On Sun, 18 Jul 2004, Walter De Smedt wrote:
> How are ISPs monitoring P2P traffic these days? Monitoring based on
> Netflow/cflowd data and fixed port numbers for application
> classification doesn't seem to do the trick anymore as more P2P
> applications use random port numbers or even use port 80, with the
> purpose of circumventing potential ISP policies or accounting.
> With Netflow/fixed port nrs the amount of 'unknown traffic' is
> increasing steadily.
>
> The next step in P2P recognition seems to be deep packet inspection with
> signature based detection. The major problem here is scalability - I
> don't see some device analyzing 1G, the typical uplink capacity of
> Internet gateways in a medium SP network, of traffic at layer 7.
> If this should be feasible, what if P2P applications would employ
> encryption schemes (e.g. IPSec) - this would render signature-based
> recognition useless.

you can also be fairly accurate from the flow data.. eg genuine web traffic is short small transfers, P2P is long-lived flows of continuous high usage

Steve
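
Added example, not part of the original thread: a sketch of the flow-shape heuristic from the reply above, classifying flow records by duration and average byte rate and ignoring the port number. The CSV layout, the thresholds and the function names are assumptions made for illustration; a flow record only gives an average rate, so "continuous" usage is approximated.

```python
import csv
import io
from collections import defaultdict

# Constructed sample flow records (documentation address space, not real traffic).
# start/end are seconds since the start of the capture window.
SAMPLE = """src,dst,dport,start,end,bytes
192.0.2.10,198.51.100.5,80,0,2,18000
192.0.2.10,198.51.100.6,80,3,4,9500
192.0.2.20,203.0.113.7,80,0,1800,540000000
192.0.2.20,203.0.113.8,41233,10,2400,610000000
192.0.2.30,198.51.100.9,443,0,900,120000
"""

# Assumed thresholds; tune them against a baseline from your own network.
MIN_DURATION_S = 600      # "long-lived"
MIN_RATE_BPS = 100_000    # "high usage", average bytes per second
WEB_MAX_DURATION_S = 30   # "short"
WEB_MAX_BYTES = 1_000_000 # "small"

def classify_flow(rec):
    """Label one flow by its shape only; the destination port is never consulted."""
    duration = max(float(rec["end"]) - float(rec["start"]), 1.0)
    size = int(rec["bytes"])
    if duration >= MIN_DURATION_S and size / duration >= MIN_RATE_BPS:
        return "bulk-long-lived"
    if duration < WEB_MAX_DURATION_S and size < WEB_MAX_BYTES:
        return "short-small"
    return "other"

def summarize(text):
    """Return {src: {label: total_bytes}} for a CSV export of flow records."""
    hosts = defaultdict(lambda: defaultdict(int))
    for rec in csv.DictReader(io.StringIO(text)):
        hosts[rec["src"]][classify_flow(rec)] += int(rec["bytes"])
    return {host: dict(labels) for host, labels in hosts.items()}

def p2p_like_hosts(text, share=0.8):
    """Hosts whose byte volume is dominated by long-lived, high-rate flows."""
    flagged = []
    for host, labels in summarize(text).items():
        total = sum(labels.values())
        if total and labels.get("bulk-long-lived", 0) / total >= share:
            flagged.append(host)
    return sorted(flagged)

if __name__ == "__main__":
    for host, labels in summarize(SAMPLE).items():
        print(host, labels)
    print("P2P-like:", p2p_like_hosts(SAMPLE))
```

In the sample, 192.0.2.20 is flagged even though one of its flows uses port 80, while the long but nearly idle port 443 flow from 192.0.2.30 is not.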