pcap.out
+++ b/tests/cfgs/default/result/google_ssl.pcap.out
@@ -2,7 +2,7 @@ Guessed flow protos:	1
 
 DPI Packets (TCP):	24	(24.00 pkts/flow)
 Confidence Match by port    : 1 (flows)
-Num dissector calls: 192 (192.00 diss/flow)
+Num dissector calls: 193 (193.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/3/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/http_guessed_host_and_guessed.pcapng.out b/tests/cfgs/default/result/http_guessed_host_and_guessed.pcapng.out
index 18241f6682a..af971925360 100644
--- a/tests/cfgs/default/result/http_guessed_host_and_guessed.pcapng.out
+++ b/tests/cfgs/default/result/http_guessed_host_and_guessed.pcapng.out
@@ -2,7 +2,7 @@ Guessed flow protos:	1
 
 DPI Packets (TCP):	1	(1.00 pkts/flow)
 Confidence Match by port    : 1 (flows)
-Num dissector calls: 126 (126.00 diss/flow)
+Num dissector calls: 127 (127.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/3/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/imap-starttls.pcap.out b/tests/cfgs/default/result/imap-starttls.pcap.out
index 03f80584746..6afddd69994 100644
--- a/tests/cfgs/default/result/imap-starttls.pcap.out
+++ b/tests/cfgs/default/result/imap-starttls.pcap.out
@@ -2,7 +2,7 @@ Guessed flow protos:	0
 
 DPI Packets (TCP):	19	(19.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 202 (202.00 diss/flow)
+Num dissector calls: 203 (203.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/imap.pcap.out b/tests/cfgs/default/result/imap.pcap.out
index 85d00b2ca10..dc4984c12c4 100644
--- a/tests/cfgs/default/result/imap.pcap.out
+++ b/tests/cfgs/default/result/imap.pcap.out
@@ -2,7 +2,7 @@ Guessed flow protos:	0
 
 DPI Packets (TCP):	11	(11.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 202 (202.00 diss/flow)
+Num dissector calls: 203 (203.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/instagram.pcap.out b/tests/cfgs/default/result/instagram.pcap.out
index a3bbb69b5aa..8f3aae63066 100644
--- a/tests/cfgs/default/result/instagram.pcap.out
+++ b/tests/cfgs/default/result/instagram.pcap.out
@@ -6,7 +6,7 @@ DPI Packets (other):	1	(1.00 pkts/flow)
 Confidence Unknown          : 1 (flows)
 Confidence Match by port    : 7 (flows)
 Confidence DPI              : 30 (flows)
-Num dissector calls: 1356 (35.68 diss/flow)
+Num dissector calls: 1360 (35.79 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/24/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/irc.pcap.out b/tests/cfgs/default/result/irc.pcap.out
index 2d645d1c070..bcc8e33b588 100644
--- a/tests/cfgs/default/result/irc.pcap.out
+++ b/tests/cfgs/default/result/irc.pcap.out
@@ -2,7 +2,7 @@ Guessed flow protos:	0
 
 DPI Packets (TCP):	7	(7.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 160 (160.00 diss/flow)
+Num dissector calls: 161 (161.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/jabber.pcap.out b/tests/cfgs/default/result/jabber.pcap.out
index 8f977969ebf..6bba6ddc1ae 100644
--- a/tests/cfgs/default/result/jabber.pcap.out
+++ b/tests/cfgs/default/result/jabber.pcap.out
@@ -2,7 +2,7 @@ Guessed flow protos:	0
 
 DPI Packets (TCP):	74	(6.17 pkts/flow)
 Confidence DPI              : 12 (flows)
-Num dissector calls: 1436 (119.67 diss/flow)
+Num dissector calls: 1445 (120.42 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/kerberos.pcap.out b/tests/cfgs/default/result/kerberos.pcap.out
index b9a09e9b70e..9ff1ceecf82 100644
--- a/tests/cfgs/default/result/kerberos.pcap.out
+++ b/tests/cfgs/default/result/kerberos.pcap.out
@@ -4,7 +4,7 @@ DPI Packets (TCP):	77	(2.14 pkts/flow)
 Confidence Unknown          : 2 (flows)
 Confidence Match by port    : 23 (flows)
 Confidence DPI              : 11 (flows)
-Num dissector calls: 3958 (109.94 diss/flow)
+Num dissector calls: 3983 (110.64 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/75/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/log4j-webapp-exploit.pcap.out b/tests/cfgs/default/result/log4j-webapp-exploit.pcap.out
index 1cc167f37de..fbb5083f024 100644
--- a/tests/cfgs/default/result/log4j-webapp-exploit.pcap.out
+++ b/tests/cfgs/default/result/log4j-webapp-exploit.pcap.out
@@ -3,7 +3,7 @@ Guessed flow protos:	2
 DPI Packets (TCP):	56	(8.00 pkts/flow)
 Confidence Unknown          : 2 (flows)
 Confidence DPI              : 5 (flows)
-Num dissector calls: 352 (50.29 diss/flow)
+Num dissector calls: 353 (50.43 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/6/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/memcached.cap.out b/tests/cfgs/default/result/memcached.cap.out
index 1546ab9e2e6..8f39dd55f91 100644
--- a/tests/cfgs/default/result/memcached.cap.out
+++ b/tests/cfgs/default/result/memcached.cap.out
@@ -2,7 +2,7 @@ Guessed flow protos:	0
 
 DPI Packets (TCP):	6	(6.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 127 (127.00 diss/flow)
+Num dissector calls: 128 (128.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/mongo_false_positive.pcapng.out b/tests/cfgs/default/result/mongo_false_positive.pcapng.out
index f266c2ace29..bbabd9b99c5 100644
--- a/tests/cfgs/default/result/mongo_false_positive.pcapng.out
+++ b/tests/cfgs/default/result/mongo_false_positive.pcapng.out
@@ -2,7 +2,7 @@ Guessed flow protos:	1
 
