July 20, 2008 02:03am pdt

1. donjohnston 4,300
2. from_exp 2,800
3. blu 2,000
3. AdriendeC 2,000
3. ckimball99 2,000
3. Melaleuca 2,000
3. jazarfinn 2,000
8. networkthug 1,500
9. kdearing 1,400
10. omarfarid 1,350
11. dalesit 1,200
11. keith_al... 1,200
13. naftalig... 1,000
13. tfowles 1,000
13. A2the6th 1,000
13. superiz 1,000

1. donjohnston 4,300
2. AdriendeC 4,000
3. BillBach 3,000
4. from_exp 2,800
5. jaredcall 2,424
6. rsivanandan 2,150
7. blu 2,000
7. Jim_Coyne 2,000
7. Melaleuca 2,000
7. jazarfinn 2,000
7. tlrjohn 2,000
7. ckimball99 2,000
7. Faulkenator 2,000
7. skaap2k 2,000
7. rakeshmi... 2,000

03.07.2008 at 09:17AM PST, ID: 23223515 | Points: 500

	[x] Attachment Details

Can anyone help with P2P traffic capture looking like HTTP ?

Asked by fireflyinternet in Transport, Internet Service Providers (ISP), Network Analysis Software

I've used WireShark to capture traffic from my network card when conducting a download via a Kazaa client.

I don't know enough about IP packets but this data is slightly confusing as it would appear to be getting identified as HTTP within the header packet (HTTP/1.1)

Can anyone provide any background information or clarification on this data ?

Thanks in advance.

---------------------------------------------------

Start Free Trial

         
           
             1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
16:
17:
18:
19:
20:
21:
22:
23:
24:
25:
26:
27:
28:
29:
30:
31:
32:
33:
34:
35:
36:
37:
38:
39:
40:
41:
42:
43:
44:
45:
46:
47:
48:
49:
50:
51:
52:
53:
54:
55:
56:
57:
58:
59:

           
           
             GET /.hash=41353cbc68340436a9988f40dbc772530364c6dd HTTP/1.1
 
Host: 69.141.35.145:1214
 
UserAgent: KazaaClient Sep 26 2006 14:16:34
 
X-Kazaa-Username: apricotuk
 
X-Kazaa-Network: KaZaA
 
X-Kazaa-IP: 10.10.2.6:2866
 
X-Kazaa-SupernodeIP: 83.245.14.99:22386
 
Connection: close
 
X-Kazaa-XferId: 8214753
 
X-Kazaa-XferUid: au2x7ne/jLwDmVjLIVtUUxnIgABbAJu6hFuKTzan0u4=
 
 
 
HTTP/1.1 200 OK
 
Content-Length: 2466944
 
Accept-Ranges: bytes
 
Date: Fri, 07 Mar 2008 16:37:32 GMT
 
Server: KazaaClient May 28 2002 14:51:21
 
Connection: close
 
Last-Modified: Wed, 13 Jun 2007 23:39:44 GMT
 
X-Kazaa-Username: Katie8204
 
X-Kazaa-Network: fileshare
 
X-Kazaa-IP: 69.141.35.145:1214
 
X-Kazaa-SupernodeIP: 70.129.108.157:3796
 
X-KazaaTag: 5=181
 
X-KazaaTag: 21=112
 
X-KazaaTag: 4=Imperial March
 
X-KazaaTag: 6=Soundtrack
 
X-KazaaTag: 8=Star Wars
 
X-KazaaTag: 14=Classical
 
X-KazaaTag: 3==QTU8vGg0BDapmI9A28dyUwNkxt0=
 
Content-Type: audio/mpeg

           
         

Keywords: Can anyone help with P2P traffic capt…

	Title
1	need help analyzing wireshark capture
2	WireShark for Dummies
3	How do I interpret Wireshark's ouput?
4	Restrict Kazaa Lite - ISA Server
5	How to Configure Wireshark
6	configure wireshark to capture all net…

Loading Advertisement...

