Traffic type determination?

How do you determine traffic type? Are you simply using TCP/UDP port to determine this, or are you layering protocol payload analysis (like libprotoident or nDPI [worth noting the latter is LGPL])?

You can actually allow users to create their own byte pattern definitions for applications… check out rauserdata and raservices from the argus project.



Just a wee bump… have you guys considered this type of robust analysis?

I have never heard of either of them to be honest. I’ll check it out, thank you. What would be an example of something you could do with rauserdata/raservices?

I think using the nDPI classes might make more sense.

Basically, it’s payload and header analysis to qualify traffic as an application. It’s very obvious once you see the code:

It is based on OpenDPI’s original code, considers things like destination IP address or byte patterns to decide traffic. nTop actually uses it in line. Here’s a quick list comparing libprotoident and nDPI…except since nDPI’s code is licensed with LGPL, you all can use it free/free without having to release your source.

I had implemented argus at my last place of work. I never was able to effectively use rauserdata & raservices to tag traffic; but the idea is that rauserdata mines flow data (binary flow data) to create patterns that you can associate with a given application; and raservices tags the traffic. It is explained by the argus dev here. Sort of too advanced right now. I do think layering nDPI will be fairly easy, depending on how you are sitting in the stack!

What do you think?

1 Like

I’m not a developer but I’ll forward it on to someone who can take a look. Thanks!