ntop · IvanNardi · May 8, 2022 · May 8, 2022
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
@@ -987,8 +987,9 @@ static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct,
 	if(block_len < 16384 /* Max TLS block size */)
 	  ndpi_looks_like_tls(ndpi_struct, flow);
 
-    if (packet->payload[1] == 0x03 && packet->payload[2] <= 4 &&
-        block_len == (u_int32_t)packet->payload_packet_len - 5)
+    if (flow->l4.tcp.tls.message.buffer[1] == 0x03 &&
+        flow->l4.tcp.tls.message.buffer[2] <= 0x04 &&
+        block_len == (u_int32_t)flow->l4.tcp.tls.message.buffer_used - 5)
     {
       ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_TLS);
     }

diff --git a/tests/pcap/tls-appdata.pcap b/tests/pcap/tls-appdata.pcap
diff --git a/tests/result/skype.pcap.out b/tests/result/skype.pcap.out
@@ -4,9 +4,9 @@ DPI Packets (TCP):	1771	(18.26 pkts/flow)
 DPI Packets (UDP):	366	(1.92 pkts/flow)
 DPI Packets (other):	5	(1.00 pkts/flow)
 Confidence Unknown          : 61 (flows)
-Confidence Match by port    : 28 (flows)
+Confidence Match by port    : 27 (flows)
 Confidence Match by IP      : 1 (flows)
-Confidence DPI              : 203 (flows)
+Confidence DPI              : 204 (flows)
 
 Unknown	1575	272476	61
 DNS	2	267	1
@@ -34,7 +34,7 @@ JA3 Host Stats:
 	3	TCP 192.168.1.34:50128 <-> 17.172.100.36:443 [proto: 91.143/TLS.AppleiCloud][Encrypted][Confidence: DPI][cat: Web/5][43 pkts/9635 bytes <-> 43 pkts/10651 bytes][Goodput ratio: 76/77][46.31 sec][Hostname/SNI: p05-keyvalueservice.icloud.com][bytes ratio: -0.050 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 115/85 899/1012 250/251][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 224/248 680/1494 261/324][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][TLSv1.2][JA3C: 799135475da362592a4be9199d258726][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5][Plen Bins: 16,20,2,0,0,0,0,2,0,0,14,0,0,0,0,4,2,7,7,16,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,2,0,0]
 	4	UDP 192.168.1.92:50084 -> 239.255.255.250:1900 [proto: 12/SSDP][ClearText][Confidence: DPI][cat: System/18][14 pkts/7281 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][6.11 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 508/0 3090/0 1136/0][Pkt Len c2s/s2c min/avg/max/stddev: 475/0 520/0 555/0 31/0][PLAIN TEXT (NOTIFY )][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,35,0,42,21,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	5	TCP 108.160.170.46:443 <-> 192.168.1.34:49445 [proto: 91.121/TLS.Dropbox][Encrypted][Confidence: DPI][cat: Cloud/13][8 pkts/1636 bytes <-> 8 pkts/4344 bytes][Goodput ratio: 68/88][141.04 sec][bytes ratio: -0.453 (Download)][IAT c2s/s2c min/avg/max/stddev: 141/2 23483/23483 53811/53950 23773/23909][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 204/543 343/1020 138/477][Plen Bins: 0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	6	TCP 192.168.1.34:50131 <-> 212.161.8.36:13392 [proto: 91/TLS][Encrypted][Confidence: Match by port][cat: Web/5][11 pkts/4406 bytes <-> 8 pkts/705 bytes][Goodput ratio: 83/26][0.60 sec][bytes ratio: 0.724 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 57/29 343/72 105/31][Pkt Len c2s/s2c min/avg/max/stddev: 66/60 401/88 1506/237 547/56][Plen Bins: 55,0,0,0,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,22,0,0,0,0,0,0,0,0,0,0,11,0,0]
+	6	TCP 192.168.1.34:50131 <-> 212.161.8.36:13392 [proto: 91/TLS][Encrypted][Confidence: DPI][cat: Web/5][11 pkts/4406 bytes <-> 8 pkts/705 bytes][Goodput ratio: 83/26][0.60 sec][bytes ratio: 0.724 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 57/29 343/72 105/31][Pkt Len c2s/s2c min/avg/max/stddev: 66/60 401/88 1506/237 547/56][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Plen Bins: 55,0,0,0,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,22,0,0,0,0,0,0,0,0,0,0,11,0,0]
 	7	TCP 192.168.1.34:50027 <-> 23.223.73.34:443 [proto: 91.125/TLS.Skype_Teams][Encrypted][Confidence: DPI][cat: VoIP/10][17 pkts/3605 bytes <-> 1 pkts/74 bytes][Goodput ratio: 69/0][69.74 sec][Hostname/SNI: apps.skypeassets.com][bytes ratio: 0.960 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 4362/0 8437/0 3867/0][Pkt Len c2s/s2c min/avg/max/stddev: 54/74 212/74 257/74 81/0][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][TLSv1.2][JA3C: 799135475da362592a4be9199d258726][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	8	TCP 192.168.1.34:50029 <-> 23.206.33.166:443 [proto: 91.125/TLS.Skype_Teams][Encrypted][Confidence: DPI][cat: VoIP/10][16 pkts/3461 bytes <-> 1 pkts/74 bytes][Goodput ratio: 69/0][55.58 sec][Hostname/SNI: apps.skype.com][bytes ratio: 0.958 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 3492/0 6700/0 2904/0][Pkt Len c2s/s2c min/avg/max/stddev: 54/74 216/74 251/74 72/0][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][TLSv1.2][JA3C: 799135475da362592a4be9199d258726][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	9	UDP 192.168.1.34:17500 -> 192.168.1.255:17500 [proto: 121/Dropbox][ClearText][Confidence: DPI][cat: Cloud/13][6 pkts/3264 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][150.37 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 30053/0 30073/0 30087/0 10/0][Pkt Len c2s/s2c min/avg/max/stddev: 544/0 544/0 544/0 0/0][PLAIN TEXT ( 1573195445)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]

