Added collectd dissector (again).

example/reader_util.c

@@ -1140,7 +1140,16 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
       ndpi_snprintf(flow->http.content_type, sizeof(flow->http.content_type), "%s", flow->ndpi_flow->http.content_type ? flow->ndpi_flow->http.content_type : "");
       ndpi_snprintf(flow->http.request_content_type, sizeof(flow->http.request_content_type), "%s", flow->ndpi_flow->http.request_content_type ? flow->ndpi_flow->http.request_content_type : "");
     }
-  } else if(is_ndpi_proto(flow, NDPI_PROTOCOL_TELNET)) {
+  }
+  /* COLLECTD */
+  else if(is_ndpi_proto(flow, NDPI_PROTOCOL_COLLECTD)) {
+    flow->info_type = INFO_GENERIC;
+    if(flow->ndpi_flow->protos.collectd.client_username[0] != '\0')
+      ndpi_snprintf(flow->info, sizeof(flow->info), "Username: %s",
+                    flow->ndpi_flow->protos.collectd.client_username);
+  }
+  /* TELNET */
+  else if(is_ndpi_proto(flow, NDPI_PROTOCOL_TELNET)) {
     if(flow->ndpi_flow->protos.telnet.username[0] != '\0')
       flow->telnet.username = ndpi_strdup(flow->ndpi_flow->protos.telnet.username);
     if(flow->ndpi_flow->protos.telnet.password[0] != '\0')

src/include/ndpi_protocol_ids.h

@@ -326,6 +326,7 @@ typedef enum {
   NDPI_PROTOCOL_1KXUN                 = 295,
   NDPI_PROTOCOL_IP_PGM                = 296,
   NDPI_PROTOCOL_IP_PIM                = 297,
+  NDPI_PROTOCOL_COLLECTD              = 298,
 
 #ifdef CUSTOM_NDPI_PROTOCOLS
 #include "../../../nDPI-custom/custom_ndpi_protocol_ids.h"

src/include/ndpi_protocols.h

@@ -228,6 +228,7 @@ void init_xiaomi_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_i
 void init_mpegdash_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
 void init_rsh_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
 void init_ipsec_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
+void init_collectd_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
 
 /* ndpi_main.c */
 extern u_int32_t ndpi_ip_port_hash_funct(u_int32_t ip, u_int16_t port);

src/include/ndpi_typedefs.h

@@ -1191,7 +1191,7 @@ struct ndpi_flow_struct {
   char flow_extra_info[16];
 
   /* General purpose field used to save mainly hostname/SNI information.
-   * In details it used for: DNS, SSDP and NETBIOS name, HTTP and DHCP hostname,
+   * In details it used for: COLLECTD, DNS, SSDP and NETBIOS name, HTTP and DHCP hostname,
    * WHOIS request, TLS/QUIC server name, XIAOMI domain and STUN realm.
    *
    * Please, think *very* hard before increasing its size!
@@ -1297,6 +1297,10 @@ struct ndpi_flow_struct {
       char command[48];
     } rsh;
 
+    struct {
+      char client_username[32];
+    } collectd;
+
     struct {
       char version[32];
     } ubntac2;

src/lib/ndpi_main.c

@@ -1916,9 +1916,13 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
                           ndpi_build_default_ports(ports_a, 514, 0, 0, 0, 0) /* TCP */,
                           ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
   ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_IP_PIM,
-			  "IP_PIM", NDPI_PROTOCOL_CATEGORY_NETWORK,
-			  ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
-			  ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
+                          "IP_PIM", NDPI_PROTOCOL_CATEGORY_NETWORK,
+                          ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
+                          ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
+  ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_COLLECTD,
+                          "collectd", NDPI_PROTOCOL_CATEGORY_SYSTEM_OS,
+                          ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
+                          ndpi_build_default_ports(ports_b, 25826, 0, 0, 0, 0) /* UDP */);
 
