Improved Jabber/XMPP detection. (#1661)

Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2026-05-22 03:03:07 +00:00 · 2022-07-13 17:55:33 +02:00 · 2022-07-13 17:55:33 +02:00 · ae2bedce3a
commit ae2bedce3a
parent 407155755d
197 changed files with 266 additions and 228 deletions
--- a/src/lib/protocols/jabber.c
+++ b/src/lib/protocols/jabber.c
@ -65,20 +65,56 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
 void ndpi_search_jabber_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
 {
  struct ndpi_packet_struct *packet = &ndpi_struct->packet;
+  u_int16_t const max_packets = 4;
+  size_t i;
+  static uint8_t const valid_patterns[] = { 0x25, 0x26, 0x30 };

  NDPI_LOG_DBG(ndpi_struct, "search JABBER\n");

-  if (flow->packet_counter > 5) {
-    NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
-    return;
-  }
-  
-  if (packet->tcp != 0 && packet->payload_packet_len == 0) {
-    return;
+  if (packet->payload_packet_len >= 3 &&
+      packet->payload[1] == 0x00 && packet->payload[2] == packet->payload_packet_len)
+  {
+    /* Old style Jabber/XMPP SSL. */
+    if (flow->packet_counter > max_packets - 1)
+    {
+      ndpi_int_jabber_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_JABBER, NDPI_CONFIDENCE_DPI);
+    }
+    for (i = 0; i < NDPI_ARRAY_LENGTH(valid_patterns); ++i)
+    {
+      if (packet->payload[0] == valid_patterns[i])
+      {
+        return;
+      }
+    }
  }

  /* search for jabber here */
  /* this part is working asymmetrically */
+  if (packet->payload_packet_len >= NDPI_STATICSTRING_LEN("<presence ") &&
+      memcmp(packet->payload, "<presence ", NDPI_STATICSTRING_LEN("<presence ")) == 0 &&
+      ndpi_strnstr((const char *)&packet->payload[0],
+                   "xmlns='http://jabber.org/protocol/caps'", packet->payload_packet_len) != NULL)
+  {
+    ndpi_int_jabber_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_JABBER, NDPI_CONFIDENCE_DPI);
+    return;
+  }
+
+  if (packet->payload_packet_len >= NDPI_STATICSTRING_LEN("<iq type='") &&
+      memcmp(packet->payload, "<iq type='", NDPI_STATICSTRING_LEN("<iq type='")) == 0 &&
+      ndpi_strnstr((const char *)&packet->payload[0],
+                   "xmlns='http://jabber.org/protocol/commands'", packet->payload_packet_len) != NULL)
+  {
+    ndpi_int_jabber_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_JABBER, NDPI_CONFIDENCE_DPI);
+    return;
+  }
+
+  if (packet->payload_packet_len == NDPI_STATICSTRING_LEN("</stream:stream>") &&
+      memcmp(packet->payload, "</stream:stream>", NDPI_STATICSTRING_LEN("</stream:stream>")) == 0)
+  {
+    ndpi_int_jabber_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_JABBER, NDPI_CONFIDENCE_DPI);
+    return;
+  }
+
  if ((packet->payload_packet_len > 13 && memcmp(packet->payload, "<?xml version=", 14) == 0)
      || (packet->payload_packet_len >= NDPI_STATICSTRING_LEN("<stream:stream ")
 	  && memcmp(packet->payload, "<stream:stream ", NDPI_STATICSTRING_LEN("<stream:stream ")) == 0)) {
@ -95,16 +131,11 @@ void ndpi_search_jabber_tcp(struct ndpi_detection_module_struct *ndpi_struct, st
      return;
    }
  }
-  
-  if (flow->packet_counter < 3) {
-    NDPI_LOG_DBG2(ndpi_struct, "packet_counter: %u\n", flow->packet_counter);
+
+  if (flow->packet_counter > max_packets) {
+    NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
    return;
  }
-
-  NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
-
-  ndpi_exclude_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TRUPHONE,
-			__FILE__,__FUNCTION__,__LINE__);
 }


@ -113,7 +144,7 @@ void init_jabber_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_i
  ndpi_set_bitmask_protocol_detection("Jabber", ndpi_struct, detection_bitmask, *id,
 				      NDPI_PROTOCOL_JABBER,
 				      ndpi_search_jabber_tcp,
-				      NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITHOUT_RETRANSMISSION,
+				      NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
 				      SAVE_DETECTION_BITMASK_AS_UNKNOWN,
 				      ADD_TO_DETECTION_BITMASK);

--- a/tests/pcap/jabber.pcap
+++ b/tests/pcap/jabber.pcap
--- a/tests/result/1kxun.pcap.out
+++ b/tests/result/1kxun.pcap.out
@ -6,7 +6,7 @@ Confidence Unknown          : 14 (flows)
 Confidence Match by port    : 5 (flows)
 Confidence Match by IP      : 1 (flows)
 Confidence DPI              : 177 (flows)
-Num dissector calls: 5172 (26.25 diss/flow)
+Num dissector calls: 5084 (25.81 diss/flow)

 Unknown	24	6428	14
 DNS	2	378	1
--- a/tests/result/443-curl.pcap.out
+++ b/tests/result/443-curl.pcap.out
@ -2,7 +2,7 @@ Guessed flow protos:	0

 DPI Packets (TCP):	7	(7.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 18 (18.00 diss/flow)
+Num dissector calls: 15 (15.00 diss/flow)

 ntop	109	73982	1

--- a/tests/result/443-firefox.pcap.out
+++ b/tests/result/443-firefox.pcap.out
@ -2,7 +2,7 @@ Guessed flow protos:	0

 DPI Packets (TCP):	7	(7.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 18 (18.00 diss/flow)
+Num dissector calls: 15 (15.00 diss/flow)

 ntop	667	458067	1

--- a/tests/result/443-git.pcap.out
+++ b/tests/result/443-git.pcap.out
@ -2,7 +2,7 @@ Guessed flow protos:	0

 DPI Packets (TCP):	7	(7.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 18 (18.00 diss/flow)
+Num dissector calls: 15 (15.00 diss/flow)

 Github	70	37189	1

--- a/tests/result/443-opvn.pcap.out
+++ b/tests/result/443-opvn.pcap.out
@ -2,7 +2,7 @@ Guessed flow protos:	0

 DPI Packets (TCP):	6	(6.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 139 (139.00 diss/flow)
+Num dissector calls: 135 (135.00 diss/flow)

 OpenVPN	46	11573	1

--- a/tests/result/443-safari.pcap.out
+++ b/tests/result/443-safari.pcap.out
@ -2,7 +2,7 @@ Guessed flow protos:	0

 DPI Packets (TCP):	7	(7.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 18 (18.00 diss/flow)
+Num dissector calls: 15 (15.00 diss/flow)

 ntop	41	19929	1

--- a/tests/result/4in4tunnel.pcap.out
+++ b/tests/result/4in4tunnel.pcap.out
@ -2,7 +2,7 @@ Guessed flow protos:	1

 DPI Packets (UDP):	5	(5.00 pkts/flow)
 Confidence Unknown          : 1 (flows)
-Num dissector calls: 169 (169.00 diss/flow)
+Num dissector calls: 171 (171.00 diss/flow)

 Unknown	5	850	1

--- a/tests/result/4in6tunnel.pcap.out
+++ b/tests/result/4in6tunnel.pcap.out
@ -2,7 +2,7 @@ Guessed flow protos:	1

 DPI Packets (TCP):	4	(4.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 13 (13.00 diss/flow)
+Num dissector calls: 11 (11.00 diss/flow)