diff --git a/tests/result/skype_no_unknown.pcap.out b/tests/result/skype_no_unknown.pcap.out
@@ -4,8 +4,8 @@ DPI Packets (TCP):	1240	(16.32 pkts/flow)
 DPI Packets (UDP):	310	(1.67 pkts/flow)
 DPI Packets (other):	5	(1.00 pkts/flow)
 Confidence Unknown          : 45 (flows)
-Confidence Match by port    : 26 (flows)
-Confidence DPI              : 196 (flows)
+Confidence Match by port    : 22 (flows)
+Confidence DPI              : 200 (flows)
 
 Unknown	850	152468	45
 DNS	2	267	1
@@ -28,11 +28,11 @@ JA3 Host Stats:
 
 	1	TCP 192.168.1.34:51230 <-> 157.56.126.211:443 [proto: 91.125/TLS.Skype_Teams][Encrypted][Confidence: DPI][cat: VoIP/10][166 pkts/39042 bytes <-> 182 pkts/142645 bytes][Goodput ratio: 72/92][51.22 sec][bytes ratio: -0.570 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 370/331 45360/45460 3946/3736][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 235/784 1506/1506 433/565][Risk: ** Obsolete TLS (v1.1 or older) **][Risk Score: 100][TLSv1][JA3C: 06207a1730b5deeb207b0556e102ded2][ServerNames: *.gateway.messenger.live.com,*.beta.gateway.edge.messenger.live.com,*.by2.gateway.edge.messenger.live.com,*.sn1.gateway.edge.messenger.live.com][JA3S: 5e4e5596180ebd0ac0317125ee490707][Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT SSL SHA2][Subject: CN=*.gateway.messenger.live.com][Certificate SHA-1: 95:C4:07:41:85:D4:EF:AA:D9:1F:0F:1F:3C:08:BF:8E:8B:D0:90:51][Validity: 2014-10-27 22:51:07 - 2016-10-26 22:51:07][Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA][Plen Bins: 19,2,1,5,0,1,2,0,0,3,0,0,0,1,0,0,0,1,1,0,0,1,1,0,1,0,1,10,1,1,0,0,0,0,0,0,2,0,0,0,3,5,0,0,0,30,0,0]
 	2	TCP 192.168.1.34:51227 <-> 17.172.100.36:443 [proto: 91.140/TLS.Apple][Encrypted][Confidence: DPI][cat: Web/5][38 pkts/9082 bytes <-> 38 pkts/10499 bytes][Goodput ratio: 77/80][68.36 sec][bytes ratio: -0.072 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 2273/323 55625/8255 10014/1510][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 239/276 680/1494 273/358][Plen Bins: 16,16,0,0,0,0,0,0,0,0,16,0,0,0,0,5,2,5,13,16,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,2,0,0]
-	3	TCP 192.168.1.34:51307 <-> 149.13.32.15:13392 [proto: 91/TLS][Encrypted][Confidence: Match by port][cat: Web/5][19 pkts/16968 bytes <-> 7 pkts/531 bytes][Goodput ratio: 93/13][10.40 sec][bytes ratio: 0.939 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 625/19 4127/44 1113/18][Pkt Len c2s/s2c min/avg/max/stddev: 66/60 893/76 1506/123 670/20][Plen Bins: 27,5,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,5,0,0,0,0,0,0,51,0,0]
-	4	TCP 192.168.1.34:51312 <-> 149.13.32.15:13392 [proto: 91/TLS][Encrypted][Confidence: Match by port][cat: Web/5][18 pkts/15111 bytes <-> 7 pkts/531 bytes][Goodput ratio: 92/13][6.05 sec][bytes ratio: 0.932 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 377/19 2072/42 642/17][Pkt Len c2s/s2c min/avg/max/stddev: 66/60 840/76 1506/123 681/20][Plen Bins: 23,5,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,48,0,0]
+	3	TCP 192.168.1.34:51307 <-> 149.13.32.15:13392 [proto: 91/TLS][Encrypted][Confidence: DPI][cat: Web/5][19 pkts/16968 bytes <-> 7 pkts/531 bytes][Goodput ratio: 93/13][10.40 sec][bytes ratio: 0.939 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 625/19 4127/44 1113/18][Pkt Len c2s/s2c min/avg/max/stddev: 66/60 893/76 1506/123 670/20][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Plen Bins: 27,5,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,5,0,0,0,0,0,0,51,0,0]
+	4	TCP 192.168.1.34:51312 <-> 149.13.32.15:13392 [proto: 91/TLS][Encrypted][Confidence: DPI][cat: Web/5][18 pkts/15111 bytes <-> 7 pkts/531 bytes][Goodput ratio: 92/13][6.05 sec][bytes ratio: 0.932 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 377/19 2072/42 642/17][Pkt Len c2s/s2c min/avg/max/stddev: 66/60 840/76 1506/123 681/20][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Plen Bins: 23,5,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,48,0,0]
