Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Improved Protobuf dissector. #2119

Merged
merged 1 commit into from
Oct 27, 2023
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
118 changes: 49 additions & 69 deletions src/lib/protocols/protobuf.c
Original file line number Diff line number Diff line change
Expand Up @@ -26,20 +26,21 @@
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_PROTOBUF
//#define DEBUG_PROTOBUF
#define PROTOBUF_MIN_ELEMENTS 2
#define PROTOBUF_MAX_ELEMENTS 8
#define PROTOBUF_MAX_ELEMENTS 32
#define PROTOBUF_REQUIRED_ELEMENTS 8
#define PROTOBUF_MIN_PACKETS 4
#define PROTOBUF_MAX_PACKETS 8

#include "ndpi_api.h"

enum protobuf_tag {
TAG_INVALID = -1,
TAG_VARINT = 0,
TAG_I64,
TAG_LEN,
TAG_SGROUP, // deprecated
TAG_EGROUP, // deprecated
TAG_I32
enum protobuf_type {
PT_INVALID = -1,
PT_VARINT = 0,
PT_I64,
PT_LEN,
PT_SGROUP, // deprecated
PT_EGROUP, // deprecated
PT_I32
};

static void ndpi_int_protobuf_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
Expand All @@ -49,32 +50,24 @@ static void ndpi_int_protobuf_add_connection(struct ndpi_detection_module_struct
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_PROTOBUF, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
}

static enum protobuf_tag
protobuf_dissect_wire_type(struct ndpi_packet_struct const * const packet,
size_t * const offset,
uint8_t * const field_number)
static enum protobuf_type
protobuf_dissect_tag(uint64_t tag, uint64_t * const field_number)
{
if (packet->payload_packet_len < *offset + 1)
{
return TAG_INVALID;
}

uint8_t const wire_type = packet->payload[*offset] & 0x07; // field number ignored
*field_number = packet->payload[*offset] >> 3;
uint8_t const wire_type = tag & 0x07;
*field_number = tag >> 3;

switch (wire_type)
{
case TAG_VARINT:
case TAG_I64:
case TAG_LEN:
case TAG_SGROUP:
case TAG_EGROUP:
case TAG_I32:
(*offset)++;
case PT_VARINT:
case PT_I64:
case PT_LEN:
case PT_SGROUP:
case PT_EGROUP:
case PT_I32:
return wire_type;
}

return TAG_INVALID;
return PT_INVALID;
}

static int
Expand Down Expand Up @@ -107,36 +100,13 @@ protobuf_dissect_varint(struct ndpi_packet_struct const * const packet,
return 0;
}

static int protobuf_validate_field_number(uint32_t * const saved_field_numbers,
uint8_t field_number,
enum protobuf_tag tag)
{
uint32_t shifted_field_number;

if (field_number > 31 || field_number == 0)
{
return -1;
}

shifted_field_number = 1u << (field_number - 1);
if (tag != TAG_LEN
&& (*saved_field_numbers & shifted_field_number) != 0)
{
return -1;
}

*saved_field_numbers |= shifted_field_number;
return 0;
}

static void ndpi_search_protobuf(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow)
{
struct ndpi_packet_struct const * const packet = &ndpi_struct->packet;

NDPI_LOG_DBG(ndpi_struct, "search Protobuf\n");

uint32_t field_numbers_used = 0;
size_t protobuf_elements = 0;
size_t protobuf_len_elements = 0;
size_t offset = 0;
Expand All @@ -148,26 +118,27 @@ static void ndpi_search_protobuf(struct ndpi_detection_module_struct *ndpi_struc
#ifdef DEBUG_PROTOBUF
printf(" ");
#endif
uint8_t field_number;
enum protobuf_tag tag = protobuf_dissect_wire_type(packet, &offset,
&field_number);
if (tag == TAG_INVALID)
uint64_t tag;
// A Protobuf tag has a type and a field number stored as u32 varint.
if (protobuf_dissect_varint(packet, &offset, &tag) != 0)
{
break;
}
if (protobuf_validate_field_number(&field_numbers_used, field_number,
tag) != 0)

uint64_t field_number;
enum protobuf_type type = protobuf_dissect_tag(tag, &field_number);
if (type == PT_INVALID || field_number == 0 || field_number > (UINT_MAX >> 3))
{
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
return;
}