 DPI Packets (TCP):	14	(14.00 pkts/flow)
 Confidence Match by port    : 1 (flows)
-Num dissector calls: 265 (265.00 diss/flow)
+Num dissector calls: 266 (266.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/3/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/mssql_tds.pcap.out b/tests/cfgs/default/result/mssql_tds.pcap.out
index 7842943eab1..08f16306ef0 100644
--- a/tests/cfgs/default/result/mssql_tds.pcap.out
+++ b/tests/cfgs/default/result/mssql_tds.pcap.out
@@ -3,7 +3,7 @@ Guessed flow protos:	1
 DPI Packets (TCP):	18	(1.50 pkts/flow)
 Confidence Match by port    : 1 (flows)
 Confidence DPI              : 11 (flows)
-Num dissector calls: 268 (22.33 diss/flow)
+Num dissector calls: 269 (22.42 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/3/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/nest_log_sink.pcap.out b/tests/cfgs/default/result/nest_log_sink.pcap.out
index 104134fdef7..4012d3deefa 100644
--- a/tests/cfgs/default/result/nest_log_sink.pcap.out
+++ b/tests/cfgs/default/result/nest_log_sink.pcap.out
@@ -4,7 +4,7 @@ DPI Packets (TCP):	130	(10.00 pkts/flow)
 DPI Packets (UDP):	2	(2.00 pkts/flow)
 Confidence Match by port    : 1 (flows)
 Confidence DPI              : 13 (flows)
-Num dissector calls: 1873 (133.79 diss/flow)
+Num dissector calls: 1885 (134.64 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/3/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/netbios.pcap.out b/tests/cfgs/default/result/netbios.pcap.out
index 207fca0f56c..00614a1caf0 100644
--- a/tests/cfgs/default/result/netbios.pcap.out
+++ b/tests/cfgs/default/result/netbios.pcap.out
@@ -4,7 +4,7 @@ DPI Packets (TCP):	2	(2.00 pkts/flow)
 DPI Packets (UDP):	14	(1.00 pkts/flow)
 Confidence Match by port    : 1 (flows)
 Confidence DPI              : 14 (flows)
-Num dissector calls: 140 (9.33 diss/flow)
+Num dissector calls: 141 (9.40 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/3/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/nntp.pcap.out b/tests/cfgs/default/result/nntp.pcap.out
index 1cfd2f159d1..e977e40eec0 100644
--- a/tests/cfgs/default/result/nntp.pcap.out
+++ b/tests/cfgs/default/result/nntp.pcap.out
@@ -2,7 +2,7 @@ Guessed flow protos:	0
 
 DPI Packets (TCP):	6	(6.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 133 (133.00 diss/flow)
+Num dissector calls: 134 (134.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/ookla.pcap.out b/tests/cfgs/default/result/ookla.pcap.out
index 7e67e722a39..bb652460356 100644
--- a/tests/cfgs/default/result/ookla.pcap.out
+++ b/tests/cfgs/default/result/ookla.pcap.out
@@ -4,7 +4,7 @@ DPI Packets (TCP):	40	(6.67 pkts/flow)
 Confidence DPI (partial cache): 1 (flows)
 Confidence DPI              : 4 (flows)
 Confidence DPI (aggressive) : 1 (flows)
-Num dissector calls: 515 (85.83 diss/flow)
+Num dissector calls: 518 (86.33 diss/flow)
 LRU cache ookla:      4/2/2 (insert/search/found)
 LRU cache bittorrent: 0/3/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/openvpn.pcap.out b/tests/cfgs/default/result/openvpn.pcap.out
index f8a733e8790..5b471ac44e9 100644
--- a/tests/cfgs/default/result/openvpn.pcap.out
+++ b/tests/cfgs/default/result/openvpn.pcap.out
@@ -3,7 +3,7 @@ Guessed flow protos:	0
 DPI Packets (TCP):	6	(6.00 pkts/flow)
 DPI Packets (UDP):	5	(2.50 pkts/flow)
 Confidence DPI              : 3 (flows)
-Num dissector calls: 421 (140.33 diss/flow)
+Num dissector calls: 422 (140.67 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/oracle12.pcapng.out b/tests/cfgs/default/result/oracle12.pcapng.out
index e0d79d599f0..20c93ff3901 100644
--- a/tests/cfgs/default/result/oracle12.pcapng.out
+++ b/tests/cfgs/default/result/oracle12.pcapng.out
@@ -2,7 +2,7 @@ Guessed flow protos:	1
 
 DPI Packets (TCP):	20	(20.00 pkts/flow)
 Confidence Match by port    : 1 (flows)
-Num dissector calls: 257 (257.00 diss/flow)
+Num dissector calls: 258 (258.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/3/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/ossfuzz_seed_fake_traces_1.pcapng.out b/tests/cfgs/default/result/ossfuzz_seed_fake_traces_1.pcapng.out
index ea5a00cbce0..aaaddde6c61 100644
--- a/tests/cfgs/default/result/ossfuzz_seed_fake_traces_1.pcapng.out
+++ b/tests/cfgs/default/result/ossfuzz_seed_fake_traces_1.pcapng.out
@@ -3,7 +3,7 @@ Guessed flow protos:	0
 DPI Packets (TCP):	8	(1.33 pkts/flow)
 DPI Packets (UDP):	9	(2.25 pkts/flow)
 Confidence DPI              : 10 (flows)
-Num dissector calls: 714 (71.40 diss/flow)
+Num dissector calls: 716 (71.60 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/6/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/ossfuzz_seed_fake_traces_2.pcapng.out b/tests/cfgs/default/result/ossfuzz_seed_fake_traces_2.pcapng.out
index f6c24b3b738..3b56315dbc9 100644
--- a/tests/cfgs/default/result/ossfuzz_seed_fake_traces_2.pcapng.out
+++ b/tests/cfgs/default/result/ossfuzz_seed_fake_traces_2.pcapng.out
@@ -4,7 +4,7 @@ DPI Packets (TCP):	18	(6.00 pkts/flow)
 DPI Packets (UDP):	4	(2.00 pkts/flow)
 Confidence Match by port    : 1 (flows)
 Confidence DPI              : 4 (flows)
-Num dissector calls: 653 (130.60 diss/flow)
+Num dissector calls: 656 (131.20 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/3/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/pgsql.pcap.out b/tests/cfgs/default/result/pgsql.pcap.out
index 2b88959e06d..c455c371391 100644
--- a/tests/cfgs/default/result/pgsql.pcap.out
+++ b/tests/cfgs/default/result/pgsql.pcap.out
@@ -2,7 +2,7 @@ Guessed flow protos:	0
 