 Microsoft	4	2188	1

--- a/tests/result/6in4tunnel.pcap.out
+++ b/tests/result/6in4tunnel.pcap.out
@ -4,7 +4,7 @@ DPI Packets (TCP):	27	(5.40 pkts/flow)
 DPI Packets (UDP):	4	(2.00 pkts/flow)
 DPI Packets (other):	3	(1.00 pkts/flow)
 Confidence DPI              : 10 (flows)
-Num dissector calls: 67 (6.70 diss/flow)
+Num dissector calls: 58 (5.80 diss/flow)

 HTTP	10	1792	1
 IMAPS	4	516	2
--- a/tests/result/BGP_Cisco_hdlc_slarp.pcap.out
+++ b/tests/result/BGP_Cisco_hdlc_slarp.pcap.out
@ -2,7 +2,7 @@ Guessed flow protos:	0

 DPI Packets (TCP):	4	(4.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 18 (18.00 diss/flow)
+Num dissector calls: 15 (15.00 diss/flow)

 BGP	14	969	1

--- a/tests/result/EAQ.pcap.out
+++ b/tests/result/EAQ.pcap.out
@ -3,7 +3,7 @@ Guessed flow protos:	0
 DPI Packets (TCP):	12	(6.00 pkts/flow)
 DPI Packets (UDP):	116	(4.00 pkts/flow)
 Confidence DPI              : 31 (flows)
-Num dissector calls: 4108 (132.52 diss/flow)
+Num dissector calls: 4102 (132.32 diss/flow)

 Google	23	11743	2
 EAQ	174	10092	29
--- a/tests/result/IEC104.pcap.out
+++ b/tests/result/IEC104.pcap.out
@ -2,7 +2,7 @@ Guessed flow protos:	0

 DPI Packets (TCP):	4	(2.00 pkts/flow)
 Confidence DPI              : 2 (flows)
-Num dissector calls: 16 (8.00 diss/flow)
+Num dissector calls: 14 (7.00 diss/flow)

 IEC60870	15	1431	2

--- a/tests/result/KakaoTalk_chat.pcap.out
+++ b/tests/result/KakaoTalk_chat.pcap.out
@ -6,7 +6,7 @@ DPI Packets (other):	1	(1.00 pkts/flow)
 Confidence Match by port    : 4 (flows)
 Confidence Match by IP      : 1 (flows)
 Confidence DPI              : 33 (flows)
-Num dissector calls: 949 (24.97 diss/flow)
+Num dissector calls: 894 (23.53 diss/flow)

 DNS	2	217	1
 HTTP	1	56	1
--- a/tests/result/KakaoTalk_talk.pcap.out
+++ b/tests/result/KakaoTalk_talk.pcap.out
@ -5,7 +5,7 @@ DPI Packets (UDP):	6	(1.20 pkts/flow)
 Confidence Match by port    : 4 (flows)
 Confidence Match by IP      : 5 (flows)
 Confidence DPI              : 11 (flows)
-Num dissector calls: 1027 (51.35 diss/flow)
+Num dissector calls: 999 (49.95 diss/flow)

 HTTP	5	280	1
 QQ	15	1727	1
--- a/tests/result/Oscar.pcap.out
+++ b/tests/result/Oscar.pcap.out
@ -2,7 +2,7 @@ Guessed flow protos:	1

 DPI Packets (TCP):	71	(71.00 pkts/flow)
 Confidence Match by port    : 1 (flows)
-Num dissector calls: 367 (367.00 diss/flow)
+Num dissector calls: 365 (365.00 diss/flow)

 TLS	71	9386	1

--- a/tests/result/WebattackSQLinj.pcap.out
+++ b/tests/result/WebattackSQLinj.pcap.out
@ -2,7 +2,7 @@ Guessed flow protos:	0

 DPI Packets (TCP):	54	(6.00 pkts/flow)
 Confidence DPI              : 9 (flows)
-Num dissector calls: 288 (32.00 diss/flow)
+Num dissector calls: 261 (29.00 diss/flow)

 HTTP	94	30008	9

--- a/tests/result/WebattackXSS.pcap.out
+++ b/tests/result/WebattackXSS.pcap.out
@ -3,7 +3,7 @@ Guessed flow protos:	639
 DPI Packets (TCP):	3972	(6.01 pkts/flow)
 Confidence Match by port    : 639 (flows)
 Confidence DPI              : 22 (flows)
-Num dissector calls: 21182 (32.05 diss/flow)
+Num dissector calls: 17276 (26.14 diss/flow)

 HTTP	9374	4721148	661

--- a/tests/result/aimini-http.pcap.out
+++ b/tests/result/aimini-http.pcap.out
@ -2,7 +2,7 @@ Guessed flow protos:	0

 DPI Packets (TCP):	36	(9.00 pkts/flow)
 Confidence DPI              : 4 (flows)
-Num dissector calls: 164 (41.00 diss/flow)
+Num dissector calls: 148 (37.00 diss/flow)

 Aimini	133	86722	4

--- a/tests/result/ajp.pcap.out
+++ b/tests/result/ajp.pcap.out
@ -4,7 +4,7 @@ DPI Packets (TCP):	8	(4.00 pkts/flow)
 DPI Packets (other):	6	(3.00 pkts/flow)
 Confidence Unknown          : 2 (flows)
 Confidence DPI              : 2 (flows)
-Num dissector calls: 36 (9.00 diss/flow)
+Num dissector calls: 30 (7.50 diss/flow)

 Unknown	6	2200	2
 AJP	26	4446	2
--- a/tests/result/alexa-app.pcapng.out
+++ b/tests/result/alexa-app.pcapng.out
@ -6,7 +6,7 @@ DPI Packets (other):	6	(1.00 pkts/flow)
 Confidence Match by port    : 5 (flows)
 Confidence Match by IP      : 9 (flows)
 Confidence DPI              : 146 (flows)
-Num dissector calls: 2719 (16.99 diss/flow)
+Num dissector calls: 2329 (14.56 diss/flow)

 DNS	4	400	2
 DHCP	3	1056	2
--- a/tests/result/amqp.pcap.out
+++ b/tests/result/amqp.pcap.out
@ -2,7 +2,7 @@ Guessed flow protos:	0

 DPI Packets (TCP):	9	(3.00 pkts/flow)
 Confidence DPI              : 3 (flows)
-Num dissector calls: 401 (133.67 diss/flow)
+Num dissector calls: 400 (133.33 diss/flow)

 AMQP	160	23514	3

--- a/tests/result/android.pcap.out
+++ b/tests/result/android.pcap.out
@ -5,7 +5,7 @@ DPI Packets (UDP):	52	(1.68 pkts/flow)
 DPI Packets (other):	4	(1.00 pkts/flow)
 Confidence Match by IP      : 3 (flows)
 Confidence DPI              : 60 (flows)
-Num dissector calls: 668 (10.60 diss/flow)
+Num dissector calls: 600 (9.52 diss/flow)

 DNS	4	390	2
 MDNS	2	174	2
--- a/tests/result/anyconnect-vpn.pcap.out
+++ b/tests/result/anyconnect-vpn.pcap.out
@ -7,7 +7,7 @@ Confidence Unknown          : 2 (flows)
 Confidence Match by port    : 5 (flows)
 Confidence Match by IP      : 1 (flows)
 Confidence DPI              : 61 (flows)
-Num dissector calls: 1226 (17.77 diss/flow)
+Num dissector calls: 1176 (17.04 diss/flow)

 Unknown	19	1054	2
 DNS	32	3655	16
--- a/tests/result/anydesk-2.pcap.out
+++ b/tests/result/anydesk-2.pcap.out
@ -3,7 +3,7 @@ Guessed flow protos:	0
 DPI Packets (TCP):	13	(6.50 pkts/flow)
 DPI Packets (UDP):	4	(2.00 pkts/flow)
 Confidence DPI              : 4 (flows)
-Num dissector calls: 42 (10.50 diss/flow)
+Num dissector calls: 36 (9.00 diss/flow)

