pmacct :: classification

pmacct 0.10.0 introduces IPv4/IPv6 traffic classification capabilities. The goal is to identify and classify flows (traffic is meant as a set of flows) dynamically, i.e. by understanding the network application they belong to rather than relying only on TCP/UDP port numbers. The port-based approach has two critical weaknesses: users can easily circumvent it by running their applications on non-standard ports, and it cannot deal with applications that allocate dynamic data channels (e.g. file transfers, IP telephony, P2P, etc.).

Among other things, traffic classification can be highly beneficial for a) network planning and provisioning, by determining the services, quantities and peers involved; b) accounting and billing per application-layer logical entity (e.g. virtual hosts); c) detecting suspicious activities and applications that are either forbidden or just bandwidth hungry.

pmacct supports existing flow classification methods - e.g. protocol decoding, signature-based identification and machine learning (ML) techniques - by offering hooks for both regular expressions (RE) and dynamic shared objects (SO), loaded at runtime. Ready-made regular expressions are available for download from the L7-filter project website; a few SO modules have been written (and can be downloaded below), mostly for example/testing purposes. However, it should be easy enough to adapt and hook code from the IPP2P project. Brief getting started instructions are available here and an outlook follows:

pmacct classification outlook

Let's briefly cover the pros and cons. Regular expression patterns are powerful but, being string-oriented, are often unable to deal with binary payloads; on the other hand, they can be downloaded ready-made, are suitable for easy and quick development and don't require knowledge of any programming language. In the pmacct implementation, SO modules are slightly more flexible than their RE counterparts, as the former can rely upon extra information such as context (information gathered - by the same classifier - from previous packets, either in the same uni-directional flow or in the reverse one), private memory areas and lower layer headers. More documentation for both developers and users will be available soon.
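
The contrast between port-based and payload-based classification described above, as an added example that is not pmacct or L7-filter code. The patterns, the sample packets, the port table and the max_packets limit are constructed assumptions for illustration; only the pattern file layout (comment lines, protocol name, then its regular expression) follows the L7-filter style.

```python
import re

# Constructed patterns in the L7-filter file layout ('#' comments, protocol
# name on one line, its regex on the next); not the project's own patterns.
PATTERNS = r"""
# constructed example
http
^(get|post|head) [\x09-\x0d -~]* http/[01]\.[019]
# constructed example
ssh
^ssh-[12]\.[0-9]
"""
PORTS = {22: "ssh", 80: "http"}  # port-only baseline for comparison

# Constructed packets: (src, sport, dst, dport, payload).
SAMPLE = [
    ("10.0.0.1", 40000, "192.0.2.10", 8081, b"GET / HTTP/1.1\r\nHost: a\r\n\r\n"),
    ("10.0.0.2", 40001, "192.0.2.20", 80, b""),                # bare handshake
    ("192.0.2.20", 80, "10.0.0.2", 40001, b"SSH-2.0-OpenSSH_4.3\r\n"),
    ("10.0.0.3", 40002, "192.0.2.30", 5000, b"\x00\x01\x02\xff"),
]

def load_patterns(text):
    """Return [(protocol, compiled regex)] from L7-filter style text."""
    rows = [l.strip() for l in text.splitlines()]
    rows = [l for l in rows if l and not l.startswith("#")]
    # Payloads are bytes, so compile bytes patterns, case-insensitively.
    return [(name, re.compile(rx.encode("latin-1"), re.IGNORECASE))
            for name, rx in zip(rows[0::2], rows[1::2])]

def classify_by_port(packets):
    """Label each flow by the lowest port number it uses, if that is known."""
    return {frozenset([(s, sp), (d, dp)]): PORTS.get(min(sp, dp), "unknown")
            for s, sp, d, dp, _ in packets}

def classify_by_payload(packets, patterns, max_packets=5):
    """Label each flow from the payload of its first max_packets packets.

    Both directions share one key, so a match on the reverse direction
    (such as a server banner) classifies the whole conversation.
    """
    seen, labels = {}, {}
    for s, sp, d, dp, payload in packets:
        key = frozenset([(s, sp), (d, dp)])
        seen[key] = seen.get(key, 0) + 1
        if key in labels or seen[key] > max_packets:
            continue
        hit = next((n for n, rx in patterns if rx.search(payload)), None)
        if hit:
            labels[key] = hit
    return labels
```

On the sample data the port table calls the port 80 conversation "http" and the port 8081 one "unknown", while the payload patterns label them "ssh" and "http" respectively; the binary payload on port 5000 stays unclassified, which is the RE limitation noted above.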

Size: 6039 bytes | Date: 22-Mar-2006

The above archive contains the following classifiers:

Some projects involved or related to application layer classification:

L7-filter project
IPP2P project

Any comment is warmly welcome. Feel free to contact me about bugs, criticism, requests, suggestions or even simple feedback with your opinions about the work done at: