SMTPS, POPS, IMAPS: fix classification and extra dissection (#1685)

The big change in TLS code is to allow "master" protocols other than TLS/DTLS, like SMTPS, POPS and IMAPS. This change will allow, in a future, a proper and complete TLS dissection for all these protocols with "STARTTLS"-like messages.
ntop · Jul 30, 2022 · d54d508 · d54d508
1 parent 8402bd6
commit d54d508
Show file tree

Hide file tree

Showing 12 changed files with 84 additions and 79 deletions.
diff --git a/example/ndpiReader.c b/example/ndpiReader.c
@@ -1588,15 +1588,12 @@ static void printFlow(u_int32_t id, struct ndpi_flow_info *flow, u_int16_t threa
       fprintf(out, "[ESNI Cipher: %s]", ndpi_cipher2str(flow->ssh_tls.encrypted_sni.cipher_suite));
     }
 
-    if((flow->detected_protocol.master_protocol == NDPI_PROTOCOL_TLS)
-       || (flow->detected_protocol.app_protocol == NDPI_PROTOCOL_TLS)) {
-      if(flow->ssh_tls.sha1_cert_fingerprint_set) {
-	fprintf(out, "[Certificate SHA-1: ");
-	for(i=0; i<20; i++)
-	  fprintf(out, "%s%02X", (i > 0) ? ":" : "",
-		  flow->ssh_tls.sha1_cert_fingerprint[i] & 0xFF);
-	fprintf(out, "]");
-      }
+    if(flow->ssh_tls.sha1_cert_fingerprint_set) {
+      fprintf(out, "[Certificate SHA-1: ");
+      for(i=0; i<20; i++)
+        fprintf(out, "%s%02X", (i > 0) ? ":" : "",
+                flow->ssh_tls.sha1_cert_fingerprint[i] & 0xFF);
+      fprintf(out, "]");
     }
 
 #ifdef HEURISTICS_CODE

diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
@@ -8236,6 +8236,9 @@ u_int8_t ndpi_extra_dissection_possible(struct ndpi_detection_module_struct *ndp
   switch(proto) {
   case NDPI_PROTOCOL_TLS:
   case NDPI_PROTOCOL_DTLS:
+  case NDPI_PROTOCOL_MAIL_POPS:
+  case NDPI_PROTOCOL_MAIL_IMAPS:
+  case NDPI_PROTOCOL_MAIL_SMTPS:
   case NDPI_PROTOCOL_HTTP:
   case NDPI_PROTOCOL_HTTP_PROXY:
   case NDPI_PROTOCOL_HTTP_CONNECT:

diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
@@ -101,39 +101,49 @@ union ja3_info {
 
 
 static void ndpi_int_tls_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
-					struct ndpi_flow_struct *flow, u_int32_t protocol);
+					struct ndpi_flow_struct *flow);
 
 /* **************************************** */
 
 static u_int32_t ndpi_tls_refine_master_protocol(struct ndpi_detection_module_struct *ndpi_struct,
-						 struct ndpi_flow_struct *flow, u_int32_t protocol) {
+						 struct ndpi_flow_struct *flow) {
   struct ndpi_packet_struct *packet = &ndpi_struct->packet;
-
-  // protocol = NDPI_PROTOCOL_TLS;
+  u_int32_t protocol;
 
   if(packet->tcp != NULL) {
-    switch(protocol) {
-    case NDPI_PROTOCOL_TLS:
-      {
-	/*
-	  In case of TLS there are probably sub-protocols
-	  such as IMAPS that can be otherwise detected
-	*/
-	u_int16_t sport = ntohs(packet->tcp->source);
-	u_int16_t dport = ntohs(packet->tcp->dest);
-
-	if((sport == 465) || (dport == 465) || (sport == 587) || (dport == 587))
-	  protocol = NDPI_PROTOCOL_MAIL_SMTPS;
-	else if((sport == 993) || (dport == 993)
-		|| (flow->l4.tcp.mail_imap_starttls)
-		) protocol = NDPI_PROTOCOL_MAIL_IMAPS;
-	else if((sport == 995) || (dport == 995)) protocol = NDPI_PROTOCOL_MAIL_POPS;
-      }
-      break;
-    }
+    /*
+      In case of TLS there are probably sub-protocols
+      such as IMAPS that can be otherwise detected
+    */
+    u_int16_t sport = ntohs(packet->tcp->source);
+    u_int16_t dport = ntohs(packet->tcp->dest);
+
+    if((sport == 465) || (dport == 465) || (sport == 587) || (dport == 587))
+      protocol = NDPI_PROTOCOL_MAIL_SMTPS;
+    else if((sport == 993) || (dport == 993) || (flow->l4.tcp.mail_imap_starttls))
+      protocol = NDPI_PROTOCOL_MAIL_IMAPS;
+    else if((sport == 995) || (dport == 995))
+      protocol = NDPI_PROTOCOL_MAIL_POPS;
+    else
+      protocol = NDPI_PROTOCOL_TLS;
+  } else {
+      protocol = NDPI_PROTOCOL_DTLS;
   }
 
-  return(protocol);
+  return protocol;
+}
+
+/* **************************************** */
+
+static u_int32_t __get_master(struct ndpi_detection_module_struct *ndpi_struct,
+			      struct ndpi_flow_struct *flow) {
+
+  if(flow->detected_protocol_stack[1] != NDPI_PROTOCOL_UNKNOWN)
+    return flow->detected_protocol_stack[1];
+  if(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN)
+    return flow->detected_protocol_stack[0];
+
+  return ndpi_tls_refine_master_protocol(ndpi_struct, flow);
 }
 
 /* **************************************** */
@@ -301,9 +311,9 @@ static void checkTLSSubprotocol(struct ndpi_detection_module_struct *ndpi_struct
 
       if(ndpi_lru_find_cache(ndpi_struct->tls_cert_cache, key,
 			     &cached_proto, 0 /* Don't remove it as it can be used for other connections */)) {
-	ndpi_protocol ret = { NDPI_PROTOCOL_TLS, cached_proto, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, NULL};
+	ndpi_protocol ret = { __get_master(ndpi_struct, flow), cached_proto, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, NULL};
 
-	ndpi_set_detected_protocol(ndpi_struct, flow, cached_proto, NDPI_PROTOCOL_TLS, NDPI_CONFIDENCE_DPI_CACHE);
+	ndpi_set_detected_protocol(ndpi_struct, flow, cached_proto, __get_master(ndpi_struct, flow), NDPI_CONFIDENCE_DPI_CACHE);
 	flow->category = ndpi_get_proto_category(ndpi_struct, ret);
 	ndpi_check_subprotocol_risk(ndpi_struct, flow, cached_proto);
       }
@@ -641,7 +651,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
 		    }
 
 		    if(!flow->protos.tls_quic.subprotocol_detected)
-		      if(ndpi_match_hostname_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TLS, dNSName, dNSName_len))
+		      if(ndpi_match_hostname_protocol(ndpi_struct, flow, __get_master(ndpi_struct, flow), dNSName, dNSName_len))
 			flow->protos.tls_quic.subprotocol_detected = 1;
 
 		    i += len;
@@ -681,9 +691,9 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
       if(rc == 0) {
 	/* Match found */
 	u_int16_t proto_id = (u_int16_t)val;
-	ndpi_protocol ret = { NDPI_PROTOCOL_TLS, proto_id, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, NULL};
+	ndpi_protocol ret = { __get_master(ndpi_struct, flow), proto_id, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, NULL};
 
-	ndpi_set_detected_protocol(ndpi_struct, flow, proto_id, NDPI_PROTOCOL_TLS, NDPI_CONFIDENCE_DPI);
+	ndpi_set_detected_protocol(ndpi_struct, flow, proto_id, __get_master(ndpi_struct, flow), NDPI_CONFIDENCE_DPI);
 	flow->category = ndpi_get_proto_category(ndpi_struct, ret);
 	ndpi_check_subprotocol_risk(ndpi_struct, flow, proto_id);
 
@@ -856,7 +866,7 @@ int processTLSBlock(struct ndpi_detection_module_struct *ndpi_struct,
   case 0x02: /* Server Hello */
     processClientServerHello(ndpi_struct, flow, 0);
     flow->protos.tls_quic.hello_processed = 1;
-    ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_TLS);
+    ndpi_int_tls_add_connection(ndpi_struct, flow);
 