 AnyDesk	2083	346113	4

--- a/tests/result/anydesk.pcap.out
+++ b/tests/result/anydesk.pcap.out
@ -2,7 +2,7 @@ Guessed flow protos:	0

 DPI Packets (TCP):	21	(10.50 pkts/flow)
 Confidence DPI              : 2 (flows)
-Num dissector calls: 23 (11.50 diss/flow)
+Num dissector calls: 20 (10.00 diss/flow)

 AnyDesk	6963	2795460	2

--- a/tests/result/bot.pcap.out
+++ b/tests/result/bot.pcap.out
@ -2,7 +2,7 @@ Guessed flow protos:	0

 DPI Packets (TCP):	6	(6.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 32 (32.00 diss/flow)
+Num dissector calls: 29 (29.00 diss/flow)

 Azure	402	431124	1

--- a/tests/result/cachefly.pcapng.out
+++ b/tests/result/cachefly.pcapng.out
@ -2,7 +2,7 @@ Guessed flow protos:	0

 DPI Packets (TCP):	6	(6.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 8 (8.00 diss/flow)
+Num dissector calls: 7 (7.00 diss/flow)

 Cachefly	6	6163	1

--- a/tests/result/cassandra.pcap.out
+++ b/tests/result/cassandra.pcap.out
@ -2,7 +2,7 @@ Guessed flow protos:	0

 DPI Packets (TCP):	8	(4.00 pkts/flow)
 Confidence DPI              : 2 (flows)
-Num dissector calls: 36 (18.00 diss/flow)
+Num dissector calls: 30 (15.00 diss/flow)

 Cassandra	286	126016	2

--- a/tests/result/check_mk_new.pcap.out
+++ b/tests/result/check_mk_new.pcap.out
@ -2,7 +2,7 @@ Guessed flow protos:	0

 DPI Packets (TCP):	4	(4.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 18 (18.00 diss/flow)
+Num dissector calls: 15 (15.00 diss/flow)

 CHECKMK	98	20242	1

--- a/tests/result/chrome.pcap.out
+++ b/tests/result/chrome.pcap.out
@ -2,7 +2,7 @@ Guessed flow protos:	0

 DPI Packets (TCP):	36	(6.00 pkts/flow)
 Confidence DPI              : 6 (flows)
-Num dissector calls: 108 (18.00 diss/flow)
+Num dissector calls: 90 (15.00 diss/flow)

 TLS	5633	4985157	6

--- a/tests/result/citrix.pcap.out
+++ b/tests/result/citrix.pcap.out
@ -2,7 +2,7 @@ Guessed flow protos:	0

 DPI Packets (TCP):	4	(4.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 18 (18.00 diss/flow)
+Num dissector calls: 15 (15.00 diss/flow)

 Citrix	100	11332	1

--- a/tests/result/cloudflare-warp.pcap.out
+++ b/tests/result/cloudflare-warp.pcap.out
@ -1,12 +1,11 @@
-Guessed flow protos:	5
+Guessed flow protos:	4

-DPI Packets (TCP):	42	(5.25 pkts/flow)
-Confidence Unknown          : 1 (flows)
+DPI Packets (TCP):	41	(5.12 pkts/flow)
 Confidence Match by IP      : 3 (flows)
-Confidence DPI              : 4 (flows)
-Num dissector calls: 328 (41.00 diss/flow)
+Confidence DPI              : 5 (flows)
+Num dissector calls: 285 (35.62 diss/flow)

-Unknown	11	890	1
+Jabber	11	890	1
 Google	8	476	3
 Messenger	17	2369	1
 GoogleServices	5	492	1
@ -20,11 +19,8 @@ JA3 Host Stats:
 	1	TCP 10.8.0.1:45606 <-> 104.18.47.234:443 [proto: 91.300/TLS.CloudflareWarp][Encrypted][Confidence: DPI][cat: VPN/2][6 pkts/924 bytes <-> 5 pkts/3107 bytes][Goodput ratio: 63/91][0.16 sec][Hostname/SNI: api.cloudflareclient.com][ALPN: http/1.1][bytes ratio: -0.542 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/2 31/50 75/75 36/34][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 154/621 355/2891 111/1135][TLSv1.2][JA3C: 6f5e62edfa5933b1332ddf8b9fb3ef9d][ServerNames: cloudflareclient.com,*.cloudflareclient.com][JA3S: 9ebc57def2efb523f25c77af13aa6d48][Issuer: C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3][Subject: C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=cloudflareclient.com][Certificate SHA-1: E6:54:3B:82:07:1E:29:C4:57:8C:B4:9E:64:38:11:38:9B:FC:66:98][Safari][Validity: 2022-05-19 00:00:00 - 2023-05-19 23:59:59][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,25,0,0,25,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25]
 	2	TCP 10.8.0.1:45610 <-> 104.18.47.234:443 [proto: 91.300/TLS.CloudflareWarp][Encrypted][Confidence: DPI][cat: VPN/2][6 pkts/623 bytes <-> 5 pkts/3108 bytes][Goodput ratio: 45/91][0.15 sec][Hostname/SNI: api.cloudflareclient.com][ALPN: http/1.1][bytes ratio: -0.666 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/50 29/48 143/93 57/38][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 104/622 240/2854 69/1116][TLSv1.2][JA3C: 6f5e62edfa5933b1332ddf8b9fb3ef9d][ServerNames: cloudflareclient.com,*.cloudflareclient.com][JA3S: 9ebc57def2efb523f25c77af13aa6d48][Issuer: C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3][Subject: C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=cloudflareclient.com][Certificate SHA-1: E6:54:3B:82:07:1E:29:C4:57:8C:B4:9E:64:38:11:38:9B:FC:66:98][Safari][Validity: 2022-05-19 00:00:00 - 2023-05-19 23:59:59][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,25,25,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25]
 	3	TCP 10.8.0.1:40214 <-> 157.240.16.32:443 [proto: 91.157/TLS.Messenger][Encrypted][Confidence: DPI][cat: Chat/9][9 pkts/1498 bytes <-> 8 pkts/871 bytes][Goodput ratio: 66/50][0.90 sec][Hostname/SNI: mqtt-mini.facebook.com][bytes ratio: 0.265 (Upload)][IAT c2s/s2c min/avg/max/stddev: 3/6 113/132 238/257 88/85][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 166/109 576/290 191/89][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.3][JA3C: 159db30fc8fac7fb58bcaeee8785a687][JA3S: fcb2d4d0991292272fcb1e464eedfd43][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 28,14,0,0,0,14,0,14,0,0,0,0,14,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	4	TCP 10.8.0.1:51296 <-> 142.250.183.163:443 [proto: 91.239/TLS.GoogleServices][Encrypted][Confidence: DPI][cat: Web/5][3 pkts/384 bytes <-> 2 pkts/108 bytes][Goodput ratio: 52/0][0.00 sec][Hostname/SNI: crashlyticsreports-pa.googleapis.com][ALPN: http/1.1][TLSv1.2][JA3C: d8c87b9bfde38897979e41242626c2f3][Safari][Plen Bins: 0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	5	TCP 10.158.134.93:40454 <-> 216.58.196.68:443 [proto: 91.126/TLS.Google][Encrypted][Confidence: Match by IP][cat: Web/5][2 pkts/120 bytes <-> 2 pkts/108 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	6	TCP 10.8.0.1:43600 <-> 172.217.194.188:5228 [proto: 126/Google][Encrypted][Confidence: Match by IP][cat: Web/5][2 pkts/128 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0/0][0.00 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	7	TCP 10.158.134.93:55512 -> 142.251.42.106:443 [proto: 91.126/TLS.Google][Encrypted][Confidence: Match by IP][cat: Web/5][1 pkts/66 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-
-
-Undetected flows:
-	1	TCP 10.8.0.1:42344 <-> 159.138.85.48:5223 [proto: 0/Unknown][ClearText][Confidence: Unknown][6 pkts/567 bytes <-> 5 pkts/323 bytes][Goodput ratio: 39/16][0.37 sec][bytes ratio: 0.274 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/50 56/79 122/101 56/20][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 94/65 208/91 56/15][Plen Bins: 25,25,25,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	4	TCP 10.8.0.1:42344 <-> 159.138.85.48:5223 [proto: 67/Jabber][ClearText][Confidence: DPI][cat: Web/5][6 pkts/567 bytes <-> 5 pkts/323 bytes][Goodput ratio: 39/16][0.37 sec][bytes ratio: 0.274 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/50 56/79 122/101 56/20][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 94/65 208/91 56/15][Plen Bins: 25,25,25,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	5	TCP 10.8.0.1:51296 <-> 142.250.183.163:443 [proto: 91.239/TLS.GoogleServices][Encrypted][Confidence: DPI][cat: Web/5][3 pkts/384 bytes <-> 2 pkts/108 bytes][Goodput ratio: 52/0][0.00 sec][Hostname/SNI: crashlyticsreports-pa.googleapis.com][ALPN: http/1.1][TLSv1.2][JA3C: d8c87b9bfde38897979e41242626c2f3][Safari][Plen Bins: 0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	6	TCP 10.158.134.93:40454 <-> 216.58.196.68:443 [proto: 91.126/TLS.Google][Encrypted][Confidence: Match by IP][cat: Web/5][2 pkts/120 bytes <-> 2 pkts/108 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	7	TCP 10.8.0.1:43600 <-> 172.217.194.188:5228 [proto: 126/Google][Encrypted][Confidence: Match by IP][cat: Web/5][2 pkts/128 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0/0][0.00 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	8	TCP 10.158.134.93:55512 -> 142.251.42.106:443 [proto: 91.126/TLS.Google][Encrypted][Confidence: Match by IP][cat: Web/5][1 pkts/66 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
--- a/tests/result/coap_mqtt.pcap.out
+++ b/tests/result/coap_mqtt.pcap.out
@ -3,7 +3,7 @@ Guessed flow protos:	0
 DPI Packets (TCP):	7	(1.75 pkts/flow)
 DPI Packets (UDP):	12	(1.00 pkts/flow)
 Confidence DPI              : 16 (flows)
-Num dissector calls: 364 (22.75 diss/flow)
+Num dissector calls: 361 (22.56 diss/flow)