 DPI Packets (TCP):	36	(6.00 pkts/flow)
 Confidence DPI              : 6 (flows)
-Num dissector calls: 762 (127.00 diss/flow)
+Num dissector calls: 768 (128.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/pop3.pcap.out b/tests/cfgs/default/result/pop3.pcap.out
index 1cff630773b..77200497b72 100644
--- a/tests/cfgs/default/result/pop3.pcap.out
+++ b/tests/cfgs/default/result/pop3.pcap.out
@@ -2,7 +2,7 @@ Guessed flow protos:	2
 
 DPI Packets (TCP):	83	(13.83 pkts/flow)
 Confidence DPI              : 6 (flows)
-Num dissector calls: 1148 (191.33 diss/flow)
+Num dissector calls: 1154 (192.33 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/pop3_stls.pcap.out b/tests/cfgs/default/result/pop3_stls.pcap.out
index 0db917b8041..e93b56165ca 100644
--- a/tests/cfgs/default/result/pop3_stls.pcap.out
+++ b/tests/cfgs/default/result/pop3_stls.pcap.out
@@ -2,7 +2,7 @@ Guessed flow protos:	0
 
 DPI Packets (TCP):	18	(18.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 193 (193.00 diss/flow)
+Num dissector calls: 194 (194.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/protobuf.pcap.out b/tests/cfgs/default/result/protobuf.pcap.out
index 970003272de..e0851ae9393 100644
--- a/tests/cfgs/default/result/protobuf.pcap.out
+++ b/tests/cfgs/default/result/protobuf.pcap.out
@@ -2,7 +2,7 @@ Guessed flow protos:	0
 
 DPI Packets (TCP):	26	(5.20 pkts/flow)
 Confidence DPI              : 5 (flows)
-Num dissector calls: 696 (139.20 diss/flow)
+Num dissector calls: 697 (139.40 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/reasm_crash_anon.pcapng.out b/tests/cfgs/default/result/reasm_crash_anon.pcapng.out
index 78b1c0cfbae..99eadd45f0c 100644
--- a/tests/cfgs/default/result/reasm_crash_anon.pcapng.out
+++ b/tests/cfgs/default/result/reasm_crash_anon.pcapng.out
@@ -2,7 +2,7 @@ Guessed flow protos:	1
 
 DPI Packets (TCP):	23	(23.00 pkts/flow)
 Confidence Unknown          : 1 (flows)
-Num dissector calls: 247 (247.00 diss/flow)
+Num dissector calls: 248 (248.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/3/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/reasm_segv_anon.pcapng.out b/tests/cfgs/default/result/reasm_segv_anon.pcapng.out
index 3a6a39aba2c..1219c1a1bc7 100644
--- a/tests/cfgs/default/result/reasm_segv_anon.pcapng.out
+++ b/tests/cfgs/default/result/reasm_segv_anon.pcapng.out
@@ -2,7 +2,7 @@ Guessed flow protos:	1
 
 DPI Packets (TCP):	21	(21.00 pkts/flow)
 Confidence Match by port    : 1 (flows)
-Num dissector calls: 195 (195.00 diss/flow)
+Num dissector calls: 196 (196.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/3/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/riot.pcapng.out b/tests/cfgs/default/result/riot.pcapng.out
index 0180dd330a7..0fabee9f86b 100644
--- a/tests/cfgs/default/result/riot.pcapng.out
+++ b/tests/cfgs/default/result/riot.pcapng.out
@@ -3,7 +3,7 @@ Guessed flow protos:	1
 DPI Packets (TCP):	7	(3.50 pkts/flow)
 Confidence Match by port    : 1 (flows)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 184 (92.00 diss/flow)
+Num dissector calls: 185 (92.50 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/3/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/rsh.pcap.out b/tests/cfgs/default/result/rsh.pcap.out
index a5ff9b6ab0e..6676b5a155a 100644
--- a/tests/cfgs/default/result/rsh.pcap.out
+++ b/tests/cfgs/default/result/rsh.pcap.out
@@ -2,7 +2,7 @@ Guessed flow protos:	0
 
 DPI Packets (TCP):	12	(6.00 pkts/flow)
 Confidence DPI              : 2 (flows)
-Num dissector calls: 302 (151.00 diss/flow)
+Num dissector calls: 304 (152.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/rtmp.pcap.out b/tests/cfgs/default/result/rtmp.pcap.out
index ae542217e22..f1a57191c47 100644
--- a/tests/cfgs/default/result/rtmp.pcap.out
+++ b/tests/cfgs/default/result/rtmp.pcap.out
@@ -2,7 +2,7 @@ Guessed flow protos:	0
 
 DPI Packets (TCP):	8	(8.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 156 (156.00 diss/flow)
+Num dissector calls: 157 (157.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/s7comm-plus.pcap.out b/tests/cfgs/default/result/s7comm-plus.pcap.out
index b0fee849bda..21f8860e45e 100644
--- a/tests/cfgs/default/result/s7comm-plus.pcap.out
+++ b/tests/cfgs/default/result/s7comm-plus.pcap.out
@@ -2,7 +2,7 @@ Guessed flow protos:	0
 
 DPI Packets (TCP):	9	(9.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 172 (172.00 diss/flow)
+Num dissector calls: 173 (173.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/s7comm.pcap.out b/tests/cfgs/default/result/s7comm.pcap.out
index 3b1358e95ad..c64a11f4cf0 100644
--- a/tests/cfgs/default/result/s7comm.pcap.out
+++ b/tests/cfgs/default/result/s7comm.pcap.out
@@ -2,7 +2,7 @@ Guessed flow protos:	0
 
