Counting eapol packets might still be a good way to flag a device as "green" (if we determine, for example, that some exceptionally quiet devices do not send or receive anyother traffic after reauthenticating), but we should still be able to treat a single encrypted packet as a sign that we have somehow gotten out of sync and should therefore re-flag the corresponding device as "red."
Counting eapol packets might still be a good way to flag a device as "green" (if we determine, for example, that some exceptionally quiet devices do not send or receive any other traffic after reauthenticating), but we should still be able to treat a single encrypted packet as a sign that we have somehow gotten out of sync and should therefore re-flag the corresponding device as "red."