 #ifdef DEBUG_TLS
     printf("*** TLS [version: %02X][%s Hello]\n",
@@ -897,10 +907,8 @@ int processTLSBlock(struct ndpi_detection_module_struct *ndpi_struct,
 
 static void ndpi_looks_like_tls(struct ndpi_detection_module_struct *ndpi_struct,
 				struct ndpi_flow_struct *flow) {
-  // ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TLS, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
-
   if(flow->guessed_protocol_id == NDPI_PROTOCOL_UNKNOWN)
-    flow->guessed_protocol_id = NDPI_PROTOCOL_TLS;
+    flow->guessed_protocol_id = __get_master(ndpi_struct, flow);
 }
 
 /* **************************************** */
@@ -995,7 +1003,7 @@ static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct,
           message->buffer[2] <= 0x04 &&
           alert_len == (u_int32_t)message->buffer_used - 5)
 	{
-	  ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_TLS);
+	  ndpi_int_tls_add_connection(ndpi_struct, flow);
 	}
     }
 
@@ -1041,7 +1049,7 @@ static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct,
 	    message->buffer[2] <= 0x04 &&
 	    block_len == (u_int32_t)message->buffer_used - 5)
 	  {
-	    ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_TLS);
+	    ndpi_int_tls_add_connection(ndpi_struct, flow);
 	  }
 
 	if(flow->l4.tcp.tls.certificate_processed) {
@@ -1254,27 +1262,21 @@ static void tlsCheckUncommonALPN(struct ndpi_detection_module_struct *ndpi_struc
 /* **************************************** */
 
 static void ndpi_int_tls_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
-					struct ndpi_flow_struct *flow, u_int32_t protocol) {
-  struct ndpi_packet_struct *packet = &ndpi_struct->packet;
+					struct ndpi_flow_struct *flow) {
+  u_int32_t protocol;
 
 #if DEBUG_TLS
   printf("[TLS] %s()\n", __FUNCTION__);
 #endif
 
-  if((packet->udp != NULL) && (protocol == NDPI_PROTOCOL_TLS))
-    protocol = NDPI_PROTOCOL_DTLS;
-
-  if((flow->detected_protocol_stack[0] == protocol)
-     || (flow->detected_protocol_stack[1] == protocol)) {
+  if((flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) ||
+     (flow->detected_protocol_stack[1] != NDPI_PROTOCOL_UNKNOWN)) {
     if(!flow->check_extra_packets)
       tlsInitExtraPacketProcessing(ndpi_struct, flow);
     return;
   }
 
-  if(protocol != NDPI_PROTOCOL_TLS)
-    ;
-  else
-    protocol = ndpi_tls_refine_master_protocol(ndpi_struct, flow, protocol);
+  protocol = __get_master(ndpi_struct, flow);
 
   ndpi_set_detected_protocol(ndpi_struct, flow, protocol, protocol, NDPI_CONFIDENCE_DPI);
 
@@ -1883,7 +1885,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
 		    }
 
 		    if(!is_quic) {
-		      if(ndpi_match_hostname_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TLS, sni, sni_len))
+		      if(ndpi_match_hostname_protocol(ndpi_struct, flow, __get_master(ndpi_struct, flow), sni, sni_len))
 		        flow->protos.tls_quic.subprotocol_detected = 1;
 		    } else {
 		      if(ndpi_match_hostname_protocol(ndpi_struct, flow, NDPI_PROTOCOL_QUIC, sni, sni_len))
@@ -1900,7 +1902,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
 		         /* Check if it ends in .com or .net */
 		         && ((strcmp(&sni[sni_len-4], ".com") == 0) || (strcmp(&sni[sni_len-4], ".net") == 0))
 		         && (strncmp(sni, "www.", 4) == 0)) /* Not starting with www.... */
-		        ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TOR, NDPI_PROTOCOL_TLS, NDPI_CONFIDENCE_DPI);
+		        ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TOR, __get_master(ndpi_struct, flow), NDPI_CONFIDENCE_DPI);
 		    } else {
 #ifdef DEBUG_TLS
 		      printf("[TLS] SNI: (NO DGA) [%s]\n", sni);

diff --git a/tests/pcap/imaps.pcap b/tests/pcap/imaps.pcap
diff --git a/tests/result/6in4tunnel.pcap.out b/tests/result/6in4tunnel.pcap.out
@@ -1,6 +1,6 @@
-Guessed flow protos:	0
+Guessed flow protos:	2
 
