some identify problems


Dmitry V

Mar 2, 2011, 4:42:44 AM
to opendpi
Hi All


There are two problems that I see:
1. BitTorrent traffic in the "download direction" is not detected by
OpenDPI.
2. So much undefined-protocol traffic.


1.
Netfilter rule is:

#iptables -A FORWARD -m opendpi --bittorrent -j DROP

So, this rule does not prevent downloading torrents in uTorrent 2.2.
But distributing torrents is blocked normally.
How can I block (log, QoS, etc.) torrent downloading?
Can't the commercial PACE identify this traffic either?


2.
I collected network traffic (~3GB) and gave it to OpenDPI_demo:
The largest amount of traffic is unknown!
Is that normal?
Or am I doing something wrong?


# ./OpenDPI_demo -f /tst

pcap file contains
ip packets: 3712957 of 3725717 packets total
ip bytes: 3009681928
unique ids: 26621
unique flows: 60548


detected protocols:
unknown packets: 1692687 bytes: 1348904068 flows: 38213
DNS packets: 6408 bytes: 660731 flows: 1865
HTTP packets: 944851 bytes: 624271611 flows: 16521
NTP packets: 48 bytes: 4320 flows: 12
NETBIOS packets: 230 bytes: 22534 flows: 25
SMB packets: 25 bytes: 5162 flows: 1
DirectDownloadLink packets: 224 bytes: 79298 flows: 8
Bittorrent packets: 76322 bytes: 51964045 flows: 864
Flash packets: 130867 bytes: 122569526 flows: 373
MPEG packets: 65687 bytes: 66802887 flows: 14
QuickTime packets: 728301 bytes: 759324304 flows: 12
Windowsmedia packets: 10 bytes: 2481 flows: 2
Yahoo packets: 35 bytes: 5409 flows: 1
ICMP packets: 5346 bytes: 621109 flows: 1392
RDP packets: 2215 bytes: 954162 flows: 35
SSL packets: 59521 bytes: 33453073 flows: 1202
SSH packets: 172 bytes: 35064 flows: 8

Katrin Pflugfelder

Mar 2, 2011, 10:26:18 AM
to ope...@googlegroups.com
Hi Dmitry,


1. There are two kinds of bittorrent traffic: encrypted and unencrypted. OpenDPI can only detect the unencrypted bittorrent traffic. The commercial version of OpenDPI, PACE, also provides a detection for encrypted bittorrent traffic. For the encrypted bittorrent detection statistical analysis is necessary.

Bittorrent behaves like this: when the unencrypted traffic is blocked, bittorrent traffic becomes encrypted. That is why blocking with OpenDPI cannot work so well.

The commercial version PACE is able to detect and to block all bittorrent traffic correctly.

2. This depends on the traffic that you have captured: when it contains much encrypted bittorrent traffic, OpenDPI will mark this traffic as unknown. Another thing is that OpenDPI cannot classify connections that do not start with the first packet. If you want, you can send your pcap to me, I could have a quick look into it and tell you why it contains so much unknown traffic.

Best Regards, Katrin

--
Katrin Pflugfelder | Product Manager | ipoque
Mozartstr. 3 | 04107 Leipzig | Germany
phone + 49-341 - 59 40 3 - 0
fax +49-341 59 40 3 - 019 | web www.ipoque.com
trade register Amtsgericht Leipzig HRB21462
Gesellschaft mit beschränkter Haftung (GmbH)
board Klaus Mochalski, Hendrik Schulze, Dr. Frank Stummer

Networkshop 39, Hertfordshire, 12 - 14 April 2011

ipoque Executive Blog at http://blog.ipoque.com
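As an added example (not code from either post, nor from the OpenDPI project), here is a small Python script that parses the OpenDPI_demo summary Dmitry pasted and turns the "is that normal?" question into numbers: the share of packets, bytes and flows left as unknown, the largest protocols by volume, and whether the per-protocol counters add up to the capture's IP byte total. The sample text is the counters from the first post, re-joined one protocol per line; the row regex also accepts the wrapped form as it appeared in the mail. The 25 % warning threshold and all function names are assumptions of this example, not values or APIs from OpenDPI.

```python
import re
from dataclasses import dataclass

# Constructed sample: the counters from the OpenDPI_demo run in the first post,
# re-joined one protocol per line (the mail client had wrapped each row onto
# two lines; ROW_RE below accepts both forms because \s+ matches a newline).
SAMPLE_OUTPUT = """\
pcap file contains
ip packets: 3712957 of 3725717 packets total
ip bytes: 3009681928
unique ids: 26621
unique flows: 60548

detected protocols:
unknown packets: 1692687 bytes: 1348904068 flows: 38213
DNS packets: 6408 bytes: 660731 flows: 1865
HTTP packets: 944851 bytes: 624271611 flows: 16521
NTP packets: 48 bytes: 4320 flows: 12
NETBIOS packets: 230 bytes: 22534 flows: 25
SMB packets: 25 bytes: 5162 flows: 1
DirectDownloadLink packets: 224 bytes: 79298 flows: 8
Bittorrent packets: 76322 bytes: 51964045 flows: 864
Flash packets: 130867 bytes: 122569526 flows: 373
MPEG packets: 65687 bytes: 66802887 flows: 14
QuickTime packets: 728301 bytes: 759324304 flows: 12
Windowsmedia packets: 10 bytes: 2481 flows: 2
Yahoo packets: 35 bytes: 5409 flows: 1
ICMP packets: 5346 bytes: 621109 flows: 1392
RDP packets: 2215 bytes: 954162 flows: 35
SSL packets: 59521 bytes: 33453073 flows: 1202
SSH packets: 172 bytes: 35064 flows: 8
"""

UNKNOWN_WARN_SHARE = 0.25  # assumed threshold for this example, not an OpenDPI value


@dataclass
class ProtoStat:
    name: str
    packets: int
    bytes: int
    flows: int


# Whole-capture totals from the "pcap file contains" header.
TOTAL_RE = re.compile(
    r"ip packets:\s*(\d+) of \d+ packets total\s+ip bytes:\s*(\d+)"
    r".*?unique flows:\s*(\d+)",
    re.S,
)
# One "<proto> packets: N bytes: M flows: K" row; \s+ tolerates a line break
# between "bytes:" and its number, as in the pasted output.
ROW_RE = re.compile(r"^(\S+) packets:\s*(\d+)\s+bytes:\s*(\d+)\s+flows:\s*(\d+)", re.M)


def parse_rows(text):
    """All per-protocol rows, 'unknown' included, in the order printed."""
    return [ProtoStat(n, int(p), int(b), int(f)) for n, p, b, f in ROW_RE.findall(text)]


def parse_demo_output(text):
    """Return (totals, rows) for one OpenDPI_demo summary."""
    m = TOTAL_RE.search(text)
    if m is None:
        raise ValueError("no 'pcap file contains' header in input")
    totals = {"packets": int(m.group(1)), "bytes": int(m.group(2)), "flows": int(m.group(3))}
    return totals, parse_rows(text)


def unknown_share(totals, rows):
    """Fraction of packets, bytes and flows that the classifier left unknown."""
    unk = next((r for r in rows if r.name == "unknown"), None)
    if unk is None:
        raise ValueError("no 'unknown' row in input")
    return {k: getattr(unk, k) / totals[k] for k in ("packets", "bytes", "flows")}


def top_by_bytes(rows, n=5):
    """Protocol names ordered by byte volume, largest first."""
    return [r.name for r in sorted(rows, key=lambda r: r.bytes, reverse=True)[:n]]


def coverage_gap(totals, rows):
    """IP bytes in the pcap minus bytes attributed to any row (unknown included).
    Near zero means the per-protocol counters account for the whole capture."""
    return totals["bytes"] - sum(r.bytes for r in rows)


def report(text, threshold=UNKNOWN_WARN_SHARE):
    """Summary lines; the last is a warning when the unknown byte share is high."""
    totals, rows = parse_demo_output(text)
    share = unknown_share(totals, rows)
    lines = [f"{k}: {share[k]:.1%} unknown of {totals[k]}" for k in share]
    lines.append("top by bytes: " + ", ".join(top_by_bytes(rows)))
    lines.append(f"unaccounted bytes: {coverage_gap(totals, rows)}")
    if share["bytes"] > threshold:
        lines.append(
            f"WARNING: {share['bytes']:.1%} of bytes unknown (> {threshold:.0%}); "
            "check for encrypted BitTorrent and for flows already in progress "
            "when the capture started"
        )
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_OUTPUT)))
```

On the pasted counters the script reports roughly 45 % of bytes and 63 % of flows as unknown, and an unaccounted-bytes figure of only a few kilobytes, so the counters themselves reconcile. Per Katrin's reply, a high unknown share is expected when the capture holds encrypted BitTorrent or many connections whose first packet was never seen; running the same report on a capture started before the flows of interest, and comparing the unknown share, separates those two causes from a genuine detection failure.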

