identifying application type of network traffic
Hi,

I'm trying to identify applications which generate those traffic on our border routers. I use sampled netflow as data source and some flow-tools as analyzer.

Currently, I use (protocol, port_number) as indicator of application. Referring to rfc on well-known protocol and port allocation, I can only identify about 50% of traffic type.

Is there a complete (protocol, port_number) list? Or is there a better way to identify application type based on netflow data?

regards

Joe
On Thu, 16 Dec 2004 10:52:33 +0800 (CST), Joe Shen <joe_hznm@yahoo.com.sg> wrote:
> I'm trying to identify applications which generate those traffic on our border routers. I use sampled netflow as data source and some flow-tools as analyzer.
You will find that quite a few generators of network traffic (p2p apps, worms, at least some messenger clients) use more than one port - or in several cases, use completely random ports.

Also - a whole lot of ports that are commonly used by p2p and messenger clients (before they fall back to random ports) are not listed in "well known ports" RFCs, or in /etc/services

--srs

--
Suresh Ramasubramanian (ops.lists@gmail.com)
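Added example, not part of either message: a Python sketch of the (protocol, port) classification discussed in this thread, reporting byte-weighted coverage and ranking the ports left unidentified so they can be investigated. The flow records, the port table excerpt, the function names and the lower-port heuristic are constructed assumptions, not flow-tools output.

```python
from collections import Counter

# Constructed excerpt of a (protocol, port) registry; a real run would load
# the full IANA list or /etc/services instead.
KNOWN = {(6, 25): "smtp", (6, 80): "http", (6, 443): "https",
         (6, 53): "dns", (17, 53): "dns", (6, 110): "pop3"}

# Constructed sampled-flow records: protocol, src port, dst port, bytes.
SAMPLE_FLOWS = """\
6 34512 80 120000
6 80 34777 900000
17 40211 53 4000
6 51234 6881 700000
6 6346 49002 250000
17 33012 41170 100000
6 25 40100 60000
6 4662 4662 34000
"""

def parse(text):
    """Yield (proto, sport, dport, bytes) tuples from whitespace-separated lines."""
    for line in text.splitlines():
        if line.strip():
            yield tuple(int(field) for field in line.split())

def classify(proto, sport, dport):
    """Return (app, port). A flow record is one-directional, so the service
    port may be on either side; try both, lower port first."""
    for port in sorted((sport, dport)):
        app = KNOWN.get((proto, port))
        if app:
            return app, port
    # Assumption: key unknown flows by the lower port. For flows between two
    # random high ports this key carries no meaning.
    return None, min(sport, dport)

def summarize(text, sampling_rate=1):
    """Return (bytes per app, bytes per unknown (proto, port), coverage)."""
    by_app, unknown = Counter(), Counter()
    for proto, sport, dport, nbytes in parse(text):
        app, port = classify(proto, sport, dport)
        estimate = nbytes * sampling_rate  # scale sampled bytes to an estimate
        if app:
            by_app[app] += estimate
        else:
            unknown[(proto, port)] += estimate
    total = sum(by_app.values()) + sum(unknown.values())
    coverage = sum(by_app.values()) / total if total else 0.0
    return by_app, unknown, coverage

if __name__ == "__main__":
    apps, unknown, coverage = summarize(SAMPLE_FLOWS, sampling_rate=100)
    print(f"identified {coverage:.0%} of bytes; top unknown: {unknown.most_common(3)}")
```

The ranked list of unknown (protocol, port) pairs shows which ports a local table is missing; flows between two random high ports stay unidentified whatever the table contains.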