On Thu, 27 Mar 2003, Matthias Weingart wrote:

>Maybe another way is better. What is the most common of P2P traffic? It
>makes much much traffic.

Not really. Well, it depends on your users; if all they do is surfing, you are right, but not if they are mirroring www.kernel.org.

A better criterion for finding P2P traffic is the number of different IPs involved. A P2P tool usually sends packets to many other hosts (eDonkey and Overnet in particular). That's how we detect them at our dormitory. Here are some scripts running here that count the number of IPs a host has sent to and received from (tcpdump, grep, and some perl). When this number gets too high too fast, all traffic from that IP gets a special treatment.

>I guess it will be _very_ difficult to find and mark all packets of P2P
>software (and you will always be behind if new software or new versions are
>published).

You don't need *all* packets. You just need to recognize the initial handshake the programs do to log into the P2P network. Then you can proceed by tracking the following packets between the two hosts involved.

cu
Arvid

--
In colorful images little clarity, much error and a spark of truth
(Johann Wolfgang v. Goethe)
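The fan-out heuristic described in the message above, sketched in Python as an added example; it is not part of the original post and not the dormitory's scripts. It assumes `tcpdump -n -tt` style IPv4 lines, a local network of 10.0.0.0/24, and hypothetical window and threshold values; the capture lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict, deque

# Matches `tcpdump -n -tt` IPv4 lines: "<epoch> IP <src>.<port> > <dst>.<port>: ..."
LINE_RE = re.compile(
    r"^(\d+(?:\.\d+)?) IP (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.\d+:")

def find_high_fanout(lines, local_net, window=60.0, threshold=50):
    """Return {local_ip: time_first_flagged} for hosts that exchanged packets
    with more than `threshold` distinct remote IPs within `window` seconds."""
    net = ipaddress.ip_network(local_net)
    last_seen = defaultdict(dict)  # local ip -> {peer ip: newest timestamp}
    order = defaultdict(deque)     # local ip -> (timestamp, peer), arrival order
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ARP, IPv6, truncated lines
        ts, src, dst = float(m.group(1)), m.group(2), m.group(3)
        src_local = ipaddress.ip_address(src) in net
        dst_local = ipaddress.ip_address(dst) in net
        if src_local == dst_local:
            continue  # count only traffic crossing the network boundary
        host, peer = (src, dst) if src_local else (dst, src)
        last_seen[host][peer] = ts
        q = order[host]
        q.append((ts, peer))
        # Expire peers whose newest packet has fallen out of the window.
        while q and q[0][0] < ts - window:
            old_ts, old_peer = q.popleft()
            if last_seen[host].get(old_peer) == old_ts:
                del last_seen[host][old_peer]
        if len(last_seen[host]) > threshold and host not in flagged:
            flagged[host] = ts
    return flagged

def constructed_sample():
    """Constructed capture: 10.0.0.5 contacts 80 peers in 40 s, while
    10.0.0.9 pulls a large mirror from a single server (high volume, one IP)."""
    lines = [f"{1000 + i * 0.5:.6f} IP 10.0.0.5.4662 > 198.51.100.{i + 1}.4662: tcp 0"
             for i in range(80)]
    lines += [f"{1000 + i * 0.1:.6f} IP 192.0.2.10.80 > 10.0.0.9.40000: tcp 1448"
              for i in range(500)]
    return sorted(lines, key=lambda l: float(l.split()[0]))

if __name__ == "__main__":
    print(find_high_fanout(constructed_sample(), "10.0.0.0/24"))
```

The mirroring host sends far more packets but is never flagged, which is the point made in the message: peer count separates the two cases where byte volume does not.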