Using Packet Size Distributions to Identify Real-Time Networked Applications

Title: Using Packet Size Distributions to Identify Real-Time Networked Applications


1
Using Packet Size Distributions to Identify
Real-Time Networked Applications
  • Prof. David Parish
  • Dr. Iain Phillips
  • Dr. Mark Sandford

2
Introduction
  • HSN
  • Loughborough University
  • Monitoring Work
  • BTURI, EPSRC
  • Various Projects based on Monitoring
  • QoS Prediction, Visualisation, Event Detection /
    Correlation, Network Security, Application
    Detection

3
Application Detection
  • Why do we want to know what applications are
    running on our network?
  • What means do we have of detecting applications,
    and what are the limitations?
  • Using packet size distributions to detect
    real-time applications
  • Furthering the work - TCP

4
Application Detection Motivation
  • Network Managers, ISPs, Home Users?
  • Prevent Improper Network Use
  • Bandwidth consumption
  • Security
  • Illegal Activity
  • Breaks some company policy
  • Performance Optimisation
  • Adapt the network to suit the application

5
Application Detection Methods
14:10:51.642488 158.125.49.65.1342 > 158.125.51.167.80: S 3353196568:3353196568(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
14:10:51.642546 158.125.51.167.80 > 158.125.49.65.1342: S 657127904:657127904(0) ack 3353196569 win 5840 <mss 1460,nop,nop,sackOK> (DF)
14:10:51.642674 158.125.49.65.1342 > 158.125.51.167.80: . ack 1 win 64240 (DF)
14:10:51.643731 158.125.49.65.1342 > 158.125.51.167.80: P 1:437(436) ack 1 win 64240 (DF)
14:10:51.643771 158.125.51.167.80 > 158.125.49.65.1342: . ack 437 win 6432 (DF)
14:10:51.644231 158.125.51.167.80 > 158.125.49.65.1342: P 1:199(198) ack 437 win 6432 (DF)
14:10:51.791345 158.125.49.65.1342 > 158.125.51.167.80: . ack 199 win 64042 (DF)

6
Application Detection Methods
  • Well known port numbers
  • Applications recognisable by their port numbers
  • FTP (21), SSH (22), Telnet (23), HTTP (80)
  • Well known ports 0-1023

7
Packet Classification
  • Sometimes called Deep Packet Analysis
  • The data portion of the packet is searched for
    known patterns
  • These often occur in the first few packets of the
    session
  • Maintain a database of identifiers or keywords

8
Application Detection Methods
16:41:40.152593 green.lut.ac.uk.1126 > uls.intel.four11.com.http: P 68:388(320) ack 1 win 8760 (DF)
[hex/ASCII dump of the 320-byte HTTP payload; the ASCII column shows a clear-text form submission with userid, username, ipaddress and appname fields, the application naming itself as "Intel Internet Video Phone" and an appmime value of "application/x..."]

9
Application Detection Methods
  • Content Detection allows applications to be
    identified without ambiguity
  • Application spoofing?
  • There are limitations, however...

10
Application Detection Limitations
  • Packet Classification
  • Often requires specific packets to be captured
  • High performance monitor needed
  • Database needs to be established and maintained
  • Ineffectual when dealing with encrypted streams

11
Application Detection Limitations
  • Port Numbers
  • Not all applications use well known ports
  • Particularly newer, real-time applications
  • Games, video-conference, streaming apps...
  • Port numbers are not necessarily fixed
  • E.g. you can run HTTP on any port

12
Using Packet Size Distributions
  • Packet Size Distribution used as an alternative
    application Signature
  • Statistical approach
  • Doesn't require every packet to be captured
  • Doesn't rely on the data portion of the packet

13
Using Packet Size Distributions
  • Traces of Applications Required

14
Using Packet Size Distributions
  • Means of comparing network traces
  • Nearest Neighbour
  • Chi-squared
  • Correlation
  • Neural Network
  • Optimum length of time for obtaining traces?
  • 30 seconds

15
Using Packet Size Distributions
[Packet size distribution plots; panel titles: Unreal Tournament, Real Player]
16
Using Packet Size Distributions
17
Using Packet Size Distributions
18
Using Packet Size Distributions
  • Like Packet Classification, requires creation and
    maintenance of a database
  • possibly easier to create
  • more than one entry per application
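An added example, not code from the slides or the Loughborough detector, of the comparison on slide 14 and the profile database on slide 18: each trace window is turned into a normalised packet-size histogram, compared against stored profiles (two entries for one application) with a chi-squared distance, and labelled by nearest neighbour, with no label when nothing is close. The 64-byte bins, the distance threshold, and the uniformly drawn sample traces are assumptions made for the example.

```python
import math
import random

BIN_WIDTH = 64                  # bytes per histogram bin (assumed; not from the slides)
MAX_SIZE = 1536                 # upper edge, covers the Ethernet MTU (assumed)
NBINS = MAX_SIZE // BIN_WIDTH

def size_distribution(sizes):
    """Normalised packet-size histogram of one trace window (e.g. the 30 s on slide 14)."""
    hist = [0.0] * NBINS
    for s in sizes:
        hist[min(s, MAX_SIZE - 1) // BIN_WIDTH] += 1
    total = sum(hist) or 1.0
    return [h / total for h in hist]

def chi_squared(p, q):
    """Symmetric chi-squared distance between two normalised histograms (0 = identical)."""
    return sum((a - b) ** 2 / (a + b) for a, b in zip(p, q) if a + b > 0)

def correlation(p, q):
    """Pearson correlation of two histograms, the other comparison measure on slide 14."""
    mp, mq = sum(p) / len(p), sum(q) / len(q)
    num = sum((a - mp) * (b - mq) for a, b in zip(p, q))
    den = math.sqrt(sum((a - mp) ** 2 for a in p) * sum((b - mq) ** 2 for b in q))
    return num / den if den else 0.0

def constructed_trace(seed, lo, hi, n=400):
    """Constructed sample trace: n packet sizes drawn uniformly from [lo, hi] bytes."""
    rng = random.Random(seed)
    return [rng.randint(lo, hi) for _ in range(n)]

# Constructed profile store; "game" has two entries (slide 18: more than one per app).
PROFILES = [
    ("game", size_distribution(constructed_trace(1, 40, 120))),
    ("game", size_distribution(constructed_trace(2, 60, 160))),
    ("stream", size_distribution(constructed_trace(3, 500, 1000))),
    ("bulk-tcp", size_distribution(constructed_trace(4, 1400, 1500))),
]

def nearest_neighbour(observed, profiles):
    """Return (app, distance) for the stored profile closest to the observed histogram."""
    app, prof = min(profiles, key=lambda entry: chi_squared(observed, entry[1]))
    return app, chi_squared(observed, prof)

def classify(sizes, threshold=0.5):
    """Label a trace by nearest neighbour; None when nothing is close (no 100% guarantee)."""
    app, dist = nearest_neighbour(size_distribution(sizes), PROFILES)
    return app if dist < threshold else None
```

Because the distance is computed on normalised histograms, the classifier works on a sampled subset of packets just as well as on a full capture, which is the advantage slide 12 claims over content-based detection.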

19
Using Packet Size Distributions
20
Implementation
  • Implementation built under Linux
  • uses tcpdump, iptables (optionally), plus demux,
    detect and snapui processes
  • Deployment
  • in the HSN lab
  • in a student lab
  • in a school
  • in a small company

21
Implementation
[Flow diagram of the detector; node labels: tcpdump, Process TCP packet, Process UDP packet, Process RTP, Exclude ports, TcpConnections, UdpConnections, loadProfiles, Pipe to Detector, Build and Detect, Detect]
22
Implementation
[Flow diagram of snapshot and archive handling; node labels: Snapui, snapcheck, snapshot, Detect All, WriteSnap, Create Connection, ConPort Flags, Create AppStore, Normalise Distribution, archui, archcheck, archive, Archive]
23
Implementation
24
Implementation
25
Using Packet Size Distributions
  • No 100% guarantee
  • unlike content-based detection
  • Processing overhead is relatively small
  • as compared to packet classification
  • Could be used in conjunction with other methods

26
Furthering the work
  • TCP previously not considered
  • In many cases the packet size distribution is
    very similar (MTU)
  • Well known or registered port numbers
  • TCP revisited
  • Some real time applications are beginning to use
    TCP
  • Packet sizes used to verify port number?

27
Real time TCP applications
  • Some games
  • E.g. Warcraft 3, Crimson Skies
  • Media Streaming
  • Windows Media Player, Real Player
  • Conferencing tools
  • MSN, Yahoo (audio and video features)

28
TCP packet sizes
  • TCP Algorithm works in two distinct modes
  • Bulk Transfer
  • Packet sizes will predominantly be MTU
  • Interactive
  • Packet sizes may vary according to network
    performance
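An added example, not part of the slides or the BT detector, of the "packet sizes used to verify port number" idea from slide 26 combined with the two TCP modes on this slide: it parses tcpdump lines in the format of slide 5 (a constructed sample on private addresses), classifies each connection as bulk or interactive by the share of MSS-sized data segments, and flags connections whose well-known port suggests bulk transfer but whose sizes look interactive. The MSS of 1460, the 50% cut-off, the list of bulk ports and the rule that the lower port is the service port are assumptions.

```python
import re

# Constructed tcpdump-style lines in the format of slide 5 (private addresses, not real hosts).
SAMPLE = """\
14:10:51.643731 10.0.0.5.1342 > 10.0.0.9.80: P 1:437(436) ack 1 win 64240 (DF)
14:10:51.644231 10.0.0.9.80 > 10.0.0.5.1342: P 1:199(198) ack 437 win 6432 (DF)
14:10:51.650000 10.0.0.9.80 > 10.0.0.5.1342: . 199:1659(1460) ack 437 win 6432 (DF)
14:10:51.650400 10.0.0.9.80 > 10.0.0.5.1342: . 1659:3119(1460) ack 437 win 6432 (DF)
14:10:51.650800 10.0.0.9.80 > 10.0.0.5.1342: . 3119:4579(1460) ack 437 win 6432 (DF)
14:10:51.651200 10.0.0.9.80 > 10.0.0.5.1342: P 4579:5000(421) ack 437 win 6432 (DF)
14:10:52.100000 10.0.0.7.3001 > 10.0.0.8.80: P 1:61(60) ack 1 win 64240 (DF)
14:10:52.130000 10.0.0.8.80 > 10.0.0.7.3001: P 1:81(80) ack 61 win 6432 (DF)
14:10:52.160000 10.0.0.7.3001 > 10.0.0.8.80: P 61:121(60) ack 81 win 64240 (DF)
14:10:52.190000 10.0.0.8.80 > 10.0.0.7.3001: P 81:161(80) ack 121 win 6432 (DF)
14:10:52.200000 10.0.0.7.3001 > 10.0.0.8.80: . ack 161 win 64240 (DF)
"""

# src.port > dst.port: ... (payload_len); pure ACKs carry no "(n)" and are skipped
LINE = re.compile(r"(\S+)\.(\d+) > (\S+)\.(\d+):.*?\((\d+)\)")
MSS = 1460  # assumed full-size segment payload (matches "mss 1460" on slide 5)

def payload_sizes_by_connection(dump):
    """Group the payload sizes of data-carrying segments by connection, both directions."""
    conns = {}
    for line in dump.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        a, ap, b, bp, n = m.groups()
        key = tuple(sorted([(a, int(ap)), (b, int(bp))]))
        conns.setdefault(key, []).append(int(n))
    return conns

def tcp_mode(sizes, full_fraction=0.5):
    """Slide 28: 'bulk' when MSS-sized segments dominate, otherwise 'interactive'."""
    full = sum(1 for s in sizes if s >= MSS)
    return "bulk" if sizes and full / len(sizes) >= full_fraction else "interactive"

def verify_ports(dump, bulk_ports=(20, 80, 443)):
    """Map connection -> (service port, mode, flagged); flagged means the well-known
    port promises bulk transfer but the packet sizes look interactive/real-time."""
    report = {}
    for key, sizes in payload_sizes_by_connection(dump).items():
        service_port = min(key[0][1], key[1][1])   # assumption: lower port is the service
        mode = tcp_mode(sizes)
        report[key] = (service_port, mode, service_port in bulk_ports and mode == "interactive")
    return report
```

The second connection is flagged because it runs on port 80 yet never sends a full-size segment, the pattern the slide expects from an interactive or real-time application rather than a web download.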

29
Examples - Audio Streaming
30
Examples - Nadar
31
Examples - WarCraft3
32
Application Detector for BT
  • Application Detector provided for BT
  • Operating System: RedHat 9 Linux
  • Built to include specific applications requested
    by BT

33
Application Detector for BT
  • Applications
  • Commonly used Internet Apps (CD provided)
  • Windows Media Player, Real Player, Netmeeting,
    MSN messenger, Halo, Quake3, Unreal Tournament,
    Age-of-Kings
  • BT requested UDP applications
  • Heretic, Teamspeak, Overkill
  • BT requested TCP applications
  • Opennap, Openverse, NADAR, Icecast