-DPI Packets (TCP):	27	(5.40 pkts/flow)
+DPI Packets (TCP):	29	(5.80 pkts/flow)
 DPI Packets (UDP):	4	(2.00 pkts/flow)
 DPI Packets (other):	3	(1.00 pkts/flow)
 Confidence DPI              : 10 (flows)

diff --git a/tests/result/dtls2.pcap.out b/tests/result/dtls2.pcap.out
@@ -26,4 +26,4 @@ JA3 Host Stats:
 	1	 61.68.110.153            	 1      
 
 
-	1	UDP 61.68.110.153:53045 <-> 212.32.214.39:61457 [proto: 30/DTLS][Encrypted][Confidence: DPI][cat: Web/5][14 pkts/2246 bytes <-> 16 pkts/2745 bytes][Goodput ratio: 74/75][382.15 sec][bytes ratio: -0.100 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 2/241 27857/28359 60550/60551 26256/25033][Pkt Len c2s/s2c min/avg/max/stddev: 123/102 160/172 325/867 46/180][Risk: ** Weak TLS Cipher **** TLS (probably) Not Carrying HTTPS **** Missing SNI TLS Extn **][Risk Score: 160][Risk Info: No ALPN / Cipher TLS_RSA_WITH_AES_256_CBC_SHA][DTLSv1.0][JA3C: 1b45c913a0c0fde5f263502e65999485][JA3S: 749bd1edea60396ffaa65213b7971718 (WEAK)][Issuer: C=US][Subject: C=US, CN=*.relay.ros.rockstargames.com][Validity: 2014-09-12 21:31:19 - 2037-02-15 21:31:19][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA][PLAIN TEXT (140912213119Z)][Plen Bins: 0,3,43,46,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	1	UDP 61.68.110.153:53045 <-> 212.32.214.39:61457 [proto: 30/DTLS][Encrypted][Confidence: DPI][cat: Web/5][14 pkts/2246 bytes <-> 16 pkts/2745 bytes][Goodput ratio: 74/75][382.15 sec][bytes ratio: -0.100 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 2/241 27857/28359 60550/60551 26256/25033][Pkt Len c2s/s2c min/avg/max/stddev: 123/102 160/172 325/867 46/180][Risk: ** Weak TLS Cipher **** TLS (probably) Not Carrying HTTPS **** Missing SNI TLS Extn **][Risk Score: 160][Risk Info: No ALPN / Cipher TLS_RSA_WITH_AES_256_CBC_SHA][DTLSv1.0][JA3C: 1b45c913a0c0fde5f263502e65999485][JA3S: 749bd1edea60396ffaa65213b7971718 (WEAK)][Issuer: C=US][Subject: C=US, CN=*.relay.ros.rockstargames.com][Certificate SHA-1: AB:59:0E:11:EC:94:4D:D5:D3:40:7E:6E:3B:8B:6A:19:CA:B7:85:2C][Validity: 2014-09-12 21:31:19 - 2037-02-15 21:31:19][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA][PLAIN TEXT (140912213119Z)][Plen Bins: 0,3,43,46,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/result/dtls_certificate.pcapng.out b/tests/result/dtls_certificate.pcapng.out
@@ -25,4 +25,4 @@ JA3 Host Stats:
 		 IP Address                  	 # JA3C     
 
