
Identifying P2P Heavy-Hitters from Network-Flow Data

September 2005 White Paper
Arno Wagner (Communication Systems Laboratory, Swiss Federal Institute of Technology Zurich (ETH Zurich)), Thomas Dubendorfer (Communication Systems Laboratory, Swiss Federal Institute of Technology Zurich (ETH Zurich)), Lukas Hammerle (Communication Systems Laboratory, Swiss Federal Institute of Technology Zurich (ETH Zurich)), Bernhard Plattner (Communication Systems Laboratory, Swiss Federal Institute of Technology Zurich (ETH Zurich))

In this September 2005 paper, the authors present measurements done on a medium-sized Internet backbone and discuss accuracy issues.

Publisher: Software Engineering Institute

Abstract

One major new and often not welcome source of Internet traffic is P2P filesharing traffic. Banning P2P usage is not always possible or enforceable, especially in a university environment. A more restrained approach allows P2P usage, but limits the available bandwidth. This approach fails when users start to use non-default ports for the client software. The PeerTracker algorithm, presented in this paper, allows detection of running P2P clients from NetFlow data in near real-time. The algorithm is especially suitable to identify clients that generate large amounts of traffic. A prototype system based on the PeerTracker algorithm is currently used by the network operations staff at the Swiss Federal Institute of Technology Zurich. We present measurements done on a medium-sized Internet backbone and discuss accuracy issues, as well as possibilities and results from validation of the detection algorithm by direct polling in real-time.