 	5	UDP 192.168.0.254:1025 -> 239.255.255.250:1900 [proto: 12/SSDP][ClearText][Confidence: DPI][cat: System/18][36 pkts/13402 bytes -> 0 pkts/0 bytes][Goodput ratio: 89/0][60.04 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1254/0 19850/0 4801/0][Pkt Len c2s/s2c min/avg/max/stddev: 327/0 372/0 405/0 29/0][PLAIN TEXT (NOTIFY )][Plen Bins: 0,0,0,0,0,0,0,0,11,27,22,38,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	6	TCP 192.168.1.34:51315 <-> 212.161.8.36:13392 [proto: 91/TLS][Encrypted][Confidence: Match by port][cat: Web/5][16 pkts/11797 bytes <-> 7 pkts/493 bytes][Goodput ratio: 91/6][3.34 sec][bytes ratio: 0.920 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 218/30 1428/74 413/32][Pkt Len c2s/s2c min/avg/max/stddev: 66/60 737/70 1506/85 681/7][Plen Bins: 33,0,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,40,0,0]
-	7	TCP 192.168.1.34:51317 <-> 149.13.32.15:13392 [proto: 91/TLS][Encrypted][Confidence: Match by port][cat: Web/5][12 pkts/5655 bytes <-> 8 pkts/553 bytes][Goodput ratio: 86/5][0.16 sec][bytes ratio: 0.822 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 15/19 43/43 19/18][Pkt Len c2s/s2c min/avg/max/stddev: 66/60 471/69 1506/85 596/8][Plen Bins: 45,9,0,9,0,0,0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,18,0,0]
+	6	TCP 192.168.1.34:51315 <-> 212.161.8.36:13392 [proto: 91/TLS][Encrypted][Confidence: DPI][cat: Web/5][16 pkts/11797 bytes <-> 7 pkts/493 bytes][Goodput ratio: 91/6][3.34 sec][bytes ratio: 0.920 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 218/30 1428/74 413/32][Pkt Len c2s/s2c min/avg/max/stddev: 66/60 737/70 1506/85 681/7][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Plen Bins: 33,0,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,40,0,0]
+	7	TCP 192.168.1.34:51317 <-> 149.13.32.15:13392 [proto: 91/TLS][Encrypted][Confidence: DPI][cat: Web/5][12 pkts/5655 bytes <-> 8 pkts/553 bytes][Goodput ratio: 86/5][0.16 sec][bytes ratio: 0.822 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 15/19 43/43 19/18][Pkt Len c2s/s2c min/avg/max/stddev: 66/60 471/69 1506/85 596/8][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Plen Bins: 45,9,0,9,0,0,0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,18,0,0]
 	8	TCP 192.168.1.34:51231 <-> 23.206.33.166:443 [proto: 91.125/TLS.Skype_Teams][Encrypted][Confidence: DPI][cat: VoIP/10][16 pkts/3461 bytes <-> 1 pkts/74 bytes][Goodput ratio: 69/0][54.57 sec][Hostname/SNI: apps.skype.com][bytes ratio: 0.958 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 3429/0 6616/0 2851/0][Pkt Len c2s/s2c min/avg/max/stddev: 54/74 216/74 251/74 72/0][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][TLSv1.2][JA3C: 799135475da362592a4be9199d258726][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	9	TCP 108.160.163.108:443 <-> 192.168.1.34:51222 [proto: 91.121/TLS.Dropbox][Encrypted][Confidence: DPI][cat: Cloud/13][4 pkts/818 bytes <-> 4 pkts/2172 bytes][Goodput ratio: 68/88][30.64 sec][bytes ratio: -0.453 (Download)][IAT c2s/s2c min/avg/max/stddev: 222/2 10212/10139 30193/30413 14128/14336][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 204/543 343/1020 138/477][Plen Bins: 0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	10	TCP 192.168.1.34:51295 <-> 23.206.33.166:443 [proto: 91.125/TLS.Skype_Teams][Encrypted][Confidence: DPI][cat: VoIP/10][11 pkts/2074 bytes <-> 1 pkts/74 bytes][Goodput ratio: 64/0][14.82 sec][Hostname/SNI: apps.skype.com][bytes ratio: 0.931 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1393/0 6406/0 1894/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/74 189/74 233/74 73/0][Risk: ** Obsolete TLS (v1.1 or older) **][Risk Score: 100][TLSv1][JA3C: 3d49c0a7161d6636fcb6973f14e05046][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]