#ifdef DEBUG_PROTOBUF
printf("[id: %u]", field_number);
printf("[id: %llu]", (unsigned long long int)field_number);
#endif
switch (tag)
switch (type)
{
case TAG_VARINT:
case PT_VARINT:
{
uint64_t value;
if (protobuf_dissect_varint(packet, &offset, &value) != 0)
Expand All @@ -181,7 +152,7 @@ static void ndpi_search_protobuf(struct ndpi_detection_module_struct *ndpi_struc
#endif
break;
}
case TAG_I64: {
case PT_I64: {
if (packet->payload_packet_len < offset + sizeof(uint64_t))
{
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
Expand All @@ -200,9 +171,7 @@ static void ndpi_search_protobuf(struct ndpi_detection_module_struct *ndpi_struc
offset += 8;
break;
}
case TAG_LEN:
case TAG_SGROUP:
case TAG_EGROUP:
case PT_LEN:
{
uint64_t length;
if (protobuf_dissect_varint(packet, &offset, &length) != 0)
Expand All @@ -223,11 +192,16 @@ static void ndpi_search_protobuf(struct ndpi_detection_module_struct *ndpi_struc
offset += length;
protobuf_len_elements++;
#ifdef DEBUG_PROTOBUF
printf("[LEN/SGROUP/EGROUP length: %llu]", (unsigned long long int)length);
printf("[LEN length: %llu]", (unsigned long long int)length);
#endif
break;
}
case TAG_I32: {
case PT_SGROUP:
case PT_EGROUP:
// Start/End groups are deprecated and therefor ignored to reduce false positives.
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
return;
case PT_I32: {
if (packet->payload_packet_len < offset + sizeof(uint32_t))
{
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
Expand All @@ -245,17 +219,23 @@ static void ndpi_search_protobuf(struct ndpi_detection_module_struct *ndpi_struc
offset += 4;
break;
}
case TAG_INVALID:
case PT_INVALID:
break;
}
} while (++protobuf_elements < PROTOBUF_MAX_ELEMENTS);

#ifdef DEBUG_PROTOBUF
printf("\n");
printf(" [offset: %llu][length: %u][elems: %llu][len_elems: %llu]\n",
(unsigned long long int)offset, packet->payload_packet_len,
(unsigned long long int)protobuf_elements,
(unsigned long long int)protobuf_len_elements);
#endif
if ((protobuf_elements == PROTOBUF_MAX_ELEMENTS && protobuf_len_elements > 0)
if ((protobuf_elements >= PROTOBUF_REQUIRED_ELEMENTS && protobuf_len_elements > 0)
|| (flow->packet_counter >= PROTOBUF_MIN_PACKETS && protobuf_elements >= PROTOBUF_MIN_ELEMENTS))
{
#ifdef DEBUG_PROTOBUF
printf("Protobuf found after %u packets.\n", flow->packet_counter);
#endif
ndpi_int_protobuf_add_connection(ndpi_struct, flow);
return;
}
Expand Down
2 changes: 1 addition & 1 deletion tests/cfgs/caches_cfg/result/ookla.pcap.out
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ Guessed flow protos: 1
DPI Packets (TCP): 40 (6.67 pkts/flow)
Confidence Match by port : 1 (flows)
Confidence DPI : 5 (flows)
Num dissector calls: 510 (85.00 diss/flow)
Num dissector calls: 508 (84.67 diss/flow)
LRU cache ookla: 0/0/0 (insert/search/found)
LRU cache bittorrent: 0/3/0 (insert/search/found)
LRU cache zoom: 0/0/0 (insert/search/found)
Expand Down
Binary file modified tests/cfgs/default/pcap/protobuf.pcap
Binary file not shown.
2 changes: 1 addition & 1 deletion tests/cfgs/default/result/6in6tunnel.pcap.out
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@ Guessed flow protos: 1

