Sunday, October 23, 2011

How to Build DPI Products? (Part XIII - L7 Identification with 4 Bytes)

WAND, "a research group at the University of Waikato Computer Science Department" offers Libprotoident (here):

"a library that performs application layer protocol identification for flows. Unlike many techniques that require capturing the entire packet payload, only the first four bytes of payload sent in each direction, the size of the first payload-bearing packet in each direction and the TCP or UDP port numbers for the flow are used by libprotoident. Libprotoident features a very simple API that is easy to use, enabling developers to quickly write code that can make use of the protocol identification rules present in the library without needing to know anything about the applications they are trying to identify". The project is managed by Shane Alcock.
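To make the feature set in that description concrete, here is an added illustration in Python. It is not code from libprotoident or WAND: it extracts exactly the four things the quote lists (first four payload bytes per direction, size of the first payload-bearing packet per direction, and the port pair), discards everything else, and then applies a handful of simplified, well-known prefix signatures (HTTP, SSH, TLS) that stand in for the library's real rule set. The sample flows are constructed, and the port-only DNS rule is deliberately labelled as a weak fallback.

```python
# Added illustrative example (not libprotoident's code). The protocol rules
# below are simplified textbook signatures, not the library's actual rules.
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

Packet = Tuple[str, bytes]  # (direction "c2s" | "s2c", TCP/UDP payload)


@dataclass
class FlowFeatures:
    client_port: int
    server_port: int
    first_c2s: bytes = b""          # first 4 payload bytes, client -> server
    first_s2c: bytes = b""          # first 4 payload bytes, server -> client
    size_c2s: Optional[int] = None  # size of first payload-bearing packet c2s
    size_s2c: Optional[int] = None  # size of first payload-bearing packet s2c


def extract_features(client_port: int, server_port: int,
                     packets: Iterable[Packet]) -> FlowFeatures:
    """Walk a flow's packets in order and stop once one payload-bearing packet
    has been seen in each direction; nothing beyond that is retained."""
    f = FlowFeatures(client_port, server_port)
    for direction, payload in packets:
        if not payload:
            continue  # handshake / pure-ACK segments contribute nothing
        if direction == "c2s" and f.size_c2s is None:
            f.first_c2s, f.size_c2s = payload[:4], len(payload)
        elif direction == "s2c" and f.size_s2c is None:
            f.first_s2c, f.size_s2c = payload[:4], len(payload)
        if f.size_c2s is not None and f.size_s2c is not None:
            break
    return f


def classify(f: FlowFeatures) -> str:
    """Payload-prefix rules first; a port-only rule is a last resort and is
    labelled as such, because ports alone are trivially reassigned."""
    c, s = f.first_c2s, f.first_s2c
    if c in (b"GET ", b"POST", b"HEAD", b"PUT ") and s.startswith(b"HTTP"):
        return "HTTP"
    if c.startswith(b"SSH-") and s.startswith(b"SSH-"):
        return "SSH"
    # TLS records open with content type 0x16 (handshake) and major version 0x03
    if c[:2] == b"\x16\x03" and s[:2] == b"\x16\x03":
        return "TLS"
    if f.size_c2s is None or f.size_s2c is None:
        return "Unknown (payload seen in only one direction)"
    if f.server_port == 53 and f.size_c2s <= 512:
        return "DNS? (port heuristic only)"
    return "Unknown"


# Constructed sample flows (not captured traffic); note HTTP on a non-80 port.
SAMPLE_FLOWS = {
    "http_on_8080": (51234, 8080, [
        ("c2s", b""),  # SYN carries no payload
        ("c2s", b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
        ("s2c", b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    ]),
    "tls_on_443": (40000, 443, [
        ("c2s", b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03" + b"\x00" * 180),
        ("s2c", b"\x16\x03\x03\x00\x5a\x02\x00\x00\x56\x03\x03" + b"\x00" * 80),
    ]),
    "ssh": (40001, 22, [
        ("s2c", b"SSH-2.0-OpenSSH_9.0\r\n"),  # server may speak first
        ("c2s", b"SSH-2.0-OpenSSH_9.0\r\n"),
    ]),
    "half_flow": (40002, 80, [("c2s", b"GET / HTTP/1.0\r\n\r\n")]),
}


def classify_sample(name: str) -> str:
    cport, sport, pkts = SAMPLE_FLOWS[name]
    return classify(extract_features(cport, sport, pkts))


if __name__ == "__main__":
    for name in SAMPLE_FLOWS:
        print(f"{name:14s} -> {classify_sample(name)}")
```

The point the example makes is the one the description implies: because the classifier never stores more than four payload bytes per direction, it cannot reconstruct content, and because it keys on those bytes rather than the port, HTTP on 8080 is still HTTP while a flow that only ever shows one direction is honestly reported as undetermined.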

WAND says it collaborates with ipoque (here) - "The [former] CEO and co-founder of ipoque [now CEO of Adyton Systems], Klaus Mochalski, is an ex-employee of the WAND group. ipoque have provided WAND with a research license for their PACE application classification library, which is being used to compare [see chart below] the performance of libprotoident with a commercial-grade DPI product. In turn, WAND is sharing the results of research into application protocol detection with ipoque to enable them to improve their product".

See here how it works and here for an in-depth description.
