Peer-to-Peer Behaviour Detection through TCP Flows Analysis

This page is about my end-of-studies dissertation, written to obtain the degree of Engineer in Computer Sciences at the University of Liège (ULg) in 2004.

Abstract

The use of peer-to-peer (P2P) applications such as Gnutella, Kazaa or eDonkey is growing dramatically. These applications sometimes represent as much as 50% of Internet traffic, so it has become important for ISPs to detect them. Because the TCP port used by these applications can change, identification based on the TCP port is not possible.

The main goal of this work is to use knowledge about TCP flows available on routers (Cisco's NetFlow) to identify P2P users and flows.

We first present P2P networks in general and some popular file-sharing systems. We then discuss different techniques for measuring P2P traffic. We analyse the results of P2P traffic measurements and try to derive a characterisation of P2P behaviour from them. Our characterisation is based on the existence of an application-layer overlay network between peers.

We test our characterisation in a practical case: we develop a detector for eDonkey traffic under Linux, based on NetFlow traces. This detector is tested against traces of the traffic of the University of Liège. We show that our characterisation allows a significant gain in the detection of P2P traffic volume, and we discuss the performance of our detector. Finally, possible improvements and suggestions for further work are proposed.
