Protocols > Remote Desktop Protocol (RDP)

RDP, or the Remote Desktop Protocol, is the protocol designed by Microsoft to allow for visual remote administration of Windows systems.  This protocol is an encrypted protocol that allows for clients to log in to a Windows machine from remote.  The protocol is actually a pretty simple protocol to identify because of it's very standard first data packet format.  The first packet of every RDP stream follows the pattern below.

<0x03 00 00><2 unknown bytes><0xe0 00 00 00 00><Optional Cookie Data>

So, based on those 2 static known sets of bytes we are able to readily identify the first packet of an RDP stream.  It's pretty straightforward and very simple, and fortunately, enough to readily identify this traffic.