Oscar protocol detects only in connect about ndpi HOT 5 CLOSED

Please attach a pcap file that we can use to reproduce the issue

from ndpi.

Please tell how to make a pcap file. I just test this in my program, I add to a code a line like this:
printf("%u\t%u\t%u\t%u\t%d\n", ntohl(flow->lower_ip), ntohl(flow->upper_ip), flow->lower_port, flow->upper_port, flow->detected_protocol);
And show detected protocol to flows between my IP and login.icq.com. Sometimes (usually in initial connect) protocol detects as 69 (Oscar), and sometimes (usually after long idle, about some minutes) protocol is not detects. I show all traffic between those IP, not only 5190. Messages goes over 443 port.

from ndpi.

@Skryabind Sorry for the late reply. Please use wireshark to capture traffic of your ICQ connection, so that we can both see the beginning of the connection and also when the connection gets idle.

from ndpi.

@lucaderi

1. This is pcap file with connection process, Oscar detects correct: https://dl.dropboxusercontent.com/u/5135944/Github/icq_dump_connect_cut.cap
2. This is pcap file with some messages only. traffic detects as SSL: https://dl.dropboxusercontent.com/u/5135944/Github/icq_dump.cap
   This traffic is not encrypted, you can read a message "HI" by command tcpdump -n -r /root/icq_dump.cap -X | grep HI

from ndpi.

Implemented with 9d1e99a.

If you have a longer pcap with an initial longer session establishment i can try to extend the dissector.
For the time being i close the issue.
Thank You

from ndpi.