Fix detection of packet direction and NDPI_UNIDIRECTIONAL_TRAFFIC risk (

#1883)
ntop · Feb 13, 2023 · 200d1d4 · 200d1d4
1 parent a3a9a72
commit 200d1d4
Show file tree

Hide file tree

Showing 48 changed files with 817 additions and 815 deletions.
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
@@ -5448,7 +5448,8 @@ void ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_str,
       else if(flags == (TH_FIN | TH_PUSH | TH_URG))
 	ndpi_set_risk(ndpi_str, flow, NDPI_TCP_ISSUES, "TCP XMAS scan");
 
-      if(!ndpi_str->direction_detect_disable)
+      if(!ndpi_str->direction_detect_disable &&
+         (tcph->source != tcph->dest))
 	packet->packet_direction = (ntohs(tcph->source) < ntohs(tcph->dest)) ? 1 : 0;
 
       if(packet->packet_direction == 0 /* cli -> srv */) {
@@ -5525,7 +5526,8 @@ void ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_str,
 	flow->next_tcp_seq_nr[1] = 0;
       }
     } else if(udph != NULL) {
-      if(!ndpi_str->direction_detect_disable)
+      if(!ndpi_str->direction_detect_disable &&
+         (udph->source != udph->dest))
 	packet->packet_direction = (htons(udph->source) < htons(udph->dest)) ? 1 : 0;
     }
 
@@ -5618,9 +5620,9 @@ void ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_str,
     if(ndpi_is_multi_or_broadcast(packet))
       ; /* multicast or broadcast */
     else {
-      if(flow->packet_direction_complete_counter[0] == 0)
+      if(flow->packet_direction_complete_counter[flow->client_packet_direction] == 0)
 	ndpi_set_risk(ndpi_str, flow, NDPI_UNIDIRECTIONAL_TRAFFIC, "No client to server traffic"); /* Should never happen */
-      else if(flow->packet_direction_complete_counter[1] == 0)
+      else if(flow->packet_direction_complete_counter[!flow->client_packet_direction] == 0)
 	ndpi_set_risk(ndpi_str, flow, NDPI_UNIDIRECTIONAL_TRAFFIC, "No server to client traffic");
       else {
 	ndpi_unset_risk(ndpi_str, flow, NDPI_UNIDIRECTIONAL_TRAFFIC); /* Clear bit */