 COAP	19	1614	8
 Dropbox	800	80676	4
--- a/tests/result/collectd.pcap.out
+++ b/tests/result/collectd.pcap.out
@ -3,7 +3,7 @@ Guessed flow protos:	3
 DPI Packets (UDP):	13	(1.62 pkts/flow)
 Confidence Match by port    : 3 (flows)
 Confidence DPI              : 5 (flows)
-Num dissector calls: 376 (47.00 diss/flow)
+Num dissector calls: 378 (47.25 diss/flow)

 collectd	81	109386	8

--- a/tests/result/corba.pcap.out
+++ b/tests/result/corba.pcap.out
@ -2,7 +2,7 @@ Guessed flow protos:	0

 DPI Packets (TCP):	12	(4.00 pkts/flow)
 Confidence DPI              : 3 (flows)
-Num dissector calls: 273 (91.00 diss/flow)
+Num dissector calls: 264 (88.00 diss/flow)

 Corba	22	3681	3

--- a/tests/result/dazn.pcapng.out
+++ b/tests/result/dazn.pcapng.out
@ -2,7 +2,7 @@ Guessed flow protos:	0

 DPI Packets (TCP):	12	(4.00 pkts/flow)
 Confidence DPI              : 3 (flows)
-Num dissector calls: 39 (13.00 diss/flow)
+Num dissector calls: 33 (11.00 diss/flow)

 Dazn	12	6675	3

--- a/tests/result/discord.pcap.out
+++ b/tests/result/discord.pcap.out
@ -2,7 +2,7 @@ Guessed flow protos:	0

 DPI Packets (TCP):	5	(5.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 13 (13.00 diss/flow)
+Num dissector calls: 11 (11.00 diss/flow)

 Discord	7	3708	1

--- a/tests/result/dnp3.pcap.out
+++ b/tests/result/dnp3.pcap.out
@ -2,7 +2,7 @@ Guessed flow protos:	0

 DPI Packets (TCP):	80	(10.00 pkts/flow)
 Confidence DPI              : 8 (flows)
-Num dissector calls: 408 (51.00 diss/flow)
+Num dissector calls: 352 (44.00 diss/flow)

 DNP3	543	38754	8

--- a/tests/result/dns_doh.pcap.out
+++ b/tests/result/dns_doh.pcap.out
@ -2,7 +2,7 @@ Guessed flow protos:	0

 DPI Packets (TCP):	6	(6.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 18 (18.00 diss/flow)
+Num dissector calls: 15 (15.00 diss/flow)

 DoH_DoT	142	20362	1

--- a/tests/result/dns_dot.pcap.out
+++ b/tests/result/dns_dot.pcap.out
@ -2,7 +2,7 @@ Guessed flow protos:	0

 DPI Packets (TCP):	6	(6.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 20 (20.00 diss/flow)
+Num dissector calls: 17 (17.00 diss/flow)

 DoH_DoT	24	5869	1

--- a/tests/result/dns_fragmented.pcap.out
+++ b/tests/result/dns_fragmented.pcap.out
@ -3,7 +3,7 @@ Guessed flow protos:	1
 DPI Packets (TCP):	12	(6.00 pkts/flow)
 DPI Packets (UDP):	39	(2.05 pkts/flow)
 Confidence DPI              : 21 (flows)
-Num dissector calls: 51 (2.43 diss/flow)
+Num dissector calls: 45 (2.14 diss/flow)

 DNS	53	16888	18
 Google	6	4807	3
--- a/tests/result/drda_db2.pcap.out
+++ b/tests/result/drda_db2.pcap.out
@ -2,7 +2,7 @@ Guessed flow protos:	0

 DPI Packets (TCP):	4	(4.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 103 (103.00 diss/flow)
+Num dissector calls: 100 (100.00 diss/flow)

 DRDA	38	6691	1

--- a/tests/result/emotet.pcap.out
+++ b/tests/result/emotet.pcap.out
@ -2,7 +2,7 @@ Guessed flow protos:	0

 DPI Packets (TCP):	48	(8.00 pkts/flow)
 Confidence DPI              : 6 (flows)
-Num dissector calls: 300 (50.00 diss/flow)
+Num dissector calls: 281 (46.83 diss/flow)

 SMTP	626	438465	1
 HTTP	1601	1581542	3
--- a/tests/result/ethereum.pcap.out
+++ b/tests/result/ethereum.pcap.out
@ -5,7 +5,7 @@ DPI Packets (UDP):	18	(1.00 pkts/flow)
 Confidence Match by port    : 1 (flows)
 Confidence Match by IP      : 2 (flows)
 Confidence DPI              : 71 (flows)
-Num dissector calls: 1515 (20.47 diss/flow)
+Num dissector calls: 1353 (18.28 diss/flow)

 Mining	1997	215877	72
 AmazonAWS	1	78	1
--- a/tests/result/exe_download.pcap.out
+++ b/tests/result/exe_download.pcap.out
@ -2,7 +2,7 @@ Guessed flow protos:	0

