1. Qs to the list, not me personally unless you're interested in paid support.
Could it? Yeah

Does it? No

Should it? Probably not - per packet overhead would be steep

-----Burton

-----Original Message-----
From: Dan Michitsch [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 25, 2003 11:16 AM
To: [EMAIL PROTECTED]
Subject: p2p bandwidth usage not ports based?

Is there any way to detect and gather bandwidth usage statistics on the top p2p programs that do not use any defined ports (KaZaa, etc.)?

I saw a brief mention of the netflow.c code possibly having such ability?

"Update of /export/home/ntop/ntop/plugins
In directory jabber:/tmp/cvs-serv9809/plugins
Modified Files: netflowPlugin.c
Log Message: Added a new field isP2P in the ipSession structure. Now the known P2P protocols (Kazaa, Gnutella, WinMX, DirectConnect), if recognized by the protocol decoders, are accounted correctly."

I also saw in your FAQ the mention of p2p traffic being determined from header information which I assume is then not port usage based?

"Q. What does the "Users" flag mean on a host?

A. If you go to the "Info about host xxxx" page, there will be data in the "Known Users" section, if it's acting as a server for certain protocols. In sessions.c, the function updateHostUsers() is used to maintain the list of "users" of a host. In handleSession(), as part of the protocol level analysis, the "user" information for various protocols is pulled out of the packets. Stuff like the "X-Kazaa-Username" header, the "MAIL FROM:" header, etc.

We tag users as one or more of the following types: P2P_USER, SMTP_USER, FTP_USER, POP_USER, IMAP_USER

Note that for P2P, we also record - where possible - whether this user is in P2P_UPLOAD_MODE and/or P2P_DOWNLOAD_MODE."

My question is can ntop use TCP header inspection and signature matching (somewhat like snort) to determine accurate protocol distribution of p2p and other traffic? Without that, I get far too much "Other TCP/UDP-based Prot." which may or may not be p2p traffic.

I'd really just like to see how much bandwidth p2p apps are using and not base that info on ports as it is becoming more and more inaccurate as the p2p apps use random ports.

Thanks for any info you can provide!

-Dan

_______________________________________________
Ntop mailing list
[EMAIL PROTECTED]
http://listgateway.unipi.it/mailman/listinfo/ntop
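The session-level tagging that the quoted CVS log and FAQ describe can be sketched as follows. This is an added example, not ntop's code and not from either poster: a session is labelled from a payload signature instead of its port, and all of its bytes, including packets seen before the match, are then attributed to that protocol. The names `struct session`, `classify_payload`, `account_packet` and `demo_p2p_bytes` are hypothetical, the sample payloads are constructed, and the two signatures are the header strings quoted in the message above.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum proto { PROTO_OTHER = 0, PROTO_P2P, PROTO_SMTP };
/* Hypothetical per-session record; proto plays the role of an isP2P-style flag. */
struct session { enum proto proto; unsigned long bytes; };

static const struct { const char *sig; enum proto proto; } SIGS[] = {
    { "X-Kazaa-Username", PROTO_P2P },  /* header named in the quoted FAQ */
    { "MAIL FROM:",       PROTO_SMTP }, /* header named in the quoted FAQ */
};

/* Bounded, case-insensitive search: payloads are not NUL-terminated. */
static int contains(const unsigned char *buf, size_t len, const char *sig) {
    size_t n = strlen(sig), i, j;
    for (i = 0; n > 0 && i + n <= len; i++) {
        for (j = 0; j < n; j++)
            if (tolower(buf[i + j]) != tolower((unsigned char)sig[j])) break;
        if (j == n) return 1;
    }
    return 0;
}

enum proto classify_payload(const unsigned char *buf, size_t len) {
    for (size_t k = 0; k < sizeof SIGS / sizeof SIGS[0]; k++)
        if (contains(buf, len, SIGS[k].sig)) return SIGS[k].proto;
    return PROTO_OTHER;
}

/* Count every packet; inspect payloads only until the session is labelled. */
void account_packet(struct session *s, const unsigned char *buf, size_t len) {
    s->bytes += (unsigned long)len;
    if (s->proto == PROTO_OTHER) s->proto = classify_payload(buf, len);
}

/* Constructed sample: one session on an arbitrary port, three payloads. */
unsigned long demo_p2p_bytes(void) {
    static const char *pkts[] = {
        "GET /file HTTP/1.1\r\nHost: 10.0.0.5:3531\r\n",
        "X-Kazaa-Username: example_user\r\n\r\n",
        "\x01\x02\x03\x04 opaque file data",
    };
    struct session s = { PROTO_OTHER, 0 };
    for (size_t i = 0; i < sizeof pkts / sizeof pkts[0]; i++)
        account_packet(&s, (const unsigned char *)pkts[i], strlen(pkts[i]));
    return s.proto == PROTO_P2P ? s.bytes : 0;
}
int main(void) { printf("%lu\n", demo_p2p_bytes()); return 0; }
```

Once a session is labelled, payload inspection stops for it, which limits the per-packet cost to the packets seen before the first match.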