diff --git a/tests/result/6in4tunnel.pcap.out b/tests/result/6in4tunnel.pcap.out
@@ -37,9 +37,9 @@ JA3 Host Stats:
 	2	TCP [2001:470:1f17:13f:3e97:eff:fe73:4dec]:53234 <-> [2a03:2880:1010:6f03:face:b00c::2]:443 [proto: 91.119/TLS.Facebook][IP: 0/Unknown][Encrypted][Confidence: DPI][cat: SocialNetwork/6][18 pkts/6894 bytes <-> 15 pkts/7032 bytes][Goodput ratio: 72/77][0.53 sec][Hostname/SNI: www.facebook.com][(Advertised) ALPNs: spdy/3.1;h2-14;h2;http/1.1][bytes ratio: -0.010 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 20/23 98/97 33/36][Pkt Len c2s/s2c min/avg/max/stddev: 106/106 383/469 1504/1911 467/576][TLSv1.2][JA3C: eb7cdd4e7dea7a11b3016c3c9acbd2a3][ServerNames: *.facebook.com,facebook.com,*.xz.fbcdn.net,messenger.com,fb.com,*.m.facebook.com,*.fbsbx.com,*.xy.fbcdn.net,*.messenger.com,*.fb.com,*.fbcdn.net,*.xx.fbcdn.net,*.facebook.net][JA3S: 6806b8fe92d7d465715d771eb102ff04][Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance CA-3][Subject: C=US, ST=CA, L=Menlo Park, O=Facebook, Inc., CN=*.facebook.com][Certificate SHA-1: 93:C6:FD:1A:84:90:BB:F1:B2:3B:49:A0:9B:1F:6F:0B:46:7A:31:41][Validity: 2014-08-28 00:00:00 - 2015-12-31 12:00:00][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 5,32,5,0,0,5,5,0,5,0,0,0,0,0,0,0,0,0,0,0,0,5,5,0,0,0,0,0,5,0,0,0,0,0,5,0,0,0,0,0,0,0,0,15,0,0,0,5]
 	3	ICMPV6 [2001:470:1f17:13f:3e97:eff:fe73:4dec]:0 <-> [2604:a880:1:20::224:b001]:0 [proto: 102/ICMPV6][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Network/14][23 pkts/3174 bytes <-> 23 pkts/3174 bytes][Goodput ratio: 41/41][22.14 sec][bytes ratio: 0.000 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1000/992 1001/1001 1001/1012 0/4][Pkt Len c2s/s2c min/avg/max/stddev: 138/138 138/138 138/138 0/0][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	4	TCP [2001:470:1f17:13f:3e97:eff:fe73:4dec]:41538 <-> [2604:a880:1:20::224:b001]:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Web/5][6 pkts/786 bytes <-> 4 pkts/1006 bytes][Goodput ratio: 18/57][0.82 sec][Hostname/SNI: mail.tomasu.net][bytes ratio: -0.123 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/2 164/56 495/110 171/54][Pkt Len c2s/s2c min/avg/max/stddev: 106/106 131/252 248/680 52/247][URL: mail.tomasu.net/][StatusCode: 301][Content-Type: text/html][Server: Apache/2.4.10 (Debian)][User-Agent: Wget/1.16.3 (linux-gnu)][PLAIN TEXT (GET / HTTP/1.1)][Plen Bins: 0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	5	ICMPV6 [2a03:2880:1010:6f03:face:b00c::2]:0 -> [2001:470:1f17:13f:3e97:eff:fe73:4dec]:0 [proto: 102/ICMPV6][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Network/14][1 pkts/1314 bytes -> 0 pkts/0 bytes][Goodput ratio: 94/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][PLAIN TEXT (ds 0/u6)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0]
+	5	ICMPV6 [2a03:2880:1010:6f03:face:b00c::2]:0 -> [2001:470:1f17:13f:3e97:eff:fe73:4dec]:0 [proto: 102/ICMPV6][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Network/14][1 pkts/1314 bytes -> 0 pkts/0 bytes][Goodput ratio: 94/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (ds 0/u6)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0]
 	6	UDP [2001:470:1f16:13f::2]:53959 <-> [2a03:2880:fffe:b:face:b00c::99]:53 [proto: 5.119/DNS.Facebook][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Network/14][1 pkts/133 bytes <-> 1 pkts/273 bytes][Goodput ratio: 38/70][0.09 sec][Hostname/SNI: star.c10r.facebook.com][2a03:2880:1010:6f03:face:b00c::2][PLAIN TEXT (facebook)][Plen Bins: 0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	7	UDP [2001:470:1f16:13f::2]:6404 <-> [2a03:2880:fffe:b:face:b00c::99]:53 [proto: 5.119/DNS.Facebook][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Network/14][1 pkts/133 bytes <-> 1 pkts/261 bytes][Goodput ratio: 38/68][0.09 sec][Hostname/SNI: star.c10r.facebook.com][173.252.120.6][PLAIN TEXT (facebook)][Plen Bins: 0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	8	TCP [2604:a880:1:20::224:b001]:993 <-> [2001:470:1f17:13f:6d69:c72:7313:616f]:35610 [proto: 51/IMAPS][IP: 0/Unknown][Encrypted][Confidence: DPI][cat: Email/3][1 pkts/152 bytes <-> 1 pkts/106 bytes][Goodput ratio: 30/0][0.01 