That would take heavy-duty hardware, since not only do you have to inspect every single TCP session concurrently, regardless of port, for application layer signatures that match Kazaa etc., it would also suck up major memory. You are probably better off running SNORT 2.1x + the ACID/MYSQL addon and using the P2P signature listing; Snort is specifically designed for the purpose of tracking application layer attacks etc.
I.e.: HOST A might have 12 port 80 sessions (10 legit HTTP GET requests, and 2 KAZAA peer node probes using port 80). This would mean ntop would have to inspect all 10 sessions initially and flag+track the last 2.

-----Original Message-----
From: Pietro Bandera [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 24, 2004 8:26 AM
To: [EMAIL PROTECTED]
Subject: [Ntop-dev] P2P sniffing with ntop

Hi all!
I've got a question:
With ntop I can sniff and "quote" the P2P traffic that uses the classic ports:

Gnutella=6346|6347|6348
Kazaa=1214
WinMX=6699|7730
DirectConnect=0  Dummy port as this is a pure P2P protocol
eDonkey=4661-4665

But what if I would like to "quote" the P2P traffic that passes through other ports?
Ex: Kazaa could pass through about any port, e.g. 80...
Is there a way to see?

Thanks
Ciao
Pietro

_______________________________________________
Ntop-dev mailing list
[EMAIL PROTECTED]
http://listgateway.unipi.it/mailman/listinfo/ntop-dev
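
The difference between the port list in the question and the per-session payload inspection described in the reply, as an added Python example that is not part of either message. The payload patterns are simplified assumptions for illustration (not Snort's P2P rule set), and the sample sessions are constructed to match the HOST A scenario.

```python
# Added example: port-based vs. payload-based classification of TCP sessions.
# Payload patterns are simplified assumptions, not Snort's P2P signatures.
from collections import Counter

# Well-known ports from the original question (DirectConnect's dummy 0 omitted).
PORT_MAP = {}
for name, ports in {
    "Gnutella": (6346, 6347, 6348),
    "Kazaa": (1214,),
    "WinMX": (6699, 7730),
    "eDonkey": range(4661, 4666),
}.items():
    PORT_MAP.update({p: name for p in ports})

# (label, predicate on the first payload bytes of a session).
# Order matters: Kazaa requests look like HTTP, so they are tested first.
SIGNATURES = [
    ("Gnutella", lambda b: b.startswith(b"GNUTELLA CONNECT/")),
    ("Kazaa", lambda b: b"x-kazaa-" in b.lower()),
    ("eDonkey", lambda b: b[:1] == b"\xe3"),
    ("HTTP", lambda b: b.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD")),
]

def by_port(dport):
    """Classify by destination port only (cheap, blind to port reuse)."""
    return PORT_MAP.get(dport, "HTTP" if dport == 80 else "other")

def by_payload(first_bytes):
    """Classify by application-layer content, regardless of port."""
    for label, match in SIGNATURES:
        if match(first_bytes):
            return label
    return "unknown"

def summarize(sessions):
    """sessions: iterable of (dport, first_payload_bytes) -> (port view, payload view)."""
    ports, payloads = Counter(), Counter()
    for dport, data in sessions:
        ports[by_port(dport)] += 1
        payloads[by_payload(data)] += 1
    return dict(ports), dict(payloads)

# Constructed sample: 12 port-80 sessions, 10 plain HTTP and 2 Kazaa-style probes.
HTTP_GET = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
KAZAA_PROBE = b"GET /.hash=0000 HTTP/1.1\r\nX-Kazaa-Username: user\r\n\r\n"
HOST_A = [(80, HTTP_GET)] * 10 + [(80, KAZAA_PROBE)] * 2

if __name__ == "__main__":
    print(summarize(HOST_A))
```

The port view reports all 12 sessions as HTTP, while the payload view separates the 2 Kazaa-style sessions, at the cost of reading payload from every session.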
