On Wed, 11 Sep 2002, George J. Jahchan wrote:
> Are there any Linux tools to identify and report network traffic at the
> application layer (sort of an application-layer protocol sniffer)? Layer
> 2-to-4 sniffers are next to useless at identifying apps that do not use
> fixed and documented ports. Examples: Peer-to-peer apps or apps
> utilizing well known ports defined for other apps like non-http traffic
> to tcp/80, or non-ftp traffic to tcp/21, etc...
tcpflow --
packaged in RPMs, with underlying SRPM at: ftp.owlriver.com
in /pub/local/ORC/tcpflow/
comes to mind -- it allows line by line post-reconstruction
and reverse engineering of an arbitrary IP protocol. I forget
the reference site, but Google should reveal it.
-- Russ Herrold
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
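The approach the thread points at, once tcpflow has reconstructed the streams, is to look at the payload bytes rather than the port. The following is an added example written for this page, not code from the thread or from the tcpflow project: it identifies a handful of protocols (HTTP, TLS, SSH, SMTP, FTP, BitTorrent) from the first bytes of each reconstructed stream and flags flows whose content does not match the well-known service on the port they use. It assumes tcpflow's classic per-direction file naming (`src.port-dst.port`, with zero-padded octets and ports; adjust `FLOW_RE` if your version differs), and the signatures and the port-to-protocol map are the example's own heuristics, not an exhaustive classifier. The sample flows are constructed inline so it runs offline.

```python
import os
import re
import tempfile
from typing import Dict, List, Optional, Tuple

# Content signatures checked against the first bytes of a reconstructed stream.
# These are heuristics for the example; "USER " and "220 " are shared by several
# text protocols, so the checks below are ordered from most to least specific.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")

def identify_protocol(payload: bytes) -> str:
    """Guess the application protocol from payload content alone, ignoring ports."""
    head = payload[:64]
    if head.startswith(b"\x13BitTorrent protocol"):      # peer wire handshake
        return "bittorrent"
    if head.startswith(b"SSH-"):                          # SSH version banner
        return "ssh"
    # TLS record header: content type 0x16 (handshake), version 0x0300..0x0304
    if len(head) >= 3 and head[0] == 0x16 and head[1] == 0x03 and head[2] <= 0x04:
        return "tls"
    if head.startswith(HTTP_METHODS) or head.startswith(b"HTTP/1."):
        return "http"
    if head.startswith((b"EHLO ", b"HELO ")) or (head.startswith(b"220 ") and b"SMTP" in head.upper()):
        return "smtp"
    if head.startswith((b"USER ", b"PASS ")) or (head.startswith(b"220 ") and b"FTP" in head.upper()):
        return "ftp"
    return "unknown"

# Assumption: tcpflow's classic naming, e.g. 192.168.001.100.54321-010.000.000.001.00080
FLOW_RE = re.compile(r"^(\d{3}(?:\.\d{3}){3})\.(\d{5})-(\d{3}(?:\.\d{3}){3})\.(\d{5})$")

# What we expect to see on a few well-known ports (example's own map).
EXPECTED_ON_PORT: Dict[int, str] = {80: "http", 443: "tls", 22: "ssh", 21: "ftp", 25: "smtp"}

def parse_flow_name(name: str) -> Optional[Tuple[str, int, str, int]]:
    """Return (src, sport, dst, dport) from a tcpflow file name, or None if it is not one."""
    m = FLOW_RE.match(name)
    if not m:
        return None
    src, sport, dst, dport = m.groups()
    return src, int(sport), dst, int(dport)

def audit_flow_dir(directory: str) -> List[dict]:
    """Classify every reconstructed stream in a tcpflow output directory and
    report flows whose observed protocol disagrees with the port's usual service."""
    findings = []
    for name in sorted(os.listdir(directory)):
        parsed = parse_flow_name(name)
        if parsed is None:
            continue
        src, sport, dst, dport = parsed
        with open(os.path.join(directory, name), "rb") as fh:
            observed = identify_protocol(fh.read(64))
        service_port = min(sport, dport)          # the lower port is usually the server side
        expected = EXPECTED_ON_PORT.get(service_port)
        mismatch = expected is not None and observed not in ("unknown", expected)
        findings.append({"flow": name, "service_port": service_port,
                         "observed": observed, "expected": expected, "mismatch": mismatch})
    return findings

def build_sample_dir() -> str:
    """Write constructed sample streams (not real captures) in tcpflow's layout."""
    d = tempfile.mkdtemp(prefix="flows-")
    samples = {
        "192.168.001.100.54321-010.000.000.001.00080": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
        "192.168.001.100.54322-010.000.000.002.00080": b"\x13BitTorrent protocol" + b"\x00" * 8 + b"\x11" * 20,
        "192.168.001.100.54323-010.000.000.003.00021": b"SSH-2.0-OpenSSH_8.9\r\n",
        "010.000.000.004.00443-192.168.001.100.54324": b"\x16\x03\x03\x00\x5a\x02\x00\x00\x56\x03\x03",
        "192.168.001.100.54325-010.000.000.005.00025": b"EHLO mail.example.test\r\n",
    }
    for name, payload in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(payload)
    return d

def demo_findings() -> List[dict]:
    """Run the audit over the constructed sample directory."""
    return audit_flow_dir(build_sample_dir())

if __name__ == "__main__":
    for f in demo_findings():
        flag = "MISMATCH" if f["mismatch"] else "ok"
        print(f"{flag:8} port {f['service_port']:<5} observed={f['observed']:<10} {f['flow']}")
```

Pointed at a real tcpflow output directory, `audit_flow_dir` surfaces exactly the cases the original question raises (non-HTTP traffic on tcp/80, non-FTP traffic on tcp/21, peer-to-peer handshakes on arbitrary ports); a production classifier would need far more signatures and should treat a "mismatch" as a lead for inspection rather than proof of anything.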