sec][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	9	TCP [2604:a880:1:20::224:b001]:993 <-> [2001:470:1f17:13f:6d69:c72:7313:616f]:56381 [proto: 51/IMAPS][IP: 0/Unknown][Encrypted][Confidence: DPI][cat: Email/3][1 pkts/152 bytes <-> 1 pkts/106 bytes][Goodput ratio: 30/0][0.07 sec][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	10	ICMPV6 [2001:470:1f16:13f::2]:0 -> [2604:a880:1:20::224:b001]:0 [proto: 102/ICMPV6][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Network/14][1 pkts/200 bytes -> 0 pkts/0 bytes][Goodput ratio: 59/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][Plen Bins: 0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	10	ICMPV6 [2001:470:1f16:13f::2]:0 -> [2604:a880:1:20::224:b001]:0 [proto: 102/ICMPV6][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Network/14][1 pkts/200 bytes -> 0 pkts/0 bytes][Goodput ratio: 59/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/result/KakaoTalk_chat.pcap.out b/tests/result/KakaoTalk_chat.pcap.out
@@ -71,6 +71,6 @@ JA3 Host Stats:
 	33	TCP 10.24.82.188:58927 -> 54.255.253.199:5223 [proto: 91/TLS][IP: 265/AmazonAWS][Encrypted][Confidence: DPI][cat: Web/5][2 pkts/181 bytes -> 0 pkts/0 bytes][Goodput ratio: 25/0][41.33 sec][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	34	UDP 10.24.82.188:43077 <-> 10.188.1.1:53 [proto: 5.193/DNS.KakaoTalk][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Network/14][1 pkts/81 bytes <-> 1 pkts/97 bytes][Goodput ratio: 45/54][0.04 sec][Hostname/SNI: dn-l.talk.kakao.com][110.76.141.86][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	35	TCP 10.24.82.188:34686 -> 173.194.72.188:5228 [proto: 91/TLS][IP: 126/Google][Encrypted][Confidence: DPI][cat: Web/5][1 pkts/164 bytes -> 0 pkts/0 bytes][Goodput ratio: 58/0][< 1 sec][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic][Plen Bins: 0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	36	ICMP 10.24.82.188:0 -> 10.188.191.1:0 [proto: 81/ICMP][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Network/14][1 pkts/147 bytes -> 0 pkts/0 bytes][Goodput ratio: 70/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][Plen Bins: 0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	36	ICMP 10.24.82.188:0 -> 10.188.191.1:0 [proto: 81/ICMP][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Network/14][1 pkts/147 bytes -> 0 pkts/0 bytes][Goodput ratio: 70/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	37	TCP 10.24.82.188:49217 -> 216.58.220.174:443 [proto: 91/TLS][IP: 126/Google][Encrypted][Confidence: DPI][cat: Web/5][1 pkts/83 bytes -> 0 pkts/0 bytes][Goodput ratio: 32/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	38	TCP 120.28.26.242:80 -> 10.24.82.188:34503 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: Match by port][cat: Web/5][1 pkts/56 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **** TCP Connection Issues **][Risk Score: 60][Risk Info: No client to server traffic / TCP probing attempt][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/result/alexa-app.pcapng.out b/tests/result/alexa-app.pcapng.out
@@ -163,7 +163,7 @@ JA3 Host Stats:
 	119	TCP 172.16.42.216:37552 <-> 54.239.24.180:443 [proto: 91/TLS][IP: 265/AmazonAWS][Encrypted][Confidence: Match by port][cat: Web/5][4 pkts/236 bytes <-> 3 pkts/182 bytes][Goodput ratio: 0/0][0.92 sec][bytes ratio: 0.129 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 165/327 307/327 546/327 170/0][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 59/61 74/62 9/1][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	120	TCP 172.16.42.216:54413 <-> 52.85.209.216:443 [proto: 91/TLS][IP: 265/AmazonAWS][Encrypted][Confidence: Match by port][cat: Web/5][4 pkts/272 bytes <-> 2 pkts/140 bytes][Goodput ratio: 0/0][0.34 sec][bytes ratio: 0.320 (Upload)][IAT c2s/s2c min/avg/max/stddev: 47/0 114/0 244/0 92/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 68/70 74/74 3/4][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	121	TCP 172.16.42.216:45707 <-> 52.94.232.134:443 [proto: 91/TLS][IP: 265/AmazonAWS][Encrypted][Confidence: Match by port][cat: Web/5][4 pkts/236 bytes <-> 2 pkts/122 bytes][Goodput ratio: 0/0][2.59 sec][bytes ratio: 0.318 (Upload)][IAT c2s/s2c