add socks_decoder, stratum_decoder and session_flags

author: root <[email protected]> 2024-09-03 07:01:58 +0000
committer: root <[email protected]> 2024-09-03 07:01:58 +0000
commit: 6f1ac6b36b28d082cebf8e4c3eeedd592c1946f9 (patch)
tree: 5c664bc282e5c01b634430531e43dae44dc50538 /test
parent: a8206cffc0ba55c6cb2b0b1054860ee28ec4a0b8 (diff)
88 files changed, 3674 insertions, 0 deletions
diff --git a/test/CMakeLists.txt b/test/CMakeLists.txt
index 7f8f9f0..89f667b 100644
--- a/test/CMakeLists.txt
+++ b/test/CMakeLists.txt
@@ -3,3 +3,6 @@ add_subdirectory(packet_tool)
 add_subdirectory(debug_plugin)
 add_subdirectory(lpi_plugin)
 add_subdirectory(decoders/http)
+add_subdirectory(decoders/socks)
+add_subdirectory(decoders/stratum)
+add_subdirectory(decoders/session_flags)
+\ No newline at end of file
diff --git a/test/decoders/session_flags/CMakeLists.txt b/test/decoders/session_flags/CMakeLists.txt
new file mode 100644
index 0000000..4bf55ba
--- /dev/null
+++ b/test/decoders/session_flags/CMakeLists.txt
@@ -0,0 +1,56 @@
+set(DECODER_NAME session_flags)
+
+add_library(${DECODER_NAME}_test SHARED session_flags_test_plugin.cpp)
+add_dependencies(${DECODER_NAME}_test ${DECODER_NAME})
+set_target_properties(${DECODER_NAME}_test PROPERTIES PREFIX "")
+
+set(TEST_RUN_DIR ${CMAKE_BINARY_DIR}/testing)
+
+include_directories(${CMAKE_SOURCE_DIR}/include)
+include_directories(${CMAKE_SOURCE_DIR}/src)
+include_directories(${CMAKE_BINARY_DIR}/vendors/cjson/src/cjson/include)
+include_directories(${PROJECT_SOURCE_DIR}/decoders/session_flags)
+include_directories(${PROJECT_SOURCE_DIR}/include/stellar)
+
+add_executable(gtest_session_flags_pcap session_flags_pcap_test.cpp 
+                                        dummy.c 
+                                        ${PROJECT_SOURCE_DIR}/decoders/session_flags/fet.cpp 
+                                        ${PROJECT_SOURCE_DIR}/decoders/session_flags/onlinemean.c 
+                                        ${PROJECT_SOURCE_DIR}/decoders/session_flags/session_flags_plugin.cpp
+                                        ${PROJECT_SOURCE_DIR}/decoders/session_flags/session_flags.cpp 
+                                        ${PROJECT_SOURCE_DIR}/decoders/session_flags/tunneling.cpp)
+target_link_libraries(gtest_session_flags_pcap gtest pcap hyperscan_static hyperscan_runtime_static logger cjson-static libmesa_sts)
+
+add_executable(gtest_session_flags_static session_flags_static_test.cpp 
+                                        dummy.c 
+                                        ${PROJECT_SOURCE_DIR}/decoders/session_flags/fet.cpp 
+                                        ${PROJECT_SOURCE_DIR}/decoders/session_flags/onlinemean.c 
+                                        ${PROJECT_SOURCE_DIR}/decoders/session_flags/session_flags_plugin.cpp
+                                        ${PROJECT_SOURCE_DIR}/decoders/session_flags/session_flags.cpp 
+                                        ${PROJECT_SOURCE_DIR}/decoders/session_flags/tunneling.cpp)
+target_link_libraries(gtest_session_flags_static gtest pcap hyperscan_static hyperscan_runtime_static logger cjson-static libmesa_sts)
+
+add_executable(session_flags_test_main plugin_test_main.cpp)
+set_target_properties(session_flags_test_main 
+    PROPERTIES 
+    LINK_OPTIONS 
+    "-rdynamic" 
+    )
+set_target_properties(session_flags_test_main 
+    PROPERTIES 
+    LINK_FLAGS  
+    "-rdynamic" 
+    )
+set(LINK_FLAGS "-rdynamic")
+
+target_link_libraries(session_flags_test_main PUBLIC gtest cjson-static stellar_lib -Wl,--whole-archive packet_parser -Wl,--no-whole-archive)
+
+add_subdirectory(test_based_on_stellar)
+
+#copy pcap file folder to build directory
+file(COPY ${CMAKE_CURRENT_SOURCE_DIR}/pcap DESTINATION ${CMAKE_BINARY_DIR}/test/decoders/session_flags)
+file(COPY ${CMAKE_CURRENT_SOURCE_DIR}/test_based_on_stellar/env/session_flags.toml DESTINATION ${CMAKE_BINARY_DIR}/test/decoders/session_flags/etc/session_flags/)
+
+include(GoogleTest)
+gtest_discover_tests(gtest_session_flags_pcap)
+gtest_discover_tests(gtest_session_flags_static)
diff --git a/test/decoders/session_flags/dummy.c b/test/decoders/session_flags/dummy.c
new file mode 100644
index 0000000..9227261
--- /dev/null
+++ b/test/decoders/session_flags/dummy.c
@@ -0,0 +1,167 @@
+#include <stdlib.h>
+#include <string.h>
+
+#include "dummy.h"
+
+#define UNUSED(x) (void)(x)
+
+struct session g_sess;
+
+void session_set_current_payload(struct session *sess, char *payload, int payload_len)
+{
+	UNUSED(sess);
+	g_sess.payload_len = payload_len;
+	g_sess.payload = payload;
+}
+
+int session_exdata_set(struct session *sess, int idx, void *ex_ptr)
+{
+	UNUSED(sess);
+	UNUSED(idx);
+	UNUSED(ex_ptr);
+
+	return 0;
+}
+
+struct logger *stellar_get_logger(struct stellar *st)
+{
+	UNUSED(st);
+
+	return (struct logger *)1;
+}
+
+void *session_exdata_get(struct session *sess, int idx)
+{
+	UNUSED(sess);
+	UNUSED(idx);
+
+	return NULL;
+}
+
+const struct packet *session_get0_current_packet(const struct session *sess)
+{
+	UNUSED(sess);
+
+	return NULL;
+}
+
+uint16_t packet_get_payload_len(const struct packet *pkt)
+{
+	UNUSED(pkt);
+
+	return g_sess.payload_len;
+}
+
+const char *packet_get_payload(const struct packet *pkt)
+{
+	UNUSED(pkt);
+
+	return g_sess.payload;
+}
+
+enum session_direction session_get_direction(const struct session *sess)
+{
+	UNUSED(sess);
+
+	return SESSION_DIRECTION_OUTBOUND;
+}
+
+enum flow_type session_get_flow_type(const struct session *sess)
+{
+	UNUSED(sess);
+
+	return FLOW_TYPE_C2S;
+}
+
+const char *session_get0_readable_addr(const struct session *sess)
+{
+	UNUSED(sess);
+
+	return NULL;
+}
+
+uint16_t packet_get_raw_len(const struct packet *pkt)
+{
+	UNUSED(pkt);
+
+	return 0;
+}
+
+const struct timeval *packet_get_timeval(const struct packet *pkt)
+{
+	UNUSED(pkt);
+
+	return NULL;
+}
+
+void stellar_session_plugin_dettach_current_session(struct session *sess)
+{
+	UNUSED(sess);
+}
+
+int session_mq_publish_message(struct session *sess, int topic_id, void *msg)
+{
+	UNUSED(sess);
+	UNUSED(topic_id);
+	UNUSED(msg);
+
+	return 0;
+}
+
+int stellar_exdata_new_index(struct stellar *st, const char *name, stellar_exdata_free *free_func,void *arg)
+{
+	UNUSED(st);
+	UNUSED(name);
+	UNUSED(free_func);
+	UNUSED(arg);
+
+	return 0;
+}
+
+int stellar_mq_create_topic(struct stellar *st, const char *topic_name, stellar_msg_free_cb_func *msg_free_cb, void *msg_free_arg)
+{
+	UNUSED(st);
+	UNUSED(topic_name);
+	UNUSED(msg_free_cb);
+	UNUSED(msg_free_arg);
+
+	return 0;
+}
+
+int stellar_mq_get_topic_id(struct stellar *st, const char *topic_name)
+{
+	UNUSED(st);
+
+	if (strcmp(topic_name, TOPIC_TCP_INPUT) == 0)
+	{
+		return DUMMY_TCP_TOPIC_ID;
+	}
+	else if (strcmp(topic_name, TOPIC_UDP_INPUT) == 0)
+	{
+		return DUMMY_UDP_TOPIC_ID;
+	}
+	else
+	{
+		return -1;
+	}
+}
+
+int stellar_session_mq_subscribe(struct stellar *st, int topic_id, on_session_msg_cb_func *plugin_on_msg_cb, int plugin_id)
+{
+	UNUSED(st);
+	UNUSED(topic_id);
+	UNUSED(plugin_on_msg_cb);
+	UNUSED(plugin_id);
+
+	return 0;
+}
+
+int stellar_session_plugin_register(struct stellar *st, session_ctx_new_func session_ctx_new, session_ctx_free_func session_ctx_free, void *plugin_env)
+{
+	UNUSED(st);
+	UNUSED(session_ctx_new);
+	UNUSED(session_ctx_free);
+	UNUSED(plugin_env);
+
+	return 0;
+}
+\ No newline at end of file
diff --git a/test/decoders/session_flags/dummy.h b/test/decoders/session_flags/dummy.h
new file mode 100644
index 0000000..aec8383
--- /dev/null
+++ b/test/decoders/session_flags/dummy.h
@@ -0,0 +1,18 @@
+#include "stellar/stellar.h"
+#include "stellar/session.h"
+#include "stellar/stellar_mq.h"
+#include "stellar/stellar_exdata.h"
+
+#define DUMMY_TCP_TOPIC_ID 1
+#define DUMMY_UDP_TOPIC_ID 2
+
+struct session //stub just for test
+{
+	int payload_len;
+	char *payload;
+};
+
+void session_set_current_payload(struct session *sess, char *payload, int payload_len);
+
+void *session_flags_plugin_init(struct stellar *st);
+void session_flags_plugin_exit(void *arg);
+\ No newline at end of file
diff --git a/test/decoders/session_flags/pcap/1-dtls.192.168.44.32.pcap b/test/decoders/session_flags/pcap/1-dtls.192.168.44.32.pcap
new file mode 100644
index 0000000..4fa6ce4
--- /dev/null
+++ b/test/decoders/session_flags/pcap/1-dtls.192.168.44.32.pcap
diff --git a/test/decoders/session_flags/pcap/192.168.56.19.56554.json b/test/decoders/session_flags/pcap/192.168.56.19.56554.json
new file mode 100644
index 0000000..78d1fd1
--- /dev/null
+++ b/test/decoders/session_flags/pcap/192.168.56.19.56554.json
@@ -0,0 +1,20 @@
+[
+	{
+		"common_flags_0":	8200,
+ 		"common_flags_str_0":	"[Client is Local]",
+ 		"common_flags_identify_info_0":	"{\"Client is Local\":1,\"C2S\":1}",
+ 		"common_flags_1":	24584,
+ 		"common_flags_str_1":	"[Client is Local]",
+ 		"common_flags_identify_info_1":	"{\"Client is Local\":1,\"C2S\":1,\"S2C\":4}",
+ 		"common_flags_2":	2123980808,
+ 		"common_flags_str_2":	"[Client is Local]",
+ 		"common_flags_identify_info_2":	"{\"Client is Local\":1,\"C2S\":1,\"S2C\":4,\"frequency\":6,\"runs\":6,\"longest_run\":6,\"overlapping_template_matching\":6,\"random_excursions\":6,\"random_excursions_variant\":6,\"poker_detect\":6,\"runs_distribution\":6,\"self_correlation\":6,\"binary_derivative\":6}",
+ 		"common_flags_3":	2123980936,
+ 		"common_flags_str_3":	"[Client is Local,Inbound]",
+ 		"common_flags_identify_info_3":	"{\"Client is Local\":1,\"Inbound\":21,\"C2S\":1,\"S2C\":4,\"frequency\":6,\"runs\":6,\"longest_run\":6,\"overlapping_template_matching\":6,\"random_excursions\":6,\"random_excursions_variant\":6,\"poker_detect\":6,\"runs_distribution\":6,\"self_correlation\":6,\"binary_derivative\":6}",
+ 		"common_flags_4":	2123981960,
+ 		"common_flags_str_4":	"[Client is Local,Inbound,Streaming]",
+ 		"common_flags_identify_info_4":	"{\"Client is Local\":1,\"Inbound\":21,\"Streaming\":100,\"C2S\":1,\"S2C\":4,\"frequency\":6,\"runs\":6,\"longest_run\":6,\"overlapping_template_matching\":6,\"random_excursions\":6,\"random_excursions_variant\":6,\"poker_detect\":6,\"runs_distribution\":6,\"self_correlation\":6,\"binary_derivative\":6}",
+ 		"name":	"base_0"
+	}
+]
+\ No newline at end of file
diff --git a/test/decoders/session_flags/pcap/192.168.56.19.56555-47.93.59.84.443_869284834001082715.pcapng b/test/decoders/session_flags/pcap/192.168.56.19.56555-47.93.59.84.443_869284834001082715.pcapng
new file mode 100644
index 0000000..b675a02
--- /dev/null
+++ b/test/decoders/session_flags/pcap/192.168.56.19.56555-47.93.59.84.443_869284834001082715.pcapng
diff --git a/test/decoders/session_flags/pcap/192.168.56.31.58530.json b/test/decoders/session_flags/pcap/192.168.56.31.58530.json
new file mode 100644
index 0000000..67acb45
--- /dev/null
+++ b/test/decoders/session_flags/pcap/192.168.56.31.58530.json
@@ -0,0 +1,17 @@
+[
+	{
+		"common_flags_0":	8200,
+ 		"common_flags_str_0":	"[Client is Local]",
+ 		"common_flags_identify_info_0":	"{\"Client is Local\":1,\"C2S\":1}",
+ 		"common_flags_1":	24584,
+ 		"common_flags_str_1":	"[Client is Local]",
+ 		"common_flags_identify_info_1":	"{\"Client is Local\":1,\"C2S\":1,\"S2C\":2}",
+ 		"common_flags_2":	1185898504,
+ 		"common_flags_str_2":	"[Client is Local]",
+ 		"common_flags_identify_info_2":	"{\"Client is Local\":1,\"C2S\":1,\"S2C\":2,\"frequency\":4,\"block_frequency\":4,\"cumulative_sums\":4,\"runs\":4,\"rank\":4,\"overlapping_template_matching\":4,\"random_excursions\":4,\"random_excursions_variant\":4,\"binary_derivative\":4}",
+		"common_flags_3":	1185898632,
+		"common_flags_str_3":	"[Client is Local,Inbound]",
+ 		"common_flags_identify_info_3":	"{\"Client is Local\":1,\"Inbound\":34,\"C2S\":1,\"S2C\":2,\"frequency\":4,\"block_frequency\":4,\"cumulative_sums\":4,\"runs\":4,\"rank\":4,\"overlapping_template_matching\":4,\"random_excursions\":4,\"random_excursions_variant\":4,\"binary_derivative\":4}",
+ 		"name":	"base_0"
+	}
+]
+\ No newline at end of file
diff --git a/test/decoders/session_flags/pcap/192.168.56.31.58530.pcapng b/test/decoders/session_flags/pcap/192.168.56.31.58530.pcapng
new file mode 100644
index 0000000..6abe0ed
--- /dev/null
+++ b/test/decoders/session_flags/pcap/192.168.56.31.58530.pcapng
diff --git a/test/decoders/session_flags/pcap/192.168.64.61.62275.asymmetric.pcapng b/test/decoders/session_flags/pcap/192.168.64.61.62275.asymmetric.pcapng
new file mode 100644
index 0000000..afff17d
--- /dev/null
+++ b/test/decoders/session_flags/pcap/192.168.64.61.62275.asymmetric.pcapng
diff --git a/test/decoders/session_flags/pcap/192.168.64.61.62275.json b/test/decoders/session_flags/pcap/192.168.64.61.62275.json
new file mode 100644
index 0000000..ea68bf3
--- /dev/null
+++ b/test/decoders/session_flags/pcap/192.168.64.61.62275.json
@@ -0,0 +1,14 @@
+[
+	{
+		"common_flags_0":	8200,
+ 		"common_flags_str_0":	"[Client is Local]",
+ 		"common_flags_identify_info_0":	"{\"Client is Local\":1,\"C2S\":1}",
+ 		"common_flags_1":	1453269000,
+ 		"common_flags_str_1":	"[Client is Local]",
+ 		"common_flags_identify_info_1":	"{\"Client is Local\":1,\"C2S\":1,\"frequency\":3,\"block_frequency\":3,\"cumulative_sums\":3,\"runs\":3,\"longest_run\":3,\"overlapping_template_matching\":3,\"random_excursions\":3,\"random_excursions_variant\":3,\"runs_distribution\":3,\"binary_derivative\":3}",
+ 		"common_flags_2":	1453269001,
+ 		"common_flags_str_2":	"[Asymmetric,Client is Local]",
+ 		"common_flags_identify_info_2":	"{\"Asymmetric\":10,\"Client is Local\":1,\"C2S\":1,\"frequency\":3,\"block_frequency\":3,\"cumulative_sums\":3,\"runs\":3,\"longest_run\":3,\"overlapping_template_matching\":3,\"random_excursions\":3,\"random_excursions_variant\":3,\"runs_distribution\":3,\"binary_derivative\":3}",
+ 		"name":	"base_0"
+	}
+]
+\ No newline at end of file
diff --git a/test/decoders/session_flags/pcap/192.168.64.67.53813.json b/test/decoders/session_flags/pcap/192.168.64.67.53813.json
new file mode 100644
index 0000000..6893c7f
--- /dev/null
+++ b/test/decoders/session_flags/pcap/192.168.64.67.53813.json
@@ -0,0 +1,14 @@
+[
+	{
+		"common_flags_0":	8200,
+ 		"common_flags_str_0":	"[Client is Local]",
+ 		"common_flags_identify_info_0":	"{\"Client is Local\":1,\"C2S\":1}",
+ 		"common_flags_1":	2126340104,
+ 		"common_flags_str_1":	"[Client is Local]",
+		"common_flags_identify_info_1":	"{\"Client is Local\":1,\"C2S\":1,\"S2C\":2,\"frequency\":2,\"cumulative_sums\":2,\"runs\":2,\"longest_run\":2,\"rank\":2,\"overlapping_template_matching\":2,\"random_excursions\":2,\"random_excursions_variant\":2,\"poker_detect\":2,\"runs_distribution\":2,\"self_correlation\":2,\"binary_derivative\":2}",
+		"common_flags_2":	2126340232,
+ 		"common_flags_str_2":	"[Client is Local,Inbound]",
+ 		"common_flags_identify_info_2":	"{\"Client is Local\":1,\"Inbound\":18,\"C2S\":1,\"S2C\":2,\"frequency\":2,\"cumulative_sums\":2,\"runs\":2,\"longest_run\":2,\"rank\":2,\"overlapping_template_matching\":2,\"random_excursions\":2,\"random_excursions_variant\":2,\"poker_detect\":2,\"runs_distribution\":2,\"self_correlation\":2,\"binary_derivative\":2}",
+ 		"name":	"base_0"
+	}
+]
+\ No newline at end of file
diff --git a/test/decoders/session_flags/pcap/192.168.64.67.53813.pcapng b/test/decoders/session_flags/pcap/192.168.64.67.53813.pcapng
new file mode 100644
index 0000000..ffb6287
--- /dev/null
+++ b/test/decoders/session_flags/pcap/192.168.64.67.53813.pcapng
diff --git a/test/decoders/session_flags/pcap/1_result.json b/test/decoders/session_flags/pcap/1_result.json
new file mode 100644
index 0000000..57df72d
--- /dev/null
+++ b/test/decoders/session_flags/pcap/1_result.json
@@ -0,0 +1,11 @@
+[
+	{
+		"common_flags_0":	8208,
+ 		"common_flags_str_0":	"[Server is Local,C2S]",
+ 		"common_flags_identify_info_0":	"1,1,",
+ 		"common_flags_1":	24592,
+ 		"common_flags_str_1":	"[Server is Local,C2S,S2C]",
+ 		"common_flags_identify_info_1":	"1,1,2,",
+ 		"name":	"session_flags_test"
+	}
+]
+\ No newline at end of file
diff --git a/test/decoders/session_flags/pcap/bilibili-dtls.pcap b/test/decoders/session_flags/pcap/bilibili-dtls.pcap
new file mode 100644
index 0000000..9316c01
--- /dev/null
+++ b/test/decoders/session_flags/pcap/bilibili-dtls.pcap
diff --git a/test/decoders/session_flags/pcap/bilibili.json b/test/decoders/session_flags/pcap/bilibili.json
new file mode 100644
index 0000000..640957c
--- /dev/null
+++ b/test/decoders/session_flags/pcap/bilibili.json
@@ -0,0 +1,23 @@
+[
+	{
+		"common_flags_0":	16392,
+ 		"common_flags_str_0":	"[Client is Local]",
+ 		"common_flags_identify_info_0":	"{\"Client is Local\":1,\"S2C\":1}",
+ 		"common_flags_1":	24584,
+ 		"common_flags_str_1":	"[Client is Local]",
+ 		"common_flags_identify_info_1":	"{\"Client is Local\":1,\"C2S\":2,\"S2C\":1}",
+ 		"common_flags_2":	1585602568,
+ 		"common_flags_str_2":	"[Client is Local]",
+ 		"common_flags_identify_info_2":	"{\"Client is Local\":1,\"C2S\":2,\"S2C\":1,\"block_frequency\":5,\"overlapping_template_matching\":5,\"random_excursions\":5,\"random_excursions_variant\":5,\"poker_detect\":5,\"runs_distribution\":5,\"binary_derivative\":5}",
+ 		"common_flags_3":	1585602696,
+ 		"common_flags_str_3":	"[Client is Local,Inbound]",
+ 		"common_flags_identify_info_3":	"{\"Client is Local\":1,\"Inbound\":25,\"C2S\":2,\"S2C\":1,\"block_frequency\":5,\"overlapping_template_matching\":5,\"random_excursions\":5,\"random_excursions_variant\":5,\"poker_detect\":5,\"runs_distribution\":5,\"binary_derivative\":5}",
+		"common_flags_4":	1585603720,
+ 		"common_flags_str_4":	"[Client is Local,Inbound,Streaming]",
+ 		"common_flags_identify_info_4":	"{\"Client is Local\":1,\"Inbound\":25,\"Streaming\":186,\"C2S\":2,\"S2C\":1,\"block_frequency\":5,\"overlapping_template_matching\":5,\"random_excursions\":5,\"random_excursions_variant\":5,\"poker_detect\":5,\"runs_distribution\":5,\"binary_derivative\":5}",
+ 		"common_flags_5":	1585636488,
+ 		"common_flags_str_5":	"[Client is Local,Inbound,Streaming,Bidirectional]",
+ 		"common_flags_identify_info_5":	"{\"Client is Local\":1,\"Inbound\":25,\"Streaming\":186,\"C2S\":2,\"S2C\":1,\"Bidirectional\":8551,\"block_frequency\":5,\"overlapping_template_matching\":5,\"random_excursions\":5,\"random_excursions_variant\":5,\"poker_detect\":5,\"runs_distribution\":5,\"binary_derivative\":5}",
+ 		"name":	"base_0"
+	}
+]
+\ No newline at end of file
diff --git a/test/decoders/session_flags/pcap/dns_asymmetric.json b/test/decoders/session_flags/pcap/dns_asymmetric.json
new file mode 100644
index 0000000..3b3510b
--- /dev/null
+++ b/test/decoders/session_flags/pcap/dns_asymmetric.json
@@ -0,0 +1,14 @@
+[
+	{
+		"common_flags_0": 8208,
+		"common_flags_str_0": "[Server is Local]",
+		"common_flags_identify_info_0": "{\"Server is Local\":1,\"C2S\":1}",
+		"common_flags_1": 8209,
+		"common_flags_str_1": "[Asymmetric,Server is Local]",
+		"common_flags_identify_info_1": "{\"Asymmetric\":10,\"Server is Local\":1,\"C2S\":1}",
+		"common_flags_2": 24593,
+		"common_flags_str_2": "[Asymmetric,Server is Local]",
+		"common_flags_identify_info_2": "{\"Asymmetric\":10,\"Server is Local\":1,\"C2S\":1,\"S2C\":12}",
+		"name": "base_0"
+	}
+]
+\ No newline at end of file
diff --git a/test/decoders/session_flags/pcap/dns_asymmetric.pcap b/test/decoders/session_flags/pcap/dns_asymmetric.pcap
new file mode 100644
index 0000000..116934f
--- /dev/null
+++ b/test/decoders/session_flags/pcap/dns_asymmetric.pcap
diff --git a/test/decoders/session_flags/pcap/douyin.json b/test/decoders/session_flags/pcap/douyin.json
new file mode 100644
index 0000000..739d1db
--- /dev/null
+++ b/test/decoders/session_flags/pcap/douyin.json
@@ -0,0 +1,20 @@
+[
+	{
+		"common_flags_0":	8200,
+ 		"common_flags_str_0":	"[Client is Local]",
+ 		"common_flags_identify_info_0":	"{\"Client is Local\":1,\"C2S\":1}",
+ 		"common_flags_1":	24584,
+ 		"common_flags_str_1":	"[Client is Local]",
+		"common_flags_identify_info_1":	"{\"Client is Local\":1,\"C2S\":1,\"S2C\":2}",
+ 		"common_flags_2":	2124242952,
+ 		"common_flags_str_2":	"[Client is Local]",
+ 		"common_flags_identify_info_2":	"{\"Client is Local\":1,\"C2S\":1,\"S2C\":2,\"frequency\":4,\"cumulative_sums\":4,\"runs\":4,\"longest_run\":4,\"overlapping_template_matching\":4,\"random_excursions\":4,\"random_excursions_variant\":4,\"poker_detect\":4,\"runs_distribution\":4,\"self_correlation\":4,\"binary_derivative\":4}",
+		"common_flags_3":	2124244104,
+ 		"common_flags_str_3":	"[Client is Local,Inbound,Streaming]",
