[Ntop] Why edonkey and Kazaa Traffic is coming
Burton at ntopSupport.com
Thu Jan 5 14:48:52 CET 2006
If you check the article in docs/FAQ, you will see that ntop uses the lower
port # of the packet for classification.

Remember, part of the tcp/ip protocol involves a random port # - say you
connect to x.y.com on port 80 - the return path uses a random port #.

This works great when one of the port #s (the lower #) is obvious. But many
protocols use two random port #s or have a high # as their 'well known #',
and so ntop CAN be confused. In some cases we do a deeper analysis on the
packets (e.g. ftp), but not all.

Port #s are just #s. You CAN use a port for anything, as long as the two
sides (sender and receiver) agree. That can lead to unexpected
classification. Some protocols do this deliberately, i.e. AOL uses a
variety of port #s if the default, 5190, is blocked for any reason.

And so on. This is usually a small amount of traffic.

From: ntop-bounces at unipi.it [mailto:ntop-bounces at unipi.it] On Behalf Of
Sent: Wednesday, January 04, 2006 10:45 PM
To: ntop at Unipi.IT
Subject: Re: [Ntop] Why edonkey and Kazaa Traffic is coming
I am using NTOP to monitor around 50 PCs in my office and some of the days I
see edonkey and Kazaa traffic on a few of the workstations even though they
don't have any file sharing software installed on them. What can be the reason
that ntop is seeing some of the data traffic as being from kazaa / edonkey?
Can it be a virus / ntop misreading the data transfer?
Since the workstations keep on changing, I don't think that it's a virus,
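Added example, not part of the original thread and not ntop's own code: a small Python sketch of the lower-port rule described in the reply, plus a triage check that marks a P2P label as suspect when the matching port is the client's randomly chosen source port rather than the port the server listens on. The port table, the flow tuple layout (initiator assumed known from the first SYN) and the sample flows are constructed for illustration.

```python
from collections import Counter

# Constructed port table for illustration; not ntop's own protocol list.
PORT_LABELS = {21: "FTP", 80: "HTTP", 1214: "Kazaa", 4662: "eDonkey", 5190: "AOL"}
P2P = {"Kazaa", "eDonkey"}


def classify_lower_port(port_a, port_b):
    """Label a flow by its lower port number only, as the reply describes."""
    return PORT_LABELS.get(min(port_a, port_b), "other")


def triage(flows):
    """Split P2P-labelled flows into 'plausible' and 'suspect_label' per host.

    Each flow is (host, client_port, server_ip, server_port), where the client
    is the side that sent the first SYN (assumed known from the capture).
    A label is suspect when the matching port is the client's own randomly
    chosen source port rather than the port the server listens on.
    """
    report = {}
    for host, cport, _server, sport in flows:
        label = classify_lower_port(cport, sport)
        if label not in P2P:
            continue
        verdict = "plausible" if PORT_LABELS.get(sport) == label else "suspect_label"
        report.setdefault(host, Counter())[(label, verdict)] += 1
    return report


# Constructed sample flows (documentation address ranges).
SAMPLE_FLOWS = [
    ("10.0.0.11", 4662, "192.0.2.10", 8080),    # proxy; source port happens to be 4662
    ("10.0.0.12", 1214, "192.0.2.20", 3128),    # proxy; source port happens to be 1214
    ("10.0.0.13", 4901, "198.51.100.7", 4662),  # remote side really listens on 4662
    ("10.0.0.11", 2051, "192.0.2.10", 80),      # ordinary HTTP, never labelled P2P
]

if __name__ == "__main__":
    for host, counts in sorted(triage(SAMPLE_FLOWS).items()):
        print(host, dict(counts))
```

A host whose P2P-labelled flows are all "suspect_label" matches the random-port confusion described in the reply; a host with "plausible" flows is the one worth inspecting further.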