diff --git a/tests/result/tls-appdata.pcap.out b/tests/result/tls-appdata.pcap.out
@@ -1,8 +1,10 @@
 Guessed flow protos:	1
 
-DPI Packets (TCP):	6	(6.00 pkts/flow)
-Confidence DPI              : 1 (flows)
+DPI Packets (TCP):	87	(43.50 pkts/flow)
+Confidence DPI              : 2 (flows)
 
 Facebook	6	789	1
+Twitch	114	119156	1
 
-	1	TCP 179.60.195.173:443 <-> 192.168.2.100:60636 [proto: 91.119/TLS.Facebook][Encrypted][Confidence: DPI][cat: SocialNetwork/6][3 pkts/627 bytes <-> 3 pkts/162 bytes][Goodput ratio: 68/0][0.22 sec][bytes ratio: 0.589 (Upload)][IAT c2s/s2c min/avg/max/stddev: 11/0 56/0 101/0 45/0][Pkt Len c2s/s2c min/avg/max/stddev: 201/54 209/54 225/54 11/0][Plen Bins: 0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	1	TCP 192.168.2.100:58976 <-> 52.223.198.7:443 [proto: 91.195/TLS.Twitch][Encrypted][Confidence: DPI][cat: Video/26][65 pkts/15286 bytes <-> 49 pkts/103870 bytes][Goodput ratio: 77/97][4470.16 sec][bytes ratio: -0.743 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 86847/10887 1637911/4294921408 325792/696728256][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 235/2120 1506/2958 476/1092][Plen Bins: 14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,33,0,51]
+	2	TCP 179.60.195.173:443 <-> 192.168.2.100:60636 [proto: 91.119/TLS.Facebook][Encrypted][Confidence: DPI][cat: SocialNetwork/6][3 pkts/627 bytes <-> 3 pkts/162 bytes][Goodput ratio: 68/0][0.22 sec][bytes ratio: 0.589 (Upload)][IAT c2s/s2c min/avg/max/stddev: 11/0 56/0 101/0 45/0][Pkt Len c2s/s2c min/avg/max/stddev: 201/54 209/54 225/54 11/0][Plen Bins: 0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/result/wechat.pcap.out b/tests/result/wechat.pcap.out
@@ -4,8 +4,8 @@ DPI Packets (TCP):	531	(9.00 pkts/flow)
 DPI Packets (UDP):	124	(3.35 pkts/flow)
 DPI Packets (other):	7	(1.00 pkts/flow)
 Confidence Match by port    : 18 (flows)
-Confidence Match by IP      : 9 (flows)
-Confidence DPI              : 76 (flows)
+Confidence Match by IP      : 8 (flows)
+Confidence DPI              : 77 (flows)
 