 DPI Packets (TCP):	6	(6.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 32 (32.00 diss/flow)
+Num dissector calls: 29 (29.00 diss/flow)

 HTTP	703	717463	1

--- a/tests/result/exe_download_as_png.pcap.out
+++ b/tests/result/exe_download_as_png.pcap.out
@ -2,7 +2,7 @@ Guessed flow protos:	0

 DPI Packets (TCP):	6	(6.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 32 (32.00 diss/flow)
+Num dissector calls: 29 (29.00 diss/flow)

 HTTP	534	529449	1

--- a/tests/result/facebook.pcap.out
+++ b/tests/result/facebook.pcap.out
@ -2,7 +2,7 @@ Guessed flow protos:	0

 DPI Packets (TCP):	16	(8.00 pkts/flow)
 Confidence DPI              : 2 (flows)
-Num dissector calls: 36 (18.00 diss/flow)
+Num dissector calls: 30 (15.00 diss/flow)

 Facebook	60	30511	2

--- a/tests/result/firefox.pcap.out
+++ b/tests/result/firefox.pcap.out
@ -2,7 +2,7 @@ Guessed flow protos:	0

 DPI Packets (TCP):	36	(6.00 pkts/flow)
 Confidence DPI              : 6 (flows)
-Num dissector calls: 108 (18.00 diss/flow)
+Num dissector calls: 90 (15.00 diss/flow)

 TLS	5441	4952732	6

--- a/tests/result/fix2.pcap.out
+++ b/tests/result/fix2.pcap.out
@ -2,7 +2,7 @@ Guessed flow protos:	0

 DPI Packets (TCP):	8	(4.00 pkts/flow)
 Confidence DPI              : 2 (flows)
-Num dissector calls: 212 (106.00 diss/flow)
+Num dissector calls: 206 (103.00 diss/flow)

 FIX	3046	246540	2

--- a/tests/result/forticlient.pcap.out
+++ b/tests/result/forticlient.pcap.out
@ -3,7 +3,7 @@ Guessed flow protos:	0
 DPI Packets (TCP):	35	(7.00 pkts/flow)
 Confidence DPI (cache)      : 4 (flows)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 100 (20.00 diss/flow)
+Num dissector calls: 85 (17.00 diss/flow)

 FortiClient	2000	430931	5

--- a/tests/result/ftp-start-tls.pcap.out
+++ b/tests/result/ftp-start-tls.pcap.out
@ -2,7 +2,7 @@ Guessed flow protos:	0

 DPI Packets (TCP):	10	(10.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 181 (181.00 diss/flow)
+Num dissector calls: 177 (177.00 diss/flow)

 FTP_CONTROL	51	7510	1

--- a/tests/result/ftp.pcap.out
+++ b/tests/result/ftp.pcap.out
@ -3,7 +3,7 @@ Guessed flow protos:	1
 DPI Packets (TCP):	97	(32.33 pkts/flow)
 Confidence Unknown          : 1 (flows)
 Confidence DPI              : 2 (flows)
-Num dissector calls: 701 (233.67 diss/flow)
+Num dissector calls: 691 (230.33 diss/flow)

 Unknown	1115	1122198	1
 FTP_CONTROL	68	5571	1
--- a/tests/result/ftp_failed.pcap.out
+++ b/tests/result/ftp_failed.pcap.out
@ -2,7 +2,7 @@ Guessed flow protos:	0

 DPI Packets (TCP):	8	(8.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 166 (166.00 diss/flow)
+Num dissector calls: 161 (161.00 diss/flow)

 FTP_CONTROL	18	1700	1

--- a/tests/result/fuzz-2006-06-26-2594.pcap.out
+++ b/tests/result/fuzz-2006-06-26-2594.pcap.out
@ -6,7 +6,7 @@ DPI Packets (other):	5	(1.00 pkts/flow)
 Confidence Unknown          : 30 (flows)
 Confidence Match by port    : 28 (flows)
 Confidence DPI              : 193 (flows)
-Num dissector calls: 5319 (21.19 diss/flow)
+Num dissector calls: 5311 (21.16 diss/flow)

 Unknown	30	3356	30
 FTP_CONTROL	36	2569	12
--- a/tests/result/fuzz-2006-09-29-28586.pcap.out
+++ b/tests/result/fuzz-2006-09-29-28586.pcap.out
@ -6,7 +6,7 @@ Confidence Unknown          : 3 (flows)
 Confidence Match by port    : 23 (flows)
 Confidence Match by IP      : 2 (flows)
 Confidence DPI              : 12 (flows)
-Num dissector calls: 1274 (31.85 diss/flow)
+Num dissector calls: 1229 (30.73 diss/flow)

 Unknown	3	655	3
 HTTP	116	27378	35
--- a/tests/result/genshin-impact.pcap.out
+++ b/tests/result/genshin-impact.pcap.out
@ -3,7 +3,7 @@ Guessed flow protos:	0
 DPI Packets (TCP):	12	(4.00 pkts/flow)
 DPI Packets (UDP):	3	(1.00 pkts/flow)
 Confidence DPI              : 6 (flows)
-Num dissector calls: 565 (94.17 diss/flow)
+Num dissector calls: 556 (92.67 diss/flow)

 GenshinImpact	90	18405	6

--- a/tests/result/git.pcap.out
+++ b/tests/result/git.pcap.out
@ -2,7 +2,7 @@ Guessed flow protos:	0

 DPI Packets (TCP):	4	(4.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 18 (18.00 diss/flow)
+Num dissector calls: 15 (15.00 diss/flow)

 Git	90	74005	1

--- a/tests/result/gnutella.pcap.out
+++ b/tests/result/gnutella.pcap.out
@ -7,7 +7,7 @@ Confidence Unknown          : 595 (flows)
 Confidence Match by port    : 1 (flows)
 Confidence Match by IP      : 1 (flows)
 Confidence DPI              : 163 (flows)
-Num dissector calls: 64871 (85.36 diss/flow)
+Num dissector calls: 64728 (85.17 diss/flow)

 Unknown	1423	119577	595
 MDNS	18	1632	2
--- a/tests/result/google_ssl.pcap.out
+++ b/tests/result/google_ssl.pcap.out
@ -2,7 +2,7 @@ Guessed flow protos:	1

 DPI Packets (TCP):	28	(28.00 pkts/flow)
 Confidence Match by IP      : 1 (flows)
-Num dissector calls: 268 (268.00 diss/flow)
+Num dissector calls: 261 (261.00 diss/flow)

 Google	28	9108	1

--- a/tests/result/googledns_android10.pcap.out
+++ b/tests/result/googledns_android10.pcap.out
@ -4,7 +4,7 @@ DPI Packets (TCP):	42	(6.00 pkts/flow)
 DPI Packets (other):	1	(1.00 pkts/flow)
 Confidence Match by IP      : 2 (flows)
 Confidence DPI              : 6 (flows)
-Num dissector calls: 145 (18.12 diss/flow)
+Num dissector calls: 122 (15.25 diss/flow)

 ICMP	4	392	1
 Google	8	504	2
--- a/tests/result/gtp_false_positive.pcapng.out
+++ b/tests/result/gtp_false_positive.pcapng.out
@ -3,7 +3,7 @@ Guessed flow protos:	3
 DPI Packets (UDP):	7	(2.33 pkts/flow)
 Confidence Unknown          : 1 (flows)
 Confidence Match by port    : 2 (flows)
-Num dissector calls: 371 (123.67 diss/flow)
+Num dissector calls: 373 (124.33 diss/flow)

 Unknown	5	428	1
 GTP	2	424	2
--- a/tests/result/hpvirtgrp.pcap.out
+++ b/tests/result/hpvirtgrp.pcap.out
@ -2,7 +2,7 @@ Guessed flow protos:	0

