Previous Work Detailed characterization of a small subset of P2P protocols networks Properties of topology, bandwidth, caching availability, etc Signature-based traffic identification Traffic estimation of P2P applications with fixed ports
Previous Work • Detailed characterization of a small subset of P2P protocols & networks • Properties of topology, bandwidth, caching & availability, etc. • Signature-based traffic identification • Traffic estimation of P2P applications with fixed ports
Payload Analysis Table 2: Strings at the beginning of the payload of P2P protocols. The character 0x" below implies Hex strings P2P Protocol String Trans. prot. Def. ports eDonkey20000xe319010000TCP/UDP4661-4665 0xc53f010000 Fasttrack "Get hash' TCP 1214 0x270000002980 UDP Bittorrent "Ox13bit' TCP 6881-6889 gnutella GNUT”.“GIV TCP 6346-6347 GND” UDP GO!!. MD5. SIZOx 20 TCP 41170UDP Direct connect $MyN”,"$Dir TCP41-412 SR” UDP A res "get hash: TCP Get shal
Payload Analysis
Payload Analysis M1: Flag a flow with a src/dst port number matching one of the well-known port numbers M2: Flag a flow as p2P if the 16-byte payload of any packet matches the signatures, else flag it as non-P2P A loose lower bound on P2p volume M3: Hash the (src, dst] ip pair of a flow flagged as P2P into a table. Flag the flows containing an IP address in the table as "possible P2P" even if no payload matches
Payload Analysis • M1: Flag a flow with a src/dst port number matching one of the well-known port numbers. • M2: Flag a flow as P2P if the 16-byte payload of any packet matches the signatures , else flag it as non-P2P. – A loose lower bound on P2P volume • M3: Hash the {src, dst} ip pair of a flow flagged as P2P into a table. Flag the flows containing an IP address in the table as “possible P2P” even if no payload matches
Limitations Captured payload size Only first 16 bytes of payload Only 4 bytes in older traces Http requests Encryption o Other P2P protocols o Unidirectional traces
Limitations • Captured payload size – Only first 16 bytes of payload – Only 4 bytes in older traces • HTTP requests • Encryption • Other P2P protocols • Unidirectional traces
Non-payload Identification ● Two main heuristics dsrc, dst IP pairs that use both TCP and udp to transfer data The behavior of peers by studying connection characteristics of (IP porty pairs
Non-payload Identification • Two main heuristics: – {src, dst} IP pairs that use both TCP and UDP to transfer data – The behavior of peers by studying connection characteristics of {IP, port} pairs