Microsoft

Internet Protocols
Applications

Development
OS

Hardware
Windows Security

Apple

Operating Systems
Hardware

Programming
Networking

Software

Internet

Search Engines
File Sharing
WebTrends / Stats
Spy / Ad Blockers

Web Browsers
New Net Users
Web Development
Chat / IM

Anti Spam
Web Servers
Anti-Virus
Email Clients

Gamers

Tips
Online / MMORPG
Puzzle
Emulators

Action / Adventure
Role Playing
Consoles
Game Programming

Strategy
Sports
Misc
Computer Games

Digital Living

Hardware
Automotive
New Net Users
New Users

Software
Digital Music
Gaming World
Home Security

Apple
Networking Hardware

Virus & Spyware

Vulnerabilities
IDS
Encryption
Anti-Virus

Operating Systems Security
Software Firewalls
WebApplications
Cell Phones

Operating Systems
Internet
Hardware Firewalls

Hardware

Displays / Monitors
Handhelds / PDAs
Components
Peripherals
Laptops/Notebooks

Servers
Misc
Apple
Embedded Hardware
Networking Hardware

Storage
Desktops
New Users

Software

System Utilities
Industry Specific
Network Management
Photos / Graphics
Page Layout
VMware
Misc
Web Development

OS
CYGWIN
Voice Recognition
Virtualization
Message Queue
Quality Assurance
Security
Firewalls

MultiMedia Applications
Development
Database
Office / Productivity
Business Management
OS/2 Apps
Server Software
Internet / Email

ITPro

OS
Storage
Encryption
Operating Systems Security
Apple Hardware
Laptops & Notebooks
Servers
Networking Hardware
Peripherals
Devices

Displays / Monitors
WebTrends / Stats
Search Engines
Firewalls
Web Computing
WebApplications
IDS
Vulnerabilities
Email Clients
File Sharing

Spy / Ad Blockers
Web Browsers
Web Servers
Networking
Anti-Virus
Consulting
Chat / IM
Anti Spam

Developer

Web Servers
Web Browsers
Game Programming
Dev Tools
Industry Specific
Office / Productivity

Database
CYGWIN
Web Development
Search Engines
File Sharing
WebTrends / Stats

Programming
Content Management
Application Servers
Protocols

Storage

Removable Backup Media
Storage Technology
Servers

Grid
Remote Access
Backup / Restore

Misc
Hard Drives

Miscellaneous
Security
Development
Linux
VMware

MainFrame OS
Unix
Apple
OS / 2
AS / 400

BeOS
Microsoft
VMS / OpenVMS

Database

Oracle
Miscellaneous
MySQL
Software
Sybase
Contact Management
PostgreSQL
Data Manipulation
Clarion
InterSystems Cache

Siebel
MUMPS
OLAP
SQLBase
SAS
GIS & GPS
4GL
Berkeley DB
DB2
Informix

Interbase / Firebird
FoxPro
Reporting
LDAP
Filemaker Pro
MS SQL Server
dBase
MS Access

Security

Misc
Web Browsers
Software Firewalls
Operating Systems Security
File Sharing

Spy / Ad Blockers
Vulnerabilities
WebApplications
IDS
Anti-Virus

Encryption
Anti Spam
Email Clients
VPN
Chat / IM

Programming

Editors IDEs
Installation
Handhelds / PDAs
Multimedia Programming
System / Kernel
Automation

Algorithms
Game
Signal Processing
Project Management
Open Source
Database

Misc
Languages
Processor Platforms
Theory

Web Development

Scripting
Blogs
Web Servers
Software
Search Engines
Web Graphics
Web Services

Images
Internet Marketing
Images and Photos
Components
Document Imaging
Web Languages/Standards
Illustration

WebApplications
Fonts
WebTrends / Stats
Authoring
Digital Camera Software
Miscellaneous

Networking

Protocols
Apple Networking
Network Management
Message Queue
Application Servers
Content Management
File Servers
Email Servers
Misc
Java Editors & IDEs