 
-	1	UDP 191.62.60.190:443 -> 163.205.15.180:38876 [proto: 91.147/TLS.WindowsUpdate][Encrypted][Confidence: DPI][cat: SoftwareUpdate/19][1 pkts/1486 bytes -> 0 pkts/0 bytes][Goodput ratio: 97/0][< 1 sec][Risk: ** TLS Cert Expired **** Unidirectional Traffic **][Risk Score: 110][Risk Info: No client to server traffic / 27/Feb/2017 12:00:00 - 27/Feb/2019 00:00:00][JA3S: 953c1507994f72697446de4eff6e300b][Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Update Secure Server CA 1][Subject: C=US, ST=Washington, L=Redmond, O=Microsoft, OU=DSP, CN=www.update.microsoft.com][Certificate SHA-1: D1:88:0F:51:C1:01:91:72:A1:A4:6E:69:F4:33:7F:FE:3E:C4:F0:39][Validity: 2017-02-27 12:00:00 - 2019-02-27 00:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][PLAIN TEXT (Washington1)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0]
+	1	UDP 191.62.60.190:443 -> 163.205.15.180:38876 [proto: 30.147/DTLS.WindowsUpdate][Encrypted][Confidence: DPI][cat: SoftwareUpdate/19][1 pkts/1486 bytes -> 0 pkts/0 bytes][Goodput ratio: 97/0][< 1 sec][Risk: ** TLS Cert Expired **** Unidirectional Traffic **][Risk Score: 110][Risk Info: No client to server traffic / 27/Feb/2017 12:00:00 - 27/Feb/2019 00:00:00][JA3S: 953c1507994f72697446de4eff6e300b][Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Update Secure Server CA 1][Subject: C=US, ST=Washington, L=Redmond, O=Microsoft, OU=DSP, CN=www.update.microsoft.com][Certificate SHA-1: D1:88:0F:51:C1:01:91:72:A1:A4:6E:69:F4:33:7F:FE:3E:C4:F0:39][Validity: 2017-02-27 12:00:00 - 2019-02-27 00:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][PLAIN TEXT (Washington1)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0]
diff --git a/tests/result/imaps.pcap.out b/tests/result/imaps.pcap.out
@@ -1,29 +1,32 @@
-Guessed flow protos:	0
+Guessed flow protos:	1
 
-DPI Packets (TCP):	7	(7.00 pkts/flow)
-Confidence DPI              : 1 (flows)
-Num dissector calls: 3 (3.00 diss/flow)
+DPI Packets (TCP):	15	(7.50 pkts/flow)
+Confidence DPI              : 2 (flows)
+Num dissector calls: 6 (3.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
 LRU cache stun:       0/0/0 (insert/search/found)
 LRU cache tls_cert:   0/0/0 (insert/search/found)
 LRU cache mining:     0/0/0 (insert/search/found)
 LRU cache msteams:    0/0/0 (insert/search/found)
-Automa host:          1/1 (search/found)
-Automa domain:        1/0 (search/found)
+Automa host:          3/1 (search/found)
+Automa domain:        2/0 (search/found)
 Automa tls cert:      0/0 (search/found)
-Automa risk mask:     1/0 (search/found)
+Automa risk mask:     2/0 (search/found)
 Automa common alpns:  0/0 (search/found)
-Patricia risk mask:   2/0 (search/found)
+Patricia risk mask:   6/0 (search/found)
 Patricia risk:        0/0 (search/found)
-Patricia protocols:   4/0 (search/found)
+Patricia protocols:   12/0 (search/found)
 
 ntop	20	5196	1
+IMAPS	8	4378	1
 
 JA3 Host Stats: 
 		 IP Address                  	 # JA3C     
-	1	 192.168.1.8              	 1      
+	1	 192.168.0.1              	 1      
+	2	 192.168.1.8              	 1      
 
 
-	1	TCP 192.168.1.8:50506 <-> 167.99.215.164:993 [proto: 91.26/TLS.ntop][Encrypted][Confidence: DPI][cat: Network/14][10 pkts/1220 bytes <-> 10 pkts/3976 bytes][Goodput ratio: 45/83][0.33 sec][Hostname/SNI: mail.ntop.org][bytes ratio: -0.530 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 33/22 77/43 26/19][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 122/398 293/1506 78/557][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: 4923a265be4d81c68ecda45bb89cdf6a][ServerNames: mail.ntop.org][JA3S: b653c251b0ee54c3088fe7bb997cf59d][Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3][Subject: CN=mail.ntop.org][Certificate SHA-1: F1:9A:35:30:96:57:5E:56:81:28:2C:D9:45:A5:83:21:9E:E8:C5:DF][Firefox][Validity: 2020-04-18 00:15:22 - 2020-07-17 00:15:22][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,20,10,10,20,10,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0]
+	1	TCP 192.168.1.8:50506 <-> 167.99.215.164:993 [proto: 51.26/IMAPS.ntop][Encrypted][Confidence: DPI][cat: Email/3][10 pkts/1220 bytes <-> 10 pkts/3976 bytes][Goodput ratio: 45/83][0.33 sec][Hostname/SNI: mail.ntop.org][bytes ratio: -0.530 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 33/22 77/43 26/19][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 122/398 293/1506 78/557][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: 4923a265be4d81c68ecda45bb89cdf6a][ServerNames: mail.ntop.org][JA3S: b653c251b0ee54c3088fe7bb997cf59d][Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3][Subject: CN=mail.ntop.org][Certificate SHA-1: F1:9A:35:30:96:57:5E:56:81:28:2C:D9:45:A5:83:21:9E:E8:C5:DF][Firefox][Validity: 2020-04-18 00:15:22 - 2020-07-17 00:15:22][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][PLAIN TEXT (mail.ntop.org)][Plen Bins: 0,20,10,10,20,10,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0]
+	2	TCP 192.168.0.1:51529 <-> 10.10.10.1:993 [proto: 51/IMAPS][Encrypted][Confidence: DPI][cat: Email/3][4 pkts/1322 bytes <-> 4 pkts/3056 bytes][Goodput ratio: 78/91][0.22 sec][Hostname/SNI: imap.asia.secureserver.net][bytes ratio: -0.396 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/0 46/68 136/135 64/68][Pkt Len c2s/s2c min/avg/max/stddev: 78/74 330/764 583/1454 252/690][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: 66b2d7acea2c20aeeebd69c8d44089d7][JA3S: a9e3ed16ee3208291487c8d2aa2ad924][Safari][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][PLAIN TEXT (imap.asia.secureserver.net)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0]
diff --git a/tests/result/pops.pcapng.out b/tests/result/pops.pcapng.out
@@ -1,6 +1,6 @@
-Guessed flow protos:	0
+Guessed flow protos:	1
 