 DPI Packets (TCP):	3	(3.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 174 (174.00 diss/flow)
+Num dissector calls: 175 (175.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/shadowsocks.pcap.out b/tests/cfgs/default/result/shadowsocks.pcap.out
index f1d013d379b..904d01ea58e 100644
--- a/tests/cfgs/default/result/shadowsocks.pcap.out
+++ b/tests/cfgs/default/result/shadowsocks.pcap.out
@@ -3,7 +3,7 @@ Guessed flow protos:	1
 DPI Packets (TCP):	21	(10.50 pkts/flow)
 Confidence Unknown          : 1 (flows)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 333 (166.50 diss/flow)
+Num dissector calls: 335 (167.50 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/3/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/skype.pcap.out b/tests/cfgs/default/result/skype.pcap.out
index f7f111e7ebb..4ebbb89d046 100644
--- a/tests/cfgs/default/result/skype.pcap.out
+++ b/tests/cfgs/default/result/skype.pcap.out
@@ -6,7 +6,7 @@ DPI Packets (other):	5	(1.00 pkts/flow)
 Confidence Unknown          : 59 (flows)
 Confidence Match by port    : 28 (flows)
 Confidence DPI              : 206 (flows)
-Num dissector calls: 26923 (91.89 diss/flow)
+Num dissector calls: 27009 (92.18 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/261/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/skype_no_unknown.pcap.out b/tests/cfgs/default/result/skype_no_unknown.pcap.out
index 95e1fbc4fce..7313a753423 100644
--- a/tests/cfgs/default/result/skype_no_unknown.pcap.out
+++ b/tests/cfgs/default/result/skype_no_unknown.pcap.out
@@ -6,7 +6,7 @@ DPI Packets (other):	5	(1.00 pkts/flow)
 Confidence Unknown          : 44 (flows)
 Confidence Match by port    : 22 (flows)
 Confidence DPI              : 201 (flows)
-Num dissector calls: 22439 (84.04 diss/flow)
+Num dissector calls: 22503 (84.28 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/198/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/smb_frags.pcap.out b/tests/cfgs/default/result/smb_frags.pcap.out
index 3db06b62a27..a14220c9855 100644
--- a/tests/cfgs/default/result/smb_frags.pcap.out
+++ b/tests/cfgs/default/result/smb_frags.pcap.out
@@ -2,7 +2,7 @@ Guessed flow protos:	0
 
 DPI Packets (TCP):	5	(5.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 155 (155.00 diss/flow)
+Num dissector calls: 156 (156.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/smbv1.pcap.out b/tests/cfgs/default/result/smbv1.pcap.out
index d3136baccf3..7bd6a571c3b 100644
--- a/tests/cfgs/default/result/smbv1.pcap.out
+++ b/tests/cfgs/default/result/smbv1.pcap.out
@@ -2,7 +2,7 @@ Guessed flow protos:	0
 
 DPI Packets (TCP):	3	(3.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 157 (157.00 diss/flow)
+Num dissector calls: 158 (158.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/smtp-starttls.pcap.out b/tests/cfgs/default/result/smtp-starttls.pcap.out
index c499535d1ae..edcc101acad 100644
--- a/tests/cfgs/default/result/smtp-starttls.pcap.out
+++ b/tests/cfgs/default/result/smtp-starttls.pcap.out
@@ -2,7 +2,7 @@ Guessed flow protos:	0
 
 DPI Packets (TCP):	26	(13.00 pkts/flow)
 Confidence DPI              : 2 (flows)
-Num dissector calls: 153 (76.50 diss/flow)
+Num dissector calls: 154 (77.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/smtp.pcap.out b/tests/cfgs/default/result/smtp.pcap.out
index 395863d36b0..834b17f68bd 100644
--- a/tests/cfgs/default/result/smtp.pcap.out
+++ b/tests/cfgs/default/result/smtp.pcap.out
@@ -2,7 +2,7 @@ Guessed flow protos:	0
 
 DPI Packets (TCP):	11	(11.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 196 (196.00 diss/flow)
+Num dissector calls: 197 (197.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/soap.pcap.out b/tests/cfgs/default/result/soap.pcap.out
index 4c0cb6fdcf2..c243c831571 100644
--- a/tests/cfgs/default/result/soap.pcap.out
+++ b/tests/cfgs/default/result/soap.pcap.out
@@ -3,7 +3,7 @@ Guessed flow protos:	2
 DPI Packets (TCP):	20	(6.67 pkts/flow)
 Confidence Match by port    : 1 (flows)
 Confidence DPI              : 2 (flows)
-Num dissector calls: 377 (125.67 diss/flow)
+Num dissector calls: 379 (126.33 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/3/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/socks.pcap.out b/tests/cfgs/default/result/socks.pcap.out
index f596d511c5b..de992048302 100644
--- a/tests/cfgs/default/result/socks.pcap.out
+++ b/tests/cfgs/default/result/socks.pcap.out
@@ -2,7 +2,7 @@ Guessed flow protos:	0
 