DPI Packets (UDP): 2 (2.00 pkts/flow)
Confidence Unknown : 1 (flows)
Num dissector calls: 128 (128.00 diss/flow)
Num dissector calls: 129 (129.00 diss/flow)
LRU cache ookla: 0/0/0 (insert/search/found)
LRU cache bittorrent: 0/3/0 (insert/search/found)
LRU cache zoom: 0/0/0 (insert/search/found)
Expand Down
2 changes: 1 addition & 1 deletion tests/cfgs/default/result/KakaoTalk_talk.pcap.out
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ DPI Packets (UDP): 10 (2.00 pkts/flow)
Confidence Match by port : 8 (flows)
Confidence DPI : 11 (flows)
Confidence Match by IP : 1 (flows)
Num dissector calls: 1093 (54.65 diss/flow)
Num dissector calls: 1092 (54.60 diss/flow)
LRU cache ookla: 0/2/0 (insert/search/found)
LRU cache bittorrent: 0/27/0 (insert/search/found)
LRU cache zoom: 0/0/0 (insert/search/found)
Expand Down
2 changes: 1 addition & 1 deletion tests/cfgs/default/result/cloudflare-warp.pcap.out
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ DPI Packets (TCP): 41 (5.12 pkts/flow)
Confidence Match by port : 2 (flows)
Confidence DPI : 5 (flows)
Confidence Match by IP : 1 (flows)
Num dissector calls: 181 (22.62 diss/flow)
Num dissector calls: 180 (22.50 diss/flow)
LRU cache ookla: 0/0/0 (insert/search/found)
LRU cache bittorrent: 0/9/0 (insert/search/found)
LRU cache zoom: 0/0/0 (insert/search/found)
Expand Down
17 changes: 9 additions & 8 deletions tests/cfgs/default/result/fuzz-2006-06-26-2594.pcap.out
Original file line number Diff line number Diff line change
@@ -1,18 +1,18 @@
Guessed flow protos: 173
Guessed flow protos: 172

DPI Packets (TCP): 48 (2.29 pkts/flow)
DPI Packets (UDP): 369 (1.64 pkts/flow)
DPI Packets (other): 5 (1.00 pkts/flow)
Confidence Unknown : 34 (flows)
Confidence Match by port : 28 (flows)
Confidence DPI : 189 (flows)
Num dissector calls: 6275 (25.00 diss/flow)
Confidence Match by port : 27 (flows)
Confidence DPI : 190 (flows)
Num dissector calls: 6273 (24.99 diss/flow)
LRU cache ookla: 0/0/0 (insert/search/found)
LRU cache bittorrent: 0/192/0 (insert/search/found)
LRU cache bittorrent: 0/189/0 (insert/search/found)
LRU cache zoom: 0/0/0 (insert/search/found)
LRU cache stun: 0/0/0 (insert/search/found)
LRU cache tls_cert: 0/0/0 (insert/search/found)
LRU cache mining: 0/62/0 (insert/search/found)
LRU cache mining: 0/61/0 (insert/search/found)
LRU cache msteams: 0/0/0 (insert/search/found)
LRU cache stun_zoom: 0/34/0 (insert/search/found)
Automa host: 254/0 (search/found)
Expand All @@ -26,14 +26,15 @@ Patricia protocols: 502/1 (search/found)
Patricia protocols IPv6: 0/0 (search/found)

Unknown 34 4212 34
FTP_CONTROL 36 2569 12
FTP_CONTROL 35 2456 11
DNS 301 26612 159
NetBIOS 102 9445 25
SMBv1 7 1620 3
DHCP 2 932 1
SMBv23 3 186 1
RTP 5 1070 1
SIP 85 39540 15
Protobuf 1 113 1

