In version 2.0.368 (released 23rd November 2024) of FastNetMon Advanced we completely removed the field attack_protocol from the JSON script and POST callbacks. In version 2.0.367 (released October 20 2024) this field was set to “unknown” and marked as obsolete.
We made this change because attack_protocol did not reflect the attack vector: it was based solely on the amount of traffic for the host and used the following logic:
```cpp
#include <cstdint>
#include <netinet/in.h> // IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ICMP

// subnet_counter_t and direction_t (INCOMING / OUTGOING) are FastNetMon's own types.

#define my_max_on_defines(a, b) (a > b ? a : b)

// Returns the IP protocol number of the protocol with the highest packet rate.
// Note that max is narrowed to unsigned int and ties are resolved in favour of
// TCP, then UDP, then ICMP; a host with no traffic at all is reported as TCP.
unsigned int get_max_used_protocol(uint64_t tcp, uint64_t udp, uint64_t icmp) {
    unsigned int max = my_max_on_defines(my_max_on_defines(udp, tcp), icmp);

    if (max == tcp) {
        return IPPROTO_TCP;
    } else if (max == udp) {
        return IPPROTO_UDP;
    } else if (max == icmp) {
        return IPPROTO_ICMP;
    }

    return 0;
}

// Picks the per-protocol packet counters for the attack direction and
// reports whichever protocol carried the most packets.
unsigned int detect_attack_protocol(const subnet_counter_t& speed_element, direction_t attack_direction) {
    if (attack_direction == INCOMING) {
        return get_max_used_protocol(speed_element.tcp.in_packets, speed_element.udp.in_packets,
                                     speed_element.icmp.in_packets);
    } else {
        // OUTGOING
        return get_max_used_protocol(speed_element.tcp.out_packets, speed_element.udp.out_packets,
                                     speed_element.icmp.out_packets);
    }
}
```
You can get more reliable results by using the fields attack_detection_threshold and attack_detection_threshold_direction from the JSON callback, which tell you which threshold actually triggered the detection and in which direction. To replicate the old logic as closely as possible, configure separate UDP, TCP and ICMP based thresholds instead of a single threshold for total bandwidth.
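As an added example (not FastNetMon's own code), the following Python callback handler shows how a consumer can classify an attack from attack_detection_threshold without relying on attack_protocol; the sample payload, the surrounding field names and the threshold names such as "udp_mbps" are assumptions, as only the two field names above are given on this page.

```python
import json
import sys
from socket import IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP

# Constructed sample of a 2.0.368+ callback payload: attack_protocol is no
# longer present. Field names other than attack_detection_threshold and
# attack_detection_threshold_direction are assumptions for illustration.
SAMPLE_CALLBACK = json.dumps({
    "ip": "192.0.2.10",
    "action": "ban",
    "attack_detection_threshold": "udp_mbps",
    "attack_detection_threshold_direction": "incoming",
})

# Protocol prefix of a per-protocol threshold name -> IP protocol number.
# The naming scheme ("udp_mbps", "tcp_pps", ...) is assumed; compare it with
# the callbacks your own installation emits before relying on it.
PROTOCOL_PREFIXES = {"tcp": IPPROTO_TCP, "udp": IPPROTO_UDP, "icmp": IPPROTO_ICMP}


def protocol_from_threshold(threshold_name):
    """Return the IP protocol number implied by a threshold name, else 0.

    A total-bandwidth threshold such as "mbps" or "pps" carries no protocol
    information, so it maps to 0, like the fallback of get_max_used_protocol().
    """
    prefix = threshold_name.split("_", 1)[0].lower()
    return PROTOCOL_PREFIXES.get(prefix, 0)


def classify(payload_text):
    """Parse one callback payload and summarise the triggering threshold."""
    data = json.loads(payload_text)
    # attack_protocol is "unknown" in 2.0.367 and absent in 2.0.368+, so it is
    # deliberately ignored here in favour of the threshold fields.
    threshold = data.get("attack_detection_threshold", "")
    direction = data.get("attack_detection_threshold_direction", "")
    return {
        "ip": data.get("ip"),
        "direction": direction,
        "threshold": threshold,
        "protocol": protocol_from_threshold(threshold),
    }


if __name__ == "__main__":
    # FastNetMon passes the JSON payload on stdin to the callback script.
    print(json.dumps(classify(sys.stdin.read() or SAMPLE_CALLBACK)))
```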