min/avg/max/stddev: 148/0 864/0 2109/0 884/0][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 59/61 74/62 9/1][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	122	UDP 172.16.42.1:67 -> 172.16.42.216:68 [proto: 18/DHCP][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Network/14][1 pkts/342 bytes -> 0 pkts/0 bytes][Goodput ratio: 87/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	122	UDP 172.16.42.1:67 -> 172.16.42.216:68 [proto: 18/DHCP][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Network/14][1 pkts/342 bytes -> 0 pkts/0 bytes][Goodput ratio: 87/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	123	UDP 172.16.42.216:4920 <-> 172.16.42.1:53 [proto: 5.178/DNS.Amazon][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Network/14][1 pkts/81 bytes <-> 1 pkts/252 bytes][Goodput ratio: 48/83][0.20 sec][Hostname/SNI: ecx.images-amazon.com][52.84.63.56][PLAIN TEXT (images)][Plen Bins: 0,50,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	124	UDP 172.16.42.216:23559 <-> 172.16.42.1:53 [proto: 5.265/DNS.AmazonAWS][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Network/14][1 pkts/100 bytes <-> 1 pkts/196 bytes][Goodput ratio: 57/78][0.05 sec][Hostname/SNI: cognito-identity.us-east-1.amazonaws.com][34.199.52.240][PLAIN TEXT (cognito)][Plen Bins: 0,50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	125	UDP 172.16.42.216:4612 <-> 172.16.42.1:53 [proto: 5.178/DNS.Amazon][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Network/14][1 pkts/91 bytes <-> 1 pkts/197 bytes][Goodput ratio: 53/78][0.06 sec][Hostname/SNI: images-na.ssl-images-amazon.com][52.84.62.115][PLAIN TEXT (images)][Plen Bins: 0,50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
@@ -185,7 +185,7 @@ JA3 Host Stats:
 	141	UDP 172.16.42.216:41030 <-> 172.16.42.1:53 [proto: 5.110/DNS.AmazonAlexa][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Network/14][1 pkts/76 bytes <-> 1 pkts/115 bytes][Goodput ratio: 44/63][0.11 sec][Hostname/SNI: alexa.amazon.com][52.94.232.134][PLAIN TEXT (amazon)][Plen Bins: 0,50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	142	UDP 172.16.42.216:59908 <-> 172.16.42.1:53 [proto: 5.110/DNS.AmazonAlexa][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Network/14][1 pkts/76 bytes <-> 1 pkts/115 bytes][Goodput ratio: 44/63][0.27 sec][Hostname/SNI: alexa.amazon.com][54.239.28.178][PLAIN TEXT (amazon)][Plen Bins: 0,50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	143	UDP 172.16.42.216:64073 <-> 172.16.42.1:53 [proto: 5.110/DNS.AmazonAlexa][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Network/14][1 pkts/76 bytes <-> 1 pkts/115 bytes][Goodput ratio: 44/63][0.06 sec][Hostname/SNI: alexa.amazon.com][52.94.232.134][PLAIN TEXT (amazon)][Plen Bins: 0,50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	144	ICMP 172.16.42.1:0 -> 172.16.42.216:0 [proto: 81/ICMP][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Network/14][2 pkts/188 bytes -> 0 pkts/0 bytes][Goodput ratio: 55/0][2.80 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	144	ICMP 172.16.42.1:0 -> 172.16.42.216:0 [proto: 81/ICMP][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Network/14][2 pkts/188 bytes -> 0 pkts/0 bytes][Goodput ratio: 55/0][2.80 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	145	UDP 172.16.42.216:14476 <-> 172.16.42.1:53 [proto: 5.178/DNS.Amazon][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Network/14][1 pkts/83 bytes <-> 1 pkts/99 bytes][Goodput ratio: 49/57][0.14 sec][Hostname/SNI: skills-store.amazon.com][54.239.29.253][PLAIN TEXT (skills)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	146	UDP 172.16.42.216:7358 <-> 172.16.42.1:53 [proto: 5.178/DNS.Amazon][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Network/14][1 pkts/82 bytes <-> 1 pkts/98 bytes][Goodput ratio: 48/57][0.21 sec][Hostname/SNI: firs-ta-g7g.amazon.com][54.239.22.185][PLAIN TEXT (amazon)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	147	ICMPV6 [::]:0 -> [ff02::16]:0 [proto: 102/ICMPV6][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Network/14][2 pkts/180 bytes -> 0 pkts/0 bytes][Goodput ratio: 22/0][< 1 sec][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]