On Fri, 23 Sep 2005, Joe Shen wrote:
Hi,
Christopher L. Morrow wrote:
which can't really tell bittorrent (or ssh or aim or...) over tcp/80 from http over tcp/80... I think Joe's looking for something that knows what protocols look like below the port number and can spit out numbers for that... these, it would seem to me, would all require in-line traffic capture or mirrored port (mirrored traffic, not necessarily an ethernet port mirror) to be effective.
Yes, that's what I want -- find out what application uses what protocol and what number, then apply that result to a netflow analysis system which could be used to get statistics of multiple sites.
It's not clear to me that you can easily correlate netflow and capture data, especially since you may not see the same data at each point... Most of the data capture/analysis boxes probably also do graphs and traffic info as well, why not rely on their data?
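The point made in the thread, that a port number alone cannot separate bittorrent or ssh from http on tcp/80, shown as an added example that is not code from any participant in this thread. It assumes the first payload bytes of each TCP stream are available from an in-line or mirrored capture; the sample flows, byte counts and function names are constructed for illustration.

```python
from collections import defaultdict

# Start-of-stream markers: HTTP request methods and status line, the SSH
# identification string, and the BitTorrent peer-wire handshake.
HTTP_PREFIXES = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                 b"OPTIONS ", b"CONNECT ", b"HTTP/1.")

def classify(payload: bytes) -> str:
    """Guess the application from the first bytes of a TCP stream."""
    if payload.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"
    if payload.startswith(b"SSH-"):
        return "ssh"
    if payload.startswith(HTTP_PREFIXES):
        return "http"
    return "unknown"  # encrypted, obfuscated, or simply not in the table

# Constructed sample flows: (dst_port, total_bytes, first payload bytes).
SAMPLE_FLOWS = [
    (80, 1200, b"GET /index.html HTTP/1.1\r\nHost: example.net\r\n\r\n"),
    (80, 900000, b"\x13BitTorrent protocol" + b"\x00" * 8 + b"A" * 20 + b"B" * 20),
    (80, 4000, b"SSH-2.0-OpenSSH_4.2\r\n"),
    (22, 3000, b"SSH-2.0-OpenSSH_4.2\r\n"),
    (80, 500, b"\x00\x01\x02"),
]

def bytes_by_port(flows):
    """What a port-only (netflow-style) report can say."""
    totals = defaultdict(int)
    for port, nbytes, _payload in flows:
        totals[port] += nbytes
    return dict(totals)

def bytes_by_port_and_app(flows):
    """The same flows, split by what the payload actually looks like."""
    totals = defaultdict(int)
    for port, nbytes, payload in flows:
        totals[(port, classify(payload))] += nbytes
    return dict(totals)

if __name__ == "__main__":
    print("port only:", bytes_by_port(SAMPLE_FLOWS))
    for key, nbytes in sorted(bytes_by_port_and_app(SAMPLE_FLOWS).items()):
        print(key, nbytes)
```

The "unknown" bucket is the part to watch in practice: anything that encrypts or pads its first bytes lands there, so payload signatures narrow the tcp/80 total but do not fully account for it.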