Towards the detection of encrypted peer-to-peer file sharing traffic and peer-to-peer TV traffic using deep packet inspection methods

Abstract

This dissertation is devoted to the study of Peer-to-Peer (P2P) network traffic identification, using Deep Packet Inspection (DPI) methods. The approach followed in this work is based on the analysis of the content of a packet payload, being paid particular attention to the cases where encryption or obfuscation is used. The protocols and applications under study along this dissertation are organized into two main categories: P2P file sharing (BitTorrent, Gnutella and eDonkey) and P2P TV (Lvestation, TVU Player and Goalbit). The history of P2P and its major milestones are briefly presented, along with their classification according to the functionalities they provide and the network protocol architectures being used by them. Studies on the evolution and current state in the detection of P2P traffic are particularly detailed, as they were the main motivation towards the detection of both encrypted P2P file sharing and P2P TV traffic. The detection of Peer-to-Peer traffic is accomplished by using a set of open source tools, emphasizing Snort, Wireshark and Tcpdump. Snort is used for triggering the alerts concerning this kind of traffic, by using a specified set of rules. These are manually created, based on the observed P2P traffic protocol signatures and patterns, by usingWireshark and Tcpdump. For the storage and visualization of the triggered alerts in a user friendly manner, two open source tools were used, respectively, MySQL and BASE. Finally, the main conclusions achieved in this work are briefly exposed. A section dedicated to future work contains possible directions that may be followed in order to improve this work.