From mboxrd@z Thu Jan 1 00:00:00 1970
From: R P Herrold
Date: Fri, 13 Sep 2002 13:02:18 +0000
Subject: Re: [LARTC] Traffic classification.
Message-Id:
List-Id:
References:
In-Reply-To:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: lartc@vger.kernel.org

On Wed, 11 Sep 2002, George J. Jahchan wrote:

> Are there any Linux tools to identify and report network traffic at the
> application layer (sort of an application-layer protocol sniffer)? Layer
> 2-to-4 sniffers are next to useless at identifying apps that do not use
> fixed and documented ports. Examples: Peer-to-peer apps or apps
> utilizing well known ports defined for other apps like non-http traffic
> to tcp/80, or non-ftp traffic to tcp/21, etc...

tcpflow -- packaged in RPMs, with underlying SRPM at:
ftp.owlriver.com in /pub/local/ORC/tcpflow/
comes to mind -- it allows line by line post-reconstruction and
reverse engineering of an arbitrary IP protocol. I forget the
reference site, but Google should reveal it.

-- Russ Herrold
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
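
An added example, not part of the original message or of tcpflow: once streams have been reconstructed into per-direction files, each one can be labelled by its first bytes and compared with the protocol its port implies, which surfaces the non-http traffic to tcp/80 and non-ftp traffic to tcp/21 from the question. It assumes tcpflow's default file naming (zero-padded `srcip.srcport-dstip.dstport`); the signature list, function names and sample streams are constructed for illustration.

```python
import re

# Assumed input: tcpflow's default per-direction file names,
# srcip.srcport-dstip.dstport with zero-padded octets and ports.
FLOW_NAME = re.compile(
    r"^(\d{3}(?:\.\d{3}){3})\.(\d{5})-(\d{3}(?:\.\d{3}){3})\.(\d{5})$")
EXPECTED = {80: "http", 21: "ftp"}  # the two ports named in the question
SIGNATURES = [  # (label, pattern matched at the start of the stream)
    ("http", re.compile(rb"^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r?\n")),
    ("http", re.compile(rb"^HTTP/1\.[01] \d{3}[ \r\n]")),
    ("ftp", re.compile(rb"^\d{3}[ -][^\r\n]*\r?\n")),
    ("ftp", re.compile(rb"^(?:USER|PASS|SYST|FEAT|AUTH|QUIT)(?: [^\r\n]*)?\r?\n", re.I)),
]

def parse_flow_name(name):
    """Return (src_ip, src_port, dst_ip, dst_port) from a flow file name."""
    m = FLOW_NAME.match(name)
    if not m:
        raise ValueError("not a tcpflow-style name: %r" % name)
    def unpad(ip):
        return ".".join(str(int(octet)) for octet in ip.split("."))
    return unpad(m.group(1)), int(m.group(2)), unpad(m.group(3)), int(m.group(4))

def classify(payload):
    """Label a reconstructed stream by its first bytes, ignoring the port."""
    for label, pattern in SIGNATURES:
        if pattern.match(payload[:512]):
            return label
    return "unknown"

def audit(flows):
    """Return (name, port, expected, seen) for streams that do not match their port."""
    findings = []
    for name, payload in sorted(flows.items()):
        _, sport, _, dport = parse_flow_name(name)
        port = dport if dport in EXPECTED else sport if sport in EXPECTED else None
        if port is not None and classify(payload) != EXPECTED[port]:
            findings.append((name, port, EXPECTED[port], classify(payload)))
    return findings

# Constructed sample streams (not captured traffic).
SAMPLE = {
    "192.168.001.010.40001-203.000.113.005.00080": b"GET /index.html HTTP/1.0\r\n\r\n",
    "192.168.001.011.40002-203.000.113.006.00080": b"\x00\x01\x7fopaque-peer-hello",
    "203.000.113.007.00021-192.168.001.012.40003": b"220 service ready\r\n",
    "192.168.001.013.40004-203.000.113.008.00021": b"SSH-2.0-client\r\n",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("%s: port %d expected %s, saw %s" % finding)
```

A stream labelled "unknown" on a well-known port is a lead for manual review of the reconstructed file, not an identification of the application.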