North American Network Operators Group


Re: identifying application type of network traffic

  • From: Suresh Ramasubramanian
  • Date: Wed Dec 15 21:59:26 2004

On Thu, 16 Dec 2004 10:52:33 +0800 (CST), Joe Shen
<[email protected]> wrote:
>  I'm trying to identify applications which generate
> those traffic on our border routers. I use sampled
> netflow as data source and some flow-tools as
> analyzer.

You will find that quite a few generators of network traffic (p2p
apps, worms, at least some messenger clients) use more than one port -
or in several cases, use completely random ports.

Also - a whole lot of ports that are commonly used by p2p and
messenger clients (before they fall back to random ports) are not
listed in "well known ports" RFCs, or in /etc/services.

Suresh Ramasubramanian ([email protected])
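
An added example, not part of the original message: a port-map classifier run over flow records, measuring how many bytes it cannot attribute and which sources spread unclassified traffic over many ports. The record layout, the port table and the sample flows are constructed assumptions, not flow-tools output.

```python
from collections import defaultdict

# Constructed excerpt of an /etc/services-style port map (assumption, not a full list).
KNOWN_PORTS = {25: "smtp", 53: "domain", 80: "http", 443: "https"}

# Constructed sample flows: (src_ip, dst_ip, src_port, dst_port, proto, bytes)
SAMPLE_FLOWS = [
    ("10.0.0.5", "192.0.2.10", 40112, 80, 6, 120000),
    ("10.0.0.5", "192.0.2.11", 40113, 443, 6, 80000),
    ("10.0.0.7", "198.51.100.3", 51200, 25, 6, 15000),
    ("10.0.0.9", "203.0.113.20", 33211, 47811, 6, 400000),
    ("10.0.0.9", "203.0.113.21", 33212, 29114, 6, 350000),
    ("10.0.0.9", "203.0.113.22", 33213, 61007, 17, 250000),
    ("10.0.0.8", "192.0.2.53", 53000, 53, 17, 2000),
]

def classify(flow):
    """Label a flow by whichever port is in the map; 'unknown' if neither is."""
    _, _, sport, dport, _, _ = flow
    # Heuristic: try the lower port first, it is usually the server side.
    for port in sorted((sport, dport)):
        if port in KNOWN_PORTS:
            return KNOWN_PORTS[port]
    return "unknown"

def bytes_by_app(flows):
    """Sum bytes per application label."""
    totals = defaultdict(int)
    for flow in flows:
        totals[classify(flow)] += flow[5]
    return dict(totals)

def unknown_share(flows):
    """Fraction of all bytes that the port map could not attribute."""
    totals = bytes_by_app(flows)
    return totals.get("unknown", 0) / sum(totals.values())

def unknown_talkers(flows, min_ports=3):
    """Sources whose unclassified flows hit >= min_ports distinct dst ports."""
    ports = defaultdict(set)
    for flow in flows:
        if classify(flow) == "unknown":
            ports[flow[0]].add(flow[3])
    return {src: len(p) for src, p in ports.items() if len(p) >= min_ports}

if __name__ == "__main__":
    print(bytes_by_app(SAMPLE_FLOWS))
    print(f"unattributed share: {unknown_share(SAMPLE_FLOWS):.1%}")
    print("many-port sources:", unknown_talkers(SAMPLE_FLOWS))
```

With sampled NetFlow the byte totals are estimates, so the unattributed share is more meaningful than the absolute counts.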