 #ifdef CUSTOM_NDPI_PROTOCOLS
 #include "../../../nDPI-custom/custom_ndpi_main.c"
@@ -4424,6 +4428,9 @@ static int ndpi_callback_init(struct ndpi_detection_module_struct *ndpi_str) {
   /* IPsec */
   init_ipsec_dissector(ndpi_str, &a, detection_bitmask);
 
+  /* collectd */
+  init_collectd_dissector(ndpi_str, &a, detection_bitmask);
+
 #ifdef CUSTOM_NDPI_PROTOCOLS
 #include "../../../nDPI-custom/custom_ndpi_main_init.c"
 #endif

src/lib/protocols/collectd.c

@@ -0,0 +1,209 @@
+/*
+ * collectd.c
+ *
+ * Copyright (C) 2022 - ntop.org
+ *
+ * nDPI is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * nDPI is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with nDPI.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+
+#include "ndpi_protocol_ids.h"
+
+#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_COLLECTD
+
+#include "ndpi_api.h"
+
+#define COLLECTD_MIN_BLOCKS_REQUIRED 3
+#define COLLECTD_MAX_BLOCKS_TO_DISSECT 5
+
+#define COLLECTD_ENCR_AES256_MIN_BLOCK_SIZE 6
+#define COLLECTD_ENCR_AES256_IV_SIZE 16
+
+enum collectd_type {
+  COLLECTD_TYPE_HOST            = 0x0000,
+  COLLECTD_TYPE_TIME            = 0x0001,
+  COLLECTD_TYPE_TIME_HR         = 0x0008,
+  COLLECTD_TYPE_PLUGIN          = 0x0002,
+  COLLECTD_TYPE_PLUGIN_INSTANCE = 0x0003,
+  COLLECTD_TYPE_TYPE            = 0x0004,
+  COLLECTD_TYPE_TYPE_INSTANCE   = 0x0005,
+  COLLECTD_TYPE_VALUES          = 0x0006,
+  COLLECTD_TYPE_INTERVAL        = 0x0007,
+  COLLECTD_TYPE_INTERVAL_HR     = 0x0009,
+  COLLECTD_TYPE_MESSAGE         = 0x0100,
+  COLLECTD_TYPE_SEVERITY        = 0x0101,
+  COLLECTD_TYPE_SIGN_SHA256     = 0x0200,
+  COLELCTD_TYPE_ENCR_AES256     = 0x0210,
+};
+
+static u_int16_t const collectd_types[] = {
+  COLLECTD_TYPE_HOST, COLLECTD_TYPE_TIME, COLLECTD_TYPE_TIME_HR, COLLECTD_TYPE_PLUGIN,
+  COLLECTD_TYPE_PLUGIN_INSTANCE, COLLECTD_TYPE_TYPE, COLLECTD_TYPE_TYPE_INSTANCE,
+  COLLECTD_TYPE_VALUES, COLLECTD_TYPE_INTERVAL, COLLECTD_TYPE_INTERVAL_HR,
+  COLLECTD_TYPE_MESSAGE, COLLECTD_TYPE_SEVERITY, COLLECTD_TYPE_SIGN_SHA256,
+  COLELCTD_TYPE_ENCR_AES256
+};
+static const size_t collectd_types_length = NDPI_ARRAY_LENGTH(collectd_types);
+
+static void ndpi_int_collectd_add_connection(struct ndpi_detection_module_struct * const ndpi_struct,
+                                             struct ndpi_flow_struct * const flow)
+{
+  NDPI_LOG_INFO(ndpi_struct, "found collectd\n");
+  ndpi_set_detected_protocol(ndpi_struct, flow,
+                             NDPI_PROTOCOL_COLLECTD,
+                             NDPI_PROTOCOL_UNKNOWN,
+                             NDPI_CONFIDENCE_DPI);
+}
+
+static u_int16_t npdi_int_collectd_block_size(struct ndpi_packet_struct const * const packet,
+                                              u_int16_t const block_offset)
+{
+  if (block_offset + 4 > packet->payload_packet_len)
+  {
+    return 0;
+  }
+
+  u_int16_t next_block = ntohs(get_u_int16_t(packet->payload, block_offset + 2));
+  if (block_offset + next_block > packet->payload_packet_len ||
+      (u_int16_t)(block_offset + next_block) <= block_offset /* possible overflow or next_block is zero */)
+  {
+    return 0;
+  }
+
+  return next_block;
+}
+
+static int ndpi_int_collectd_check_type(u_int16_t block_type)
+{
+  size_t i;
+
+  for (i = 0; i < collectd_types_length; ++i)
+  {
+    if (block_type == collectd_types[i])
+    {
+      return 0;
+    }
+  }
+
+  return 1;
+}
+
+static int ndpi_int_collectd_dissect_hostname(struct ndpi_flow_struct * const flow,
+                                              struct ndpi_packet_struct const * const packet,
