RTP, STUN: improve detection of multimedia flow type

Let's see if we are able to tell audio from video calls only looking at RTP Payload Type field...
ntop · Nov 19, 2024 · cd24cc3 · cd24cc3
1 parent c228502
commit cd24cc3
Show file tree

Hide file tree

Showing 31 changed files with 450 additions and 43 deletions.
diff --git a/src/include/ndpi_private.h b/src/include/ndpi_private.h
@@ -691,7 +691,7 @@ const uint8_t *get_crypto_data(struct ndpi_detection_module_struct *ndpi_struct,
 int is_valid_rtp_payload_type(uint8_t type);
 int is_rtp_or_rtcp(struct ndpi_detection_module_struct *ndpi_struct,
                    const u_int8_t *payload, u_int16_t payload_len, u_int16_t *seq);
-u_int8_t rtp_get_stream_type(u_int8_t payloadType, ndpi_multimedia_flow_type *s_type);
+u_int8_t rtp_get_stream_type(u_int8_t payloadType, ndpi_multimedia_flow_type *s_type, u_int16_t sub_proto);
 
 /* Bittorrent */
 u_int64_t make_bittorrent_host_key(struct ndpi_flow_struct *flow, int client, int offset);

diff --git a/src/lib/protocols/rtp.c b/src/lib/protocols/rtp.c
@@ -40,43 +40,164 @@ int is_valid_rtp_payload_type(uint8_t type)
   return 1;
 }
 
-u_int8_t rtp_get_stream_type(u_int8_t payloadType, ndpi_multimedia_flow_type *s_type)
+u_int8_t rtp_get_stream_type(u_int8_t payloadType, ndpi_multimedia_flow_type *s_type, u_int16_t sub_proto)
 {
+  /* General, from IANA */
   switch(payloadType) {
   case 0: /* G.711 u-Law */
   case 3: /* GSM 6.10 */
   case 4: /* G.723.1  */
+  case 5: /* DVI4 */
+  case 6: /* DVI4 */
+  case 7: /* LPC */
   case 8: /* G.711 A-Law */
   case 9: /* G.722 */
+  case 10: /* L16 */
+  case 11: /* L16 */
+  case 12: /* QCELP */
   case 13: /* Comfort Noise */
-  case 96: /* Dynamic RTP */
-  case 97: /* Redundant Audio Data Payload */
-  case 98: /* DynamicRTP-Type-98 (Zoom) */
-  case 101: /* DTMF */
-  case 103: /* SILK Narrowband */
-  case 104: /* SILK Wideband */
-  case 111: /* Siren */
-  case 112: /* G.722.1 */
-  case 114: /* RT Audio Wideband */
-  case 115: /* RT Audio Narrowband */
-  case 116: /* G.726 */
-  case 117: /* G.722 */
-  case 118: /* Comfort Noise Wideband */
+  case 14: /* MPA */
+  case 15: /* G728 */
+  case 16: /* DVI4 */
+  case 17: /* DVI4 */
+  case 18: /* G729 */
     *s_type = ndpi_multimedia_audio_flow;
     return(1);
-
-  case 34: /* H.263 [MS-H26XPF] */
-  case 121: /* RT Video */
-  case 122: /* H.264 [MS-H264PF] */
-  case 123: /* H.264 FEC [MS-H264PF] */
-  case 127: /* x-data */
+
+  case 25: /* CelB */
+  case 26: /* JPEG */
+  case 28: /* nv */
+  case 31: /* H261 */
+  case 32: /* MPV */
+  case 34: /* H263 */
     *s_type = ndpi_multimedia_video_flow;
     return(1);
+  }
+
+  /* Microsoft; from https://learn.microsoft.com/en-us/openspecs/office_protocols/ms-rtp/3b8dc3c6-34b8-4827-9b38-3b00154f471c */
+  if(sub_proto == NDPI_PROTOCOL_SKYPE_TEAMS_CALL) {
+    switch(payloadType) {
+    case 103: /* SILK Narrowband */
+    case 104: /* SILK Wideband */
+    case 106: /* OPUS */
+    case 111: /* Siren */
+    case 112: /* G.722.1 */
+    case 114: /* RT Audio Wideband */
+    case 115: /* RT Audio Narrowband */
+    case 116: /* G.726 */
+    case 117: /* G.722 */
+    case 118: /* Comfort Noise Wideband */
+      *s_type = ndpi_multimedia_audio_flow;
+      return(1);
+
+    case 34: /* H.263 [MS-H26XPF] */
+    case 121: /* RT Video */
+    case 122: /* H.264 [MS-H264PF] */
+    case 123: /* H.264 FEC [MS-H264PF] */
+      *s_type = ndpi_multimedia_video_flow;
+      return(1);
+
+    default:
+      *s_type = ndpi_multimedia_unknown_flow;
+      return(0);
+    }
+  }
+
+  /* Dynamic PTs are... dynamic... :D
+   * Looking at some traces, it seems specific applications keep using
+   * always the same PT for audio/video...
+   * TODO: something better?
+   * Bottom line: checking only PT is very fast/easy, but we might have
+   * false positives/negatives
+   */
 