Wireless
Networking Hardware
Backup / Restore
System Utilities
ISPs & Hosting
Web Servers
Storage Technology
Removable Backup Media
Servers
Web Computing

Broadband
Grid
OS / 2
Novell Netware
Unix Networking
Windows Networking
Security
Telecommunications
Operating Systems
Linux Networking

Other

Lounge
Business Travel
Community Support
New Net Users

Philosophy / Religion
Math / Science
Miscellaneous
URLs

Expert Lounge
Politics
Puzzles / Riddles
Automotive

Community Support

Suggestions
New to EE
New Topics
CleanUp

Announcements
General
Feedback

Input
EE Bugs

03.07.2008 at 09:37AM PST, ID: 21072488

favoretti:

Yes, it uses HTTP protocol with special HTTP headers. So in essence, it is HTTP.
What is it you want to know about that data?

03.07.2008 at 11:18AM PST, ID: 21073365

fireflyinternet:

Jeez !

So realistically, our Cisco NBAR could be categorising Kazaa junk as HTTP ? ? ?
If this is the case, could it be occurring for other P2P traffic ?

{feels slightly unwell}

03.08.2008 at 03:23AM PST, ID: 21076608

favoretti:

Now, it depends on how the NBAR analyzes traffic. if it only looks at ports, then it won't. I'm not that much of a kazaa user, so I'm not 100% sure what happens when it leeches goodies, but from the packet you quoted it very much looks like HTTP-based protocol.

P2P naturally try to mask themselves ;)

Torrents, for instance, won't get counted as HTTP for sure.

03.11.2008 at 12:14AM PDT, ID: 21093591

Bamit99:

Neat....but is Kazaa using Non Standard Port for HTTP or are we just looking at some random sockets created in the course of transfer...Whatever it is, looks very interesting..;)..Anyways, is this your network traffic that you came across or what? You must be worried about it now...hehehe.

X-Kazaa-IP: 10.10.2.6:2866
X-Kazaa-SupernodeIP: 83.245.14.99:22386

03.11.2008 at 01:54AM PDT, ID: 21093951

fireflyinternet:

If it uses port 80 or any other port, NBAR looks like it's classifying it as HTTP due to the header info which is very concerning.

We're looking at examining the content type of HTTP traffic so if we see "X-Kazaa" then it's dumped down the queue...

03.11.2008 at 02:32AM PDT, ID: 21094113

Bamit99:

Would it be possible for you to take a network trace and attach it here. I want to study the packet more closely...If it is not much of a problem...we might have to create Firewall Rule using HTTP Header or similar rather than protocol\TCP Port etc.

03.11.2008 at 02:43AM PDT, ID: 21094143

fireflyinternet:

What more info is required other than the snippet posted above ?

03.11.2008 at 02:53AM PDT, ID: 21094196

Bamit99:

Is this the complete data section of the frame or is there anything else as well?

03.11.2008 at 03:02AM PDT, ID: 21094240

fireflyinternet:

The rest of it looks just like binary data I'm afraid :(

03.11.2008 at 03:20AM PDT, ID: 21094338

Bamit99:

Configure Firewall in such a way that it blocks all the packets that contains these strings...

X-Kazaa-Username, X-Kazaa-Network, X-Kazaa-IP, X-Kazaa-SupernodeIP, X-Kazaa-XferId,
X-Kazaa-XferUid

03.11.2008 at 03:25AM PDT, ID: 21094356

fireflyinternet:

Yeah, that's what I'm looking at currently :(
I'm awaiting feedback from an upstream partner company on the procedures surrounding this.

03.11.2008 at 03:29AM PDT, ID: 21094368

Bamit99:

Cool...keep me updated !!. TC

03.11.2008 at 03:37AM PDT, ID: 21094407

fireflyinternet:

Should hear within a day or so...or someone's butt will get a boot ;-)

03.11.2008 at 03:43AM PDT, ID: 21094440

Bamit99:

lol... keep me updated nonetheless..:D

20080716-EE-VQP-32 / EE_QW_2_20070628