 DPI Packets (TCP):	23	(5.75 pkts/flow)
 Confidence DPI              : 4 (flows)
-Num dissector calls: 510 (127.50 diss/flow)
+Num dissector calls: 514 (128.50 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/starcraft_battle.pcap.out b/tests/cfgs/default/result/starcraft_battle.pcap.out
index 9264b8d07cd..96942f658d5 100644
--- a/tests/cfgs/default/result/starcraft_battle.pcap.out
+++ b/tests/cfgs/default/result/starcraft_battle.pcap.out
@@ -6,7 +6,7 @@ DPI Packets (other):	1	(1.00 pkts/flow)
 Confidence Match by port    : 12 (flows)
 Confidence DPI              : 39 (flows)
 Confidence Match by IP      : 1 (flows)
-Num dissector calls: 1520 (29.23 diss/flow)
+Num dissector calls: 1523 (29.29 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/39/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/synscan.pcap.out b/tests/cfgs/default/result/synscan.pcap.out
index d372f8f36e2..ceb80a55617 100644
--- a/tests/cfgs/default/result/synscan.pcap.out
+++ b/tests/cfgs/default/result/synscan.pcap.out
@@ -129,7 +129,7 @@ iSCSI	2	116	2
 	45	TCP 172.16.0.8:36050 -> 64.13.134.52:2605 [proto: 13/BGP][IP: 0/Unknown][ClearText][Confidence: Match by port][DPI packets: 1][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	46	TCP 172.16.0.8:36050 -> 64.13.134.52:3000 [proto: 26/ntop][IP: 0/Unknown][ClearText][Confidence: Match by port][DPI packets: 1][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	47	TCP 172.16.0.8:36050 -> 64.13.134.52:3128 [proto: 131/HTTP_Proxy][IP: 0/Unknown][ClearText][Confidence: Match by port][DPI packets: 1][cat: Web/5][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	48	TCP 172.16.0.8:36050 -> 64.13.134.52:3260 [proto: 365/iSCSI][IP: 0/Unknown][ClearText][Confidence: Match by port][DPI packets: 1][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	48	TCP 172.16.0.8:36050 -> 64.13.134.52:3260 [proto: 366/iSCSI][IP: 0/Unknown][ClearText][Confidence: Match by port][DPI packets: 1][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	49	TCP 172.16.0.8:36050 -> 64.13.134.52:3306 [proto: 20/MySQL][IP: 0/Unknown][ClearText][Confidence: Match by port][DPI packets: 1][cat: Database/11][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	50	TCP 172.16.0.8:36050 -> 64.13.134.52:3389 [proto: 88/RDP][IP: 0/Unknown][ClearText][Confidence: Match by port][DPI packets: 1][cat: RemoteAccess/12][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Desktop/File Sharing **** Unidirectional Traffic **][Risk Score: 20][Risk Info: No server to client traffic / Found RDP][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	51	TCP 172.16.0.8:36050 -> 64.13.134.52:4343 [proto: 170/Whois-DAS][IP: 0/Unknown][ClearText][Confidence: Match by port][DPI packets: 1][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
@@ -194,7 +194,7 @@ iSCSI	2	116	2
 	110	TCP 172.16.0.8:36051 -> 64.13.134.52:2605 [proto: 13/BGP][IP: 0/Unknown][ClearText][Confidence: Match by port][DPI packets: 1][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	111	TCP 172.16.0.8:36051 -> 64.13.134.52:3000 [proto: 26/ntop][IP: 0/Unknown][ClearText][Confidence: Match by port][DPI packets: 1][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	112	TCP 172.16.0.8:36051 -> 64.13.134.52:3128 [proto: 131/HTTP_Proxy][IP: 0/Unknown][ClearText][Confidence: Match by port][DPI packets: 1][cat: Web/5][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	113	TCP 172.16.0.8:36051 -> 64.13.134.52:3260 [proto: 365/iSCSI][IP: 0/Unknown][ClearText][Confidence: Match by port][DPI packets: 1][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	113	TCP 172.16.0.8:36051 -> 64.13.134.52:3260 [proto: 366/iSCSI][IP: 0/Unknown][ClearText][Confidence: Match by port][DPI packets: 1][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	114	TCP 172.16.0.8:36051 -> 64.13.134.52:3306 [proto: 20/MySQL][IP: 0/Unknown][ClearText][Confidence: Match by port][DPI packets: 1][cat: Database/11][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	115	TCP 172.16.0.8:36051 -> 64.13.134.52:3389 [proto: 88/RDP][IP: 0/Unknown][ClearText][Confidence: Match by port][DPI packets: 1][cat: RemoteAccess/12][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Desktop/File Sharing **** Unidirectional Traffic **][Risk Score: 20][Risk Info: No server to client traffic / Found RDP][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	116	TCP 172.16.0.8:36051 -> 64.13.134.52:4343 [proto: 170/Whois-DAS][IP: 0/Unknown][ClearText][Confidence: Match by port][DPI packets: 1][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/cfgs/default/result/teams.pcap.out b/tests/cfgs/default/result/teams.pcap.out
index d0eae360298..c27773c0a83 100644
--- a/tests/cfgs/default/result/teams.pcap.out
+++ b/tests/cfgs/default/result/teams.pcap.out
@@ -7,7 +7,7 @@ Confidence Unknown          : 1 (flows)
 Confidence Match by port    : 2 (flows)
 Confidence DPI (partial)    : 4 (flows)
 Confidence DPI              : 76 (flows)
-Num dissector calls: 513 (6.18 diss/flow)
+Num dissector calls: 514 (6.19 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/9/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/telegram_videocall.pcapng.out b/tests/cfgs/default/result/telegram_videocall.pcapng.out
index 36c6160e686..a8bafa378fc 100644
--- a/tests/cfgs/default/result/telegram_videocall.pcapng.out
+++ b/tests/cfgs/default/result/telegram_videocall.pcapng.out
@@ -7,7 +7,7 @@ Confidence Match by port    : 8 (flows)
 Confidence DPI (cache)      : 10 (flows)
 Confidence DPI              : 15 (flows)
 Confidence Match by IP      : 1 (flows)
-Num dissector calls: 1886 (55.47 diss/flow)
+Num dissector calls: 1894 (55.71 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/27/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/telnet.pcap.out b/tests/cfgs/default/result/telnet.pcap.out
index 1690e7d0b57..093882e4cc5 100644
--- a/tests/cfgs/default/result/telnet.pcap.out
+++ b/tests/cfgs/default/result/telnet.pcap.out
@@ -2,7 +2,7 @@ Guessed flow protos:	0
 