-  default:
-    *s_type = ndpi_multimedia_unknown_flow;
-    return(0);
+  if(sub_proto == NDPI_PROTOCOL_GOOGLE_CALL) {
+    switch(payloadType) {
+    case 111:
+      *s_type = ndpi_multimedia_audio_flow;
+      return(1);
+
+    case 96:
+    case 100:
+      *s_type = ndpi_multimedia_video_flow;
+      return(1);
+
+    default:
+      *s_type = ndpi_multimedia_unknown_flow;
+      return(0);
+    }
+  }
+
+  if(sub_proto == NDPI_PROTOCOL_WHATSAPP_CALL) {
+    switch(payloadType) {
+    case 120:
+      *s_type = ndpi_multimedia_audio_flow;
+      return(1);
+
+    case 97:
+    case 102:
+      *s_type = ndpi_multimedia_video_flow;
+      return(1);
+
+    default:
+      *s_type = ndpi_multimedia_unknown_flow;
+      return(0);
+    }
   }
+
+  if(sub_proto == NDPI_PROTOCOL_FACEBOOK_VOIP) {
+    switch(payloadType) {
+    case 96:
+    case 97:
+    case 101:
+    case 109:
+      *s_type = ndpi_multimedia_audio_flow;
+      return(1);
+
+    case 127:
+      *s_type = ndpi_multimedia_video_flow;
+      return(1);
+
+    default:
+      *s_type = ndpi_multimedia_unknown_flow;
+      return(0);
+    }
+  }
+
+  if(sub_proto == NDPI_PROTOCOL_TELEGRAM_VOIP) {
+    switch(payloadType) {
+    case 111:
+      *s_type = ndpi_multimedia_audio_flow;
+      return(1);
+
+    case 106:
+      *s_type = ndpi_multimedia_video_flow;
+      return(1);
+
+    default:
+      *s_type = ndpi_multimedia_unknown_flow;
+      return(0);
+    }
+  }
+
+  if(sub_proto == NDPI_PROTOCOL_SIGNAL_VOIP) {
+    switch(payloadType) {
+    case 102:
+      *s_type = ndpi_multimedia_audio_flow;
+      return(1);
+
+    case 120:
+      *s_type = ndpi_multimedia_video_flow;
+      return(1);
+
+    default:
+      *s_type = ndpi_multimedia_unknown_flow;
+      return(0);
+    }
+  }
+
+  *s_type = ndpi_multimedia_unknown_flow;
+  return(0);
 }
 
 static int is_valid_rtcp_payload_type(uint8_t type) {
@@ -203,7 +324,7 @@ static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct,
         NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
         NDPI_EXCLUDE_PROTO_EXT(ndpi_struct, flow, NDPI_PROTOCOL_RTCP);
       } else {
-        rtp_get_stream_type(payload[1] & 0x7F, &flow->flow_multimedia_type);
+        rtp_get_stream_type(payload[1] & 0x7F, &flow->flow_multimedia_type, NDPI_PROTOCOL_UNKNOWN);
 