 DPI Packets (TCP):	37	(4.11 pkts/flow)
 Confidence DPI              : 9 (flows)
-Num dissector calls: 1143 (127.00 diss/flow)
+Num dissector calls: 1116 (124.00 diss/flow)

 HP_VIRTGRP	135	12739	9

--- a/tests/result/http-crash-content-disposition.pcap.out
+++ b/tests/result/http-crash-content-disposition.pcap.out
@ -2,7 +2,7 @@ Guessed flow protos:	0

 DPI Packets (TCP):	8	(8.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 32 (32.00 diss/flow)
+Num dissector calls: 29 (29.00 diss/flow)

 AmazonAWS	9	3328	1

--- a/tests/result/http-lines-split.pcap.out
+++ b/tests/result/http-lines-split.pcap.out
@ -2,7 +2,7 @@ Guessed flow protos:	0

 DPI Packets (TCP):	8	(8.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 32 (32.00 diss/flow)
+Num dissector calls: 29 (29.00 diss/flow)

 HTTP	14	2503	1

--- a/tests/result/http-manipulated.pcap.out
+++ b/tests/result/http-manipulated.pcap.out
@ -2,7 +2,7 @@ Guessed flow protos:	0

 DPI Packets (TCP):	12	(6.00 pkts/flow)
 Confidence DPI              : 2 (flows)
-Num dissector calls: 64 (32.00 diss/flow)
+Num dissector calls: 58 (29.00 diss/flow)

 HTTP	328	959347	2

--- a/tests/result/http_auth.pcap.out
+++ b/tests/result/http_auth.pcap.out
@ -2,7 +2,7 @@ Guessed flow protos:	0

 DPI Packets (TCP):	6	(6.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 32 (32.00 diss/flow)
+Num dissector calls: 29 (29.00 diss/flow)

 HTTP	33	20574	1

--- a/tests/result/http_connect.pcap.out
+++ b/tests/result/http_connect.pcap.out
@ -3,7 +3,7 @@ Guessed flow protos:	0
 DPI Packets (TCP):	10	(5.00 pkts/flow)
 DPI Packets (UDP):	2	(2.00 pkts/flow)
 Confidence DPI              : 3 (flows)
-Num dissector calls: 37 (12.33 diss/flow)
+Num dissector calls: 31 (10.33 diss/flow)

 DNS	2	178	1
 TLS	58	36496	1
--- a/tests/result/http_ipv6.pcap.out
+++ b/tests/result/http_ipv6.pcap.out
@ -5,7 +5,7 @@ DPI Packets (UDP):	4	(2.00 pkts/flow)
 Confidence Unknown          : 1 (flows)
 Confidence Match by port    : 6 (flows)
 Confidence DPI              : 8 (flows)
-Num dissector calls: 264 (17.60 diss/flow)
+Num dissector calls: 234 (15.60 diss/flow)

 Unknown	3	502	1
 ntop	80	36401	4
--- a/tests/result/iec60780-5-104.pcap.out
+++ b/tests/result/iec60780-5-104.pcap.out
@ -2,7 +2,7 @@ Guessed flow protos:	0

 DPI Packets (TCP):	24	(4.00 pkts/flow)
 Confidence DPI              : 6 (flows)
-Num dissector calls: 108 (18.00 diss/flow)
+Num dissector calls: 90 (15.00 diss/flow)

 IEC60870	147	9033	6

--- a/tests/result/imap-starttls.pcap.out
+++ b/tests/result/imap-starttls.pcap.out
@ -2,7 +2,7 @@ Guessed flow protos:	0

 DPI Packets (TCP):	10	(10.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 198 (198.00 diss/flow)
+Num dissector calls: 193 (193.00 diss/flow)

 IMAPS	32	7975	1

--- a/tests/result/imap.pcap.out
+++ b/tests/result/imap.pcap.out
@ -2,7 +2,7 @@ Guessed flow protos:	0

 DPI Packets (TCP):	11	(11.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 218 (218.00 diss/flow)
+Num dissector calls: 215 (215.00 diss/flow)

 IMAP	33	3774	1

--- a/tests/result/imaps.pcap.out
+++ b/tests/result/imaps.pcap.out
@ -2,7 +2,7 @@ Guessed flow protos:	0

 DPI Packets (TCP):	7	(7.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 20 (20.00 diss/flow)
+Num dissector calls: 17 (17.00 diss/flow)

 ntop	20	5196	1

--- a/tests/result/instagram.pcap.out
+++ b/tests/result/instagram.pcap.out
@ -7,7 +7,7 @@ Confidence Unknown          : 1 (flows)
 Confidence Match by port    : 6 (flows)
 Confidence Match by IP      : 1 (flows)
 Confidence DPI              : 30 (flows)
-Num dissector calls: 2166 (57.00 diss/flow)
+Num dissector calls: 2126 (55.95 diss/flow)

 Unknown	1	66	1
 HTTP	116	91784	6
--- a/tests/result/iphone.pcap.out
+++ b/tests/result/iphone.pcap.out
@ -5,7 +5,7 @@ DPI Packets (UDP):	55	(1.77 pkts/flow)
 DPI Packets (other):	5	(1.00 pkts/flow)
 Confidence Unknown          : 1 (flows)
 Confidence DPI              : 50 (flows)
-Num dissector calls: 608 (11.92 diss/flow)
+Num dissector calls: 563 (11.04 diss/flow)

 Unknown	2	120	1
 MDNS	17	7012	5
--- a/tests/result/ipp.pcap.out
+++ b/tests/result/ipp.pcap.out
@ -2,7 +2,7 @@ Guessed flow protos:	0

 DPI Packets (TCP):	21	(7.00 pkts/flow)
 Confidence DPI              : 3 (flows)
-Num dissector calls: 108 (36.00 diss/flow)
+Num dissector calls: 99 (33.00 diss/flow)

 IPP	277	248554	3

--- a/tests/result/irc.pcap.out
+++ b/tests/result/irc.pcap.out
@ -2,7 +2,7 @@ Guessed flow protos:	0

 DPI Packets (TCP):	7	(7.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 172 (172.00 diss/flow)
+Num dissector calls: 168 (168.00 diss/flow)

 IRC	29	8945	1

--- a/tests/result/ja3_lots_of_cipher_suites.pcap.out
+++ b/tests/result/ja3_lots_of_cipher_suites.pcap.out
@ -2,7 +2,7 @@ Guessed flow protos:	0

 DPI Packets (TCP):	7	(7.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 18 (18.00 diss/flow)
+Num dissector calls: 15 (15.00 diss/flow)

 TLS	11	5132	1

--- a/tests/result/ja3_lots_of_cipher_suites_2_anon.pcap.out
+++ b/tests/result/ja3_lots_of_cipher_suites_2_anon.pcap.out
@ -2,7 +2,7 @@ Guessed flow protos:	0

 DPI Packets (TCP):	7	(7.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 18 (18.00 diss/flow)
+Num dissector calls: 15 (15.00 diss/flow)

 TLS	27	6966	1

--- a/tests/result/jabber.pcap.out
+++ b/tests/result/jabber.pcap.out
@ -1,9 +1,20 @@
 Guessed flow protos:	0

-DPI Packets (TCP):	6	(6.00 pkts/flow)
-Confidence DPI              : 1 (flows)
-Num dissector calls: 142 (142.00 diss/flow)
+DPI Packets (TCP):	74	(6.17 pkts/flow)
+Confidence DPI              : 12 (flows)
+Num dissector calls: 1525 (127.08 diss/flow)