+ 		"common_flags_identify_info_3":	"{\"Client is Local\":1,\"Inbound\":6036,\"Streaming\":6036,\"C2S\":1,\"S2C\":2,\"frequency\":4,\"cumulative_sums\":4,\"runs\":4,\"longest_run\":4,\"overlapping_template_matching\":4,\"random_excursions\":4,\"random_excursions_variant\":4,\"poker_detect\":4,\"runs_distribution\":4,\"self_correlation\":4,\"binary_derivative\":4}",
+ 		"common_flags_4":	2124244650,
+ 		"common_flags_str_4":	"[Bulky,Client is Local,Download,Inbound,Pseudo Unidirectional,Streaming]",
+ 		"common_flags_identify_info_4":	"{\"Bulky\":6042,\"Client is Local\":1,\"Download\":6042,\"Inbound\":6036,\"Pseudo Unidirectional\":6042,\"Streaming\":6036,\"C2S\":1,\"S2C\":2,\"frequency\":4,\"cumulative_sums\":4,\"runs\":4,\"longest_run\":4,\"overlapping_template_matching\":4,\"random_excursions\":4,\"random_excursions_variant\":4,\"poker_detect\":4,\"runs_distribution\":4,\"self_correlation\":4,\"binary_derivative\":4}",
+ 		"name":	"base_0"
+	}
+]
+\ No newline at end of file
diff --git a/test/decoders/session_flags/pcap/douyin.pcap b/test/decoders/session_flags/pcap/douyin.pcap
new file mode 100644
index 0000000..89e08d3
--- /dev/null
+++ b/test/decoders/session_flags/pcap/douyin.pcap
diff --git a/test/decoders/session_flags/pcap/ftp-data.pcap b/test/decoders/session_flags/pcap/ftp-data.pcap
new file mode 100644
index 0000000..9517dde
--- /dev/null
+++ b/test/decoders/session_flags/pcap/ftp-data.pcap
diff --git a/test/decoders/session_flags/pcap/https_download.json b/test/decoders/session_flags/pcap/https_download.json
new file mode 100644
index 0000000..b0f735d
--- /dev/null
+++ b/test/decoders/session_flags/pcap/https_download.json
@@ -0,0 +1,26 @@
+[{
+	"common_flags_0":       8200,
+	"common_flags_str_0":   "[Client is Local,C2S]",
+	"common_flags_identify_info_0": "1,1,",
+	"common_flags_1":       24584,
+	"common_flags_str_1":   "[Client is Local,C2S,S2C]",
+	"common_flags_identify_info_1": "1,1,2,",
+	"common_flags_2":       28680,
+	"common_flags_str_2":   "[Client is Local,Random Looking,C2S,S2C]",
+	"common_flags_identify_info_2": "1,4,1,2,",
+	"common_flags_3":       28808,
+	"common_flags_str_3":   "[Client is Local,Inbound,Random Looking,C2S,S2C]",
+	"common_flags_identify_info_3": "1,1188,4,1,2,",
+	"common_flags_4":       29832,
+	"common_flags_str_4":   "[Client is Local,Inbound,Streaming,Random Looking,C2S,S2C]",
+	"common_flags_identify_info_4": "1,1188,1662,4,1,2,",
+	"common_flags_5":       30344,
+	"common_flags_str_5":   "[Client is Local,Inbound,Pseudo Unidirectional,Streaming,Random Looking,C2S,S2C]",
+	"common_flags_identify_info_5": "1,1188,3546,1662,4,1,2,",
+	"common_flags_6":       30346,
+	"common_flags_str_6":   "[Bulky,Client is Local,Inbound,Pseudo Unidirectional,Streaming,Random Looking,C2S,S2C]",
+	"common_flags_identify_info_6": "4095,1,1188,3546,1662,4,1,2,",
+	"common_flags_7":       30378,
+	"common_flags_str_7":   "[Bulky,Client is Local,Download,Inbound,Pseudo Unidirectional,Streaming,Random Looking,C2S,S2C]",
+	"common_flags_identify_info_7": "4095,1,4201,1188,3546,1662,4,1,2,"
+}]
+\ No newline at end of file
diff --git a/test/decoders/session_flags/pcap/https_download.pcap b/test/decoders/session_flags/pcap/https_download.pcap
new file mode 100644
index 0000000..f2f5835
--- /dev/null
+++ b/test/decoders/session_flags/pcap/https_download.pcap
diff --git a/test/decoders/session_flags/pcap/mix-quic-ssl-quic-mail.pcap b/test/decoders/session_flags/pcap/mix-quic-ssl-quic-mail.pcap
new file mode 100644
index 0000000..05f2d03
--- /dev/null
+++ b/test/decoders/session_flags/pcap/mix-quic-ssl-quic-mail.pcap
diff --git a/test/decoders/session_flags/pcap/mix.json b/test/decoders/session_flags/pcap/mix.json
new file mode 100644
index 0000000..e3144b6
--- /dev/null
+++ b/test/decoders/session_flags/pcap/mix.json
@@ -0,0 +1,65 @@
+[
+	{
+		"common_flags_0":	8200,
+		"common_flags_str_0":	"[Client is Local]",
+ 		"common_flags_identify_info_0":	"{\"Client is Local\":1,\"C2S\":1}",
+ 		"common_flags_1":	24584,
+ 		"common_flags_str_1":	"[Client is Local]",
+ 		"common_flags_identify_info_1":	"{\"Client is Local\":1,\"C2S\":1,\"S2C\":2}",
+ 		"common_flags_2":	109076488,
+ 		"common_flags_str_2":	"[Client is Local]",
+ 		"common_flags_identify_info_2":	"{\"Client is Local\":1,\"C2S\":1,\"S2C\":2,\"overlapping_template_matching\":4,\"random_excursions\":4,\"random_excursions_variant\":4}",
+ 		"common_flags_3":	109078186,
+	 	"common_flags_str_3":	"[Bulky,Client is Local,Download,Inbound,Pseudo Unidirectional,Streaming]",
+	 	"common_flags_identify_info_3":	"{\"Bulky\":2250,\"Client is Local\":1,\"Download\":2250,\"Inbound\":2250,\"Pseudo Unidirectional\":2250,\"Streaming\":2250,\"C2S\":1,\"S2C\":2,\"overlapping_template_matching\":4,\"random_excursions\":4,\"random_excursions_variant\":4}",
+	 	"name":	"base_0"
+	},
+	{
+		"common_flags_0":	8200,
+		"common_flags_str_0":	"[Client is Local]",
+ 		"common_flags_identify_info_0":	"{\"Client is Local\":1,\"C2S\":1}",
+ 		"common_flags_1":	1451237384,
+ 		"common_flags_str_1":	"[Client is Local]",
+ 		"common_flags_identify_info_1":	"{\"Client is Local\":1,\"C2S\":1,\"overlapping_template_matching\":10,\"random_excursions\":10,\"random_excursions_variant\":10,\"runs_distribution\":10,\"binary_derivative\":10}",
+ 		"common_flags_2":	1451237385,
+ 		"common_flags_str_2":	"[Asymmetric,Client is Local]",
+ 		"common_flags_identify_info_2":	"{\"Asymmetric\":4168,\"Client is Local\":1,\"C2S\":1,\"overlapping_template_matching\":10,\"random_excursions\":10,\"random_excursions_variant\":10,\"runs_distribution\":10,\"binary_derivative\":10}",
+ 		"name":	"base_1"
+	},
+	{
+		"common_flags_0":	8200,
+ 		"common_flags_str_0":	"[Client is Local]",
+ 		"common_flags_identify_info_0":	"{\"Client is Local\":1,\"C2S\":1}",
+		"common_flags_1":	2126323720,
+ 		"common_flags_str_1":	"[Client is Local]",
+ 		"common_flags_identify_info_1":	"{\"Client is Local\":1,\"C2S\":1,\"frequency\":2,\"cumulative_sums\":2,\"runs\":2,\"longest_run\":2,\"rank\":2,\"overlapping_template_matching\":2,\"random_excursions\":2,\"random_excursions_variant\":2,\"poker_detect\":2,\"runs_distribution\":2,\"self_correlation\":2,\"binary_derivative\":2}",
+		"common_flags_2":	2126340104,
+ 		"common_flags_str_2":	"[Client is Local]",
+ 		"common_flags_identify_info_2":	"{\"Client is Local\":1,\"C2S\":1,\"S2C\":6,\"frequency\":2,\"cumulative_sums\":2,\"runs\":2,\"longest_run\":2,\"rank\":2,\"overlapping_template_matching\":2,\"random_excursions\":2,\"random_excursions_variant\":2,\"poker_detect\":2,\"runs_distribution\":2,\"self_correlation\":2,\"binary_derivative\":2}",
+		"common_flags_3":	2126340232,
+	 	"common_flags_str_3":	"[Client is Local,Inbound]",
+	 	"common_flags_identify_info_3":	"{\"Client is Local\":1,\"Inbound\":29,\"C2S\":1,\"S2C\":6,\"frequency\":2,\"cumulative_sums\":2,\"runs\":2,\"longest_run\":2,\"rank\":2,\"overlapping_template_matching\":2,\"random_excursions\":2,\"random_excursions_variant\":2,\"poker_detect\":2,\"runs_distribution\":2,\"self_correlation\":2,\"binary_derivative\":2}",
+ 		"name":	"base_2"
+	},
+	{
+		"common_flags_0":	8200,
+ 		"common_flags_str_0":	"[Client is Local]",
+ 		"common_flags_identify_info_0":	"{\"Client is Local\":1,\"C2S\":1}",
+ 		"common_flags_1":	1186291720,
+ 		"common_flags_str_1":	"[Client is Local]",
+ 		"common_flags_identify_info_1":	"{\"Client is Local\":1,\"C2S\":1,\"S2C\":2,\"frequency\":2,\"cumulative_sums\":2,\"longest_run\":2,\"rank\":2,\"overlapping_template_matching\":2,\"random_excursions\":2,\"random_excursions_variant\":2,\"binary_derivative\":2}",
+ 		"common_flags_2":	1186291848,
+	 	"common_flags_str_2":	"[Client is Local,Inbound]",
+	 	"common_flags_identify_info_2":	"{\"Client is Local\":1,\"Inbound\":21,\"C2S\":1,\"S2C\":2,\"frequency\":2,\"cumulative_sums\":2,\"longest_run\":2,\"rank\":2,\"overlapping_template_matching\":2,\"random_excursions\":2,\"random_excursions_variant\":2,\"binary_derivative\":2}",
+	 	"common_flags_3":	1186292872,
+	 	"common_flags_str_3":	"[Client is Local,Inbound,Streaming]",
+	 	"common_flags_identify_info_3":	"{\"Client is Local\":1,\"Inbound\":21,\"Streaming\":100,\"C2S\":1,\"S2C\":2,\"frequency\":2,\"cumulative_sums\":2,\"longest_run\":2,\"rank\":2,\"overlapping_template_matching\":2,\"random_excursions\":2,\"random_excursions_variant\":2,\"binary_derivative\":2}",
+	 	"common_flags_4":	1186292874,
+	 	"common_flags_str_4":	"[Bulky,Client is Local,Inbound,Streaming]",
+	 	"common_flags_identify_info_4":	"{\"Bulky\":430,\"Client is Local\":1,\"Inbound\":21,\"Streaming\":100,\"C2S\":1,\"S2C\":2,\"frequency\":2,\"cumulative_sums\":2,\"longest_run\":2,\"rank\":2,\"overlapping_template_matching\":2,\"random_excursions\":2,\"random_excursions_variant\":2,\"binary_derivative\":2}",
+	 	"common_flags_5":	1186292878,
+	 	"common_flags_str_5":	"[Bulky,CBR Streaming,Client is Local,Inbound,Streaming]",
+	 	"common_flags_identify_info_5":	"{\"Bulky\":430,\"CBR Streaming\":6984,\"Client is Local\":1,\"Inbound\":21,\"Streaming\":100,\"C2S\":1,\"S2C\":2,\"frequency\":2,\"cumulative_sums\":2,\"longest_run\":2,\"rank\":2,\"overlapping_template_matching\":2,\"random_excursions\":2,\"random_excursions_variant\":2,\"binary_derivative\":2}",
+	 	"name":	"base_3"
+	}
+]
+\ No newline at end of file
diff --git a/test/decoders/session_flags/pcap/quic_asymmetric.json b/test/decoders/session_flags/pcap/quic_asymmetric.json
new file mode 100644
index 0000000..68e3e37
--- /dev/null
+++ b/test/decoders/session_flags/pcap/quic_asymmetric.json
@@ -0,0 +1,17 @@
+[
+	{
+		"common_flags_0":	8200,
+ 		"common_flags_str_0":	"[Client is Local]",
+ 		"common_flags_identify_info_0":	"{\"Client is Local\":1,\"C2S\":1}",
+ 		"common_flags_1":	2126323720,
+ 		"common_flags_str_1":	"[Client is Local]",
+ 		"common_flags_identify_info_1":	"{\"Client is Local\":1,\"C2S\":1,\"frequency\":2,\"cumulative_sums\":2,\"runs\":2,\"longest_run\":2,\"rank\":2,\"overlapping_template_matching\":2,\"random_excursions\":2,\"random_excursions_variant\":2,\"poker_detect\":2,\"runs_distribution\":2,\"self_correlation\":2,\"binary_derivative\":2}",
+ 		"common_flags_2":	2126340104,
+ 		"common_flags_str_2":	"[Client is Local]",
+ 		"common_flags_identify_info_2":	"{\"Client is Local\":1,\"C2S\":1,\"S2C\":14,\"frequency\":2,\"cumulative_sums\":2,\"runs\":2,\"longest_run\":2,\"rank\":2,\"overlapping_template_matching\":2,\"random_excursions\":2,\"random_excursions_variant\":2,\"poker_detect\":2,\"runs_distribution\":2,\"self_correlation\":2,\"binary_derivative\":2}",
+		"common_flags_3":	2126340232,
+ 		"common_flags_str_3":	"[Client is Local,Inbound]",
+ 		"common_flags_identify_info_3":	"{\"Client is Local\":1,\"Inbound\":84,\"C2S\":1,\"S2C\":14,\"frequency\":2,\"cumulative_sums\":2,\"runs\":2,\"longest_run\":2,\"rank\":2,\"overlapping_template_matching\":2,\"random_excursions\":2,\"random_excursions_variant\":2,\"poker_detect\":2,\"runs_distribution\":2,\"self_correlation\":2,\"binary_derivative\":2}",
+ 		"name":	"base_0"
+	}
+]
+\ No newline at end of file
diff --git a/test/decoders/session_flags/pcap/quic_asymmetric.pcapng b/test/decoders/session_flags/pcap/quic_asymmetric.pcapng
new file mode 100644
index 0000000..5596a03
--- /dev/null
+++ b/test/decoders/session_flags/pcap/quic_asymmetric.pcapng
diff --git a/test/decoders/session_flags/pcap/quic_asymmetric_1.json b/test/decoders/session_flags/pcap/quic_asymmetric_1.json
new file mode 100644
index 0000000..dab7c23
--- /dev/null
+++ b/test/decoders/session_flags/pcap/quic_asymmetric_1.json
@@ -0,0 +1,14 @@
+[
+	{
+		"common_flags_0":	16392,
+ 		"common_flags_str_0":	"[Client is Local]",
+ 		"common_flags_identify_info_0":	"{\"Client is Local\":1,\"S2C\":1}",
+ 		"common_flags_1":	1452294152,
+ 		"common_flags_str_1":	"[Client is Local]",
+ 		"common_flags_identify_info_1":	"{\"Client is Local\":1,\"S2C\":1,\"longest_run\":2,\"overlapping_template_matching\":2,\"random_excursions\":2,\"random_excursions_variant\":2,\"runs_distribution\":2,\"binary_derivative\":2}",
+ 		"common_flags_2":	1452294153,
+ 		"common_flags_str_2":	"[Asymmetric,Client is Local]",
+ 		"common_flags_identify_info_2":	"{\"Asymmetric\":37,\"Client is Local\":1,\"S2C\":1,\"longest_run\":2,\"overlapping_template_matching\":2,\"random_excursions\":2,\"random_excursions_variant\":2,\"runs_distribution\":2,\"binary_derivative\":2}",
+ 		"name":	"base_0"
+	}
+]
+\ No newline at end of file
diff --git a/test/decoders/session_flags/pcap/quic_asymmetric_1.pcap b/test/decoders/session_flags/pcap/quic_asymmetric_1.pcap
new file mode 100644
index 0000000..bb55d52
--- /dev/null
+++ b/test/decoders/session_flags/pcap/quic_asymmetric_1.pcap
diff --git a/test/decoders/session_flags/pcap/quic_online_streaming.json b/test/decoders/session_flags/pcap/quic_online_streaming.json
new file mode 100644
index 0000000..443d331
--- /dev/null
+++ b/test/decoders/session_flags/pcap/quic_online_streaming.json
@@ -0,0 +1,26 @@
+[
+	{
+		"common_flags_0":	8200,
+ 		"common_flags_str_0":	"[Client is Local]",
+ 		"common_flags_identify_info_0":	"{\"Client is Local\":1,\"C2S\":1}",
+ 		"common_flags_1":	2124226568,
+ 		"common_flags_str_1":	"[Client is Local]",
+ 		"common_flags_identify_info_1":	"{\"Client is Local\":1,\"C2S\":1,\"frequency\":3,\"cumulative_sums\":3,\"runs\":3,\"longest_run\":3,\"overlapping_template_matching\":3,\"random_excursions\":3,\"random_excursions_variant\":3,\"poker_detect\":3,\"runs_distribution\":3,\"self_correlation\":3,\"binary_derivative\":3}",
+ 		"common_flags_2":	2124242952,
+ 		"common_flags_str_2":	"[Client is Local]",
+ 		"common_flags_identify_info_2":	"{\"Client is Local\":1,\"C2S\":1,\"S2C\":4,\"frequency\":3,\"cumulative_sums\":3,\"runs\":3,\"longest_run\":3,\"overlapping_template_matching\":3,\"random_excursions\":3,\"random_excursions_variant\":3,\"poker_detect\":3,\"runs_distribution\":3,\"self_correlation\":3,\"binary_derivative\":3}",
+ 		"common_flags_3":	2124244104,
+	 	"common_flags_str_3":	"[Client is Local,Inbound,Streaming]",
+	 	"common_flags_identify_info_3":	"{\"Client is Local\":1,\"Inbound\":291,\"Streaming\":291,\"C2S\":1,\"S2C\":4,\"frequency\":3,\"cumulative_sums\":3,\"runs\":3,\"longest_run\":3,\"overlapping_template_matching\":3,\"random_excursions\":3,\"random_excursions_variant\":3,\"poker_detect\":3,\"runs_distribution\":3,\"self_correlation\":3,\"binary_derivative\":3}",
+	 	"common_flags_4":	2124244106,
+	 	"common_flags_str_4":	"[Bulky,Client is Local,Inbound,Streaming]",
+	 	"common_flags_identify_info_4":	"{\"Bulky\":630,\"Client is Local\":1,\"Inbound\":291,\"Streaming\":291,\"C2S\":1,\"S2C\":4,\"frequency\":3,\"cumulative_sums\":3,\"runs\":3,\"longest_run\":3,\"overlapping_template_matching\":3,\"random_excursions\":3,\"random_excursions_variant\":3,\"poker_detect\":3,\"runs_distribution\":3,\"self_correlation\":3,\"binary_derivative\":3}",
+	 	"common_flags_5":	2124276874,
+	 	"common_flags_str_5":	"[Bulky,Client is Local,Inbound,Streaming,Bidirectional]",
+	 	"common_flags_identify_info_5":	"{\"Bulky\":630,\"Client is Local\":1,\"Inbound\":291,\"Streaming\":291,\"C2S\":1,\"S2C\":4,\"Bidirectional\":7315,\"frequency\":3,\"cumulative_sums\":3,\"runs\":3,\"longest_run\":3,\"overlapping_template_matching\":3,\"random_excursions\":3,\"random_excursions_variant\":3,\"poker_detect\":3,\"runs_distribution\":3,\"self_correlation\":3,\"binary_derivative\":3}",
+	 	"common_flags_6":	2124276938,
+	 	"common_flags_str_6":	"[Bulky,Client is Local,Interactive,Inbound,Streaming,Bidirectional]",
+	 	"common_flags_identify_info_6":	"{\"Bulky\":630,\"Client is Local\":1,\"Interactive\":25786,\"Inbound\":291,\"Streaming\":291,\"C2S\":1,\"S2C\":4,\"Bidirectional\":7315,\"frequency\":3,\"cumulative_sums\":3,\"runs\":3,\"longest_run\":3,\"overlapping_template_matching\":3,\"random_excursions\":3,\"random_excursions_variant\":3,\"poker_detect\":3,\"runs_distribution\":3,\"self_correlation\":3,\"binary_derivative\":3}",
+	 	"name":	"base_0"
+	}
+]
+\ No newline at end of file
diff --git a/test/decoders/session_flags/pcap/quic_online_streaming.pcap b/test/decoders/session_flags/pcap/quic_online_streaming.pcap
new file mode 100644
index 0000000..9db5c49
--- /dev/null
+++ b/test/decoders/session_flags/pcap/quic_online_streaming.pcap
diff --git a/test/decoders/session_flags/pcap/ssh-interactive.json b/test/decoders/session_flags/pcap/ssh-interactive.json
new file mode 100644
index 0000000..e6a3e40
--- /dev/null
+++ b/test/decoders/session_flags/pcap/ssh-interactive.json
@@ -0,0 +1,29 @@
+[ 
+	{
+		"common_flags_0":	8208,
+ 		"common_flags_str_0":	"[Server is Local]",
+ 		"common_flags_identify_info_0":	"{\"Server is Local\":1,\"C2S\":1}",
+ 		"common_flags_1":	24592,
+ 		"common_flags_str_1":	"[Server is Local]",
+ 		"common_flags_identify_info_1":	"{\"Server is Local\":1,\"C2S\":1,\"S2C\":2}",
+ 		"common_flags_2":	111173648,
+ 		"common_flags_str_2":	"[Server is Local]",
+ 		"common_flags_identify_info_2":	"{\"Server is Local\":1,\"C2S\":1,\"S2C\":2,\"rank\":7,\"overlapping_template_matching\":7,\"random_excursions\":7,\"random_excursions_variant\":7}",
+ 		"common_flags_3":	111173904,
+	 	"common_flags_str_3":	"[Server is Local,Outbound]",
+	 	"common_flags_identify_info_3":	"{\"Server is Local\":1,\"Outbound\":40,\"C2S\":1,\"S2C\":2,\"rank\":7,\"overlapping_template_matching\":7,\"random_excursions\":7,\"random_excursions_variant\":7}",
+	 	"common_flags_4":	111173968,
+	 	"common_flags_str_4":	"[Server is Local,Interactive,Outbound]",
+ 		"common_flags_identify_info_4":	"{\"Server is Local\":1,\"Interactive\":52,\"Outbound\":40,\"C2S\":1,\"S2C\":2,\"rank\":7,\"overlapping_template_matching\":7,\"random_excursions\":7,\"random_excursions_variant\":7}",
+	 	"name":	"base_0"
+	},
+	{
+ 		"common_flags_0":	16400,
+ 		"common_flags_str_0":	"[Server is Local]",
+ 		"common_flags_identify_info_0":	"{\"Server is Local\":1,\"S2C\":1}",
+ 		"common_flags_1":	16401,
+		"common_flags_str_1":	"[Asymmetric,Server is Local]",
+ 		"common_flags_identify_info_1":	"{\"Asymmetric\":2,\"Server is Local\":1,\"S2C\":1}",
+		"name":	"base_1"
+ 	}
+]
+\ No newline at end of file
diff --git a/test/decoders/session_flags/pcap/ssh-interactive.pcap b/test/decoders/session_flags/pcap/ssh-interactive.pcap
new file mode 100644
index 0000000..6efe2ab
--- /dev/null
+++ b/test/decoders/session_flags/pcap/ssh-interactive.pcap
diff --git a/test/decoders/session_flags/pcap/telegram_mtproto_ipv4_key_1.pcap b/test/decoders/session_flags/pcap/telegram_mtproto_ipv4_key_1.pcap
new file mode 100644
index 0000000..7b966dd
--- /dev/null
+++ b/test/decoders/session_flags/pcap/telegram_mtproto_ipv4_key_1.pcap
diff --git a/test/decoders/session_flags/pcap/telegram_mtproto_ipv6_key_1.pcap b/test/decoders/session_flags/pcap/telegram_mtproto_ipv6_key_1.pcap
new file mode 100644
index 0000000..e0b3144
--- /dev/null
+++ b/test/decoders/session_flags/pcap/telegram_mtproto_ipv6_key_1.pcap
diff --git a/test/decoders/session_flags/pcap/tencent_meeting_video.json b/test/decoders/session_flags/pcap/tencent_meeting_video.json
new file mode 100644
index 0000000..bb29da4
--- /dev/null
+++ b/test/decoders/session_flags/pcap/tencent_meeting_video.json
@@ -0,0 +1,23 @@
+[
+    {
+        "common_flags_0":	16392,
+	 	"common_flags_str_0":	"[Client is Local]",
+	 	"common_flags_identify_info_0":	"{\"Client is Local\":1,\"S2C\":1}",
+	 	"common_flags_1":	2126462984,
+	 	"common_flags_str_1":	"[Client is Local]",
+	 	"common_flags_identify_info_1":	"{\"Client is Local\":1,\"S2C\":1,\"frequency\":2,\"block_frequency\":2,\"cumulative_sums\":2,\"runs\":2,\"longest_run\":2,\"rank\":2,\"overlapping_template_matching\":2,\"random_excursions\":2,\"random_excursions_variant\":2,\"poker_detect\":2,\"runs_distribution\":2,\"self_correlation\":2,\"binary_derivative\":2}",
+	 	"common_flags_2":	2126471176,
+	 	"common_flags_str_2":	"[Client is Local]",
+	 	"common_flags_identify_info_2":	"{\"Client is Local\":1,\"C2S\":5,\"S2C\":1,\"frequency\":2,\"block_frequency\":2,\"cumulative_sums\":2,\"runs\":2,\"longest_run\":2,\"rank\":2,\"overlapping_template_matching\":2,\"random_excursions\":2,\"random_excursions_variant\":2,\"poker_detect\":2,\"runs_distribution\":2,\"self_correlation\":2,\"binary_derivative\":2}",
+	 	"common_flags_3":	2126471432,
+	 	"common_flags_str_3":	"[Client is Local,Outbound]",
+	 	"common_flags_identify_info_3":	"{\"Client is Local\":1,\"Outbound\":414,\"C2S\":5,\"S2C\":1,\"frequency\":2,\"block_frequency\":2,\"cumulative_sums\":2,\"runs\":2,\"longest_run\":2,\"rank\":2,\"overlapping_template_matching\":2,\"random_excursions\":2,\"random_excursions_variant\":2,\"poker_detect\":2,\"runs_distribution\":2,\"self_correlation\":2,\"binary_derivative\":2}",
