That's the most likely answer. Esp. with p2p, VoIP and other protocols that use random high ports. If there's enough traffic, there will be collisions between port #s.
You do need to keep an eye on things, as some of the trojan's use those high port #s for their servers - and if those are out there, the lower # may well be the random port of the reply channel. Unfortunately, these P2P protcols are problematic, since even if we were to write the deep packet inspection code, there's no place on a switched network to put the ntop sensor that would see all the traffic. It's one thing if you are acting as the router (read up on Linux's connection tracking, for example), it's another if you are passively seeing packets. Since we can't be sure, we have to guess and that (lower port # recognition) is our "best guess" algorithm. -----Burton -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Vivek Kedia Sent: Friday, January 06, 2006 1:15 AM To: [email protected] Subject: RE: [Ntop] Why edonkey and Kazaa Traffic is coming Hi Burton, You are right , it is usually a small amount of traffic (less than few MBs )that is shown as Kazaa / edoney, so basically in layman terms it means that there is no actual Kazaa/Edoney traffic but rather a misinterpretation of port # regards vivek --- Burton Strauss <[EMAIL PROTECTED]> wrote: > If you check the article in docs/FAQ, you will see that ntop uses the > lower port # of the packet for classification. > > Remember, part of the tcp/ip protocol involves a random port # - say > you connect to x.y.com on port 80 - the return path uses a random port #. > > This works great when one of the port #s (the lower #) is obvious. > But many protocols use two random port #s or have a high # as their > 'well known #', and so ntop CAN be confused. In some cases we do a > deeper analysis on the packets (e.g. ftp), but not all. > > Port #s are just #s. You CAN use a port for anything, as long as the > two sides (sender and receiver) agree. That can lead to unexpected > classification. Some protocols do this deliberately, i.e. AOL uses a > variety of port #s if the default, 5190, is blocked for any reason. > > And so on. This is usually a small amount of traffic. > > -----Burton > > > > -----Original Message----- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf > Of Vivek Kedia > Sent: Wednesday, January 04, 2006 10:45 PM > To: [email protected] > Subject: Re: [Ntop] Why edonkey and Kazaa Traffic is coming > > Hi All, > > I am using NTOP to moniter around 50 PCs in my office and some of the > days i see edonkey and Kazaa traffic on few of the workstations even > though dont have any file sharing software installed on them , what > can be the reason that ntop is seeing some of the data trf. as being > from kazaa / edonkey, > > can it be a virus / ntop misreading the data transfer. > > since the workstations keep on changing so i dont think that its a > virus , maybe ntop? > > regards > vivek > > > > __________________________________________ > Yahoo! DSL - Something to write home about. > Just $16.99/mo. or less. > dsl.yahoo.com > > _______________________________________________ > Ntop mailing list > [email protected] > http://listgateway.unipi.it/mailman/listinfo/ntop > > _______________________________________________ > Ntop mailing list > [email protected] > http://listgateway.unipi.it/mailman/listinfo/ntop > __________________________________________ Yahoo! DSL - Something to write home about. Just $16.99/mo. or less. dsl.yahoo.com _______________________________________________ Ntop mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop _______________________________________________ Ntop mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop
