And that would depend - at least partly - on whether the spec is open or closed. And whether each packet is tagged or just the first. And on how much resources you wanted to spend per-packet to figure it out.
Remember: ntop sees packets - we don't do full-up connection tracking like some OSes and firewalls do.

-----Burton

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kurt Buff
Sent: Wednesday, March 22, 2006 11:09 AM
To: [email protected]
Subject: Re: [Ntop] msn messenger traffic measurement

Burton Strauss wrote:
> Lots of the IM programs play nice - until you try and block them. For
> example, AIM uses port 5190. If that gets through, it's easy to
> track/monitor/capture. But if the 5190 port is blocked (for whatever
> reason), the AIM program tries other ports which are rarely blocked (e.g.
> 80) because they're common web user services.
>
> -----Burton

That was kinda my point - MSN Messenger does that too, but it also tags its communications (over that port, at least) with a MIME content-type header, and I got a bit lucky because of it, since my firewall also evaluates http content based on MIME content-type headers. Sheer luck, but sometimes it's better to be lucky than good.

The interesting question is whether the other IM apps also do something that would tag their chatter that way, allowing better logging/control.

Kurt
_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
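The per-packet versus per-connection trade-off discussed in this thread, as an added example that is not ntop code and not from either poster: a stateless matcher counts only the packet that carries the Content-Type header, while a small flow table also attributes the untagged packets that follow. The content-type value, addresses and packets are constructed assumptions; the thread does not name the header value.

```python
# Added illustration; packets below are constructed, not captured traffic.
IM_TYPES = {"application/x-msn-messenger"}  # assumed value, not given in the thread

def content_type(payload: bytes):
    """Lowercased Content-Type of an HTTP header block starting in this payload, else None."""
    head, _, _ = payload.partition(b"\r\n\r\n")
    first, _, rest = head.partition(b"\r\n")
    if not (first.startswith(b"HTTP/") or first.endswith((b"HTTP/1.0", b"HTTP/1.1"))):
        return None  # not the start of an HTTP request or response
    for line in rest.split(b"\r\n"):
        name, colon, value = line.partition(b":")
        if colon and name.strip().lower() == b"content-type":
            return value.split(b";")[0].strip().decode("latin-1").lower()
    return None

def classify_stateless(packets):
    """Per-packet view: bytes counted only for packets that carry the tag themselves."""
    return sum(len(p["payload"]) for p in packets
               if content_type(p["payload"]) in IM_TYPES)

def classify_with_flows(packets):
    """Remember tagged flows (extra memory per flow) so later packets are attributed too."""
    tagged, total = set(), 0
    for p in packets:
        # Direction-independent flow key built from both endpoints.
        key = frozenset([(p["src"], p["sport"]), (p["dst"], p["dport"])])
        if content_type(p["payload"]) in IM_TYPES:
            tagged.add(key)
        if key in tagged:
            total += len(p["payload"])
    return total

def pkt(src, sport, dst, dport, payload):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "payload": payload}

SAMPLE = [  # constructed: one tagged IM request split over two packets, one web request
    pkt("10.0.0.5", 40000, "192.0.2.10", 80,
        b"POST /gateway HTTP/1.1\r\nHost: example.invalid\r\n"
        b"Content-Type: application/x-msn-messenger\r\n"
        b"Content-Length: 1500\r\n\r\n" + b"A" * 100),
    pkt("10.0.0.5", 40000, "192.0.2.10", 80, b"B" * 1400),  # body continuation, no header
    pkt("10.0.0.7", 40001, "192.0.2.20", 80,
        b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
]

if __name__ == "__main__":
    print("stateless bytes:", classify_stateless(SAMPLE))
    print("flow-aware bytes:", classify_with_flows(SAMPLE))
```

The difference between the two totals is the traffic a packet-only monitor would file under ordinary port 80 web traffic when only the first packet of an exchange is tagged.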
