Tools classifying network traffic to applications

Hi,

As far as I know there are tools designed to analyze VoIP
traffic, but from the viewpoint of traffic management this
is not enough. Is there a tool which could classify
network traffic to its applications?

e.g. the tool catches network traffic and recognizes its
application type automatically. If 80% of (80/tcp) is
web browsing, (tcp/80) is recognized as WEB browsing;
if 80% of (1234/tcp) is Edonkey, it is recognized as
Edonkey application.

Joe

Google for FlowScan and CUFlow

> Google for FlowScan and CUFlow

which can't really tell bittorrent (or ssh or aim or...) over tcp/80 from
http over tcp/80... I think Joe's looking for something that knows what
protocols look like below the port number and can spit out numbers for
that... these, it would seem to me, would all require in-line traffic
capture or mirrored port (mirrored traffic, not necessarily an ethernet
port mirror) to be effective.

Sure,

Check out Intrusense nSight: http://www.intrusense.com/products

Darren

Christopher L. Morrow wrote:

> which can't really tell bittorrent (or ssh or aim or...) over tcp/80 from
> http over tcp/80... I think Joe's looking for something that knows what
> protocols look like below the port number and can spit out numbers for
> that... these, it would seem to me, would all require in-line traffic
> capture or mirrored port (mirrored traffic, not necessarily an ethernet
> port mirror) to be effective.

We can do that up to 2Gbps; http://www.rommon.com/ , BitTorrent, KaZaa, eDonkey, HTTP, etc. supported.

Pete

hi,

Christopher L. Morrow wrote:

> which can't really tell bittorrent (or ssh or aim or...) over tcp/80 from
> http over tcp/80... I think Joe's looking for something that knows what
> protocols look like below the port number and can spit out numbers for
> that... these, it would seem to me, would all require in-line traffic
> capture or mirrored port (mirrored traffic, not necessarily an ethernet
> port mirror) to be effective.

Yes, that's what I want -- find out what application
uses what protocol and what number, then apply that
result to a netflow analysis system which could be used
to get statistics of multiple sites.

> We can do that up to 2Gbps; http://www.rommon.com/ , BitTorrent, KaZaa,
> eDonkey, HTTP, etc. supported.

It seems to focus on P2P applications. Is there a tool to
support as many applications as possible (including p2p,
voip, web, ftp, network game, etc.)?

regards

Joe

It's not clear to me that you can easily correlate netflow and capture
data, especially since you may not see the same data at each point... Most
of the data capture/analysis boxes probably also do graphs and traffic
info as well, why not rely on their data?

not sure if this meets your requirements, but if you want an
appliance there are:

http://www.visualnetworks.com/
http://www.networkinstruments.com/

-r

Joe Shen wrote:

> It seems to focus on P2P applications. Is there a tool to
> support as many applications as possible (including p2p,
> voip, web, ftp, network game, etc.)?

The emphasis on p2p is mainly due to the usual questions focusing on them. Obviously the more "traditional" protocols like RTP, HTTP, FTP, etc. are supported also. (RTP with loss/jitter analysis has quite a few uses)

Pete
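
The distinction raised in the thread (port numbers alone cannot separate BitTorrent or SSH on tcp/80 from HTTP) and the 80% per-port rule from the original question, as an added example that is not from any poster or product named above. The signature set is a deliberately small heuristic, and the flows are constructed sample data standing in for mirrored or in-line capture.

```python
# Added example: classify flows by first payload bytes, then apply the 80% rule per port.
from collections import defaultdict

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")

def classify(payload: bytes) -> str:
    """Guess the application from the first bytes a client sends (heuristic)."""
    if payload.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"   # peer handshake: length byte 19 + protocol string
    if payload.startswith(b"SSH-"):
        return "ssh"          # SSH identification string (RFC 4253)
    if payload.startswith(HTTP_METHODS) and b" HTTP/1." in payload.split(b"\r\n", 1)[0]:
        return "http"         # request line: METHOD target HTTP/1.x
    if len(payload) >= 6 and payload[0] == 0xE3:
        # eDonkey TCP framing: marker 0xE3, 4-byte little-endian length, opcode
        if 1 <= int.from_bytes(payload[1:5], "little") <= len(payload) - 5:
            return "edonkey"
    return "unknown"

def port_mix(flows):
    """flows: (dst_port, byte_count, first_payload) tuples -> {port: {app: byte share}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for port, nbytes, payload in flows:
        totals[port][classify(payload)] += nbytes
    return {port: {app: n / sum(apps.values()) for app, n in apps.items()}
            for port, apps in totals.items()}

def dominant(flows, threshold=0.8):
    """Name a port after an application only if it carries >= threshold of its bytes."""
    labels = {}
    for port, shares in port_mix(flows).items():
        app, share = max(shares.items(), key=lambda kv: kv[1])
        labels[port] = app if share >= threshold else "mixed"
    return labels

# Constructed sample flows (not captured traffic): (dst_port, bytes, first payload)
ED2K_BODY = b"\x01" + bytes(16)   # opcode 0x01 plus a made-up 16-byte body
SAMPLE_FLOWS = [
    (80, 3000, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    (80, 6000, b"\x13BitTorrent protocol" + bytes(48)),
    (80, 1000, b"SSH-2.0-OpenSSH_3.9\r\n"),
    (8080, 9000, b"POST /upload HTTP/1.0\r\n\r\n"),
    (8080, 1000, b"\x16\x03\x01\x00\x2e"),
    (4662, 5000, b"\xe3" + len(ED2K_BODY).to_bytes(4, "little") + ED2K_BODY),
]

if __name__ == "__main__":
    print(port_mix(SAMPLE_FLOWS))
    print(dominant(SAMPLE_FLOWS))
```

In the sample, a port-only view would count all of tcp/80 as web traffic, while the payload view shows HTTP carrying only 30% of its bytes, so the port is reported as mixed.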