authorIvan Nardi <12729895+IvanNardi@users.noreply.github.com>2024-05-09 21:18:18 +0200
committerGitHub <noreply@github.com>2024-05-09 21:18:18 +0200
commitd4650f0f817c8d1663284b7dd225df802104a60b (patch)
treeb89b00b37b9ad01212fa755e1f44d8d3e8b92eaf
parente4fd6e47a323923cf320880c2dd3bb1d149c4fbe (diff)
Raknet/RTP: avoid Raknet false positives and harden RTP heuristic (#2427)
There is some overlap between RTP and Raknet detection: give precedence to RTP logic. Consequences: * Raknet might require a few more packets for some flows (not a big issue) * some very small (1-2 pkts) Raknet flows are not classified (not sure what to do about that..)
-rw-r--r--src/include/ndpi_private.h2
-rw-r--r--src/include/ndpi_typedefs.h4
-rw-r--r--src/lib/protocols/raknet.c8
-rw-r--r--src/lib/protocols/rtp.c37
-rw-r--r--src/lib/protocols/stun.c2
-rw-r--r--tests/cfgs/default/pcap/false_positives.pcapngbin15404 -> 20276 bytes
-rw-r--r--tests/cfgs/default/result/false_positives.pcapng.out15
-rw-r--r--tests/cfgs/default/result/raknet.pcap.out32
8 files changed, 65 insertions, 35 deletions
diff --git a/src/include/ndpi_private.h b/src/include/ndpi_private.h
index 358138f70..65cdd9891 100644
--- a/src/include/ndpi_private.h
+++ b/src/include/ndpi_private.h
@@ -652,7 +652,7 @@ const uint8_t *get_crypto_data(struct ndpi_detection_module_struct *ndpi_struct,
/* RTP */
int is_valid_rtp_payload_type(uint8_t type);
-int is_rtp_or_rtcp(struct ndpi_detection_module_struct *ndpi_struct);
+int is_rtp_or_rtcp(struct ndpi_detection_module_struct *ndpi_struct, u_int16_t *seq);
u_int8_t rtp_get_stream_type(u_int8_t payloadType, ndpi_multimedia_flow_type *s_type);
/* Bittorrent */
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 9a65e292a..08b8e490f 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -930,6 +930,10 @@ struct ndpi_flow_udp_struct {
/* NDPI_PROTOCOL_RAKNET */
u_int32_t raknet_custom:1;
+ /* NDPI_PROTOCOL_RTP */
+ u_int16_t rtp_seq[2];
+ u_int8_t rtp_seq_set[2];
+
/* NDPI_PROTOCOL_EAQ */
u_int8_t eaq_pkt_id;
u_int32_t eaq_sequence;
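Review bot: The new `rtp_seq[2]` and `rtp_seq_set[2]` fields have no comment saying what they hold or how they are indexed. In the rtp.c hunks they are indexed by `packet->packet_direction` and written only while `rtp_stage == 0`, so a comment such as `/* seq of the RTP candidate seen at stage 0, per direction; valid only if rtp_seq_set[dir] */` would make that explicit for the next reader. If the size of this per-flow struct matters, `rtp_seq_set` could be two 1-bit fields like the neighbouring `raknet_custom:1`, though that is a layout choice for the maintainers. The struct starts and ends outside this hunk.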
diff --git a/src/lib/protocols/raknet.c b/src/lib/protocols/raknet.c
index 8aeaddc2d..b11107ec3 100644
--- a/src/lib/protocols/raknet.c
+++ b/src/lib/protocols/raknet.c
@@ -294,7 +294,9 @@ static void ndpi_search_raknet(struct ndpi_detection_module_struct *ndpi_struct,
/* We've dissected enough to be sure. */
if (frame_offset == packet->payload_packet_len)
{
- ndpi_int_raknet_add_connection(ndpi_struct, flow);
+ /* This packet might also be a RTP/RTCP one: give precedence to RTP/RTCP dissector */
+ if(flow->l4.udp.rtp_stage == 0 && flow->l4.udp.rtcp_stage == 0)
+ ndpi_int_raknet_add_connection(ndpi_struct, flow);
} else {
exclude_proto(ndpi_struct, flow);
}
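Review bot: The new guard `if(flow->l4.udp.rtp_stage == 0 && flow->l4.udp.rtcp_stage == 0)` appears to rely on the RTP dissector having already inspected this packet and updated its stage counters before `ndpi_search_raknet` runs, but nothing here states that ordering assumption. The comment could record it, e.g. `/* relies on the RTP dissector having run on this packet first; if it is still evaluating, leave the flow undecided */`. That wording also covers the case where the guard fails and the flow is neither added nor excluded, which looks intentional. The same three lines are repeated in the hunk at `@@ -363,7 +365,9`, so a small static helper would keep the two sites in sync. `ndpi_search_raknet` starts and ends outside both hunks.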
@@ -363,7 +365,9 @@ static void ndpi_search_raknet(struct ndpi_detection_module_struct *ndpi_struct,
if (record_index == record_count && record_offset == packet->payload_packet_len)
{
- ndpi_int_raknet_add_connection(ndpi_struct, flow);
+ /* This packet might also be a RTP/RTCP one: give precedence to RTP/RTCP dissector */
+ if(flow->l4.udp.rtp_stage == 0 && flow->l4.udp.rtcp_stage == 0)
+ ndpi_int_raknet_add_connection(ndpi_struct, flow);
} else {
exclude_proto(ndpi_struct, flow);
}
diff --git a/src/lib/protocols/rtp.c b/src/lib/protocols/rtp.c
index 9a4c15117..97e392f02 100644
--- a/src/lib/protocols/rtp.c
+++ b/src/lib/protocols/rtp.c
@@ -84,10 +84,10 @@ static int is_valid_rtcp_payload_type(uint8_t type)
return (type >= 192 && type <= 213);
}
-int is_rtp_or_rtcp(struct ndpi_detection_module_struct *ndpi_struct)
+int is_rtp_or_rtcp(struct ndpi_detection_module_struct *ndpi_struct, u_int16_t *seq)
{
struct ndpi_packet_struct *packet = &ndpi_struct->packet;
- u_int8_t padding, csrc_count, ext_header;
+ u_int8_t csrc_count, ext_header;
u_int16_t ext_len;
u_int32_t min_len;
const u_int8_t *payload = packet->payload;
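Review bot: `is_rtp_or_rtcp` gains an out-parameter with no comment on its contract. From the later hunk, `*seq` is written only on the `IS_RTP` return, and `seq` may be `NULL` (the stun.c caller passes `NULL`). A header comment such as `/* seq: optional; set to the RTP sequence number (host order) only when IS_RTP is returned */` would record that. The caller in `ndpi_rtp_search` declares `u_int16_t seq;` uninitialised and currently reads it only under `is_rtp == IS_RTP`; writing `u_int16_t seq = 0;` would keep a later reordering from reading an indeterminate value. The function body continues outside this hunk.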
@@ -105,7 +105,6 @@ int is_rtp_or_rtcp(struct ndpi_detection_module_struct *ndpi_struct)
payload_len >= RTP_MIN_HEADER) {
/* RTP */
csrc_count = payload[0] & 0x0F;
- padding = payload[0] & 0x20;
ext_header = !!(payload[0] & 0x10);
min_len = RTP_MIN_HEADER + 4 * csrc_count + 4 * ext_header;
if(ext_header) {
@@ -120,13 +119,11 @@ int is_rtp_or_rtcp(struct ndpi_detection_module_struct *ndpi_struct)
NDPI_LOG_DBG(ndpi_struct, "Too short (b) %d vs %d\n", min_len, payload_len);
return NO_RTP_RTCP;
}
- /* TODO: this check doesn't work if we have multiple RTP packets in the
- same UDP datagram */
- if(padding &&
- min_len + payload[payload_len - 1] > payload_len) {
- NDPI_LOG_DBG(ndpi_struct, "Invalid padding len %d\n", payload[payload_len - 1]);
- return NO_RTP_RTCP;
- }
+ /* Check on padding doesn't work because:
+ * we may have multiple RTP packets in the same TCP/UDP datagram
+ * with SRTP, padding_length field is encrypted */
+ if(seq)
+ *seq = ntohs(*(unsigned short *)&payload[2]);
return IS_RTP;
} else if(is_valid_rtcp_payload_type(payload[1]) &&
payload_len >= RTCP_MIN_HEADER) {
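Review bot: The sequence number is read with `ntohs(*(unsigned short *)&payload[2])`, which casts away `const` and dereferences a `u_int8_t` buffer as a wider type. `payload + 2` is not guaranteed to be 2-byte aligned, so on strict-alignment targets or under UBSan this is a misaligned, aliasing-violating load in code that parses packet data. Building the value from bytes avoids both problems: `*seq = (u_int16_t)((payload[2] << 8) | payload[3]);`. The two bytes are in range as long as `RTP_MIN_HEADER`, checked at the top of this branch, is at least 4; its value is not visible here. `is_rtp_or_rtcp` starts and ends outside the hunk.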
@@ -149,6 +146,7 @@ static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct,
u_int16_t d_port = ntohs(ndpi_struct->packet.udp->dest);
struct ndpi_packet_struct *packet = &ndpi_struct->packet;
const u_int8_t *payload = packet->payload;
+ u_int16_t seq;
NDPI_LOG_DBG(ndpi_struct, "search RTP (stage %d/%d)\n", flow->l4.udp.rtp_stage, flow->l4.udp.rtcp_stage);
@@ -173,13 +171,24 @@ static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct,
return;
}
- is_rtp = is_rtp_or_rtcp(ndpi_struct);
+ is_rtp = is_rtp_or_rtcp(ndpi_struct, &seq);
if(is_rtp == IS_RTP) {
+
if(flow->l4.udp.rtp_stage == 2) {
if(flow->l4.udp.line_pkts[0] >= 2 && flow->l4.udp.line_pkts[1] >= 2) {
/* It seems that it is a LINE stuff; let its dissector to evaluate */
} else if(flow->l4.udp.epicgames_stage > 0) {
/* It seems that it is a EpicGames stuff; let its dissector to evaluate */
+ } else if(flow->l4.udp.rtp_seq_set[packet->packet_direction] &&
+ flow->l4.udp.rtp_seq[packet->packet_direction] == seq) {
+ /* Simple heuristic to avoid false positives. tradeoff between:
+ * consecutive RTP packets should have different sequence number
+ * we should handle duplicated traffic */
+ NDPI_LOG_DBG(ndpi_struct, "Same seq on consecutive pkts\n");
+ flow->l4.udp.rtp_stage = 0;
+ flow->l4.udp.rtcp_stage = 0;
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ NDPI_EXCLUDE_PROTO_EXT(ndpi_struct, flow, NDPI_PROTOCOL_RTCP);
} else {
rtp_get_stream_type(payload[1] & 0x7F, &flow->flow_multimedia_type);
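Review bot: The comment and the log message `"Same seq on consecutive pkts\n"` describe a comparison between consecutive packets, but the code compares something narrower. `rtp_seq[dir]` is stored only while `rtp_stage == 0` (hunk at `@@ -190,6 +199,10`) and is checked only at `rtp_stage == 2`. So the packet seen at stage 1 is never recorded, and the check is skipped when the stage-2 packet travels in the other direction from the stage-0 packet. If that is the intended trade-off with duplicated traffic, the comment should say so, e.g. `/* compare with the seq recorded at stage 0 in the same direction; the stage-1 packet is not tracked */`. Otherwise the store would need to move out of the `rtp_stage == 0` condition. `ndpi_rtp_search` starts and ends outside this hunk.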
@@ -190,6 +199,10 @@ static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct,
}
return;
}
+ if(flow->l4.udp.rtp_stage == 0) {
+ flow->l4.udp.rtp_seq[packet->packet_direction] = seq;
+ flow->l4.udp.rtp_seq_set[packet->packet_direction] = 1;
+ }
flow->l4.udp.rtp_stage += 1;
} else if(is_rtp == IS_RTCP && flow->l4.udp.rtp_stage > 0) {
/* RTCP after (some) RTP. Keep looking for RTP */
@@ -210,6 +223,8 @@ static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct,
/* TODO: we should switch to the demultiplexing-code in stun dissector */
if(!is_stun(ndpi_struct, flow, &app_proto) &&
!is_dtls(packet->payload, packet->payload_packet_len, &unused)) {
+ flow->l4.udp.rtp_stage = 0;
+ flow->l4.udp.rtcp_stage = 0;
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
NDPI_EXCLUDE_PROTO_EXT(ndpi_struct, flow, NDPI_PROTOCOL_RTCP);
}
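Review bot: The four-line sequence that zeroes `rtp_stage` and `rtcp_stage` and then calls `NDPI_EXCLUDE_PROTO` and `NDPI_EXCLUDE_PROTO_EXT` now appears twice in `ndpi_rtp_search`, here and in the same-seq branch of the hunk at `@@ -173,13 +171,24`. The Raknet dissector now claims a flow only when both stages are 0, so an exclusion path that skips the reset would leave such a flow unclassified with no visible error. Moving the sequence into one static helper, with a comment like `/* stages must be 0 after exclusion: raknet.c checks them before claiming the flow */`, keeps that coupling in one place. Any other exclusion path in this function outside the visible hunks would need the same reset. The function starts and ends outside this hunk.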
diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c
index 0cc0d1d80..d12a51843 100644
--- a/src/lib/protocols/stun.c
+++ b/src/lib/protocols/stun.c
@@ -789,7 +789,7 @@ static int stun_search_again(struct ndpi_detection_module_struct *ndpi_struct,
NDPI_LOG_DBG(ndpi_struct, "QUIC range. Unexpected\n");
} else if(first_byte <= 191) {
- rtp_rtcp = is_rtp_or_rtcp(ndpi_struct);
+ rtp_rtcp = is_rtp_or_rtcp(ndpi_struct, NULL);
if(rtp_rtcp == IS_RTP) {
NDPI_LOG_DBG(ndpi_struct, "RTP (dir %d)\n", packet->packet_direction);
NDPI_LOG_INFO(ndpi_struct, "Found RTP over STUN\n");
diff --git a/tests/cfgs/default/pcap/false_positives.pcapng b/tests/cfgs/default/pcap/false_positives.pcapng
index 6a89d0aed..ed2a92061 100644
--- a/tests/cfgs/default/pcap/false_positives.pcapng
+++ b/tests/cfgs/default/pcap/false_positives.pcapng
Binary files differ
diff --git a/tests/cfgs/default/result/false_positives.pcapng.out b/tests/cfgs/default/result/false_positives.pcapng.out
index 18052fb75..bcbe6c9f6 100644
--- a/tests/cfgs/default/result/false_positives.pcapng.out
+++ b/tests/cfgs/default/result/false_positives.pcapng.out
@@ -1,6 +1,6 @@
-DPI Packets (UDP): 6 (3.00 pkts/flow)
-Confidence DPI : 2 (flows)
-Num dissector calls: 311 (155.50 diss/flow)
+DPI Packets (UDP): 9 (3.00 pkts/flow)
+Confidence DPI : 3 (flows)
+Num dissector calls: 467 (155.67 diss/flow)
LRU cache ookla: 0/0/0 (insert/search/found)
LRU cache bittorrent: 0/0/0 (insert/search/found)
LRU cache stun: 0/0/0 (insert/search/found)
@@ -13,16 +13,17 @@ Automa domain: 0/0 (search/found)
Automa tls cert: 0/0 (search/found)
Automa risk mask: 0/0 (search/found)
Automa common alpns: 0/0 (search/found)
-Patricia risk mask: 2/0 (search/found)
+Patricia risk mask: 4/0 (search/found)
Patricia risk mask IPv6: 0/0 (search/found)
Patricia risk: 0/0 (search/found)
Patricia risk IPv6: 0/0 (search/found)
-Patricia protocols: 4/0 (search/found)
+Patricia protocols: 6/0 (search/found)
Patricia protocols IPv6: 0/0 (search/found)
-RTP 60 13200 2
+RTP 90 17049 3
-Acceptable 60 13200 2
+Acceptable 90 17049 3
1 UDP 10.192.92.81:52070 <-> 10.136.43.69:21048 [VLAN: 20][proto: 87/RTP][IP: 0/Unknown][Stream Content: Audio][ClearText][Confidence: DPI][DPI packets: 3][cat: Media/1][15 pkts/3330 bytes <-> 15 pkts/3330 bytes][Goodput ratio: 77/77][0.30 sec][bytes ratio: 0.000 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 19/19 19/19 20/20 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 222/222 222/222 222/222 0/0][PLAIN TEXT (UUUUUUUUUUUUU)][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
2 UDP 10.126.70.67:23784 <-> 10.236.7.225:50160 [VLAN: 107][proto: 87/RTP][IP: 0/Unknown][Stream Content: Audio][ClearText][Confidence: DPI][DPI packets: 3][cat: Media/1][18 pkts/3924 bytes <-> 12 pkts/2616 bytes][Goodput ratio: 79/79][0.34 sec][bytes ratio: 0.200 (Upload)][IAT c2s/s2c min/avg/max/stddev: 19/19 20/20 20/20 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 218/218 218/218 218/218 0/0][PLAIN TEXT (UUUUUUUUU)][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 3 UDP 10.102.45.249:31046 <-> 10.133.48.100:21176 [VLAN: 10][proto: GTP:87/RTP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 3][cat: Media/1][22 pkts/2860 bytes <-> 8 pkts/989 bytes][Goodput ratio: 34/30][0.44 sec][bytes ratio: 0.486 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/19 22/19 44/20 15/0][Pkt Len c2s/s2c min/avg/max/stddev: 130/113 130/124 130/130 0/8][Plen Bins: 10,90,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/cfgs/default/result/raknet.pcap.out b/tests/cfgs/default/result/raknet.pcap.out
index 05e74d498..1de876cd1 100644
--- a/tests/cfgs/default/result/raknet.pcap.out
+++ b/tests/cfgs/default/result/raknet.pcap.out
@@ -1,28 +1,31 @@
-DPI Packets (UDP): 24 (2.00 pkts/flow)
-Confidence DPI : 12 (flows)
-Num dissector calls: 1511 (125.92 diss/flow)
+DPI Packets (UDP): 26 (2.17 pkts/flow)
+Confidence Unknown : 2 (flows)
+Confidence DPI : 10 (flows)
+Num dissector calls: 1711 (142.58 diss/flow)
LRU cache ookla: 0/0/0 (insert/search/found)
-LRU cache bittorrent: 0/0/0 (insert/search/found)
+LRU cache bittorrent: 0/6/0 (insert/search/found)
LRU cache stun: 0/0/0 (insert/search/found)
LRU cache tls_cert: 0/0/0 (insert/search/found)
-LRU cache mining: 0/0/0 (insert/search/found)
+LRU cache mining: 0/2/0 (insert/search/found)
LRU cache msteams: 0/0/0 (insert/search/found)
-LRU cache stun_zoom: 0/0/0 (insert/search/found)
+LRU cache stun_zoom: 0/2/0 (insert/search/found)
Automa host: 0/0 (search/found)
Automa domain: 0/0 (search/found)
Automa tls cert: 0/0 (search/found)
Automa risk mask: 0/0 (search/found)
Automa common alpns: 0/0 (search/found)
-Patricia risk mask: 18/0 (search/found)
+Patricia risk mask: 14/0 (search/found)
Patricia risk mask IPv6: 0/0 (search/found)
Patricia risk: 0/0 (search/found)
Patricia risk IPv6: 0/0 (search/found)
Patricia protocols: 24/0 (search/found)
Patricia protocols IPv6: 0/0 (search/found)
-RakNet 66 9600 12
+Unknown 2 314 2
+RakNet 64 9286 10
-Fun 66 9600 12
+Fun 64 9286 10
+Unrated 2 314 2
1 UDP 192.168.2.100:60689 <-> 148.153.35.205:60028 [proto: 286/RakNet][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 3][cat: Game/8][8 pkts/2036 bytes <-> 7 pkts/577 bytes][Goodput ratio: 83/44][0.13 sec][bytes ratio: 0.558 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/10 14/16 30/21 11/5][Pkt Len c2s/s2c min/avg/max/stddev: 49/60 254/82 1506/152 474/31][Plen Bins: 60,20,0,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0]
2 UDP 192.168.2.100:32951 <-> 148.153.35.205:60021 [proto: 286/RakNet][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 3][cat: Game/8][8 pkts/2039 bytes <-> 7 pkts/563 bytes][Goodput ratio: 83/44][0.11 sec][bytes ratio: 0.567 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 13/12 25/21 10/9][Pkt Len c2s/s2c min/avg/max/stddev: 49/60 255/80 1506/152 474/30][Plen Bins: 60,20,0,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0]
@@ -31,8 +34,11 @@ Fun 66 9600 12
5 UDP 192.168.2.100:44501 -> 148.153.35.205:59935 [proto: 286/RakNet][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 3][cat: Game/8][3 pkts/237 bytes -> 0 pkts/0 bytes][Goodput ratio: 47/0][120.00 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (3333333333333333)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
6 UDP 148.153.35.205:60025 -> 192.168.2.100:32951 [proto: 286/RakNet][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 3][cat: Game/8][3 pkts/231 bytes -> 0 pkts/0 bytes][Goodput ratio: 45/0][0.02 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
7 UDP 192.168.2.100:32952 -> 148.153.35.205:60021 [proto: 286/RakNet][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 3][cat: Game/8][3 pkts/228 bytes -> 0 pkts/0 bytes][Goodput ratio: 45/0][0.00 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 8 UDP 192.168.2.100:32953 -> 148.153.35.205:60021 [proto: 286/RakNet][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Game/8][3 pkts/210 bytes -> 0 pkts/0 bytes][Goodput ratio: 40/0][0.05 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 8 UDP 192.168.2.100:32953 -> 148.153.35.205:60021 [proto: 286/RakNet][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 3][cat: Game/8][3 pkts/210 bytes -> 0 pkts/0 bytes][Goodput ratio: 40/0][0.05 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
9 UDP 148.153.35.205:60005 -> 192.168.2.100:32951 [proto: 286/RakNet][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Game/8][3 pkts/180 bytes -> 0 pkts/0 bytes][Goodput ratio: 17/0][0.01 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 10 UDP 192.168.2.100:60690 -> 148.153.35.205:60028 [proto: 286/RakNet][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Game/8][1 pkts/162 bytes -> 0 pkts/0 bytes][Goodput ratio: 74/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 11 UDP 148.153.35.205:43582 -> 192.168.2.100:44501 [proto: 286/RakNet][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Game/8][1 pkts/152 bytes -> 0 pkts/0 bytes][Goodput ratio: 72/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 12 UDP 192.168.2.100:44501 -> 148.153.35.205:60031 [proto: 286/RakNet][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Game/8][1 pkts/65 bytes -> 0 pkts/0 bytes][Goodput ratio: 35/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 10 UDP 192.168.2.100:44501 -> 148.153.35.205:60031 [proto: 286/RakNet][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Game/8][1 pkts/65 bytes -> 0 pkts/0 bytes][Goodput ratio: 35/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+
+
+Undetected flows:
+ 1 UDP 192.168.2.100:60690 -> 148.153.35.205:60028 [proto: 0/Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][DPI packets: 1][1 pkts/162 bytes -> 0 pkts/0 bytes][Goodput ratio: 74/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 2 UDP 148.153.35.205:43582 -> 192.168.2.100:44501 [proto: 0/Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][DPI packets: 1][1 pkts/152 bytes -> 0 pkts/0 bytes][Goodput ratio: 72/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]