+	 	"common_flags_4":	2126504200,
+	 	"common_flags_str_4":	"[Client is Local,Outbound,Bidirectional]",
+	 	"common_flags_identify_info_4":	"{\"Client is Local\":1,\"Outbound\":414,\"C2S\":5,\"S2C\":1,\"Bidirectional\":2448,\"frequency\":2,\"block_frequency\":2,\"cumulative_sums\":2,\"runs\":2,\"longest_run\":2,\"rank\":2,\"overlapping_template_matching\":2,\"random_excursions\":2,\"random_excursions_variant\":2,\"poker_detect\":2,\"runs_distribution\":2,\"self_correlation\":2,\"binary_derivative\":2}",
+	 	"common_flags_5":	2126504204,
+	 	"common_flags_str_5":	"[CBR Streaming,Client is Local,Outbound,Bidirectional]",
+	 	"common_flags_identify_info_5":	"{\"CBR Streaming\":4095,\"Client is Local\":1,\"Outbound\":414,\"C2S\":5,\"S2C\":1,\"Bidirectional\":2448,\"frequency\":2,\"block_frequency\":2,\"cumulative_sums\":2,\"runs\":2,\"longest_run\":2,\"rank\":2,\"overlapping_template_matching\":2,\"random_excursions\":2,\"random_excursions_variant\":2,\"poker_detect\":2,\"runs_distribution\":2,\"self_correlation\":2,\"binary_derivative\":2}",
+	 	"name":	"base_0"
+    }
+]
+\ No newline at end of file
diff --git a/test/decoders/session_flags/pcap/tencent_meeting_video.pcapng b/test/decoders/session_flags/pcap/tencent_meeting_video.pcapng
new file mode 100644
index 0000000..6013cfb
--- /dev/null
+++ b/test/decoders/session_flags/pcap/tencent_meeting_video.pcapng
diff --git a/test/decoders/session_flags/pcap/tencent_meeting_voice.json b/test/decoders/session_flags/pcap/tencent_meeting_voice.json
new file mode 100644
index 0000000..a81e3c5
--- /dev/null
+++ b/test/decoders/session_flags/pcap/tencent_meeting_voice.json
@@ -0,0 +1,20 @@
+[
+    {
+        "common_flags_0":	16392,
+ 		"common_flags_str_0":	"[Client is Local]",
+ 		"common_flags_identify_info_0":	"{\"Client is Local\":1,\"S2C\":1}",
+ 		"common_flags_1":	24584,
+ 		"common_flags_str_1":	"[Client is Local]",
+ 		"common_flags_identify_info_1":	"{\"Client is Local\":1,\"C2S\":2,\"S2C\":1}",
+ 		"common_flags_2":	2123980808,
+ 		"common_flags_str_2":	"[Client is Local]",
+ 		"common_flags_identify_info_2":	"{\"Client is Local\":1,\"C2S\":2,\"S2C\":1,\"frequency\":4,\"runs\":4,\"longest_run\":4,\"overlapping_template_matching\":4,\"random_excursions\":4,\"random_excursions_variant\":4,\"poker_detect\":4,\"runs_distribution\":4,\"self_correlation\":4,\"binary_derivative\":4}",
+ 		"common_flags_3":	2123981064,
+	 	"common_flags_str_3":	"[Client is Local,Outbound]",
+	 	"common_flags_identify_info_3":	"{\"Client is Local\":1,\"Outbound\":21,\"C2S\":2,\"S2C\":1,\"frequency\":4,\"runs\":4,\"longest_run\":4,\"overlapping_template_matching\":4,\"random_excursions\":4,\"random_excursions_variant\":4,\"poker_detect\":4,\"runs_distribution\":4,\"self_correlation\":4,\"binary_derivative\":4}",
+	 	"common_flags_4":	2124013832,
+	 	"common_flags_str_4":	"[Client is Local,Outbound,Bidirectional]",
+	 	"common_flags_identify_info_4":	"{\"Client is Local\":1,\"Outbound\":21,\"C2S\":2,\"S2C\":1,\"Bidirectional\":606,\"frequency\":4,\"runs\":4,\"longest_run\":4,\"overlapping_template_matching\":4,\"random_excursions\":4,\"random_excursions_variant\":4,\"poker_detect\":4,\"runs_distribution\":4,\"self_correlation\":4,\"binary_derivative\":4}",
+	 	"name":	"base_0"
+    }
+]
+\ No newline at end of file
diff --git a/test/decoders/session_flags/pcap/tencent_meeting_voice.pcapng b/test/decoders/session_flags/pcap/tencent_meeting_voice.pcapng
new file mode 100644
index 0000000..2935fe5
--- /dev/null
+++ b/test/decoders/session_flags/pcap/tencent_meeting_voice.pcapng
diff --git a/test/decoders/session_flags/pcap/tls1.2.pcapng b/test/decoders/session_flags/pcap/tls1.2.pcapng
new file mode 100644
index 0000000..ad1a1e0
--- /dev/null
+++ b/test/decoders/session_flags/pcap/tls1.2.pcapng
diff --git a/test/decoders/session_flags/pcap/tls1.2_no_reuse.pcap b/test/decoders/session_flags/pcap/tls1.2_no_reuse.pcap
new file mode 100644
index 0000000..e911f2b
--- /dev/null
+++ b/test/decoders/session_flags/pcap/tls1.2_no_reuse.pcap
diff --git a/test/decoders/session_flags/pcap/tls_over_tls_1.2_no_reuse.pcap b/test/decoders/session_flags/pcap/tls_over_tls_1.2_no_reuse.pcap
new file mode 100644
index 0000000..9deb86f
--- /dev/null
+++ b/test/decoders/session_flags/pcap/tls_over_tls_1.2_no_reuse.pcap
diff --git a/test/decoders/session_flags/pcap/unidirectional.json b/test/decoders/session_flags/pcap/unidirectional.json
new file mode 100644
index 0000000..a681f54
--- /dev/null
+++ b/test/decoders/session_flags/pcap/unidirectional.json
@@ -0,0 +1,14 @@
+[
+	{
+		"common_flags_0":	8200,
+ 		"common_flags_str_0":	"[Client is Local]",
+ 		"common_flags_identify_info_0":	"{\"Client is Local\":1,\"C2S\":1}",
+ 		"common_flags_1":	24584,
+ 		"common_flags_str_1":	"[Client is Local]",
+ 		"common_flags_identify_info_1":	"{\"Client is Local\":1,\"C2S\":1,\"S2C\":2}",
+ 		"common_flags_2":	1185898504,
+ 		"common_flags_str_2":	"[Client is Local]",
+ 		"common_flags_identify_info_2":	"{\"Client is Local\":1,\"C2S\":1,\"S2C\":2,\"frequency\":4,\"block_frequency\":4,\"cumulative_sums\":4,\"runs\":4,\"rank\":4,\"overlapping_template_matching\":4,\"random_excursions\":4,\"random_excursions_variant\":4,\"binary_derivative\":4}",
+ 		"name":	"base_0"
+	}
+]
+\ No newline at end of file
diff --git a/test/decoders/session_flags/pcap/unidirectional.pcap b/test/decoders/session_flags/pcap/unidirectional.pcap
new file mode 100644
index 0000000..9e7b65a
--- /dev/null
+++ b/test/decoders/session_flags/pcap/unidirectional.pcap
diff --git a/test/decoders/session_flags/pcap/wechat_voice_call.json b/test/decoders/session_flags/pcap/wechat_voice_call.json
new file mode 100644
index 0000000..a2077d6
--- /dev/null
+++ b/test/decoders/session_flags/pcap/wechat_voice_call.json
@@ -0,0 +1,20 @@
+[
+	{
+		"common_flags_0":	8208,
+ 		"common_flags_str_0":	"[Server is Local]",
+ 		"common_flags_identify_info_0":	"{\"Server is Local\":1,\"C2S\":1}",
+ 		"common_flags_1":	2123390992,
+ 		"common_flags_str_1":	"[Server is Local]",
+ 		"common_flags_identify_info_1":	"{\"Server is Local\":1,\"C2S\":1,\"S2C\":2,\"longest_run\":2,\"overlapping_template_matching\":2,\"random_excursions\":2,\"random_excursions_variant\":2,\"poker_detect\":2,\"runs_distribution\":2,\"self_correlation\":2,\"binary_derivative\":2}",
+ 		"common_flags_2":	2123391120,
+ 		"common_flags_str_2":	"[Server is Local,Inbound]",
+ 		"common_flags_identify_info_2":	"{\"Server is Local\":1,\"Inbound\":83,\"C2S\":1,\"S2C\":2,\"longest_run\":2,\"overlapping_template_matching\":2,\"random_excursions\":2,\"random_excursions_variant\":2,\"poker_detect\":2,\"runs_distribution\":2,\"self_correlation\":2,\"binary_derivative\":2}",
+ 		"common_flags_3":	2123391124,
+ 		"common_flags_str_3":	"[CBR Streaming,Server is Local,Inbound]",
+ 		"common_flags_identify_info_3":	"{\"CBR Streaming\":3634,\"Server is Local\":1,\"Inbound\":83,\"C2S\":1,\"S2C\":2,\"longest_run\":2,\"overlapping_template_matching\":2,\"random_excursions\":2,\"random_excursions_variant\":2,\"poker_detect\":2,\"runs_distribution\":2,\"self_correlation\":2,\"binary_derivative\":2}",
+ 		"common_flags_4":	2123423892,
+ 		"common_flags_str_4":	"[CBR Streaming,Server is Local,Inbound,Bidirectional]",
+ 		"common_flags_identify_info_4":	"{\"CBR Streaming\":3634,\"Server is Local\":1,\"Inbound\":83,\"C2S\":1,\"S2C\":2,\"Bidirectional\":3808,\"longest_run\":2,\"overlapping_template_matching\":2,\"random_excursions\":2,\"random_excursions_variant\":2,\"poker_detect\":2,\"runs_distribution\":2,\"self_correlation\":2,\"binary_derivative\":2}",
+ 		"name":	"base_0"
+	}
+]
+\ No newline at end of file
diff --git a/test/decoders/session_flags/pcap/wechat_voice_call.pcap b/test/decoders/session_flags/pcap/wechat_voice_call.pcap
new file mode 100644
index 0000000..4690892
--- /dev/null
+++ b/test/decoders/session_flags/pcap/wechat_voice_call.pcap
diff --git a/test/decoders/session_flags/pcap/youtube-quic.pcap b/test/decoders/session_flags/pcap/youtube-quic.pcap
new file mode 100644
index 0000000..b6ae0cd
--- /dev/null
+++ b/test/decoders/session_flags/pcap/youtube-quic.pcap
diff --git a/test/decoders/session_flags/pcap/youtube.json b/test/decoders/session_flags/pcap/youtube.json
new file mode 100644
index 0000000..6c055db
--- /dev/null
+++ b/test/decoders/session_flags/pcap/youtube.json
@@ -0,0 +1,20 @@
+[
+	{
+		"common_flags_0":	8200,
+ 		"common_flags_str_0":	"[Client is Local]",
+ 		"common_flags_identify_info_0":	"{\"Client is Local\":1,\"C2S\":1}",
+ 		"common_flags_1":	1991270408,
+ 		"common_flags_str_1":	"[Client is Local]",
+		"common_flags_identify_info_1":	"{\"Client is Local\":1,\"C2S\":1,\"S2C\":2,\"longest_run\":2,\"rank\":2,\"overlapping_template_matching\":2,\"random_excursions\":2,\"random_excursions_variant\":2,\"runs_distribution\":2,\"self_correlation\":2,\"binary_derivative\":2}",
+		"common_flags_2":	1991271560,
+ 		"common_flags_str_2":	"[Client is Local,Inbound,Streaming]",
+ 		"common_flags_identify_info_2":	"{\"Client is Local\":1,\"Inbound\":633,\"Streaming\":633,\"C2S\":1,\"S2C\":2,\"longest_run\":2,\"rank\":2,\"overlapping_template_matching\":2,\"random_excursions\":2,\"random_excursions_variant\":2,\"runs_distribution\":2,\"self_correlation\":2,\"binary_derivative\":2}",
+ 		"common_flags_3":	1991271562,
+ 		"common_flags_str_3":	"[Bulky,Client is Local,Inbound,Streaming]",
+ 		"common_flags_identify_info_3":	"{\"Bulky\":635,\"Client is Local\":1,\"Inbound\":633,\"Streaming\":633,\"C2S\":1,\"S2C\":2,\"longest_run\":2,\"rank\":2,\"overlapping_template_matching\":2,\"random_excursions\":2,\"random_excursions_variant\":2,\"runs_distribution\":2,\"self_correlation\":2,\"binary_derivative\":2}",
+ 		"common_flags_4":	1991271566,
+ 		"common_flags_str_4":	"[Bulky,CBR Streaming,Client is Local,Inbound,Streaming]",
+ 		"common_flags_identify_info_4":	"{\"Bulky\":635,\"CBR Streaming\":7070,\"Client is Local\":1,\"Inbound\":633,\"Streaming\":633,\"C2S\":1,\"S2C\":2,\"longest_run\":2,\"rank\":2,\"overlapping_template_matching\":2,\"random_excursions\":2,\"random_excursions_variant\":2,\"runs_distribution\":2,\"self_correlation\":2,\"binary_derivative\":2}",
+ 		"name":	"base_0"
+	}
+]
+\ No newline at end of file
diff --git a/test/decoders/session_flags/plugin_test_main.cpp b/test/decoders/session_flags/plugin_test_main.cpp
new file mode 100644
index 0000000..8f3d996
--- /dev/null
+++ b/test/decoders/session_flags/plugin_test_main.cpp
@@ -0,0 +1,135 @@
+#include "cJSON.h"
+#include <gtest/gtest.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <assert.h>
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+#include "stellar/stellar.h"
+#ifdef __cplusplus
+}
+#endif
+
+// #define IGNORE_PRINTF
+#ifdef IGNORE_PRINTF
+#define printf(fmt, ...) (0)
+#endif
+static cJSON *g_test_result_root = NULL;
+static cJSON *g_load_result_root = NULL;
+static const char *result_json_path = NULL;
+
+extern "C" int commit_test_result_json(cJSON *node, const char *name)
+{
+	(void)name;
+	if (g_test_result_root)
+	{
+		// cJSON_AddItemToObject(g_test_result_root, name, node);
+		// cJSON_AddStringToObject(node, "name", name);
+		cJSON_AddItemToArray(g_test_result_root, node);
+		return 0;
+	}
+	return -1;
+}
+
+static cJSON *load_result_from_jsonfile(const char *json_path)
+{
+	if (json_path == NULL)
+		return NULL;
+
+	long file_len = 0;
+	char *file_content = NULL;
+	FILE *fp = NULL;
+
+	fp = fopen(json_path, "r+");
+	if (NULL == fp)
+	{
+		return NULL;
+	}
+	fseek(fp, 0, SEEK_END);
+	file_len = ftell(fp);
+	fseek(fp, 0, SEEK_SET);
+	if (file_len == 0)
+	{
+		fclose(fp);
+		return NULL;
+	}
+	file_content = (char *)malloc(file_len + 1);
+	fread(file_content, file_len, 1, fp);
+	file_content[file_len] = '\0';
+	cJSON *load = cJSON_Parse(file_content);
+	free(file_content);
+	fclose(fp);
+
+	return load;
+}
+
+TEST(PROTOCOL, compare_result_json)
+{
+	EXPECT_EQ(cJSON_GetArraySize(g_test_result_root), cJSON_GetArraySize(g_load_result_root));
+	int ret = cJSON_Compare(g_test_result_root, g_load_result_root, 0);
+	EXPECT_EQ(1, ret);
+
+	if (ret != 1)
+	{
+		char *load_json_str = cJSON_Print(g_load_result_root);
+		printf("LOAD Raw:\n%s\n", load_json_str);
+		free(load_json_str);
+		char *result_json_str = cJSON_Print(g_test_result_root);
+		printf("TEST Raw:\n%s\n", result_json_str);
+		free(result_json_str);
+
+		cJSON *t_load = g_load_result_root->child, *t_test = g_test_result_root->child;
+		while (t_load != NULL)
+		{
+			ret = cJSON_Compare(t_load, t_test, 0);
+			if (ret != 1)
+			{
+				load_json_str = cJSON_Print(t_load);
+				printf("LOAD Diff:\n%s\n", load_json_str);
+				free(load_json_str);
+				result_json_str = cJSON_Print(t_test);
+				printf("TEST Diff:\n%s\n", result_json_str);
+				free(result_json_str);
+				goto fail;
+			}
+			t_load = t_load->next;
+			t_test = t_test->next;
+		}
+	}
+	cJSON_Delete(g_load_result_root);
+	cJSON_Delete(g_test_result_root);
+	return;
+fail:
+	cJSON_Delete(g_load_result_root);
+	cJSON_Delete(g_test_result_root);
+	return;
+}
+
+int main(int argc, char *argv[])
+{
+	int ret = 0;
+	if (argc < 2)
+	{
+		printf("Usage: %s <result_json_path>\n", argv[0]);
+		result_json_path = NULL;
+	}
+	else
+	{
+		result_json_path = argv[1];
+		g_test_result_root = cJSON_CreateArray();
+		g_load_result_root = load_result_from_jsonfile(result_json_path);
+		assert(g_load_result_root != NULL && g_test_result_root != NULL);
+	}
+	::testing::InitGoogleTest(&argc, argv);
+	struct stellar *st = stellar_new("./conf/stellar.toml", "./plugin/spec.toml", "./conf/log.toml");
+	stellar_run(st);
+	if (result_json_path != NULL)
+	{
+		ret = RUN_ALL_TESTS();
+	}
+	stellar_free(st);
+	return ret;
+}
diff --git a/test/decoders/session_flags/session_flags_pcap_test.cpp b/test/decoders/session_flags/session_flags_pcap_test.cpp
new file mode 100644
index 0000000..14af115
--- /dev/null
+++ b/test/decoders/session_flags/session_flags_pcap_test.cpp
@@ -0,0 +1,630 @@
+#include <netinet/ip.h>
+#include <netinet/tcp.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <stellar/session.h>
+#include <time.h>
+#include <pcap/pcap.h>
+#include <pcap/sll.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include "session_flags_internal.h"
+#include "gtest/gtest.h"
+extern "C" {
+#include "dummy.h"
+}
+
+#define MAC_FRAME_HEADER_LEN    14
+#define IP_HEADER_LEN   20
+#define TCP_HEADER_LEN  20
+#define UDP_HEADER_LEN  8
+#define LINUX_COOKED_CAPTURE 20
+
+struct pcap_loop_arg
+{
+	pcap_t *pcap_handle;
+	struct session_flags_ctx *ctx;
+};
+
+struct session_flags_plugin_info *sf_plugin_info = NULL;
+
+extern int MESA_dir_link_to_human(int link_route_dir);
+extern char *session_flags_generate_firewall_message(uint64_t flags, uint32_t identify[session_flags_all_mask]);
+
+static inline size_t ts2ms(const timeval *ts)
+{
+	return ts->tv_sec * 1000 + ts->tv_usec / 1000;
+}
+
+static void pcap_handle_cb(pcap_loop_arg *userarg, const struct pcap_pkthdr *pkthdr, const u_char *packet)
+{
+	struct pcap_loop_arg *arg = (struct pcap_loop_arg *)userarg;
+	struct session sess;
+	int payload_len = 0;
+	char *payload = NULL;
+	unsigned short sport, dport;
+	unsigned short eth_proto_type;
+	unsigned char *ip_header;
+	int topic_id = 0;
+
+	memset(&sess, 0, sizeof(sess));
+
+	int data_link_type = pcap_datalink(arg->pcap_handle);
+	switch (data_link_type) {
+		case DLT_EN10MB:
+			eth_proto_type = ntohs(*(unsigned short *)(packet + 12));
+			ip_header = (unsigned char *)(packet + sizeof(struct ethhdr));
+			break;
+		case 276://DLT_LINUX_SLL2
+			eth_proto_type = ntohs(*(unsigned short *)packet);
+			ip_header = (unsigned char *)(packet + LINUX_COOKED_CAPTURE);
+			break;
+		default:
+			return;
+	}
+
+	if (eth_proto_type == ETH_P_IP) {
+		int l4_proto = *(unsigned char *)(ip_header + 9);
+		if (l4_proto == IPPROTO_TCP) {
+			topic_id = DUMMY_TCP_TOPIC_ID;
+			int ip_total_len = ntohs(*(unsigned short *)(ip_header + 2));
+			int ip_header_len = (*(unsigned char *)ip_header & 0x0f) * 4;
+			int tcp_header_len = 4 * ((*(unsigned char *)(ip_header + sizeof(iphdr) + 12) & 0xf0) >> 4);
+			payload_len = ip_total_len - ip_header_len - tcp_header_len;
+			payload = (char *)ip_header + ip_header_len + tcp_header_len;
+		} else if (l4_proto == IPPROTO_UDP) {
+			topic_id = DUMMY_UDP_TOPIC_ID;
+			payload_len = pkthdr->caplen - (ip_header - packet) - sizeof(iphdr) - sizeof(struct udphdr);
+			payload = (char *)ip_header + sizeof(iphdr) + sizeof(struct udphdr);
+		} else {
+			return;
+		}
+
+		sport = ntohs(*(unsigned short *)(ip_header + sizeof(iphdr) + 0));
+		dport = ntohs(*(unsigned short *)(ip_header + sizeof(iphdr) + 2));
+		
+	} else if (eth_proto_type == ETH_P_IPV6) {
+		int l4_proto = *(unsigned char *)(ip_header + 6);
+		if (l4_proto == IPPROTO_TCP) {
+			topic_id = DUMMY_TCP_TOPIC_ID;
+			int tcp_header_len = 4 * ((*(unsigned char *)(ip_header + sizeof(struct ip6_hdr) + 12) & 0xf0) >> 4);
+			payload_len = pkthdr->caplen - (ip_header - packet) - sizeof(struct ip6_hdr) - tcp_header_len;
+			payload = (char *)ip_header + sizeof(struct ip6_hdr) + tcp_header_len;
+		} else if (l4_proto == IPPROTO_UDP) {
+			topic_id = DUMMY_UDP_TOPIC_ID;
+			payload_len = pkthdr->caplen - (ip_header - packet) - sizeof(struct ip6_hdr) - sizeof(struct udphdr);
+			payload = (char *)ip_header + sizeof(struct ip6_hdr) + sizeof(struct udphdr);
+		} else {
+			return;
+		}
+
+		sport = ntohs(*(unsigned short *)(ip_header + sizeof(struct ip6_hdr) + 0));
+		dport = ntohs(*(unsigned short *)(ip_header + sizeof(struct ip6_hdr) + 2));
+	} else {
+		return;
+	}
+
+	session_set_current_payload(&sess, payload, payload_len);
+
+	if (sport > dport)
+	{
+		session_flags(sf_plugin_info, arg->ctx, &sess, topic_id, pkthdr->caplen, FLOW_TYPE_C2S, ts2ms(&pkthdr->ts));
+	}
+	else
+	{
+		session_flags(sf_plugin_info, arg->ctx, &sess, topic_id, pkthdr->caplen, FLOW_TYPE_S2C, ts2ms(&pkthdr->ts));
+	}
+
+}
+
+TEST(session_flags, bulky_and_download)
+{
+	char error[100];
+	struct pcap_loop_arg arg;
+	struct session_flags_ctx *ctx = (struct session_flags_ctx *)calloc(1, sizeof(struct session_flags_ctx));
+	pcap_t * handle = pcap_open_offline("pcap/ftp-data.pcap", error);
+	ASSERT_NE(handle, nullptr);
+
+	session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_OUTBOUND);
+
+	memset(&arg, 0, sizeof(arg));
+	arg.ctx = ctx;
+	arg.pcap_handle = handle;
+
+	pcap_loop(handle, -1, (pcap_handler)pcap_handle_cb, (u_char *)&arg);
+	
+	session_flags_result *flags_info = session_flags_get_flags(&ctx->stat);
+	EXPECT_EQ(flags_info->flags & SESSION_FLAGS_BULKY, SESSION_FLAGS_BULKY);
+	EXPECT_EQ(flags_info->identify[session_flags_bulky_mask], 2333);
+
+	EXPECT_EQ(flags_info->flags & SESSION_FLAGS_DOWNLOAD, SESSION_FLAGS_DOWNLOAD);
+	EXPECT_EQ(flags_info->identify[session_flags_download_mask], 2333);
+
+	pcap_close(handle);
+	free(ctx);
+}
+
+TEST(session_flags, CBR)
+{
+	char error[100];
+	struct pcap_loop_arg arg;
+	struct session_flags_ctx *ctx = (struct session_flags_ctx *)calloc(1, sizeof(struct session_flags_ctx));
+	pcap_t * handle = pcap_open_offline("pcap/youtube-quic.pcap", error);
+	ASSERT_NE(handle, nullptr);
+
+	session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_OUTBOUND);
+
+	memset(&arg, 0, sizeof(arg));
+	arg.ctx = ctx;
+	arg.pcap_handle = handle;
+
+	pcap_loop(handle, -1, (pcap_handler)pcap_handle_cb, (u_char *)&arg);
+	
+	struct session_flags_result *flags_info = session_flags_get_flags(&ctx->stat);
+	EXPECT_EQ(flags_info->flags & SESSION_FLAGS_CBR, SESSION_FLAGS_CBR);
+	EXPECT_EQ(flags_info->identify[session_flags_cbr_mask], 3351);
+
+	pcap_close(handle);
+	free(ctx);
+}
+
+TEST(session_flags, not_CBR_ftp)
+{
+	char error[100];
+	struct pcap_loop_arg arg;
+	struct session_flags_ctx *ctx = (struct session_flags_ctx *)calloc(1, sizeof(struct session_flags_ctx));
+	pcap_t * handle = pcap_open_offline("pcap/ftp-data.pcap", error);
+	ASSERT_NE(handle, nullptr);
+
+	session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_OUTBOUND);
+
+	memset(&arg, 0, sizeof(arg));
+	arg.ctx = ctx;
+	arg.pcap_handle = handle;
+
+	pcap_loop(handle, -1, (pcap_handler)pcap_handle_cb, (u_char *)&arg);
+	
+	struct session_flags_result *flags_info = session_flags_get_flags(&ctx->stat);
+	EXPECT_NE(flags_info->flags & SESSION_FLAGS_CBR, SESSION_FLAGS_CBR);
+
+	pcap_close(handle);
+	free(ctx);
+}
+
+TEST(session_flags, not_CBR_dtls)
+{
+	char error[100];
+	struct pcap_loop_arg arg;
+	struct session_flags_ctx *ctx = (struct session_flags_ctx *)calloc(1, sizeof(struct session_flags_ctx));
+	pcap_t * handle = pcap_open_offline("pcap/bilibili-dtls.pcap", error);
+	ASSERT_NE(handle, nullptr);
+
+	session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_OUTBOUND);
+
+	memset(&arg, 0, sizeof(arg));
+	arg.ctx = ctx;
+	arg.pcap_handle = handle;
+
+	pcap_loop(handle, -1, (pcap_handler)pcap_handle_cb, (u_char *)&arg);
+	
+	struct session_flags_result *flags_info = session_flags_get_flags(&ctx->stat);
+	EXPECT_NE(flags_info->flags & SESSION_FLAGS_CBR, SESSION_FLAGS_CBR);
+	
+	pcap_close(handle);
+	free(ctx);
+}
+
+TEST(session_flags, server_is_local)
+{
+	char error[100];
+	struct pcap_loop_arg arg;
+	struct session_flags_ctx *ctx = (struct session_flags_ctx *)calloc(1, sizeof(struct session_flags_ctx));
+	// session_flags_ip(sf, inet_addr("192.168.1.1"), inet_addr("127.0.0.1"), inet_addr("192.168.1.1"));
+	pcap_t * handle = pcap_open_offline("pcap/ftp-data.pcap", error);
+	ASSERT_NE(handle, nullptr);
+
+	session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_INBOUND);
+
+	memset(&arg, 0, sizeof(arg));
+	arg.ctx = ctx;
+	arg.pcap_handle = handle;
+
+	pcap_loop(handle, -1, (pcap_handler)pcap_handle_cb, (u_char *)&arg);
+
+	struct session_flags_result *flags_info = session_flags_get_flags(&ctx->stat);
+	EXPECT_EQ(flags_info->flags & SESSION_FLAGS_LOCAL_SERVER, SESSION_FLAGS_LOCAL_SERVER);
+	EXPECT_EQ(flags_info->identify[session_flags_local_server_mask], 1);
+
+	EXPECT_NE(flags_info->flags & SESSION_FLAGS_LOCAL_CLIENT, SESSION_FLAGS_LOCAL_CLIENT);
+	
+	pcap_close(handle);
+	free(ctx);
+}
+
+TEST(session_flags, client_is_local)
+{
+	char error[100];
+	struct pcap_loop_arg arg;
+	struct session_flags_ctx *ctx = (struct session_flags_ctx *)calloc(1, sizeof(struct session_flags_ctx));
+	pcap_t * handle = pcap_open_offline("pcap/ftp-data.pcap", error);
+	ASSERT_NE(handle, nullptr);
+
+	session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_OUTBOUND);
+
+	memset(&arg, 0, sizeof(arg));
+	arg.ctx = ctx;
+	arg.pcap_handle = handle;
+
+	pcap_loop(handle, -1, (pcap_handler)pcap_handle_cb, (u_char *)&arg);
+
+	struct session_flags_result *flags_info = session_flags_get_flags(&ctx->stat);
+	EXPECT_NE(flags_info->flags & SESSION_FLAGS_LOCAL_SERVER, SESSION_FLAGS_LOCAL_SERVER);
+
+	EXPECT_EQ(flags_info->flags & SESSION_FLAGS_LOCAL_CLIENT, SESSION_FLAGS_LOCAL_CLIENT);
+	EXPECT_EQ(flags_info->identify[session_flags_local_client_mask], 1);
+	
+	pcap_close(handle);
+	free(ctx);
+}
+
+TEST(session_flags, inbound)
+{
+	char error[100];
+	struct pcap_loop_arg arg;
+	struct session_flags_ctx *ctx = (struct session_flags_ctx *)calloc(1, sizeof(struct session_flags_ctx));
+	pcap_t * handle = pcap_open_offline("pcap/ftp-data.pcap", error);
+	ASSERT_NE(handle, nullptr);
+
+	session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_OUTBOUND);
+
+	memset(&arg, 0, sizeof(arg));
+	arg.ctx = ctx;
+	arg.pcap_handle = handle;
+
+	pcap_loop(handle, -1, (pcap_handler)pcap_handle_cb, (u_char *)&arg);
+	
+	struct session_flags_result *flags_info = session_flags_get_flags(&ctx->stat);
+	EXPECT_EQ(flags_info->flags & SESSION_FLAGS_LOCAL_CLIENT, SESSION_FLAGS_LOCAL_CLIENT);
+	EXPECT_EQ(flags_info->identify[session_flags_local_client_mask], 1);
+
+	EXPECT_EQ(flags_info->flags & SESSION_FLAGS_INBOUND, SESSION_FLAGS_INBOUND);
+	EXPECT_EQ(flags_info->identify[session_flags_inbound_mask], 1834);
+
+	EXPECT_NE(flags_info->flags & SESSION_FLAGS_OUTBOUND, SESSION_FLAGS_OUTBOUND);
+	EXPECT_NE(flags_info->flags & SESSION_FLAGS_LOCAL_SERVER, SESSION_FLAGS_LOCAL_SERVER);
+	
+	pcap_close(handle);
+	free(ctx);
+}
+
+TEST(session_flags, outbound)
+{
+	char error[100];
+	struct pcap_loop_arg arg;
+	struct session_flags_ctx *ctx = (struct session_flags_ctx *)calloc(1, sizeof(struct session_flags_ctx));
+	pcap_t * handle = pcap_open_offline("pcap/ftp-data.pcap", error);
+	ASSERT_NE(handle, nullptr);
+
+	session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_INBOUND);
+
+	memset(&arg, 0, sizeof(arg));
+	arg.ctx = ctx;
+	arg.pcap_handle = handle;
+
+	pcap_loop(handle, -1, (pcap_handler)pcap_handle_cb, (u_char *)&arg);
+	
+	struct session_flags_result *flags_info = session_flags_get_flags(&ctx->stat);
+	EXPECT_EQ(flags_info->flags & SESSION_FLAGS_LOCAL_SERVER, SESSION_FLAGS_LOCAL_SERVER);
+	EXPECT_EQ(flags_info->identify[session_flags_local_server_mask], 1);
+	
+	EXPECT_EQ(flags_info->flags & SESSION_FLAGS_OUTBOUND, SESSION_FLAGS_OUTBOUND);
+	EXPECT_EQ(flags_info->identify[session_flags_outbound_mask], 1834);
+
+	EXPECT_NE(flags_info->flags & SESSION_FLAGS_LOCAL_CLIENT, SESSION_FLAGS_LOCAL_CLIENT);
+	EXPECT_NE(flags_info->flags & SESSION_FLAGS_INBOUND, SESSION_FLAGS_INBOUND);
+	
+	pcap_close(handle);
+	free(ctx);
+}
+
+TEST(session_flags, not_streaming)
+{
+	char error[100];
+	struct pcap_loop_arg arg;
+	struct session_flags_ctx *ctx = (struct session_flags_ctx *)calloc(1, sizeof(struct session_flags_ctx));
+	pcap_t * handle = pcap_open_offline("pcap/1-dtls.192.168.44.32.pcap", error);
+	ASSERT_NE(handle, nullptr);
+
+	session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_OUTBOUND);
+
+	memset(&arg, 0, sizeof(arg));
+	arg.ctx = ctx;
+	arg.pcap_handle = handle;
+
+	pcap_loop(handle, -1, (pcap_handler)pcap_handle_cb, (u_char *)&arg);
+	
+	struct session_flags_result *flags_info = session_flags_get_flags(&ctx->stat);
+	EXPECT_NE(flags_info->flags & SESSION_FLAGS_STREAMING, SESSION_FLAGS_STREAMING);
+	EXPECT_NE(flags_info->flags & SESSION_FLAGS_PSEUDO_UNIDIRECTIONAL, SESSION_FLAGS_PSEUDO_UNIDIRECTIONAL);
+	EXPECT_NE(flags_info->flags & SESSION_FLAGS_UNIDIRECTIONAL, SESSION_FLAGS_UNIDIRECTIONAL);
+	
+	pcap_close(handle);
+	free(ctx);
+}
+
+TEST(session_flags, streaming_pseudo_unidirectional_unidirectional)
+{
+	char error[100];
+	struct pcap_loop_arg arg;
+	struct session_flags_ctx *ctx = (struct session_flags_ctx *)calloc(1, sizeof(struct session_flags_ctx));
+	pcap_t * handle = pcap_open_offline("pcap/ftp-data.pcap", error);
+	ASSERT_NE(handle, nullptr);
+
+	session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_OUTBOUND);
+
+	memset(&arg, 0, sizeof(arg));
+	arg.ctx = ctx;
+	arg.pcap_handle = handle;
+
+	pcap_loop(handle, -1, (pcap_handler)pcap_handle_cb, (u_char *)&arg);
+	
+	struct session_flags_result *flags_info = session_flags_get_flags(&ctx->stat);
+	EXPECT_EQ(flags_info->flags & SESSION_FLAGS_STREAMING, SESSION_FLAGS_STREAMING);
+	EXPECT_EQ(flags_info->identify[session_flags_streaming_mask], 2333);
+
+	EXPECT_EQ(flags_info->flags & SESSION_FLAGS_PSEUDO_UNIDIRECTIONAL, SESSION_FLAGS_PSEUDO_UNIDIRECTIONAL);
+	EXPECT_EQ(flags_info->identify[session_flags_pseudo_unidirectional_mask], 2333);
+
+	EXPECT_EQ(flags_info->flags & SESSION_FLAGS_UNIDIRECTIONAL, SESSION_FLAGS_UNIDIRECTIONAL);
+	EXPECT_EQ(flags_info->identify[session_flags_unidirectional_mask], 1834);
+	
+	pcap_close(handle);
+	free(ctx);
+}
+
+TEST(session_flags, interactive)
+{
+	char error[100];
+	struct pcap_loop_arg arg;
+	struct session_flags_ctx *ctx = (struct session_flags_ctx *)calloc(1, sizeof(struct session_flags_ctx));
+	pcap_t * handle = pcap_open_offline("pcap/ssh-interactive.pcap", error);
+	ASSERT_NE(handle, nullptr);
+
+	session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_OUTBOUND);
+
+	memset(&arg, 0, sizeof(arg));
+	arg.ctx = ctx;
+	arg.pcap_handle = handle;
+
+	pcap_loop(handle, -1, (pcap_handler)pcap_handle_cb, (u_char *)&arg);
+	
+	struct session_flags_result *flags_info = session_flags_get_flags(&ctx->stat);
+	EXPECT_EQ(flags_info->flags & SESSION_FLAGS_INTERACTIVE, SESSION_FLAGS_INTERACTIVE);
+	EXPECT_EQ(flags_info->identify[session_flags_interactive_mask], 52);
+
+	pcap_close(handle);
+	free(ctx);
+}
+
+TEST(session_flags, not_interactive)
+{
+	char error[100];
+	struct pcap_loop_arg arg;
+	struct session_flags_ctx *ctx = (struct session_flags_ctx *)calloc(1, sizeof(struct session_flags_ctx));
+	pcap_t * handle = pcap_open_offline("pcap/youtube-quic.pcap", error);
+	ASSERT_NE(handle, nullptr);
+
+	session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_OUTBOUND);
+
+	memset(&arg, 0, sizeof(arg));
+	arg.ctx = ctx;
+	arg.pcap_handle = handle;
+
+	pcap_loop(handle, -1, (pcap_handler)pcap_handle_cb, (u_char *)&arg);
+	
+	struct session_flags_result *flags_info = session_flags_get_flags(&ctx->stat);
+	EXPECT_NE(flags_info->flags & SESSION_FLAGS_INTERACTIVE, SESSION_FLAGS_INTERACTIVE);
+
+	pcap_close(handle);
+	free(ctx);
+}
+
+TEST(session_flags, random_looking_flags_telegram_mtproto_ipv4_key_1)
+{
+	char error[100];
+	struct pcap_loop_arg arg;
+	struct session_flags_ctx *ctx = (struct session_flags_ctx *)calloc(1, sizeof(struct session_flags_ctx));
+	pcap_t * handle = pcap_open_offline("pcap/telegram_mtproto_ipv4_key_1.pcap", error);
+	ASSERT_NE(handle, nullptr);
+
+	session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_OUTBOUND);
+
+	memset(&arg, 0, sizeof(arg));
+	arg.ctx = ctx;
+	arg.pcap_handle = handle;
+
+	pcap_loop(handle, -1, (pcap_handler)pcap_handle_cb, (u_char *)&arg);
+
+	struct session_flags_result *flags_info = session_flags_get_flags(&ctx->stat);
+
+	EXPECT_EQ(flags_info->flags & SESSION_FLAGS_RANDOM_LOOKING, SESSION_FLAGS_RANDOM_LOOKING);
+#if 0
+	EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_FREQUENCY, SESSION_FLAGS_FREQUENCY);
+	EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_BLOCK_FREQUENCY, SESSION_FLAGS_BLOCK_FREQUENCY);
+	EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_CUMULATIVE_SUMS, SESSION_FLAGS_CUMULATIVE_SUMS);
+	EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_RUNS, SESSION_FLAGS_RUNS);
+	EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_LONGEST_RUN, SESSION_FLAGS_LONGEST_RUN);
+	EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_RANK, 0);
+	EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_NON_OVERLAPPING_TEMPLATE_MATCHING, 0);
+	EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_OVERLAPPING_TEMPLATE_MATCHING, SESSION_FLAGS_OVERLAPPING_TEMPLATE_MATCHING);
+	EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_UNIVERSAL, 0);
+	EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_RANDOM_EXCURSIONS, SESSION_FLAGS_RANDOM_EXCURSIONS);
+	EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_RANDOM_EXCURSIONS_VARIANT, SESSION_FLAGS_RANDOM_EXCURSIONS_VARIANT);
+	EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_POKER_DETECT, SESSION_FLAGS_POKER_DETECT);
+	EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_RUNS_DISTRIBUTION, SESSION_FLAGS_RUNS_DISTRIBUTION);
+	EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_SELF_CORRELATION, SESSION_FLAGS_SELF_CORRELATION);
+	EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_BINARY_DERIVATIVE, SESSION_FLAGS_BINARY_DERIVATIVE);
+#endif
+
+	pcap_close(handle);
+	free(ctx);
+}
+
+TEST(session_flags, random_looking_flags_telegram_mtproto_ipv6_key_1)
+{
+	char error[100];
+	struct pcap_loop_arg arg;
+	struct session_flags_ctx *ctx = (struct session_flags_ctx *)calloc(1, sizeof(struct session_flags_ctx));
+	pcap_t * handle = pcap_open_offline("pcap/telegram_mtproto_ipv6_key_1.pcap", error);
+	ASSERT_NE(handle, nullptr);
+
+	session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_OUTBOUND);
+
+	memset(&arg, 0, sizeof(arg));
+	arg.ctx = ctx;
+	arg.pcap_handle = handle;
+
+	pcap_loop(handle, -1, (pcap_handler)pcap_handle_cb, (u_char *)&arg);
+
+	struct session_flags_result *flags_info = session_flags_get_flags(&ctx->stat);
+
+	EXPECT_EQ(flags_info->flags & SESSION_FLAGS_RANDOM_LOOKING, SESSION_FLAGS_RANDOM_LOOKING);
+
+#if 0
+	EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_FREQUENCY, SESSION_FLAGS_FREQUENCY);
+	EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_BLOCK_FREQUENCY, SESSION_FLAGS_BLOCK_FREQUENCY);
+	EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_CUMULATIVE_SUMS, SESSION_FLAGS_CUMULATIVE_SUMS);
+	EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_RUNS, SESSION_FLAGS_RUNS);
+	EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_LONGEST_RUN, SESSION_FLAGS_LONGEST_RUN);
+	EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_RANK, 0);
+	EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_NON_OVERLAPPING_TEMPLATE_MATCHING, 0);
+	EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_OVERLAPPING_TEMPLATE_MATCHING, SESSION_FLAGS_OVERLAPPING_TEMPLATE_MATCHING);
+	EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_UNIVERSAL, 0);
+	EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_RANDOM_EXCURSIONS, SESSION_FLAGS_RANDOM_EXCURSIONS);
+	EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_RANDOM_EXCURSIONS_VARIANT, SESSION_FLAGS_RANDOM_EXCURSIONS_VARIANT);
+	EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_POKER_DETECT, SESSION_FLAGS_POKER_DETECT);
+	EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_RUNS_DISTRIBUTION, SESSION_FLAGS_RUNS_DISTRIBUTION);
+	EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_SELF_CORRELATION, SESSION_FLAGS_SELF_CORRELATION);
+	EXPECT_EQ(flags_info->random_looking_flags & SESSION_FLAGS_BINARY_DERIVATIVE, SESSION_FLAGS_BINARY_DERIVATIVE);
+#endif
+
+	pcap_close(handle);
+	free(ctx);
+}
+
+TEST(session_flags, bidirectional)
+{
+	char error[100];
+	struct pcap_loop_arg arg;
+	struct session_flags_ctx *ctx = (struct session_flags_ctx *)calloc(1, sizeof(struct session_flags_ctx));
+	pcap_t *handle = pcap_open_offline("pcap/wechat_voice_call.pcap", error);
+	ASSERT_NE(handle, nullptr);
+
+	session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_INBOUND);
+
+	memset(&arg, 0, sizeof(arg));
+	arg.ctx = ctx;
+	arg.pcap_handle = handle;
+
+	pcap_loop(handle, -1, (pcap_handler)pcap_handle_cb, (u_char *)&arg);
+
+	struct session_flags_result *flags_info = session_flags_get_flags(&ctx->stat);
+
+	EXPECT_EQ(flags_info->flags & SESSION_FLAGS_BIDIRECTIONAL, SESSION_FLAGS_BIDIRECTIONAL);
+
+	pcap_close(handle);
+	free(ctx);
+}
+
+TEST(session_flags, tunneling_tls_fet)
+{
+	char error[100];
+	struct pcap_loop_arg arg;
+	struct session_flags_ctx *ctx = (struct session_flags_ctx *)calloc(1, sizeof(struct session_flags_ctx));
+	pcap_t *handle = pcap_open_offline("pcap/tls1.2_no_reuse.pcap", error);
+	ASSERT_NE(handle, nullptr);
+
+	session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_OUTBOUND);
+	tunneling_hs_stream_init(sf_plugin_info, ctx);
+
+	memset(&arg, 0, sizeof(arg));
+	arg.ctx = ctx;
+	arg.pcap_handle = handle;
+
+	pcap_loop(handle, -1, (pcap_handler)pcap_handle_cb, (u_char *)&arg);
+
+	struct session_flags_result *flags_info = session_flags_get_flags(&ctx->stat);
+
+	EXPECT_EQ(flags_info->flags & SESSION_FLAGS_TUNNELING, SESSION_FLAGS_TUNNELING);
+
+	tunneling_hs_stream_free(ctx);
+	pcap_close(handle);
+	free(ctx);
+}
+
+TEST(session_flags, tunneling_tls_over_tls)
+{
+	char error[100];
+	struct pcap_loop_arg arg;
+	struct session_flags_ctx *ctx = (struct session_flags_ctx *)calloc(1, sizeof(struct session_flags_ctx));
+	pcap_t *handle = pcap_open_offline("pcap/tls_over_tls_1.2_no_reuse.pcap", error);
+	ASSERT_NE(handle, nullptr);
+
+	session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_OUTBOUND);
+	tunneling_hs_stream_init(sf_plugin_info, ctx);
+
+	memset(&arg, 0, sizeof(arg));
+	arg.ctx = ctx;
+	arg.pcap_handle = handle;
+
+	pcap_loop(handle, -1, (pcap_handler)pcap_handle_cb, (u_char *)&arg);
+
+	struct session_flags_result *flags_info = session_flags_get_flags(&ctx->stat);
+
+	EXPECT_EQ(flags_info->flags & SESSION_FLAGS_TUNNELING, SESSION_FLAGS_TUNNELING);
+
+	tunneling_hs_stream_free(ctx);
+	pcap_close(handle);
+	free(ctx);
+}
+
+TEST(session_flags, tunneling_tls)
+{
+	char error[100];
+	struct pcap_loop_arg arg;
+	struct session_flags_ctx *ctx = (struct session_flags_ctx *)calloc(1, sizeof(struct session_flags_ctx));
+	pcap_t *handle = pcap_open_offline("pcap/tls1.2.pcapng", error);
+	ASSERT_NE(handle, nullptr);
+
+	session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_OUTBOUND);
+	tunneling_hs_stream_init(sf_plugin_info, ctx);
+
+	memset(&arg, 0, sizeof(arg));
+	arg.ctx = ctx;
+	arg.pcap_handle = handle;
+
+	pcap_loop(handle, -1, (pcap_handler)pcap_handle_cb, (u_char *)&arg);
+
+	struct session_flags_result *flags_info = session_flags_get_flags(&ctx->stat);
+
+	EXPECT_NE(flags_info->flags & SESSION_FLAGS_TUNNELING, SESSION_FLAGS_TUNNELING);
+
+	tunneling_hs_stream_free(ctx);
+	pcap_close(handle);
+	free(ctx);
+}
+
+int main(int argc, char **argv)
+{
+	testing::InitGoogleTest(&argc, argv);
+
+	sf_plugin_info = (struct session_flags_plugin_info *)session_flags_plugin_init(NULL);
+	sf_plugin_info->log_handle = NULL;
+	
+	int result = RUN_ALL_TESTS();
+
+	session_flags_plugin_exit(sf_plugin_info);
+
+	return result;
+}
+\ No newline at end of file
diff --git a/test/decoders/session_flags/session_flags_static_test.cpp b/test/decoders/session_flags/session_flags_static_test.cpp
new file mode 100644
index 0000000..d415807
--- /dev/null
+++ b/test/decoders/session_flags/session_flags_static_test.cpp
@@ -0,0 +1,494 @@
+#include <cstring>
+#include <stdio.h>
+#include <stdlib.h>
+#include <time.h>
+#include <stellar/session.h>
+#include "session_flags_internal.h"
+#include "gtest/gtest.h"
+
+extern "C" {
+#include "dummy.h"
+}
+
+struct session_flags_plugin_info *sf_plugin_info = NULL;
+
+TEST(session_flags_static, bulky)
+{
+	struct session_flags_ctx *ctx = (struct session_flags_ctx*)calloc(1, sizeof(struct session_flags_ctx));
+	struct session sess;
+
+	memset(&sess, 0, sizeof(sess));
+	session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_OUTBOUND);
+
+	int cur_time_ms = 1;
+	for (int i = 0; i < 100; i++)
+	{
+		for (int j = 0; j < 96; j++)
+		{
+			session_set_current_payload(&sess, NULL, 100);
+			session_flags(sf_plugin_info, ctx, &sess, DUMMY_UDP_TOPIC_ID, 1001, FLOW_TYPE_C2S, cur_time_ms);
+			cur_time_ms++;
+
+			session_set_current_payload(&sess, NULL, 0);
+			session_flags(sf_plugin_info, ctx, &sess, DUMMY_TCP_TOPIC_ID, 66, FLOW_TYPE_S2C, cur_time_ms);
+			cur_time_ms++;
+		}
+		for (int j = 0; j < 4; j++)
+		{
+			session_set_current_payload(&sess, NULL, 100);
+			session_flags(sf_plugin_info, ctx, &sess, DUMMY_UDP_TOPIC_ID, 100, FLOW_TYPE_S2C, cur_time_ms);
+			cur_time_ms++;
+		}
+	}
+	struct session_flags_result *flags_info = session_flags_get_flags(&ctx->stat);
+	EXPECT_EQ(flags_info->flags & SESSION_FLAGS_BULKY, SESSION_FLAGS_BULKY);
+	EXPECT_EQ(flags_info->identify[session_flags_bulky_mask], 6001);
+
+	//char *identify_str = session_flags_generate_firewall_message(flags_info->flags, flags_info->identify);
+	//EXPECT_STREQ("{\"Bulky\":196,\"Client is Local\":1,\"Outbound\":196,\"C2S\":1,\"S2C\":2}", identify_str);
+	//free(identify_str);
+	free(ctx);
+}
+
+TEST(session_flags_static, download_gt_95)
+{
+	struct session_flags_ctx *ctx = (struct session_flags_ctx*)calloc(1, sizeof(struct session_flags_ctx));
+	struct session sess;
+
+	memset(&sess, 0, sizeof(sess));
+	session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_OUTBOUND);
+
+	int cur_time_ms = 1;
+	for (int i = 0; i < 100; i++)
+	{
+		for (int j = 0; j < 96; j++)
+		{
+			session_set_current_payload(&sess, NULL, 100);
+			session_flags(sf_plugin_info, ctx, &sess, DUMMY_UDP_TOPIC_ID, 1001, FLOW_TYPE_C2S, cur_time_ms);
+			cur_time_ms++;
+
+			session_set_current_payload(&sess, NULL, 0);
+			session_flags(sf_plugin_info, ctx, &sess, DUMMY_UDP_TOPIC_ID, 66, FLOW_TYPE_S2C, cur_time_ms);
+			cur_time_ms++;
+		}
+		for (int j = 0; j < 4; j++)
+		{
+			session_set_current_payload(&sess, NULL, 100);
+			session_flags(sf_plugin_info, ctx, &sess, DUMMY_UDP_TOPIC_ID, 100, FLOW_TYPE_S2C, cur_time_ms);
+			cur_time_ms++;
+		}
+	}
+
+	struct session_flags_result *flags_info = session_flags_get_flags(&ctx->stat);
+	EXPECT_EQ(flags_info->flags & SESSION_FLAGS_DOWNLOAD, SESSION_FLAGS_DOWNLOAD);
+	EXPECT_EQ(flags_info->identify[session_flags_download_mask], 6001);
+
+	//char *identify_str = session_flags_generate_firewall_message(flags_info->flags, flags_info->identify);
+	//EXPECT_STREQ("{\"Bulky\":195,\"Client is Local\":1,\"Outbound\":195,\"Streaming\":195,\"C2S\":1,\"S2C\":2}", identify_str);
+	//free(identify_str);
+	free(ctx);
+}
+
+TEST(session_flags_static, download_lt_95)
+{
+	struct session_flags_ctx *ctx = (struct session_flags_ctx*)calloc(1, sizeof(struct session_flags_ctx));
+	struct session sess;
+
+	memset(&sess, 0, sizeof(sess));
+	session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_OUTBOUND);
+
+	int cur_time_ms = 1;
+	for (int i = 0; i < 100; i++)
+	{
+		for (int j = 0; j < 94; j++)
+		{
+			session_set_current_payload(&sess, NULL, 100);
+			session_flags(sf_plugin_info, ctx, &sess, DUMMY_UDP_TOPIC_ID, 1001, FLOW_TYPE_C2S, cur_time_ms);
+			cur_time_ms++;