         NDPI_LOG_INFO(ndpi_struct, "Found RTP\n");
         ndpi_int_rtp_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_RTP);

diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c
@@ -877,7 +877,7 @@ static int stun_search_again(struct ndpi_detection_module_struct *ndpi_struct,
       NDPI_LOG_DBG(ndpi_struct, "RTP (dir %d)\n", packet->packet_direction);
       NDPI_LOG_INFO(ndpi_struct, "Found RTP over STUN\n");
 
-      rtp_get_stream_type(packet->payload[1] & 0x7F, &flow->flow_multimedia_type);
+      rtp_get_stream_type(packet->payload[1] & 0x7F, &flow->flow_multimedia_type, flow->detected_protocol_stack[0]);
 
       if(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_RTP &&
          flow->detected_protocol_stack[0] != NDPI_PROTOCOL_RTCP &&

diff --git a/tests/cfgs/default/pcap/signal_audiocall.pcapng b/tests/cfgs/default/pcap/signal_audiocall.pcapng
diff --git a/tests/cfgs/default/pcap/signal_videocall.pcapng b/tests/cfgs/default/pcap/signal_videocall.pcapng
diff --git a/tests/cfgs/default/pcap/telegram_videocall_2.pcapng b/tests/cfgs/default/pcap/telegram_videocall_2.pcapng
diff --git a/tests/cfgs/default/pcap/telegram_voice.pcapng b/tests/cfgs/default/pcap/telegram_voice.pcapng
diff --git a/tests/cfgs/default/result/false_positives.pcapng.out b/tests/cfgs/default/result/false_positives.pcapng.out
@@ -32,7 +32,7 @@ Unrated                          6 460           1
 	1	UDP 10.192.92.81:52070 <-> 10.136.43.69:21048 [VLAN: 20][proto: 87/RTP][IP: 0/Unknown][Stream Content: Audio][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 3][cat: Media/1][15 pkts/3330 bytes <-> 15 pkts/3330 bytes][Goodput ratio: 77/77][0.30 sec][bytes ratio: 0.000 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 19/19 19/19 20/20 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 222/222 222/222 222/222 0/0][PLAIN TEXT (UUUUUUUUUUUUU)][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	2	UDP 10.126.70.67:23784 <-> 10.236.7.225:50160 [VLAN: 107][proto: 87/RTP][IP: 0/Unknown][Stream Content: Audio][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 3][cat: Media/1][18 pkts/3924 bytes <-> 12 pkts/2616 bytes][Goodput ratio: 79/79][0.34 sec][bytes ratio: 0.200 (Upload)][IAT c2s/s2c min/avg/max/stddev: 19/19 20/20 20/20 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 218/218 218/218 218/218 0/0][PLAIN TEXT (UUUUUUUUU)][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	3	UDP 10.102.45.249:31046 <-> 10.133.48.100:21176 [VLAN: 10][proto: GTP:87/RTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 3][cat: Media/1][22 pkts/2860 bytes <-> 8 pkts/989 bytes][Goodput ratio: 34/30][0.44 sec][bytes ratio: 0.486 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/19 22/19 44/20 15/0][Pkt Len c2s/s2c min/avg/max/stddev: 130/113 130/124 130/130 0/8][Plen Bins: 10,90,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	4	UDP 10.133.32.101:36408 -> 10.110.31.25:1272 [VLAN: 10][proto: GTP:87/RTP][IP: 0/Unknown][Stream Content: Audio][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 3][cat: Media/1][20 pkts/2260 bytes -> 0 pkts/0 bytes][Goodput ratio: 24/0][0.38 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 19/0 20/0 21/0 1/0][Pkt Len c2s/s2c min/avg/max/stddev: 113/0 113/0 113/0 0/0][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	4	UDP 10.133.32.101:36408 -> 10.110.31.25:1272 [VLAN: 10][proto: GTP:87/RTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 3][cat: Media/1][20 pkts/2260 bytes -> 0 pkts/0 bytes][Goodput ratio: 24/0][0.38 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 19/0 20/0 21/0 1/0][Pkt Len c2s/s2c min/avg/max/stddev: 113/0 113/0 113/0 0/0][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	5	TCP 10.140.231.26:61202 <-> 159.65.12.169:443 [VLAN: 113][proto: GTP:7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 4][cat: Web/5][2 pkts/557 bytes <-> 2 pkts/416 bytes][Goodput ratio: 58/45][0.20 sec][Hostname/SNI: wludo.superkinglabs.com][URL: wludo.superkinglabs.com:443/ws][StatusCode: 101][Server: nginx/1.12.2][Risk: ** Known Proto on Non Std Port **** HTTP Susp User-Agent **** HTTP Obsolete Server **][Risk Score: 200][Risk Info: Empty or missing User-Agent / Expected on port 80 / Obsolete nginx server 1.12.2][TCP Fingerprint: 2_64_65535_15db81ff8b0d/Unknown][PLAIN TEXT (GET /ws HTTP/1.1)][Plen Bins: 0,0,0,0,0,50,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 
 

