+1 on P2P protocols being tricky. A lot of them are designed to be very
sneaky. Same with Chat apps. A lot of those do behaviors that are,
frankly, virus-like. They have a big bag of hacker tricks built in so
that a receptionist can circumvent several layers of network security to
sit there and chat with her friends when she's bored.

We have big $$$$ commercial intrusion prevention systems (that obviously
ARE doing deep packet inspection) on our external public links, with
signatures updated daily at great expense to us - and those things have
only mixed results blocking this stuff. I've given up on trying to find
everything on the inside - I just make sure that I'm not seeing a sudden
spike in weird traffic like that.

C

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Burton Strauss
Sent: Friday, January 06, 2006 7:09 AM
To: [email protected]
Subject: RE: [Ntop] Why edonkey and Kazaa Traffic is coming

That's the most likely answer.  Esp. with p2p, VoIP and other protocols
that use random high ports.  If there's enough traffic, there will be
collisions between port #s.

You do need to keep an eye on things, as some of the trojans use those
high port #s for their servers - and if those are out there, the lower #
may well be the random port of the reply channel.

Unfortunately, these P2P protocols are problematic, since even if we were
to write the deep packet inspection code, there's no place on a switched
network to put the ntop sensor that would see all the traffic.  It's one
thing if you are acting as the router (read up on Linux's connection
tracking, for example), it's another if you are passively seeing packets.
Since we can't be sure, we have to guess and that (lower port #
recognition) is our "best guess" algorithm.

-----Burton



-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Vivek Kedia
Sent: Friday, January 06, 2006 1:15 AM
To: [email protected]
Subject: RE: [Ntop] Why edonkey and Kazaa Traffic is coming

Hi Burton,

You are right, it is usually a small amount of traffic (less than a few
MBs) that is shown as Kazaa / edonkey, so basically in layman's terms it
means that there is no actual Kazaa/edonkey traffic but rather a
misinterpretation of port #.

regards
vivek

--- Burton Strauss <[EMAIL PROTECTED]> wrote:

> If you check the article in docs/FAQ, you will see that ntop uses the
> lower port # of the packet for classification.
>
> Remember, part of the tcp/ip protocol involves a random port # - say
> you connect to x.y.com on port 80 - the return path uses a random port #.
>
> This works great when one of the port #s (the lower #) is obvious. 
> But many protocols use two random port #s or have a high # as their
> 'well known #', and so ntop CAN be confused.  In some cases we do a
> deeper analysis on the packets (e.g. ftp), but not all.
>
> Port #s are just #s.  You CAN use a port for anything, as long as the
> two sides (sender and receiver) agree.  That can lead to unexpected
> classification.  Some protocols do this deliberately, i.e. AOL uses a
> variety of port #s if the default, 5190, is blocked for any reason.
>
> And so on.  This is usually a small amount of traffic.
>
> -----Burton
>
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
> Of Vivek Kedia
> Sent: Wednesday, January 04, 2006 10:45 PM
> To: [email protected]
> Subject: Re: [Ntop] Why edonkey and Kazaa Traffic is coming
>
> Hi All,
>
> I am using NTOP to monitor around 50 PCs in my office and on some
> days I see edonkey and Kazaa traffic on a few of the workstations even
> though they don't have any file sharing software installed on them. What
> can be the reason that ntop is seeing some of the data transfer as being
> from kazaa / edonkey?
>
> Can it be a virus / ntop misreading the data transfer?
>
> Since the workstations keep on changing I don't think that it's a
> virus, maybe ntop?
>
> regards
> vivek
>
>
>       
> __________________________________________
> Yahoo! DSL - Something to write home about.
> Just $16.99/mo. or less.
> dsl.yahoo.com
>
> _______________________________________________
> Ntop mailing list
> [email protected]
> http://listgateway.unipi.it/mailman/listinfo/ntop
>




**********************************************************************
Confidential/Proprietary Note

The information in this email is confidential and may be legally privileged.  
Access to this email by anyone other than the intended addressee is 
unauthorized.  If you are not the intended recipient of this message, any 
review, disclosure, copying, distribution, retention, or any action taken or 
omitted to be taken in reliance on it is prohibited and may be unlawful.  If 
you are not the intended recipient, please reply to or forward a copy of this 
message to the sender and delete the message, any attachments, and any copies 
thereof from your system.  Thank you.
Guardian Mtg Documents, Inc.
225 Union Boulevard, Suite 200
Lakewood, CO 80228.
**********************************************************************

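Burton's description of ntop's "lower port number names the protocol" guess, and the port collisions it produces, as an added example. This is not ntop's code: it reproduces the heuristic over constructed flow records and then applies the sanity check a practitioner would want, namely whether the "P2P" port recurs with many peers (a real client with a fixed listening port) or shows up once, in the ephemeral range, with a few kilobytes (a client's random port that happened to equal 4662 or 1214). The port table, the ephemeral ranges, the byte threshold and the sample flows are all assumptions made for the example.

```python
"""Lower-port classification and an ephemeral-port collision check.

Added example: this is not ntop's code.  It reproduces the "lower port
number names the protocol" guess described in the thread on constructed
flow records and then flags the labels most likely to be port-number
collisions.  The port table and ephemeral ranges are assumptions.
"""
from collections import defaultdict

# Port -> label.  Common defaults for these applications; an assumption for
# this example rather than ntop's own table.
PORT_LABELS = {
    25: "smtp", 53: "dns", 80: "http", 443: "https",
    1214: "kazaa", 4662: "edonkey", 4672: "edonkey-udp", 5190: "aim",
}
P2P_LABELS = ("kazaa", "edonkey", "edonkey-udp")

# Client-side random port ranges assumed here: the classic 1025-5000 range
# used by older Windows stacks (which overlaps the P2P ports above) and the
# IANA dynamic range.
EPHEMERAL_RANGES = ((1025, 5000), (49152, 65535))

# Constructed sample flows using documentation address ranges, not captures.
SAMPLE_FLOWS = [
    # client random port 4662 talking to a proxy on 8080: labelled edonkey
    {"src": "10.0.0.12", "sport": 4662, "dst": "203.0.113.9", "dport": 8080, "bytes": 3_500},
    # client random port 1214 talking to a listener on 8443: labelled kazaa
    {"src": "10.0.0.15", "sport": 1214, "dst": "198.51.100.7", "dport": 8443, "bytes": 900},
    # a real eDonkey client: port 4662 recurs with several remote peers
    {"src": "10.0.0.20", "sport": 4662, "dst": "192.0.2.1", "dport": 55011, "bytes": 2_000_000},
    {"src": "10.0.0.20", "sport": 4662, "dst": "192.0.2.2", "dport": 50321, "bytes": 1_800_000},
    {"src": "10.0.0.20", "sport": 4662, "dst": "192.0.2.3", "dport": 61000, "bytes": 2_400_000},
    # ordinary web traffic from a client random port
    {"src": "10.0.0.12", "sport": 3201, "dst": "203.0.113.80", "dport": 80, "bytes": 12_000},
]


def is_ephemeral(port):
    return any(lo <= port <= hi for lo, hi in EPHEMERAL_RANGES)


def classify(flow):
    """ntop-style guess: the lower of the two port numbers names the protocol."""
    return PORT_LABELS.get(min(flow["sport"], flow["dport"]), "unknown")


def classify_all(flows):
    return [classify(f) for f in flows]


def peer_counts(flows):
    """Distinct remote addresses seen per (host, port) endpoint."""
    peers = defaultdict(set)
    for f in flows:
        peers[(f["src"], f["sport"])].add(f["dst"])
        peers[(f["dst"], f["dport"])].add(f["src"])
    return peers


def likely_collisions(flows, max_bytes=64 * 1024):
    """Return P2P-labelled flows that look like ephemeral-port collisions.

    A real P2P client keeps one listening port and talks to many peers, so
    the (host, port) endpoint recurs with different remote addresses.  A
    collision is a one-off: the "P2P" port is in the ephemeral range, is
    seen with a single peer, and carries little data (threshold assumed).
    """
    peers = peer_counts(flows)
    flagged = []
    for f in flows:
        if classify(f) not in P2P_LABELS:
            continue
        low = min(f["sport"], f["dport"])
        host = f["src"] if f["sport"] == low else f["dst"]
        if is_ephemeral(low) and len(peers[(host, low)]) == 1 and f["bytes"] <= max_bytes:
            flagged.append(f)
    return flagged


if __name__ == "__main__":
    for f, label in zip(SAMPLE_FLOWS, classify_all(SAMPLE_FLOWS)):
        print(f"{f['src']}:{f['sport']} -> {f['dst']}:{f['dport']}  {label}")
    for f in likely_collisions(SAMPLE_FLOWS):
        print(f"probable port collision: {f['src']}:{f['sport']} -> {f['dst']}:{f['dport']}")
```

On the sample data the first two flows are labelled edonkey and kazaa purely because the client's random port was the lower number, and both are flagged as collisions; the three flows from 10.0.0.20 keep the edonkey label because that host's port 4662 is seen with three different peers and megabytes of data. The check is only a heuristic: a genuine client that has spoken to a single peer so far also passes it, which is why the thread's advice is to watch for sustained volume or a sudden spike per host rather than to trust any single flow's label.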