-Jabber	13	901	1
+Jabber	358	61304	12

-	1	TCP 192.168.58.1:53460 <-> 192.168.58.153:5222 [proto: 67/Jabber][ClearText][Confidence: DPI][cat: Web/5][7 pkts/565 bytes <-> 6 pkts/336 bytes][Goodput ratio: 28/0][0.07 sec][bytes ratio: 0.254 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/14 13/7 48/14 18/7][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 81/56 173/66 38/4][PLAIN TEXT (xml version)][Plen Bins: 66,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	1	TCP 172.16.0.62:57094 <-> 172.16.1.138:5222 [proto: 67/Jabber][ClearText][Confidence: DPI][cat: Web/5][44 pkts/5701 bytes <-> 42 pkts/13807 bytes][Goodput ratio: 49/80][2.17 sec][bytes ratio: -0.416 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 36/39 611/611 109/111][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 130/329 559/1514 104/415][PLAIN TEXT (xml version)][Plen Bins: 2,4,2,24,9,13,4,6,9,0,2,2,2,0,0,4,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0]
+	2	TCP 172.16.0.62:57122 <-> 172.16.1.138:5222 [proto: 67/Jabber][ClearText][Confidence: DPI][cat: Web/5][44 pkts/5701 bytes <-> 42 pkts/13806 bytes][Goodput ratio: 49/80][2.16 sec][bytes ratio: -0.415 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 36/39 521/520 99/101][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 130/329 677/1514 116/415][PLAIN TEXT (xml version)][Plen Bins: 2,4,2,22,9,15,4,7,9,0,2,2,2,0,0,2,0,0,0,2,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0]
+	3	TCP 172.16.0.62:57149 <-> 172.16.1.138:5222 [proto: 67/Jabber][ClearText][Confidence: DPI][cat: Web/5][21 pkts/2752 bytes <-> 17 pkts/3414 bytes][Goodput ratio: 50/67][656.22 sec][bytes ratio: -0.107 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 35858/700 600484/4996 141164/1575][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 131/201 305/529 77/137][PLAIN TEXT (presence to)][Plen Bins: 0,18,0,22,18,9,18,4,0,0,0,0,4,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	4	TCP 172.16.0.62:57129 <-> 172.16.1.138:5222 [proto: 67/Jabber][ClearText][Confidence: DPI][cat: Web/5][16 pkts/2866 bytes <-> 9 pkts/2273 bytes][Goodput ratio: 63/74][423.43 sec][bytes ratio: 0.115 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/2 23604/41249 136091/136094 40743/50152][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 179/253 769/481 173/115][PLAIN TEXT (iq type)][Plen Bins: 0,0,6,18,18,6,12,18,6,0,0,0,6,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	5	TCP 172.16.0.62:57147 <-> 172.16.1.138:5222 [proto: 67/Jabber][ClearText][Confidence: DPI][cat: Web/5][16 pkts/1698 bytes <-> 12 pkts/1584 bytes][Goodput ratio: 38/49][0.42 sec][bytes ratio: 0.035 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 32/52 333/333 89/108][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 106/132 404/351 90/93][PLAIN TEXT (xml version)][Plen Bins: 30,0,0,10,10,30,0,0,10,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	6	TCP 192.168.2.100:58388 <-> 160.44.201.102:5223 [proto: 67/Jabber][ClearText][Confidence: DPI][cat: Web/5][9 pkts/809 bytes <-> 6 pkts/455 bytes][Goodput ratio: 37/26][300.65 sec][bytes ratio: 0.280 (Upload)][IAT c2s/s2c min/avg/max/stddev: 13/1 30058/52574 209840/209871 73396/90816][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 90/76 221/91 51/13][Plen Bins: 12,63,12,0,0,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	7	TCP 192.168.2.100:34070 <-> 160.44.201.102:5223 [proto: 67/Jabber][ClearText][Confidence: DPI][cat: Web/5][9 pkts/808 bytes <-> 6 pkts/455 bytes][Goodput ratio: 37/26][279.71 sec][bytes ratio: 0.279 (Upload)][IAT c2s/s2c min/avg/max/stddev: 26/0 39051/68333 273088/273176 95545/118266][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 90/76 221/91 51/12][Plen Bins: 12,63,12,0,0,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	8	TCP 192.168.2.100:41420 <-> 160.44.201.102:5223 [proto: 67/Jabber][ClearText][Confidence: DPI][cat: Web/5][8 pkts/791 bytes <-> 7 pkts/471 bytes][Goodput ratio: 43/15][35.65 sec][bytes ratio: 0.254 (Upload)][IAT c2s/s2c min/avg/max/stddev: 31/0 5924/67 35140/231 13066/91][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 99/67 221/91 53/11][Plen Bins: 28,28,28,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	9	TCP 192.168.2.100:34218 <-> 160.44.201.102:5223 [proto: 67/Jabber][ClearText][Confidence: DPI][cat: Web/5][9 pkts/808 bytes <-> 6 pkts/453 bytes][Goodput ratio: 37/26][306.20 sec][bytes ratio: 0.282 (Upload)][IAT c2s/s2c min/avg/max/stddev: 23/1 42924/75084 299903/299938 104911/129819][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 90/76 221/91 51/13][Plen Bins: 12,63,12,0,0,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	10	TCP 192.168.2.100:37614 <-> 160.44.201.102:5223 [proto: 67/Jabber][ClearText][Confidence: DPI][cat: Web/5][9 pkts/808 bytes <-> 6 pkts/453 bytes][Goodput ratio: 37/26][393.79 sec][bytes ratio: 0.282 (Upload)][IAT c2s/s2c min/avg/max/stddev: 24/1 13370/23387 93313/93412 32637/40429][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 90/76 221/91 51/13][Plen Bins: 12,63,12,0,0,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	11	TCP 192.168.58.1:53460 <-> 192.168.58.153:5222 [proto: 67/Jabber][ClearText][Confidence: DPI][cat: Web/5][7 pkts/565 bytes <-> 6 pkts/336 bytes][Goodput ratio: 28/0][0.07 sec][bytes ratio: 0.254 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/14 13/7 48/14 18/7][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 81/56 173/66 38/4][PLAIN TEXT (xml version)][Plen Bins: 66,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	12	TCP 172.16.0.62:57126 <-> 172.16.1.138:5222 [proto: 67/Jabber][ClearText][Confidence: DPI][cat: Web/5][4 pkts/280 bytes <-> 3 pkts/210 bytes][Goodput ratio: 6/0][0.00 sec][bytes ratio: 0.143 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 0/0 0/0 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 70/70 82/78 7/6][PLAIN TEXT (/stream)][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
--- a/tests/result/kerberos-login.pcap.out
+++ b/tests/result/kerberos-login.pcap.out
@ -3,7 +3,7 @@ Guessed flow protos:	0
 DPI Packets (TCP):	11	(11.00 pkts/flow)
 DPI Packets (UDP):	12	(1.00 pkts/flow)
 Confidence DPI              : 13 (flows)
-Num dissector calls: 35 (2.69 diss/flow)
+Num dissector calls: 31 (2.38 diss/flow)

 Kerberos	39	37272	13

--- a/tests/result/kerberos.pcap.out
+++ b/tests/result/kerberos.pcap.out
@ -4,7 +4,7 @@ DPI Packets (TCP):	77	(2.14 pkts/flow)
 Confidence Unknown          : 2 (flows)
 Confidence Match by port    : 23 (flows)
 Confidence DPI              : 11 (flows)
-Num dissector calls: 3863 (107.31 diss/flow)
+Num dissector calls: 3865 (107.36 diss/flow)