-DPI Packets (TCP):	3	(3.00 pkts/flow)
+DPI Packets (TCP):	5	(5.00 pkts/flow)
 Confidence DPI              : 1 (flows)
 Num dissector calls: 3 (3.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
@@ -26,4 +26,4 @@ JA3 Host Stats:
 	1	 192.168.0.1              	 1      
 
 
-	1	TCP 192.168.0.1:55077 <-> 10.10.10.1:995 [proto: 23/POPS][Encrypted][Confidence: DPI][cat: Email/3][2 pkts/304 bytes <-> 3 pkts/2694 bytes][Goodput ratio: 60/94][0.55 sec][Hostname/SNI: pop.secureserver.net][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: 36f7277af969a6947a61ae0b815907a1][Firefox][PLAIN TEXT (pop.secureserver.net)][Plen Bins: 0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,66,0,0,0,0,0,0,0,0]
+	1	TCP 192.168.0.1:55077 <-> 10.10.10.1:995 [proto: 23/POPS][Encrypted][Confidence: DPI][cat: Email/3][2 pkts/304 bytes <-> 3 pkts/2694 bytes][Goodput ratio: 60/94][0.55 sec][Hostname/SNI: pop.secureserver.net][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: 36f7277af969a6947a61ae0b815907a1][JA3S: 245de059547a730e42852c315cdc5a02][Firefox][Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384][PLAIN TEXT (pop.secureserver.net)][Plen Bins: 0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,66,0,0,0,0,0,0,0,0]
diff --git a/tests/result/smtps.pcapng.out b/tests/result/smtps.pcapng.out
@@ -1,6 +1,6 @@
 Guessed flow protos:	0
 
-DPI Packets (TCP):	3	(3.00 pkts/flow)
+DPI Packets (TCP):	4	(4.00 pkts/flow)
 Confidence DPI              : 1 (flows)
 Num dissector calls: 3 (3.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)

diff --git a/tests/result/whatsapp_login_call.pcap.out b/tests/result/whatsapp_login_call.pcap.out
@@ -1,6 +1,6 @@
 Guessed flow protos:	20
 
-DPI Packets (TCP):	93	(3.44 pkts/flow)
+DPI Packets (TCP):	105	(3.89 pkts/flow)
 DPI Packets (UDP):	35	(1.21 pkts/flow)
 DPI Packets (other):	1	(1.00 pkts/flow)
 Confidence Match by port    : 4 (flows)

diff --git a/tests/result/zoom.pcap.out b/tests/result/zoom.pcap.out
@@ -1,6 +1,6 @@
-Guessed flow protos:	4
+Guessed flow protos:	5
 
-DPI Packets (TCP):	118	(8.43 pkts/flow)
+DPI Packets (TCP):	119	(8.50 pkts/flow)
 DPI Packets (UDP):	25	(1.47 pkts/flow)
 DPI Packets (other):	2	(1.00 pkts/flow)
 Confidence Match by IP      : 2 (flows)