# badprotocol

**Explanation**

The badprotocol event is triggered when the Netography Fusion Portal identifies an invalid IP protocol being used on the network. IP packets encapsulate higher level protocols such as TCP and UDP. There are 256 possible protocols, but some values are reserved or unexpected, and those will trigger this event.

**What to Look For**

This event is most likely triggered by the use of an uncommon networking technology within your environment. Unexpected or unauthorized use of invalid IP protocols might indicate an attempt by an attacker to hide command and control traffic within a network.

**Related MITRE ATT\&CK Categories**

[Command and Control: Protocol Tunneling, Technique T1572 - Enterprise](https://attack.mitre.org/techniques/T1572)


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.fusion.vectra.ai/detection-models/library/informational/badprotocol.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.