Traffic type determination?

How do you determine traffic type? Are you simply using TCP/UDP port to determine this, or are you layering protocol payload analysis (like libprotoident or nDPI [worth noting the latter is LGPL])?

You can actually allow users to create their own byte pattern definitions for applications… check out rauserdata and raservices from the argus project.

Thanks,

Matt

Just a wee bump… have you guys considered this type of robust analysis?

I have never heard of either of them to be honest. I’ll check it out, thank you. What would be an example of something you could do with rauserdata/raservices?

I think using the nDPI classes might make more sense.

Basically, it’s payload and header analysis to qualify traffic as an application. It’s very obvious once you see the code:
https://github.com/nyov/ndpi/blob/master/src/lib/protocols/bittorrent.c
or
https://github.com/nyov/ndpi/blob/master/src/lib/protocols/dropbox.c

It is based on OpenDPI’s original code and considers things like destination IP address or byte patterns to decide traffic. nTop actually uses it inline. Here’s a quick list comparing libprotoident and nDPI…except since nDPI’s code is licensed with LGPL, you all can use it free/free without having to release your source.

I had implemented argus at my last place of work. I never was able to effectively use rauserdata & raservices to tag traffic; but the idea is that rauserdata mines flow data (binary flow data) to create patterns that you can associate with a given application; and raservices tags the traffic. It is explained by the argus dev here. Sort of too advanced right now. I do think layering nDPI will be fairly easy, depending on how you are sitting in the stack!

What do you think?
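To make the port-versus-payload distinction from the post above concrete, here is an added example (not code from the thread, nDPI or argus): a port table beside a few simplified payload dissectors, layered so that a payload match wins and the port table is only a fallback. The dissector checks are deliberately reduced versions of the real ones, and the sample flows are constructed, not captured.

```python
import re
from dataclasses import dataclass
@dataclass(frozen=True)
class Flow:
    """One flow, summarised by its server port and the first client payload bytes."""
    dst_port: int
    payload: bytes

# Port-only view: the naive table a port-based classifier consults.
PORT_TABLE = {80: "http", 443: "https", 6881: "bittorrent"}

# Payload checks, simplified versions of what a DPI dissector looks at.
def _is_bittorrent(p: bytes) -> bool:
    # Peer-wire handshake begins <pstrlen=19><"BitTorrent protocol">.
    return len(p) >= 20 and p[0] == 19 and p[1:20] == b"BitTorrent protocol"

def _is_tls_client_hello(p: bytes) -> bool:
    # Record type 0x16 (handshake), version 0x03 0x01..0x03, handshake type 0x01.
    return len(p) >= 6 and p[:2] == b"\x16\x03" and p[2] in (1, 2, 3) and p[5] == 0x01

_HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")
def _is_http(p: bytes) -> bool:
    return _HTTP_REQUEST.match(p) is not None

PAYLOAD_DISSECTORS = (("bittorrent", _is_bittorrent), ("tls", _is_tls_client_hello), ("http", _is_http))

def classify_by_port(flow: Flow) -> str:
    return PORT_TABLE.get(flow.dst_port, "unknown")

def classify_by_payload(flow: Flow) -> str:
    for name, matches in PAYLOAD_DISSECTORS:
        if matches(flow.payload):
            return name
    return "unknown"

def classify(flow: Flow) -> str:
    """Layered: a payload match wins; the port table is only the fallback."""
    label = classify_by_payload(flow)
    return label if label != "unknown" else classify_by_port(flow)

# Constructed sample flows (not real captures): BitTorrent on 6881, BitTorrent on 443
# (a port table would say "https"), a TLS ClientHello on 443, HTTP on a non-standard port.
BT_HANDSHAKE = b"\x13BitTorrent protocol" + b"\x00" * 8 + b"\x11" * 20 + b"-XX0001-" + b"\x22" * 12
SAMPLE_FLOWS = [
    Flow(6881, BT_HANDSHAKE),
    Flow(443, BT_HANDSHAKE),
    Flow(443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + b"\x00" * 32),
    Flow(8080, b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
]
```

Running `classify_by_port` and `classify` over `SAMPLE_FLOWS` shows where the two views disagree: the second flow is "https" by port but "bittorrent" by payload, and the fourth is "unknown" by port but "http" by payload.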


I’m not a developer but I’ll forward it on to someone who can take a look. Thanks!