Traffic Type? Napster?

Help
2010-04-28
2013-03-06
  • Rick Chisholm
    2010-04-28

    For the Daily Traffic Type report how does IPAudit-Web come up with the service name for the specific protocol?  I have a fair amount of traffic being tagged as Napster - but really, Napster is non-existent.  I assume this may be other P2P traffic.  I've checked my local /etc/services and there isn't a Napster entry, so this must be coming from elsewhere.

  • Rick Chisholm
    2010-04-29

    Going to answer my own question here - the file is

    /home/ipaudit/bin/traffic_type
    
  • Rick Chisholm
    2010-04-30

    Despite the sparse traffic this forum receives, I'm going to update this thread in the event someone at some point runs into similar issues.  The Napster detection code in traffic_type appears to be too generalized and may be triggering on all sorts of non-Napster traffic.  In my case, I also have Snort running with P2P rules in force, and there is no Napster traffic despite what ipaudit indicates.  I think the code says if any TCP traffic is using a port where the first two digits are the same and the last two digits are the same, then it is Napster traffic.

    I may remove that code altogether, or rework it a bit.

  • Jon Rifkin
    2010-04-30

    Sorry for taking so long, I botched this post earlier …

    Ipaudit uses its own Perl script to classify traffic; it's located at
    ~ipaudit/bin/traffic_type.

    The script was written when Napster was a big deal.  It classifies
    traffic solely by protocol and port, and assumes any traffic with a port
    number like 1122, 2255 is Napster, i.e. any port number of the form
    XXYY.  When Napster was rampant, this classification was an OK guess -
    these days it's wrong.

    You can easily get rid of the Napster designation by commenting out
    lines 63 and 64 in ~ipaudit/bin/traffic_type, they look like this.

       } elsif ($lo_port=~/^(\d)\1(\d)\2$/ || $hi_port=~/^(\d)\1(\d)\2$/) {
          $port = "napster";

    I believe the only true way to identify Napster and many other types of traffic is deep packet inspection, and since IPaudit only stores protocol and port, it can't really do it.
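The port heuristic Jon describes, re-implemented in Python as an added illustration (this is not the ipaudit traffic_type script itself): it reproduces the XXYY regex from lines 63 and 64, enumerates every port number the rule flags, and runs it over a few constructed flows to show how ordinary traffic gets labelled "napster". The restriction to TCP and the "other" fallback are assumptions made here for the example.

```python
import re

# Same pattern as the Perl branch in ~ipaudit/bin/traffic_type:
# a port written as two repeated digits followed by two repeated digits.
NAPSTER_PORT = re.compile(r"^(\d)\1(\d)\2$")


def looks_like_napster(lo_port: int, hi_port: int) -> bool:
    """True if either endpoint port has the XXYY shape (e.g. 1122, 2255)."""
    return bool(NAPSTER_PORT.match(str(lo_port)) or NAPSTER_PORT.match(str(hi_port)))


def napster_ports() -> list:
    """Every port number 1..65535 the heuristic flags.

    str(port) has no leading zeros, so only four-digit ports can match:
    X in 1..9, Y in 0..9, i.e. 1100, 1111, ..., 9999.
    """
    return [p for p in range(1, 65536) if NAPSTER_PORT.match(str(p))]


def classify(proto: str, src_port: int, dst_port: int) -> str:
    """Simplified stand-in for the script: only the napster branch is kept.

    Assumption for this example: the rule is applied to TCP flows only and
    anything else falls through to "other".
    """
    lo_port, hi_port = sorted((src_port, dst_port))
    if proto == "tcp" and looks_like_napster(lo_port, hi_port):
        return "napster"
    return "other"


# Constructed sample flows (proto, src_port, dst_port); not captured traffic.
SAMPLE_FLOWS = [
    ("tcp", 51234, 443),  # HTTPS: not flagged
    ("tcp", 3344, 80),    # plain HTTP, but the client port is XXYY: flagged
    ("tcp", 60000, 8899), # server side happens to be XXYY: flagged
    ("udp", 1122, 53),    # DNS over UDP: not flagged (TCP-only assumption)
]


def count_flagged(flows) -> int:
    """How many of the given flows the heuristic would report as Napster."""
    return sum(1 for flow in flows if classify(*flow) == "napster")


if __name__ == "__main__":
    print(f"{len(napster_ports())} distinct ports are flagged, first: {napster_ports()[:5]}")
    for flow in SAMPLE_FLOWS:
        print(flow, "->", classify(*flow))
```

Because 90 fixed port numbers trigger the label, any client whose ephemeral port lands on one of them is reported as Napster regardless of what it is actually doing, which is why port-only classification produces the false positives seen in this thread.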

  • Rick Chisholm
    2010-04-30

    No problem - I think I will edit those lines… I appreciate any feedback since I know, like me, you're a busy man.

    That should wrap this part up and I can move on to the graphing issues.

    Thanks again