From mboxrd@z Thu Jan 1 00:00:00 1970
From: Patrick McHardy
Date: Mon, 31 Mar 2003 12:32:03 +0000
Subject: Re: [LARTC] Intelligent P2P detection
Message-Id:
List-Id:
References:
In-Reply-To:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: lartc@vger.kernel.org

Szymon Miotk wrote:
> Luman wrote:
>
>> Probably, I'm not the first one who needs to solve the problem with p2p.
>> Because a large part of my traffic is eaten by p2p software like KazAA,
>> e-mule, Direct Connect etc, I'm looking for a way of detecting such
>> traffic and marking it. However, the simple way with for instance port 1214
>> for KazAA doesn't work because this software uses floating port
>> technology. This traffic can be sent via different ports and these ports
>> can change on the fly. This is rather well known. So I'm looking for
>> the stuff working at a higher level and analyzing
>> traffic inside to determine the content and the real protocol. It could
>> be a patch to the kernel or whatever. It should only be able to mark
>> packets by a special marker.
>> I need this solution not only for prioritizing the traffic (prioritizing
>> can be achieved in another way) but also for selecting the Internet link. I
>> want to NAT this low quality data for some specific address in order to
>> send it over a cheaper link.
>> What do you think, is there any solution to do it? Or maybe there is
>> an ongoing project trying to tackle this global problem with detecting
>> p2p traffic.
>
>
> Snort has a set of rules to detect P2P traffic. AFAIK snort is quite
> fast, at least fast enough to cope with 10Mbits on an average PC.
> Maybe the solution is detecting snort alerts about P2P and
> automagically cutting the bandwidth of the host playing with P2P?
>
> Szymon Miotk

snort signatures are quite poor in some manner. f.e. the X signature
will not detect X from big-endian hosts (at least last time i checked).
they seem to be extracted from sniffed sessions instead of protocol
specifications.

there is an interesting project called hank (sourceforge), it is missing
signatures but it is equipped with almost everything you need for
content-based classification, it can receive packets through the netfilter
ipq mechanism, with simple modifications you should be able to set
skb->priority or skb->nfmark from userspace. unfortunately there seems
to be no active development, but from what i can judge it looks useable.

Patrick

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/