Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Networking

Transport layer identification of P2P traffic

advertisement 
Transport layer
identification of P2P traffic
Victor Gau
Yi-Hsien Wang
2007.11.16
Reference
 Transport layer identification of P2P traffic.
Proc. of the 4th ACM SIGCOMM Conf. on
Internet Measurement. 2004. pp.121-134.




Thomas Karagiannis (UC Riverside)
Andre Broido (CAIDA, SDSC)
Michalis Faloutsos (UC Riverside)
Kc Claffy (CAIDA, SDSC)
P2P Traffic Profiling (PTP)
 Features


Flow patterns and characteristics of P2P
behavior
No examination of user payload
 Effectiveness (compared to payload analysis)



99% of P2P flows
More than 95% of P2P bytes
False positives: <10%.
P2P Traffic Profiling (PTP)
 Capable of identifying P2P flows missed by
payload analysis
 Identifying approximately 10% additional P2P
flows over payload analysis




HTTP requests
Encryption
Other P2P protocols
Unidirectional traces
Characteristic Bit Strings of P2P
Packet Format
Methodology
 Based on the five-tuple key
{source IP, destination IP, protocol,
source port, destination port}
and 64-second flow timeout, examine two
primary heuristics:


TCP/UDP IP pairs
{IP, port} pairs
TCP/UDP IP Pairs
 Look for pairs of source-destination hosts that
use both TCP and UDP,
 Excluding
{IP, Port} Pairs
 for the advertised destination {IP, port} pair of
host A,


the number of distinct IPs connected to host
A will be equal to
the number of distinct ports used to connect
to host A.
2 IPs = 2 Ports
{B, 15}
{C, 10}
Exclusion
 For HTTP server, a client will initiate usually
more than one concurrent connection in
order to download objects in parallel.


A higher ratio of the number of distinct ports
versus number of distinct IPs
4 ports / 2 IPs = 2
{B, 15}
{B, 30}
{C, 10}
{C, 20}
Evaluation
 CAIDA’s Backbone Data Kit (BDK), consisting
of packet traces captured at an OC-48 link of
a Tier 1 US ISP connecting POPs from San
Jose, California to Seattle, Washington.
Method
 Captured 44 bytes of each packet, which
includes IP and TCP/UDP headers and an
initial 4 bytes of payload for some packets.

approximately 60%-80% of the packets with
an extra 4-byte MPLS label
 capture the February and April 2004 traces
(D11 and D13) with 16 bytes of TCP/UDP
payload which allows us to evaluate our nonpayload methodology.
 Combine and cross-validate identification
methods



fixed ports
signature-based payload analysis
transport layer dynamics
 http://www.cww.net.cn/tech/html/2007/10/24/2
0071024218482376.htm
Related documents
ADOT Vision and Long-Range Plan: P2P Linkage Implementation
ADOT Vision and Long-Range Plan: P2P Linkage Implementation
Copyright and P2P File Sharing
Copyright and P2P File Sharing
New Product/Project Proposal
New Product/Project Proposal
AP Biology Name__________________________Per______ Pre
AP Biology Name__________________________Per______ Pre
MonNet A project for network and traffic monitoring
MonNet A project for network and traffic monitoring
P2P proposal
P2P proposal
Across 2. HTTP 4. TCP 10. ports used for specific applications like
Across 2. HTTP 4. TCP 10. ports used for specific applications like
NPP Retail Operations Conversion Rate US$ to C
NPP Retail Operations Conversion Rate US$ to C
On Dominant Characteristics of Residential Broadband Internet Traffic Gregor Maier Anja Feldmann
On Dominant Characteristics of Residential Broadband Internet Traffic Gregor Maier Anja Feldmann
Document11438111 11438111
Document11438111 11438111
Download
advertisement