Attack_protocol deprecation in version 2.0.368

In version 2.0.368 (released 23 November 2024) of FastNetMon Advanced, we completely removed the attack_protocol field from the JSON script and POST callbacks. In version 2.0.367 (released 20 October 2024), this field was already set to “unknown” and marked as obsolete.

We made this change because attack_protocol did not reflect the actual attack vector: it was based solely on the amount of traffic (per-protocol packet counts) seen for the host, using the following logic:

// Excerpt of the removed logic. subnet_counter_t, direction_t and INCOMING are
// FastNetMon's own types; the includes below are what the excerpt needs to build on its own.
#include <cstdint>
#include <netinet/in.h> // IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ICMP

#define my_max_on_defines(a, b) (a > b ? a : b)

// Returns the IP protocol number with the highest packet count. Ties resolve in
// the order TCP, UDP, ICMP. Note that max is an unsigned int, so counters above
// 2^32 packets are truncated before the comparisons and the function returns 0.
unsigned int get_max_used_protocol(uint64_t tcp, uint64_t udp, uint64_t icmp) {
    unsigned int max = my_max_on_defines(my_max_on_defines(udp, tcp), icmp);

    if (max == tcp) {
        return IPPROTO_TCP;
    } else if (max == udp) {
        return IPPROTO_UDP;
    } else if (max == icmp) {
        return IPPROTO_ICMP;
    }

    return 0;
}

// Picks the protocol from the per-protocol packet counters in the attack's
// direction only; nothing here looks at which threshold was actually exceeded.
unsigned int detect_attack_protocol(const subnet_counter_t& speed_element, direction_t attack_direction) {
    if (attack_direction == INCOMING) {
        return get_max_used_protocol(speed_element.tcp.in_packets, speed_element.udp.in_packets, speed_element.icmp.in_packets);
    } else {
        // OUTGOING
        return get_max_used_protocol(speed_element.tcp.out_packets, speed_element.udp.out_packets, speed_element.icmp.out_packets);
    }
}

You can get more reliable results by using the attack_detection_threshold and attack_detection_threshold_direction fields from the JSON callback, which name the threshold that actually triggered the detection and its direction. To replicate the old per-protocol behaviour, configure separate UDP, TCP and ICMP thresholds instead of a single threshold for total bandwidth; the triggering threshold then identifies the protocol directly.
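The following is an added example and not FastNetMon's own code. It ports the removed packet-count heuristic to Python and places it next to a function that derives the protocol from attack_detection_threshold, then runs both over one constructed callback where a UDP flood hits a server that already handles far more TCP packets. The threshold naming scheme (a "tcp", "udp" or "icmp" prefix such as "udp_mbps"), the "counters" structure and the attack_direction values are assumptions of this example; only attack_detection_threshold and attack_detection_threshold_direction are fields named on this page.

```python
"""Added example, not FastNetMon's own code: the removed attack_protocol
heuristic ported to Python next to protocol derivation from the callback's
attack_detection_threshold field, run over one constructed callback."""
import json

# IP protocol numbers the old heuristic returned (IPPROTO_* constants).
IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ICMP = 6, 17, 1

# Assumption for this example: per-protocol threshold names start with the
# protocol name (e.g. "udp_mbps", "tcp_pps"); anything else is a total-traffic
# threshold. Check the names against your own callback payloads.
PROTOCOL_PREFIXES = ("tcp", "udp", "icmp")


def get_max_used_protocol(tcp: int, udp: int, icmp: int) -> int:
    """Port of the removed C++ logic: the protocol with the most packets wins,
    ties resolving in the order TCP, UDP, ICMP."""
    highest = max(udp, tcp, icmp)
    if highest == tcp:
        return IPPROTO_TCP
    if highest == udp:
        return IPPROTO_UDP
    return IPPROTO_ICMP


def detect_attack_protocol_legacy(counters: dict, direction: str) -> int:
    """Choose the counter set by attack direction, as the removed code did."""
    key = "in_packets" if direction == "incoming" else "out_packets"
    return get_max_used_protocol(
        counters["tcp"][key], counters["udp"][key], counters["icmp"][key]
    )


def protocol_from_threshold(callback: dict) -> str:
    """Return 'tcp', 'udp' or 'icmp' when a per-protocol threshold fired,
    'total' when a protocol-agnostic (bandwidth/pps/flows) threshold fired."""
    name = callback.get("attack_detection_threshold", "")
    prefix = name.split("_", 1)[0]
    return prefix if prefix in PROTOCOL_PREFIXES else "total"


# Constructed callback: a busy web server (many small TCP packets) hit by a UDP
# flood of large packets. Field names other than attack_detection_threshold and
# attack_detection_threshold_direction are assumptions of this example.
SAMPLE_CALLBACK = json.dumps({
    "ip": "192.0.2.10",
    "attack_direction": "incoming",
    "attack_detection_threshold": "udp_mbps",
    "attack_detection_threshold_direction": "incoming",
    "counters": {
        "tcp": {"in_packets": 800000, "out_packets": 900000},
        "udp": {"in_packets": 300000, "out_packets": 1200},
        "icmp": {"in_packets": 40, "out_packets": 40},
    },
})


def analyse(callback_json: str) -> dict:
    """Run both approaches over one callback and report what each concludes."""
    cb = json.loads(callback_json)
    legacy = detect_attack_protocol_legacy(cb["counters"], cb["attack_direction"])
    by_threshold = protocol_from_threshold(cb)
    return {
        "legacy_attack_protocol": legacy,
        "threshold_protocol": by_threshold,
        "threshold_direction": cb["attack_detection_threshold_direction"],
    }


if __name__ == "__main__":
    print(json.dumps(analyse(SAMPLE_CALLBACK), indent=2))
```

On the constructed callback the legacy heuristic reports TCP (protocol 6) because the server's normal TCP packet count still exceeds the flood's UDP packet count, while the triggering threshold, udp_mbps, identifies UDP. This is the mismatch that motivated removing the field: once per-protocol thresholds are configured, the threshold name carries the vector and no packet-count guess is needed.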