# network analyzer for streaming data

## Vieri

Hi,

I'd like to know if by any chance there's already an OSS that can analyze network traffic on, say, a Gentoo Linux bridge or gateway, and detect "streaming behavior" on any kind of ports (even port 80 and 443).

I have a very large LAN and can block specific ports and/or IP addresses (such as logmein, p2p apps, etc) but it's a hassle trying to keep track of everything (either by firewall rules or via squid proxy settings). Also, some p2p programs, or simply radio stations (and there are quite a lot), use ports 80 or 443 which have to be kept open. Also, my job isn't to "educate" the users but I do need to at least "know" who's abusing resources. 

Is there such software already? Something that would measure how much time a TCP/IP connection is active (and data flowing at more or less constant rate)...

I would only need to "autodetect" source and destination IP addresses and alert the "admin" via email for manual intervention or launch another script that would simply "interrupt the connection" and blacklist the destination IP address on the firewall.

Thanks for your ideas,

Vieri

[EDIT] I'm assuming that low-bandwidth but constant data flow usually reveals internet radio or video streaming, remote desktops such as logmein or gotomypc and the like. Standard FTP/HTTP down/uploads could be detected as such but usually don't stay active as long.
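
The heuristic described in the post above (a connection that stays active for a long time while data flows at a more or less constant rate), sketched as an added example that is not part of the original thread. The per-interval byte counts, the thresholds and the function names are assumptions, and the sample flows are constructed.

```python
from statistics import mean, pstdev

INTERVAL_S = 10  # assumed sampling interval for per-flow byte counters

# Constructed sample data: bytes seen per interval for each
# (source IP, destination IP, destination port) flow, as could be aggregated
# from conntrack or NetFlow counters. Addresses are documentation ranges.
SAMPLES = {
    # steady ~128 kbit/s for 20 minutes (radio-like)
    ("192.0.2.10", "198.51.100.7", 443): [160_000, 158_500, 161_200, 159_800] * 30,
    # fast bulk download that ends after 30 seconds
    ("192.0.2.11", "198.51.100.9", 80): [4_000_000, 3_900_000, 4_100_000],
    # 20 minutes of bursty browsing over one kept-alive connection
    ("192.0.2.12", "203.0.113.5", 443): [2_000, 0, 0, 90_000, 0, 0, 1_500, 0] * 15,
}

def streaming_like(byte_counts, interval_s=INTERVAL_S, min_duration_s=600,
                   max_cv=0.25, max_idle_fraction=0.1):
    """True when a flow is long-lived and carries data at a near-constant rate.

    All thresholds are illustrative assumptions and need tuning per network.
    """
    if len(byte_counts) * interval_s < min_duration_s:
        return False  # ordinary downloads usually finish before this
    idle = sum(1 for b in byte_counts if b == 0) / len(byte_counts)
    if idle > max_idle_fraction:
        return False  # mostly idle keep-alive connection, not a stream
    avg = mean(byte_counts)
    if avg == 0:
        return False
    # Coefficient of variation: low value means a nearly constant rate.
    return pstdev(byte_counts) / avg <= max_cv

def find_streaming_flows(samples):
    """Return (src, dst, dport, avg_kbit_per_s) for each flagged flow."""
    flagged = []
    for (src, dst, dport), counts in samples.items():
        if streaming_like(counts):
            kbit = mean(counts) * 8 / INTERVAL_S / 1000
            flagged.append((src, dst, dport, round(kbit)))
    return flagged

if __name__ == "__main__":
    for src, dst, dport, kbit in find_streaming_flows(SAMPLES):
        print(f"{src} -> {dst}:{dport} steady at ~{kbit} kbit/s")
```

The flagged list is what would feed the e-mail alert for manual review; it only reports source and destination pairs and makes no blocking decision.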

----------

## eccerr0r

I'm curious too...

... of people who don't care for net neutrality, things like this would kill my VPN connections...

----------

## Vieri

*eccerr0r wrote:*

> I'm curious too...
> 
> ... of people who don't care for net neutrality, things like this would kill my VPN connections...

 

First of all, I care for net neutrality but also think that in a corporate LAN users should respect common resources. I know it's more a "management issue" but I'm not responsible for that. I'm in the IT department and need to find out quickly who's abusing our services when other users complain that they can't work efficiently.

However, if a user is legitimately using VPN (like me for instance) or any other means, then it won't be denied. At least I will be informed as to which IP addresses are "potentially misusing" resources. Deciding whether to cut off a connection or not is beside the point.

I'm sure people who have to manage large networks understand my point of view.

[EDIT] Your VPN connections wouldn't be using ports 80 or 443 anyway...

----------

## yzg

It sounds like L7-filter.

----------