+
+			session_set_current_payload(&sess, NULL, 0);
+			session_flags(sf_plugin_info, ctx, &sess, DUMMY_UDP_TOPIC_ID, 66, FLOW_TYPE_S2C, cur_time_ms);
+			cur_time_ms++;
+		}
+		for (int j = 0; j < 6; j++)
+		{
+			session_set_current_payload(&sess, NULL, 100);
+			session_flags(sf_plugin_info, ctx, &sess, DUMMY_UDP_TOPIC_ID, 100, FLOW_TYPE_S2C, cur_time_ms);
+			cur_time_ms++;
+		}
+	}
+
+	struct session_flags_result *flags_info = session_flags_get_flags(&ctx->stat);
+	EXPECT_NE(flags_info->flags & SESSION_FLAGS_DOWNLOAD, SESSION_FLAGS_DOWNLOAD);
+
+	//char *identify_str = session_flags_generate_firewall_message(flags_info->flags, flags_info->identify);
+	//EXPECT_STREQ("{\"Bulky\":195,\"Client is Local\":1,\"Outbound\":195,\"Streaming\":195,\"C2S\":1,\"S2C\":2}", identify_str);
+	//free(identify_str);
+	free(ctx);
+}
+
+TEST(session_flags_static, CBR_lt_1s)
+{
+	struct session_flags_ctx *ctx = (struct session_flags_ctx*)calloc(1, sizeof(struct session_flags_ctx));
+	struct session sess;
+
+	memset(&sess, 0, sizeof(sess));
+	session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_OUTBOUND);
+
+	srandom(time(NULL));
+	int std_bytes = 1000;
+	int cur_time_ms = 1;
+	for (int i = 0; i < 100; i++)
+	{
+		long delta = random() % 200;
+		session_set_current_payload(&sess, NULL, 100);
+		session_flags(sf_plugin_info, ctx, &sess, DUMMY_TCP_TOPIC_ID, std_bytes + delta, FLOW_TYPE_C2S, cur_time_ms++);
+
+		session_set_current_payload(&sess, NULL, 0);
+		session_flags(sf_plugin_info, ctx, &sess, DUMMY_TCP_TOPIC_ID, 66, FLOW_TYPE_S2C, cur_time_ms++);
+	}
+	struct session_flags_result *flags_info = session_flags_get_flags(&ctx->stat);
+	EXPECT_NE(flags_info->flags & SESSION_FLAGS_CBR, SESSION_FLAGS_CBR);
+
+	//char *identify_str = session_flags_generate_firewall_message(flags_info->flags, flags_info->identify);
+	//EXPECT_STREQ("{\"Bulky\":200,\"Client is Local\":1,\"Download\":200,\"Outbound\":200,\"Pseudo Unidirectional\":200,\"Streaming\":200,\"Unidirectional\":200,\"C2S\":1,\"S2C\":2}", identify_str);
+	//free(identify_str);
+	free(ctx);
+}
+
+TEST(session_flags_static, CBR)
+{
+	struct session_flags_ctx *ctx = (struct session_flags_ctx*)calloc(1, sizeof(struct session_flags_ctx));
+	struct session sess;
+
+	memset(&sess, 0, sizeof(sess));
+	session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_OUTBOUND);
+
+	srandom(time(NULL));
+	for (uint64_t cur_time_ms = 1; cur_time_ms < 11000; cur_time_ms += 10)
+	{
+		long delta = random() % 200;
+		session_set_current_payload(&sess, NULL, 100);
+		session_flags(sf_plugin_info, ctx, &sess, DUMMY_TCP_TOPIC_ID, 1000 + delta, FLOW_TYPE_C2S, cur_time_ms);
+
+		session_set_current_payload(&sess, NULL, 0);
+		session_flags(sf_plugin_info, ctx, &sess, DUMMY_TCP_TOPIC_ID, 66, FLOW_TYPE_S2C, cur_time_ms);
+	}
+	struct session_flags_result *flags_info = session_flags_get_flags(&ctx->stat);
+	EXPECT_EQ(flags_info->flags & SESSION_FLAGS_CBR, SESSION_FLAGS_CBR);
+	EXPECT_EQ(flags_info->identify[session_flags_cbr_mask], 1001);
+	
+	//char *identify_str = session_flags_generate_firewall_message(flags_info->flags, flags_info->identify);
+	//EXPECT_STREQ("{\"Bulky\":201,\"CBR Streaming\":2021,\"Client is Local\":1,\"Download\":201,\"Outbound\":201,\"Pseudo Unidirectional\":201,\"Streaming\":201,\"Unidirectional\":201,\"C2S\":1,\"S2C\":2}", identify_str);
+	//free(identify_str);
+	free(ctx);
+}
+
+TEST(session_flags_static, not_CBR)
+{
+	struct session_flags_ctx *ctx = (struct session_flags_ctx*)calloc(1, sizeof(struct session_flags_ctx));
+	struct session sess;
+
+	memset(&sess, 0, sizeof(sess));
+	session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_OUTBOUND);
+
+	srandom(time(NULL));
+	for (uint64_t cur_time_ms = 1, i = 0; cur_time_ms < 10000; cur_time_ms += 500)
+	{
+		int delta = (i++ % 10) * 100;
+		session_set_current_payload(&sess, NULL, 100);
+		session_flags(sf_plugin_info, ctx, &sess, DUMMY_TCP_TOPIC_ID, 100 + delta, FLOW_TYPE_C2S, cur_time_ms);
+
+		session_set_current_payload(&sess, NULL, 0);
+		session_flags(sf_plugin_info, ctx, &sess, DUMMY_TCP_TOPIC_ID, 66, FLOW_TYPE_S2C, cur_time_ms);
+	}
+	struct session_flags_result *flags_info = session_flags_get_flags(&ctx->stat);
+	EXPECT_NE(flags_info->flags & SESSION_FLAGS_CBR, SESSION_FLAGS_CBR);
+	
+	//char *identify_str = session_flags_generate_firewall_message(flags_info->flags, flags_info->identify);
+	//EXPECT_STREQ( "{\"Client is Local\":1,\"Outbound\":21,\"Pseudo Unidirectional\":21,\"Unidirectional\":21,\"C2S\":1,\"S2C\":2}", identify_str);
+	//free(identify_str);
+	free(ctx);
+}
+
+TEST(session_flags_static, interactive)
+{
+	struct session_flags_ctx *ctx = (struct session_flags_ctx*)calloc(1, sizeof(struct session_flags_ctx));
+	struct session sess;
+
+	memset(&sess, 0, sizeof(sess));
+	session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_OUTBOUND);
+
+	srandom(time(NULL));
+	uint64_t cur_time_ms = 1;
+	while(cur_time_ms < 60000)
+	{
+		long delta = random() % 100;
+		session_set_current_payload(&sess, NULL, 100);
+		session_flags(sf_plugin_info, ctx, &sess, DUMMY_TCP_TOPIC_ID, 1000 + delta, FLOW_TYPE_C2S, cur_time_ms++);
+
+		session_set_current_payload(&sess, NULL, 0);
+		session_flags(sf_plugin_info, ctx, &sess, DUMMY_TCP_TOPIC_ID, 66, FLOW_TYPE_S2C, cur_time_ms++);
+	}
+	while(cur_time_ms < 200000)
+	{
+		cur_time_ms += 10000;
+		session_set_current_payload(&sess, NULL, 100);
+		session_flags(sf_plugin_info, ctx, &sess, DUMMY_TCP_TOPIC_ID, 80, FLOW_TYPE_C2S, cur_time_ms);
+
+		session_set_current_payload(&sess, NULL, 0);
+		session_flags(sf_plugin_info, ctx, &sess, DUMMY_TCP_TOPIC_ID, 66, FLOW_TYPE_S2C, cur_time_ms);
+	}
+	struct session_flags_result *flags_info = session_flags_get_flags(&ctx->stat);
+	EXPECT_EQ(flags_info->flags & SESSION_FLAGS_INTERACTIVE, SESSION_FLAGS_INTERACTIVE);
+	EXPECT_EQ(flags_info->identify[session_flags_interactive_mask], 60009);
+	
+	//char *identify_str = session_flags_generate_firewall_message(flags_info->flags, flags_info->identify);
+	//EXPECT_STREQ( "{\"Bulky\":1001,\"CBR Streaming\":10021,\"Client is Local\":1,\"Download\":1001,\"Interactive\":60009,\"Outbound\":1001,\"Pseudo Unidirectional\":1001,\"Streaming\":1001,\"Unidirectional\":1001,\"C2S\":1,\"S2C\":2}", identify_str);
+	//free(identify_str);
+	free(ctx);
+}
+
+TEST(session_flags_static, streaming_gt_90)
+{
+	struct session_flags_ctx *ctx = (struct session_flags_ctx*)calloc(1, sizeof(struct session_flags_ctx));
+	struct session sess;
+
+	memset(&sess, 0, sizeof(sess));
+	session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_OUTBOUND);
+
+	srandom(time(NULL));
+	session_set_current_payload(&sess, NULL, 100);
+	for (uint64_t cur_time_ms = 1; cur_time_ms < 10000; cur_time_ms++)
+	{
+		session_flags(sf_plugin_info, ctx, &sess, DUMMY_TCP_TOPIC_ID, 861, FLOW_TYPE_C2S, cur_time_ms);
+		session_flags(sf_plugin_info, ctx, &sess, DUMMY_TCP_TOPIC_ID, 139, FLOW_TYPE_S2C, cur_time_ms);
+	}
+	struct session_flags_result *flags_info = session_flags_get_flags(&ctx->stat);
+	EXPECT_EQ(flags_info->flags & SESSION_FLAGS_STREAMING, SESSION_FLAGS_STREAMING);
+	EXPECT_EQ(flags_info->identify[session_flags_streaming_mask], 12001);
+	
+	//char *identify_str = session_flags_generate_firewall_message(flags_info->flags, flags_info->identify);
+	//EXPECT_STREQ("{\"Client is Local\":1,\"Outbound\":668,\"Streaming\":669,\"C2S\":1,\"S2C\":2}", identify_str);
+	//free(identify_str);
+	free(ctx);
+}
+
+TEST(session_flags_static, streaming_lt_90)
+{
+	struct session_flags_ctx *ctx = (struct session_flags_ctx*)calloc(1, sizeof(struct session_flags_ctx));
+	struct session sess;
+
+	memset(&sess, 0, sizeof(sess));
+	session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_OUTBOUND);
+
+	srandom(time(NULL));
+	session_set_current_payload(&sess, NULL, 100);
+	for (uint64_t cur_time_ms = 1; cur_time_ms < 10000; cur_time_ms++)
+	{
+		session_flags(sf_plugin_info, ctx, &sess, DUMMY_TCP_TOPIC_ID, 859, FLOW_TYPE_C2S, cur_time_ms);
+		session_flags(sf_plugin_info, ctx, &sess, DUMMY_TCP_TOPIC_ID, 141, FLOW_TYPE_S2C, cur_time_ms);
+	}
+	struct session_flags_result *flags_info = session_flags_get_flags(&ctx->stat);
+	EXPECT_EQ(flags_info->flags & SESSION_FLAGS_STREAMING, 0);
+	EXPECT_EQ(flags_info->identify[session_flags_streaming_mask], 0);
+	
+	//char *identify_str = session_flags_generate_firewall_message(flags_info->flags, flags_info->identify);
+	//EXPECT_STREQ("{\"Client is Local\":1,\"Outbound\":668,\"Streaming\":669,\"C2S\":1,\"S2C\":2}", identify_str);
+	//free(identify_str);
+	free(ctx);
+}
+
+TEST(session_flags_static, presu_unidirectional_gt_95)
+{
+	struct session_flags_ctx *ctx = (struct session_flags_ctx*)calloc(1, sizeof(struct session_flags_ctx));
+	struct session sess;
+
+	memset(&sess, 0, sizeof(sess));
+	session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_OUTBOUND);
+
+	srandom(time(NULL));
+	uint64_t cur_time_ms = 1;
+	session_set_current_payload(&sess, NULL, 100);
+	for (int i = 0; i < 100; i++)
+	{
+		for (int j = 0; j < 96; j++)
+		{
+			session_flags(sf_plugin_info, ctx, &sess, DUMMY_TCP_TOPIC_ID, 100 + random() % 1000, FLOW_TYPE_C2S, cur_time_ms);
+			cur_time_ms++;
+		}
+		for (int j = 0; j < 4; j++)
+		{
+			session_flags(sf_plugin_info, ctx, &sess, DUMMY_TCP_TOPIC_ID, 100 + random() % 1000, FLOW_TYPE_S2C, cur_time_ms);
+			cur_time_ms++;
+		}
+	}
+	struct session_flags_result *flags_info = session_flags_get_flags(&ctx->stat);
+	EXPECT_EQ(flags_info->flags & SESSION_FLAGS_PSEUDO_UNIDIRECTIONAL, SESSION_FLAGS_PSEUDO_UNIDIRECTIONAL);
+	EXPECT_EQ(flags_info->identify[session_flags_pseudo_unidirectional_mask], 6001);
+	
+	//char *identify_str = session_flags_generate_firewall_message(flags_info->flags, flags_info->identify);
+	//EXPECT_STREQ( "{\"Client is Local\":1,\"Outbound\":1002,\"Pseudo Unidirectional\":1002,\"Streaming\":1002,\"C2S\":1,\"S2C\":99}", identify_str);
+	//free(identify_str);
+	free(ctx);
+}
+
+TEST(session_flags_static, presu_unidirectional_lt_95)
+{
+	struct session_flags_ctx *ctx = (struct session_flags_ctx*)calloc(1, sizeof(struct session_flags_ctx));
+	struct session sess;
+
+	memset(&sess, 0, sizeof(sess));
+	session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_OUTBOUND);
+
+	srandom(time(NULL));
+	uint64_t cur_time_ms = 1;
+	session_set_current_payload(&sess, NULL, 100);
+	for (int i = 0; i < 100; i++)
+	{
+		for (int j = 0; j < 94; j++)
+		{
+			session_flags(sf_plugin_info, ctx, &sess, DUMMY_UDP_TOPIC_ID, 100 + random() % 1000, FLOW_TYPE_C2S, cur_time_ms);
+			cur_time_ms++;
+		}
+		for (int j = 0; j < 6; j++)
+		{
+			session_flags(sf_plugin_info, ctx, &sess, DUMMY_UDP_TOPIC_ID, 100 + random() % 1000, FLOW_TYPE_S2C, cur_time_ms);
+			cur_time_ms++;
+		}
+	}
+	struct session_flags_result *flags_info = session_flags_get_flags(&ctx->stat);
+	EXPECT_EQ(flags_info->flags & SESSION_FLAGS_PSEUDO_UNIDIRECTIONAL, 0);
+	EXPECT_EQ(flags_info->identify[session_flags_pseudo_unidirectional_mask], 0);
+	
+	//char *identify_str = session_flags_generate_firewall_message(flags_info->flags, flags_info->identify);
+	//EXPECT_STREQ( "{\"Client is Local\":1,\"Outbound\":1002,\"Pseudo Unidirectional\":1002,\"Streaming\":1002,\"C2S\":1,\"S2C\":99}", identify_str);
+	//free(identify_str);
+	free(ctx);
+}
+
+TEST(session_flags_static, Unidirectional)
+{
+	struct session_flags_ctx *ctx = (struct session_flags_ctx*)calloc(1, sizeof(struct session_flags_ctx));
+	struct session sess;
+
+	memset(&sess, 0, sizeof(sess));
+	session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_OUTBOUND);
+
+	srandom(time(NULL));
+	for (uint64_t cur_time_ms = 1; cur_time_ms < 10000; cur_time_ms++)
+	{
+		session_set_current_payload(&sess, NULL, 100);
+		session_flags(sf_plugin_info, ctx, &sess, DUMMY_TCP_TOPIC_ID, 100 + random() % 1000, FLOW_TYPE_C2S, cur_time_ms);
+
+		session_set_current_payload(&sess, NULL, 0);
+		session_flags(sf_plugin_info, ctx, &sess, DUMMY_TCP_TOPIC_ID, 80, FLOW_TYPE_S2C, cur_time_ms);
+	}
+	struct session_flags_result *flags_info = session_flags_get_flags(&ctx->stat);
+	EXPECT_EQ(flags_info->flags & SESSION_FLAGS_UNIDIRECTIONAL, SESSION_FLAGS_UNIDIRECTIONAL);
+	EXPECT_EQ(flags_info->identify[session_flags_unidirectional_mask], 10001);
+	EXPECT_EQ(flags_info->flags & SESSION_FLAGS_PSEUDO_UNIDIRECTIONAL, SESSION_FLAGS_PSEUDO_UNIDIRECTIONAL);
+	EXPECT_EQ(flags_info->identify[session_flags_pseudo_unidirectional_mask], 12001);
+	
+	//char *identify_str = session_flags_generate_firewall_message(flags_info->flags, flags_info->identify);
+	//EXPECT_STREQ("{\"Client is Local\":1,\"Outbound\":668,\"Pseudo Unidirectional\":669,\"Unidirectional\":669,\"C2S\":1,\"S2C\":2}", identify_str);
+	//free(identify_str);
+	free(ctx);
+}
+
+TEST(session_flags_static, not_unidirectional)
+{
+	struct session_flags_ctx *ctx = (struct session_flags_ctx*)calloc(1, sizeof(struct session_flags_ctx));
+	struct session sess;
+
+	memset(&sess, 0, sizeof(sess));
+	session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_OUTBOUND);
+
+	srandom(time(NULL));
+	uint64_t cur_time_ms = 1;
+	session_set_current_payload(&sess, NULL, 100);
+	for (int i = 1; i < 10000; i++)
+	{
+		session_flags(sf_plugin_info, ctx, &sess, DUMMY_TCP_TOPIC_ID, 100 + random() % 1000, FLOW_TYPE_C2S, cur_time_ms++);
+	}
+	session_flags(sf_plugin_info, ctx, &sess, DUMMY_TCP_TOPIC_ID, 80, FLOW_TYPE_S2C, cur_time_ms++);
+	struct session_flags_result *flags_info = session_flags_get_flags(&ctx->stat);
+	EXPECT_NE(flags_info->flags & SESSION_FLAGS_UNIDIRECTIONAL, SESSION_FLAGS_UNIDIRECTIONAL);
+	
+	struct session_flags_message *msg = session_flags_generate_firewall_message(flags_info->flags, flags_info->identify);
+	//EXPECT_STREQ( "{\"Client is Local\":1, \"Outbound\":10000, \"C2S\":1,\"S2C\":10000}", identify_str);
+	EXPECT_EQ(msg->packet_sequence_array[0], 1);
+	EXPECT_EQ(msg->packet_sequence_array[1], 10000);
+	EXPECT_EQ(msg->packet_sequence_array[2], 1);
+	EXPECT_EQ(msg->packet_sequence_array[3], 10000);
+	free(msg->packet_sequence_array);
+	free(msg);
+	free(ctx);
+}
+
+TEST(session_flags_static, dns)
+{
+	struct session_flags_ctx *ctx = (struct session_flags_ctx*)calloc(1, sizeof(struct session_flags_ctx));
+	struct session sess;
+
+	memset(&sess, 0, sizeof(sess));
+	session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_OUTBOUND);
+
+	uint64_t cur_time_ms = 1000;
+	session_set_current_payload(&sess, NULL, 100);
+	session_flags(sf_plugin_info, ctx, &sess, DUMMY_UDP_TOPIC_ID, 72, FLOW_TYPE_C2S, cur_time_ms);
+	session_flags(sf_plugin_info, ctx, &sess, DUMMY_UDP_TOPIC_ID, 72, FLOW_TYPE_C2S, cur_time_ms);
+	session_flags(sf_plugin_info, ctx, &sess, DUMMY_UDP_TOPIC_ID, 72, FLOW_TYPE_C2S, cur_time_ms+10000);
+	session_flags(sf_plugin_info, ctx, &sess, DUMMY_UDP_TOPIC_ID, 72, FLOW_TYPE_C2S, cur_time_ms+10000);
+	session_flags(sf_plugin_info, ctx, &sess, DUMMY_UDP_TOPIC_ID, 146, FLOW_TYPE_S2C, cur_time_ms+15000);
+	session_flags(sf_plugin_info, ctx, &sess, DUMMY_UDP_TOPIC_ID, 72, FLOW_TYPE_C2S, cur_time_ms+15000);
+	struct session_flags_result *flags_info = session_flags_get_flags(&ctx->stat);
+	EXPECT_NE(flags_info->flags & SESSION_FLAGS_CBR, SESSION_FLAGS_CBR);
+	EXPECT_EQ(flags_info->flags & SESSION_FLAGS_LOCAL_CLIENT, SESSION_FLAGS_LOCAL_CLIENT);
+	EXPECT_EQ(flags_info->flags & SESSION_FLAGS_C2S, SESSION_FLAGS_C2S);
+	EXPECT_EQ(flags_info->identify[session_flags_c2s_mask], 1);
+	EXPECT_EQ(flags_info->flags & SESSION_FLAGS_S2C, SESSION_FLAGS_S2C);
+	EXPECT_EQ(flags_info->identify[session_flags_s2c_mask], 5);
+	
+	//char *identify_str = session_flags_generate_firewall_message(flags_info->flags, flags_info->identify);
+	//EXPECT_STREQ( "{\"Client is Local\":1,\"Outbound\":6,\"C2S\":1,\"S2C\":5}", identify_str);
+	//free(identify_str);
+	free(ctx);
+}
+
+TEST(session_flags_static, bidirectional)
+{
+	struct session_flags_ctx *ctx = (struct session_flags_ctx*)calloc(1, sizeof(struct session_flags_ctx));
+	struct session sess;
+
+	memset(&sess, 0, sizeof(sess));
+	session_flags_stat_init(&ctx->stat, SESSION_DIRECTION_OUTBOUND);
+
+	int cur_time_ms = 1;
+	session_set_current_payload(&sess, NULL, 100);
+	for (int i = 0; i < 5000; i++)
+	{
+		session_set_current_payload(&sess, NULL, 100);
+		session_flags(sf_plugin_info, ctx, &sess, DUMMY_TCP_TOPIC_ID, 100, FLOW_TYPE_C2S, cur_time_ms++);
+
+		session_set_current_payload(&sess, NULL, 99);
+		session_flags(sf_plugin_info, ctx, &sess, DUMMY_TCP_TOPIC_ID, 99, FLOW_TYPE_S2C, cur_time_ms++);
+	}
+
+	struct session_flags_result *flags_info = session_flags_get_flags(&ctx->stat);
+	EXPECT_EQ(flags_info->flags & SESSION_FLAGS_BIDIRECTIONAL, SESSION_FLAGS_BIDIRECTIONAL);
+	EXPECT_EQ(flags_info->identify[session_flags_bidirectional_mask], 6001);
+	free(ctx);
+}
+
+int main(int argc, char **argv) 
+{
+    testing::InitGoogleTest(&argc, argv);
+    //testing::GTEST_FLAG(filter) = "";
+	sf_plugin_info = (struct session_flags_plugin_info *)session_flags_plugin_init(NULL);
+	sf_plugin_info->log_handle = NULL;
+    int result = RUN_ALL_TESTS();
+	session_flags_plugin_exit(sf_plugin_info);
+
+	return result;
+}
+\ No newline at end of file
diff --git a/test/decoders/session_flags/session_flags_test_plugin.cpp b/test/decoders/session_flags/session_flags_test_plugin.cpp
new file mode 100644
index 0000000..27d2377
--- /dev/null
+++ b/test/decoders/session_flags/session_flags_test_plugin.cpp
@@ -0,0 +1,210 @@
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+
+#include "cJSON.h"
+
+#include "stellar/stellar.h"
+#include "stellar/session.h"
+#include "stellar/stellar_mq.h"
+#include "stellar/stellar_exdata.h"
+
+#include "stellar/session_flags.h"
+
+#ifdef __cplusplus
+extern "C"
+{
+int commit_test_result_json(cJSON *node, const char *name);
+}
+#endif
+
+#define unused(x) ((void)(x))
+
+int g_test_session_flags_plugin_id;
+int g_session_flags_topic_id;
+
+int g_receive_msg_count = 0;
+
+static void session_flags_2_str(uint64_t flags, char *str, int str_len)
+{
+	if (str == NULL || str_len == 0)
+		return;
+
+	int offset = 0;
+	str[0] = '[';
+	offset += 1;
+
+	if (flags & SESSION_FLAGS_BULKY && str_len > offset)
+	{
+		snprintf(&str[offset], str_len-offset, "Bulky,");
+		offset = strlen(str);
+	}
+
+	if (flags & SESSION_FLAGS_CBR && str_len > offset)
+	{
+		snprintf(&str[offset], str_len-offset, "CBR Streaming,");
+		offset = strlen(str);
+	}
+
+	if (flags & SESSION_FLAGS_LOCAL_CLIENT && str_len > offset)
+	{
+		snprintf(&str[offset], str_len-offset, "Client is Local,");
+		offset = strlen(str);
+	}
+
+	if (flags & SESSION_FLAGS_LOCAL_SERVER && str_len > offset)
+	{
+		snprintf(&str[offset], str_len-offset, "Server is Local,");
+		offset = strlen(str);
+	}
+
+	if (flags & SESSION_FLAGS_DOWNLOAD && str_len > offset)
+	{
+		snprintf(&str[offset], str_len-offset, "Download,");
+		offset = strlen(str);
+	}
+
+	if (flags & SESSION_FLAGS_INTERACTIVE && str_len > offset)
+	{
+		snprintf(&str[offset], str_len-offset, "Interactive,");
+		offset = strlen(str);
+	}
+
+	if (flags & SESSION_FLAGS_INBOUND && str_len > offset)
+	{
+		snprintf(&str[offset], str_len-offset, "Inbound,");
+		offset = strlen(str);
+	}
+
+	if (flags & SESSION_FLAGS_OUTBOUND && str_len > offset)
+	{
+		snprintf(&str[offset], str_len-offset, "Outbound,");
+		offset = strlen(str);
+	}
+
+	if (flags & SESSION_FLAGS_PSEUDO_UNIDIRECTIONAL && str_len > offset)
+	{
+		snprintf(&str[offset], str_len-offset, "Pseudo Unidirectional,");
+		offset = strlen(str);
+	}
+
+
+	if (flags & SESSION_FLAGS_STREAMING && str_len > offset)
+	{
+		snprintf(&str[offset], str_len-offset, "Streaming,");
+		offset = strlen(str);
+	}
+
+	if (flags & SESSION_FLAGS_UNIDIRECTIONAL && str_len > offset)
+	{
+		snprintf(&str[offset], str_len-offset, "Unidirectional,");
+		offset = strlen(str);
+	}
+
+	if (flags & SESSION_FLAGS_RANDOM_LOOKING && str_len > offset)
+	{
+		snprintf(&str[offset], str_len-offset, "Random Looking,");
+		offset = strlen(str);
+	}
+
+	if (flags & SESSION_FLAGS_C2S && str_len > offset)
+	{
+		snprintf(&str[offset], str_len-offset, "C2S,");
+		offset = strlen(str);
+	}
+
+	if (flags & SESSION_FLAGS_S2C && str_len > offset)
+	{
+		snprintf(&str[offset], str_len-offset, "S2C,");
+		offset = strlen(str);
+	}
+
+	if (flags & SESSION_FLAGS_BIDIRECTIONAL && str_len > offset)
+	{
+		snprintf(&str[offset], str_len-offset, "Bidirectional,");
+		offset = strlen(str);
+	}
+
+	if (flags & SESSION_FLAGS_TUNNELING && str_len > offset)
+	{
+		snprintf(&str[offset], str_len-offset, "Tunneling,");
+		offset = strlen(str);
+	}
+
+
+	str[offset-1] = ']';
+}
+
+static void append_json(cJSON *root, struct session_flags_message *sf_message)
