identifying application type of network traffic


I'm trying to identify the applications which generate
the traffic on our border routers. I use sampled
netflow as the data source and some flow-tools as

Currently, I use (protocol, port_number) as an indicator
of the application. Referring to the RFC on well-known protocol
and port allocation, I can only identify about 50% of
the traffic type.

Is there a complete (protocol, port_number) list? Or
is there a better way to identify application type
based on netflow data?



You will find that quite a few generators of network traffic (p2p
apps, worms, at least some messenger clients) use more than one port -
or in several cases, use completely random ports.

Also - a whole lot of ports that are commonly used by p2p and
messenger clients (before they fall back to random ports) are not
listed in "well known ports" RFCs, or in /etc/services.
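
An added example, not part of the original thread: one way to apply the (protocol, port_number) lookup discussed above and measure how much traffic, by bytes, it leaves unidentified. The flow records, their CSV layout and the small port map are constructed for illustration; real input would come from your own flow export.

```python
import csv
import io
from collections import Counter

# Small illustrative (protocol, port) -> application map; extend it from
# /etc/services or the IANA registry. Protocol numbers: 6 = TCP, 17 = UDP.
PORT_MAP = {(6, 22): "ssh", (6, 25): "smtp", (6, 80): "http",
            (6, 443): "https", (6, 53): "dns", (17, 53): "dns"}

# Constructed sample flows (not real traffic): proto,src_port,dst_port,bytes
SAMPLE = """\
6,51234,80,120000
6,443,40211,300000
17,53,33012,4000
6,49155,50321,500000
17,41000,42000,76000
"""

def classify(proto, sport, dport):
    """Label a flow by whichever endpoint port appears in PORT_MAP.

    Either side may be the server, so both ports are checked, lower first
    (the lower port is more likely to be the service port).
    """
    for port in sorted((sport, dport)):
        app = PORT_MAP.get((proto, port))
        if app:
            return app
    # Both ports above 1023 and unmapped: the random-port case from the reply.
    if min(sport, dport) > 1023:
        return "unknown-high-ports"
    return "unknown"

def byte_share(text):
    """Return {label: fraction of total bytes} for CSV flow records."""
    totals = Counter()
    for proto, sport, dport, nbytes in csv.reader(io.StringIO(text)):
        totals[classify(int(proto), int(sport), int(dport))] += int(nbytes)
    grand = sum(totals.values())
    return {label: n / grand for label, n in totals.items()}

if __name__ == "__main__":
    shares = byte_share(SAMPLE)
    for label, share in sorted(shares.items(), key=lambda kv: -kv[1]):
        print(f"{label:20s} {share:6.1%}")
```

A port match is only a guess at the application, since any program can use any port; the "unknown-high-ports" share is the part that a longer port list cannot reduce.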