1 UDP 212.242.33.35:5060 <-> 192.168.1.2:5060 [proto: 100/SIP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][23 pkts/11772 bytes <-> 37 pkts/14743 bytes][Goodput ratio: 91/89][1521.43 sec][bytes ratio: -0.112 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 19/227 32597/38366 167478/304738 41340/57147][Pkt Len c2s/s2c min/avg/max/stddev: 344/47 512/398 711/1118 86/358][PLAIN TEXT (SIP/2.0 401 Unauthorized)][Plen Bins: 29,0,0,0,0,0,0,0,0,3,6,0,3,6,8,13,1,0,3,0,1,15,0,0,0,5,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
2 UDP 192.168.1.2:5060 <-> 200.68.120.81:5060 [proto: 100/SIP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 2][cat: VoIP/10][9 pkts/4647 bytes <-> 3 pkts/1944 bytes][Goodput ratio: 92/93][66.58 sec][bytes ratio: 0.410 (Upload)][IAT c2s/s2c min/avg/max/stddev: 507/34556 8170/34556 32608/34556 10578/0][Pkt Len c2s/s2c min/avg/max/stddev: 417/637 516/648 864/656 186/8][PLAIN TEXT (INVITEKsip)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,59,0,0,0,0,0,0,8,16,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
Expand Down Expand Up @@ -134,7 +135,7 @@ SIP 85 39540 15
97 UDP 192.168.1.3:53 -> 192.168.1.2:2712 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Network/14][1 pkts/144 bytes -> 0 pkts/0 bytes][Goodput ratio: 70/0][< 1 sec][Hostname/SNI: sip.cybercity.dk][::][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][PLAIN TEXT (cybercity)][Plen Bins: 0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
98 TCP 147.234.1.253:21 -> 192.169.1.2:2720 [proto: 1/FTP_CONTROL][IP: 0/Unknown][ClearText][Confidence: Match by port][DPI packets: 1][cat: Download/7][1 pkts/130 bytes -> 0 pkts/0 bytes][Goodput ratio: 58/0][< 1 sec][Risk: ** Unsafe Protocol **** Unidirectional Traffic **][Risk Score: 20][Risk Info: No client to server traffic][PLAIN TEXT (331 Anonymous login ok)][Plen Bins: 0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
99 TCP 192.168.1.2:2718 -> 147.137.21.94:139 [proto: 10/NetBIOS][IP: 0/Unknown][ClearText][Confidence: Match by port][DPI packets: 2][cat: System/18][2 pkts/124 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][2.92 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
100 TCP 147.234.1.253:21 -> 192.168.1.2:2732 [proto: 1/FTP_CONTROL][IP: 0/Unknown][ClearText][Confidence: Match by port][DPI packets: 1][cat: Download/7][1 pkts/113 bytes -> 0 pkts/0 bytes][Goodput ratio: 52/0][< 1 sec][Risk: ** Unsafe Protocol **** Unidirectional Traffic **][Risk Score: 20][Risk Info: No client to server traffic][PLAIN TEXT ( Files larger then 250MB will b)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
100 TCP 147.234.1.253:21 -> 192.168.1.2:2732 [proto: 353/Protobuf][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Network/14][1 pkts/113 bytes -> 0 pkts/0 bytes][Goodput ratio: 52/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][PLAIN TEXT ( Files larger then 250MB will b)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
101 UDP 192.168.1.1:53 -> 192.168.1.2:2572 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Network/14][1 pkts/105 bytes -> 0 pkts/0 bytes][Goodput ratio: 59/0][< 1 sec][::][Risk: ** Malformed Packet **** Unidirectional Traffic **][Risk Score: 20][Risk Info: No client to server traffic / Invalid DNS Query Lenght][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
102 UDP 192.168.1.1:53 -> 192.168.1.2:2723 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Network/14][1 pkts/105 bytes -> 0 pkts/0 bytes][Goodput ratio: 59/0][< 1 sec][Hostname/SNI: 1.0.0.127.in-adds.arpa][::][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
103 UDP 192.168.1.1:53 -> 192.168.1.2:2745 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Network/14][1 pkts/105 bytes -> 0 pkts/0 bytes][Goodput ratio: 59/0][< 1 sec][Hostname/SNI: 1.0.0.127.in-addr.arpa][::][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
Expand Down
2 changes: 1 addition & 1 deletion tests/cfgs/default/result/gnutella.pcap.out
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ DPI Packets (other): 10 (1.00 pkts/flow)
Confidence Unknown : 389 (flows)
Confidence Match by port : 1 (flows)
Confidence DPI : 370 (flows)
Num dissector calls: 43471 (57.20 diss/flow)
Num dissector calls: 43452 (57.17 diss/flow)
LRU cache ookla: 0/0/0 (insert/search/found)
LRU cache bittorrent: 0/1170/0 (insert/search/found)
LRU cache zoom: 0/0/0 (insert/search/found)
Expand Down
2 changes: 1 addition & 1 deletion tests/cfgs/default/result/imap-starttls.pcap.out
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@ Guessed flow protos: 0

DPI Packets (TCP): 19 (19.00 pkts/flow)
Confidence DPI : 1 (flows)
Num dissector calls: 200 (200.00 diss/flow)
Num dissector calls: 199 (199.00 diss/flow)
LRU cache ookla: 0/0/0 (insert/search/found)
LRU cache bittorrent: 0/0/0 (insert/search/found)
LRU cache zoom: 0/0/0 (insert/search/found)
Expand Down
2 changes: 1 addition & 1 deletion tests/cfgs/default/result/imap.pcap.out
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@ Guessed flow protos: 0

DPI Packets (TCP): 11 (11.00 pkts/flow)
Confidence DPI : 1 (flows)
Num dissector calls: 200 (200.00 diss/flow)
Num dissector calls: 199 (199.00 diss/flow)
LRU cache ookla: 0/0/0 (insert/search/found)
LRU cache bittorrent: 0/0/0 (insert/search/found)
LRU cache zoom: 0/0/0 (insert/search/found)
Expand Down
2 changes: 1 addition & 1 deletion tests/cfgs/default/result/imo.pcap.out
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@ Guessed flow protos: 0