+{
+	char key[128] = {0};
+	snprintf(key, 128, "common_flags_%d", g_receive_msg_count);
+    cJSON_AddNumberToObject(root, (const char *)key, sf_message->flags);
+
+	char str[1024] = {0};
+	session_flags_2_str(sf_message->flags, str, 1024);
+	snprintf(key, 128, "common_flags_str_%d", g_receive_msg_count);
+	cJSON_AddStringToObject(root, (const char *)key, str);
+
+	char identify_str[1024] = {0};
+	int offset = 0;
+	for (unsigned int i = 0; i < sf_message->array_num; i++)
+	{
+		offset += snprintf(identify_str + offset, 1024-offset, "%u,", sf_message->packet_sequence_array[i]);
+	}
+	snprintf(key, 128, "common_flags_identify_info_%d", g_receive_msg_count);
+	cJSON_AddStringToObject(root, (const char *)key, identify_str);
+
+	g_receive_msg_count++;
+}
+
+void test_session_flags_entry(struct session *session, int topic_id, const void *msg, void *per_session_ctx, void *plugin_env)
+{
+	unused(plugin_env);
+	unused(session);
+	unused(topic_id);
+
+	if (msg == NULL)
+	{
+		return;
+	}
+
+	struct session_flags_message *sf_message = (struct session_flags_message *)msg;
+	cJSON *json_root = (cJSON *)per_session_ctx;
+
+	append_json(json_root, sf_message);
+
+}
+
+void *ctx_new(struct session *session, void *plugin_env)
+{
+	unused(plugin_env);
+	unused(session);
+
+	cJSON *root = cJSON_CreateObject();
+	return (void *)root;
+}
+
+void ctx_free(struct session *sess, void *session_ctx, void *plugin_env)
+{
+	unused(sess);
+	unused(plugin_env);
+	
+	commit_test_result_json((cJSON *)session_ctx, "session_flags_test");
+}
+
+extern "C" void *SESSION_FLAGS_TEST_PLUG_INIT(struct stellar *st)
+{
+    g_test_session_flags_plugin_id = stellar_session_plugin_register(st, ctx_new, ctx_free, NULL);
+	g_session_flags_topic_id = stellar_mq_get_topic_id(st, SESSION_FLAGS_MESSAGE_TOPIC);
+
+	stellar_session_mq_subscribe(st, g_session_flags_topic_id, test_session_flags_entry, g_test_session_flags_plugin_id);
+
+	return NULL;
+}
+
+extern "C" void SESSION_FLAGS_TEST_PLUG_DESTROY(void *ctx)
+{
+	unused(ctx);
+	return;
+}
+\ No newline at end of file
diff --git a/test/decoders/session_flags/test_based_on_stellar/CMakeLists.txt b/test/decoders/session_flags/test_based_on_stellar/CMakeLists.txt
new file mode 100644
index 0000000..9f4f5ba
--- /dev/null
+++ b/test/decoders/session_flags/test_based_on_stellar/CMakeLists.txt
@@ -0,0 +1,37 @@
+set(DECODER_NAME session_flags)
+
+set(TEST_RUN_DIR ${CMAKE_BINARY_DIR}/test/decoders/session_flags)
+set(SAPP_DEVEL_DIR ${TEST_RUN_DIR}/lib)
+set(TEST_MAIN session_flags_test_main)
+
+include_directories(${CMAKE_SOURCE_DIR}/include)
+include_directories(${CMAKE_SOURCE_DIR}/test)
+include_directories(/usr/local/include/cjson)
+include_directories(/opt/tsg/framework/include/stellar)
+include_directories(/opt/MESA/include/MESA)
+include_directories(/opt/tsg/stellar/include/)
+
+#various ways to add -rdynamic for centos7, centos8, and different cmake version
+add_definitions(-rdynamic)
+link_directories(${SAPP_DEVEL_DIR})
+
+# assemble test env
+add_test(NAME SESSION_FLAGS_MKDIR_METRIC COMMAND sh -c "mkdir -p ${TEST_RUN_DIR}/metrics; mkdir -p ${TEST_RUN_DIR}/plugin; mkdir -p ${TEST_RUN_DIR}/log; mkdir -p ${TEST_RUN_DIR}/pcap")
+add_test(NAME SESSION_FLAGS_COPY_SPEC COMMAND sh -c "mkdir -p ${TEST_RUN_DIR}/plugin/ && cp ${CMAKE_CURRENT_SOURCE_DIR}/env/spec.toml ${TEST_RUN_DIR}/plugin/spec.toml")
+add_test(NAME SESSION_FLAGS_COPY_CONF COMMAND sh -c "mkdir -p ${TEST_RUN_DIR}/conf/ && cp ${CMAKE_CURRENT_SOURCE_DIR}/env/stellar.toml ${TEST_RUN_DIR}/conf/stellar.toml")
+add_test(NAME SESSION_FLAGS_COPY_LOG_CONF COMMAND sh -c "mkdir -p ${TEST_RUN_DIR}/conf/ && cp ${CMAKE_CURRENT_SOURCE_DIR}/env/log.toml ${TEST_RUN_DIR}/conf/log.toml")
+
+# update plugin to be tested
+add_test(NAME SESSION_FLAGS_CP_DECODER_SO COMMAND sh -c "cp ${CMAKE_BINARY_DIR}/decoders/session_flags/session_flags_dyn.so ${TEST_RUN_DIR}/plugin/${DECODER_NAME}.so")
+add_test(NAME SESSION_FLAGS_CP_DECODER_GTEST_SO COMMAND sh -c "cp ${CMAKE_BINARY_DIR}/test/decoders/session_flags/${DECODER_NAME}_test.so ${TEST_RUN_DIR}/plugin/${DECODER_NAME}_test.so")
+
+set_tests_properties(SESSION_FLAGS_MKDIR_METRIC SESSION_FLAGS_COPY_SPEC  
+                    SESSION_FLAGS_COPY_CONF SESSION_FLAGS_COPY_LOG_CONF 
+                    SESSION_FLAGS_CP_DECODER_SO SESSION_FLAGS_CP_DECODER_GTEST_SO 
+                    PROPERTIES FIXTURES_SETUP TestFixture)
+
+set(TEST_PCAP_DIR ${PROJECT_SOURCE_DIR}/test/decoders/session_flags/pcap)        
+
+# run tests
+add_test(NAME SESSION_FLAGS_PLUGIN_TEST COMMAND sh -c "ln -sf ${TEST_PCAP_DIR}/https_download.pcap ${TEST_RUN_DIR}/pcap/test.pcap; ./${TEST_MAIN} ${TEST_PCAP_DIR}/https_download.json"  WORKING_DIRECTORY ${TEST_RUN_DIR})
+
diff --git a/test/decoders/session_flags/test_based_on_stellar/env/log.toml b/test/decoders/session_flags/test_based_on_stellar/env/log.toml
new file mode 100644
index 0000000..a51abd8
--- /dev/null
+++ b/test/decoders/session_flags/test_based_on_stellar/env/log.toml
@@ -0,0 +1,4 @@
+[log]
+output = "stderr"        # stderr, file
+file = "log/stellar.log"
+level = "ERROR"          # TRACE, DEBUG, INFO, WARN, ERROR, FATAL
diff --git a/test/decoders/session_flags/test_based_on_stellar/env/session_flags.toml b/test/decoders/session_flags/test_based_on_stellar/env/session_flags.toml
new file mode 100644
index 0000000..af62a2b
--- /dev/null
+++ b/test/decoders/session_flags/test_based_on_stellar/env/session_flags.toml
@@ -0,0 +1,9 @@
+[SESSION_FLAGS]
+FET_ENABLED=1
+INTERACTIVE_STARTTIME_MS = 10000
+INTERACTIVE_PULSE_NUM = 4
+INTERACTIVE_LATENCY_MS = 5000
+MAIN_DIR_FRONT_N_PKTS = 100
+LARGE_PKTS_INIT_SIZE = 1000
+RANDOM_LOOKING_JUDGE_LIST="{\"random_looking_judge_list\":[ \"frequency\", \"block_frequency\", \"cumulative_sums\", \"runs\", \"longest_run\", \"rank\", \"non_overlapping_template_matching\", \"overlapping_template_matching\", \"universal\", \"random_excursions\", \"random_excursions_variant\", \"poker_detect\", \"runs_distribution\", \"self_correlation\", \"binary_derivative\" ]}"
+TUNNELING_PCRE_LIST="{\"tunneling_pcre_list\":[\"(B|C)(d){3,5}(a|b|c|d)(A|B)b(A|B|C|D)\", \"(B|C)(d){3,5}(a|b|c|d)Aa(A|B|C|D)\", \"(B|C)(d){2}(b|c)(A|B)b(A|B|C|D)\", \"(B|C)(d){2}(b|c)Aa(A|B|C|D)\"]}"
diff --git a/test/decoders/session_flags/test_based_on_stellar/env/spec.toml b/test/decoders/session_flags/test_based_on_stellar/env/spec.toml
new file mode 100644
index 0000000..ead4371
--- /dev/null
+++ b/test/decoders/session_flags/test_based_on_stellar/env/spec.toml
@@ -0,0 +1,9 @@
+[[plugin]]
+path = "./plugin/session_flags.so"
+init = "session_flags_plugin_init"
+exit = "session_flags_plugin_exit"
+
+[[plugin]]
+path = "./plugin/session_flags_test.so"
+init = "SESSION_FLAGS_TEST_PLUG_INIT"
+exit = "SESSION_FLAGS_TEST_PLUG_DESTROY"
diff --git a/test/decoders/session_flags/test_based_on_stellar/env/stellar.toml b/test/decoders/session_flags/test_based_on_stellar/env/stellar.toml
new file mode 100644
index 0000000..308c884
--- /dev/null
+++ b/test/decoders/session_flags/test_based_on_stellar/env/stellar.toml
@@ -0,0 +1,64 @@
+[instance]
+    id = 1 # range: [0, 4095] (20 bit)
+
+[packet_io]
+    mode = "pcapfile"                      # pcapfile, pcaplist, marsio
+    app_symbol = "stellar"
+    dev_symbol = "nf_0_fw"
+    pcap_path = "./pcap/test.pcap"
+    nr_worker_thread = 1                   # range: [1, 256]
+    cpu_mask = [5, 6, 7, 8, 9, 10, 11, 12]
+    idle_yield_interval_ms = 90           # range: [0, 60000] (ms)
+
+[ip_reassembly]
+    enable = 1
+    bucket_entries = 32 # range: [1, 4294967295] (must be power of 2)
+    bucket_num = 1024   # range: [1, 4294967295]
+
+    ip_frag_timeout_ms = 1000             # range: [1, 60000] (ms)
+    ip_frag_expire_polling_interval_ms = 0 # range: [0, 60000] (ms)
+    ip_frag_expire_polling_limit = 1024    # range: [1, 1024]
+
+[session_manager]
+    tcp_session_max = 500
+    udp_session_max = 500
+
+    evict_old_on_tcp_table_limit = 1 # range: [0, 1]
+    evict_old_on_udp_table_limit = 1 # range: [0, 1]
+
+    expire_period_ms = 0    # range: [0, 60000] (ms)
+    expire_batch_max = 1024 # range: [1, 1024]
+
+    [session_manager.tcp_timeout_ms]
+        init = 500             # range: [1, 60000] (ms)
+        handshake = 500        # range: [1, 60000] (ms)
+        data = 500             # range: [1, 15999999000] (ms)
+        half_closed = 500      # range: [1, 604800000] (ms)
+        time_wait = 500        # range: [1, 600000] (ms)
+        discard_default = 1000 # range: [1, 15999999000] (ms)
+        unverified_rst = 500   # range: [1, 600000] (ms)
+
+    [session_manager.udp_timeout_ms]
+        data = 500            # range: [1, 15999999000] (ms)
+        discard_default = 500 # range: [1, 15999999000] (ms)
+
+    [session_manager.duplicated_packet_bloom_filter]
+        enable = 0
+        capacity = 1000000     # range: [1, 4294967295]
+        time_window_ms = 10000 # range: [1, 60000] (ms)
+        error_rate = 0.00001   # range: [0.0, 1.0]
+
+    [session_manager.evicted_session_bloom_filter]
+        enable = 0             # range: [0, 1]
+        capacity = 1000000     # range: [1, 4294967295]
+        time_window_ms = 10000 # range: [1, 60000] (ms)
+        error_rate = 0.00001   # range: [0.0, 1.0]
+
+    [session_manager.tcp_reassembly]
+        enable = 1                  # range: [0, 1]
+        timeout_ms = 100          # range: [1, 60000] (ms)
+        buffered_segments_max = 256 # range: [2, 4096] per flow
+
+[stat]
+    merge_interval_ms = 500    # range: [0, 60000] (ms)
+    output_interval_ms = 1000  # range: [0, 60000] (ms)
diff --git a/test/decoders/socks/CMakeLists.txt b/test/decoders/socks/CMakeLists.txt
new file mode 100644
index 0000000..f40930a
--- /dev/null
+++ b/test/decoders/socks/CMakeLists.txt
@@ -0,0 +1,38 @@
+set(DECODER_NAME socks)
+
+add_library(${DECODER_NAME}_test SHARED socks_decoder_test_plugin.cpp)
+add_dependencies(${DECODER_NAME}_test ${DECODER_NAME})
+set_target_properties(${DECODER_NAME}_test PROPERTIES PREFIX "")
+
+set(TEST_RUN_DIR ${CMAKE_BINARY_DIR}/testing)
+
+include_directories(${CMAKE_SOURCE_DIR}/include)
+include_directories(${CMAKE_SOURCE_DIR}/src)
+include_directories(${CMAKE_BINARY_DIR}/vendors/cjson/src/cjson/include)
+include_directories(${PROJECT_SOURCE_DIR}/decoders/socks)
+include_directories(${PROJECT_SOURCE_DIR}/include/stellar)
+
+add_executable(gtest_pcap_socks socks_decoder_pcap_gtest.cpp dummy.c ${PROJECT_SOURCE_DIR}/decoders/socks/socks_decoder.cpp)
+target_link_libraries(gtest_pcap_socks gtest logger pcap)
+
+add_executable(socks_test_main plugin_test_main.cpp)
+set_target_properties(socks_test_main 
+    PROPERTIES 
+    LINK_OPTIONS 
+    "-rdynamic" 
+    )
+set_target_properties(socks_test_main 
+    PROPERTIES 
+    LINK_FLAGS  
+    "-rdynamic" 
+    )
+set(LINK_FLAGS "-rdynamic")
+target_link_libraries(socks_test_main gtest cjson-static stellar_lib)
+
+add_subdirectory(test_based_on_stellar)
+
+#copy pcap file folder to build directory
+file(COPY ${CMAKE_CURRENT_SOURCE_DIR}/pcap DESTINATION ${CMAKE_BINARY_DIR}/test/decoders/socks)
+
+include(GoogleTest)
+gtest_discover_tests(gtest_pcap_socks)
diff --git a/test/decoders/socks/dummy.c b/test/decoders/socks/dummy.c
new file mode 100644
index 0000000..bd15d44
--- /dev/null
+++ b/test/decoders/socks/dummy.c
@@ -0,0 +1,151 @@
+#include "dummy.h"
+
+#define UNUSED(x) (void)(x)
+
+int direction;
+
+void session_set_current_state(struct session *sess, enum session_state sess_state)
+{
+    sess->sess_state = sess_state;
+
+    return;
+}
+enum session_state session_get_current_state(const struct session *sess)
+{
+    return sess->sess_state;
+}
+
+void dummy_set_direction(int dir)
+{
+    direction = dir;
+}
+
+struct logger *stellar_get_logger(struct stellar *st)
+{
+	UNUSED(st);
+
+	return NULL;
+}
+
+enum flow_type session_get_flow_type(const struct session *sess)
+{
+	UNUSED(sess);
+
+	return direction;
+}
+
+const struct packet *session_get0_current_packet(const struct session *sess)
+{
+    UNUSED(sess);
+
+    return NULL;
+}
+
+const char *packet_get_payload(const struct packet *pkt)
+{
+	UNUSED(pkt);
+
+	return NULL;
+}
+
+uint16_t packet_get_payload_len(const struct packet *pkt)
+{
+	UNUSED(pkt);
+
+	return 0;
+}
+
+int session_mq_ignore_message(struct session *sess, int topic_id, int plugin_id)
+{
+    UNUSED(sess);
+    UNUSED(topic_id);
+    UNUSED(plugin_id);
+
+    return 0;
+}
+
+int session_exdata_set(struct session *sess, int idx, void *ex_ptr)
+{
+	UNUSED(sess);
+	UNUSED(idx);
+	UNUSED(ex_ptr);
+
+	return 0;
+}
+
+void *session_exdata_get(struct session *sess, int idx)
+{
+	UNUSED(sess);
+	UNUSED(idx);
+
+	return NULL;
+}
+
+void stellar_session_plugin_dettach_current_session(struct session *sess)
+{
+	UNUSED(sess);
+}
+
+int session_mq_publish_message(struct session *sess, int topic_id, void *msg)
+{
+	UNUSED(sess);
+	UNUSED(topic_id);
+	UNUSED(msg);
+
+	return 0;
+}
+
+const char *session_get0_readable_addr(const struct session *sess)
+{
+	UNUSED(sess);
+
+	return NULL;
+}
+
+int stellar_exdata_new_index(struct stellar *st, const char *name, stellar_exdata_free *free_func,void *arg)
+{
+	UNUSED(st);
+	UNUSED(name);
+	UNUSED(free_func);
+	UNUSED(arg);
+
+	return 0;
+}
+
+int stellar_mq_create_topic(struct stellar *st, const char *topic_name, stellar_msg_free_cb_func *msg_free_cb, void *msg_free_arg)
+{
+	UNUSED(st);
+	UNUSED(topic_name);
+	UNUSED(msg_free_cb);
+	UNUSED(msg_free_arg);
+
+	return 0;
+}
+
+int stellar_mq_get_topic_id(struct stellar *st, const char *topic_name)
+{
+	UNUSED(st);
+    UNUSED(topic_name);
+
+    return 0;
+}
+
+int stellar_session_mq_subscribe(struct stellar *st, int topic_id, on_session_msg_cb_func *plugin_on_msg_cb, int plugin_id)
+{
+	UNUSED(st);
+	UNUSED(topic_id);
+	UNUSED(plugin_on_msg_cb);
+	UNUSED(plugin_id);
+
+	return 0;
+}
+
+int stellar_session_plugin_register(struct stellar *st, session_ctx_new_func session_ctx_new, session_ctx_free_func session_ctx_free, void *plugin_env)
+{
+	UNUSED(st);
+	UNUSED(session_ctx_new);
+	UNUSED(session_ctx_free);
+	UNUSED(plugin_env);
+
+	return 0;
+}
+\ No newline at end of file
diff --git a/test/decoders/socks/dummy.h b/test/decoders/socks/dummy.h
new file mode 100644
index 0000000..48f801e
--- /dev/null
+++ b/test/decoders/socks/dummy.h
@@ -0,0 +1,14 @@
+#include "stellar/stellar.h"
+#include "stellar/session.h"
+#include "stellar/stellar_mq.h"
+#include "stellar/stellar_exdata.h"
+
+struct session //stub just for test
+{
+    enum session_state sess_state;
+	int payload_len;
+	char *payload;
+};
+
+void session_set_current_state(struct session *sess, enum session_state sess_state);
+void dummy_set_direction(int dir);
+\ No newline at end of file
diff --git a/test/decoders/socks/pcap/result.json b/test/decoders/socks/pcap/result.json
new file mode 100644
index 0000000..084d449
--- /dev/null
+++ b/test/decoders/socks/pcap/result.json
@@ -0,0 +1,7 @@
+[{
+    "socks_info":	{
+    "version":	"SOCKS4",
+    "dst_addr":	"127.0.0.1",
+    "dst_port":	8888
+    }
+}]
+\ No newline at end of file
diff --git a/test/decoders/socks/pcap/socks4.pcap b/test/decoders/socks/pcap/socks4.pcap
new file mode 100644
index 0000000..9091236
--- /dev/null
+++ b/test/decoders/socks/pcap/socks4.pcap
diff --git a/test/decoders/socks/pcap/socks4_nest_socks4a.pcap b/test/decoders/socks/pcap/socks4_nest_socks4a.pcap
new file mode 100644
index 0000000..b5bcc9f
--- /dev/null
+++ b/test/decoders/socks/pcap/socks4_nest_socks4a.pcap
diff --git a/test/decoders/socks/pcap/socks4a_domain.pcap b/test/decoders/socks/pcap/socks4a_domain.pcap
new file mode 100644
index 0000000..14fbf10
--- /dev/null
+++ b/test/decoders/socks/pcap/socks4a_domain.pcap
diff --git a/test/decoders/socks/pcap/socks5_auth_failed.pcap b/test/decoders/socks/pcap/socks5_auth_failed.pcap
new file mode 100644
index 0000000..1c75c66
--- /dev/null
+++ b/test/decoders/socks/pcap/socks5_auth_failed.pcap
diff --git a/test/decoders/socks/pcap/socks5_auth_success.pcap b/test/decoders/socks/pcap/socks5_auth_success.pcap
new file mode 100644
index 0000000..4c4b9fd
--- /dev/null
+++ b/test/decoders/socks/pcap/socks5_auth_success.pcap
diff --git a/test/decoders/socks/pcap/socks5_no_auth.pcap b/test/decoders/socks/pcap/socks5_no_auth.pcap
new file mode 100644
index 0000000..a00100f
--- /dev/null
+++ b/test/decoders/socks/pcap/socks5_no_auth.pcap
diff --git a/test/decoders/socks/plugin_test_main.cpp b/test/decoders/socks/plugin_test_main.cpp
new file mode 100644
index 0000000..8f3d996
--- /dev/null
+++ b/test/decoders/socks/plugin_test_main.cpp
@@ -0,0 +1,135 @@
+#include "cJSON.h"
+#include <gtest/gtest.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <assert.h>
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+#include "stellar/stellar.h"
+#ifdef __cplusplus
+}
+#endif
+
+// #define IGNORE_PRINTF
+#ifdef IGNORE_PRINTF
+#define printf(fmt, ...) (0)
+#endif
+static cJSON *g_test_result_root = NULL;
+static cJSON *g_load_result_root = NULL;
+static const char *result_json_path = NULL;
+
+extern "C" int commit_test_result_json(cJSON *node, const char *name)
+{
+	(void)name;
+	if (g_test_result_root)
+	{
+		// cJSON_AddItemToObject(g_test_result_root, name, node);
+		// cJSON_AddStringToObject(node, "name", name);
+		cJSON_AddItemToArray(g_test_result_root, node);
+		return 0;
+	}
+	return -1;
+}
+
+static cJSON *load_result_from_jsonfile(const char *json_path)
+{
+	if (json_path == NULL)
+		return NULL;
+
+	long file_len = 0;
+	char *file_content = NULL;
+	FILE *fp = NULL;
+
+	fp = fopen(json_path, "r+");
+	if (NULL == fp)
+	{
+		return NULL;
+	}
+	fseek(fp, 0, SEEK_END);
+	file_len = ftell(fp);
+	fseek(fp, 0, SEEK_SET);
+	if (file_len == 0)
+	{
+		fclose(fp);
+		return NULL;
+	}
+	file_content = (char *)malloc(file_len + 1);
+	fread(file_content, file_len, 1, fp);
+	file_content[file_len] = '\0';
+	cJSON *load = cJSON_Parse(file_content);
+	free(file_content);
+	fclose(fp);
+
+	return load;
+}
+
+TEST(PROTOCOL, compare_result_json)
+{
+	EXPECT_EQ(cJSON_GetArraySize(g_test_result_root), cJSON_GetArraySize(g_load_result_root));
+	int ret = cJSON_Compare(g_test_result_root, g_load_result_root, 0);
+	EXPECT_EQ(1, ret);
+
+	if (ret != 1)
+	{
+		char *load_json_str = cJSON_Print(g_load_result_root);
+		printf("LOAD Raw:\n%s\n", load_json_str);
+		free(load_json_str);
+		char *result_json_str = cJSON_Print(g_test_result_root);
+		printf("TEST Raw:\n%s\n", result_json_str);
+		free(result_json_str);
+
+		cJSON *t_load = g_load_result_root->child, *t_test = g_test_result_root->child;
+		while (t_load != NULL)
+		{
+			ret = cJSON_Compare(t_load, t_test, 0);
+			if (ret != 1)
+			{
+				load_json_str = cJSON_Print(t_load);
+				printf("LOAD Diff:\n%s\n", load_json_str);
+				free(load_json_str);
+				result_json_str = cJSON_Print(t_test);
+				printf("TEST Diff:\n%s\n", result_json_str);
+				free(result_json_str);
+				goto fail;
+			}
+			t_load = t_load->next;
+			t_test = t_test->next;
+		}
+	}
+	cJSON_Delete(g_load_result_root);
+	cJSON_Delete(g_test_result_root);
+	return;
+fail:
+	cJSON_Delete(g_load_result_root);
+	cJSON_Delete(g_test_result_root);
+	return;
+}
+
+int main(int argc, char *argv[])
+{
+	int ret = 0;
+	if (argc < 2)
+	{
+		printf("Usage: %s <result_json_path>\n", argv[0]);
+		result_json_path = NULL;
+	}
+	else
+	{
+		result_json_path = argv[1];
+		g_test_result_root = cJSON_CreateArray();
+		g_load_result_root = load_result_from_jsonfile(result_json_path);
+		assert(g_load_result_root != NULL && g_test_result_root != NULL);
+	}
+	::testing::InitGoogleTest(&argc, argv);
+	struct stellar *st = stellar_new("./conf/stellar.toml", "./plugin/spec.toml", "./conf/log.toml");
+	stellar_run(st);
+	if (result_json_path != NULL)
+	{
+		ret = RUN_ALL_TESTS();
+	}
+	stellar_free(st);
+	return ret;
+}
diff --git a/test/decoders/socks/socks_decoder_pcap_gtest.cpp b/test/decoders/socks/socks_decoder_pcap_gtest.cpp
new file mode 100644
index 0000000..b1cde22
--- /dev/null
+++ b/test/decoders/socks/socks_decoder_pcap_gtest.cpp
@@ -0,0 +1,246 @@
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <netinet/ip.h>
+#include <netinet/ip6.h>
+#include <netinet/tcp.h>
+#include <netinet/ether.h>
+#include <pcap/sll.h>
+#include <pcap/pcap.h>
+#include "gtest/gtest.h"
+
+#include "socks_decoder_internal.h"
+extern "C" {
+#include "stellar/session.h"
+#include "dummy.h"
+}
+
+#define LINUX_COOKED_CAPTURE 20
+
+extern int socks_process(struct socks_decoder_info *socks_decoder_info, struct session *sess, struct socks_tunnel_stream *stream, const char *payload, size_t payload_len);