 DPI Packets (TCP):	33	(33.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 154 (154.00 diss/flow)
+Num dissector calls: 155 (155.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/threema.pcap.out b/tests/cfgs/default/result/threema.pcap.out
index dc0d2993544..83248747e57 100644
--- a/tests/cfgs/default/result/threema.pcap.out
+++ b/tests/cfgs/default/result/threema.pcap.out
@@ -3,7 +3,7 @@ Guessed flow protos:	2
 DPI Packets (TCP):	66	(11.00 pkts/flow)
 Confidence DPI              : 4 (flows)
 Confidence Match by IP      : 2 (flows)
-Num dissector calls: 1242 (207.00 diss/flow)
+Num dissector calls: 1248 (208.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/6/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/tinc.pcap.out b/tests/cfgs/default/result/tinc.pcap.out
index 4ebd12d6cb2..e50e4ecc19b 100644
--- a/tests/cfgs/default/result/tinc.pcap.out
+++ b/tests/cfgs/default/result/tinc.pcap.out
@@ -4,7 +4,7 @@ DPI Packets (TCP):	19	(9.50 pkts/flow)
 DPI Packets (UDP):	2	(1.00 pkts/flow)
 Confidence DPI (cache)      : 2 (flows)
 Confidence DPI              : 2 (flows)
-Num dissector calls: 508 (127.00 diss/flow)
+Num dissector calls: 510 (127.50 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/tls-appdata.pcap.out b/tests/cfgs/default/result/tls-appdata.pcap.out
index 49f0658b47e..5e35eea0f4d 100644
--- a/tests/cfgs/default/result/tls-appdata.pcap.out
+++ b/tests/cfgs/default/result/tls-appdata.pcap.out
@@ -2,7 +2,7 @@ Guessed flow protos:	1
 
 DPI Packets (TCP):	17	(8.50 pkts/flow)
 Confidence DPI              : 2 (flows)
-Num dissector calls: 128 (64.00 diss/flow)
+Num dissector calls: 129 (64.50 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/tls_certificate_too_long.pcap.out b/tests/cfgs/default/result/tls_certificate_too_long.pcap.out
index eec234c5a9a..baba0e0d2e1 100644
--- a/tests/cfgs/default/result/tls_certificate_too_long.pcap.out
+++ b/tests/cfgs/default/result/tls_certificate_too_long.pcap.out
@@ -6,7 +6,7 @@ DPI Packets (other):	2	(1.00 pkts/flow)
 Confidence Unknown          : 1 (flows)
 Confidence Match by port    : 1 (flows)
 Confidence DPI              : 33 (flows)
-Num dissector calls: 585 (16.71 diss/flow)
+Num dissector calls: 588 (16.80 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/6/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/tls_false_positives.pcapng.out b/tests/cfgs/default/result/tls_false_positives.pcapng.out
index 08438ab4496..0f800a8e169 100644
--- a/tests/cfgs/default/result/tls_false_positives.pcapng.out
+++ b/tests/cfgs/default/result/tls_false_positives.pcapng.out
@@ -2,7 +2,7 @@ Guessed flow protos:	1
 
 DPI Packets (TCP):	13	(13.00 pkts/flow)
 Confidence Unknown          : 1 (flows)
-Num dissector calls: 253 (253.00 diss/flow)
+Num dissector calls: 254 (254.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/3/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/tls_invalid_reads.pcap.out b/tests/cfgs/default/result/tls_invalid_reads.pcap.out
index 189d628ab18..054decbfbd8 100644
--- a/tests/cfgs/default/result/tls_invalid_reads.pcap.out
+++ b/tests/cfgs/default/result/tls_invalid_reads.pcap.out
@@ -3,7 +3,7 @@ Guessed flow protos:	2
 DPI Packets (TCP):	10	(3.33 pkts/flow)
 Confidence Match by port    : 1 (flows)
 Confidence DPI              : 2 (flows)
-Num dissector calls: 128 (42.67 diss/flow)
+Num dissector calls: 129 (43.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/3/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/tls_missing_ch_frag.pcap.out b/tests/cfgs/default/result/tls_missing_ch_frag.pcap.out
index f8f49ec876c..57e859a512c 100644
--- a/tests/cfgs/default/result/tls_missing_ch_frag.pcap.out
+++ b/tests/cfgs/default/result/tls_missing_ch_frag.pcap.out
@@ -2,7 +2,7 @@ Guessed flow protos:	0
 
 DPI Packets (TCP):	3	(3.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 127 (127.00 diss/flow)
+Num dissector calls: 128 (128.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/viber.pcap.out b/tests/cfgs/default/result/viber.pcap.out
index c8a7472b37e..20c898f8eda 100644
--- a/tests/cfgs/default/result/viber.pcap.out
+++ b/tests/cfgs/default/result/viber.pcap.out
@@ -5,7 +5,7 @@ DPI Packets (UDP):	27	(1.93 pkts/flow)
 DPI Packets (other):	2	(1.00 pkts/flow)
 Confidence Match by port    : 4 (flows)
 Confidence DPI              : 25 (flows)
-Num dissector calls: 452 (15.59 diss/flow)
+Num dissector calls: 453 (15.62 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/12/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/vnc.pcap.out b/tests/cfgs/default/result/vnc.pcap.out
index e2e49bbc654..281cf3cb70e 100644
--- a/tests/cfgs/default/result/vnc.pcap.out
+++ b/tests/cfgs/default/result/vnc.pcap.out
@@ -2,7 +2,7 @@ Guessed flow protos:	0
 