diff --git a/tests/cfgs/default/result/rtp.pcapng.out b/tests/cfgs/default/result/rtp.pcapng.out
@@ -30,4 +30,4 @@ Fun                             30 16092         1
 	1	TCP 172.16.168.24:40252 <-> 172.16.168.64:5000 [proto: 87/RTP][IP: 0/Unknown][Stream Content: Audio][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 8][cat: Media/1][19 pkts/21900 bytes <-> 18 pkts/1196 bytes][Goodput ratio: 94/0][85.30 sec][bytes ratio: 0.896 (Upload)][IAT c2s/s2c min/avg/max/stddev: 93/93 5654/6060 82923/82923 20651/21318][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 1153/66 1280/74 371/2][TCP Fingerprint: 2_64_5840_1596d0698b3d/Unknown][PLAIN TEXT (QQSPSSV)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0]
 	2	UDP 10.204.220.71:6000 -> 10.204.220.171:6000 [proto: 87/RTP][IP: 0/Unknown][Stream Content: Video][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 3][cat: Media/1][15 pkts/18438 bytes -> 0 pkts/0 bytes][Goodput ratio: 97/0][0.34 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1/0 25/0 77/0 31/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/0 1229/0 1486/0 467/0][Plen Bins: 6,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,6,0,0,0,0,0,0,0,0,0,6,0,0,0,68,0,0]
 	3	UDP 150.219.118.19:54234 <-> 192.113.193.227:50003 [proto: 58/Discord][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 2][cat: Collaborative/15][11 pkts/1455 bytes <-> 19 pkts/14637 bytes][Goodput ratio: 68/95][0.14 sec][Client IP: 85.154.2.145][bytes ratio: -0.819 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 13/6 36/29 11/11][Pkt Len c2s/s2c min/avg/max/stddev: 85/116 132/770 207/1146 54/475][PLAIN TEXT (85.154.2.145)][Plen Bins: 0,20,6,20,3,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,26,13,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	4	UDP 10.140.67.167:55402 -> 148.153.85.97:6008 [VLAN: 1508][proto: 87/RTP][IP: 0/Unknown][Stream Content: Audio][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 4][cat: Media/1][30 pkts/2181 bytes -> 0 pkts/0 bytes][Goodput ratio: 37/0][0.82 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 29/0 118/0 35/0][Pkt Len c2s/s2c min/avg/max/stddev: 62/0 73/0 106/0 12/0][Plen Bins: 80,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	4	UDP 10.140.67.167:55402 -> 148.153.85.97:6008 [VLAN: 1508][proto: 87/RTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 4][cat: Media/1][30 pkts/2181 bytes -> 0 pkts/0 bytes][Goodput ratio: 37/0][0.82 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 29/0 118/0 35/0][Pkt Len c2s/s2c min/avg/max/stddev: 62/0 73/0 106/0 12/0][Plen Bins: 80,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/cfgs/default/result/signal_audiocall.pcapng.out b/tests/cfgs/default/result/signal_audiocall.pcapng.out
@@ -0,0 +1,31 @@
+DPI Packets (UDP):	28	(7.00 pkts/flow)
+Confidence DPI (cache)      : 3 (flows)
+Confidence DPI              : 1 (flows)
+Num dissector calls: 14 (3.50 diss/flow)
+LRU cache ookla:      0/0/0 (insert/search/found)
+LRU cache bittorrent: 0/0/0 (insert/search/found)
+LRU cache stun:       8/11/3 (insert/search/found)
+LRU cache tls_cert:   0/0/0 (insert/search/found)
+LRU cache mining:     0/0/0 (insert/search/found)
+LRU cache msteams:    0/0/0 (insert/search/found)