DPI Packets (UDP): 7 (3.50 pkts/flow)
Confidence DPI : 2 (flows)
Num dissector calls: 298 (149.00 diss/flow)
Num dissector calls: 297 (148.50 diss/flow)
LRU cache ookla: 0/0/0 (insert/search/found)
LRU cache bittorrent: 0/0/0 (insert/search/found)
LRU cache zoom: 0/0/0 (insert/search/found)
Expand Down
2 changes: 1 addition & 1 deletion tests/cfgs/default/result/jabber.pcap.out
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@ Guessed flow protos: 0

DPI Packets (TCP): 74 (6.17 pkts/flow)
Confidence DPI : 12 (flows)
Num dissector calls: 1412 (117.67 diss/flow)
Num dissector calls: 1409 (117.42 diss/flow)
LRU cache ookla: 0/0/0 (insert/search/found)
LRU cache bittorrent: 0/0/0 (insert/search/found)
LRU cache zoom: 0/0/0 (insert/search/found)
Expand Down
2 changes: 1 addition & 1 deletion tests/cfgs/default/result/kerberos.pcap.out
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ DPI Packets (TCP): 77 (2.14 pkts/flow)
Confidence Unknown : 2 (flows)
Confidence Match by port : 23 (flows)
Confidence DPI : 11 (flows)
Num dissector calls: 3895 (108.19 diss/flow)
Num dissector calls: 3885 (107.92 diss/flow)
LRU cache ookla: 0/0/0 (insert/search/found)
LRU cache bittorrent: 0/75/0 (insert/search/found)
LRU cache zoom: 0/0/0 (insert/search/found)
Expand Down
2 changes: 1 addition & 1 deletion tests/cfgs/default/result/mongo_false_positive.pcapng.out
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@ Guessed flow protos: 1

DPI Packets (TCP): 14 (14.00 pkts/flow)
Confidence Match by port : 1 (flows)
Num dissector calls: 264 (264.00 diss/flow)
Num dissector calls: 263 (263.00 diss/flow)
LRU cache ookla: 0/0/0 (insert/search/found)
LRU cache bittorrent: 0/3/0 (insert/search/found)
LRU cache zoom: 0/0/0 (insert/search/found)
Expand Down
2 changes: 1 addition & 1 deletion tests/cfgs/default/result/nest_log_sink.pcap.out
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ DPI Packets (TCP): 130 (10.00 pkts/flow)
DPI Packets (UDP): 2 (2.00 pkts/flow)
Confidence Match by port : 1 (flows)
Confidence DPI : 13 (flows)
Num dissector calls: 1844 (131.71 diss/flow)
Num dissector calls: 1837 (131.21 diss/flow)
LRU cache ookla: 0/0/0 (insert/search/found)
LRU cache bittorrent: 0/3/0 (insert/search/found)
LRU cache zoom: 0/0/0 (insert/search/found)
Expand Down
2 changes: 1 addition & 1 deletion tests/cfgs/default/result/ookla.pcap.out
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ DPI Packets (TCP): 40 (6.67 pkts/flow)
Confidence DPI (partial cache): 1 (flows)
Confidence DPI : 4 (flows)
Confidence DPI (aggressive) : 1 (flows)
Num dissector calls: 510 (85.00 diss/flow)
Num dissector calls: 508 (84.67 diss/flow)
LRU cache ookla: 4/2/2 (insert/search/found)
LRU cache bittorrent: 0/3/0 (insert/search/found)
LRU cache zoom: 0/0/0 (insert/search/found)
Expand Down
2 changes: 1 addition & 1 deletion tests/cfgs/default/result/openvpn.pcap.out
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ Guessed flow protos: 0
DPI Packets (TCP): 6 (6.00 pkts/flow)
DPI Packets (UDP): 5 (2.50 pkts/flow)
Confidence DPI : 3 (flows)
Num dissector calls: 407 (135.67 diss/flow)
Num dissector calls: 406 (135.33 diss/flow)
LRU cache ookla: 0/0/0 (insert/search/found)
LRU cache bittorrent: 0/0/0 (insert/search/found)
LRU cache zoom: 0/0/0 (insert/search/found)
Expand Down
Loading
Loading