authorToni <matzeton@googlemail.com>2022-04-24 13:08:57 +0200
committerGitHub <noreply@github.com>2022-04-24 13:08:57 +0200
commitac0f50b56115acc7c8107d9b2661cac6b0d7bf2b (patch)
tree153bce02758a0aee485022ddb0e62e475e8a1ad8
parent9d31b7450bea4f6677179fd3b4837e0afd331e70 (diff)
Added RakNet protocol dissector. (#1527)
* Frame Set PDU's do not get fully dissected for the sake of simplicity Signed-off-by: lns <matzeton@googlemail.com>
-rw-r--r--src/include/ndpi_protocol_ids.h1
-rw-r--r--src/include/ndpi_protocols.h1
-rw-r--r--src/lib/ndpi_main.c7
-rw-r--r--src/lib/protocols/raknet.c346
-rw-r--r--tests/pcap/raknet.pcapbin0 -> 10680 bytes
-rw-r--r--tests/result/raknet.pcap.out19
-rw-r--r--tests/result/synscan.pcap.out4
7 files changed, 376 insertions, 2 deletions
diff --git a/src/include/ndpi_protocol_ids.h b/src/include/ndpi_protocol_ids.h
index f8f1ba919..082db5cd0 100644
--- a/src/include/ndpi_protocol_ids.h
+++ b/src/include/ndpi_protocol_ids.h
@@ -314,6 +314,7 @@ typedef enum {
NDPI_PROTOCOL_CYBERSECURITY = 283, /* Cybersecurity companies */
NDPI_PROTOCOL_GOOGLE_CLOUD = 284,
NDPI_PROTOCOL_TENCENT = 285,
+ NDPI_PROTOCOL_RAKNET = 286,
#ifdef CUSTOM_NDPI_PROTOCOLS
#include "../../../nDPI-custom/custom_ndpi_protocol_ids.h"
diff --git a/src/include/ndpi_protocols.h b/src/include/ndpi_protocols.h
index 4e9509cac..ea83f13ec 100644
--- a/src/include/ndpi_protocols.h
+++ b/src/include/ndpi_protocols.h
@@ -223,6 +223,7 @@ void init_cassandra_dissector(struct ndpi_detection_module_struct *ndpi_struct,
void init_ethernet_ip_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
void init_toca_boca_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
void init_sd_rtn_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
+void init_raknet_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
/* ndpi_main.c */
extern u_int32_t ndpi_ip_port_hash_funct(u_int32_t ip, u_int16_t port);
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 3d4f7e96c..9432ce64b 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -1862,6 +1862,10 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
"Tencent", NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK,
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
+ ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_RAKNET,
+ "RakNet", NDPI_PROTOCOL_CATEGORY_GAME,
+ ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */
+ ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
#ifdef CUSTOM_NDPI_PROTOCOLS
#include "../../../nDPI-custom/custom_ndpi_main.c"
@@ -4338,6 +4342,9 @@ static int ndpi_callback_init(struct ndpi_detection_module_struct *ndpi_str) {
/* SD-RTN Software Defined Real-time Network */
init_sd_rtn_dissector(ndpi_str, &a, detection_bitmask);
+ /* RakNet */
+ init_raknet_dissector(ndpi_str, &a, detection_bitmask);
+
#ifdef CUSTOM_NDPI_PROTOCOLS
#include "../../../nDPI-custom/custom_ndpi_main_init.c"
#endif
diff --git a/src/lib/protocols/raknet.c b/src/lib/protocols/raknet.c
new file mode 100644
index 000000000..6df9d0ecd
--- /dev/null
+++ b/src/lib/protocols/raknet.c
@@ -0,0 +1,346 @@
+/*
+ * raknet.c
+ *
+ * Copyright (C) 2011-22 - ntop.org
+ *
+ * nDPI is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * nDPI is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with nDPI. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include "ndpi_protocol_ids.h"
+
+#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_RAKNET
+
+#include "ndpi_api.h"
+
+static void ndpi_int_raknet_add_connection(struct ndpi_detection_module_struct * const ndpi_struct,
+ struct ndpi_flow_struct * const flow)
+{
+ NDPI_LOG_INFO(ndpi_struct, "found RakNet\n");
+ ndpi_set_detected_protocol(ndpi_struct, flow,
+ NDPI_PROTOCOL_RAKNET,
+ NDPI_PROTOCOL_UNKNOWN,
+ NDPI_CONFIDENCE_DPI);
+}
+
+static size_t raknet_dissect_ip(struct ndpi_packet_struct * const packet, size_t offset)
+{
+ if (offset + 1 >= packet->payload_packet_len ||
+ (packet->payload[offset] != 0x04 /* IPv4 */ &&
+ packet->payload[offset] != 0x06 /* IPv6 */))
+ {
+ return 0;
+ }
+
+ return (packet->payload[offset] == 0x04 ? 4 : 16);
+}
+
+/* Reference: https://wiki.vg/Raknet_Protocol */
+void ndpi_search_raknet(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow)
+{
+ struct ndpi_packet_struct * const packet = &ndpi_struct->packet;
+ u_int8_t op, ip_addr_offset, required_packets = 3;
+
+ NDPI_LOG_DBG(ndpi_struct, "search RakNet\n");
+
+ if (packet->udp == NULL || packet->payload_packet_len < 7)
+ {
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ return;
+ }
+
+ op = packet->payload[0];
+
+ switch (op)
+ {
+ case 0x00: /* Connected Ping */
+ if (packet->payload_packet_len != 8)
+ {
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ return;
+ }
+ required_packets = 6;
+ break;
+
+ case 0x01: /* Unconnected Ping */
+ case 0x02: /* Unconnected Ping */
+ if (packet->payload_packet_len != 32)
+ {
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ return;
+ }
+ required_packets = 6;
+ break;
+
+ case 0x03: /* Connected Pong */
+ if (packet->payload_packet_len != 16)
+ {
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ return;
+ }
+ required_packets = 6;
+ break;
+
+ case 0x05: /* Open Connection Request 1 */
+ if (packet->payload_packet_len < 18 ||
+ packet->payload[17] > 10 /* maximum supported protocol version */)
+ {
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ return;
+ }
+ required_packets = 6;
+ break;
+
+ case 0x06: /* Open Connection Reply 1 */
+ if (packet->payload_packet_len != 28 ||
+ packet->payload[25] > 0x01 /* connection uses encryption: bool -> 0x00 or 0x01 */)
+ {
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ return;
+ }
+
+ {
+ u_int16_t mtu_size = ntohs(get_u_int16_t(packet->payload, 26));
+ if (mtu_size > 1500 /* Max. supported MTU, see: http://www.jenkinssoftware.com/raknet/manual/programmingtips.html */)
+ {
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ return;
+ }
+ }
+ required_packets = 4;
+ break;
+
+ case 0x07: /* Open Connection Request 2 */
+ ip_addr_offset = raknet_dissect_ip(packet, 17);
+ if (packet->payload_packet_len != 34 || ip_addr_offset == 0)
+ {
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ return;
+ }
+
+ {
+ u_int16_t mtu_size = ntohs(get_u_int16_t(packet->payload, 20 + ip_addr_offset));
+ if (mtu_size > 1500 /* Max. supported MTU, see: http://www.jenkinssoftware.com/raknet/manual/programmingtips.html */)
+ {
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ return;
+ }
+ }
+ break;
+
+ case 0x08: /* Open Connection Reply 2 */
+ ip_addr_offset = raknet_dissect_ip(packet, 25);
+ if (packet->payload_packet_len != 35 || ip_addr_offset == 0)
+ {
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ return;
+ }
+
+ {
+ u_int16_t mtu_size = ntohs(get_u_int16_t(packet->payload, 28 + ip_addr_offset));
+ if (mtu_size > 1500 /* Max. supported MTU, see: http://www.jenkinssoftware.com/raknet/manual/programmingtips.html */)
+ {
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ return;
+ }
+ }
+ break;
+
+ case 0x10: /* Connection Request Accepted */
+ case 0x13: /* New Incoming Connection */
+ {
+ ip_addr_offset = 4 + raknet_dissect_ip(packet, 0);
+ if (op == 0x10)
+ {
+ ip_addr_offset += 2; // System Index
+ }
+ for (size_t i = 0; i < 10; ++i)
+ {
+ ip_addr_offset += 3 + raknet_dissect_ip(packet, ip_addr_offset);
+ }
+ ip_addr_offset += 16;
+ if (ip_addr_offset != packet->payload_packet_len)
+ {
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ return;
+ }
+ }
+ break;
+
+ /* Check for Frame Set Packet's */
+ case 0x80:
+ case 0x81:
+ case 0x82:
+ case 0x83:
+ case 0x84:
+ case 0x85:
+ case 0x86:
+ case 0x87:
+ case 0x88:
+ case 0x89:
+ case 0x8a:
+ case 0x8b:
+ case 0x8c:
+ case 0x8d:
+ {
+ size_t frame_offset = 4;
+
+ do {
+ u_int8_t msg_flags = get_u_int8_t(packet->payload, frame_offset);
+ if ((msg_flags & 0x0F) != 0)
+ {
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ return;
+ }
+
+ u_int16_t msg_size = ntohs(get_u_int16_t(packet->payload, frame_offset + 1));
+ msg_size /= 8;
+ if (msg_size == 0)
+ {
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ break;
+ }
+
+ u_int8_t reliability_type = (msg_flags & 0xE0) >> 5;
+ if (reliability_type >= 2 && reliability_type <= 4 /* is reliable? */)
+ {
+ frame_offset += 3;
+ }
+ if (reliability_type == 1 || reliability_type == 4 /* is sequenced? */)
+ {
+ frame_offset += 3;
+ }
+ if (reliability_type == 3 || reliability_type == 7 /* is ordered? */)
+ {
+ frame_offset += 4;
+ }
+ if ((msg_flags & 0x10) != 0 /* is fragmented? */)
+ {
+ frame_offset += 10;
+ }
+
+ frame_offset += msg_size + 3;
+ } while (frame_offset + 3 <= packet->payload_packet_len);
+
+ /* We've dissected enough to be sure. */
+ if (frame_offset == packet->payload_packet_len)
+ {
+ ndpi_int_raknet_add_connection(ndpi_struct, flow);
+ } else {
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ }
+ return;
+ }
+ break;
+
+ case 0x09: /* Connection Request */
+ if (packet->payload_packet_len != 16)
+ {
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ return;
+ }
+ required_packets = 6;
+ break;
+
+ case 0x15: /* Disconnect */
+ required_packets = 8;
+ break;
+
+ case 0x19: /* Incompatible Protocol */
+ if (packet->payload_packet_len != 25 ||
+ packet->payload[17] > 10)
+ {
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ return;
+ }
+ break;
+
+ case 0x1c: /* Unconnected Pong */
+ if (packet->payload_packet_len < 35)
+ {
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ return;
+ }
+
+ {
+ u_int16_t motd_len = ntohs(get_u_int16_t(packet->payload, 33));
+
+ if (motd_len == 0 || motd_len + 35 != packet->payload_packet_len)
+ {
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ return;
+ }
+ }
+ break;
+
+ case 0xa0: /* NACK */
+ case 0xc0: /* ACK */
+ {
+ u_int16_t record_count = ntohs(get_u_int16_t(packet->payload, 1));
+ size_t record_index = 0, record_offset = 3;
+
+ do {
+ if (packet->payload[record_offset] == 0x00 /* Range */)
+ {
+ record_offset += 7;
+ } else if (packet->payload[record_offset] == 0x01 /* No Range */)
+ {
+ record_offset += 4;
+ } else {
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ return;
+ }
+ } while (++record_index < record_count &&
+ record_offset + 4 <= packet->payload_packet_len);
+
+ if (record_index == record_count && record_offset == packet->payload_packet_len)
+ {
+ ndpi_int_raknet_add_connection(ndpi_struct, flow);
+ } else {
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ }
+ return;
+ }
+ break;
+
+ case 0xfe: /* Game Packet */
+ required_packets = 8;
+ break;
+
+ default: /* Invalid RakNet packet */
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ return;
+ }
+
+ if (flow->packet_counter < required_packets)
+ {
+ return;
+ }
+
+ ndpi_int_raknet_add_connection(ndpi_struct, flow);
+}
+
+void init_raknet_dissector(struct ndpi_detection_module_struct *ndpi_struct,
+ u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
+{
+ ndpi_set_bitmask_protocol_detection("RakNet", ndpi_struct, detection_bitmask, *id,
+ NDPI_PROTOCOL_RAKNET,
+ ndpi_search_raknet,
+ NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD,
+ SAVE_DETECTION_BITMASK_AS_UNKNOWN,
+ ADD_TO_DETECTION_BITMASK);
+
+ *id += 1;
+}
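Review bot: In `ndpi_search_raknet`, cases 0x07 and 0x08 read the MTU with `get_u_int16_t()` at `20 + ip_addr_offset` and `28 + ip_addr_offset` after pinning the payload length to exactly 34 and 35 bytes. When `raknet_dissect_ip()` returns 16 for an IPv6 address marker (0x06), those reads land at offsets 36 and 44, past the end of the validated payload, and the marker byte comes straight from the packet. The fixed lengths appear to match only the IPv4 layout, so either reject a 16-byte address in these two cases or bound the read explicitly, e.g. `if (packet->payload_packet_len != 34 || ip_addr_offset == 0 || 20u + ip_addr_offset + 2 > packet->payload_packet_len)`, with `28u` and 35 for case 0x08. A short comment on each case stating which address family the fixed length assumes would also help. The three identical MTU checks could move into one small static helper that takes the offset and does the bounds check in one place.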
diff --git a/tests/pcap/raknet.pcap b/tests/pcap/raknet.pcap
new file mode 100644
index 000000000..c1495772e
--- /dev/null
+++ b/tests/pcap/raknet.pcap
Binary files differ
diff --git a/tests/result/raknet.pcap.out b/tests/result/raknet.pcap.out
new file mode 100644
index 000000000..4a18fc8f7
--- /dev/null
+++ b/tests/result/raknet.pcap.out
@@ -0,0 +1,19 @@
+Guessed flow protos: 0
+
+DPI Packets (UDP): 24 (2.00 pkts/flow)
+Confidence DPI : 12 (flows)
+
+RakNet 66 9600 12
+
+ 1 UDP 192.168.2.100:60689 <-> 148.153.35.205:60028 [proto: 286/RakNet][ClearText][Confidence: DPI][cat: Game/8][8 pkts/2036 bytes <-> 7 pkts/577 bytes][Goodput ratio: 83/44][0.13 sec][bytes ratio: 0.558 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/10 14/16 30/21 11/5][Pkt Len c2s/s2c min/avg/max/stddev: 49/60 254/82 1506/152 474/31][Plen Bins: 60,20,0,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0]
+ 2 UDP 192.168.2.100:32951 <-> 148.153.35.205:60021 [proto: 286/RakNet][ClearText][Confidence: DPI][cat: Game/8][8 pkts/2039 bytes <-> 7 pkts/563 bytes][Goodput ratio: 83/44][0.11 sec][bytes ratio: 0.567 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 13/12 25/21 10/9][Pkt Len c2s/s2c min/avg/max/stddev: 49/60 255/80 1506/152 474/30][Plen Bins: 60,20,0,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0]
+ 3 UDP 192.168.2.100:44501 <-> 148.153.35.205:60030 [proto: 286/RakNet][ClearText][Confidence: DPI][cat: Game/8][8 pkts/2039 bytes <-> 7 pkts/563 bytes][Goodput ratio: 83/44][0.14 sec][bytes ratio: 0.567 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 18/12 46/23 17/9][Pkt Len c2s/s2c min/avg/max/stddev: 49/60 255/80 1506/152 474/30][Plen Bins: 60,20,0,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0]
+ 4 UDP 148.153.35.205:60022 -> 192.168.2.100:32951 [proto: 286/RakNet][ClearText][Confidence: DPI][cat: Game/8][3 pkts/318 bytes -> 0 pkts/0 bytes][Goodput ratio: 23/0][0.00 sec][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 5 UDP 192.168.2.100:44501 -> 148.153.35.205:59935 [proto: 286/RakNet][ClearText][Confidence: DPI][cat: Game/8][3 pkts/237 bytes -> 0 pkts/0 bytes][Goodput ratio: 47/0][120.00 sec][PLAIN TEXT (3333333333333333)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 6 UDP 148.153.35.205:60025 -> 192.168.2.100:32951 [proto: 286/RakNet][ClearText][Confidence: DPI][cat: Game/8][3 pkts/231 bytes -> 0 pkts/0 bytes][Goodput ratio: 45/0][0.02 sec][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 7 UDP 192.168.2.100:32952 -> 148.153.35.205:60021 [proto: 286/RakNet][ClearText][Confidence: DPI][cat: Game/8][3 pkts/228 bytes -> 0 pkts/0 bytes][Goodput ratio: 45/0][0.00 sec][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 8 UDP 192.168.2.100:32953 -> 148.153.35.205:60021 [proto: 286/RakNet][ClearText][Confidence: DPI][cat: Game/8][3 pkts/210 bytes -> 0 pkts/0 bytes][Goodput ratio: 40/0][0.05 sec][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 9 UDP 148.153.35.205:60005 -> 192.168.2.100:32951 [proto: 286/RakNet][ClearText][Confidence: DPI][cat: Game/8][3 pkts/180 bytes -> 0 pkts/0 bytes][Goodput ratio: 17/0][0.01 sec][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 10 UDP 192.168.2.100:60690 -> 148.153.35.205:60028 [proto: 286/RakNet][ClearText][Confidence: DPI][cat: Game/8][1 pkts/162 bytes -> 0 pkts/0 bytes][Goodput ratio: 74/0][< 1 sec][Plen Bins: 0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 11 UDP 148.153.35.205:43582 -> 192.168.2.100:44501 [proto: 286/RakNet][ClearText][Confidence: DPI][cat: Game/8][1 pkts/152 bytes -> 0 pkts/0 bytes][Goodput ratio: 72/0][< 1 sec][Plen Bins: 0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 12 UDP 192.168.2.100:44501 -> 148.153.35.205:60031 [proto: 286/RakNet][ClearText][Confidence: DPI][cat: Game/8][1 pkts/65 bytes -> 0 pkts/0 bytes][Goodput ratio: 35/0][< 1 sec][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/result/synscan.pcap.out b/tests/result/synscan.pcap.out
index 27bfa7d9e..69b58b55e 100644
--- a/tests/result/synscan.pcap.out
+++ b/tests/result/synscan.pcap.out
@@ -104,7 +104,7 @@ iSCSI 2 116 2
43 TCP 172.16.0.8:36050 -> 64.13.134.52:2605 [proto: 13/BGP][ClearText][Confidence: Match by port][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
44 TCP 172.16.0.8:36050 -> 64.13.134.52:3000 [proto: 26/ntop][ClearText][Confidence: Match by port][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
45 TCP 172.16.0.8:36050 -> 64.13.134.52:3128 [proto: 131/HTTP_Proxy][ClearText][Confidence: Match by port][cat: Web/5][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 46 TCP 172.16.0.8:36050 -> 64.13.134.52:3260 [proto: 286/iSCSI][ClearText][Confidence: Match by port][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 46 TCP 172.16.0.8:36050 -> 64.13.134.52:3260 [proto: 287/iSCSI][ClearText][Confidence: Match by port][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
47 TCP 172.16.0.8:36050 -> 64.13.134.52:3306 [proto: 20/MySQL][ClearText][Confidence: Match by port][cat: Database/11][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
48 TCP 172.16.0.8:36050 -> 64.13.134.52:3389 [proto: 88/RDP][ClearText][Confidence: Match by port][cat: RemoteAccess/12][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Desktop/File Sharing Session **][Risk Score: 10][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
49 TCP 172.16.0.8:36050 -> 64.13.134.52:4343 [proto: 170/Whois-DAS][ClearText][Confidence: Match by port][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
@@ -165,7 +165,7 @@ iSCSI 2 116 2
104 TCP 172.16.0.8:36051 -> 64.13.134.52:2605 [proto: 13/BGP][ClearText][Confidence: Match by port][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
105 TCP 172.16.0.8:36051 -> 64.13.134.52:3000 [proto: 26/ntop][ClearText][Confidence: Match by port][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
106 TCP 172.16.0.8:36051 -> 64.13.134.52:3128 [proto: 131/HTTP_Proxy][ClearText][Confidence: Match by port][cat: Web/5][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 107 TCP 172.16.0.8:36051 -> 64.13.134.52:3260 [proto: 286/iSCSI][ClearText][Confidence: Match by port][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 107 TCP 172.16.0.8:36051 -> 64.13.134.52:3260 [proto: 287/iSCSI][ClearText][Confidence: Match by port][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
108 TCP 172.16.0.8:36051 -> 64.13.134.52:3306 [proto: 20/MySQL][ClearText][Confidence: Match by port][cat: Database/11][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
109 TCP 172.16.0.8:36051 -> 64.13.134.52:3389 [proto: 88/RDP][ClearText][Confidence: Match by port][cat: RemoteAccess/12][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Desktop/File Sharing Session **][Risk Score: 10][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
110 TCP 172.16.0.8:36051 -> 64.13.134.52:4343 [proto: 170/Whois-DAS][ClearText][Confidence: Match by port][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]