On Fri, Jul 16, 2004 at 09:32:14PM -0400, Jared Mauch wrote:
On Fri, Jul 16, 2004 at 06:15:53PM -0700, Michel Py wrote:
Michel Py wrote: BitTorrent is a third of p2p traffic in Sweden? Wow. In the US it is a small blip on the radar.
Petri Helenius wrote: Should hold water for Sweden too. Wonder why so many of the bittorrent streams terminate in the US if it's not on your radar. Maybe time for finetuning the radar ...
Jared Mauch wrote: BitTorrent is in my "top ten" tcp ports in my netflow.
Gee I must have something wrong. How does in compare to the FastTrack/Kazaa monster on your side?
this is from a 10-15 min sample period, based on flow count, not bytecount.
TOP TEN:
(tcp) 80, 25, 6699, 4662, 1433 443, 445, 6881, 7171, 6346
(udp) 53, 6257, 27960, 1026, 135 27015, 22321, 1027, 3310, 28960
- jared
How are ISPs monitoring P2P traffic these days? Monitoring based on Netflow/cflowd data and fixed port numbers for application classification doesn't seem to do the trick anymore as more P2P applications use random port numbers or even use port 80, with the purpose of circumventing potential ISP policies or accounting. With Netflow/fixed port nrs the amount of 'unknown traffic' is increasing steadily. The next step in P2P recognition seems to be deep packet inspection with signature based detection. The major problem here is scalability - I don't see some device analyzing 1G, the typical uplink capacity of Internet gateways in a medium SP network, of traffic at layer 7. If this should be feasable, what if P2P applications would employ encryption schemes (e.g. IPSec) - this would render signature-based recognition useless. -walter