Re: Regional differences in P2P

["Stephen J. Wilcox" <steve () telecomplete co uk>]

On Sun, 18 Jul 2004, Walter De Smedt wrote:

> How are ISPs monitoring P2P traffic these days? Monitoring based on
> Netflow/cflowd data and fixed port numbers for application
> classification doesn't seem to do the trick anymore as more P2P
> applications use random port numbers or even use port 80, with the
> purpose of circumventing potential ISP policies or accounting.
> With Netflow/fixed port nrs the amount of 'unknown traffic' is
> increasing steadily.
>
> The next step in P2P recognition seems to be deep packet inspection with
> signature based detection. The major problem here is scalability - I
> don't see some device analyzing 1G, the typical uplink capacity of
> Internet gateways in a medium SP network, of traffic at layer 7.
> If this should be feasable, what if P2P applications would employ
> encryption schemes (e.g. IPSec) - this would render signature-based
> recognition useless.

you can also be fairly accurate from the flow data.. eg genuine web traffic is 
short small transfers, P2P is long-lived flows of continous high usage

Steve