The samples of smelling-based application protocols

How to define a smelling rule to identify BitTorrent?

It is known that the BitTorrent peer protocol starts with a handshake. The handshake is sent as a single byte with the value 19, followed by the string "BitTorrent protocol"; 19 is the length of "BitTorrent protocol". We can therefore use the string "BitTorrent protocol" to identify traffic between BitTorrent peers.

We create the BitTorrent protocol as follows:

Figure 8-3. The property of BitTorrent


Note: Because BitTorrent runs over TCP, the number of smelling must be not less than 4. The first three packets of each TCP flow are the handshake packets of the TCP setup; they generally carry no payload, so there is nothing in them to smell.

Figure 8-4. The smelling rule of BitTorrent

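The following is an added example (not AthTek NetWalk's own code) that applies the BitTorrent handshake rule to the first few payloads of a TCP flow and shows why the smelling count has to be at least 4. The flow, the info_hash and the peer_id are constructed placeholders.

```python
"""Smell a TCP flow for the BitTorrent peer handshake.

Added example, not AthTek NetWalk's code. The flow below is constructed:
three empty payloads stand in for the SYN / SYN-ACK / ACK of the TCP setup,
and the fourth payload is a handshake with placeholder info_hash and peer_id.
"""

PSTR = b"BitTorrent protocol"  # 19 bytes; on the wire it is preceded by the length byte 19


def is_bittorrent_handshake(payload: bytes) -> bool:
    """True if a TCP segment payload begins with <19>"BitTorrent protocol"."""
    if len(payload) < 1 + len(PSTR):
        return False
    return payload[0] == len(PSTR) and payload[1:1 + len(PSTR)] == PSTR


def smell_tcp_flow(packets: list[bytes], smell_count: int) -> bool:
    """Apply the rule to at most the first smell_count packets of a flow.

    Empty payloads (the TCP setup packets) use up a smelling slot but can
    never match, which is why the page requires a count of at least 4.
    """
    for payload in packets[:smell_count]:
        if is_bittorrent_handshake(payload):
            return True
    return False


def build_handshake(info_hash: bytes, peer_id: bytes) -> bytes:
    """Construct a peer handshake: <19><pstr><8 reserved bytes><info_hash><peer_id>."""
    if len(info_hash) != 20 or len(peer_id) != 20:
        raise ValueError("info_hash and peer_id are 20 bytes each")
    return bytes([len(PSTR)]) + PSTR + b"\x00" * 8 + info_hash + peer_id


# Constructed flow: three payload-less setup packets, then the handshake.
CONSTRUCTED_FLOW = [
    b"", b"", b"",
    build_handshake(b"\x11" * 20, b"-XX0001-" + b"0" * 12),  # placeholder ids
]

if __name__ == "__main__":
    print("smell 4:", smell_tcp_flow(CONSTRUCTED_FLOW, 4))  # True
    print("smell 3:", smell_tcp_flow(CONSTRUCTED_FLOW, 3))  # False: never reaches the handshake
```

With a smelling count of 3 the rule is evaluated only against the three empty setup packets and the handshake is never inspected, so the flow would be missed.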

How to define a smelling rule to identify RTP?

We create the RTP protocol as follows:

Figure 8-5. The property of RTP


Note: RTP is transported over UDP, and every RTP packet should match the smelling rules defined below, so only the first packet of a flow needs to be smelt. That is, if the first packet of a flow does not match the smelling rules, the flow is not an RTP flow. Keeping the number of smelling to a minimum improves the processing efficiency of AthTek NetWalk.

Figure 8-6. The smelling rules of RTP


How to understand the rules?

  • First, RTP is transported over UDP, so the first rule requires, before anything else, a UDP packet.

    Figure 8-7. RTP rule 1

  • The RTP specification requires that RTP use an even destination port number, and a "Value Rule" can implement this. The figure shows that the last bit of the 2-byte field at offset 2 from the start of the IP layer (that is, the UDP destination port) must be 0, which ensures an even-numbered UDP destination port.

    Figure 8-8. RTP rule 2

  • The third rule makes sure the version of RTP in use is 2. According to the RTP specification, the first two bits of byte 1 of the RTP header identify the RTP version.

    Figure 8-9. RTP rule 3

  • Further judgements can be made on the payload type in the RTP header. According to the RTP specification, the seven-bit payload type field in byte 2 of the RTP header identifies the format of the RTP payload and determines how the application interprets it. The legal values of the payload type are taken to be <= 34 or between 96 and 127 inclusive.

    Figure 8-10. RTP rules 4 – 6
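The following is an added example (not AthTek NetWalk's own code) that evaluates the RTP rules above as offset/mask "value rules" over a single UDP datagram. The rule representation is an assumption modelled on the page's description; offsets are counted from the start of the UDP header, so the RTP header begins at offset 8. The datagrams are constructed inline, and the payload type is read from the low seven bits of RTP byte 2 (the bit after the marker bit, as RFC 3550 lays it out).

```python
"""Evaluate the RTP smelling rules over a UDP datagram (UDP header + RTP header).

Added example, not AthTek NetWalk's code. ValueRule is an assumed
representation of the page's "Value Rule": a field at a byte offset, a bit
mask, and a predicate over the masked value. Offsets are from the start of
the UDP header; the sample datagrams are constructed below.
"""
import struct
from dataclasses import dataclass
from typing import Callable


@dataclass
class ValueRule:
    name: str
    offset: int                    # byte offset from the start of the UDP header
    length: int                    # field width in bytes
    mask: int                      # bits of the field to inspect
    check: Callable[[int], bool]   # predicate over the masked value

    def matches(self, data: bytes) -> bool:
        if len(data) < self.offset + self.length:
            return False           # too short to hold the field: cannot match
        field = int.from_bytes(data[self.offset:self.offset + self.length], "big")
        return self.check(field & self.mask)


RTP_RULES = [
    # rule 2: UDP destination port (offset 2, 2 bytes) must have its last bit 0 (even)
    ValueRule("even dst port", 2, 2, 0x0001, lambda v: v == 0),
    # rule 3: first two bits of RTP byte 1 (offset 8) must encode version 2
    ValueRule("rtp version 2", 8, 1, 0xC0, lambda v: v == 0x80),
    # rules 4-6: payload type (low 7 bits of RTP byte 2) <= 34 or 96..127
    ValueRule("payload type", 9, 1, 0x7F, lambda pt: pt <= 34 or 96 <= pt <= 127),
]


def smell_rtp(datagram: bytes) -> tuple[bool, list[str]]:
    """Return (is_rtp, names of the rules that failed)."""
    failed = [rule.name for rule in RTP_RULES if not rule.matches(datagram)]
    return (not failed, failed)


def build_udp_rtp(src_port: int, dst_port: int, version: int, marker: int,
                  payload_type: int, seq: int = 1, ts: int = 0, ssrc: int = 0x1234) -> bytes:
    """Construct a UDP header followed by a minimal 12-byte RTP header (no CSRCs)."""
    rtp = struct.pack("!BBHII", version << 6, (marker << 7) | payload_type, seq, ts, ssrc)
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(rtp), 0)  # checksum left 0
    return udp + rtp


if __name__ == "__main__":
    # Constructed samples: a valid RTP packet and three that break one rule each.
    for label, dgram in [
        ("valid", build_udp_rtp(5004, 5004, 2, 1, 0)),
        ("odd port", build_udp_rtp(5004, 5005, 2, 0, 0)),
        ("version 1", build_udp_rtp(5004, 5004, 1, 0, 8)),
        ("pt 50", build_udp_rtp(5004, 5004, 2, 0, 50)),
    ]:
        print(label, smell_rtp(dgram))
```

Because the rules are evaluated on one datagram, this also reflects the note above: a flow whose first packet fails any rule is rejected without inspecting further packets.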
