In order to dive deeper into how to detect peer-to-peer activity on your network, let's first cover the basics of peer-to-peer programs. There are two types of peer-to-peer programs: centralized and partially decentralized. Centralized P2P programs work with a typical client-server architecture. The server holds information about the files shared by the members of its service. A user downloads the client, chooses a username and password to identify himself to the service, connects to the service, searches for files and then downloads the ones he selected. The best example of this kind of service is Napster. Partially decentralized P2P programs, on the other hand, do not rely on a server. The user does not need to identify himself. He goes to a search engine, searches for the file he wants and downloads a small file that holds information about which users have that file, plus connection information. He then opens that small file with a specialized program, which automatically finds the users sharing the file and downloads it. The best examples of this partially decentralized model are Edonkey2K, FastTrack, Gnutella and Overnet.
There are many downsides to P2P file-sharing programs, whether centralized or decentralized. The top two dangers are the spread of infected files (these are especially common among high-priced programs offered freely for sharing, such as Photoshop, Windows and MacOS) and the immense load these programs put on the network with their default configuration options.
There are several ways to identify P2P activity on a network:
- Port-based analysis
- Protocol-based analysis
- Client-based analysis
- Behavioral analysis
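To make the last of these concrete, here is an added example (not code from the original article) of a small behavioral detector run over constructed NetFlow-style records: it flags an internal host that talks to many distinct peers, mostly on high ports at both ends, with roughly balanced upload and download volume. The `Flow` record layout, the thresholds and the sample addresses are all assumptions for illustration.

```python
"""Added example, not from the original article: a small behavioral P2P
detector run over constructed NetFlow-style records (host-level view).
The three heuristics and their thresholds are assumptions to tune locally:
many distinct peers, high ports on both ends, and roughly balanced bytes."""
from typing import NamedTuple

class Flow(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    bytes_out: int
    bytes_in: int

def p2p_score(flows, host, min_peers=20, high_port=1024, max_ratio=4.0):
    """Return (is_p2p, details) for one internal host's outbound flows."""
    peers, high_high, total, out_b, in_b = set(), 0, 0, 0, 0
    for f in flows:
        if f.src != host:
            continue
        total += 1
        peers.add(f.dst)
        if f.sport >= high_port and f.dport >= high_port:
            high_high += 1   # ephemeral-to-ephemeral is typical of P2P
        out_b += f.bytes_out
        in_b += f.bytes_in
    if total == 0:
        return False, {}
    # client-server traffic is usually very asymmetric; P2P usually is not
    ratio = max(out_b, in_b) / max(1, min(out_b, in_b))
    details = {"peers": len(peers), "high_frac": high_high / total, "ratio": ratio}
    flagged = (len(peers) >= min_peers and details["high_frac"] >= 0.8
               and ratio <= max_ratio)
    return flagged, details

def build_sample_flows():
    """Constructed sample: one P2P-like host and one ordinary web client."""
    flows = [Flow("10.0.0.5", 40000 + i, f"203.0.113.{i + 1}",
                  20000 + i, 50_000, 45_000) for i in range(30)]
    flows += [Flow("10.0.0.7", 50000 + i, f"198.51.100.{i + 1}",
                   443, 2_000, 200_000) for i in range(5)]
    return flows

def classify_all(flows):
    """Map every internal source host to True (P2P-like) or False."""
    return {h: p2p_score(flows, h)[0] for h in sorted({f.src for f in flows})}

if __name__ == "__main__":
    for host, flagged in classify_all(build_sample_flows()).items():
        print(host, "P2P-like" if flagged else "normal")
```

On real flow exports the same logic runs per time window, and the thresholds should be set from a baseline of known-good hosts before alerts are trusted.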