+                                              u_int16_t block_offset, u_int16_t block_length)
+{
+  return (ndpi_hostname_sni_set(flow, &packet->payload[4], block_length) == NULL);
+}
+
+static int ndpi_int_collectd_dissect_username(struct ndpi_flow_struct * const flow,
+                                              struct ndpi_packet_struct const * const packet,
+                                              u_int16_t block_offset)
+{
+  u_int16_t username_length = ntohs(get_u_int16_t(packet->payload, 4));
+
+  if(username_length > packet->payload_packet_len -
+     COLLECTD_ENCR_AES256_MIN_BLOCK_SIZE -
+     COLLECTD_ENCR_AES256_IV_SIZE)
+  {
+    return 1;
+  }
+
+  size_t sz_len = ndpi_min(sizeof(flow->protos.collectd.client_username) - 1, username_length);
+  memcpy(flow->protos.collectd.client_username, &packet->payload[6], sz_len);
+  flow->protos.collectd.client_username[sz_len] = '\0';
+
+  return 0;
+}
+
+void ndpi_search_collectd(struct ndpi_detection_module_struct *ndpi_struct,
+                          struct ndpi_flow_struct *flow)
+{
+  struct ndpi_packet_struct const * const packet = &ndpi_struct->packet;
+  u_int16_t num_blocks;
+  u_int16_t block_offset = 0, block_type, block_length;
+  u_int16_t hostname_offset, hostname_length = 0;
+
+  NDPI_LOG_DBG(ndpi_struct, "search collectd\n");
+
+  for (num_blocks = 0; num_blocks < COLLECTD_MAX_BLOCKS_TO_DISSECT;
+       ++num_blocks, block_offset += block_length)
+  {
+    block_length = npdi_int_collectd_block_size(packet, block_offset);
+    if (block_length == 0)
+    {
+      break;
+    }
+
+    block_type = ntohs(get_u_int16_t(packet->payload, block_offset));
+    if (ndpi_int_collectd_check_type(block_type) != 0)
+    {
+      break;
+    } else {
+      if (block_type == COLLECTD_TYPE_HOST)
+      {
+        /*
+         * Dissect the hostname later, when we are sure that it is
+         * the collectd protocol.
+         */
+        hostname_offset = block_offset;
+        hostname_length = block_length;
+      } else if (block_type == COLELCTD_TYPE_ENCR_AES256) {
+        /*
+         * The encrypted data block is a special case.
+         * It is the only dissectable block as everything else in it
+         * is encrypted.
+         */
+        if (block_length != packet->payload_packet_len ||
+            block_length < COLLECTD_ENCR_AES256_MIN_BLOCK_SIZE ||
+            ndpi_int_collectd_dissect_username(flow, packet, block_offset) != 0)
+        {
+          NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+        } else {
+          ndpi_int_collectd_add_connection(ndpi_struct, flow);
+        }
+        return;
+      }
+    }
+  }
+
+  if (num_blocks < COLLECTD_MIN_BLOCKS_REQUIRED)
+  {
+    NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+    return;
+  }
+
+  if (hostname_length > 0 &&
+      ndpi_int_collectd_dissect_hostname(flow, packet, hostname_offset,
+                                         hostname_length) != 0)
+  {
+    ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Invalid collectd Header");
+  }
+
+  ndpi_int_collectd_add_connection(ndpi_struct, flow);
+}
+
+void init_collectd_dissector(struct ndpi_detection_module_struct *ndpi_struct,
+                             u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
+{
+  ndpi_set_bitmask_protocol_detection("collectd", ndpi_struct, detection_bitmask, *id,
+    NDPI_PROTOCOL_COLLECTD,
+    ndpi_search_collectd,
+    NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD,
+    SAVE_DETECTION_BITMASK_AS_UNKNOWN,
+    ADD_TO_DETECTION_BITMASK
+  );
+
+  *id += 1;
+}

