Graph file: global_stats.py
Main fields:
conn.flows[0].attr[co.SOCKS_PORT] # The port number in the initial SOCKS command
conn.flows[*].attr[direction][co.DATA_BYTES] # Number of total bytes seen by tstat
The script just counts the number of connections and the number of bytes associated with each SOCKS port.
To obtain the real port fetched by the application, the SOCKS command must be parsed.
The format of the SOCKS command sent by the client at the beginning of the connection is shown here.
+------------------+--------------------------+----------------------------+
| Command (1 Byte) | Destination IP (4 Bytes) | Destination Port (2 Bytes) |
+------------------+--------------------------+----------------------------+
If the packet has 7 data bytes and the first decoded byte (according to the SOCKS scheme) is 0x01, then the last two decoded bytes indicate the destination port.
This is done during packet analysis with dpkt; see tcp.py and socks_parser.py for details.
Notice that, similarly to the port, the SOCKS destination IP is also extracted from the same command.
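The following is an added example, not code from global_stats.py or socks_parser.py: it parses the 7-byte command laid out above (command byte, 4-byte IPv4 address, 2-byte big-endian port) from already-decoded data bytes, skips anything that does not match the 7-byte / 0x01 rule, and tallies connections and bytes per destination port the way the script's counting is described. The function names and the sample connections are assumptions constructed for the example.

```python
import struct
from collections import defaultdict

# Layout from the table above: 1-byte command, 4-byte IPv4, 2-byte port (network order)
SOCKS_CMD_LEN = 7
SOCKS_CMD_IPV4 = 0x01


def parse_socks_command(payload: bytes):
    """Return (ip, port) for a 7-byte command whose first byte is 0x01, else None.

    `payload` is assumed to be the already-decoded data bytes of the first
    packet of the connection; the page states the check is done on the
    decoded bytes, so no decryption is attempted here.
    """
    if len(payload) != SOCKS_CMD_LEN or payload[0] != SOCKS_CMD_IPV4:
        return None  # not a well-formed IPv4 SOCKS command
    _cmd, a, b, c, d, port = struct.unpack("!B4BH", payload)
    return f"{a}.{b}.{c}.{d}", port


def tally_by_port(connections):
    """connections: iterable of (first_payload, data_bytes) -> {port: (n_conns, n_bytes)}"""
    stats = defaultdict(lambda: [0, 0])
    for payload, nbytes in connections:
        parsed = parse_socks_command(payload)
        if parsed is None:
            continue  # malformed or non-IPv4 command: not attributed to any port
        _ip, port = parsed
        stats[port][0] += 1
        stats[port][1] += nbytes
    return {port: tuple(v) for port, v in stats.items()}


# Constructed sample: two connections to port 443, one to port 80, one malformed
SAMPLE = [
    (bytes([0x01, 93, 184, 216, 34, 0x01, 0xBB]), 1500),
    (bytes([0x01, 93, 184, 216, 34, 0x01, 0xBB]), 2500),
    (bytes([0x01, 10, 0, 0, 5, 0x00, 0x50]), 300),
    (b"\x03\x05hello", 42),  # wrong length and type byte, ignored by the tally
]

if __name__ == "__main__":
    for port, (n, nbytes) in sorted(tally_by_port(SAMPLE).items()):
        print(f"port {port}: {n} connections, {nbytes} bytes")
```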