 DNS	13	1075	8
 HTTP	70	4620	8
@@ -68,7 +68,7 @@ JA3 Host Stats:
 	37	TCP 192.168.1.103:36017 <-> 64.233.167.188:5228 [proto: 126/Google][Encrypted][Confidence: Match by IP][cat: Web/5][10 pkts/660 bytes <-> 10 pkts/660 bytes][Goodput ratio: 0/0][540.78 sec][bytes ratio: 0.000 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 45051/45051 61959/61957 180207/180208 44694/44695][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 66/66 66/66 0/0][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	38	UDP 192.168.1.100:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][ClearText][Confidence: DPI][cat: Network/14][14 pkts/1148 bytes -> 0 pkts/0 bytes][Goodput ratio: 49/0][123.08 sec][Hostname/SNI: _googlecast._tcp.local][_googlecast._tcp.local][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1/0 4608/0 45058/0 12221/0][Pkt Len c2s/s2c min/avg/max/stddev: 82/0 82/0 82/0 0/0][PLAIN TEXT (googlecast)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	39	TCP 192.168.1.103:58039 <-> 203.205.147.171:443 [proto: 91.285/TLS.Tencent][Encrypted][Confidence: Match by IP][cat: SocialNetwork/6][13 pkts/866 bytes <-> 4 pkts/280 bytes][Goodput ratio: 0/0][140.92 sec][bytes ratio: 0.511 (Upload)][IAT c2s/s2c min/avg/max/stddev: 272/45308 12755/45308 45020/45308 13611/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 67/70 74/74 2/4][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	40	TCP 192.168.1.103:58143 -> 216.58.205.131:443 [proto: 91.126/TLS.Google][Encrypted][Confidence: Match by IP][cat: Web/5][3 pkts/1078 bytes -> 0 pkts/0 bytes][Goodput ratio: 82/0][92.69 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	40	TCP 192.168.1.103:58143 -> 216.58.205.131:443 [proto: 91.126/TLS.Google][Encrypted][Confidence: DPI][cat: Web/5][3 pkts/1078 bytes -> 0 pkts/0 bytes][Goodput ratio: 82/0][92.69 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	41	TCP 203.205.151.162:443 <-> 192.168.1.103:54084 [proto: 91/TLS][Encrypted][Confidence: Match by port][cat: Web/5][3 pkts/802 bytes <-> 3 pkts/198 bytes][Goodput ratio: 75/0][16.21 sec][bytes ratio: 0.604 (Upload)][IAT c2s/s2c min/avg/max/stddev: 6562/9679 8102/9679 9642/9679 1540/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 267/66 670/66 285/0][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	42	UDP 192.168.1.100:137 -> 192.168.1.255:137 [proto: 10/NetBIOS][ClearText][Confidence: DPI][cat: System/18][9 pkts/828 bytes -> 0 pkts/0 bytes][Goodput ratio: 54/0][1.44 sec][Hostname/SNI: lbjamwptxz][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1/0 179/0 816/0 313/0][Pkt Len c2s/s2c min/avg/max/stddev: 92/0 92/0 92/0 0/0][PLAIN TEXT ( EMECEKEBENFHFAFEFIFKCACACACACA)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	43	IGMP 192.168.1.100:0 -> 224.0.0.22:0 [proto: 82/IGMP][ClearText][Confidence: DPI][cat: Network/14][15 pkts/810 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][3769.99 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 409/0 289920/0 3384346/0 895904/0][Pkt Len c2s/s2c min/avg/max/stddev: 54/0 54/0 54/0 0/0][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]

diff --git a/tests/result/whatsapp_login_call.pcap.out b/tests/result/whatsapp_login_call.pcap.out
@@ -1,6 +1,6 @@
 Guessed flow protos:	23
 
-DPI Packets (TCP):	169	(6.26 pkts/flow)
+DPI Packets (TCP):	167	(6.19 pkts/flow)
 DPI Packets (UDP):	35	(1.21 pkts/flow)
 DPI Packets (other):	1	(1.00 pkts/flow)
 Confidence Match by port    : 5 (flows)