Proprietary VoIP Traffic Monitoring
by admin on Aug.31, 2009, under VoIP
The main VoIP protocol that falls into this category is Skype. As the protocol implementation is currently unknown and the packet payload is encrypted, the best way to monitor this protocol is to treat it as a special case of eDonkey protocol communication.
Typically Skype is detected as follows:
• The underlying protocol must be eDonkey. This can be detected by dissecting the initial session payload as described in [karagiannis], and partially by relying on the default port being used. Pattern matching for Skype detection has been implemented using the popular PCRE [pcre] library, which allows patterns to be searched for efficiently in a data buffer; it is used to search for Skype patterns in the packet payload. The protocol pattern definitions have been borrowed from the popular l7-filter [l7-filter] tool, which includes many patterns not limited to P2P/VoIP protocols. Thanks to this solution, it is possible to detect not only Skype in general, but also the conversation type (skype2skype or skype-in/out call).
• As Skype traffic looks similar to the original eDonkey traffic, it is necessary to further characterize the traffic in order to distinguish eDonkey from Skype. As the protocol payload is encrypted, the only choice left is the analysis of traffic conversations. In particular, the main differences between a P2P and a Skype conversation are:
• During a Skype conversation, traffic is bidirectional, packet frequency is high (in general around 64 packets/sec, regardless of whether the peers are speaking or not) with limited jitter, and packet size is limited (usually below 250 bytes).
• An eDonkey P2P session instead is mostly unidirectional (from the data source to the host receiving the data), the packet rate is not constant, and the packet size is much larger.
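The conversation-level characterization above, as an added example that is not ntop's own code: per-flow features (direction balance, packet rate, inter-arrival jitter, mean packet size) computed from a list of packets that already matched the eDonkey pattern, then a threshold rule in the spirit of the text. The numeric thresholds, the packet record layout and both sample flows are constructed assumptions for illustration.

```python
# Second-stage flow characterization after the eDonkey pattern match:
# per-flow features as described in the text (bidirectionality, packet
# rate, jitter, packet size) and a threshold rule. Thresholds are assumptions.
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# One packet: (timestamp in seconds, direction, payload bytes).
# direction 0 = initiator -> responder, 1 = responder -> initiator.
Packet = Tuple[float, int, int]


def flow_features(pkts: List[Packet]) -> Dict[str, float]:
    """Compute the four per-flow metrics the heuristic relies on."""
    ts = sorted(p[0] for p in pkts)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    duration = ts[-1] - ts[0] if len(ts) > 1 else 0.0
    fwd = sum(1 for p in pkts if p[1] == 0)
    return {
        "pps": len(pkts) / duration if duration > 0 else 0.0,
        "jitter": pstdev(gaps) if len(gaps) > 1 else 0.0,  # std-dev of inter-arrival gaps
        "mean_size": mean(p[2] for p in pkts),
        "bidir_ratio": min(fwd, len(pkts) - fwd) / len(pkts),  # 0.5 = perfectly balanced
    }


def classify_edonkey_like_flow(pkts: List[Packet]) -> str:
    """Assumed thresholds: balanced flow, roughly 64 pkt/s, low jitter, small packets."""
    f = flow_features(pkts)
    is_call = (f["bidir_ratio"] >= 0.3 and 40.0 <= f["pps"] <= 100.0
               and f["jitter"] < 0.005 and f["mean_size"] < 250)
    return "skype-call-like" if is_call else "edonkey-transfer-like"


def constructed_call_flow(seconds: float = 2.0, pps: int = 64) -> List[Packet]:
    """Constructed sample: steady 64 pkt/s, alternating directions, 120-180 byte packets."""
    return [(i / pps, i % 2, 120 + (i % 7) * 10) for i in range(int(seconds * pps))]


def constructed_transfer_flow() -> List[Packet]:
    """Constructed sample: bursty, almost one-way, 1400-byte data packets with rare small replies."""
    pkts, t = [], 0.0
    for i in range(40):
        t += 0.01 + (i % 5) * 0.02  # irregular gaps of 10-90 ms
        direction = 1 if i % 10 == 0 else 0
        pkts.append((t, direction, 64 if direction else 1400))
    return pkts


if __name__ == "__main__":
    for name, flow in (("call", constructed_call_flow()), ("transfer", constructed_transfer_flow())):
        print(name, classify_edonkey_like_flow(flow), flow_features(flow))
```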
In a nutshell, the only thing that a monitoring application can do with respect to Skype traffic is to provide evidence of calls, without furnishing any other information such as the nicknames of the people who held the conversation. For this reason Skype detection has been implemented only inside ntop and not in nProbe, as there are almost no metrics to export while analyzing Skype traffic.
Source: Luca Deri (ntop.org)