On Sun, 18 Jul 2004, Walter De Smedt wrote:
How are ISPs monitoring P2P traffic these days? Monitoring based on Netflow/cflowd data and fixed port numbers for application classification doesn't seem to do the trick anymore as more P2P applications use random port numbers or even use port 80, with the purpose of circumventing potential ISP policies or accounting. With Netflow/fixed port nrs the amount of 'unknown traffic' is increasing steadily.
The next step in P2P recognition seems to be deep packet inspection with signature-based detection. The major problem here is scalability - I don't see some device analyzing 1G, the typical uplink capacity of Internet gateways in a medium SP network, of traffic at layer 7. If this should be feasible, what if P2P applications would employ encryption schemes (e.g. IPSec) - this would render signature-based recognition useless.
You can also be fairly accurate from the flow data, e.g. genuine web traffic is short small transfers, P2P is long-lived flows of continuous high usage.

Steve
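Added example, not part of the original thread: a sketch of the flow-shape heuristic described in the reply above, classifying by duration and sustained rate instead of port number. The thresholds, the record layout and the sample records are assumptions constructed for illustration; slices of one flow exported on an active timeout are stitched together first so that long flows are seen whole.

```python
from collections import defaultdict

# Assumed thresholds for illustration; tune against your own traffic.
MIN_DURATION_S = 600      # "long-lived"
MIN_AVG_BPS = 200_000     # "continuous high usage"
MAX_GAP_S = 5             # max gap between slices of one flow split by the exporter

# Constructed sample records: (src, dst, sport, dport, proto, start_s, end_s, octets)
SAMPLE = [
    # Web-like: short, small transfers
    ("10.0.0.5", "192.0.2.10", 40001, 80, 6, 0, 2, 40_000),
    ("10.0.0.5", "192.0.2.11", 40002, 80, 6, 3, 4, 15_000),
    ("10.0.0.5", "192.0.2.10", 40003, 80, 6, 10, 12, 60_000),
    # One 15-minute flow to port 80, exported as 60 s slices
    *[("10.0.0.9", "198.51.100.7", 51000, 80, 6, t, t + 60, 3_000_000)
      for t in range(0, 900, 60)],
]

def stitch(records):
    """Merge exporter slices that share a 5-tuple into whole flows."""
    flows = defaultdict(list)
    for src, dst, sport, dport, proto, start, end, octets in sorted(
            records, key=lambda r: r[5]):
        segs = flows[(src, dst, sport, dport, proto)]
        if segs and start - segs[-1][1] <= MAX_GAP_S:
            segs[-1][1] = max(segs[-1][1], end)   # extend the open flow
            segs[-1][2] += octets
        else:
            segs.append([start, end, octets])     # start a new flow
    return [(key, *seg) for key, segs in flows.items() for seg in segs]

def classify(start, end, octets):
    """Label a flow by its shape only; the port number is never consulted."""
    duration = end - start
    rate = octets * 8 / duration if duration > 0 else 0
    if duration >= MIN_DURATION_S and rate >= MIN_AVG_BPS:
        return "long-lived-bulk"
    return "short-transfer"

def bulk_share_by_host(records):
    """Fraction of each source host's bytes carried in long-lived bulk flows."""
    total, bulk = defaultdict(int), defaultdict(int)
    for key, start, end, octets in stitch(records):
        total[key[0]] += octets
        if classify(start, end, octets) == "long-lived-bulk":
            bulk[key[0]] += octets
    return {host: bulk[host] / total[host] for host in total if total[host]}
```

Without the stitching step each 60-second slice of the long flow would be labelled a short transfer, so the heuristic depends on how the exporter's timeouts are configured.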