+LRU cache fpc_dns:    0/0/0 (insert/search/found)
+Automa host:          0/0 (search/found)
+Automa domain:        0/0 (search/found)
+Automa tls cert:      0/0 (search/found)
+Automa risk mask:     0/0 (search/found)
+Automa common alpns:  0/0 (search/found)
+Patricia risk mask:   8/0 (search/found)
+Patricia risk mask IPv6: 0/0 (search/found)
+Patricia risk:        0/0 (search/found)
+Patricia risk IPv6:   0/0 (search/found)
+Patricia protocols:   4/4 (search/found)
+Patricia protocols IPv6: 0/0 (search/found)
+
+SignalVoip	268	50558	4
+
+Acceptable                     268 50558         4            
+
+	1	UDP 192.168.12.67:45419 <-> 35.219.226.11:54116 [proto: 78.269/STUN.SignalVoip][IP: 284/GoogleCloud][ClearText][Confidence: DPI (cache)][FPC: 78.269/STUN.SignalVoip, Confidence: DPI][DPI packets: 7][cat: VoIP/10][91 pkts/20258 bytes <-> 87 pkts/18776 bytes][Goodput ratio: 81/81][16.10 sec][bytes ratio: 0.038 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 185/163 2145/2221 406/335][Pkt Len c2s/s2c min/avg/max/stddev: 70/70 223/216 337/337 105/106][Mapped IP/Port: 93.35.168.30:45251][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][PLAIN TEXT (zaziGwgI)][Plen Bins: 6,15,11,11,0,0,0,0,46,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	2	UDP 192.168.12.67:45419 <-> 35.219.252.146:3478 [proto: 78.269/STUN.SignalVoip][IP: 284/GoogleCloud][ClearText][Confidence: DPI][FPC: 78/STUN, Confidence: DPI][DPI packets: 7][cat: VoIP/10][29 pkts/3570 bytes <-> 29 pkts/4210 bytes][Goodput ratio: 66/71][19.07 sec][Hostname/SNI: signal.org][bytes ratio: -0.082 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1/0 594/604 2518/2516 688/680][Pkt Len c2s/s2c min/avg/max/stddev: 62/94 123/145 182/182 41/34][Mapped IP/Port: 93.35.168.30:45250][Relayed IP/Port: 35.219.252.146:22269][PLAIN TEXT (BDIbPI2)][Plen Bins: 17,8,15,32,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	3	UDP 192.168.12.67:45419 <-> 35.219.226.11:12261 [proto: 78.269/STUN.SignalVoip][IP: 284/GoogleCloud][ClearText][Confidence: DPI (cache)][FPC: 78.269/STUN.SignalVoip, Confidence: DPI][DPI packets: 7][cat: VoIP/10][11 pkts/1238 bytes <-> 11 pkts/1454 bytes][Goodput ratio: 63/68][14.81 sec][bytes ratio: -0.080 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 97/26 1215/1207 2521/2521 1083/1093][Pkt Len c2s/s2c min/avg/max/stddev: 106/106 113/132 146/138 14/12][Mapped IP/Port: 93.35.168.30:45251][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][PLAIN TEXT (BV39hIkc1)][Plen Bins: 0,0,50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	4	UDP 192.168.12.67:45419 <-> 35.216.234.234:3478 [proto: 78.269/STUN.SignalVoip][IP: 284/GoogleCloud][ClearText][Confidence: DPI (cache)][FPC: 78/STUN, Confidence: DPI][DPI packets: 7][cat: VoIP/10][5 pkts/510 bytes <-> 5 pkts/542 bytes][Goodput ratio: 59/61][10.03 sec][Hostname/SNI: signal.org][bytes ratio: -0.030 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 8/8 2504/2504 9975/9975 4313/4313][Pkt Len c2s/s2c min/avg/max/stddev: 62/94 102/108 158/126 46/15][Mapped IP/Port: 93.35.168.30:45250][Relayed IP/Port: 35.216.234.234:45312][PLAIN TEXT (sWCyiFie)][Plen Bins: 30,30,20,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/cfgs/default/result/signal_videocall.pcapng.out b/tests/cfgs/default/result/signal_videocall.pcapng.out