 DPI Packets (TCP):	10	(5.00 pkts/flow)
 Confidence DPI              : 2 (flows)
-Num dissector calls: 264 (132.00 diss/flow)
+Num dissector calls: 266 (133.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/wa_video.pcap.out b/tests/cfgs/default/result/wa_video.pcap.out
index d89c2f5e0ec..3ce819efcb7 100644
--- a/tests/cfgs/default/result/wa_video.pcap.out
+++ b/tests/cfgs/default/result/wa_video.pcap.out
@@ -5,7 +5,7 @@ DPI Packets (UDP):	13	(1.00 pkts/flow)
 Confidence DPI (cache)      : 2 (flows)
 Confidence DPI              : 11 (flows)
 Confidence Match by IP      : 1 (flows)
-Num dissector calls: 392 (28.00 diss/flow)
+Num dissector calls: 393 (28.07 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/3/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/waze.pcap.out b/tests/cfgs/default/result/waze.pcap.out
index 86095c95a29..ac5f0278446 100644
--- a/tests/cfgs/default/result/waze.pcap.out
+++ b/tests/cfgs/default/result/waze.pcap.out
@@ -5,7 +5,7 @@ DPI Packets (UDP):	1	(1.00 pkts/flow)
 Confidence Unknown          : 1 (flows)
 Confidence Match by port    : 9 (flows)
 Confidence DPI              : 23 (flows)
-Num dissector calls: 354 (10.73 diss/flow)
+Num dissector calls: 355 (10.76 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/30/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/wechat.pcap.out b/tests/cfgs/default/result/wechat.pcap.out
index 066cf159bf4..263b4645d66 100644
--- a/tests/cfgs/default/result/wechat.pcap.out
+++ b/tests/cfgs/default/result/wechat.pcap.out
@@ -6,7 +6,7 @@ DPI Packets (other):	7	(1.00 pkts/flow)
 Confidence Match by port    : 24 (flows)
 Confidence DPI              : 78 (flows)
 Confidence Match by IP      : 1 (flows)
-Num dissector calls: 309 (3.00 diss/flow)
+Num dissector calls: 310 (3.01 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/75/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/whatsapp.pcap.out b/tests/cfgs/default/result/whatsapp.pcap.out
index a4c26fcc7ab..c8bf1abdd8e 100644
--- a/tests/cfgs/default/result/whatsapp.pcap.out
+++ b/tests/cfgs/default/result/whatsapp.pcap.out
@@ -2,7 +2,7 @@ Guessed flow protos:	0
 
 DPI Packets (TCP):	344	(4.00 pkts/flow)
 Confidence DPI              : 86 (flows)
-Num dissector calls: 12556 (146.00 diss/flow)
+Num dissector calls: 12642 (147.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/whatsapp_login_chat.pcap.out b/tests/cfgs/default/result/whatsapp_login_chat.pcap.out
index cbede113f50..d0fc682ab7e 100644
--- a/tests/cfgs/default/result/whatsapp_login_chat.pcap.out
+++ b/tests/cfgs/default/result/whatsapp_login_chat.pcap.out
@@ -3,7 +3,7 @@ Guessed flow protos:	2
 DPI Packets (TCP):	17	(5.67 pkts/flow)
 DPI Packets (UDP):	7	(1.17 pkts/flow)
 Confidence DPI              : 9 (flows)
-Num dissector calls: 282 (31.33 diss/flow)
+Num dissector calls: 283 (31.44 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/whois.pcapng.out b/tests/cfgs/default/result/whois.pcapng.out
index 8f005a4582d..23f264e929f 100644
--- a/tests/cfgs/default/result/whois.pcapng.out
+++ b/tests/cfgs/default/result/whois.pcapng.out
@@ -3,7 +3,7 @@ Guessed flow protos:	1
 DPI Packets (TCP):	16	(5.33 pkts/flow)
 Confidence Match by port    : 1 (flows)
 Confidence DPI              : 2 (flows)
-Num dissector calls: 185 (61.67 diss/flow)
+Num dissector calls: 186 (62.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/3/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/z3950.pcapng.out b/tests/cfgs/default/result/z3950.pcapng.out
index 35dcc464a31..bfc6c9a750c 100644
--- a/tests/cfgs/default/result/z3950.pcapng.out
+++ b/tests/cfgs/default/result/z3950.pcapng.out
@@ -3,7 +3,7 @@ Guessed flow protos:	1
 DPI Packets (TCP):	26	(13.00 pkts/flow)
 Confidence Match by port    : 1 (flows)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 450 (225.00 diss/flow)
+Num dissector calls: 452 (226.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/3/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/zoom.pcap.out b/tests/cfgs/default/result/zoom.pcap.out
index c58deaf83ee..442f3896188 100644
--- a/tests/cfgs/default/result/zoom.pcap.out
+++ b/tests/cfgs/default/result/zoom.pcap.out
@@ -5,7 +5,7 @@ DPI Packets (UDP):	23	(1.35 pkts/flow)
 DPI Packets (other):	2	(1.00 pkts/flow)
 Confidence Match by port    : 2 (flows)
 Confidence DPI              : 31 (flows)
-Num dissector calls: 659 (19.97 diss/flow)
+Num dissector calls: 661 (20.03 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/6/0 (insert/search/found)
 LRU cache zoom:       7/0/0 (insert/search/found)
diff --git a/tests/cfgs/disable_aggressiveness/result/ookla.pcap.out b/tests/cfgs/disable_aggressiveness/result/ookla.pcap.out
index 5d7c8564823..a5c77e7fb92 100644
--- a/tests/cfgs/disable_aggressiveness/result/ookla.pcap.out
+++ b/tests/cfgs/disable_aggressiveness/result/ookla.pcap.out
@@ -3,7 +3,7 @@ Guessed flow protos:	1
 DPI Packets (TCP):	40	(6.67 pkts/flow)
 Confidence DPI (partial cache): 1 (flows)
 Confidence DPI              : 5 (flows)
-Num dissector calls: 515 (85.83 diss/flow)
+Num dissector calls: 518 (86.33 diss/flow)
 LRU cache ookla:      4/1/1 (insert/search/found)
 LRU cache bittorrent: 0/3/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/disable_protocols/result/soap.pcap.out b/tests/cfgs/disable_protocols/result/soap.pcap.out
index 71b6ef12b92..6e624a4cde5 100644
--- a/tests/cfgs/disable_protocols/result/soap.pcap.out
+++ b/tests/cfgs/disable_protocols/result/soap.pcap.out
@@ -3,7 +3,7 @@ Guessed flow protos:	3
 DPI Packets (TCP):	20	(6.67 pkts/flow)
 Confidence Match by port    : 2 (flows)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 367 (122.33 diss/flow)
+Num dissector calls: 369 (123.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/6/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/enable_payload_stat/result/1kxun.pcap.out b/tests/cfgs/enable_payload_stat/result/1kxun.pcap.out
index fb72cd941d0..d99b485213d 100644
--- a/tests/cfgs/enable_payload_stat/result/1kxun.pcap.out
+++ b/tests/cfgs/enable_payload_stat/result/1kxun.pcap.out
@@ -5,7 +5,7 @@ DPI Packets (UDP):	120	(1.21 pkts/flow)
 Confidence Unknown          : 14 (flows)
 Confidence Match by port    : 6 (flows)
 Confidence DPI              : 177 (flows)
-Num dissector calls: 4587 (23.28 diss/flow)
+Num dissector calls: 4590 (23.30 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/60/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/windows/nDPI.vcxproj b/windows/nDPI.vcxproj
index 2caba13d603..f435a0cfc07 100644
--- a/windows/nDPI.vcxproj
+++ b/windows/nDPI.vcxproj
@@ -337,6 +337,7 @@
     <ClCompile Include="..\src\lib\protocols\opc-ua.c" />
     <ClCompile Include="..\src\lib\protocols\fins.c" />
     <ClCompile Include="..\src\lib\protocols\ethersio.c" />
+    <ClCompile Include="..\src\lib\protocols\beckhoff_ads.c" />
     <ClCompile Include="..\src\lib\third_party\src\gcrypt_light.c" />
     <ClCompile Include="..\src\lib\third_party\src\libcache.c" />
     <ClCompile Include="..\src\lib\third_party\src\libinjection_html5.c" />
diff --git a/windows/nDPI.vcxproj.filters b/windows/nDPI.vcxproj.filters
index d5c3dba0adb..d7e118f3173 100644
--- a/windows/nDPI.vcxproj.filters
+++ b/windows/nDPI.vcxproj.filters
@@ -119,6 +119,7 @@
     <ClCompile Include="..\src\lib\protocols\opc-ua.c" />
     <ClCompile Include="..\src\lib\protocols\fins.c" />
     <ClCompile Include="..\src\lib\protocols\ethersio.c" />
+    <ClCompile Include="..\src\lib\protocols\beckhoff_ads.c" />
     <ClCompile Include="src\getopt.c" />
     <ClCompile Include="src\win-gettimeofday.c" />
     <ClCompile Include="..\src\lib\ndpi_analyze.c" />