 Unknown	9	3031	2
 SMBv23	6	1914	3
--- a/tests/result/lisp_registration.pcap.out
+++ b/tests/result/lisp_registration.pcap.out
@ -3,7 +3,7 @@ Guessed flow protos:	0
 DPI Packets (TCP):	8	(4.00 pkts/flow)
 DPI Packets (UDP):	2	(1.00 pkts/flow)
 Confidence DPI              : 4 (flows)
-Num dissector calls: 232 (58.00 diss/flow)
+Num dissector calls: 226 (56.50 diss/flow)

 LISP	30	5266	4

--- a/tests/result/log4j-webapp-exploit.pcap.out
+++ b/tests/result/log4j-webapp-exploit.pcap.out
@ -3,7 +3,7 @@ Guessed flow protos:	2
 DPI Packets (TCP):	111	(15.86 pkts/flow)
 Confidence Unknown          : 2 (flows)
 Confidence DPI              : 5 (flows)
-Num dissector calls: 569 (81.29 diss/flow)
+Num dissector calls: 549 (78.43 diss/flow)

 Unknown	356	25081	2
 HTTP	34	6741	3
--- a/tests/result/long_tls_certificate.pcap.out
+++ b/tests/result/long_tls_certificate.pcap.out
@ -2,7 +2,7 @@ Guessed flow protos:	0

 DPI Packets (TCP):	12	(12.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 18 (18.00 diss/flow)
+Num dissector calls: 15 (15.00 diss/flow)

 Alibaba	47	14812	1

--- a/tests/result/malware.pcap.out
+++ b/tests/result/malware.pcap.out
@ -5,7 +5,7 @@ DPI Packets (UDP):	2	(2.00 pkts/flow)
 DPI Packets (other):	1	(1.00 pkts/flow)
 Confidence Match by port    : 1 (flows)
 Confidence DPI              : 4 (flows)
-Num dissector calls: 42 (8.40 diss/flow)
+Num dissector calls: 38 (7.60 diss/flow)

 DNS	2	216	1
 HTTP	1	66	1
--- a/tests/result/memcached.cap.out
+++ b/tests/result/memcached.cap.out
@ -2,7 +2,7 @@ Guessed flow protos:	0

 DPI Packets (TCP):	6	(6.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 139 (139.00 diss/flow)
+Num dissector calls: 135 (135.00 diss/flow)

 Memcached	10	1711	1

--- a/tests/result/monero.pcap.out
+++ b/tests/result/monero.pcap.out
@ -2,7 +2,7 @@ Guessed flow protos:	0

 DPI Packets (TCP):	8	(4.00 pkts/flow)
 Confidence DPI              : 2 (flows)
-Num dissector calls: 94 (47.00 diss/flow)
+Num dissector calls: 88 (44.00 diss/flow)

 Mining	319	166676	2

--- a/tests/result/mongodb.pcap.out
+++ b/tests/result/mongodb.pcap.out
@ -4,7 +4,7 @@ DPI Packets (TCP):	27	(3.38 pkts/flow)
 Confidence Unknown          : 1 (flows)
 Confidence Match by port    : 2 (flows)
 Confidence DPI              : 5 (flows)
-Num dissector calls: 239 (29.88 diss/flow)
+Num dissector calls: 217 (27.12 diss/flow)

 Unknown	3	230	1
 MongoDB	24	2510	7
--- a/tests/result/mpeg-dash.pcap.out
+++ b/tests/result/mpeg-dash.pcap.out
@ -2,7 +2,7 @@ Guessed flow protos:	0

 DPI Packets (TCP):	10	(2.50 pkts/flow)
 Confidence DPI              : 4 (flows)
-Num dissector calls: 93 (23.25 diss/flow)
+Num dissector calls: 88 (22.00 diss/flow)

 AmazonAWS	9	2693	3
 MpegDash	4	1976	1
--- a/tests/result/mpeg.pcap.out
+++ b/tests/result/mpeg.pcap.out
@ -2,7 +2,7 @@ Guessed flow protos:	0

 DPI Packets (TCP):	6	(6.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 32 (32.00 diss/flow)
+Num dissector calls: 29 (29.00 diss/flow)

 ntop	19	10643	1

--- a/tests/result/mqtt.pcap.out
+++ b/tests/result/mqtt.pcap.out
@ -2,7 +2,7 @@ Guessed flow protos:	0

 DPI Packets (TCP):	3	(1.50 pkts/flow)
 Confidence DPI              : 2 (flows)
-Num dissector calls: 9 (4.50 diss/flow)
+Num dissector calls: 8 (4.00 diss/flow)

 MQTT	9	1481	2

--- a/tests/result/mssql_tds.pcap.out
+++ b/tests/result/mssql_tds.pcap.out
@ -3,7 +3,7 @@ Guessed flow protos:	1
 DPI Packets (TCP):	18	(1.50 pkts/flow)
 Confidence Match by port    : 1 (flows)
 Confidence DPI              : 11 (flows)
-Num dissector calls: 285 (23.75 diss/flow)
+Num dissector calls: 287 (23.92 diss/flow)

 MsSQL-TDS	38	16260	12

--- a/tests/result/mysql-8.pcap.out
+++ b/tests/result/mysql-8.pcap.out
@ -2,7 +2,7 @@ Guessed flow protos:	0

 DPI Packets (TCP):	4	(4.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 18 (18.00 diss/flow)
+Num dissector calls: 15 (15.00 diss/flow)

 MySQL	4	367	1

--- a/tests/result/nats.pcap.out
+++ b/tests/result/nats.pcap.out
@ -2,7 +2,7 @@ Guessed flow protos:	0

 DPI Packets (TCP):	10	(5.00 pkts/flow)
 Confidence DPI              : 2 (flows)
-Num dissector calls: 64 (32.00 diss/flow)
+Num dissector calls: 56 (28.00 diss/flow)

 Nats	27	2460	2

--- a/tests/result/ndpi_match_string_subprotocol__error.pcapng.out
+++ b/tests/result/ndpi_match_string_subprotocol__error.pcapng.out
@ -2,7 +2,7 @@ Guessed flow protos:	0

 DPI Packets (TCP):	3	(3.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 25 (25.00 diss/flow)
+Num dissector calls: 24 (24.00 diss/flow)

 SOAP	13	2935	1

--- a/tests/result/nest_log_sink.pcap.out
+++ b/tests/result/nest_log_sink.pcap.out
@ -4,7 +4,7 @@ DPI Packets (TCP):	176	(13.54 pkts/flow)
 DPI Packets (UDP):	2	(2.00 pkts/flow)
 Confidence Match by IP      : 1 (flows)
 Confidence DPI              : 13 (flows)
-Num dissector calls: 2195 (156.79 diss/flow)
+Num dissector calls: 2104 (150.29 diss/flow)

 DNS	15	1612	1
 NestLogSink	676	112058	12
--- a/tests/result/netbios.pcap.out
+++ b/tests/result/netbios.pcap.out
@ -4,7 +4,7 @@ DPI Packets (TCP):	2	(2.00 pkts/flow)
 DPI Packets (UDP):	14	(1.00 pkts/flow)
 Confidence Match by port    : 1 (flows)
 Confidence DPI              : 14 (flows)
-Num dissector calls: 137 (9.13 diss/flow)
+Num dissector calls: 136 (9.07 diss/flow)

 NetBIOS	258	24196	13
 SMBv1	2	486	2
--- a/tests/result/netflix.pcap.out
+++ b/tests/result/netflix.pcap.out
@ -5,7 +5,7 @@ DPI Packets (UDP):	27	(2.08 pkts/flow)
 DPI Packets (other):	1	(1.00 pkts/flow)
 Confidence Match by IP      : 1 (flows)
 Confidence DPI              : 60 (flows)
-Num dissector calls: 1250 (20.49 diss/flow)
+Num dissector calls: 1110 (18.20 diss/flow)

 DNS	4	386	2
 SSDP	16	2648	1
--- a/Show more
+++ b/Show more