@@ -0,0 +1,30 @@
+DPI Packets (UDP):	21	(7.00 pkts/flow)
+Confidence DPI (cache)      : 2 (flows)
+Confidence DPI              : 1 (flows)
+Num dissector calls: 8 (2.67 diss/flow)
+LRU cache ookla:      0/0/0 (insert/search/found)
+LRU cache bittorrent: 0/0/0 (insert/search/found)
+LRU cache stun:       6/10/2 (insert/search/found)
+LRU cache tls_cert:   0/0/0 (insert/search/found)
+LRU cache mining:     0/0/0 (insert/search/found)
+LRU cache msteams:    0/0/0 (insert/search/found)
+LRU cache fpc_dns:    0/0/0 (insert/search/found)
+Automa host:          0/0 (search/found)
+Automa domain:        0/0 (search/found)
+Automa tls cert:      0/0 (search/found)
+Automa risk mask:     0/0 (search/found)
+Automa common alpns:  0/0 (search/found)
+Patricia risk mask:   6/0 (search/found)
+Patricia risk mask IPv6: 0/0 (search/found)
+Patricia risk:        0/0 (search/found)
+Patricia risk IPv6:   0/0 (search/found)
+Patricia protocols:   3/3 (search/found)
+Patricia protocols IPv6: 0/0 (search/found)
+
+SignalVoip	334	123259	3
+
+Acceptable                     334 123259        3            
+
+	1	UDP 192.168.12.67:47926 <-> 35.219.252.146:56377 [proto: 78.269/STUN.SignalVoip][IP: 284/GoogleCloud][ClearText][Confidence: DPI (cache)][FPC: 78.269/STUN.SignalVoip, Confidence: DPI][DPI packets: 7][cat: VoIP/10][167 pkts/87565 bytes <-> 131 pkts/31930 bytes][Goodput ratio: 92/83][10.75 sec][bytes ratio: 0.466 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 64/82 2304/2449 291/279][Pkt Len c2s/s2c min/avg/max/stddev: 70/70 524/244 1223/900 385/198][Mapped IP/Port: 93.35.168.30:45266][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][PLAIN TEXT (17uAgN)][Plen Bins: 3,28,9,7,0,0,0,0,16,8,1,0,0,1,1,0,1,1,0,1,0,0,0,0,7,3,0,1,0,0,1,1,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	2	UDP 192.168.12.67:47926 <-> 35.219.252.146:3478 [proto: 78.269/STUN.SignalVoip][IP: 284/GoogleCloud][ClearText][Confidence: DPI][FPC: 78/STUN, Confidence: DPI][DPI packets: 7][cat: VoIP/10][13 pkts/1258 bytes <-> 13 pkts/1454 bytes][Goodput ratio: 57/62][10.01 sec][Hostname/SNI: signal.org][bytes ratio: -0.072 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 6/6 804/804 4015/4015 1248/1248][Pkt Len c2s/s2c min/avg/max/stddev: 62/94 97/112 162/126 43/14][Mapped IP/Port: 93.35.168.30:45265][Relayed IP/Port: 35.219.252.146:40378][PLAIN TEXT (BFODsIPgWuCIX)][Plen Bins: 34,19,30,15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	3	UDP 192.168.12.67:47926 <-> 35.216.234.234:3478 [proto: 78.269/STUN.SignalVoip][IP: 284/GoogleCloud][ClearText][Confidence: DPI (cache)][FPC: 78/STUN, Confidence: DPI][DPI packets: 7][cat: VoIP/10][5 pkts/510 bytes <-> 5 pkts/542 bytes][Goodput ratio: 59/61][10.02 sec][Hostname/SNI: signal.org][bytes ratio: -0.030 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 5/4 2503/2503 9988/9988 4321/4321][Pkt Len c2s/s2c min/avg/max/stddev: 62/94 102/108 158/126 46/15][Mapped IP/Port: 93.35.168.30:45265][Relayed IP/Port: 35.216.234.234:29688][PLAIN TEXT (42oPBlgi)][Plen Bins: 30,30,20,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]