From f1274c7179513262ea5cb70a7cd77302a1b16589 Mon Sep 17 00:00:00 2001
From: 0xA50C1A1 <mage.wizard.88@gmail.com>
Date: Wed, 29 Nov 2023 02:49:26 +0300
Subject: [PATCH 2/3] Remove redundant le32toh

---
 src/lib/protocols/beckhoff_ads.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/src/lib/protocols/beckhoff_ads.c b/src/lib/protocols/beckhoff_ads.c
index 17a36b02156..755945e212e 100644
--- a/src/lib/protocols/beckhoff_ads.c
+++ b/src/lib/protocols/beckhoff_ads.c
@@ -82,14 +82,12 @@ static void ndpi_search_beckhoff_ads(struct ndpi_detection_module_struct *ndpi_s
     if (le32toh(ams->length) == ams_data_len) {
       /* Just additional checks to avoid potential 
        * false positives */
-      if ((le32toh(ams->state_flags) != 0x0004) &&
-          (le32toh(ams->state_flags) != 0x0005))
+      if ((ams->state_flags != 0x0004) && (ams->state_flags != 0x0005))
       {
         goto not_beckhoff_ads;
       }
       
-      if ((le32toh(ams->command_id) > 0x0009) ||
-          ((le32toh(ams->error_code) > 0x0000001E)))
+      if ((ams->command_id > 0x0009) || (ams->error_code > 0x0000001E))
       {
         goto not_beckhoff_ads;
       }

From 9a7c1a6ea35f29c51a95799cc7b52ae4c2ebb5bc Mon Sep 17 00:00:00 2001
From: 0xA50C1A1 <mage.wizard.88@gmail.com>
Date: Thu, 30 Nov 2023 07:57:20 +0300
Subject: [PATCH 3/3] Fix detection on big-endian architectures

---
 src/lib/protocols/beckhoff_ads.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/src/lib/protocols/beckhoff_ads.c b/src/lib/protocols/beckhoff_ads.c
index 755945e212e..ea32871162b 100644
--- a/src/lib/protocols/beckhoff_ads.c
+++ b/src/lib/protocols/beckhoff_ads.c
@@ -38,10 +38,19 @@ struct ams_tcp_hdr {
 } PACK_OFF;
 
 struct ams_hdr {
+#if defined(__LITTLE_ENDIAN__)
   u_int64_t target_netid : 48;
   u_int64_t target_port : 16;
   u_int64_t source_netid : 48;
   u_int64_t source_port : 16;
+#elif defined(__BIG_ENDIAN__)
+  u_int64_t target_port : 16;
+  u_int64_t target_netid : 48;
+  u_int64_t source_port : 16;
+  u_int64_t source_netid : 48;
+#else
+#error "Missing endian macro definitions."
+#endif
   u_int16_t command_id;
   u_int16_t state_flags;
   u_int32_t length;
@@ -82,12 +91,14 @@ static void ndpi_search_beckhoff_ads(struct ndpi_detection_module_struct *ndpi_s
     if (le32toh(ams->length) == ams_data_len) {
       /* Just additional checks to avoid potential 
        * false positives */
-      if ((ams->state_flags != 0x0004) && (ams->state_flags != 0x0005))
+      if ((le16toh(ams->state_flags) != 0x0004) && 
+          (le16toh(ams->state_flags) != 0x0005))
       {
         goto not_beckhoff_ads;
       }
       
-      if ((ams->command_id > 0x0009) || (ams->error_code > 0x0000001E))
+      if ((le16toh(ams->command_id) > 0x0009) || 
+          (le32toh(ams->error_code) > 0x0000001E))
       {
         goto not_beckhoff_ads;
       }