+struct pcap_loop_arg
+{
+	pcap_t *pcap_handle;
+	struct socks_tunnel_stream *stream;
+};
+
+struct socks_decoder_info *socks_decoder_info = NULL;
+
+static void pcap_handle_cb(pcap_loop_arg *userarg, const struct pcap_pkthdr *pkthdr, const u_char *packet)
+{
+	struct pcap_loop_arg *arg = (struct pcap_loop_arg *)userarg;
+	struct session sess;
+	int payload_len = 0;
+	char *payload = NULL;
+	unsigned short sport, dport;
+	unsigned short eth_proto_type;
+	unsigned char *ip_header;
+
+	memset(&sess, 0, sizeof(sess));
+
+	int data_link_type = pcap_datalink(arg->pcap_handle);
+	switch (data_link_type) {
+		case DLT_EN10MB:
+			eth_proto_type = ntohs(*(unsigned short *)(packet + 12));
+			ip_header = (unsigned char *)(packet + sizeof(struct ethhdr));
+			break;
+		case 276://DLT_LINUX_SLL2
+			eth_proto_type = ntohs(*(unsigned short *)packet);
+			ip_header = (unsigned char *)(packet + LINUX_COOKED_CAPTURE);
+			break;
+		default:
+			return;
+	}
+
+	if (eth_proto_type == ETH_P_IP) {
+		int l4_proto = *(unsigned char *)(ip_header + 9);
+		if (l4_proto == IPPROTO_TCP) {
+			int ip_total_len = ntohs(*(unsigned short *)(ip_header + 2));
+			int ip_header_len = (*(unsigned char *)ip_header & 0x0f) * 4;
+			int tcp_header_len = 4 * ((*(unsigned char *)(ip_header + sizeof(iphdr) + 12) & 0xf0) >> 4);
+			payload_len = ip_total_len - ip_header_len - tcp_header_len;
+			payload = (char *)ip_header + ip_header_len + tcp_header_len;
+		} else {
+			return;
+		}
+
+		sport = ntohs(*(unsigned short *)(ip_header + sizeof(iphdr) + 0));
+		dport = ntohs(*(unsigned short *)(ip_header + sizeof(iphdr) + 2));
+		
+	} else if (eth_proto_type == ETH_P_IPV6) {
+		int l4_proto = *(unsigned char *)(ip_header + 6);
+		if (l4_proto == IPPROTO_TCP) {
+			int tcp_header_len = 4 * ((*(unsigned char *)(ip_header + sizeof(struct ip6_hdr) + 12) & 0xf0) >> 4);
+			payload_len = pkthdr->caplen - (ip_header - packet) - sizeof(struct ip6_hdr) - tcp_header_len;
+			payload = (char *)ip_header + sizeof(struct ip6_hdr) + tcp_header_len;
+		} else {
+			return;
+		}
+
+		sport = ntohs(*(unsigned short *)(ip_header + sizeof(struct ip6_hdr) + 0));
+		dport = ntohs(*(unsigned short *)(ip_header + sizeof(struct ip6_hdr) + 2));
+	} else {
+		return;
+	}
+
+	session_set_current_state(&sess, SESSION_STATE_ACTIVE);
+
+	if (sport > dport)
+	{
+		dummy_set_direction(FLOW_TYPE_C2S);
+	} else {
+		dummy_set_direction(FLOW_TYPE_S2C);
+	}
+	socks_process(socks_decoder_info, &sess, arg->stream, payload, payload_len);
+
+}
+
+TEST(socks_decoder, socks4)
+{
+	char error[100];
+	struct pcap_loop_arg arg;
+	struct socks_tunnel_stream *stream = (struct socks_tunnel_stream *)calloc(1, sizeof(struct socks_tunnel_stream));
+	pcap_t * handle = pcap_open_offline("pcap/socks4.pcap", error);
+	ASSERT_NE(handle, nullptr);
+
+	memset(&arg, 0, sizeof(arg));
+	arg.stream = stream;
+	arg.pcap_handle = handle;
+
+	pcap_loop(handle, -1, (pcap_handler)pcap_handle_cb, (u_char *)&arg);
+
+	EXPECT_EQ(stream->info.version, SOCKS_VERSION_4);
+	EXPECT_EQ(stream->info.dst_addr.type, SOCKS_ADDR_IPV4);
+	EXPECT_EQ(stream->info.dst_addr.ipv4, inet_addr("93.184.216.119"));
+	EXPECT_EQ(stream->info.dst_addr.port, htons(80));
+	EXPECT_EQ(stream->info.user_name.iov_len, 0);
+	EXPECT_EQ(stream->info.password.iov_len, 0);
+	EXPECT_EQ(stream->client_state, SS_END);
+	EXPECT_EQ(stream->server_state, SS_END);
+
+	pcap_close(handle);
+	free(stream);
+}
+
+TEST(socks_decoder, socks4a_domain)
+{
+	char error[100];
+	struct pcap_loop_arg arg;
+	struct socks_tunnel_stream *stream = (struct socks_tunnel_stream *)calloc(1, sizeof(struct socks_tunnel_stream));
+	pcap_t * handle = pcap_open_offline("pcap/socks4a_domain.pcap", error);
+	ASSERT_NE(handle, nullptr);
+
+	memset(&arg, 0, sizeof(arg));
+	arg.stream = stream;
+	arg.pcap_handle = handle;
+
+	pcap_loop(handle, -1, (pcap_handler)pcap_handle_cb, (u_char *)&arg);
+
+	EXPECT_EQ(stream->info.version, SOCKS_VERSION_4);
+	EXPECT_EQ(stream->info.dst_addr.type, SOCKS_ADDR_FQDN);
+	EXPECT_EQ(stream->info.dst_addr.fqdn.iov_len, strlen("www.example.com"));
+	EXPECT_STREQ("www.example.com", (char *)stream->info.dst_addr.fqdn.iov_base);
+	EXPECT_EQ(stream->info.dst_addr.port, htons(80));
+	EXPECT_EQ(stream->info.user_name.iov_len, 0);
+	EXPECT_EQ(stream->info.password.iov_len, 0);
+	EXPECT_EQ(stream->client_state, SS_END);
+	EXPECT_EQ(stream->server_state, SS_END);
+
+	pcap_close(handle);
+	free(stream->info.dst_addr.fqdn.iov_base);
+	free(stream);
+}
+
+TEST(socks_decoder, socks5_no_auth)
+{
+	char error[100];
+	struct pcap_loop_arg arg;
+	struct socks_tunnel_stream *stream = (struct socks_tunnel_stream *)calloc(1, sizeof(struct socks_tunnel_stream));
+	pcap_t * handle = pcap_open_offline("pcap/socks5_no_auth.pcap", error);
+	ASSERT_NE(handle, nullptr);
+
+	memset(&arg, 0, sizeof(arg));
+	arg.stream = stream;
+	arg.pcap_handle = handle;
+
+	pcap_loop(handle, -1, (pcap_handler)pcap_handle_cb, (u_char *)&arg);
+
+	EXPECT_EQ(stream->info.version, SOCKS_VERSION_5);
+	EXPECT_EQ(stream->info.dst_addr.type, SOCKS_ADDR_IPV4);
+	EXPECT_EQ(stream->info.dst_addr.ipv4, inet_addr("93.184.216.119"));
+	EXPECT_EQ(stream->info.dst_addr.port, htons(80));
+	EXPECT_EQ(stream->info.user_name.iov_len, 0);
+	EXPECT_EQ(stream->info.password.iov_len, 0);
+	EXPECT_EQ(stream->client_state, SS_END);
+	EXPECT_EQ(stream->server_state, SS_END);
+
+	pcap_close(handle);
+	free(stream);
+}
+
+TEST(socks_decoder, socks5_auth_success)
+{
+	char error[100];
+	struct pcap_loop_arg arg;
+	struct socks_tunnel_stream *stream = (struct socks_tunnel_stream *)calloc(1, sizeof(struct socks_tunnel_stream));
+	pcap_t * handle = pcap_open_offline("pcap/socks5_auth_success.pcap", error);
+	ASSERT_NE(handle, nullptr);
+
+	memset(&arg, 0, sizeof(arg));
+	arg.stream = stream;
+	arg.pcap_handle = handle;
+
+	pcap_loop(handle, -1, (pcap_handler)pcap_handle_cb, (u_char *)&arg);
+
+	EXPECT_EQ(stream->info.version, SOCKS_VERSION_5);
+	EXPECT_EQ(stream->info.dst_addr.type, SOCKS_ADDR_IPV4);
+	EXPECT_EQ(stream->info.dst_addr.ipv4, inet_addr("93.184.216.119"));
+	EXPECT_EQ(stream->info.dst_addr.port, htons(80));
+	EXPECT_EQ(stream->info.user_name.iov_len, strlen("testuser"));
+	EXPECT_STREQ("testuser", (char *)stream->info.user_name.iov_base);
+	EXPECT_EQ(stream->info.password.iov_len, strlen("testuser"));
+	EXPECT_STREQ("testuser", (char *)stream->info.password.iov_base);
+	EXPECT_EQ(stream->client_state, SS_END);
+	EXPECT_EQ(stream->server_state, SS_END);
+
+	pcap_close(handle);
+	free(stream->info.user_name.iov_base);
+	free(stream->info.password.iov_base);
+	free(stream);
+}
+
+TEST(socks_decoder, socks5_auth_fail)
+{
+	char error[100];
+	struct pcap_loop_arg arg;
+	struct socks_tunnel_stream *stream = (struct socks_tunnel_stream *)calloc(1, sizeof(struct socks_tunnel_stream));
+	pcap_t * handle = pcap_open_offline("pcap/socks5_auth_failed.pcap", error);
+	ASSERT_NE(handle, nullptr);
+
+	memset(&arg, 0, sizeof(arg));
+	arg.stream = stream;
+	arg.pcap_handle = handle;
+
+	pcap_loop(handle, -1, (pcap_handler)pcap_handle_cb, (u_char *)&arg);
+
+	EXPECT_EQ(stream->client_state, SS_SUB);
+	EXPECT_EQ(stream->server_state, SS_FAILED);
+
+	pcap_close(handle);
+	free(stream->info.user_name.iov_base);
+	free(stream->info.password.iov_base);
+	free(stream);
+}
+
+int main(int argc, char **argv)
+{
+	testing::InitGoogleTest(&argc, argv);
+
+	socks_decoder_info = (struct socks_decoder_info *)calloc(1, sizeof(struct socks_decoder_info));
+	
+	int result = RUN_ALL_TESTS();
+
+	free(socks_decoder_info);
+
+	return result;
+}
+\ No newline at end of file
diff --git a/test/decoders/socks/socks_decoder_test_plugin.cpp b/test/decoders/socks/socks_decoder_test_plugin.cpp
new file mode 100644
index 0000000..7edcf8d
--- /dev/null
+++ b/test/decoders/socks/socks_decoder_test_plugin.cpp
@@ -0,0 +1,88 @@
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <arpa/inet.h>
+
+extern "C" {
+#include "stellar/stellar.h"
+#include "stellar/session.h"
+#include "stellar/stellar_mq.h"
+#include "stellar/stellar_exdata.h"
+}
+
+#include "cJSON.h"
+#include "socks_decoder.h"
+
+extern "C" int commit_test_result_json(cJSON *node, const char *name);
+#define unused(x) ((void)(x))
+
+
+int g_test_socks_decoder_plugin_id = 0;
+int g_socks_message_topic_id = 0;
+
+void *ctx_new(struct session *session, void *plugin_env)
+{
+	unused(plugin_env);
+	unused(session);
+
+	cJSON *root = cJSON_CreateObject();
+	return (void *)root;
+}
+
+void ctx_free(struct session *sess, void *session_ctx, void *plugin_env)
+{
+	unused(sess);
+	unused(plugin_env);
+	
+	commit_test_result_json((cJSON *)session_ctx, "socks_decoder_test");
+}
+
+static void append_json(cJSON *root, struct socks_info *info)
+{
+    cJSON *json_stream = cJSON_CreateObject();
+
+    cJSON_AddStringToObject(json_stream, "version", info->version == SOCKS_VERSION_4 ? "SOCKS4" : "SOCKS5");
+
+    char ip_str[INET6_ADDRSTRLEN] = {0};
+    if (info->dst_addr.type == SOCKS_ADDR_IPV4) {
+        inet_ntop(AF_INET, &info->dst_addr.ipv4, ip_str, INET_ADDRSTRLEN);
+    } else if (info->dst_addr.type == SOCKS_ADDR_IPV6) {
+        inet_ntop(AF_INET6, info->dst_addr.ipv6, ip_str, INET6_ADDRSTRLEN);
+    } else {
+        memcpy(ip_str, info->dst_addr.fqdn.iov_base, info->dst_addr.fqdn.iov_len);
+    }
+    cJSON_AddStringToObject(json_stream, "dst_addr", ip_str);
+    cJSON_AddNumberToObject(json_stream, "dst_port", ntohs(info->dst_addr.port));
+    cJSON_AddStringToObject(json_stream, "user_name", (char *)info->user_name.iov_base);
+    cJSON_AddStringToObject(json_stream, "password", (char *)info->password.iov_base);
+
+    cJSON_AddItemToObject(root, "socks_info", json_stream);
+}
+
+void test_socks_decoder_on_message(struct session *session, int topic_id, const void *msg, void *per_session_ctx, void *plugin_env)
+{
+    unused(plugin_env);
+	unused(session);
+	unused(topic_id);
+
+    struct socks_info *info = (struct socks_info *)msg;
+    cJSON *json_root = (cJSON *)per_session_ctx;
+
+    append_json(json_root, info);
+}
+
+extern "C" void *SOCKS_DECODER_TEST_PLUG_INIT(struct stellar *st)
+{
+    g_test_socks_decoder_plugin_id = stellar_session_plugin_register(st, ctx_new, ctx_free, NULL);
+    g_socks_message_topic_id = stellar_mq_get_topic_id(st, SOCKS_MESSAGE_TOPIC);
+
+    stellar_session_mq_subscribe(st, g_socks_message_topic_id, test_socks_decoder_on_message, g_test_socks_decoder_plugin_id);
+
+
+    return NULL;
+}
+
+extern "C" void SOCKS_DECODER_TEST_PLUG_DESTROY(void *plugin_env)
+{
+    unused(plugin_env);
+}
+\ No newline at end of file
diff --git a/test/decoders/socks/test_based_on_stellar/CMakeLists.txt b/test/decoders/socks/test_based_on_stellar/CMakeLists.txt
new file mode 100644
index 0000000..2a3bc25
--- /dev/null
+++ b/test/decoders/socks/test_based_on_stellar/CMakeLists.txt
@@ -0,0 +1,37 @@
+set(DECODER_NAME socks)
+
+set(TEST_RUN_DIR ${CMAKE_BINARY_DIR}/test/decoders/socks)
+set(SAPP_DEVEL_DIR ${TEST_RUN_DIR}/lib)
+set(TEST_MAIN socks_test_main)
+
+include_directories(${CMAKE_SOURCE_DIR}/include)
+include_directories(${CMAKE_SOURCE_DIR}/test)
+include_directories(/usr/local/include/cjson)
+include_directories(/opt/tsg/framework/include/stellar)
+include_directories(/opt/MESA/include/MESA)
+include_directories(/opt/tsg/stellar/include/)
+
+#various ways to add -rdynamic for centos7, centos8, and different cmake version
+add_definitions(-rdynamic)
+link_directories(${SAPP_DEVEL_DIR})
+
+# assemble test env
+add_test(NAME SOCKS_MKDIR_METRIC COMMAND sh -c "mkdir -p ${TEST_RUN_DIR}/metrics; mkdir -p ${TEST_RUN_DIR}/plugin; mkdir -p ${TEST_RUN_DIR}/log; mkdir -p ${TEST_RUN_DIR}/pcap")
+add_test(NAME SOCKS_COPY_SPEC COMMAND sh -c "mkdir -p ${TEST_RUN_DIR}/plugin/ && cp ${CMAKE_CURRENT_SOURCE_DIR}/env/spec.toml ${TEST_RUN_DIR}/plugin/spec.toml")
+add_test(NAME SOCKS_COPY_CONF COMMAND sh -c "mkdir -p ${TEST_RUN_DIR}/conf/ && cp ${CMAKE_CURRENT_SOURCE_DIR}/env/stellar.toml ${TEST_RUN_DIR}/conf/stellar.toml")
+add_test(NAME SOCKS_COPY_LOG_CONF COMMAND sh -c "mkdir -p ${TEST_RUN_DIR}/conf/ && cp ${CMAKE_CURRENT_SOURCE_DIR}/env/log.toml ${TEST_RUN_DIR}/conf/log.toml")
+
+# update plugin to be tested
+add_test(NAME SOCKS_CP_DECODER_SO COMMAND sh -c "cp ${CMAKE_BINARY_DIR}/decoders/socks/socks_dyn.so ${TEST_RUN_DIR}/plugin/${DECODER_NAME}.so")
+add_test(NAME SOCKS_CP_DECODER_GTEST_SO COMMAND sh -c "cp ${CMAKE_BINARY_DIR}/test/decoders/socks/${DECODER_NAME}_test.so ${TEST_RUN_DIR}/plugin/${DECODER_NAME}_test.so")
+
+set_tests_properties(SOCKS_MKDIR_METRIC SOCKS_COPY_SPEC  
+                    SOCKS_COPY_CONF SOCKS_COPY_LOG_CONF 
+                    SOCKS_CP_DECODER_SO SOCKS_CP_DECODER_GTEST_SO 
+                    PROPERTIES FIXTURES_SETUP TestFixture)
+
+set(TEST_PCAP_DIR ${PROJECT_SOURCE_DIR}/test/decoders/socks/pcap)        
+
+# run tests
+add_test(NAME SOCKS_DECODER_PLUGIN_TEST COMMAND sh -c "ln -sf ${TEST_PCAP_DIR}/socks4_nest_socks4a.pcap ${TEST_RUN_DIR}/pcap/test.pcap; ./${TEST_MAIN} ${TEST_PCAP_DIR}/result.json"  WORKING_DIRECTORY ${TEST_RUN_DIR})
+
diff --git a/test/decoders/socks/test_based_on_stellar/env/log.toml b/test/decoders/socks/test_based_on_stellar/env/log.toml
new file mode 100644
index 0000000..a51abd8
--- /dev/null
+++ b/test/decoders/socks/test_based_on_stellar/env/log.toml
@@ -0,0 +1,4 @@
+[log]
+output = "stderr"        # stderr, file
+file = "log/stellar.log"
+level = "ERROR"          # TRACE, DEBUG, INFO, WARN, ERROR, FATAL
diff --git a/test/decoders/socks/test_based_on_stellar/env/spec.toml b/test/decoders/socks/test_based_on_stellar/env/spec.toml
new file mode 100644
index 0000000..71e58b4
--- /dev/null
+++ b/test/decoders/socks/test_based_on_stellar/env/spec.toml
@@ -0,0 +1,9 @@
+[[plugin]]
+path = "./plugin/socks.so"
+init = "socks_decoder_init"
+exit = "socks_decoder_exit"
+
+[[plugin]]
+path = "./plugin/socks_test.so"
+init = "SOCKS_DECODER_TEST_PLUG_INIT"
+exit = "SOCKS_DECODER_TEST_PLUG_DESTROY"
diff --git a/test/decoders/socks/test_based_on_stellar/env/stellar.toml b/test/decoders/socks/test_based_on_stellar/env/stellar.toml
new file mode 100644
index 0000000..308c884
--- /dev/null
+++ b/test/decoders/socks/test_based_on_stellar/env/stellar.toml
@@ -0,0 +1,64 @@
+[instance]
+    id = 1 # range: [0, 4095] (20 bit)
+
+[packet_io]
+    mode = "pcapfile"                      # pcapfile, pcaplist, marsio
+    app_symbol = "stellar"
+    dev_symbol = "nf_0_fw"
+    pcap_path = "./pcap/test.pcap"
+    nr_worker_thread = 1                   # range: [1, 256]
+    cpu_mask = [5, 6, 7, 8, 9, 10, 11, 12]
+    idle_yield_interval_ms = 90           # range: [0, 60000] (ms)
+
+[ip_reassembly]
+    enable = 1
+    bucket_entries = 32 # range: [1, 4294967295] (must be power of 2)
+    bucket_num = 1024   # range: [1, 4294967295]
+
+    ip_frag_timeout_ms = 1000             # range: [1, 60000] (ms)
+    ip_frag_expire_polling_interval_ms = 0 # range: [0, 60000] (ms)
+    ip_frag_expire_polling_limit = 1024    # range: [1, 1024]
+
+[session_manager]
+    tcp_session_max = 500
+    udp_session_max = 500
+
+    evict_old_on_tcp_table_limit = 1 # range: [0, 1]
+    evict_old_on_udp_table_limit = 1 # range: [0, 1]
+
+    expire_period_ms = 0    # range: [0, 60000] (ms)
+    expire_batch_max = 1024 # range: [1, 1024]
+
+    [session_manager.tcp_timeout_ms]
+        init = 500             # range: [1, 60000] (ms)
+        handshake = 500        # range: [1, 60000] (ms)
+        data = 500             # range: [1, 15999999000] (ms)
+        half_closed = 500      # range: [1, 604800000] (ms)
+        time_wait = 500        # range: [1, 600000] (ms)
+        discard_default = 1000 # range: [1, 15999999000] (ms)
+        unverified_rst = 500   # range: [1, 600000] (ms)
+
+    [session_manager.udp_timeout_ms]
+        data = 500            # range: [1, 15999999000] (ms)
+        discard_default = 500 # range: [1, 15999999000] (ms)
+
+    [session_manager.duplicated_packet_bloom_filter]
+        enable = 0
+        capacity = 1000000     # range: [1, 4294967295]
+        time_window_ms = 10000 # range: [1, 60000] (ms)
+        error_rate = 0.00001   # range: [0.0, 1.0]
+
+    [session_manager.evicted_session_bloom_filter]
+        enable = 0             # range: [0, 1]
+        capacity = 1000000     # range: [1, 4294967295]
+        time_window_ms = 10000 # range: [1, 60000] (ms)
+        error_rate = 0.00001   # range: [0.0, 1.0]
+
+    [session_manager.tcp_reassembly]
+        enable = 1                  # range: [0, 1]
+        timeout_ms = 100          # range: [1, 60000] (ms)
+        buffered_segments_max = 256 # range: [2, 4096] per flow
+
+[stat]
+    merge_interval_ms = 500    # range: [0, 60000] (ms)
+    output_interval_ms = 1000  # range: [0, 60000] (ms)
diff --git a/test/decoders/stratum/CMakeLists.txt b/test/decoders/stratum/CMakeLists.txt
new file mode 100644
index 0000000..683efee
--- /dev/null
+++ b/test/decoders/stratum/CMakeLists.txt
@@ -0,0 +1,41 @@
+set(DECODER_NAME stratum)
+
+add_library(${DECODER_NAME}_test SHARED stratum_test_plugin.cpp)
+add_dependencies(${DECODER_NAME}_test ${DECODER_NAME})
+set_target_properties(${DECODER_NAME}_test PROPERTIES PREFIX "")
+
+set(TEST_RUN_DIR ${CMAKE_BINARY_DIR}/testing)
+
+include_directories(${CMAKE_SOURCE_DIR}/include)
+include_directories(${CMAKE_SOURCE_DIR}/src)
+include_directories(${CMAKE_SOURCE_DIR}/deps/toml)
+include_directories(${CMAKE_BINARY_DIR}/vendors/cjson/src/cjson/include)
+include_directories(${PROJECT_SOURCE_DIR}/decoders/stratum)
+include_directories(${PROJECT_SOURCE_DIR}/include/stellar)
+
+add_executable(gtest_pcap_stratum stratum_decoder_pcap_gtest.cpp dummy.c ${PROJECT_SOURCE_DIR}/decoders/stratum/stratum_decoder.cpp)
+target_link_libraries(gtest_pcap_stratum gtest pcap cjson-static logger)
+
+add_executable(stratum_test_main plugin_test_main.cpp)
+set_target_properties(stratum_test_main 
+    PROPERTIES 
+    LINK_OPTIONS 
+    "-rdynamic" 
+    )
+set_target_properties(stratum_test_main 
+    PROPERTIES 
+    LINK_FLAGS  
+    "-rdynamic" 
+    )
+set(LINK_FLAGS "-rdynamic")
+#target_link_options(stratum_test_main PRIVATE -Wl,--whole-archive logger -Wl,--no-whole-archive)
+set(CMAKE_VERBOSE_MAKEFILE ON)
+target_link_libraries(stratum_test_main gtest cjson-static logger stellar_lib)
+
+add_subdirectory(test_based_on_stellar)
+
+#copy pcap file folder to build directory
+file(COPY ${CMAKE_CURRENT_SOURCE_DIR}/pcap DESTINATION ${CMAKE_BINARY_DIR}/test/decoders/stratum)
+
+include(GoogleTest)
+gtest_discover_tests(gtest_pcap_stratum)
diff --git a/test/decoders/stratum/dummy.c b/test/decoders/stratum/dummy.c
new file mode 100644
index 0000000..0290c59
--- /dev/null
+++ b/test/decoders/stratum/dummy.c
@@ -0,0 +1,86 @@
+#include "stellar/stellar.h"
+#include "stellar/session.h"
+#include "stellar/stellar_mq.h"
+#include "stellar/stellar_exdata.h"
+
+#define UNUSED(x) (void)(x)
+
+void stellar_session_plugin_dettach_current_session(struct session *sess)
+{
+	UNUSED(sess);
+}
+
+const struct packet *session_get0_current_packet(const struct session *sess)
+{
+	UNUSED(sess);
+
+	return NULL;
+}
+
+const char *packet_get_payload(const struct packet *pkt)
+{
+	UNUSED(pkt);
+
+	return NULL;
+}
+
+uint16_t packet_get_payload_len(const struct packet *pkt)
+{
+	UNUSED(pkt);
+
+	return 0;
+}
+
+struct logger *stellar_get_logger(struct stellar *st)
+{
+	UNUSED(st);
+
+	return NULL;
+}
+
+int session_mq_publish_message(struct session *sess, int topic_id, void *msg)
+{
+	UNUSED(sess);
+	UNUSED(topic_id);
+	UNUSED(msg);
+
+	return 0;
+}
+
+int stellar_mq_create_topic(struct stellar *st, const char *topic_name, stellar_msg_free_cb_func *msg_free_cb, void *msg_free_arg)
+{
+	UNUSED(st);
+	UNUSED(topic_name);
+	UNUSED(msg_free_cb);
+	UNUSED(msg_free_arg);
+
+	return 0;
+}
+
+int stellar_mq_get_topic_id(struct stellar *st, const char *topic_name)
+{
+	UNUSED(st);
+    UNUSED(topic_name);
+
+    return 0;
+}
+
+int stellar_session_mq_subscribe(struct stellar *st, int topic_id, on_session_msg_cb_func *plugin_on_msg_cb, int plugin_id)
+{
+	UNUSED(st);
+	UNUSED(topic_id);
+	UNUSED(plugin_on_msg_cb);
+	UNUSED(plugin_id);
+
+	return 0;
+}
+
+int stellar_session_plugin_register(struct stellar *st, session_ctx_new_func session_ctx_new, session_ctx_free_func session_ctx_free, void *plugin_env)
+{
+	UNUSED(st);
+	UNUSED(session_ctx_new);
+	UNUSED(session_ctx_free);
+	UNUSED(plugin_env);
+
+	return 0;
+}
+\ No newline at end of file
diff --git a/test/decoders/stratum/pcap/01-bch_f2pool_cpuminer_1.pcapng b/test/decoders/stratum/pcap/01-bch_f2pool_cpuminer_1.pcapng
new file mode 100644