tests/result/collectd.pcap.out

@@ -0,0 +1,16 @@
+Guessed flow protos:	3
+
+DPI Packets (UDP):	13	(1.62 pkts/flow)
+Confidence Match by port    : 3 (flows)
+Confidence DPI              : 5 (flows)
+
+collectd	81	109386	8
+
+	1	UDP 127.0.0.1:35988 -> 127.0.0.1:25826 [proto: 298/collectd][ClearText][Confidence: DPI][cat: System/18][49 pkts/66012 bytes -> 0 pkts/0 bytes][Goodput ratio: 97/0][406.49 sec][Hostname/SNI: devlap.fritz.box][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 8783/0 10000/0 3188/0][Pkt Len c2s/s2c min/avg/max/stddev: 193/0 1347/0 1388/0 167/0][PLAIN TEXT (devlap.fritz.box)][Plen Bins: 0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,83,10,0,0,0,0,0]
+	2	UDP 127.0.0.1:36832 -> 127.0.0.1:25826 [proto: 298/collectd][ClearText][Confidence: DPI][cat: System/18][17 pkts/22755 bytes -> 0 pkts/0 bytes][Goodput ratio: 97/0][134.67 sec][Hostname/SNI: devlap.fritz.box][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 8311/0 10000/0 3518/0][Pkt Len c2s/s2c min/avg/max/stddev: 924/0 1339/0 1384/0 104/0][PLAIN TEXT (devlap.fritz.box)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,5,89,0,0,0,0,0,0]
+	3	UDP 192.168.178.35:39576 -> 239.192.74.66:25826 [proto: 298/collectd][ClearText][Confidence: Match by port][cat: System/18][6 pkts/8363 bytes -> 0 pkts/0 bytes][Goodput ratio: 97/0][708570048.00 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 907/0 839078848/0 4195363456/0 1678142336/0][Pkt Len c2s/s2c min/avg/max/stddev: 1274/0 1394/0 1434/0 54/0][PLAIN TEXT (RmBJSP)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,33,50,0,0,0,0]
+	4	UDP 127.0.0.1:54138 -> 127.0.0.1:25826 [proto: 298/collectd][ClearText][Confidence: DPI][cat: System/18][5 pkts/6744 bytes -> 0 pkts/0 bytes][Goodput ratio: 97/0][33.27 sec][Hostname/SNI: devlap.fritz.box][PLAIN TEXT (devlap.fritz.box)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,0,20,40,20,0,0,0,0,0]
+	5	UDP 192.168.178.35:39577 -> 239.192.74.66:25826 [proto: 298/collectd][ClearText][Confidence: Match by port][cat: System/18][1 pkts/1408 bytes -> 0 pkts/0 bytes][Goodput ratio: 97/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0]
+	6	UDP 127.0.0.1:36064 -> 127.0.0.1:25826 [proto: 298/collectd][ClearText][Confidence: DPI][cat: System/18][1 pkts/1368 bytes -> 0 pkts/0 bytes][Goodput ratio: 97/0][< 1 sec][Hostname/SNI: devlap.fritz.box][PLAIN TEXT (devlap.fritz.box)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0]
+	7	UDP 127.0.0.1:36320 -> 127.0.0.1:25826 [proto: 298/collectd][ClearText][Confidence: Match by port][cat: System/18][1 pkts/1368 bytes -> 0 pkts/0 bytes][Goodput ratio: 97/0][< 1 sec][PLAIN TEXT (devlap.fritz.box)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0]
+	8	UDP 127.0.0.1:36576 -> 127.0.0.1:25826 [proto: 298/collectd][ClearText][Confidence: DPI][cat: System/18][1 pkts/1368 bytes -> 0 pkts/0 bytes][Goodput ratio: 97/0][< 1 sec][Hostname/SNI: devlap.fritz.box][PLAIN TEXT (devlap.fritz.box)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0]

