Subject: Re: Adding services to io_services
From: Dave Plonka (plonka@doit.wisc.edu)
Date: Tue Mar 06 2001 - 17:20:40 CST
On Tue, Mar 06, 2001 at 03:49:48PM -0600, Robert Lowe wrote:
> Dave Plonka wrote:
> > There's a scarcely-documented feature of CampusIO that if you create a
> > directory called "saved/other", CampusIO will begin to write all the
> > "Other" flows into raw flow files in that directory.
> >
> > The point of this feature is so that you can then use "flowdumper -s"
> > to see what sorts of things aren't being caught and hopefully improve
> > "CampusIO.cf" or "CampusIO.pm" so that it can identify those things (if
> > possible).
>
> I used this some time ago to help me identify some of my "other" traffic,
> which presently amounts to ~58% of my outbound and ~50% of my inbound
> traffic. A significant amount appeared to be Gnutella-related (port
> 6346, in particular), but ports 8888 and 6699 also showed up, which
> I'm fairly certain (especially 6699) are Napster. Do, or can, the
> current Napster rules reflect traffic related to client pushes, rather
> than just pulls??
In an effort to keep from overestimating traffic for certain
applications, FlowScan doesn't do a simple port number test to identify
Napster and other traffic on unreserved port numbers (>1024). Its
method for Napster and PASV ftp is described here:
http://net.doit.wisc.edu/~plonka/lisa/FlowScan/#ToC9
There are some conditions under which we know Napster traffic will
not be classified correctly by FlowScan. I.e.:
1) Occasionally Napster.com has moved some of their servers to
addresses that are not in the "Napster_subnets.boulder" that shipped
with the last FlowScan release. When this happens we have to
rediscover where they've moved and modify that file accordingly.
2) Also, some Napster users don't use just Napster.com's servers but
also use "open" Napster servers by using the "napigator" application.
Consider the list of "alternative" servers here:
http://www.napigator.com/list.php
If you wish, you could augment your "Napster_subnets.boulder" file
to contain those servers as well. I have done that by using the
attached script. Honestly though, unless Napster.com is shut down I
think these alternative servers get very little activity.
But still, even under the best of circumstances, some Napster stuff can
slip through unidentified. It depends on the order that the flows are
exported from the Cisco because FlowScan (for performance reasons) only
makes one pass at the flows.
It helps, I think, to set the flow active timeout as low as possible (1
minute), which is mentioned in the INSTALL docs.
Lastly, note that the NapUserMaybe RRD file totals up traffic that
might be Napster (because the host in question has talked to
Napster.com) but since it's on a non-default port we're not sure. The
default graphs Makefile for FlowScan does not include NapUserMaybe
statistics in the graphs because the confidence is relatively low.
However, for institutions which may have made a futile attempt to block
Napster by port, your user-base may have scurried off to less common
TCP port numbers, so NapUserMaybe may be more useful to you.
Dave
--
plonka@doit.wisc.edu http://net.doit.wisc.edu/~plonka ARS:N9HZF Madison, WI
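The following is an added illustration, not code from this message or from FlowScan's CampusIO.pm: a one-pass classifier modelled on the heuristic Dave describes (a host counts as a Napster user only after it is seen talking to a server-subnet address; its later flows on default ports are Napster, on other unreserved ports NapUserMaybe, everything else Other). The server subnets, the peer addresses, the flow records and the choice of 6699/8888 as "default" ports are all constructed or assumed for the example; nothing here reflects real Napster addressing or the real Napster_subnets.boulder format. It also shows why flow export order matters when only one pass is made, and how augmenting the server list changes the result.

```python
"""Single-pass Napster-style flow classifier (illustrative, not FlowScan's own logic)."""
import ipaddress
from dataclasses import dataclass

# Constructed "campus" prefix standing in for the local network.
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")

# Constructed stand-in for the server subnet list (not real Napster.com addresses).
BASE_SERVER_SUBNETS = ["198.51.100.0/24"]
# Constructed stand-in for "open" servers one might add from an alternative-server list.
OPEN_SERVER_SUBNETS = ["100.64.5.0/24"]

# Assumed default data ports; 6699 and 8888 are the ports mentioned in the thread.
NAPSTER_DEFAULT_PORTS = {6699, 8888}


@dataclass(frozen=True)
class Flow:
    """Minimal flow record: addresses, protocol, ports and byte count."""
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    bytes: int


def augment_server_subnets(base, extra):
    """Merge extra server prefixes into the base list, normalised and deduplicated."""
    merged = {str(ipaddress.ip_network(s, strict=False)) for s in (*base, *extra)}
    return sorted(merged)


def classify_flows(flows, server_subnets):
    """One pass over the flows, in the order given; returns byte totals per class.

    A local host is remembered as a Napster user only once a flow to or from a
    server subnet has been seen, so data flows exported before that control flow
    fall into Other rather than Napster/NapUserMaybe.
    """
    nets = [ipaddress.ip_network(s, strict=False) for s in server_subnets]
    napster_users = set()
    totals = {"Napster": 0, "NapUserMaybe": 0, "Other": 0}
    for f in flows:
        src, dst = ipaddress.ip_address(f.src), ipaddress.ip_address(f.dst)
        local = src if src in LOCAL_NET else dst
        if any(src in n or dst in n for n in nets):
            # Control traffic to a known server: high confidence, remember the host.
            napster_users.add(local)
            totals["Napster"] += f.bytes
        elif local in napster_users and (
            f.sport in NAPSTER_DEFAULT_PORTS or f.dport in NAPSTER_DEFAULT_PORTS
        ):
            # Known user on a default data port: count as Napster.
            totals["Napster"] += f.bytes
        elif local in napster_users and f.sport > 1024 and f.dport > 1024:
            # Known user on some other unreserved port: low confidence bucket.
            totals["NapUserMaybe"] += f.bytes
        else:
            # No port-only test: a default port alone never makes a flow Napster.
            totals["Other"] += f.bytes
    return totals


# Constructed sample flows, exported in the "good" order (control flow first).
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "198.51.100.5", 6, 3001, 4000, 1200),   # to a server subnet
    Flow("192.0.2.10", "203.0.113.7", 6, 6699, 2001, 50000),   # default port, known user
    Flow("192.0.2.10", "203.0.113.8", 6, 7777, 2002, 30000),   # odd port, known user
    Flow("192.0.2.20", "203.0.113.9", 6, 6699, 2003, 8000),    # default port, unknown host
    Flow("192.0.2.10", "203.0.113.10", 6, 40000, 80, 500),     # web traffic from known user
    Flow("192.0.2.30", "100.64.5.1", 6, 3002, 4000, 700),      # "open" server, not in base list
]


def order_dependence():
    """Same flows, two export orders: data flows before the control flow lose their class."""
    reordered = [SAMPLE_FLOWS[1], SAMPLE_FLOWS[2], SAMPLE_FLOWS[0]] + SAMPLE_FLOWS[3:]
    return classify_flows(SAMPLE_FLOWS, BASE_SERVER_SUBNETS), classify_flows(
        reordered, BASE_SERVER_SUBNETS
    )


if __name__ == "__main__":
    good, bad = order_dependence()
    print("control flow first :", good)
    print("data flows first   :", bad)
    augmented = augment_server_subnets(BASE_SERVER_SUBNETS, OPEN_SERVER_SUBNETS)
    print("with open servers  :", classify_flows(SAMPLE_FLOWS, augmented))
```

Running it shows the two effects the message describes: with the data flows exported ahead of the control flow, 80000 bytes that were Napster/NapUserMaybe land in Other, which is why a short active timeout (so flows are exported close to when they begin) helps; and adding the "open" server prefix moves that host's traffic out of Other.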
This archive was generated by hypermail 2b25 : Tue Mar 06 2001 - 17:25:57 CST