index 0000000..725aed7
--- /dev/null
+++ b/test/decoders/stratum/pcap/01-bch_f2pool_cpuminer_1.pcapng
diff --git a/test/decoders/stratum/pcap/02-eth-antpool.pcapng b/test/decoders/stratum/pcap/02-eth-antpool.pcapng
new file mode 100644
index 0000000..5902981
--- /dev/null
+++ b/test/decoders/stratum/pcap/02-eth-antpool.pcapng
diff --git a/test/decoders/stratum/pcap/03-xmr_f2pool_nanominer_1.pcapng b/test/decoders/stratum/pcap/03-xmr_f2pool_nanominer_1.pcapng
new file mode 100644
index 0000000..dfb0516
--- /dev/null
+++ b/test/decoders/stratum/pcap/03-xmr_f2pool_nanominer_1.pcapng
diff --git a/test/decoders/stratum/pcap/04-zec-antpool.pcapng b/test/decoders/stratum/pcap/04-zec-antpool.pcapng
new file mode 100644
index 0000000..d46ab7f
--- /dev/null
+++ b/test/decoders/stratum/pcap/04-zec-antpool.pcapng
diff --git a/test/decoders/stratum/pcap/stratum_result.json b/test/decoders/stratum/pcap/stratum_result.json
new file mode 100644
index 0000000..37747ed
--- /dev/null
+++ b/test/decoders/stratum/pcap/stratum_result.json
@@ -0,0 +1,11 @@
+[
+	{
+ 		"stratum":	
+		{
+			"Tuple4":	"192.168.50.243:58748-120.26.148.222:1228-6-0",
+			"type":	"OTHER",
+			"mining_program":	"cpuminer/2.5.1",
+			"mining_subscribe":	"{\"id\": 1, \"method\": \"mining.subscribe\", \"params\": [\"cpuminer/2.5.1\"]}\n"
+ 		}
+ 	}
+]
+\ No newline at end of file
diff --git a/test/decoders/stratum/plugin_test_main.cpp b/test/decoders/stratum/plugin_test_main.cpp
new file mode 100644
index 0000000..8f3d996
--- /dev/null
+++ b/test/decoders/stratum/plugin_test_main.cpp
@@ -0,0 +1,135 @@
+#include "cJSON.h"
+#include <gtest/gtest.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <assert.h>
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+#include "stellar/stellar.h"
+#ifdef __cplusplus
+}
+#endif
+
+// #define IGNORE_PRINTF
+#ifdef IGNORE_PRINTF
+#define printf(fmt, ...) (0)
+#endif
+static cJSON *g_test_result_root = NULL;
+static cJSON *g_load_result_root = NULL;
+static const char *result_json_path = NULL;
+
+extern "C" int commit_test_result_json(cJSON *node, const char *name)
+{
+	(void)name;
+	if (g_test_result_root)
+	{
+		// cJSON_AddItemToObject(g_test_result_root, name, node);
+		// cJSON_AddStringToObject(node, "name", name);
+		cJSON_AddItemToArray(g_test_result_root, node);
+		return 0;
+	}
+	return -1;
+}
+
+static cJSON *load_result_from_jsonfile(const char *json_path)
+{
+	if (json_path == NULL)
+		return NULL;
+
+	long file_len = 0;
+	char *file_content = NULL;
+	FILE *fp = NULL;
+
+	fp = fopen(json_path, "r+");
+	if (NULL == fp)
+	{
+		return NULL;
+	}
+	fseek(fp, 0, SEEK_END);
+	file_len = ftell(fp);
+	fseek(fp, 0, SEEK_SET);
+	if (file_len == 0)
+	{
+		fclose(fp);
+		return NULL;
+	}
+	file_content = (char *)malloc(file_len + 1);
+	fread(file_content, file_len, 1, fp);
+	file_content[file_len] = '\0';
+	cJSON *load = cJSON_Parse(file_content);
+	free(file_content);
+	fclose(fp);
+
+	return load;
+}
+
+TEST(PROTOCOL, compare_result_json)
+{
+	EXPECT_EQ(cJSON_GetArraySize(g_test_result_root), cJSON_GetArraySize(g_load_result_root));
+	int ret = cJSON_Compare(g_test_result_root, g_load_result_root, 0);
+	EXPECT_EQ(1, ret);
+
+	if (ret != 1)
+	{
+		char *load_json_str = cJSON_Print(g_load_result_root);
+		printf("LOAD Raw:\n%s\n", load_json_str);
+		free(load_json_str);
+		char *result_json_str = cJSON_Print(g_test_result_root);
+		printf("TEST Raw:\n%s\n", result_json_str);
+		free(result_json_str);
+
+		cJSON *t_load = g_load_result_root->child, *t_test = g_test_result_root->child;
+		while (t_load != NULL)
+		{
+			ret = cJSON_Compare(t_load, t_test, 0);
+			if (ret != 1)
+			{
+				load_json_str = cJSON_Print(t_load);
+				printf("LOAD Diff:\n%s\n", load_json_str);
+				free(load_json_str);
+				result_json_str = cJSON_Print(t_test);
+				printf("TEST Diff:\n%s\n", result_json_str);
+				free(result_json_str);
+				goto fail;
+			}
+			t_load = t_load->next;
+			t_test = t_test->next;
+		}
+	}
+	cJSON_Delete(g_load_result_root);
+	cJSON_Delete(g_test_result_root);
+	return;
+fail:
+	cJSON_Delete(g_load_result_root);
+	cJSON_Delete(g_test_result_root);
+	return;
+}
+
+int main(int argc, char *argv[])
+{
+	int ret = 0;
+	if (argc < 2)
+	{
+		printf("Usage: %s <result_json_path>\n", argv[0]);
+		result_json_path = NULL;
+	}
+	else
+	{
+		result_json_path = argv[1];
+		g_test_result_root = cJSON_CreateArray();
+		g_load_result_root = load_result_from_jsonfile(result_json_path);
+		assert(g_load_result_root != NULL && g_test_result_root != NULL);
+	}
+	::testing::InitGoogleTest(&argc, argv);
+	struct stellar *st = stellar_new("./conf/stellar.toml", "./plugin/spec.toml", "./conf/log.toml");
+	stellar_run(st);
+	if (result_json_path != NULL)
+	{
+		ret = RUN_ALL_TESTS();
+	}
+	stellar_free(st);
+	return ret;
+}
diff --git a/test/decoders/stratum/stratum_decoder_pcap_gtest.cpp b/test/decoders/stratum/stratum_decoder_pcap_gtest.cpp
new file mode 100644
index 0000000..a5c5b72
--- /dev/null
+++ b/test/decoders/stratum/stratum_decoder_pcap_gtest.cpp
@@ -0,0 +1,179 @@
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <netinet/ip.h>
+#include <netinet/ip6.h>
+#include <netinet/tcp.h>
+#include <netinet/ether.h>
+#include <pcap/sll.h>
+#include <pcap/pcap.h>
+#include "gtest/gtest.h"
+
+#include "stellar/stratum_decoder.h"
+
+#include <stellar/session.h>
+
+
+#define LINUX_COOKED_CAPTURE 20
+
+struct pcap_loop_arg
+{
+	pcap_t *pcap_handle;
+	void *ctx;
+};
+
+extern struct stratum_field *stratum_data_process(struct stratum_decoder_info *stratum_decoder_info, const char *tcpdata, size_t datalen);
+extern void free_stratum_filed(struct stratum_field *stratum_field);
+extern "C" void *stratum_decoder_init(struct stellar *st);
+
+struct stratum_decoder_info *stratum_decoder_info = NULL;
+
+static void pcap_handle_cb(pcap_loop_arg *userarg, const struct pcap_pkthdr *pkthdr, const u_char *packet)
+{
+	struct pcap_loop_arg *arg = (struct pcap_loop_arg *)userarg;
+	int payload_len = 0;
+	char *payload = NULL;
+	unsigned short eth_proto_type;
+	unsigned char *ip_header;
+
+	int data_link_type = pcap_datalink(arg->pcap_handle);
+	switch (data_link_type) {
+		case DLT_EN10MB:
+			eth_proto_type = ntohs(*(unsigned short *)(packet + 12));
+			ip_header = (unsigned char *)(packet + sizeof(struct ethhdr));
+			break;
+		case 276://DLT_LINUX_SLL2
+			eth_proto_type = ntohs(*(unsigned short *)packet);
+			ip_header = (unsigned char *)(packet + LINUX_COOKED_CAPTURE);
+			break;
+		default:
+			return;
+	}
+
+	if (eth_proto_type == ETH_P_IP) {
+		int l4_proto = *(unsigned char *)(ip_header + 9);
+		if (l4_proto == IPPROTO_TCP) {
+			int ip_total_len = ntohs(*(unsigned short *)(ip_header + 2));
+			int ip_header_len = (*(unsigned char *)ip_header & 0x0f) * 4;
+			int tcp_header_len = 4 * ((*(unsigned char *)(ip_header + sizeof(iphdr) + 12) & 0xf0) >> 4);
+			payload_len = ip_total_len - ip_header_len - tcp_header_len;
+			payload = (char *)ip_header + ip_header_len + tcp_header_len;
+		} else {
+			return;
+		}
+		
+	} else if (eth_proto_type == ETH_P_IPV6) {
+		int l4_proto = *(unsigned char *)(ip_header + 6);
+		if (l4_proto == IPPROTO_TCP) {
+			int tcp_header_len = 4 * ((*(unsigned char *)(ip_header + sizeof(struct ip6_hdr) + 12) & 0xf0) >> 4);
+			payload_len = pkthdr->caplen - (ip_header - packet) - sizeof(struct ip6_hdr) - tcp_header_len;
+			payload = (char *)ip_header + sizeof(struct ip6_hdr) + tcp_header_len;
+		} else {
+			return;
+		}
+	} else {
+		return;
+	}
+	
+    struct stratum_field *stratum = stratum_data_process(stratum_decoder_info, payload, payload_len);
+    if (stratum != NULL)
+    {
+        arg->ctx = stratum;
+        pcap_breakloop(arg->pcap_handle);
+    }
+}
+
+TEST(stratum_decoder, parse01)
+{
+    char error[100];
+    struct pcap_loop_arg arg;
+    pcap_t *handle = pcap_open_offline("pcap/01-bch_f2pool_cpuminer_1.pcapng", error);
+    ASSERT_NE(handle, nullptr);
+
+    memset(&arg, 0, sizeof(arg));
+    arg.pcap_handle = handle;
+    pcap_loop(handle, -1, (pcap_handler)pcap_handle_cb, (u_char *)&arg);
+
+    struct stratum_field *stratum = (struct stratum_field *)arg.ctx;
+    EXPECT_EQ(stratum->type, OTHER);
+    EXPECT_STREQ((const char *)stratum->mining_program.iov_base, "cpuminer/2.5.1");
+    EXPECT_EQ(stratum->mining_pools.iov_len, 0);
+    EXPECT_STREQ((const char *)stratum->mining_subscribe.iov_base, "{\"id\": 1, \"method\": \"mining.subscribe\", \"params\": [\"cpuminer/2.5.1\"]}\n");
+
+    pcap_close(handle);
+    free_stratum_filed(stratum);
+}
+
+TEST(stratum_decoder, parse02)
+{
+    char error[100];
+    struct pcap_loop_arg arg;
+    pcap_t *handle = pcap_open_offline("pcap/02-eth-antpool.pcapng", error);
+    ASSERT_NE(handle, nullptr);
+
+    memset(&arg, 0, sizeof(arg));
+    arg.pcap_handle = handle;
+    pcap_loop(handle, -1, (pcap_handler)pcap_handle_cb, (u_char *)&arg);
+
+    struct stratum_field *stratum = (struct stratum_field *)arg.ctx;
+    EXPECT_EQ(stratum->type, ETH);
+    EXPECT_STREQ((const char *)stratum->mining_program.iov_base, "lolMinerWorker");
+    EXPECT_EQ(stratum->mining_pools.iov_len, 0);
+    EXPECT_STREQ((const char *)stratum->mining_subscribe.iov_base, "{\"id\":1,\"jsonrpc\":\"2.0\",\"method\":\"eth_submitLogin\",\"worker\":\"lolMinerWorker\",\"params\":[\"0xa0279Ad2aA6BDb440f041Aa0947178431d9Bd253.lolMinerWorker\", \"x\"]} \n");
+
+    pcap_close(handle);
+    free_stratum_filed(stratum);
+}
+
+TEST(stratum_decoder, parse03)
+{
+    char error[100];
+    struct pcap_loop_arg arg;
+    pcap_t *handle = pcap_open_offline("pcap/03-xmr_f2pool_nanominer_1.pcapng", error);
+    ASSERT_NE(handle, nullptr);
+
+    memset(&arg, 0, sizeof(arg));
+    arg.pcap_handle = handle;
+    pcap_loop(handle, -1, (pcap_handler)pcap_handle_cb, (u_char *)&arg);
+
+    struct stratum_field *stratum = (struct stratum_field *)arg.ctx;
+    EXPECT_EQ(stratum->type, OTHER);
+    EXPECT_STREQ((const char *)stratum->mining_program.iov_base, "nanominer/3.3.5-cuda11");
+    EXPECT_EQ(stratum->mining_pools.iov_len, 0);
+    EXPECT_STREQ((const char *)stratum->mining_subscribe.iov_base, "{\"id\": 1, \"method\": \"login\", \"params\": { \"login\":\"yhzzhk.001.001\",\"pass\" : \"x\", \"agent\" : \"nanominer/3.3.5-cuda11\"}}\n");
+
+    pcap_close(handle);
+    free_stratum_filed(stratum);
+}
+
+TEST(stratum_decoder, parse04)
+{
+    char error[100];
+    struct pcap_loop_arg arg;
+    pcap_t *handle = pcap_open_offline("pcap/04-zec-antpool.pcapng", error);
+    ASSERT_NE(handle, nullptr);
+
+    memset(&arg, 0, sizeof(arg));
+    arg.pcap_handle = handle;
+    pcap_loop(handle, -1, (pcap_handler)pcap_handle_cb, (u_char *)&arg);
+
+    struct stratum_field *stratum = (struct stratum_field *)arg.ctx;
+    EXPECT_EQ(stratum->type, OTHER);
+    EXPECT_STREQ((const char *)stratum->mining_program.iov_base, "nheqminer/0.5c");
+    EXPECT_STREQ((const char*)stratum->mining_pools.iov_base, "stratum-zec.antpool.com");
+    EXPECT_STREQ((const char *)stratum->mining_subscribe.iov_base, "{\"id\":1,\"method\":\"mining.subscribe\",\"params\":[\"nheqminer/0.5c\", null,\"stratum-zec.antpool.com\",\"8899\"]}\n");
+
+    pcap_close(handle);
+    free_stratum_filed(stratum);
+}
+
+int main(int argc, char **argv)
+{
+	testing::InitGoogleTest(&argc, argv);
+	
+    stratum_decoder_info = (struct stratum_decoder_info*)stratum_decoder_init(NULL);
+
+	int result = RUN_ALL_TESTS();
+
+	return result;
+}
+\ No newline at end of file
diff --git a/test/decoders/stratum/stratum_test_plugin.cpp b/test/decoders/stratum/stratum_test_plugin.cpp
new file mode 100644
index 0000000..3ec563b
--- /dev/null
+++ b/test/decoders/stratum/stratum_test_plugin.cpp
@@ -0,0 +1,72 @@
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+
+#include "cJSON.h"
+#include "stellar/stellar.h"
+#include "stellar/session.h"
+#include "stellar/stellar_mq.h"
+#include "stellar/stellar_exdata.h"
+
+#include "stratum_decoder.h"
+
+#define unused(x) ((void)(x))
+extern "C" int commit_test_result_json(cJSON *node, const char *name);
+
+int g_test_stratum_decoder_plugin_id = 0;
+int g_stratum_message_topic_id = 0;
+
+void *ctx_new(struct session *session, void *plugin_env)
+{
+	unused(plugin_env);
+	unused(session);
+
+	cJSON *root = cJSON_CreateObject();
+	return (void *)root;
+}
+
+void ctx_free(struct session *sess, void *session_ctx, void *plugin_env)
+{
+	unused(sess);
+	unused(plugin_env);
+	
+	commit_test_result_json((cJSON *)session_ctx, "socks_decoder_test");
+}
+
+void test_stratum_decoder_on_message(struct session *session, int topic_id, const void *msg, void *per_session_ctx, void *plugin_env)
+{
+    unused(plugin_env);
+    unused(topic_id);
+
+    struct stratum_field *stratum = (struct stratum_field *)msg;
+    cJSON *root = (cJSON *)per_session_ctx;
+
+    cJSON *stratum_json = cJSON_CreateObject();
+    cJSON_AddItemToObject(root, "stratum", stratum_json);
+
+    cJSON_AddStringToObject(stratum_json, "Tuple4", session_get0_readable_addr(session));
+    cJSON_AddStringToObject(stratum_json, "type", stratum->type == ETH ? "ETH" : "OTHER");
+    cJSON_AddStringToObject(stratum_json, "mining_pools", (char *)stratum->mining_pools.iov_base);
+    cJSON_AddStringToObject(stratum_json, "mining_program", (char *)stratum->mining_program.iov_base);
+    cJSON_AddStringToObject(stratum_json, "mining_subscribe", (char *)stratum->mining_subscribe.iov_base);
+
+}
+
+extern "C" void *STRATUM_DECODER_TEST_PLUG_INIT(struct stellar *st)
+{
+    g_test_stratum_decoder_plugin_id = stellar_session_plugin_register(st, ctx_new, ctx_free, NULL);
+    g_stratum_message_topic_id = stellar_mq_get_topic_id(st, STRATUM_MESSAGE_TOPIC);
+
+    if (stellar_session_mq_subscribe(st, g_stratum_message_topic_id, test_stratum_decoder_on_message, g_test_stratum_decoder_plugin_id) < 0)
+    {
+        printf("subscribe topic %s failed\n", STRATUM_MESSAGE_TOPIC);
+        return NULL;
+    }
+
+    return NULL;
+}
+
+extern "C" void STRATUM_DECODER_TEST_PLUG_DESTROY(void * plugin_env)
+{
+    unused(plugin_env);
+}
+\ No newline at end of file
diff --git a/test/decoders/stratum/test_based_on_stellar/CMakeLists.txt b/test/decoders/stratum/test_based_on_stellar/CMakeLists.txt
new file mode 100644
index 0000000..1de14e5
--- /dev/null
+++ b/test/decoders/stratum/test_based_on_stellar/CMakeLists.txt
@@ -0,0 +1,37 @@
+set(DECODER_NAME stratum)
+
+set(TEST_RUN_DIR ${CMAKE_BINARY_DIR}/test/decoders/stratum)
+set(SAPP_DEVEL_DIR ${TEST_RUN_DIR}/lib)
+set(TEST_MAIN stratum_test_main)
+
+include_directories(${CMAKE_SOURCE_DIR}/include)
+include_directories(${CMAKE_SOURCE_DIR}/test)
+include_directories(/usr/local/include/cjson)
+include_directories(/opt/tsg/framework/include/stellar)
+include_directories(/opt/MESA/include/MESA)
+include_directories(/opt/tsg/stellar/include/)
+
+#various ways to add -rdynamic for centos7, centos8, and different cmake version
+add_definitions(-rdynamic)
+link_directories(${SAPP_DEVEL_DIR})
+
+# assemble test env
+add_test(NAME STRATUM_MKDIR_METRIC COMMAND sh -c "mkdir -p ${TEST_RUN_DIR}/metrics; mkdir -p ${TEST_RUN_DIR}/plugin; mkdir -p ${TEST_RUN_DIR}/log; mkdir -p ${TEST_RUN_DIR}/pcap")
+add_test(NAME STRATUM_COPY_SPEC COMMAND sh -c "mkdir -p ${TEST_RUN_DIR}/plugin/ && cp ${CMAKE_CURRENT_SOURCE_DIR}/env/spec.toml ${TEST_RUN_DIR}/plugin/spec.toml")
+add_test(NAME STRATUM_COPY_CONF COMMAND sh -c "mkdir -p ${TEST_RUN_DIR}/conf/ && cp ${CMAKE_CURRENT_SOURCE_DIR}/env/stellar.toml ${TEST_RUN_DIR}/conf/stellar.toml")
+add_test(NAME STRATUM_COPY_LOG_CONF COMMAND sh -c "mkdir -p ${TEST_RUN_DIR}/conf/ && cp ${CMAKE_CURRENT_SOURCE_DIR}/env/log.toml ${TEST_RUN_DIR}/conf/log.toml")
+
+# update plugin to be tested
+add_test(NAME STRATUM_CP_DECODER_SO COMMAND sh -c "cp ${CMAKE_BINARY_DIR}/decoders/stratum/stratum_dyn.so ${TEST_RUN_DIR}/plugin/${DECODER_NAME}.so")
+add_test(NAME STRATUM_CP_DECODER_GTEST_SO COMMAND sh -c "cp ${CMAKE_BINARY_DIR}/test/decoders/stratum/${DECODER_NAME}_test.so ${TEST_RUN_DIR}/plugin/${DECODER_NAME}_test.so")
+
+set_tests_properties(STRATUM_MKDIR_METRIC STRATUM_COPY_SPEC  
+                    STRATUM_COPY_CONF STRATUM_COPY_LOG_CONF 
+                    STRATUM_CP_DECODER_SO STRATUM_CP_DECODER_GTEST_SO 
+                    PROPERTIES FIXTURES_SETUP TestFixture)
+
+set(TEST_PCAP_DIR ${PROJECT_SOURCE_DIR}/test/decoders/stratum/pcap)        
+
+# run tests
+add_test(NAME STRATUM_DECODER_PLUGIN_TEST COMMAND sh -c "ln -sf ${TEST_PCAP_DIR}/01-bch_f2pool_cpuminer_1.pcapng ${TEST_RUN_DIR}/pcap/test.pcap; ./${TEST_MAIN} ${TEST_PCAP_DIR}/stratum_result.json"  WORKING_DIRECTORY ${TEST_RUN_DIR})
+
diff --git a/test/decoders/stratum/test_based_on_stellar/env/log.toml b/test/decoders/stratum/test_based_on_stellar/env/log.toml
new file mode 100644
index 0000000..b5213d9
--- /dev/null
+++ b/test/decoders/stratum/test_based_on_stellar/env/log.toml
@@ -0,0 +1,4 @@
+[log]
+output = "stderr"        # stderr, file
+file = "log/stellar.log"
+level = "INFO"           # TRACE, DEBUG, INFO, WARN, ERROR, FATAL
diff --git a/test/decoders/stratum/test_based_on_stellar/env/spec.toml b/test/decoders/stratum/test_based_on_stellar/env/spec.toml
new file mode 100644
index 0000000..6eafab8
--- /dev/null
+++ b/test/decoders/stratum/test_based_on_stellar/env/spec.toml
@@ -0,0 +1,9 @@
+[[plugin]]
+path = "./plugin/stratum.so"
+init = "stratum_decoder_init"
+exit = "stratum_decoder_exit"
+
+[[plugin]]
+path = "./plugin/stratum_test.so"
+init = "STRATUM_DECODER_TEST_PLUG_INIT"
+exit = "STRATUM_DECODER_TEST_PLUG_DESTROY"
diff --git a/test/decoders/stratum/test_based_on_stellar/env/stellar.toml b/test/decoders/stratum/test_based_on_stellar/env/stellar.toml
new file mode 100644
index 0000000..308c884
--- /dev/null
+++ b/test/decoders/stratum/test_based_on_stellar/env/stellar.toml
@@ -0,0 +1,64 @@
+[instance]
+    id = 1 # range: [0, 4095] (20 bit)
+
+[packet_io]
+    mode = "pcapfile"                      # pcapfile, pcaplist, marsio
+    app_symbol = "stellar"
+    dev_symbol = "nf_0_fw"
+    pcap_path = "./pcap/test.pcap"
+    nr_worker_thread = 1                   # range: [1, 256]
+    cpu_mask = [5, 6, 7, 8, 9, 10, 11, 12]
+    idle_yield_interval_ms = 90           # range: [0, 60000] (ms)
+
+[ip_reassembly]
+    enable = 1
+    bucket_entries = 32 # range: [1, 4294967295] (must be power of 2)
+    bucket_num = 1024   # range: [1, 4294967295]
+
+    ip_frag_timeout_ms = 1000             # range: [1, 60000] (ms)
+    ip_frag_expire_polling_interval_ms = 0 # range: [0, 60000] (ms)
+    ip_frag_expire_polling_limit = 1024    # range: [1, 1024]
+
+[session_manager]
+    tcp_session_max = 500
+    udp_session_max = 500
+
+    evict_old_on_tcp_table_limit = 1 # range: [0, 1]
+    evict_old_on_udp_table_limit = 1 # range: [0, 1]
+
+    expire_period_ms = 0    # range: [0, 60000] (ms)
+    expire_batch_max = 1024 # range: [1, 1024]
+
+    [session_manager.tcp_timeout_ms]
+        init = 500             # range: [1, 60000] (ms)
+        handshake = 500        # range: [1, 60000] (ms)
+        data = 500             # range: [1, 15999999000] (ms)
+        half_closed = 500      # range: [1, 604800000] (ms)
+        time_wait = 500        # range: [1, 600000] (ms)
+        discard_default = 1000 # range: [1, 15999999000] (ms)
+        unverified_rst = 500   # range: [1, 600000] (ms)
+
+    [session_manager.udp_timeout_ms]
+        data = 500            # range: [1, 15999999000] (ms)
+        discard_default = 500 # range: [1, 15999999000] (ms)
+
+    [session_manager.duplicated_packet_bloom_filter]
+        enable = 0
+        capacity = 1000000     # range: [1, 4294967295]
+        time_window_ms = 10000 # range: [1, 60000] (ms)
+        error_rate = 0.00001   # range: [0.0, 1.0]
+
+    [session_manager.evicted_session_bloom_filter]
+        enable = 0             # range: [0, 1]
+        capacity = 1000000     # range: [1, 4294967295]
+        time_window_ms = 10000 # range: [1, 60000] (ms)
+        error_rate = 0.00001   # range: [0.0, 1.0]
+
+    [session_manager.tcp_reassembly]
+        enable = 1                  # range: [0, 1]
+        timeout_ms = 100          # range: [1, 60000] (ms)
+        buffered_segments_max = 256 # range: [2, 4096] per flow
+
+[stat]
+    merge_interval_ms = 500    # range: [0, 60000] (ms)
+    output_interval_ms = 1000  # range: [0, 60000] (ms)
author	root <[email protected]>	2024-09-03 07:01:58 +0000
committer	root <[email protected]>	2024-09-03 07:01:58 +0000
commit	6f1ac6b36b28d082cebf8e4c3eeedd592c1946f9 (patch)
tree	5c664bc282e5c01b634430531e43dae44dc50538 /test
parent	a8206cffc0ba55c6cb2b0b1054860ee28ec4a0b8 (diff)