tests/result/synscan.pcap.out

@@ -104,7 +104,7 @@ iSCSI	2	116	2
 	43	TCP 172.16.0.8:36050 -> 64.13.134.52:2605 [proto: 13/BGP][ClearText][Confidence: Match by port][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	44	TCP 172.16.0.8:36050 -> 64.13.134.52:3000 [proto: 26/ntop][ClearText][Confidence: Match by port][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	45	TCP 172.16.0.8:36050 -> 64.13.134.52:3128 [proto: 131/HTTP_Proxy][ClearText][Confidence: Match by port][cat: Web/5][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	46	TCP 172.16.0.8:36050 -> 64.13.134.52:3260 [proto: 298/iSCSI][ClearText][Confidence: Match by port][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	46	TCP 172.16.0.8:36050 -> 64.13.134.52:3260 [proto: 299/iSCSI][ClearText][Confidence: Match by port][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	47	TCP 172.16.0.8:36050 -> 64.13.134.52:3306 [proto: 20/MySQL][ClearText][Confidence: Match by port][cat: Database/11][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	48	TCP 172.16.0.8:36050 -> 64.13.134.52:3389 [proto: 88/RDP][ClearText][Confidence: Match by port][cat: RemoteAccess/12][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Desktop/File Sharing **][Risk Score: 10][Risk Info: Found RDP][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	49	TCP 172.16.0.8:36050 -> 64.13.134.52:4343 [proto: 170/Whois-DAS][ClearText][Confidence: Match by port][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
@@ -165,7 +165,7 @@ iSCSI	2	116	2
 	104	TCP 172.16.0.8:36051 -> 64.13.134.52:2605 [proto: 13/BGP][ClearText][Confidence: Match by port][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	105	TCP 172.16.0.8:36051 -> 64.13.134.52:3000 [proto: 26/ntop][ClearText][Confidence: Match by port][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	106	TCP 172.16.0.8:36051 -> 64.13.134.52:3128 [proto: 131/HTTP_Proxy][ClearText][Confidence: Match by port][cat: Web/5][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	107	TCP 172.16.0.8:36051 -> 64.13.134.52:3260 [proto: 298/iSCSI][ClearText][Confidence: Match by port][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	107	TCP 172.16.0.8:36051 -> 64.13.134.52:3260 [proto: 299/iSCSI][ClearText][Confidence: Match by port][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	108	TCP 172.16.0.8:36051 -> 64.13.134.52:3306 [proto: 20/MySQL][ClearText][Confidence: Match by port][cat: Database/11][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	109	TCP 172.16.0.8:36051 -> 64.13.134.52:3389 [proto: 88/RDP][ClearText][Confidence: Match by port][cat: RemoteAccess/12][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Desktop/File Sharing **][Risk Score: 10][Risk Info: Found RDP][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	110	TCP 172.16.0.8:36051 -> 64.13.134.52:4343 [proto: 170/Whois-DAS][ClearText][Confidence: Match by port][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]