Not really. A heavyweight application filtering box can do it, by storing and (deeply) analyzing all of the traffic. It tracks the session setup, so it knows all traffic from a.b.c.d:e to/from v.w.x.y:z is part of this Kazaa session.
W/o the session stuff, it boils down to how do you tell a random packet apart. It could be the middle of a graphic on a web page or the middle of an mp3 or a zipped download. Either way, it's basically white noise. And thus there's no way to tell. The whole point of protocols using 'standard' ports for fallback is that they pretty much pass through looking like all other traffic.

ntop has some ability to look into packets (deep inspection) - that's how it determines the P2P users flag. And it does track tcp sessions. But there's no way to separate out the collected data (e.g. Port80, Port80/Kazaa) - that counting is just done blindly by port.

It might be possible to do something, but it would take some coding.

-----Burton

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Pietro Bandera
> Sent: Wednesday, March 24, 2004 7:26 AM
> To: [EMAIL PROTECTED]
> Subject: [Ntop-dev] P2P sniffing with ntop
>
> Hi all!
>
> I've got a question:
>
> With ntop I can sniff and "quote" the P2P traffic that uses the
> classic ports:
>
> Gnutella=6346|6347|6348
> Kazaa=1214
> WinMX=6699|7730
> DirectConnect=0 Dummy port as this is a pure P2P protocol
> eDonkey=4661-4665
>
> But if I would like to "quote" the P2P traffic that passes through other
> ports?
>
> Ex: Kazaa could pass to about any port, f.e. 80...
>
> Is there a way to see?
>
> Thanks
> Ciao
>
> Pietro
>
> _______________________________________________
> Ntop-dev mailing list
> [EMAIL PROTECTED]
> http://listgateway.unipi.it/mailman/listinfo/ntop-dev
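Added example, not part of the original thread or of ntop's code: a Python sketch of the session tracking the reply describes, where a flow is labelled once from its setup message and every later packet on the same address/port pair is counted under that label, shown next to blind per-port counting. The payload markers, the `account` function and the sample packets are assumptions constructed for illustration.

```python
from collections import Counter

# Illustrative payload markers (assumptions for this example, not ntop's rules).
SIGNATURES = {"Kazaa": b"X-Kazaa-", "Gnutella": b"GNUTELLA CONNECT/"}

def flow_key(src, sport, dst, dport):
    """Direction-independent key so both halves of a session map to one flow."""
    return tuple(sorted([(src, sport), (dst, dport)]))

def classify_payload(payload):
    """Return a protocol name if the payload carries a known setup marker."""
    for proto, marker in SIGNATURES.items():
        if marker in payload:
            return proto
    return None

def account(packets):
    """Return (bytes counted by port only, bytes counted by port plus session label)."""
    by_port, by_session, flows = Counter(), Counter(), {}
    for src, sport, dst, dport, payload in packets:
        port = min(sport, dport)  # crude guess at the service port (assumption)
        by_port[f"Port{port}"] += len(payload)
        key = flow_key(src, sport, dst, dport)
        # Label the flow when a setup message is recognised; later packets of
        # the same flow inherit the label even if their payload is opaque.
        if flows.get(key) is None:
            flows[key] = classify_payload(payload)
        label = flows[key]
        by_session[f"Port{port}/{label}" if label else f"Port{port}"] += len(payload)
    return by_port, by_session

# Constructed sample traffic: one Kazaa-style session and one ordinary web
# session, both on port 80. Addresses come from documentation ranges.
PACKETS = [
    ("10.0.0.5", 40001, "192.0.2.10", 80, b"GET /.hash=abc HTTP/1.1\r\nX-Kazaa-Username: u\r\n\r\n"),
    ("192.0.2.10", 80, "10.0.0.5", 40001, b"\x8f\x02\xa1" * 100),  # opaque data
    ("10.0.0.5", 40001, "192.0.2.10", 80, b"\x11\x7c" * 50),       # opaque data
    ("10.0.0.7", 40002, "192.0.2.20", 80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("192.0.2.20", 80, "10.0.0.7", 40002, b"\x00\xff" * 200),
]

if __name__ == "__main__":
    by_port, by_session = account(PACKETS)
    print("by port:   ", dict(by_port))
    print("by session:", dict(by_session))
```

Feeding it only the later packets of the first flow (`PACKETS[1:]`) leaves everything under `Port80`, which is the "random packet" case from the reply.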
