
JP Moller's blog




Over the last week, I have taken recorded flows and gathered statistics on the most common patterns for a selection of well-known ports, based on the number of bytes transferred within each flow and on how many flows were observed.

I have also gathered statistics on the protocols identified on these well-known ports that would not be expected there.
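As an added illustration of the two statistics described above (not the author's own scripts, and the flow records are constructed rather than taken from the university network), the following Python bins each flow's byte count into power-of-two ranges per port and lists the identified protocols that do not belong on that port. The port-to-protocol mapping in EXPECTED is an assumption for the example.

```python
import math
from collections import Counter

# Constructed sample flow records: (server port, identified protocol, payload bytes).
# These are made up for the example, not real measurements.
SAMPLE_FLOWS = [
    (80, "HTTP", 1523), (80, "HTTP", 1498), (80, "SPDY", 24),
    (80, "Unknown", 24), (80, "BitTorrent", 68),
    (443, "HTTPS", 5230), (443, "HTTPS", 4800), (443, "SSH", 3100),
    (53, "DNS", 112), (53, "DNS", 98),
]

# Assumed mapping of well-known ports to the protocols one would expect on them.
EXPECTED = {80: {"HTTP", "SPDY"}, 443: {"HTTPS"}, 53: {"DNS"}}


def size_bin(nbytes):
    """Bucket a byte count into a power-of-two range label such as '16-31'."""
    if nbytes <= 0:
        return "0"
    low = 1 << int(math.log2(nbytes))
    return f"{low}-{2 * low - 1}"


def port_summary(flows):
    """Per port: number of flows, total bytes and a histogram of flow-size bins."""
    summary = {}
    for port, _proto, nbytes in flows:
        s = summary.setdefault(port, {"flows": 0, "bytes": 0, "size_bins": Counter()})
        s["flows"] += 1
        s["bytes"] += nbytes
        s["size_bins"][size_bin(nbytes)] += 1
    return summary


def unexpected_protocols(flows, expected=EXPECTED):
    """Per port: Counter of identified protocols that are not expected on it.

    Flows libprotoident could not classify ("Unknown") are skipped; they are
    a separate question from protocols that were positively identified.
    """
    found = {}
    for port, proto, _nbytes in flows:
        if proto == "Unknown" or proto in expected.get(port, set()):
            continue
        found.setdefault(port, Counter())[proto] += 1
    return found


if __name__ == "__main__":
    for port, s in sorted(port_summary(SAMPLE_FLOWS).items()):
        label, count = s["size_bins"].most_common(1)[0]
        print(f"port {port}: {s['flows']} flows, {s['bytes']} bytes, "
              f"most common size bin {label} ({count} flows)")
    for port, protos in sorted(unexpected_protocols(SAMPLE_FLOWS).items()):
        print(f"port {port}: unexpected protocols {dict(protos)}")
```

Power-of-two bins are used so that tiny control exchanges (a few dozen bytes) and full page loads (kilobytes) land in clearly separate buckets; the bin for a port with many very small flows is often the first hint that something other than the expected protocol is running there.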

Made some graphs :)




Last week I had been looking at traffic coming from Taobao servers (a Chinese shopping site that rivals AliExpress and eBay) that was using port 80 but wasn't necessarily HTTP traffic.

I downloaded a few Taobao applications on an Android emulator to capture traffic and try to replicate the traces we have been observing. It seemed promising, as the captured traffic followed almost the same trends as what we had been observing.

When I ran these traces through libprotoident this week, they were classified as SPDY, which is used over HTTP to decrease page loading time. Looking at the protocol manual, it appears that the traffic conformed to SPDY ping packets. I have now extended the module to account for this type of packet.
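To show what a SPDY ping looks like on the wire and how a first-payload classifier can pick it out, here is an added Python example. It is not the libprotoident module or the author's change to it; the matching rules are a toy written for this post. The frame layout (control bit, 15-bit version, 16-bit type, 8-bit flags, 24-bit length, PING being type 6 with a 4-byte id) follows the SPDY/2 and SPDY/3 drafts, and the sample payloads are constructed, not captured.

```python
import struct

SPDY_CONTROL_BIT = 0x80000000
SPDY_PING = 6  # control frame type for PING in the SPDY/2 and SPDY/3 drafts


def parse_spdy_control_frame(payload):
    """Decode the 8-byte SPDY control frame header at the start of payload.

    Header layout: 1 control bit, 15-bit version, 16-bit type,
    8-bit flags, 24-bit body length. Returns None for data frames
    (control bit clear) or anything too short to hold a header.
    """
    if len(payload) < 8:
        return None
    head, = struct.unpack("!I", payload[:4])
    if not head & SPDY_CONTROL_BIT:
        return None
    length = int.from_bytes(payload[5:8], "big")
    return {
        "version": (head >> 16) & 0x7FFF,
        "type": head & 0xFFFF,
        "flags": payload[4],
        "length": length,
        "body": payload[8:8 + length],
    }


def spdy_ping_id(payload):
    """Return the 32-bit id if payload is exactly one SPDY PING frame, else None."""
    frame = parse_spdy_control_frame(payload)
    if frame is None or frame["type"] != SPDY_PING:
        return None
    if frame["version"] not in (2, 3) or frame["length"] != 4 or len(frame["body"]) != 4:
        return None
    if len(payload) != 12:
        return None  # a ping is exactly the 8-byte header plus the 4-byte id
    return struct.unpack("!I", frame["body"])[0]


def classify_flow(client_payload, server_payload):
    """Label a bidirectional flow from the first payload bytes in each direction.

    Same idea as libprotoident (match on the first payload of each direction),
    but these are toy rules for the example, not libprotoident's own.
    """
    cid = spdy_ping_id(client_payload)
    sid = spdy_ping_id(server_payload)
    # The receiver answers a PING by echoing the same id; client-initiated pings use odd ids.
    if cid is not None and sid == cid and cid % 2 == 1:
        return "SPDY (ping)"
    if client_payload[:4] in (b"GET ", b"POST", b"HEAD", b"PUT ") and server_payload.startswith(b"HTTP/"):
        return "HTTP"
    return "Unknown"


# Constructed sample payloads (not captured traffic).
# SPDY/3 PING: control bit + version 3, type 6, flags 0, length 4, id 1.
CLIENT_PING = bytes.fromhex("80030006" "00000004" "00000001")
SERVER_PING_ECHO = CLIENT_PING  # the reply carries the identical frame
HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
HTTP_RESPONSE = b"HTTP/1.1 200 OK\r\n\r\n"

if __name__ == "__main__":
    print(classify_flow(CLIENT_PING, SERVER_PING_ECHO))  # SPDY (ping)
    print(classify_flow(HTTP_REQUEST, HTTP_RESPONSE))    # HTTP
    print(classify_flow(b"\x00\x01\x02\x03", b""))       # Unknown
```

A flow consisting only of a 12-byte ping and its 12-byte echo is exactly the kind of tiny port-80 exchange that looks nothing like HTTP in the byte-count statistics, which is why a rule for the ping frame itself is needed rather than relying on the HTTP method strings.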





My project is to try to classify packets within the university network that cannot be classified by libtrace's libprotoident. This week I will be looking at all unidentified packets coming in or going out on TCP port 80 to see what applications may be using it for something other than web serving.