A recap of my master’s thesis that proves you can sniff out nasty traffic using only one‑way packet metadata (TTL, ports, timing)—no payload inspection required.