

General solution of P2P traffic capture and P2P identification methodology test

State Key Laboratory of Networking and Switching Technology

Beijing University of Posts and Telecommunications

2009-11-11 1

1 The state of the art in P2P identification

2 Solution of capturing P2P traffic

3 Solution of testing identification technique

The state of the art

■ Port-based approaches [1]
  ▪ Port number may be dynamic
■ Deep Packet Inspection (DPI) [2][3]
  ▪ Advantages:
    • Can recognize particular P2P applications
    • Can achieve high detection accuracy
  ▪ Drawbacks:
    • Cannot identify applications with unknown signatures
    • Cannot be used on encrypted traffic
    • Examining user payloads raises privacy and legal concerns
    • High computation overhead for checking signatures
■ Approaches based on P2P traffic behavior [4]-[10]
  ▪ Advantages:
    • Can identify unknown P2P applications
    • Can identify encrypted P2P applications
  ▪ Drawbacks:
    • Cannot recognize particular P2P applications
    • False positives

■ [1] S. Sen and J. Wang, “Analyzing peer-to-peer traffic across large networks,” IEEE/ACM Transactions on Networking (TON), vol. 12, no. 2, pp. 219–232, 2004.
■ [2] S. Sen, O. Spatscheck, and D. Wang, “Accurate, scalable in-network identification of p2p traffic using application signatures,” in WWW ’04: Proceedings of the 13th international conference on World Wide Web, New York, NY, USA, 2004, pp. 512–521.
■ [3] Bleul H., Rathgeb E. P., Zilling S. Advanced P2P multiprotocol traffic analysis based on application level signature detection. in 12th International Telecommunications Network Strategy and Planning Symposium. New Delhi, India: Institute of Electrical and Electronics Engineers Inc. United States, 2007. 408-418
■ [4] F. Constantinou and P. Mavrommatis, “Identifying known and unknown peer-to-peer traffic,” in NCA ’06: Proceedings of the Fifth IEEE International Symposium on Network Computing and Applications, Cambridge, MA, USA, 2006, pp. 93–102.
■ [5] T. Karagiannis, A. Broido, M. Faloutsos, and K. claffy, “Transport layer identification of p2p traffic,” in IMC ’04: Proceedings of the 4th ACM SIGCOMM conference on Internet measurement, Taormina, Sicily, Italy, 2004, pp. 121–134.
■ [6] X. Lu, H. Duan, and X. Li, “Identification of p2p traffic based on the content redistribution characteristic,” in ISCIT’07: Proceedings of the International Symposium on Communications and Information Technologies, Sydney, Australia, 2007, pp. 596–601.
■ [7] M. Perenyi, A. G. Trang Dinh Dang, and S. Molnar, “Identification and analysis of peer-to-peer traffic,” Journal of Communication, vol. 1, no. 7, pp. 36–46, 2006.
■ [8] Mong-Fong H., Chun-Wei C., Chin-Shun et al. Identification and Analysis of P2P Traffic - An Example of BitTorrent. in First International Conference on Innovative Computing, Information and Control. Beijing, China: IEEE, 2006. 266-269
■ [9] DedinskiI L, H D. M., L H., et al. Cross-Layer Peer-to-Peer Traffic Identification and Optimization Based on Active Networking. in the Seventh Annual International Working Conference on Active and Programmable Networks. French Riviera: IEEE, 2005. 111-12
■ [10] Yang Yuexiang, Wang Rui, Tang Chuan. P2P traffic detection method based on dual characteristics. Journal on Communications, 2006, 27(11A): 135-138
■ ……


2 Solution of capturing P2P traffic

1 Capturing packet for P2P Applications analysis

2 Capturing packet for test and evaluation

Capturing packets for P2P application analysis

■ Features: controllable IP addresses, P2P applications, cross traffic, etc.
■ >10 controlled PCs
■ Capture tools: Tcpdump, Wireshark, etc.
■ Trace data format: pcap
■ Goal: analyze the protocol, application signatures, … of our concerned P2P

Capturing packets for test and evaluation

■ Features: real P2P traffic with cross traffic
■ Capture method: switch port mirroring
■ Tool: special measurement server with a DAG network monitoring card from Endace Inc., providing 100% packet
■ Trace data format: pcap
■ Goal: provide base trace data for the test and evaluation of identification techniques

Trace data post-processing (classify application)

■ For example:

Test and evaluation method

■ Baseline: signature-based payload methodology
■ 1: Identify P2P applications with the signature-based payload methodology
■ 2: Identify P2P applications with the behavior-based (or transport-layer) identification methodology that we will propose
■ 3: Compare the two in terms of false positives and false negatives

Evaluation metric

■ False Positive (FP): erroneously identifies non-P2P traffic as P2P traffic
■ False Negative (FN): fails to identify P2P traffic as such
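
The three-step test and the FP/FN metrics above, as an added example that is not part of the original slides: a payload-signature baseline labels constructed flows, a port-based classifier stands in for the method under test, and its errors are counted against the baseline. The signature set, port list, sample flows and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed rule set: well-known handshake prefixes, used as the payload baseline.
SIGNATURES = (b"\x13BitTorrent protocol", b"GNUTELLA CONNECT/")
# Assumed default ports (BitTorrent 6881-6889, Gnutella 6346) for the candidate.
P2P_PORTS = set(range(6881, 6890)) | {6346}

@dataclass(frozen=True)
class Flow:
    sport: int
    dport: int
    payload: bytes  # first bytes of the reassembled stream

def baseline_is_p2p(flow):
    """Step 1: signature-based payload match (the baseline)."""
    return flow.payload.startswith(SIGNATURES)

def port_based_is_p2p(flow):
    """Step 2 stand-in: the classifier under test (here, port-based)."""
    return flow.sport in P2P_PORTS or flow.dport in P2P_PORTS

def evaluate(flows, candidate=port_based_is_p2p):
    """Step 3: count the candidate's FP and FN against the baseline labels."""
    fp = fn = p2p = non_p2p = 0
    for f in flows:
        truth, guess = baseline_is_p2p(f), candidate(f)
        p2p += truth
        non_p2p += not truth
        fp += guess and not truth  # non-P2P flow flagged as P2P
        fn += truth and not guess  # P2P flow missed
    return {"fp": fp, "fn": fn,
            "fp_rate": fp / non_p2p if non_p2p else 0.0,
            "fn_rate": fn / p2p if p2p else 0.0}

BT = b"\x13BitTorrent protocol" + bytes(8)
FLOWS = [  # constructed sample flows, not taken from a real trace
    Flow(51000, 6881, BT),                           # BitTorrent, default port
    Flow(51001, 42117, BT),                          # BitTorrent, dynamic port
    Flow(51002, 6346, b"GNUTELLA CONNECT/0.6\r\n"),  # Gnutella, default port
    Flow(6885, 80, b"GET / HTTP/1.1\r\n"),           # HTTP, ephemeral port 6885
    Flow(51003, 80, b"GET /a HTTP/1.1\r\n"),         # HTTP
]

if __name__ == "__main__":
    print(evaluate(FLOWS))
```

The BitTorrent flow on a dynamic port is the false negative, and the HTTP flow whose ephemeral source port falls in the BitTorrent range is the false positive.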

About the signature-based payload methodology

■ We will use the method from the paper:
  ▪ S. Sen, O. Spatscheck, and D. Wang, “Accurate, scalable in-network identification of p2p traffic using application signatures,” in WWW ’04: Proceedings of the 13th international conference on World Wide Web, New York, 2004
