From 51fdde70e05ec479c870d7abea366b18897ca681 Mon Sep 17 00:00:00 2001 From: Toni Uhlig Date: Fri, 24 May 2024 17:59:26 +0200 Subject: [PATCH 1/2] Improved Kafka dissector. * detect more Kafka request packet's * requires less flow memory * same detection behavior as before e.g. no asym detection implemented (can be done by dissecting responses, requires more effort) Signed-off-by: Toni Uhlig --- src/include/ndpi_typedefs.h | 6 --- src/lib/protocols/kafka.c | 51 +++++++++++++-------- tests/cfgs/default/pcap/kafka.pcap | Bin 0 -> 5816 bytes tests/cfgs/default/result/kafka.pcap.out | 37 +++++++++++++++ tests/cfgs/default/result/kafka.pcapng.out | 6 +-- 5 files changed, 72 insertions(+), 28 deletions(-) create mode 100644 tests/cfgs/default/pcap/kafka.pcap create mode 100644 tests/cfgs/default/result/kafka.pcap.out diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index ffc98ecd141..a2e10878fdb 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h @@ -835,9 +835,6 @@ struct ndpi_flow_tcp_struct { /* NDPI_PROTOCOL_SSH */ u_int32_t ssh_stage:3; - /* NDPI_PROTOCOL_KAFKA */ - u_int32_t kafka_stage:1; - /* NDPI_PROTOCOL_VNC */ u_int32_t vnc_stage:2; // 0 - 3 @@ -891,9 +888,6 @@ struct ndpi_flow_tcp_struct { /* NDPI_PROTOCOL_RADMIN */ u_int32_t radmin_stage:1; - - /* NDPI_PROTOCOL_KAFKA */ - u_int32_t kafka_correlation_id; }; /* ************************************************** */ diff --git a/src/lib/protocols/kafka.c b/src/lib/protocols/kafka.c index cffd1f32f6e..abf0ae3ca9a 100644 --- a/src/lib/protocols/kafka.c +++ b/src/lib/protocols/kafka.c 
@@ -29,6 +29,14 @@
 #include "ndpi_api.h"
 #include "ndpi_private.h"
 
+static void ndpi_int_kafka_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
+                                          struct ndpi_flow_struct *flow)
+{
+  NDPI_LOG_INFO(ndpi_struct, "found Apache Kafka\n");
+  ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_APACHE_KAFKA,
+                             NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
+}
+
 static void ndpi_search_kafka(struct ndpi_detection_module_struct *ndpi_struct,
                               struct ndpi_flow_struct *flow)
 {
@@ -41,32 +49,37 @@ static void ndpi_search_kafka(struct ndpi_detection_module_struct *ndpi_struct, * API keys: https://kafka.apache.org/protocol.html#protocol_api_keys * API versions: https://cwiki.apache.org/confluence/display/KAFKA/Kafka+APIs */ - if (packet->payload_packet_len > 40 && - ntohl(get_u_int32_t(packet->payload, 0)) == (u_int32_t)(packet->payload_packet_len-4)) + if (packet->payload_packet_len < 8 /* min. required packet length */ || + ntohl(get_u_int32_t(packet->payload, 0)) != (uint32_t)(packet->payload_packet_len - 4)) + { + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + return; + } + + /* Request */ + if (ntohs(get_u_int16_t(packet->payload, 4)) < 75 && /* API key */ + ntohs(get_u_int16_t(packet->payload, 6)) < 16 /* API version */) { - /* Request */ - if (!flow->l4.tcp.kafka_stage && - current_pkt_from_client_to_server(ndpi_struct, flow) && - ntohs(get_u_int16_t(packet->payload, 4)) < 75 && /* API key */ - ntohs(get_u_int16_t(packet->payload, 6)) < 16 /* API version */) + if (packet->payload_packet_len < 14) { - flow->l4.tcp.kafka_correlation_id = ntohl(get_u_int16_t(packet->payload, 8)); - flow->l4.tcp.kafka_stage = 1; - return; + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + return; } - /* Response */ - if (flow->l4.tcp.kafka_stage == 1 && - current_pkt_from_server_to_client(ndpi_struct, flow)) + const uint16_t client_id_len = ntohs(get_u_int16_t(packet->payload, 12)); + if (client_id_len + 12 + 2 > packet->payload_packet_len) { - if (ntohl(get_u_int16_t(packet->payload, 4)) == flow->l4.tcp.kafka_correlation_id) - { - NDPI_LOG_INFO(ndpi_struct, "found Apache Kafka\n"); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_APACHE_KAFKA, - NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; - } } + if (ndpi_is_printable_buffer(&packet->payload[14], client_id_len) == 0) + { + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + return; + } + + ndpi_int_kafka_add_connection(ndpi_struct, flow); + return; } 
NDPI_EXCLUDE_PROTO(ndpi_struct, flow); 
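Review bot: The rewritten request branch drops the `current_pkt_from_client_to_server(ndpi_struct, flow)` guard that the removed code had, so a flow is now classified as Kafka with DPI confidence from a single packet in either direction on a fairly loose header match (length field equals payload length minus 4, API key < 75, API version < 16, printable client id), which is more exposed to false positives on other length-prefixed protocols than the old client-request plus correlated-response pairing; if the direction check was not dropped on purpose, restoring it as `if (current_pkt_from_client_to_server(ndpi_struct, flow) && ntohs(get_u_int16_t(packet->payload, 4)) < 75 && /* API key */` keeps the rest of the branch unchanged, and if it was dropped deliberately to catch mid-stream flows a one-line comment saying so would help the next reader. If I recall the wire format correctly the request header's client_id is a nullable string whose length -1 (0xFFFF) means null, so `client_id_len + 12 + 2 > packet->payload_packet_len` silently excludes such requests — worth confirming that is intended. When `client_id_len` is 0 the outcome depends on what `ndpi_is_printable_buffer` returns for a zero-length buffer, which is not visible here and should be checked so an empty client id is not excluded by accident. As a point of style, the new lines mix `uint16_t`/`uint32_t` with the `u_int16_t`/`u_int32_t` spelling used elsewhere in this file. The body of ndpi_search_kafka starts before this hunk.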
diff --git a/tests/cfgs/default/pcap/kafka.pcap b/tests/cfgs/default/pcap/kafka.pcap new file mode 100644 index 0000000000000000000000000000000000000000..c99f1099585d6ffd5df945873082d860d4ad50e4 GIT binary patch literal 5816 zcmeHLdvH|M89#UPAO^@oA%vH?*`*jD+3dq4o1Fv_n4(b3|u#N!zTO6-6bIw z+a+#!OwkenW!iKmXi8DBSO%hHL?gr48K)J;s_+NxghVM1VbZDXR0k&gedq3FH%pco zow3X~oSpOCbG~!;e6Qd6&N(-I^5pajjIr8^1v3OZMXni5m>~V@IuVqiu?;4JWZlY?;fu zVWU`TG#hP}WLC~HufK|6mc4pWiYYA!8mb~+u-5}V0l zHA$uOU=J0tk8GO~d5(^%?NszPp;GDnI)$A#*IZkTHq~!(7C!!F0n1tFud7UBKZb** zy;H@iQr~hP%*vJz-pj5Ggbd*m?km~-+mF~oxx%HE0Z0+j((~NbT>jiyaEGVD3k*_o_&d`$%>_+j(>a~N=}b_8 z&EoCZpgMLhr{qN)6G4+%K5y$eHE=qI(;tB*vAMi`AEyPJQuuXjKBo&fEd&)<5h!Cu zPK!A;feOsbsfBZ_oT{EH=j{qkD~S#uM&z!YoW z57Or>DizXa-O7TDV`x*2#}hl)f1cy%i?Mh*x)*qQjPP`DtE$hrhg;W>PM9Nz+Jy?+ zlPZotERswz>673KQqJ>%XBK_i?9|3v{|jzCO_q@%8Rk4&_0oh_9c!eZG#x(GSfw z4M%;5+mXx>F)@x(77>m%ild<^pZ;*3jP28hfS{8(!TxWU6byB-)wwK&-FTb2RPK+FnMo zxBh<7j>LOe)kEah?q5g!diG0_3;EN@uODDJ&|U_)+ekiot03S2>YcrePPX66UN%R^ z{mTv@e*2HlJf%aQYCLv?ujal$*!dm5k5CNvh=y==-__-NR!J|@I(6gZNAb&dU-^9a zfo`1ng|{&`-8^(Ru!CbGHnw}VfjR!!mWHVaA^zY*pgoc4mbgDE(U`*47f;l`h1d8~ zyTq#3S-c~3(IrRtD)}e+pvxl%f|AFtx9iQNHnXkFW;K=R3-yZZkX`L^Q#>E92c%{h z>}tOvn#)B~sohdyHpflk1H8Y-|(e!VXcglbTu$l-IlWk=AbfE|$AWyKZj#1PF3j#F~D+$u*^8$7?_YgQzWSMrc~ zn!*?eO3g70yZ-6P>F^(6gVuO2Diy*=cfqVvKSP^p{CSnNb=qi+Kk;F7jqec&AJu&$ znW5aS++Y0`Q2|DPj}pQO=AhdaVer;)zzdAMR*@f#H2S@$q~Bl!Go)Wr*_>1FqEGcE z4F6&7Uc&GJqn7_v43A_&$3c!^+%Q!Pk7SXK=ygH>VL0hKV3^+?@m~~yZktS(_gQE= zHK-7FSM+MnsAbfm;cFyTxSEsz!#2ciJPZ>*5r%Ezl1G=0rmKXd)V#An6yskDCI*J^0 zkj3-eE-BwVk_7>j@A$$VR|RMmEw5GRqges$UR2UgJMX;$f0_PvB02GS?=yTqs7n3% zb 172.30.0.237:9092 [proto: 377/Kafka][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: RPC/16][3 pkts/1408 bytes <-> 2 pkts/254 bytes][Goodput ratio: 86/48][0.58 sec][Risk: ** Probing attempt **][Risk Score: 50][Risk Info: No server to client traffic / TCP connection with unidirectional traffic][PLAIN TEXT (timestamp)][Plen Bins: 
0,40,0,0,0,0,0,0,0,0,0,40,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 2 TCP 172.30.0.237:9092 <-> 172.16.17.101:58052 [proto: 377/Kafka][IP: 0/Unknown][ClearText][Confidence: Match by port][DPI packets: 5][cat: RPC/16][4 pkts/974 bytes <-> 1 pkts/110 bytes][Goodput ratio: 73/40][599.70 sec][PLAIN TEXT (172.30.0.237)][Plen Bins: 0,20,0,60,0,0,0,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 3 TCP 172.16.17.101:49280 <-> 172.30.0.237:9092 [proto: 377/Kafka][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: RPC/16][2 pkts/201 bytes <-> 3 pkts/788 bytes][Goodput ratio: 34/75][899.84 sec][Risk: ** Probing attempt **][Risk Score: 50][Risk Info: No server to client traffic / TCP connection with unidirectional traffic][PLAIN TEXT (172.30.0.237)][Plen Bins: 20,20,0,40,0,0,0,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 4 TCP 172.16.17.101:56556 <-> 172.30.0.237:9092 [proto: 377/Kafka][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: RPC/16][1 pkts/91 bytes <-> 1 pkts/416 bytes][Goodput ratio: 27/84][0.03 sec][Risk: ** Probing attempt **][Risk Score: 50][Risk Info: No server to client traffic / TCP connection with unidirectional traffic][Plen Bins: 50,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 5 TCP 172.16.17.101:40042 <-> 172.30.0.237:9092 [proto: 377/Kafka][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: RPC/16][1 pkts/110 bytes <-> 1 pkts/186 bytes][Goodput ratio: 40/64][0.03 sec][Risk: ** Probing attempt **][Risk Score: 50][Risk Info: No server to client traffic / TCP connection with unidirectional traffic][PLAIN TEXT (172.30.0.237)][Plen Bins: 0,50,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 6 TCP 172.16.17.101:53768 -> 172.30.0.237:9092 [proto: 377/Kafka][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 
1][cat: RPC/16][1 pkts/110 bytes -> 0 pkts/0 bytes][Goodput ratio: 40/0][< 1 sec][Risk: ** Unidirectional Traffic **** Probing attempt **][Risk Score: 60][Risk Info: No server to client traffic / TCP connection with unidirectional traffic][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 7 TCP 172.16.17.101:53052 -> 172.30.0.237:9092 [proto: 377/Kafka][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: RPC/16][1 pkts/91 bytes -> 0 pkts/0 bytes][Goodput ratio: 27/0][< 1 sec][Risk: ** Unidirectional Traffic **** Probing attempt **][Risk Score: 60][Risk Info: No server to client traffic / TCP connection with unidirectional traffic][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 8 TCP 172.16.17.101:58300 -> 172.30.0.237:9092 [proto: 377/Kafka][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: RPC/16][1 pkts/91 bytes -> 0 pkts/0 bytes][Goodput ratio: 27/0][< 1 sec][Risk: ** Unidirectional Traffic **** Probing attempt **][Risk Score: 60][Risk Info: No server to client traffic / TCP connection with unidirectional traffic][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/kafka.pcapng.out b/tests/cfgs/default/result/kafka.pcapng.out index ee0deb38df9..99a7d1174a1 100644 --- a/tests/cfgs/default/result/kafka.pcapng.out +++ b/tests/cfgs/default/result/kafka.pcapng.out @@ -1,6 +1,6 @@ -DPI Packets (TCP): 6 (6.00 pkts/flow) +DPI Packets (TCP): 4 (4.00 pkts/flow) Confidence DPI : 1 (flows) -Num dissector calls: 150 (150.00 diss/flow) +Num dissector calls: 1 (1.00 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) 
@@ -24,4 +24,4 @@ Kafka 19 2237 1 Acceptable 19 2237 1 - 1 TCP 127.0.0.1:46136 <-> 127.0.0.1:9092 [proto: 377/Kafka][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 6][cat: RPC/16][12 pkts/1107 bytes <-> 7 pkts/1130 bytes][Goodput ratio: 28/58][13.63 sec][bytes ratio: -0.010 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 800/288 6849/1049 2039/441][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 92/161 206/512 42/149][PLAIN TEXT (console)][Plen Bins: 12,38,12,12,12,0,0,0,0,0,0,0,0,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 1 TCP 127.0.0.1:46136 <-> 127.0.0.1:9092 [proto: 377/Kafka][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 4][cat: RPC/16][12 pkts/1107 bytes <-> 7 pkts/1130 bytes][Goodput ratio: 28/58][13.63 sec][bytes ratio: -0.010 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 800/288 6849/1049 2039/441][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 92/161 206/512 42/149][Risk: ** Probing attempt **][Risk Score: 50][Risk Info: TCP connection with unidirectional traffic][PLAIN TEXT (console)][Plen Bins: 12,38,12,12,12,0,0,0,0,0,0,0,0,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] From 9a1561c5a5dae21e590c8dc967f961f6e435d19d Mon Sep 17 00:00:00 2001 From: Nardi Ivan Date: Mon, 27 May 2024 09:07:06 +0200 Subject: [PATCH 2/2] Merge kafka traces --- tests/cfgs/default/pcap/kafka.pcap | Bin 5816 -> 0 bytes tests/cfgs/default/pcap/kafka.pcapng | Bin 3240 -> 8676 bytes tests/cfgs/default/result/kafka.pcap.out | 37 --------------------- tests/cfgs/default/result/kafka.pcapng.out | 29 +++++++++++----- 4 files changed, 20 insertions(+), 46 deletions(-) delete mode 100644 tests/cfgs/default/pcap/kafka.pcap delete mode 100644 tests/cfgs/default/result/kafka.pcap.out 
diff --git a/tests/cfgs/default/pcap/kafka.pcap b/tests/cfgs/default/pcap/kafka.pcap deleted file mode 100644 index c99f1099585d6ffd5df945873082d860d4ad50e4..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 5816 zcmeHLdvH|M89#UPAO^@oA%vH?*`*jD+3dq4o1Fv_n4(b3|u#N!zTO6-6bIw z+a+#!OwkenW!iKmXi8DBSO%hHL?gr48K)J;s_+NxghVM1VbZDXR0k&gedq3FH%pco zow3X~oSpOCbG~!;e6Qd6&N(-I^5pajjIr8^1v3OZMXni5m>~V@IuVqiu?;4JWZlY?;fu zVWU`TG#hP}WLC~HufK|6mc4pWiYYA!8mb~+u-5}V0l zHA$uOU=J0tk8GO~d5(^%?NszPp;GDnI)$A#*IZkTHq~!(7C!!F0n1tFud7UBKZb** zy;H@iQr~hP%*vJz-pj5Ggbd*m?km~-+mF~oxx%HE0Z0+j((~NbT>jiyaEGVD3k*_o_&d`$%>_+j(>a~N=}b_8 z&EoCZpgMLhr{qN)6G4+%K5y$eHE=qI(;tB*vAMi`AEyPJQuuXjKBo&fEd&)<5h!Cu zPK!A;feOsbsfBZ_oT{EH=j{qkD~S#uM&z!YoW z57Or>DizXa-O7TDV`x*2#}hl)f1cy%i?Mh*x)*qQjPP`DtE$hrhg;W>PM9Nz+Jy?+ zlPZotERswz>673KQqJ>%XBK_i?9|3v{|jzCO_q@%8Rk4&_0oh_9c!eZG#x(GSfw z4M%;5+mXx>F)@x(77>m%ild<^pZ;*3jP28hfS{8(!TxWU6byB-)wwK&-FTb2RPK+FnMo zxBh<7j>LOe)kEah?q5g!diG0_3;EN@uODDJ&|U_)+ekiot03S2>YcrePPX66UN%R^ z{mTv@e*2HlJf%aQYCLv?ujal$*!dm5k5CNvh=y==-__-NR!J|@I(6gZNAb&dU-^9a zfo`1ng|{&`-8^(Ru!CbGHnw}VfjR!!mWHVaA^zY*pgoc4mbgDE(U`*47f;l`h1d8~ zyTq#3S-c~3(IrRtD)}e+pvxl%f|AFtx9iQNHnXkFW;K=R3-yZZkX`L^Q#>E92c%{h z>}tOvn#)B~sohdyHpflk1H8Y-|(e!VXcglbTu$l-IlWk=AbfE|$AWyKZj#1PF3j#F~D+$u*^8$7?_YgQzWSMrc~ zn!*?eO3g70yZ-6P>F^(6gVuO2Diy*=cfqVvKSP^p{CSnNb=qi+Kk;F7jqec&AJu&$ znW5aS++Y0`Q2|DPj}pQO=AhdaVer;)zzdAMR*@f#H2S@$q~Bl!Go)Wr*_>1FqEGcE z4F6&7Uc&GJqn7_v43A_&$3c!^+%Q!Pk7SXK=ygH>VL0hKV3^+?@m~~yZktS(_gQE= zHK-7FSM+MnsAbfm;cFyTxSEsz!#2ciJPZ>*5r%Ezl1G=0rmKXd)V#An6yskDCI*J^0 zkj3-eE-BwVk_7>j@A$$VR|RMmEw5GRqges$UR2UgJMX;$f0_PvB02GS?=yTqs7n3% zbej5_0Z zcK-9a_nz;6eCOPA&xS`tgl}YwmE_$tNrSRqPC+b=EwDN2S4&xXW0u~aGa9mW)mDeq zZ8Hb6QdVMhS6j^{mz28H=C*oPn%uS1rA&RgK1)iy&E}OFMBQaF*P5!W7RlrhS9Qkw z>+h*|cWe7WOocGmo)JZOnzxl4iscihsuF^SS ztQZcNa5SIghrVdv8y#cadjq@F=}T@oX1^43=#h?GU!3M*O((R~goP*AGhR7&>$?dU zG9X5`ii-AZ*R!hd#(>b3!L;2$%4a 
zTRMG&3;Y?rI3H`cD6oN>NBC$h!#Hbcbe6+&at^shi#(JCAs+*GG8Td#Lz@&Dg&);CUqS5EjMrXx#PejHr||qn-8>*AqGi>O%$tUHFq>DW=Zt3r58s=70M)#3u@ty#A0 zjQNYI`ThL4fXa(27ps4v;->wztvQ>> zwhpj?+xF`RCnoHF|5db>VVw0e`j6`X=F_*b4k+`E;um>w#iZf6x$S<6pRr_U{B)6s z-zyZqkM5DAwJagTldHIDR&d#xyK1Yi5OukY~l^+V9<0{Qw_x$NsLyZ0qP zC)wAJeSf}I^XP|Wo5G`Z#H}N$Pa2*_A#;gGC*D|h0|NeNi z2GEqqwskkpT~E{|xn^Hd^1nyP*JoN4U!VOrxn=u>I#%9LUaQ{IO67Ytb{k4-Fo?3J z-KF-m*hkZQT6vcd_QTK5T|fN0EPp=vb<=ML{d)Fe!Ug_B^6Lpq2YQzQcOBuQwG05e zAV0p#XlMJayvtIw+`nuW;|02n2tFwB%raD(rZjy0Ujxi@YC&Q4P zl$PYSnyt15tHr+`w|nr(itYlJTQbg;46}06vvLjDlH1edu{*0RxstTp>9$qd9FoUb zPgyJc8crtgA@6djL*q#K-gP<%^(dTGC3V#|zbh4 zanVy{GTZE;N2rZHm)lwGHq|*yb!48RFfMpa)vAu%r28Vm;XmRA&G9w}CF01Y)c8{m zpibhyUuCPBa%hhK?Bw7a-zpJ53flXkd~wZjPyZfK0Y|`(EaC~qpsy|B;K+2q4U9dP zmpB+{wA&!0Uzf}o($A8ea_UvINv`4W3savW4)4+{>!09oUlerg;vB{orr>a2H0g*| z699s>Bi@BZSq-gOnU|9ibJuEntFUSRR{ZnG)T-WLr3TJQM84yXb&8%)pTB@M0$ z=x&3Me#(AtH~eMz$Fbny_j~W){2)K{%Reao>UlZ2<;;O`In8S~^dd_Nlz&mIE7){^!H=|6U$~edM*tJzFi3 z3Ogz=wjH;Sf3lBmpYZhl;_msVlc*CvyUmMzp0H<(#al{4(vgF++smKR4vMvD3)ocy zUOK`3XM(k1;bl8-;d@L?5QT*>$j54|?qefiF-BN+db8EdVomrD zV5L>ZkHd8}rUp}J22Sbebx1mqZfg6TH!c~${`i@so3vTcP4@Ky_}b!&KGCbPpLE+T z#wH92dkn??qS}gXhBg-zO5$hlpT-*qQDI6zIXD)QUiXXCp-+&fys?D7Y4b z0>;sw4;W0G#mk5B@@c$$9M8mgJpS9^&rK8$OcKRp6c{C5w5EuHj^#0Cf+!>uz)M5{ zqZoKV5%sliOy6}Oc$LqL`!_nur#y)t3!dL7lk;dXPBmRjmUyR9Mv;% zR?m+&0YvL5uH}m7@ok} zLO%F0BSzteJO?esM;+n5=(&X|4iZ21403P_hEXv3u2lA}LYqXLIEFd)0AWl&7Z4*3 z7)!YknCHb&0s~)%<0&+dYv&+)KzWbwlJH0uvU?3g(MfNs>8(JUM4h-!rSV46NorJd z5_8WHj=8tlhk0=o?hN$pVYEZYzS)TD=;lwen^7lGCvKlNwuAfpWIzn^`AWsUO zIjtGA$kUo5uXf>fr`cquJv{x3!`K8zv2Nk~hID6HQ+<(n^@4j#R+pP^ZItg<>wLVu z^Pj6K3l6uoZ+(5*EvN0w&qChhnTGl3d2SckN3l@sOFVovyAW*>b>jAA#vbHxj!^8A zyFRhoGDZ6l{vHh*yS%OIcKT{?44G&vvM3p zpv5$lU2D?d;L3WU^pGk%wITP9`7`bf4I{+-Fpv2dML!YqFDeo9uAwonB>nJ4QDROd z0sjPZd&j(!kt1Nd$T7kLV#KJ|?55t~F(&-{ZzEvDXL3J3reMf^?t-6J_+r$1lco!0 jJDYj~+p+4IkuYLk;&zNyFl1k?fUnLC^%cjsATa(9`VJF3 delta 390 zcmaFjyh1XNi8U9SiNz3ET|+9Ba8-q^wk9tN183yP4(!7$? 
zqGE-DqWrSV6ri({Diu;79%W+S0ISt3k1l71vN?eISb*$uP{;xSE0B#0Kz0BCO;TnK diff --git a/tests/cfgs/default/result/kafka.pcap.out b/tests/cfgs/default/result/kafka.pcap.out deleted file mode 100644 index 7b5894e3471..00000000000 --- a/tests/cfgs/default/result/kafka.pcap.out +++ /dev/null 
@@ -1,37 +0,0 @@ -Guessed flow protos: 1 - -DPI Packets (TCP): 12 (1.50 pkts/flow) -Confidence Match by port : 1 (flows) -Confidence DPI : 7 (flows) -Num dissector calls: 221 (27.62 diss/flow) -LRU cache ookla: 0/0/0 (insert/search/found) -LRU cache bittorrent: 0/3/0 (insert/search/found) -LRU cache stun: 0/0/0 (insert/search/found) -LRU cache tls_cert: 0/0/0 (insert/search/found) -LRU cache mining: 0/1/0 (insert/search/found) -LRU cache msteams: 0/0/0 (insert/search/found) -LRU cache stun_zoom: 0/0/0 (insert/search/found) -Automa host: 0/0 (search/found) -Automa domain: 0/0 (search/found) -Automa tls cert: 0/0 (search/found) -Automa risk mask: 0/0 (search/found) -Automa common alpns: 0/0 (search/found) -Patricia risk mask: 14/0 (search/found) -Patricia risk mask IPv6: 0/0 (search/found) -Patricia risk: 0/0 (search/found) -Patricia risk IPv6: 0/0 (search/found) -Patricia protocols: 16/0 (search/found) -Patricia protocols IPv6: 0/0 (search/found) - -Kafka 22 4830 8 - -Acceptable 22 4830 8 - - 1 TCP 172.16.17.101:38176 <-> 172.30.0.237:9092 [proto: 377/Kafka][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: RPC/16][3 pkts/1408 bytes <-> 2 pkts/254 bytes][Goodput ratio: 86/48][0.58 sec][Risk: ** Probing attempt **][Risk Score: 50][Risk Info: No server to client traffic / TCP connection with unidirectional traffic][PLAIN TEXT (timestamp)][Plen Bins: 0,40,0,0,0,0,0,0,0,0,0,40,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 2 TCP 172.30.0.237:9092 <-> 172.16.17.101:58052 [proto: 377/Kafka][IP: 0/Unknown][ClearText][Confidence: Match by port][DPI packets: 5][cat: RPC/16][4 pkts/974 bytes <-> 1 pkts/110 bytes][Goodput ratio: 73/40][599.70 sec][PLAIN TEXT (172.30.0.237)][Plen Bins: 0,20,0,60,0,0,0,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 3 TCP 172.16.17.101:49280 <-> 172.30.0.237:9092 [proto: 377/Kafka][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: RPC/16][2 pkts/201 
bytes <-> 3 pkts/788 bytes][Goodput ratio: 34/75][899.84 sec][Risk: ** Probing attempt **][Risk Score: 50][Risk Info: No server to client traffic / TCP connection with unidirectional traffic][PLAIN TEXT (172.30.0.237)][Plen Bins: 20,20,0,40,0,0,0,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 4 TCP 172.16.17.101:56556 <-> 172.30.0.237:9092 [proto: 377/Kafka][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: RPC/16][1 pkts/91 bytes <-> 1 pkts/416 bytes][Goodput ratio: 27/84][0.03 sec][Risk: ** Probing attempt **][Risk Score: 50][Risk Info: No server to client traffic / TCP connection with unidirectional traffic][Plen Bins: 50,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 5 TCP 172.16.17.101:40042 <-> 172.30.0.237:9092 [proto: 377/Kafka][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: RPC/16][1 pkts/110 bytes <-> 1 pkts/186 bytes][Goodput ratio: 40/64][0.03 sec][Risk: ** Probing attempt **][Risk Score: 50][Risk Info: No server to client traffic / TCP connection with unidirectional traffic][PLAIN TEXT (172.30.0.237)][Plen Bins: 0,50,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 6 TCP 172.16.17.101:53768 -> 172.30.0.237:9092 [proto: 377/Kafka][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: RPC/16][1 pkts/110 bytes -> 0 pkts/0 bytes][Goodput ratio: 40/0][< 1 sec][Risk: ** Unidirectional Traffic **** Probing attempt **][Risk Score: 60][Risk Info: No server to client traffic / TCP connection with unidirectional traffic][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 7 TCP 172.16.17.101:53052 -> 172.30.0.237:9092 [proto: 377/Kafka][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: RPC/16][1 pkts/91 bytes -> 0 pkts/0 bytes][Goodput ratio: 27/0][< 1 sec][Risk: ** Unidirectional Traffic **** Probing attempt 
**][Risk Score: 60][Risk Info: No server to client traffic / TCP connection with unidirectional traffic][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 8 TCP 172.16.17.101:58300 -> 172.30.0.237:9092 [proto: 377/Kafka][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: RPC/16][1 pkts/91 bytes -> 0 pkts/0 bytes][Goodput ratio: 27/0][< 1 sec][Risk: ** Unidirectional Traffic **** Probing attempt **][Risk Score: 60][Risk Info: No server to client traffic / TCP connection with unidirectional traffic][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/kafka.pcapng.out b/tests/cfgs/default/result/kafka.pcapng.out index 99a7d1174a1..47bdc80f339 100644 --- a/tests/cfgs/default/result/kafka.pcapng.out +++ b/tests/cfgs/default/result/kafka.pcapng.out @@ -1,11 +1,14 @@ -DPI Packets (TCP): 4 (4.00 pkts/flow) -Confidence DPI : 1 (flows) -Num dissector calls: 1 (1.00 diss/flow) +Guessed flow protos: 1 + +DPI Packets (TCP): 16 (1.78 pkts/flow) +Confidence Match by port : 1 (flows) +Confidence DPI : 8 (flows) +Num dissector calls: 222 (24.67 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) -LRU cache bittorrent: 0/0/0 (insert/search/found) +LRU cache bittorrent: 0/3/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) LRU cache tls_cert: 0/0/0 (insert/search/found) -LRU cache mining: 0/0/0 (insert/search/found) +LRU cache mining: 0/1/0 (insert/search/found) LRU cache msteams: 0/0/0 (insert/search/found) LRU cache stun_zoom: 0/0/0 (insert/search/found) Automa host: 0/0 (search/found) 
@@ -13,15 +16,23 @@ Automa domain: 0/0 (search/found) Automa tls cert: 0/0 (search/found) Automa risk mask: 0/0 (search/found) Automa common alpns: 0/0 (search/found) -Patricia risk mask: 0/0 (search/found) +Patricia risk mask: 14/0 (search/found) Patricia risk mask IPv6: 0/0 (search/found) Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) -Patricia protocols: 2/0 (search/found) +Patricia protocols: 18/0 (search/found) Patricia protocols IPv6: 0/0 (search/found) -Kafka 19 2237 1 +Kafka 41 7067 9 -Acceptable 19 2237 1 +Acceptable 41 7067 9 1 TCP 127.0.0.1:46136 <-> 127.0.0.1:9092 [proto: 377/Kafka][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 4][cat: RPC/16][12 pkts/1107 bytes <-> 7 pkts/1130 bytes][Goodput ratio: 28/58][13.63 sec][bytes ratio: -0.010 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 800/288 6849/1049 2039/441][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 92/161 206/512 42/149][Risk: ** Probing attempt **][Risk Score: 50][Risk Info: TCP connection with unidirectional traffic][PLAIN TEXT (console)][Plen Bins: 12,38,12,12,12,0,0,0,0,0,0,0,0,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 2 TCP 172.16.17.101:38176 <-> 172.30.0.237:9092 [proto: 377/Kafka][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: RPC/16][3 pkts/1408 bytes <-> 2 pkts/254 bytes][Goodput ratio: 86/48][0.58 sec][Risk: ** Probing attempt **][Risk Score: 50][Risk Info: No server to client traffic / TCP connection with unidirectional traffic][PLAIN TEXT (timestamp)][Plen Bins: 0,40,0,0,0,0,0,0,0,0,0,40,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 3 TCP 172.30.0.237:9092 <-> 172.16.17.101:58052 [proto: 377/Kafka][IP: 0/Unknown][ClearText][Confidence: Match by port][DPI packets: 5][cat: RPC/16][4 pkts/974 bytes <-> 1 pkts/110 bytes][Goodput ratio: 73/40][599.70 sec][PLAIN TEXT (172.30.0.237)][Plen Bins: 
0,20,0,60,0,0,0,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 4 TCP 172.16.17.101:49280 <-> 172.30.0.237:9092 [proto: 377/Kafka][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: RPC/16][2 pkts/201 bytes <-> 3 pkts/788 bytes][Goodput ratio: 34/75][899.84 sec][Risk: ** Probing attempt **][Risk Score: 50][Risk Info: No server to client traffic / TCP connection with unidirectional traffic][PLAIN TEXT (172.30.0.237)][Plen Bins: 20,20,0,40,0,0,0,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 5 TCP 172.16.17.101:56556 <-> 172.30.0.237:9092 [proto: 377/Kafka][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: RPC/16][1 pkts/91 bytes <-> 1 pkts/416 bytes][Goodput ratio: 27/84][0.03 sec][Risk: ** Probing attempt **][Risk Score: 50][Risk Info: No server to client traffic / TCP connection with unidirectional traffic][Plen Bins: 50,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 6 TCP 172.16.17.101:40042 <-> 172.30.0.237:9092 [proto: 377/Kafka][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: RPC/16][1 pkts/110 bytes <-> 1 pkts/186 bytes][Goodput ratio: 40/64][0.03 sec][Risk: ** Probing attempt **][Risk Score: 50][Risk Info: No server to client traffic / TCP connection with unidirectional traffic][PLAIN TEXT (172.30.0.237)][Plen Bins: 0,50,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 7 TCP 172.16.17.101:53768 -> 172.30.0.237:9092 [proto: 377/Kafka][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: RPC/16][1 pkts/110 bytes -> 0 pkts/0 bytes][Goodput ratio: 40/0][< 1 sec][Risk: ** Unidirectional Traffic **** Probing attempt **][Risk Score: 60][Risk Info: No server to client traffic / TCP connection with unidirectional traffic][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 8 TCP 
172.16.17.101:53052 -> 172.30.0.237:9092 [proto: 377/Kafka][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: RPC/16][1 pkts/91 bytes -> 0 pkts/0 bytes][Goodput ratio: 27/0][< 1 sec][Risk: ** Unidirectional Traffic **** Probing attempt **][Risk Score: 60][Risk Info: No server to client traffic / TCP connection with unidirectional traffic][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 9 TCP 172.16.17.101:58300 -> 172.30.0.237:9092 [proto: 377/Kafka][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: RPC/16][1 pkts/91 bytes -> 0 pkts/0 bytes][Goodput ratio: 27/0][< 1 sec][Risk: ** Unidirectional Traffic **** Probing attempt **][Risk Score: 60][Risk Info: No server to client traffic / TCP connection with unidirectional traffic][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]